Target machine overview
1) Target address: https://www.vulnhub.com/entry/dc-1,292/
2) Target difficulty: low
3) Goal: root privileges + 5 flags
Attack walkthrough
1) Host discovery
nmap -sn 192.168.40.0/24
2) Port scan of the target host
nmap -sV 192.168.40.140
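3) Open the target website
It turns out to be the Drupal CMS
4) Check the target CMS version
5) Look up exploits for Drupal 7
①Search for an exploit
②Open the exploit to see how it is used
③It takes three parameters: the target URL, the username to add, and the password
④It ran successfully
6) Log in to the admin back end
7) Found the first flag, flag3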
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
8) Getting in through file upload proved difficult, so use msf on Kali instead
①Choose the 2018 exploit
②Set the parameters
③Run
9) Get a shell
10) Look for the other flags
①Found flag1
Every good CMS needs a config file - and so do you.
②Following the hint in flag1, look in the configuration file; Drupal's configuration file is usually at sites/default/settings.php
flag2
* Brute force and dictionary attacks aren't the
* only ways to gain access (and you WILL need access).
* What can you do with these credentials?
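③Look for the remaining flags
The find command behaves oddly: it can locate files under root, so it probably has the SUID bit set
④List SUID binaries
⑤Use find to escalate privileges
⑥Privilege escalation succeeded; view the flags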
flag4
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy. Or maybe it is?
thefinalflag
cat /root/thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
Summary
Techniques used: host discovery, port scanning, CMS identification, msf, and SUID privilege escalation
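
The SUID bit on find noted in step 10 is the kind of misconfiguration a routine audit should catch. The following is an added example, not part of the original write-up: it walks a directory tree, lists every setuid file, and marks those whose name is in a small illustrative set of programs that can run other commands. The set `COMMAND_RUNNERS`, the function names and the sample tree are assumptions constructed for this example.

```python
import os
import stat
import tempfile

# Illustrative, non-exhaustive set (an assumption of this example): programs
# that can launch other commands, e.g. find through -exec. A setuid bit on
# any of them lends the file owner's privileges to whoever runs it.
COMMAND_RUNNERS = {"find", "vim", "vi", "nmap", "awk", "bash", "sh",
                   "env", "python", "perl"}


def audit_setuid(root):
    """Walk root and return one finding per setuid regular file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            findings.append({
                "path": path,
                "owner_uid": st.st_uid,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "command_runner": name in COMMAND_RUNNERS,
            })
    # Files that can run other commands come first in the report.
    return sorted(findings, key=lambda f: (not f["command_runner"], f["path"]))


def build_sample_tree():
    """Constructed sample: a setuid 'find', a setuid 'passwd', a plain 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    for name, mode in (("find", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for f in audit_setuid(build_sample_tree()):
        tag = "REVIEW" if f["command_runner"] else "expected?"
        print(f'{tag:9} {f["mode"]} uid={f["owner_uid"]} {f["path"]}')
```

On a real host, point `audit_setuid` at `/` and compare the result with the distribution's expected setuid list; clearing the bit with `chmod u-s` on a flagged binary removes the path used in step ⑤.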