DC-1

link: https://www.vulnhub.com/entry/dc-1,292/

Description
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.
To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.
There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.
There are five flags in total, but the ultimate goal is to find and read the flag in root’s home directory. You don’t even need to be root to do this, however, you will require root privileges.
Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.
Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

Write-Up

Below are the ifconfig output and the VM setup.

Scan the hosts on vmnet8:
hausa@debian:~$ fping -asg 172.16.100.1/24
172.16.100.1
172.16.100.129

Scan 172.16.100.129 for open ports:
hausa@debian:~$ nmap -Pn 172.16.100.129
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 10:26 EDT
Nmap scan report for 172.16.100.129
Host is up (0.49s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds

Port 80 is open, so try it in a browser; the page looks like this:

It is Drupal, a CMS, and an old version at that; msf already has an exploit for it.
Playing script kiddie for once, haha.

Tried the few "excellent"-ranked modules one by one; msf is quite convenient.

After getting meterpreter, run shell, then ls, and flag1.txt shows up:

cat flag1.txt
Every good CMS needs a config file – and so do you.

Find this CMS's config file at sites/default/settings.php

That gives flag2 plus the database name, user and password.
flag2 roughly says: other than brute force, what else can you do?

python -c "import pty;pty.spawn('/bin/bash')"
Connect to the database in the new shell.
use drupaldb;
show tables;
Notice the users table; select * from users;
Looking at the output, the hashes do not look like a standard format.
Guessing this is the CMS's own hashing scheme, there should be a hashing script somewhere.
Eventually found password-hash.sh under /var/www/scripts
Running it gives the following output:

output hash may be manually entered into the {users}.pass field to
change a password via SQL to a known value.

It tells us outright that the output can be entered into SQL by hand.
So flag2 means: not brute force, but use SQL together with the provided hashing script to overwrite the password.
Running it threw a lot of errors, so I reread the script's instructions:
To execute this script this has to be the root directory of your
Drupal installation

So I went back up one directory and ran the script, as follows:

Then back in the database, set this hash as admin's password, as follows:

Then tried logging in to the admin account through the web UI with 123456.
Login succeeded; found flag3, as follows:

Special PERMS will help FIND the passwd – but you’ll need to -exec that command to work out how to get what’s in the shadow.

Time for privilege escalation.
SUID privilege escalation: when the s flag appears in place of the owner's x permission, the program has the SUID special permission set.
Find all programs with setuid set:
www-data@DC-1:/var/www$ find /bin /sbin /usr/bin /usr/sbin -perm -4000
find /bin /sbin /usr/bin /usr/sbin -perm -4000
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/sbin/mount.nfs
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4

find is on the list.
When using find here, look for a file that exists, and avoid running find on a directory, otherwise you get either no output or far too much.
The final flag is as follows:

Well done!!!!
Hopefully you’ve enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter – @DCAU7

The End

Summary

My approach should match the designer's intended path, but I never saw flag4.
Looking at other people's write-ups, flag4 is in the /home folder and the www-data user has read permission on it; there is also a hint in /etc/passwd.

There is a rather unusual approach that rewrites the CMS login logic: https://blog.csdn.net/a1004070060/article/details/105565924?utm_medium=distribute.pc_relevant.none-task-blog-baidulandingword-2&spm=1001.2101.3001.4242#t3
Since the VM has already been deleted, I won't try it again. Anyone interested can give this method a try.

Another thing I learned, from: https://blog.csdn.net/qq_43622442/article/details/107007593?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-2.channel_param&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-2.channel_param
The list of known files usable for privilege escalation is as follows:
nmap
vim
find
bash
more
less
nano
cp
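From the defender's side, the setuid search in the privilege-escalation section and the list of helper programs just above can be turned into a host audit. The script below is an added example and not part of the write-up: it re-runs the same find over the same directories, flags results whose name is on that list, and can diff the current set against a saved baseline; the script name and the baseline file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the write-up): audit setuid binaries on a host.
# Re-runs the write-up's find, flags names from the summary's helper list,
# and can diff the current set against a saved known-good baseline.

# Directories the write-up searched.
SUID_DIRS="/bin /sbin /usr/bin /usr/sbin"

# Program names from the summary's list; none should carry setuid on a
# properly configured host (the box had /usr/bin/find set this way).
RISKY="nmap vim find bash more less nano cp"

# List every setuid regular file under SUID_DIRS, sorted, one path per line.
scan_suid() {
    # shellcheck disable=SC2086  # word splitting of SUID_DIRS is intended
    find $SUID_DIRS -xdev -type f -perm -4000 2>/dev/null | sort -u
}

# Read paths on stdin; print those whose basename appears in RISKY.
flag_risky() {
    while IFS= read -r path; do
        name=${path##*/}
        for r in $RISKY; do
            if [ "$name" = "$r" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Read the current path list on stdin and print entries that are absent from
# the baseline file given as $1 (a list saved from a known-good state).
diff_baseline() {
    tmp=$(mktemp) || return 1
    sort -u "$1" > "$tmp"
    sort -u | comm -13 "$tmp" -
    rm -f "$tmp"
}

# Usage: sh suid_audit.sh scan            flag risky setuid binaries now
#        sh suid_audit.sh diff BASELINE   show setuid binaries not in BASELINE
#        sh suid_audit.sh save BASELINE   record the current set as the baseline
case ${1-} in
    scan) scan_suid | flag_risky ;;
    diff) scan_suid | diff_baseline "$2" ;;
    save) scan_suid > "$2" ;;
esac
```

Run `save` once on a freshly built host, then schedule `diff` and `scan`; on the DC-1 box, `scan` would print /usr/bin/find.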

Also, /etc/passwd and /home deserve a closer look.

If you have any other ideas or insights, I would be honored to hear from you.