Target machine DC-2 practice: bypassing rbash to get a shell, and escalating privileges with the git command

1. Host discovery

Target IP address: 192.168.109.163

2. Scan the target's service versions

3. Port 80 is open; access the home page

Access fails

Clearly the local domain name does not resolve; add it to the /etc/hosts file

Refresh the page again

Click "Home" in the lower left corner

Found flag1: the word cewl appears and looks like it could be a username; log in to find the next flag

No other useful information was found in the rest of the site, so next scan for directories and the admin backend

4. Scan for backend directories with a tool

Access the first directory

Clearly cewl is not a username after all; a quick search shows it is a Kali Linux password-attack tool that can generate a wordlist

Access the second directory; the php file is basically a blank page with no useful information

The remaining three directories contain nothing useful, so go straight at WordPress: there is a dedicated scanner, wpscan, which was also useful on the earlier LazySysAdmin target

Scan WordPress for users (note: this parameter is not something the scan itself reveals)

……

Found three users: jerry, admin, tom; write them to dc-2-users.txt

Now that we have both a user list and a password list, use a tool to match them up

Method one: continue with wpscan

This only finds jerry and tom

Method two: use Burp Suite

Method three: hydra, which ships with Kali

hydra -L dc-2-users.txt -P dc-2.txt dc-2 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

5. Use the obtained username and password for SSH

Logging in as jerry fails; I do not know why, I tried several times without success

Switch to the user tom and check permissions

Clearly some commands are forbidden from executing; try to bypass rbash

Reference: https://www.freebuf.com/articles/system/188989.html

rbash is a restricted bash; administrators usually restrict many commands

6. Check the available commands

The available commands are less, ls, scp and vi; the following bypasses work:

  • Using less: $ less test, then !'sh'
  • Using ls: $ man ls, then !'sh'
  • Using vi: $ vi test, then :!/bin/sh or :!/bin/bash

BASH_CMDS[a]=/bin/sh;a can also bypass it directly

Viewing flag3 still has a problem; it should be an environment-variable issue

7. Change the environment variable and view flag3.txt

My own translation feels a bit odd; in any case the next step is to switch to user jerry, look at the directory and check permissions

Find flag4.txt and view it

A special keyword, git, stands out; check the sudo configuration file

8. Try privilege escalation via git: $ sudo git help config or $ sudo git -p help can be used

Privilege escalation succeeded

Look at the root directory and find the final-flag file
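Both breakouts above (the rbash escape through less/man/vi in step 6 and the sudo git escalation in step 8) rely on the same weakness: a command on the allowlist that can hand the user an interactive shell. The audit below is an added defender-side example, not code from the original post; the sudoers text it checks is constructed to mirror the kind of grant the walkthrough abuses.

```python
"""Audit an rbash command allowlist and a sudoers file for commands
that can spawn a subshell (pagers, editors, and git, whose `help`
subcommand runs the pager). Added example; SAMPLE_SUDOERS is constructed."""
import re

# Programs that give the invoking user an interactive shell escape; any of
# these on an rbash allowlist or in a narrow sudo grant defeats the restriction.
SHELL_ESCAPE_COMMANDS = {"less", "more", "man", "vi", "vim", "view", "git"}


def risky_restricted_commands(allowed):
    """Names in a restricted user's PATH directory that can escape rbash."""
    return sorted(set(allowed) & SHELL_ESCAPE_COMMANDS)


# user host=(runas) [TAG:]... command[, command]...  (simplified sudoers grammar)
_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return (user, run-as, binary, nopasswd) for every command entry whose
    binary can spawn a shell, and for unrestricted 'ALL' grants."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0]
        nopasswd = "NOPASSWD" in m.group("tags")
        for entry in m.group("cmds").split(","):
            binary = entry.strip().split()[0].rsplit("/", 1)[-1]
            if binary == "ALL" or binary in SHELL_ESCAPE_COMMANDS:
                findings.append((m.group("who"), runas, binary, nopasswd))
    return findings


# Constructed sample: a git grant of the shape that step 8 relies on.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
# jerry may run git as root without a password
jerry   ALL=(root) NOPASSWD: /usr/bin/git
tom     ALL=(root) /usr/bin/systemctl status ssh
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("sudo grant with shell escape:", finding)
    print("rbash escapes:", risky_restricted_commands(["less", "ls", "scp", "vi"]))
```

Run against the real /etc/sudoers and the restricted user's PATH directory; every hit is a command that should be removed from the grant or replaced with a non-interactive wrapper.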

Origin: blog.csdn.net/qq_41210745/article/details/103615317