Vulnhub靶机DC系列-DC3 – 作者:fghsk456

0x0:靶场介绍

靶场名称: DC: 3

靶场发布时间:2019-4-25

靶场地址:https://www.vulnhub.com/entry/dc-32,312/

靶场描述:

DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

For those with experience doing CTF and Boot2Root challenges, this probably won’t take you long at all (in fact, it could take you less than 20 minutes easily).

If that’s the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.

1×0:环境搭建

使用VMware(NAT)会出现没有IP的情况,下面使用virtualBox(NAT模式)

在更新完win10最新版本后会出现打开不virtualBox的情况

在安装目录中cmd 输入(就可以解决Hyper-v和vurtualBox共存的情况)

#指定vbox下的虚拟系统开启这个功能
VBoxManage setextradata "<虚拟机名字>" "VBoxInternal/NEM/UseRing0Runloop" 0

#或指定vbox所有虚拟系统开启
VBoxManage setextradata global "VBoxInternal/NEM/UseRing0Runloop" 0

2×0:靶机渗透

获取靶机的IP

nmap -sn 192.168.3.0/24(靶机在virtualbox上,攻击机在VMware使用桥接网络)

1610421243_5ffd13fbbfdd52301973b.png!small?1610421242466

使用nmap来查看靶机的端口信息和系统信息等等

1610421211_5ffd13dbb4da0210c569f.png!small

首先去查看80端口的web服务

1610421331_5ffd1453bfb57d39eb2c5.png!small?1610421330518

没有什么明显的信息使用dirb扫描一下目录

1610421377_5ffd14812d3d9fe344ca4.png!small?1610421376435

扫描到后台地址:http://192.168.3.30/administrator/

1610421426_5ffd14b2d66ce38affcf7.png!small?1610421425639

看见就知道是joomla的cms,但是版本没有办法判断,在尝试一下说明文件README.txt 发现版本说明

1610422007_5ffd16f7ba705f43156cc.png!small?1610422006523

在kali中去搜索joomla 3.7的漏洞

1610422137_5ffd1779197254dbbb52d.png!small?1610422135935

sql注入

1610422239_5ffd17df13f73aff68d85.png!small?1610422238579

漏洞点地址:http://192.168.3.30/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

单引号尝试:存在sql注入

1610422365_5ffd185d76e4b8b377e73.png!small?1610422364199

sqlmap 走起!

1610422554_5ffd191aa9c7f65674915.png!small?1610422553816

跑数据 格式有点问题。

1610423093_5ffd1b357de8c2807d1fd.png!small?1610423092233

获取到管理员加密后的密码

$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

使用john 来破解

john pwd –wordlist=/usr/share/wordlist/rockyou.txt (我直接出来了密码)

1610423396_5ffd1c6407c121b3d7c21.png!small?1610423394771

admin/snoopy 登录后台

3×0:后台篇

在后台查找一番发现 类似于模板的页面

1610423726_5ffd1dae973e2f1f101e5.png!small?1610423725426

可以利用模板的信息

1610423778_5ffd1de20beefd84eba43.png!small?1610423776947

在结合上面的端口信息没有ssh应该是从web端进入 webshell? 来尝试一下

直接创建一个php的文件msf的反弹shell (可以使用msf来接接收,我使用nc)

1610423832_5ffd1e18c0dcb6015e6be.png!small?1610423831496

要选择这个模板

1610424235_5ffd1fab8d6c543bddb5d.png!small

反弹shell1610424218_5ffd1f9a3b720204d9fd4.png!small

地址:http://192.168.3.30//templates/protostar//A1.php(地址找半天)

1610424426_5ffd206ab903434c2a03e.png!small?1610424425500

在做靶机的时候,我的终端出现一些问题,不能用python升级

1610425192_5ffd2368a4d6466e72522.png!small?1610425191370

我也不知道为什么。。。就接着用了

4×0:提权篇

查看系统的内核版本

1610424661_5ffd2155d5c5963979a48.png!small?1610424660610

启动kali上的apache,把exp上传到服务器

1610424861_5ffd221d5dc6f4ba89a86.png!small?1610424860120

把exp下载到靶机

1610424850_5ffd22124745cbfe8c6d1.png!small?1610424848986

解压exp

1610424926_5ffd225e9e680bd649820.png!small?1610424925388

授权脚本

1610424974_5ffd228edfd46e4fac268.png!small?1610424973662

使用exp

1610425057_5ffd22e1e5fecac6b38da.png!small?1610425056676

报错不影响使用

1610425078_5ffd22f616a3a3ce7ba11.png!small?1610425076722获取到root权限

1610425106_5ffd23120a0b22b6fa136.png!small?1610425104689

5×0:flag获得

1610425138_5ffd23329fd01aeaf3e22.png!small?1610425137358

来源:freebuf.com 2021-01-12 12:21:26 by: fghsk456

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论