DC-6

DC系列是专门构建的易受攻击的实验室，旨在获得渗透测试领域的经验，目前总共有9个靶机
关注微信公众号：网络安全101，公众号内回复**DC**，即可获取DC系列靶机镜像！

导入DC6靶机，网络适配器选择NAT模式，确保和kali处于同一IP段！！！

## 信息收集

> 确定主机IP地址 - netdiscover -i eth0 -r 192.168.84.0/24

![image-20221217213013956](https://oss.maolin101.com/20250107035333237.png-101.webp)

> 端口探测

```bash
masscan 192.168.84.182 --rate=1000 -p 0-65535
```

![image-20221217213105553](https://oss.maolin101.com/20250107035333238.png-101.webp)

> 使用nmap 对80端口进行漏洞扫描

![image-20221217213152675](https://oss.maolin101.com/20250107035333239.png-101.webp)

## WEB测试

> 直接访问 目标ip+端口 会跳到wordy域名，修改hosts文件

![image-20221217213510057](https://oss.maolin101.com/20250107035333240.png-101.webp)

> 站点由wordpress搭建

![image-20221217213604447](https://oss.maolin101.com/20250107035333241.png-101.webp)

> 根据nmap扫描出来的用户名， 形成用户名字典，使用wpscan进行用户名爆破

![image-20221217213820359](https://oss.maolin101.com/20250107035333242.png-101.webp)

密码字典使用Kali自带的rockyou.txt

![image-20221217213940797](https://oss.maolin101.com/20250107035333243.png-101.webp)

> 进行爆破

```bash
wpscan --url http://wordy/ -U ./user.txt -P /usr/share/wordlists/rockyou.txt
```

账户密码 mark 、helpdesk01

> 登录成功之后，发现网站使用了插件，插件是否存在漏洞呢？

![image-20221217215058570](https://oss.maolin101.com/20250107035333244.png-101.webp)

> 搜索该查询是否存在历史漏洞

![image-20221217215210590](https://oss.maolin101.com/20250107035333245.png-101.webp)

使用45274.html

将文件拷贝到当前目录

![image-20221217215452458](https://oss.maolin101.com/20250107035333246.png-101.webp)

> POC

![image-20221217215425978](https://oss.maolin101.com/20250107035333247.png-101.webp)

将POC部分复制出来单独形成文件

![image-20221217221239184](https://oss.maolin101.com/20250107035333248.png-101.webp)

> 在本机开启http服务，去访问poc.html

用python开启http服务，访问poc.html，同时攻击机开启监听端口

![image-20221217220354304](https://oss.maolin101.com/20250107035333249.png-101.webp)

![image-20221217220404970](https://oss.maolin101.com/20250107035333250.png-101.webp)

![image-20221217220435637](https://oss.maolin101.com/20250107035333251.png-101.webp)

点击request

成功获取shell

![image-20221217221308567](https://oss.maolin101.com/20250107035333252.png-101.webp)

## 提权

> 获取标准的终端

```bash
python -c 'import pty;pty.spawn("/bin/bash")'
```

![image-20221217221422490](https://oss.maolin101.com/20250107035333253.png-101.webp)

> 查看家目录

![image-20221217221612534](https://oss.maolin101.com/20250107035333254.png-101.webp)

> 在mark目录下发现内容

![image-20221217221756248](https://oss.maolin101.com/20250107035333255.png-101.webp)

得到graham 的密码 GSo7isUM1D4

> ssh登录graham账户

![image-20221217221908240](https://oss.maolin101.com/20250107035333256.png-101.webp)

> sudo -l 查看当前用户可用执行哪些root命令

![image-20221217221947753](https://oss.maolin101.com/20250107035333257.png-101.webp)

不需要密码就可以执行sh文件

> 查看sh文件内容

![image-20221217222128445](https://oss.maolin101.com/20250107035333258.png-101.webp)

> 是否可以追加bash内容呢？

![image-20221217222323886](https://oss.maolin101.com/20250107035333259.png-101.webp)

> 查看jens用户可以执行哪些root命令呢？

![image-20221217222354968](https://oss.maolin101.com/20250107035333260.png-101.webp)

这个账户可以执行nmap，nmap是可以执行脚本文件的

> 可写一个脚本进行提权

![image-20221217222830574](https://oss.maolin101.com/20250107035333261.png-101.webp)

```bash
原型：os.execute ([command])
解释：这个函数相当于C语言中的system()
解析command.再来通过的系统来调用解析的结果
```

![image-20221217222901608](https://oss.maolin101.com/20250107035333262.png-101.webp)