每日一攻防DC-2（二），网络安全开发者出路在哪

2401_84138968

已于 2024-04-09 12:04:16 修改

阅读量638

点赞数 27

分类专栏： 2024年程序员学习文章标签： web安全安全

于 2024-04-09 12:04:15 首次发布

本文链接：https://blog.csdn.net/2401_84138968/article/details/137546006

版权

2024年程序员学习专栏收录该内容

114 篇文章 0 订阅

订阅专栏

/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
/: Drupal Link header found with value: ARRAY(0x55b160d56a08). See: https://www.drupal.org/
/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
No CGI Directories found (use ‘-C all’ to force check all possible dirs)
Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
/: Web Server returns a valid response with junk HTTP methods which may cause false positives.
/icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin ‘Tested up to’ version usually matches the WordPress version.
/wp-links-opml.php: This WordPress script reveals the installed version.
/license.txt: License file found may identify site software.
/: A Wordpress installation was found.
/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
/wp-login.php: Wordpress login found.
7850 requests: 0 error(s) and 12 item(s) reported on remote host
End Time: 2024-01-02 14:56:50 (GMT8) (159 seconds)

1 host(s) tested
从上面信息已经知道了登入后台就是wp-login.php

5.登入后台

使用已知的账号和密码字典找出真是账号对应的密码

使用BP抓包，并找到密码如下图所示，将数据包发送给Intruder后修改数据包爆破参数

找到tom和jerry账号的密码

使用下面账号登入后台看看

user 1: tom
password 2: parturient
User 2：jerry
Password 2: adipiscing

Users1的信息

在tom账号中并没有看到其他有用信息，换jerry账号登入测试，逐步看发现有一个flag2，点击进入看到

If you can’t exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

翻译：如果你不能利用WordPress并采取快捷方式，还有另一种方法。希望你能找到另一个切入点。

发现拿到的账号并没啥有用信息，在对服务器进行全端口探测，看看除了80端口其他什么端口

C:\Users\Administrator\Desktop>nmap -sS -sV -A -T4 172.16.10.13 -p1-65535
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-02 15:44 中国标准时间
NSOCK ERROR [0.3070s] ssl_init_helper(): OpenSSL legacy provider failed to load.

Nmap scan report for dc-2 (172.16.10.13)
Host is up (0.00085s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
|http-generator: WordPress 4.7.10
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52517b6e70a4337ad24be10b5a0f9ed7 (DSA)
| 2048 5911d8af38518f41a744b32803809942 (RSA)
| 256 df181d7426cec14f6f2fc12654315191 (ECDSA)
| 256 d9385f997c0d647e1d46f6e97cc63717 (ED25519)
MAC Address: 00:0C:29:D5:51:48 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms dc-2 (172.16.10.13)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.43 seconds

发现该系统还开放了一个ssh服务的7744端口，尝试用wordpress获取到的账号和密码测试能不能登入系统

发现tom账号可以登入系统

发现tom目录下有一个flag3.txt文件，使用cat、more、tail发现都没有这个命令，原因是这些命令被限制了，只要更改rbash为bash既可以解决，于是使用vi发现能打开，less也没被过滤。内容为“Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.”，意思是说不要总围绕在Tom这个用户身上，这时我们看看home目录有那些用户的家目录，发现使用cd无法进入/home目录，这里我们将调用/bin/bash解释器。

Bash_CMDS[dajun]=/bin/bash 调用解释器
Export PATH=PATH:/bin 切换环境变量

进入jerry目录ls下看到了flag4.txt,内容如下所示，意思是：可以使用git工具