【OSCP】gigachad

admin, 2024-04-20 01:05:24

OSCP lab

Lab overview

gigachad

Difficulty: easy

Topics: FTP abuse, Google reverse image search, SUID privilege escalation, s-nail privilege escalation

Information gathering

Host discovery

nmap -sn 192.168.1.0/24

Port scanning

nmap -sV -A -p- -T4 192.168.1.220
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-03 20:55 EST
Nmap scan report for 192.168.1.220
Host is up (0.00051s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 1000 1000 297 Feb 07 2021 chadinfo
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.158
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/kingchad.html
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:1B:5C:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.51 ms 192.168.1.220

Directory scanning

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.220 -x php,txt,html
ffuf -u http://192.168.1.220/FUZZ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -mc 200

The site hints that someone is about to attack them, and at the bottom of the home page there is a string of special characters.

Decoded, it turns out to be "fuck you virgin".

The directory scan here behaves very strangely: whatever name you scan for comes back as present.

The following page then appears.

Gaining access

Anonymous login gives FTP access, and inside there is an archive.

After extracting the archive, it contains the directory path and file name of an image.

A Google reverse image search identifies the place as Maiden's Tower.

Trying this place name as the SSH password actually worked.

Privilege escalation

find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null

There is an s-nail binary with the SUID bit set; checking the exploit database shows that versions below 14.8.16 are vulnerable.

https://www.exploit-db.com/exploits/47172

Because this exploit depends on winning a race condition, a single run does not necessarily escalate privileges; wrapping it in a loop lets it retry until it succeeds.

chmod +x 47172.sh
while true; do ./47172.sh ;done
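From the defender's side, the SUID listing above is also the check that would have caught this host: compare the live SUID set against an approved baseline and anything not on it (here, the s-nail helper) needs a justification, a version above the threshold cited, or its SUID bit removed. The script below is an added example, not part of the original walkthrough; the baseline list and the s-nail helper path are constructed for illustration.

```shell
#!/bin/sh
# SUID audit (added example, not from the walkthrough): report any SUID
# binary that is not on an approved baseline, so an unexpected helper such
# as the s-nail one found on this host stands out.

# Constructed baseline (assumption): SUID files expected on a minimal Debian
# host. A real deployment would generate this from a known-good image.
BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount"

# enumerate_suid: the same search the walkthrough runs, printing only the
# paths so the result can be piped into the comparison below.
enumerate_suid() {
    find / -perm -4000 -type f 2>/dev/null
}

# find_unexpected_suid: read SUID paths on stdin and print each one that is
# absent from BASELINE. Whole-line fixed-string matching avoids prefix hits.
find_unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$BASELINE" | grep -qxF -- "$path" || printf '%s\n' "$path"
    done
}

# Constructed sample listing (assumption): what enumerate_suid might return on
# the target, with a placeholder path standing in for the SUID s-nail helper.
SAMPLE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/local/libexec/s-nail/s-nail-privsep"

# Offline demonstration on the constructed sample; on a live host run:
#   enumerate_suid | find_unexpected_suid
printf '%s\n' "$SAMPLE" | find_unexpected_suid
```

Run periodically (or from a file integrity monitor) the diff also surfaces newly dropped SUID files, not just the ones installed with the system.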

End

Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】gigachad

Source: https://cn-sec.com/archives/2632970.html