Vulnhub靶机DC系列-DC6
2021-01-15 11:14:19 Author: www.freebuf.com(查看原文) 阅读量:119 收藏

0x0:靶场介绍

靶场名称: DC: 6

靶场发布时间:2019-4-26

靶场地址:https://www.vulnhub.com/entry/dc-6,315/

靶场描述:

DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This isn't an overly difficult challenge so should be great for beginners.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

1x0:环境搭建

VMware虚拟机(桥接模式) 在提示中能知道是wordpress的

需要修改hosts 192.168.3.34 wordy 靶机ip绑定wordy域名

2x0:靶机渗透

获取靶机的IP

nmap -sn 192.168.3.0/24

1610671517_6000e59d3e957e60dffe0.png!small?1610671516652

使用nmap来查看靶机的端口信息和系统信息等等

1610671584_6000e5e0509715aec5889.png!small?1610671583806

首先去查看80端口的web服务

1610671632_6000e610af53c83a09a01.png!small?1610671632819

使用dirb扫描一下目录,wordpress的目录结构 查看后台地址

1610671741_6000e67d307ab6c220e1c.png!small?1610671740670

后台还是默认地址

1610671706_6000e65a4c51616e6f82d.png!small?1610671705724

wpscan 在扫描一下获取wordpress的版本信息 和枚举用户

版本信息:

1610671859_6000e6f3a1264a4cb9137.png!small?1610671858944

枚举用户:

1610671878_6000e7065f9d4ab816158.png!small?1610671877774

提示和插件有关(这个提示是在后门有用的)

1610672599_6000e9d746e573d069e33.png!small?1610672600071

wpscan扫一下插件

1610672685_6000ea2d1992f01761d88.png!small?1610672684573

twentyseventeen 2.1版本 也没有利用点

在靶机页面下面发现了是有关暴力破解的提示

1610672972_6000eb4ca24dd053a1d65.png!small?1610672972097

用wpscan进行爆破。(漫长的等待)

cat /usr/share/wordlists/rockyou.txt| grep k01 > password.txt 构建利用的字典 根据提示

1610673380_6000ece42fd44ee7db301.png!small?1610673379512

mark/helpdesk01

3x0:后台篇

使用mark账号登录后台 绕一圈 发现这个插件使用的命令执行?(cve-2018-15877)

1610673584_6000edb0c5c17b8a62c2c.png!small?1610673584130

尝试去利用 反弹shell

前端有限制长度,用抓包在数据包中修改绕过

1610674189_6000f00d9728652c6ab6a.png!small?1610674188938

在数据包尝试用 | 即可绕过

1610674174_6000effe86a9858dd9483.png!small?1610674173870

|| 也可以绕过

1610674225_6000f031e3eb3b10f76a2.png!small?1610674225138

反弹shell

1610674358_6000f0b66ec8bb52f0bdf.png!small?1610674357709

4x0:提权篇

切换shell

1610674433_6000f101aaeb031c83d88.png!small?1610674432964

查看可以登录的用户有哪些

1610674485_6000f135a28b0164c811a.png!small?1610674485057

mysql 也不是root权限

1610674719_6000f21f5014e34267993.png!small

root命令也没有什么可以利用的。

1610674764_6000f24ca7e9350bfdaec.png!small

wordpress中的mysql的配置信息(wp-config.php)

1610675014_6000f34687ee9deebfe00.png!small

账号的信息

1610675194_6000f3fa4d6d2d6ec6656.png!small

jens目录

1610674648_6000f1d8c3378a47b7203.png!small

在mark目录下发现一个文本

1610674589_6000f19d56ddbe4ddea32.png!small?1610674588730

使用su切换到 graham/GSo7isUM1D4

使用sudo -l

1610675616_6000f5a0344458e92cd57.png!small?1610675615553

可以使用backups.sh 进行提权 在文本里面 添加上反弹shell的命令(使用ssh登录,修改文件方便)

1610676167_6000f7c712af58ea36457.png!small?1610676166410

kali监听4444端口

获取到jens的shell

1610676345_6000f879c0d52154d04e8.png!small?1610676345116

切换shell

1610676418_6000f8c2ebe6bdff26a68.png!small?1610676418244

使用nmap来进行SUID提权

查看nmap的版本

1610676501_6000f915843397da84249.png!small?1610676500915

5.20版本以后没有交互式 利用代码执行来获取到root权限

1610676598_6000f9764f7c587b1314b.png!small?1610676597557

使用nmap执行root.nse

1610676644_6000f9a418247f527e4da.png!small?1610676643353

成功获取到root权限

5x0:flag获取

1610676688_6000f9d04d50832efc52a.png!small?1610676687599


文章来源: https://www.freebuf.com/articles/web/260927.html
如有侵权请联系:admin#unsafe.sh