[vulnhub range] - DC2
2022-04-23 12:38:00 【weixin_ forty-three million four hundred and forty-six thousand】
1. Environment configuration
kali: 88.16.153.14
dc-2: 88.16.153.6
Configure the hosts file:
linux: vi /etc/hosts
2. Information gathering
2.1 Open ports: 80 and 7744. Port 7744 is the SSH service, which normally runs on port 22, so this is unusual.
2.2 Browsing the website shows that the CMS is WordPress 5.9.3, and there is a flag1. Roughly translated, its hint is that my usual dictionary will not work, that cewl is needed to collect passwords, and that the flag may not be in the user directory.
2.3 Collect a password dictionary: cewl http://dc-2/ -w w.txt
2.4 Since the CMS is WordPress, a Baidu search gives its admin login path. The admin login page of this website is http://dc-2/wp-login.php
3. Penetration
3.1 Kali ships with wpscan, a WordPress scanning tool. Use it to enumerate usernames:
wpscan --url dc-2 -e u
This returns three usernames, which are saved in user.txt.
Use wpscan to brute-force the passwords:
wpscan --url dc-2 -U user.txt -P w.txt
This yields jerry/adipiscing and tom/parturient.
3.2 Log in to the website and find flag2. Its hint is that if you cannot exploit a WordPress vulnerability, you can try another entry point.
3.3 During port collection, port 7744 turned out to be the SSH port. Try logging in over SSH with the cracked usernames and passwords. Logging in as jerry fails with a permission error; logging in as tom succeeds.
Obtain flag3.
Judging from the content of flag3, we need to switch to the jerry user with su, but the su command is not available. According to the error, this calls for an rbash escape. I don't really understand it; you can look it up on Baidu yourself.
BASH_CMDS[a]=/bin/sh
a # call the /bin/sh command interpreter
/bin/bash # switch to the bash command interpreter
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin # set the PATH environment variable
flag4 is found in the home/jerry directory.
According to its hint, privilege escalation is done with git; git has root privileges:
sudo git help config
!/bin/bash
Successfully found the last flag
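A defender-side check for the misconfiguration this walkthrough ends on (git runnable as root through sudo). The following Python is an added example, not part of the original post: it scans sudoers rules for programs that can start a shell from a pager or editor. The sudoers lines, the SHELL_CAPABLE list and the function name audit_sudoers are assumptions made for the example.

```python
import re

# Programs that can start a shell from inside themselves (pager, editor, exec
# option). Illustrative list only, an assumption of this example.
SHELL_CAPABLE = {"git", "less", "more", "man", "vi", "vim", "find", "awk", "env"}
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

# Constructed sudoers content, not taken from the DC-2 image.
SAMPLE = """\
Defaults env_reset
jerry  ALL=(root) NOPASSWD: /usr/bin/git
tom    ALL=(root) /usr/sbin/nginx -t
deploy ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
ops    ALL=(ALL:ALL) ALL
"""

def audit_sudoers(text):
    """Return (user, command, reason) for rules that can hand out a root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = None if line.startswith(SKIP) else RULE.match(line)
        if not m:
            continue
        user, runas, cmds = m.group(1), m.group(2) or "root", m.group(3)
        targets = [r.strip() for r in runas.split(":")[0].split(",")]
        if not {"root", "ALL"} & set(targets):
            continue                                  # rule cannot reach root
        noexec = False                                # tags stay in effect along the list
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOEXEC", "EXEC"):
                    noexec = t.group(1) == "NOEXEC"
                cmd = cmd[t.end():]
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted root"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in SHELL_CAPABLE and not noexec:
                # NOEXEC stops a dynamically linked program from spawning children
                findings.append((user, cmd, "shell-capable program without NOEXEC"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(*finding, sep=" | ")
```

On the constructed sample this reports the jerry/git rule and the unrestricted ops rule; the tom rule and the NOEXEC-tagged less rule pass.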
Copyright notice
This article was written by [weixin_ forty-three million four hundred and forty-six thousand]. Please include the original link when reposting. Thanks.
https://yzsam.com/2022/04/202204231218506522.html