Sunset:Decoy

https://download.vulnhub.com/sunset/decoy.ova

Target IP: 192.168.2.16

Scan the externally exposed ports and services

┌──(root㉿kali)-[/tmp]
└─# nmap -p1-65535 -sV 192.168.2.16
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-08 10:02 EDT
Nmap scan report for 192.168.2.16
Host is up (0.000079s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38
MAC Address: 08:00:27:36:E2:8F (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds

Browsing to port 80 shows a compressed archive.

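The archive is password-protected; brute-forcing it recovers the password: manuel

Extract the archive

View the shadow file

Brute-force the passwords of the users root and 296640a3b825115a47b68fc44501c828. Only the password for user 296640a3b825115a47b68fc44501c828 was found: server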

After logging in over SSH, there is no unrestricted shell, only rbash

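Bypass rbash

Commands can only be run by their full path. Checking the sudo list shows nothing.

Environment variables can be set

Run honeypot.decoy

Monitoring processes with pspy64 reveals Chkrootkit-0.49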

Chkrootkit privilege escalation vulnerability: https://www.exploit-db.com/exploits/33899

Set up the reverse shell

Run the AV scan again.

After one minute the reverse shell connects
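
A defender-side check for the Chkrootkit-0.49 process that pspy64 surfaced above, added here as an example and not part of the original write-up: it reads pspy-style process lines and reports root-run chkrootkit processes whose path shows version 0.49 or lower. The sample lines are constructed, the function name is hypothetical, and treating 0.50 as the first fixed release is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original write-up).
# Reads pspy-style lines on stdin and prints "PID VERSION" for every
# root-run chkrootkit process whose path reveals a version below 0.50.
# Assumption: 0.50 is the first release without the flaw linked above.

flag_vulnerable_chkrootkit() {
    awk -v fixed_minor=50 '
    {
        # Version is taken from the directory name, e.g. chkrootkit-0.49
        if (!match($0, /[Cc]hkrootkit-[0-9]+\.[0-9]+/)) next
        ver = substr($0, RSTART + 11, RLENGTH - 11)   # skip "chkrootkit-"
        split(ver, v, ".")

        if (!match($0, /UID=[0-9]+/)) next
        uid = substr($0, RSTART + 4, RLENGTH - 4)

        if (!match($0, /PID=[0-9]+/)) next
        pid = substr($0, RSTART + 4, RLENGTH - 4)

        # Only scans running as root matter for privilege escalation
        if (uid + 0 != 0) next

        # Numeric compare so "0.49" < "0.50" regardless of string form
        if (v[1] + 0 == 0 && v[2] + 0 < fixed_minor) print pid, ver
    }'
}

# Constructed sample in the layout pspy prints (not captured from the target)
SAMPLE_LINES='2022/09/08 10:25:01 CMD: UID=0    PID=1301   | /bin/sh /root/chkrootkit-0.49/chkrootkit
2022/09/08 10:25:01 CMD: UID=1000 PID=1310   | /bin/sh /home/user/chkrootkit-0.49/chkrootkit
2022/09/08 10:26:01 CMD: UID=0    PID=1402   | /bin/sh /opt/chkrootkit-0.50/chkrootkit
2022/09/08 10:26:02 CMD: UID=0    PID=1403   | /usr/sbin/cron -f'

# Report findings for the sample; on a real host, pipe in collected process logs
printf '%s\n' "$SAMPLE_LINES" | flag_vulnerable_chkrootkit
```

Any line it reports is a scheduled root scan that should be upgraded or disabled until it is.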
