Vulnhub - DC:2

Download link

Challenge description

Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

As with the original DC-1, it's designed with beginners in mind.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Just like with DC-1, there are five flags including the final flag.

And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.

In short, the only flag that really counts, is the final flag.

For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.

I haven't explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.

Working through the target

flag1

First, probe the open ports with nmap.

Ports 80 and 7744 are open; 7744 is the SSH port. Port 80 redirects to http://dc-2/, so visiting the IP address directly fails.

Edit the local hosts file and add the line 192.168.162.169 dc-2; the site then loads.

The flag1 page is linked right from the homepage and carries the next hint:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

flag2

The first hint points to cewl: crawl the site to collect words for a password list. Kali ships with cewl:

cewl http://dc-2/ -w passwd.txt

The homepage shows this is a WordPress site, so look for the WordPress admin area.

The WordPress login page is wp-login.php, and http://dc-2/wp-login.php loads the admin login form.

Next, use wpscan (also included in Kali) to enumerate usernames:

wpscan --url http://dc-2/ -e u

Three users turn up; write them to user.txt:

admin
jerry
tom

Finally, try the two lists against the login:

wpscan --url http://dc-2/ -U user.txt -P passwd.txt

Both jerry and tom can log in:

Username: jerry, Password: adipiscing
Username: tom, Password: parturient

Log in as jerry with those credentials; the login succeeds.

flag2 is found under the Pages menu.

This gives flag2 and the next hint:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

flag3

The second hint says that if WordPress offers no way in, take another route. Most of this WordPress instance's admin functions have been removed, so there is no way to get a shell through the back end. The SSH port was deliberately moved to 7744, which suggests logging in over SSH directly. tom's credentials work for SSH.

After connecting, however, the shell is rbash and none of the usual commands work.

A little testing shows that the vi command is available.

compgen -c also lists how many commands are available.

vi shows up in that list too.

So simply open flag3.txt in vi to get flag3 and the next hint:

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

flag4

The hint says to su jerry, so flag4.txt is presumably in jerry's home directory, which means escaping rbash so that cd and other commands can be used to read it.

Opening ../jerry/flag4.txt in vi would already yield flag4, but escaping rbash first lays the groundwork for the remaining steps.

Try spawning a shell from vi:

:set shell=/bin/bash
:shell
export PATH=/usr/sbin:/usr/bin:/sbin:/bin

After resetting the PATH environment variable, commands execute normally.

Alternatively, assign a shell binary to an entry in the BASH_CMDS array and run that entry, then reset the environment variables as above:

BASH_CMDS[a]=/bin/sh;a

With command execution working, cd into jerry's home directory to find flag4.txt and the next hint:

Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

flag5

The last hint does not say so outright, but it clearly calls for privilege escalation and a search for the flag in root's home directory.

First, use python to spawn a proper tty bash that is easier to read and type in:

python -c "import pty;pty.spawn('/bin/bash')"

sudo -l shows that tom has no sudo rights.

So switch to jerry with su jerry; the password is adipiscing.

Run sudo -l again.

jerry can run git as root, so the last step is clearly a git privilege escalation. There are two ways to do it:

sudo git help config
!/bin/bash    (or !'sh') at the pager prompt gives a root shell
sudo git -p help
!/bin/bash
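As an added defensive check, not part of this writeup or the DC-2 VM: a POSIX shell audit that reads sudoers-format text and flags rules granting root on binaries that can hand out a shell (git via its pager, vi via :shell, plus less, more and man), as well as NOPASSWD tags. The sample sudoers text and the list of binaries are constructed here; the jerry rule mirrors the misconfiguration this box exposes but is not copied from the VM.

```shell
#!/bin/sh
# Added audit helper, not part of the DC-2 writeup or the VM itself.
# Reads sudoers-format text on stdin and reports rules that run a
# shell-capable binary as root (a rule with no runas spec also means
# root, so every command rule is checked) and rules tagged NOPASSWD.

# Binaries that open an editor or pager from which a shell can be
# started (git uses a pager for `help`, vi offers :shell). Extend as needed.
SHELL_CAPABLE="git vi vim less more man"

# Constructed sample sudoers: the jerry rule mirrors the misconfiguration
# on this box, the other rules are invented for the demo.
SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL:ALL) ALL
jerry ALL=(root) NOPASSWD: /usr/bin/git
backup ALL=(root) /usr/bin/rsync, /usr/bin/less'

# audit_sudoers: stdin -> one finding per line, "<rule>: <reason>"
audit_sudoers() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^Defaults' |
    while IFS= read -r line; do
        set -f   # no globbing while splitting rule tokens (runs in the pipe subshell)
        # Commands in a sudoers rule are absolute paths; split on commas too.
        for tok in $(printf '%s' "$line" | tr ',' ' '); do
            case "$tok" in /*) ;; *) continue ;; esac
            base=${tok##*/}
            for s in $SHELL_CAPABLE; do
                if [ "$base" = "$s" ]; then
                    printf '%s: %s can spawn a shell as root\n' "$line" "$base"
                fi
            done
        done
        case "$line" in
            *NOPASSWD*) printf '%s: NOPASSWD, runs without a password prompt\n' "$line" ;;
        esac
    done
}

# Demo on the constructed sample; on a real host feed it /etc/sudoers
# and the files under /etc/sudoers.d/ instead.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

A bare ALL command (as in the root rule) is not flagged; the check is limited to the pager and editor pattern used on this box.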

Once root, read the last flag in root's home directory.

Congratulations!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.
