Vulnhub Target Machine DC-1

Download link

Link: https://pan.baidu.com/s/1W3bEDx219EEsnGFUnDX3-Q 
Extraction code: pm7e

Import the OVA file with VMware, and make sure both Kali and the target machine use NAT network mode.

After the VM starts, no operations can be performed on the screen it displays.

Preparation

First check Kali's IP address.

Run an nmap scan to find the target machine's IP.

View the target's open ports.

 

Browse to the IP; the site is running Drupal.

 

Test

Use Metasploit (msf) to see whether an exploit module exists; run msfconsole to start.

Search for Drupal-related modules, prefer one with a more recent date, use the entry numbered 1, and get a reverse shell.

Check which options need to be set.

At this point only rhosts needs to be set, that is, the target machine's IP; then run exploit.

Enter the shell.

Then use the standard Python one-liner to get an interactive shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Checking the permissions shows that this is a low-privilege account.

 

Privilege escalation

SUID privilege escalation abuses executables that have the SUID bit set and are owned by root, so they run with root's privileges.

The standard query to list them:

find / -user root -perm -4000 -print 2>/dev/null

Note which of the listed executables can be used for privilege escalation; here we use find.

find / -name cron.php -exec "/bin/sh" \; 


// the path contains a cron.php file; \ is an escape character

 

You can see that we have root permissions
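The same SUID query is also useful defensively. The script below is an added example, not part of the original post: it triages the query's output against a baseline and flags tools such as find that should never be SUID root. The EXPECTED and DANGEROUS lists and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage the output of the SUID query from this walkthrough.
# Usage on a real host:
#   find / -user root -perm -4000 -print 2>/dev/null | triage_suid

# Assumption: SUID-root binaries expected on a stock Debian-like install.
# Replace with the baseline for your own distribution.
EXPECTED="su sudo passwd chsh chfn gpasswd newgrp mount umount ping ping6"

# Assumption: general-purpose tools that can run commands or touch arbitrary
# files, so they should never carry the SUID bit (find, via -exec, is the
# case shown above).
DANGEROUS="find bash sh dash vim less cp"

# Read one path per line on stdin and print "<VERDICT> <path>":
#   OK        basename is in the expected baseline
#   CRITICAL  basename is a tool that must not be SUID root
#   REVIEW    anything else; confirm it is needed before keeping the bit
triage_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        verdict=REVIEW
        case " $EXPECTED " in *" $name "*) verdict=OK ;; esac
        case " $DANGEROUS " in *" $name "*) verdict=CRITICAL ;; esac
        printf '%s %s\n' "$verdict" "$path"
    done
}

# Constructed sample input (not captured from the DC-1 machine).
printf '%s\n' /bin/su /bin/mount /usr/bin/passwd /usr/bin/find \
    /usr/local/bin/backup | triage_suid
```

For a CRITICAL entry the fix is to clear the bit, for example with chmod u-s on that path, and then re-run the query.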

 

Find the files related to the flag.

 

View it, and it's done.

Classic Drupal vulnerability

CVE-2014-3704: adds an administrator account; applies to versions 7.0-7.31.

Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) - PHP webapps Exploit

The download is a .py file. Running it from the directory where it was saved shows the following parameter prompts.

Run:

python 34992.py -t http://192.168.80.129 -u 123 -p 123

Copy the URL shown below it and open it in the browser.

Try to log in; if you reach the admin backend, you have obtained administrator privileges.

Complete steps: finding flag1 through flag5

See this article together with the reference: [Basic direction] Super detailed explanation of vulnhub shooting range DC-1_哔哩哔哩_bilibili

Origin blog.csdn.net/weixin_52221158/article/details/126561577