
Vulnhub practice DC-1 target

2022-06-10 23:04:00 Tianxia (Tianyan Master)

Vulnhub practice: the DC-1 target machine
Download link: https://www.vulnhub.com/entry/dc-1,292/
Downloading with Xunlei (Thunder) is recommended; it is noticeably faster than a browser download.
Use NAT mode to build a virtual LAN; VMnet1 is the suggested adapter.
First, perform host discovery:
nmap -sS 192.168.43.0/24    (ping-sweeps the whole 192.168.43.0/24 class C range and lists the hosts that are up)

Port detection, two ways of doing it: nmap and Goby.
nmap -A 192.168.43.238 -T4    (port and service detection at a faster timing template)
With Goby you just drop the IP in and wait for the result.

First, work out which ports are open: 22 is the SSH remote login port; 80 shows Apache, so there is a web service; 111 shows rpcbind, for which Baidu only turns up a DDoS-type vulnerability, so nothing usable there. For port 22, a weak-password brute-force tool (the "super weak password detection tool") was tried.

Nothing was found.
So the only way in is through the Apache service on port 80.
Browse the service on port 80.
The site turns out to be Drupal; Wappalyzer identifies it as Drupal 7, a CMS (content management framework). Look up the corresponding vulnerabilities on https://www.exploit-db.com/ ; XSS is not worth looking at, remote command execution and SQL injection come first.
The one used here is dated 2018-04-17; the tail of its description says metasploit, meaning it has been integrated into msf. Open msf in Kali and search for the Drupal modules.

The second one is used here, because its description matches the one on exploit-db.
Set the target IP and a shell comes back. It turns out to be an ordinary user, so the next step is privilege escalation.

The original plan was sudo or Dirty COW: sudo comes back with "command not found", and for Dirty COW, make fails to compile because gcc is missing.

Use SUID for privilege escalation: search for files that execute with root permission.
find / -perm -4000 -type f 2>/dev/null
Look up SUID files owned by root:
find / -uid 0 -perm -4000 -type f 2>/dev/null
find shows up in the list, so use find to escalate.
touch test
nc reverse shell:

find test -exec netcat -lvp 5555 -e /bin/sh \;
Open another terminal, connect to the target host, and you have root privileges.
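From the defender's side, the finding on DC-1 is a root-owned find carrying the set-uid bit. The following audit helper is an added example, not code from the original post: it lists SUID files the way the two find commands above do, then flags any binary that is not on an allowlist of programs expected to carry the bit. SUID_ALLOWLIST is a hypothetical baseline; a real one is taken from a known-good install of the same distribution.

```shell
#!/bin/sh
# Added SUID audit helper (not from the original post).
# SUID_ALLOWLIST is a hypothetical baseline of binaries that normally carry
# the set-uid bit; replace it with the list from a known-good install.
SUID_ALLOWLIST="passwd su sudo ping mount umount chsh chfn newgrp"

# suid_find ROOT: every regular file below ROOT with the set-uid bit, one per line.
suid_find() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# suid_unexpected ROOT: SUID files whose basename is not on the allowlist,
# printed as "owner path" so the report shows which account they run as.
# A root-owned entry here (such as find on DC-1) is the finding to act on.
suid_unexpected() {
    suid_find "$1" | while IFS= read -r f; do
        base=$(basename "$f")
        case " $SUID_ALLOWLIST " in
            *" $base "*) ;;   # expected on the baseline, skip
            *) owner=$(ls -ld "$f" | awk '{print $3}')
               printf '%s %s\n' "$owner" "$f" ;;
        esac
    done
}

# suid_remediate FILE: clear the set-uid bit on a binary that should not have it.
suid_remediate() {
    chmod u-s "$1"
}

# Run as a script: "sh suid_audit.sh /" prints the unexpected SUID files.
if [ $# -gt 0 ]; then
    suid_unexpected "$1"
fi
```

Run it periodically (or from a file-integrity job) and treat any new root-owned entry as a change that needs an explanation.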

That should have been the end, but other people's writeups also log into the site's back end.
Back to Baidu: exploit-db shows no other vulnerabilities, so switch platform.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=drupal7 shows that Drupal has a SQL injection vulnerability.
Its CVE number is listed there; clicking through gives a detailed description and the location of the exploit, but that points back to exploit-db, and exploit-db points to GitHub, an endless nesting of dolls. For lack of skill, the PHP exploit could not be made to work; searching GitHub for the CVE number just found turns up a Python script that adds a user directly.
https://github.com/happynote3966/CVE-2014-3704
Usage:

Note: this script has to be run with python2, otherwise you get the same error I did.

As for the other route, connecting to the database and changing the password directly, the address is posted here:
https://blog.csdn.net/qq_45427131/article/details/118711572

Looking at the current page, the FindSomething plug-in turned up a few paths in it.

Copy them and visit them.

There are three functions in total: account registration, login, and password retrieval by email.
On the registration page, register an account of your own.

Entering the user name admin with the email [email protected], the page says the display name admin is already taken. Isn't that just user name enumeration?
Without further ado, capture the login request and run the top 1000 weak passwords against it.

After a few minutes the IP was blocked, so this method does not work.
Entering admin' makes the page return unrecognizable content. Without further ado, throw it into sqlmap.


Copyright notice
This article was written by [Tianxia (Tianyan Master)]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/161/202206102138422891.html