2020-02-19

VulnHub::DC-1 Walkthrough

0x01 Introduction

DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.

To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

0x02 Tools and Tips

  • nmap
  • JohnTheRipper
  • Drupal Geddon 2 Forms API Property Injection
  • Drupal Geddon SQL Injection (Add admin user)

0x03 Pentesting

Locate the target machine's IP address:

Enumerate the target's open ports and services:

Start with Drupal 7 and look up the related vulnerabilities in Metasploit:

drupal_drupalgeddon2 exploits successfully; set up the relevant options:

Use a Python one-liner to get a proper TTY, then obtain the first flag, flag1.txt:

The flag hints at finding the configuration file; Google the location of a Drupal site's configuration file:

It yields not only the contents of flag2 but also the MySQL database username and password; try logging in:

Query the accounts and password hashes in the users table:

Crack the passwords with JohnTheRipper:

Log into the backend with Fred's account; there is no flag or hint there, so try to obtain administrator privileges in the backend, using searchsploit to look up related exploits:

Following the hint, add a new administrator user:

Querying the database confirms the insert succeeded:

Log into the backend and find flag3 under Content:

flag3 tells us to look at the shadow file, and the word "perm" suggests SUID privilege escalation:

The find command can be used for privilege escalation:

Run find . -exec /bin/sh \; -quit

There is a user named flag4; its home directory contains flag4.txt:

Enter root's home directory and find the last flag:

0x04 Extra

Following flag3's hint, the intended approach is presumably to search for it with the find command:

Explanation of the command: https://blog.csdn.net/u010900754/article/details/83020378?utm_source=distribute.pc_relevant.none-task
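The root path in this box exists only because /usr/bin/find carries the setuid bit. As an added example (not code from the original walkthrough), here is the corresponding defender-side check in POSIX sh: list setuid binaries, compare them against a baseline of binaries that legitimately need the bit, and emit the chmod that strips it from the rest. The baseline list is an assumption for a Debian-style host, and the sample listing is constructed.

```shell
#!/bin/sh
# Added SUID audit, not from the original walkthrough. DC-1's escalation works only
# because /usr/bin/find carries the setuid bit, so the check is: list setuid
# binaries, compare with the baseline that legitimately needs the bit, strip the rest.

# Baseline setuid binaries on a Debian-style host (assumption; derive it from a
# freshly installed reference system in practice).
ALLOWED_SUID="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /bin/su /bin/mount /bin/umount /bin/ping /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp"

# is_allowed PATH: succeeds when PATH is in the baseline.
is_allowed() {
  for allowed in $ALLOWED_SUID; do
    [ "$allowed" = "$1" ] && return 0
  done
  return 1
}

# collect_suid DIR: enumerate setuid regular files below DIR (use / on a live host).
collect_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# unexpected_suid: reads paths on stdin, prints those outside the baseline.
unexpected_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    is_allowed "$path" || printf '%s\n' "$path"
  done
}

# print_remediation: turns each unexpected path into the command that fixes it.
print_remediation() {
  while IFS= read -r path; do
    printf 'chmod u-s %s\n' "$path"
  done
}

# Constructed sample: what collect_suid / might return on a DC-1-like host.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
/usr/bin/find'

# audit_sample: run the check over the constructed listing (offline demo).
audit_sample() {
  printf '%s\n' "$SAMPLE_SUID" | unexpected_suid
}
audit_sample | print_remediation   # prints: chmod u-s /usr/bin/find
```

On a real host replace the sample with `collect_suid / | unexpected_suid | print_remediation` and review each line before applying it.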

Having obtained the sha256 of the password, try to crack it:

SSH login succeeds:

Copyright © ca01h 2019-2020