【OSCP】vivifytech

admin, 2024-04-28 11:58:04

OSCP Lab

Lab overview

vivifytech

easy

Routine information gathering, WordPress exploitation, SSH brute force, host information gathering, git privilege escalation

Information gathering

Host discovery

nmap -sn 192.168.31.0/24

Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.31.107
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-08 22:57 EST
Nmap scan report for 192.168.31.107
Host is up (0.0011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
|_ 256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000

Directory scan

└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.107 -x php,html,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.107
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.107/.php (Status: 403) [Size: 279]
http://192.168.31.107/index.html (Status: 200) [Size: 10701]
http://192.168.31.107/.html (Status: 403) [Size: 279]
http://192.168.31.107/wordpress (Status: 301) [Size: 320] [--> http://192.168.31.107/wordpress/]
http://192.168.31.107/.html (Status: 403) [Size: 279]
http://192.168.31.107/.php (Status: 403) [Size: 279]
http://192.168.31.107/server-status (Status: 403) [Size: 279]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.107/wordpress -x php,html,txt -e

A wordlist file was found here.

Vulnerability scan

wpscan --url http://192.168.31.107/wordpress -e

Gaining access

Brute-forcing the WordPress admin login failed

wpscan --url http://192.168.31.107/wordpress/wp-login.php -U sancelisso -P pass.txt

Brute-forcing SSH failed

Going back, several names were found on the following page and used for another brute-force attempt

http://192.168.31.107/wordpress/index.php/2023/12/05/the-story-behind-vivifytech/

hydra -L user.txt -P pass.txt ssh://192.168.31.107
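
Seen from the defending side, a user-list and password-list run like the one above leaves a clear pattern in the sshd log: many failed passwords from one source across several account names, sometimes followed by a successful login. The following detection sketch is an added example, not part of the original write-up; it assumes classic syslog-format sshd lines, and the sample log, account names, source addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the lab host).
SAMPLE_LOG = """\
Feb  9 04:10:01 host sshd[911]: Failed password for invalid user alice from 192.168.31.50 port 40112 ssh2
Feb  9 04:10:02 host sshd[911]: Failed password for invalid user alice from 192.168.31.50 port 40113 ssh2
Feb  9 04:10:03 host sshd[912]: Failed password for bob from 192.168.31.50 port 40114 ssh2
Feb  9 04:10:04 host sshd[912]: Failed password for bob from 192.168.31.50 port 40115 ssh2
Feb  9 04:10:05 host sshd[913]: Failed password for dave from 192.168.31.20 port 51000 ssh2
Feb  9 04:10:09 host sshd[913]: Accepted password for dave from 192.168.31.20 port 51001 ssh2
Feb  9 04:10:10 host sshd[914]: Failed password for carol from 192.168.31.50 port 40116 ssh2
Feb  9 04:10:11 host sshd[914]: Failed password for carol from 192.168.31.50 port 40117 ssh2
Feb  9 04:10:12 host sshd[915]: Accepted password for carol from 192.168.31.50 port 40118 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, min_failures=5, min_users=2):
    """Report sources that failed logins against several accounts.

    Each report holds the failure count, the account names tried, and any
    account that logged in after the thresholds were crossed; such an
    account should be treated as compromised.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    compromised = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip] >= min_failures and len(users[ip]) >= min_users:
            if user not in compromised[ip]:
                compromised[ip].append(user)
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "compromised": compromised[ip]}
        for ip, n in failures.items()
        if n >= min_failures and len(users[ip]) >= min_users
    }

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

A single mistyped password followed by a successful login, as for the constructed user dave, stays below the thresholds and is not reported.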

Privilege escalation

The account credentials for the user gbodja were found in sarah's directory

git was used to escalate to root privileges

End

Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】vivifytech

Published 2024-04-28 11:58:04
When reposting, please keep the link to this article (CN-SEC, with thanks to the original author for their hard work):
【OSCP】vivifytech http://cn-sec.com/archives/2694113.html
