1. Host discovery
Target IP address: 192.168.109.163
2. Scan the target's service versions
3. Port 80 is open; visit the home page
Access fails.
The hostname does not resolve locally; add an entry for it to /etc/hosts.
Refresh the page.
Click Home in the lower left corner.
Flag 1 found: it mentions cewl, which looks like a username; log in to find the next flag.
No other useful information was found in the rest of the site, so scan for back-end directories.
4. Scan for back-end directories with a tool
Visit the first directory.
Clearly cewl is not a username after all; a search shows it is a Kali Linux password-attack tool that generates a password list.
Visit the second directory; the PHP file is basically a blank page with no useful information.
The remaining three directories yield nothing useful either, so go straight for WordPress. There is a dedicated scanner, wpscan, which was also used on the earlier LazySysAdmin target.
Scan for WordPress users (note: this parameter did not find any)
……
Three users found: jerry, admin, tom; write them to dc-2-users.txt.
Now that we have both a username list and a password list, a tool can be used to match them.
Method one: Continue to use wpscan
It only finds passwords for jerry and tom.
Method two: Use Burp Suite
Method three: hydra, which ships with Kali
hydra -L dc-2-users.txt -P dc-2.txt dc-2 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
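Added example, not part of the original write-up: a defender-side check that flags the kind of wp-login.php burst the three methods above produce, run over constructed Apache combined-format log lines. The 302 redirect it counts as a success is the same signal hydra's S=Location condition keys on. Source IPs, timestamps and the window/threshold values are assumptions.

```python
"""Flag bursts of POSTs to /wp-login.php per source IP in Apache combined logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 12 POSTs in 12 seconds from one IP, the last one a 302
# (login accepted), plus one ordinary login from a second IP.
SAMPLE_LOG = [
    f'10.0.0.5 - - [21/Mar/2020:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412'
    for i in range(11)
] + [
    '10.0.0.5 - - [21/Mar/2020:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '10.0.0.9 - - [21/Mar/2020:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2100',
    '10.0.0.9 - - [21/Mar/2020:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_login_bursts(lines, window=timedelta(seconds=60), threshold=10):
    """Return {ip: (total_posts, redirects)} for every IP that sent at least
    `threshold` POSTs to /wp-login.php inside any sliding `window`.
    A 302 after a run of 200s is the brute-force-succeeded pattern."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            per_ip[rec["ip"]].append((rec["ts"], rec["status"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sum(1 for _, s in events if s == 302))
                break
    return flagged
```

A single IP with a long run of 200s ending in a 302 is worth an alert on its own; the legitimate user in the sample never crosses the threshold.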
5. SSH in with the credentials obtained
Logging in as jerry fails; I do not know why, I tried several times without success.
Switch to user tom and check permissions.
Some commands are forbidden from executing, so try to escape rbash.
Refer to: https://www.freebuf.com/articles/system/188989.html
rbash is restricted bash; administrators usually restrict many commands with it.
6. Check which commands are available
The available commands are less, ls, scp and vi; the following bypasses work:
- Using less: $ less test, then !'sh'
- Using ls: $ man ls, then !'sh'
- Using vi: $ vi test, then :!/bin/sh or :!/bin/bash
BASH_CMDS[a]=/bin/sh;a also escapes directly.
Viewing flag3 still has a problem, probably an environment variable issue.
7. Change the environment variables and view flag3.txt
My translation feels odd; anyway, the next step is to switch to user jerry, list the directory and check permissions.
Find flag4.txt and view it.
It contains the notable keyword git; check the sudo configuration file.
8. Try privilege escalation via git: use $ sudo git help config or $ sudo git -p help
Privilege escalation succeeded.
Check the root directory and find the final-flag file.