Preliminary study on DC-1 shooting range
2022-07-23 11:31:00, by qianpd
The DC series of VulnHub boxes simulates a red-team engagement. It walks through almost every step of a penetration test, from information gathering to getting a foothold to privilege escalation, finding the flags one by one and following the hints in each flag until we finally obtain root. The process is quite interesting.
Download the environment: https://download.vulnhub.com/dc/DC-1.zip
After downloading and extracting, there is a DC-1.ova file; double-click it to open it in VMware and you are ready to go.
As you can see, the whole exercise is a black-box test (no login account or password is given).

1. Gaining access
First, gather information about the target.

We can see that the target has three ports open: 22, 80 and 111.
Visit the target's web page in a browser.

We can see that the site is built on the Drupal CMS. Next, we look at its robots.txt file.

At first glance there are many directories listed, but nothing useful for us. Looking at the homepage again, it is a login page. First I tried to register a new user, but the new user could not log in, and the username admin was already taken, so that is probably the administrator account. Next, I tried to brute-force its password.

Brute-forcing went nowhere, and scanning the site's directories was equally fruitless, so the only option left was to look online for public vulnerabilities. After some searching, CVE-2018-7600 looked like the most likely candidate, and Metasploit (MSF) has a module for this vulnerability.

flag1
We use that module directly. After a successful exploit we get a low-privileged user; let's have a look around.

There is a flag1.txt file; open it and have a look.

flag2
The gist of flag1 is that our next goal is Drupal's database configuration file. From online sources, the Drupal configuration file is at /sites/default/settings.php; once inside, we can see flag2 together with the account and password used to connect to the database.

flag2 roughly says that you need an account and password to gain access.

2. Privilege escalation
With the database credentials in hand, I tried connecting with Navicat, but the connection failed. Still, now that we have the database username and password, we can use python to spawn an interactive shell and then connect to the database with those credentials:
python -c 'import pty;pty.spawn("/bin/bash")'
mysql -u dbuser -p
Enter password: R0ck3t
show databases;   (list the databases)

Use show tables; to list all the tables.

There is a users table here, which looks like where the administrator's account and password are stored. The administrator's password is stored as a salted hash, so it cannot simply be read back; the approach found online is to replace it with a new one. From online sources we can learn the following:

flag3
After changing the password, we can successfully log in to the site's admin backend.

I originally wanted to try uploading a one-line webshell here, but after looking through the templates and theme settings I found no usable upload point, so I gave up on that. I did find flag3, though.
The flag3 message mentions passwd and shadow, which should refer to the files /etc/passwd and /etc/shadow, and find, perms and -exec, which are presumably hints for the privilege-escalation step.
The /etc/passwd and /etc/shadow files:
1. All user accounts and passwords are stored in these two files.
2. /etc/passwd holds each user account. Only the administrator can modify this file, but every user can read it.
3. /etc/shadow holds the passwords and related information. Only the system administrator can modify and view this file; other users can neither view nor modify it.

flag4
Moving on. Continuing to browse the directories, I found flag4.txt in /home/flag4/.

The next step is privilege escalation. Reading other people's writeups, they use SUID privilege escalation; one writeup on SUID privilege escalation I found particularly well written.
Look for binaries that run with root's permissions (the SUID bit set). Any of the following commands lists them:
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
Running ls -lh /usr/bin/find shows that find is owned by root with the SUID bit set.

Use find to escalate privileges:
find ./ 111 -exec '/bin/sh' \;
This gives us a shell with root privileges.
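To turn the SUID enumeration and the /etc/shadow permission notes above into something a defender can run regularly, here is an added example that is not part of the original writeup: a POSIX shell script that reports SUID files missing from an expected baseline and checks that /etc/shadow is not world-readable. The allowlist format, its default path /etc/suid-allowlist.txt and the SUID_AUDIT_* environment variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original writeup: compare the SUID binaries on
# a host against an expected baseline (the same -perm -4000 test as the
# enumeration commands above) and check that /etc/shadow is not world-readable.
# The allowlist format, its default path and the SUID_AUDIT_* variables are
# assumptions made for this example.

# audit_suid ROOT ALLOWFILE
# Prints every set-uid file under ROOT whose path (relative to ROOT, so that a
# mounted image can be audited too) is not listed in ALLOWFILE, one absolute
# path per line. Returns 1 if anything unexpected was found, 0 otherwise.
audit_suid() {
    root=${1%/}          # "/" becomes "", so relative paths keep their leading /
    allow=$2
    found=0
    # stderr is discarded so unreadable directories do not clutter the report
    for f in $(find "${root:-/}" -perm -4000 -type f 2>/dev/null); do
        rel=${f#"$root"}
        if ! grep -qxF -- "$rel" "$allow"; then
            printf 'UNEXPECTED SUID: %s\n' "$rel"
            found=1
        fi
    done
    return "$found"
}

# shadow_world_readable FILE
# True (exit 0) when FILE grants read permission to "others", i.e. the
# condition that would let an unprivileged user read the password hashes.
shadow_world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Runs only when explicitly requested, so the file is safe to source:
#   SUID_AUDIT_ROOT=/ SUID_AUDIT_ALLOW=/etc/suid-allowlist.txt sh suid_audit.sh
if [ -n "${SUID_AUDIT_ROOT:-}" ]; then
    audit_suid "$SUID_AUDIT_ROOT" "${SUID_AUDIT_ALLOW:-/etc/suid-allowlist.txt}"
    if shadow_world_readable "${SUID_AUDIT_ROOT%/}/etc/shadow"; then
        echo "WARNING: /etc/shadow is readable by other users"
    fi
fi
```

On a DC-1 style box, /usr/bin/find shows up as unexpected as soon as it is absent from the baseline, which is exactly the drift this check is meant to catch.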

Final flag
Then, in the root user's home directory, we get the final flag.
