Vulnhub-dc9 learning notes
2022-07-18 15:13:00 【Zhaohg720】
1. Fping + Nmap: probe hosts and ports

2. Test the HTTP service on port 80
The search.php page uses the POST method to look up data, so we try a POST injection with sqlmap.


The injection yields the encrypted password of the admin user.
We look it up on an MD5 decryption website to get the plaintext password.
After logging in there is a page that submits information via POST. I haven't found a way to use it for the time being, but the footer indicates that a file does not exist.

After various attempts, it turns out that the page takes a file-inclusion parameter, file, which can read some files on the system. This reveals some user names that can log in to the system.
During the injection we also found another database, the user database, which holds user names and passwords.

Using port 22
We now have user names and passwords that could be used for ssh login, but ssh reports that the port refuses access.
Scanning with nmap again shows that the port state is filtered, not open.
According to other people's write-ups, ssh here is protected by a service called Knockd.
The Knockd configuration file is located at /etc/knockd.conf.
From it we get the 3 port numbers needed for the knock.
Following the manual, we knock with Nmap.
After knocking, the state of port 22 changes to open.
Now we can log in over ssh. We sort the user names and passwords into dictionaries, then use hydra to test which users can log in.
In the home directory of the janitor user we find a hidden folder containing some passwords. We update the password dictionary and run hydra again.
This gives us the password of the fredf user. The website shows that fredf is the system administrator, so we are not far from success.
We find that fredf can run a command with root privileges.
Running test prints a prompt to read test.py. We search for the path of test.py and look at its contents: test.py is the source code of test. It takes two parameters, both of them files, and the script appends the first file to the end of the second.
So we can create a root-privileged user following the /etc/passwd file format,
where the password is the encrypted ciphertext generated by openssl passwd -1.
