VulnHub—DC-6

01 Environment Setup

  • Target VM download: https://www.vulnhub.com/entry/dc-6,315/
  • Challenge description:
Description
DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This isn't an overly difficult challenge so should be great for beginners.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

Technical Information
DC-6 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

NOTE: You WILL need to edit your hosts file on your pentesting device so that it reads something like:

192.168.0.142 wordy

NOTE: I've used 192.168.0.142 as an example. You'll need to use your normal method to determine the IP address of the VM, and adapt accordingly.

This is VERY important.

And yes, it's another WordPress based VM (although only my second one).

Important
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

Contact
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

Clue
OK, this isn't really a clue as such, but more of some "we don't want to spend five years waiting for a certain process to finish" kind of advice for those who just want to get on with the job.

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years. ;-)

02 Information Gathering

After importing the target VM into VirtualBox, the first step is information gathering.

Host discovery

The attacking machine's IP is 192.168.56.1 (the VM was imported with a Host-Only Adapter).
Use nmap to scan the subnet for live hosts:

nmap -sP 192.168.56.1/24

The scan finds 192.168.56.20, which is the target VM's IP address.

Port scan

Use nmap to scan the target's open ports and service versions:

nmap -Pn -n -sV 192.168.56.20

The target has two TCP ports open: 22 and 80.

Directory enumeration

As the challenge description requires, edit the hosts file and add the line 192.168.56.20 wordy.
Port 80 serves a WordPress site.
Scanning shows the WordPress version is 5.1.1.
A dirb scan of the web directories turns up no unusual directories or files.

03 Get Shell

Account brute force

Use wpscan to enumerate the user accounts on the target:

wpscan --url wordy --enumerate u

Five accounts are found: admin, graham, mark, sarah and jens. Save these five usernames to a file named users.
Following the clue in the description, build the password list.
Now try brute-forcing the passwords of these accounts:

wpscan --url wordy --usernames users --wordlist passwords.txt

This yields mark's password: helpdesk01

Reverse shell

Use wpscan to scan the target for vulnerable plugins:

wpscan --url wordy --enumerate vp

This reveals an RCE vulnerability, CVE-2018-15877. Download the PoC and adapt it to the local setup.
Log into the WordPress backend as mark, open the downloaded HTML file, and click submit to obtain a reverse shell.

04 Privilege Escalation

In /home/mark/stuff there is a file that records user graham's password: GSo7isUM1D4
Switch to graham and check the sudo configuration.
graham can run the backups.sh script as jens without a password, and graham also has permission to modify the script. Append a line /bin/bash to the script, then run it:

echo "/bin/bash" >> /home/jens/backups.sh
sudo -u jens /home/jens/backups.sh

This gives a shell as jens. Check jens's sudo configuration.
jens can run the nmap command without a password. Trying nmap's interactive mode fails.
Searching for nmap privilege escalation methods turns up another approach that uses nmap's script feature.
Using that method, privilege escalation succeeds and the flag is obtained.
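Both escalation steps above come from the same class of sudo misconfiguration: a NOPASSWD rule whose target the caller can modify, or a root NOPASSWD rule for a binary that can spawn a shell. The following audit script is an added example, not part of the original walkthrough or the DC-6 VM; the sudoers lines, file ownership and group membership are constructed to mirror the layout described above, and the SHELL_CAPABLE set is a hypothetical policy list seeded only with nmap.

```python
import re
from collections import namedtuple
# Hypothetical policy list for the root-NOPASSWD check; nmap is the binary abused on DC-6.
SHELL_CAPABLE = {"nmap"}
FileInfo = namedtuple("FileInfo", "owner group mode")  # mode: permission bits, e.g. 0o775
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_rule(line):
    """Parse one sudoers user specification; None for blanks, comments and Defaults."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    cmds = [c.split()[0] for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "runas": runas,
            "nopasswd": "NOPASSWD:" in m.group("tags"), "cmds": cmds}

def writable_by(user, groups, info):
    """Can `user` modify the file? groups maps user -> set of group names."""
    if info.owner == user and info.mode & 0o200:
        return True
    if info.group in groups.get(user, set()) and info.mode & 0o020:
        return True
    return bool(info.mode & 0o002)

def audit(sudoers_lines, files, groups):
    """Return (user, command, finding) tuples for the two DC-6 misconfigurations."""
    findings = []
    for rule in filter(None, map(parse_rule, sudoers_lines)):
        for cmd in rule["cmds"]:
            info = files.get(cmd)
            if info and writable_by(rule["user"], groups, info):
                findings.append((rule["user"], cmd, "WRITABLE_COMMAND"))
            if (rule["nopasswd"] and rule["runas"] in ("root", "ALL")
                    and cmd.rsplit("/", 1)[-1] in SHELL_CAPABLE):
                findings.append((rule["user"], cmd, "SHELL_CAPABLE_ROOT"))
    return findings

# Constructed sample mirroring the DC-6 layout (values are not taken from the VM)
SAMPLE_SUDOERS = ["Defaults env_reset",
                  "graham ALL=(jens) NOPASSWD: /home/jens/backups.sh",
                  "jens ALL=(ALL) NOPASSWD: /usr/bin/nmap"]
SAMPLE_FILES = {"/home/jens/backups.sh": FileInfo("jens", "devs", 0o775),
                "/usr/bin/nmap": FileInfo("root", "root", 0o755)}
SAMPLE_GROUPS = {"graham": {"devs"}}
```

Running audit(SAMPLE_SUDOERS, SAMPLE_FILES, SAMPLE_GROUPS) flags the group-writable backups.sh rule for graham and the root nmap rule for jens; the fix is to make such scripts writable only by root and to drop NOPASSWD rules for shell-capable binaries.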
