Target machine information

DESCRIPTION
DC-7 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

While this isn't an overly technical challenge, it isn't exactly easy.

While it's kind of a logical progression from an earlier DC release (I won't tell you which one), there are some new concepts involved, but you will need to figure those out for yourself. :-) If you need to resort to brute forcing or dictionary attacks, you probably won't succeed.

What you will need to do, is to think "outside" of the box.

Waaaaaay "outside" of the box. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

TECHNICAL INFORMATION
DC-7 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CONTACT
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

Information gathering

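After deploying the target VM, scan the network with nmap to find its IP address: one address is Kali's and the other is the target's. Then scan the target host for open ports.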

# ping-scan the hosts in the subnet
nmap -sP 10.0.0.0/24
# scan the host's ports
nmap -sV -p- 10.0.0.23

Visit port 80

Get the version information

Following the hint, I found the GitHub address on Twitter

The source code is on GitHub

The source code contains a clue

flag1

The password can be used to log in over SSH

After logging in and looking around, I found a script that a scheduled task runs as root, and backup information in the home directory

Once in, the admin password can be changed in order to log in to the site's admin backend

drush user-password admin --password="123456"

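After logging in, a reverse shell can be used to obtain www-data privileges, and the /opt/scripts/backups.sh script is then used to obtain root. Editing content directly gives no PHP execution, so a module has to be loaded first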

https://www.drupal.org/project/php
https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz

Insert a small web shell, then connect to it with AntSword (中国蚁剑)

Use the /opt/scripts/backups.sh scheduled task set up by the root user to get a reverse shell with root privileges

The script runs every 15 minutes, so wait 15 minutes
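The root step above depends on a script that root's scheduled task runs while a less-privileged account can influence it. As an added example (not part of the original write-up), the audit below reads a saved crontab and flags any job script, or its directory, that is group/world-writable or not owned by the expected user; the function names and the user-format crontab (for instance saved with `crontab -l -u root`) are assumptions.

```shell
#!/bin/sh
# Added example (defensive audit), not from the original write-up.
# Assumptions: the crontab is in user format (five time fields, then the
# command); the function names are hypothetical.

# check_job_script PATH [OWNER_UID]
# Returns 0 if PATH and its directory are owned by OWNER_UID (default 0) and
# are not group- or world-writable, 1 if any check fails, 2 if PATH is missing.
check_job_script() {
    script=$1
    owner=${2:-0}
    job_rc=0
    if [ ! -e "$script" ]; then
        echo "MISSING: $script"
        return 2
    fi
    # The directory matters too: whoever can write to it can swap the file.
    for target in "$script" "$(dirname "$script")"; do
        if [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "GROUP/WORLD-WRITABLE: $target"
            job_rc=1
        fi
        if [ -z "$(find "$target" -prune -user "$owner" -print)" ]; then
            echo "NOT OWNED BY UID $owner: $target"
            job_rc=1
        fi
    done
    return "$job_rc"
}

# audit_crontab FILE [OWNER_UID]
# Checks every absolute-path command in FILE; returns 1 if any is risky.
audit_crontab() {
    cronfile=$1
    want_uid=${2:-0}
    audit_rc=0
    # Skip comment lines; VAR=value and blank lines have no sixth field.
    for cmd in $(awk '$1 !~ /^#/ && $6 ~ /^\// { print $6 }' "$cronfile" | sort -u); do
        check_job_script "$cmd" "$want_uid" || audit_rc=1
    done
    return "$audit_rc"
}

# Stand-alone use: sh audit.sh /path/to/saved-root-crontab
if [ "$#" -gt 0 ]; then
    audit_crontab "$@" || echo "Review the findings above."
fi
```

A finding on a root job is fixed by making the script and its directory owned by root with no group or world write bit.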
