当前位置:网站首页>Hackmyvm target series (2) -warrior
Hackmyvm target series (2) -warrior
2022-07-06 14:04:00 【The moon should know my meaning】
One 、 information gathering
Scan network segment first , Detect live hosts , Because there are too many campus network hosts , I'll steal a little lazy .
Target host found IP
nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox
Use nmap Scan the target port , Explore open services .
nmap -sT -T4 -sV -sC -O -A -p- 192.168.200.183
Here's the picture , Scan to two ports , Namely ssh and http service
Visit http service , View the source code , However, no useful information was found .
Use dirsearch Do a directory scan .
dirsearch -u http://192.168.200.183/ -e php,html,txt,db,bak,zip,7z,gz -x 404,301,500-599 -t 50 -r -R 3
Find the following information .
visit robots.txt file , I found these files and directories below , Visit one by one .
user.txt, It should be a user name
Translate it , This probably means to constantly change mac Last digit of address , And up there secret.txt Because this is the scope of transformation , just 16 position .
Two 、 Exploit
Change the computer's MAC Address , The use cases are as follows :
Prevent some software from recording your true MAC Address
The network administrator blocked your MAC Address
After testing, only mac The address is 00:00:00:00:00:af Successful access
ifconfig eth0 down
ifconfig eth0 hw ether 00:00:00:00:00:af
ifconfig eth0 up
Pictured above , Got the code Zurviv0r1
First I used user.txt In the middle of loco, But login failed . But I saw that sentence mentioned bro, So log in again with this user . Login successful !( Hey ! Fortunately, the picture was cut at that time )
Get the first one flag
3、 ... and 、 Elevated privileges
Let's see if it works sudo The abuse of .
??? There is no such order ?
Don't panic , try suid Raise the right .
View with s Permission file , I found that there was actually one sudo. Quickly check the environment variables .??? Really , No environment variables /usr/sbin/ Catalog .
Enter the following command , Find out task The command does not need a password to be able to root Permission to run
sudo -l
utilize task Order to raise rights
/usr/sbin/sudo task execute /bin/bash
Pictured , Successfully promoted the permission to root
Get the last one flag
边栏推荐
猜你喜欢
3. Input and output functions (printf, scanf, getchar and putchar)
About the parental delegation mechanism and the process of class loading
7-7 7003 combination lock (PTA program design)
Have you encountered ABA problems? Let's talk about the following in detail, how to avoid ABA problems
撲克牌遊戲程序——人機對抗
[dark horse morning post] Shanghai Municipal Bureau of supervision responded that Zhong Xue had a high fever and did not melt; Michael admitted that two batches of pure milk were unqualified; Wechat i
A piece of music composed by buzzer (Chengdu)
浅谈漏洞发现思路
7-7 7003 组合锁(PTA程序设计)
Matlab opens M file garbled solution
随机推荐
Strengthen basic learning records
canvas基础2 - arc - 画弧线
Have you encountered ABA problems? Let's talk about the following in detail, how to avoid ABA problems
Detailed explanation of redis' distributed lock principle
Strengthen basic learning records
[err] 1055 - expression 1 of order by clause is not in group by clause MySQL
2022 Teddy cup data mining challenge question C idea and post game summary
【MySQL数据库的学习】
7-9 制作门牌号3.0(PTA程序设计)
Safe driving skills on ice and snow roads
How to turn wechat applet into uniapp
深度强化文献阅读系列(一):Courier routing and assignment for food delivery service using reinforcement learning
Attach the simplified sample database to the SQLSERVER database instance
Canvas foundation 2 - arc - draw arc
Read only error handling
Inaki Ading
7-11 mechanic mustadio (PTA program design)
The difference between cookies and sessions
7-3 construction hash table (PTA program design)
7-6 local minimum of matrix (PTA program design)