
DC4 of vulnhub

2022-06-10 23:03:00 Tianxia (Tianyan Master)

This walkthrough follows the official write-up:

https://blog.mzfr.me/vulnhub-writeups/2019-07-11-DC4

There are still some differences between this range and other ranges. In a nutshell, it beats around the bush: it won't directly let you carry out privilege escalation. I feel there are some problems with some of the ideas in the official write-up.

Host discovery

nmap -sS 192.168.43.0/24

The target IP is 192.168.43.138 and the attacking IP is 192.168.43.128.

Port scan

The target has port 22 (ssh) and port 80 (http) open. Without further ado, brute-force ssh with a top100 list:

hydra -L /opt/user.txt -P /opt/password.txt -e ns -f -vV 192.168.43.138 ssh

The brute force was unsuccessful, so start from the http port (80) with fingerprinting.

No known framework was recognized.

There is only a login box, and it transmits in clear text. Without further ado, bring out the cracked version of bp (Burp Suite) and a top1000 list; the cracked version runs fast.

Traverse the dictionary for username and password separately.

The account and password were found quickly. The problem, though, is that this interface needs only one successful input; after that, whatever is entered, it shows a successful login. So as for the official blogger's admin/54321, I don't think so.

After a successful login there is an interface for executing a command, but no way to type input manually. Use bp to intercept and modify the request while the attacking host listens.

The host gets the corresponding shell session. Upload the linux sugger2 file to test how to escalate privileges.

Kali serves the file over http with python, the controlled host downloads it and makes it executable. After running it, no applicable privilege escalation method is detected.

Go to the home directory to see which users exist.

Only jim's directory contains files. test.sh and mbox do not have run permission; backups holds a .bak file, opened directly with cat.

It is a dictionary. I don't know how to download this file; transferring it with nc reports no permission, so copy and paste it into test.txt and use hydra to brute-force.

This cracks jim with the corresponding password jibril4. Log in over ssh and look at mbox, which resembles a mail format; find the corresponding file in the mail directory /var/mail.

The message contains the password for user charles: ^xHhA&hvim0y

Switch users and check which commands this user can run as root: teehee.

echo "mzfr::0:0:::/bin/sh" | sudo teehee -a /etc/passwd

I don't know teehee; going by the translated help text, it can insert into or overwrite the contents of the given file. Insert a root-privileged user into /etc/passwd, then just switch to it. The commands are provided in the official link.

Original site

Copyright notice
This article was created by [Tianxia (Tianyan Master)]. Please include the original link when reprinting. Thank you.
https://yzsam.com/2022/161/202206102138422658.html