【OSCP】azer

admin, 2024-10-16 18:17:33

OSCP lab


Lab overview

azer

easy

Command injection, Docker, internal network scanning, live-host scanning, using fscan

Information gathering

Host discovery

nmap -sn 192.168.1.0/24


Port scanning

┌──(root㉿kali)-[~/下载]
└─# nmap -sV -A -p- -T4 192.168.1.61
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-28 22:57 EST
Nmap scan report for 192.168.1.61
Host is up (0.00090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-title: LÖSEV | Lösemili Çocuklar Vakf\xC4\xB1
|_http-server-header: Apache/2.4.57 (Debian)
3000/tcp open http Node.js (Express middleware)
|_http-title: Login Page
MAC Address: 08:00:27:73:B3:BB (Oracle VirtualBox virtual NIC)
Aggressive OS guesses: Linux 5.0 - 5.5 (95%), Linux 4.15 - 5.8 (94%), Linux 3.2 - 4.9 (91%), Linux 2.6.32 - 3.10 (91%), Linux 5.0 - 5.4 (91%), Linux 5.4 (90%), Linux 2.6.32 (90%), Linux 5.3 - 5.4 (89%), Linux 3.4 - 3.10 (88%), Synology DiskStation Manager 5.2-5644 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.90 ms 192.168.1.61

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.65 seconds


Directory scanning

┌──(root㉿kali)-[~/下载]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.61 -x html,txt,php -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.61
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.61/.html (Status: 403) [Size: 277]
http://192.168.1.61/index.html (Status: 200) [Size: 40603]
http://192.168.1.61/v6 (Status: 301) [Size: 309] [--> http://192.168.1.61/v6/]
http://192.168.1.61/ik (Status: 301) [Size: 309] [--> http://192.168.1.61/ik/]
http://192.168.1.61/.html (Status: 403) [Size: 277]
http://192.168.1.61/server-status (Status: 403) [Size: 277]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished

Gaining access

Testing the login form shows that it allows command execution.


We spawn a reverse shell directly and obtain access to the system.
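The root cause behind a login form that executes commands is usually a form field reaching a shell. The following is an added example, not code from the target application or the original article: the handler names are hypothetical and `echo` stands in for whatever helper program a real handler would call. It contrasts the injectable pattern with an allowlisted, shell-free call.

```javascript
// Added example: hypothetical handlers, not the target application's code.
const { execSync, execFileSync } = require("child_process");

// Vulnerable pattern: the form field is concatenated into a shell command
// line, so /bin/sh interprets any metacharacters it contains.
function loginVulnerable(body) {
  const out = execSync("echo auth-check " + body.username, { encoding: "utf8" });
  return { status: 200, output: out.trim() };
}

// Hardened pattern: validate against an allowlist, then pass the value as a
// single argv element with no shell involved (execFile does not spawn one).
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;
function loginHardened(body) {
  const username = body && body.username;
  if (typeof username !== "string" || !USERNAME_RE.test(username)) {
    return { status: 400, output: "invalid username" };
  }
  const out = execFileSync("echo", ["auth-check", username], { encoding: "utf8" });
  return { status: 200, output: out.trim() };
}

// Constructed probe with a harmless marker command.
const probe = { username: "alice; echo INJECTED" };
const demo = {
  vulnerable: loginVulnerable(probe), // shell runs the second command
  hardened: loginHardened(probe),     // rejected before any process starts
  normal: loginHardened({ username: "alice" }),
};
console.log(demo);
```

For the constructed probe, the vulnerable handler's output contains the marker on its own line, while the hardened handler rejects the same input with status 400.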


Privilege escalation

ifconfig shows that Docker is present on the host. Use fscan to run a live-host scan of the 10.10.10.0 network segment.


curl http://10.10.10.10


End


Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】azer

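Disclaimer: The programs (methods) covered in this article may be offensive in nature and are intended for security research and teaching only. Readers who use this information for other purposes bear all legal and joint liability; this site bears no legal or joint liability. If there is a problem, contact us by e-mail (a corporate or otherwise valid mailbox is recommended so the message is not blocked; contact details are on the home page).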
Please keep the link to this article when reposting (CN-SEC中文网: thanks to the original author for the hard work): 【OSCP】azer https://cn-sec.com/archives/3274947.html