1.明确目标
DC:1
下载地址
https ://download.vulnhub.com/dc/DC-1.zip
2.信息收集
2.1被动信息收集
2.1.1DC:1网页信息收集
https://www.vulnhub.com/entry/dc-1,292/
Description
Back to the Top
DESCRIPTION
DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.
To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.
There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.
There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.
Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.
Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.
得到DC:1系统为Linux,flag一共有5个,最终目标是在 root 的主目录中找到并读取标志,甚至不需要成为 root 即可执行此操作,但是需要 root 权限。
TECHNICAL INFORMATION
DC-1 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs.
While I haven't tested it within a VMware environment, it should also work.
It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.
Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.
得到DC:1为桥接模式,IP地址与主机为同一网段
2.2主动信息收集
2.2.1查看MAC地址
获得信息
| 主机 | MAC |
|---|---|
| DC:1 | 00:0C:29:7E:17:C8 |
2.2.2端口扫描
arp-scan扫描:
root㉿kali)-[~/桌面]
└─# arp-scan -I eth0 10.9.28.0/24 >DC1-ip 扫描10.9.28.0同一网段存活主机并保存到DC-ip
┌──(root㉿kali)-[~/桌面]
└─# cat DC1-ip
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7f:05:7d, IPv4: 10.9.28.188
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.9.28.96 00:0c:29:7e:17:c8 VMware, Inc.
74 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.401 seconds (106.62 hosts/sec). 65 responded
(root㉿kali)-[~/桌面]
└─# cat DC1-ip | grep -i "00:0C:29:7E:17:C8"
10.9.28.96 00:0c:29:7e:17:c8 VMware, Inc.
获得信息
| 主机 | IP地址 | MAC |
|---|---|---|
| DC:1 | 10.9.28.96 | 00:0c:29:7e:17:c8 |
3.漏洞扫描
3.1nmap扫描
(root㉿kali)-[~/桌面]
└─# nmap -A -T4 -sC -p- -sT 10.9.28.96 -oN DC:1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-12 03:58 EST
Nmap scan report for bogon (10.9.28.96)
Host is up (0.00059s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
| 1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
| 2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_ 256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-title: Welcome to Drupal Site | Drupal Site
|_http-server-header: Apac
最低0.47元/天 解锁文章
2120
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
