打靶记录2

靶机介绍

1）靶机地址：https://www.vulnhub.com/entry/dc-1,292/

2）靶机难度低

3）打靶目标root权限+5flag

打靶过程

1）主机发现

nmap -sn 192.168.40.0/24

 2)对目标主机端口扫描

nmap -sV 192.169.40.140

 3)登录目标网站

 发现是drupal cms

4）查看目标cms版本

 5）查看drupal 7的exp

①查找exp

 ②打开exp查看使用方法

 ③需要三个参数，目标网址，添加的用户名，密码

 ④使用成功

 6）登录后台

 7）查找到第一个flag，flag3

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

8）上传难突破，使用kali的msf进行

①

 选择2018的那个exp进行

②设置参数

 ③运行

 9）进入shell

①

 ②

 10）查找其他flag

 ①找到flag1

Every good CMS needs a config file - and so do you.

②通过flag1的提示，去配置文件查找，drupal的配置文件一般在sites/default/settings.php

flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?

③查找另外的flag

发现find命令有些不对劲，能查找到root下的文件，怀疑设了suid

④查看suid

 ⑤使用find进行提权

 ⑥提权成功，查看flag

flag4

Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?

 thefinalflag

cat /root/thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

打靶总结

使用了主机发现，端口扫描，cms识别，msf使用，suid提权