INFOSEC PREP:OSCP

发表于 2024/01/24 更新于 2024/06/10

作者 6 分钟阅读

INFOSEC PREP: OSCP

听说这个靶场对新手比较友好，今天来试试，吃一堑长一智，这次使用virtualbox进行打开：

ok，一切正常。

踩点

打开看一下有没有啥提示：

随便点点，瞅瞅！找到一个登录界面：

还有提示：

Heya! Welcome to the hunt.
In order to enter the give away, you must obtain the root flag located in /root/. Once you’ve obtained the flag, message the TryHarder bot with the command !flag <insert flag>. It will then validate the flag for verification. Should it be incorrect, it will let you know. If it’s correct, you will be given a new role on the server where you can chat with others in a private channel. Once you’ve received the role you are entered into the give away!
You must be a member of the server in order to use the command above.
For those downloading this box off vulnhub at a later time, the command above will no longer be available.
Oh yea! Almost forgot the only user on this box is “oscp”.
A big thank you to Offensive Security for providing the voucher.
Happy Hunting
-FalconSpy & InfoSec Prep Discord Server
( https://discord.gg/RRgKaep )

可以看出来只有一个用户名为OSCP，先扫一下开放端口和目录吧。

扫描开放端口

  
nmap -Pn -sT -p- IP -o nmap.txt -T4

我这里觉得太慢直接使用nmap IP出现了报错：

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-23 21:54 EST Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 3.03 seconds
Solution: use ‘-Pn’ .

结果如下：

Nmap scan report for 172.20.10.4
Host is up (0.0015s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
33060/tcp open  mysqlx

目录扫描

使用dirb尝试：

dirb http://172.20.10.4/

可以看到有robots.txt文件夹，看一下有没有啥惊喜：

尝试访问一下，看看能不能访问：

看到最后的=意识到这可能是base64编码，解码一下：

  
sudo curl -s 'http://172.20.10.4/secret.txt' | base64 --decode > 1.txt

这里如果出现问题就创建一个1.txt，给下权限再执行，获取ssh私钥，尝试连接：

直接ssh连接上去：

  
ssh -i id_rsa oscp@172.20.10.4
# ssh服务开了的
# id_rsa是1.txt改了个名字：mv 1.txt id_rsa
# 用户名是给了的oscp
┌──(kali㉿kali)-[~/nmap/OSCP]
└─$ ssh -i id_rsa oscp@172.20.10.4
The authenticity of host '172.20.10.4 (172.20.10.4)' can't be established.
ED25519 key fingerprint is SHA256:OORLHLygIlTRZ4nXi9nq+WIrJ26fv7tfgvVHm8FaAzE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.20.10.4' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Wed 24 Jan 2024 03:28:22 AM UTC
  System load:  0.08               Processes:             172
  Usage of /:   26.8% of 19.56GB   Users logged in:       0
  Memory usage: 58%                IPv4 address for eth0: 172.20.10.4
  Swap usage:   0%
0 updates can be installed immediately.
0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sat Jul 11 16:50:11 2020 from 192.168.128.1

SUID提权

SUID (Set UID)是Linux中的一种特殊权限,其功能为用户运行某个程序时，如果该程序有SUID权限，那么程序运行为进程时，进程的属主不是发起者，而是程序文件所属的属主。但是SUID权限的设置只针对二进制可执行文件,对于非可执行文件设置SUID没有任何意义.
在执行过程中，调用者会暂时获得该文件的所有者权限,且该权限只在程序执行的过程中有效. 通俗的来讲,假设我们现在有一个可执行文件ls,其属主为root,当我们通过非root用户登录时,如果ls设置了SUID权限,我们可在非root用户下运行该二进制可执行文件,在执行文件时,该进程的权限将为root权限.

先使用find命令查找SUID文件：

  
find / -perm -u=s -type f 2>/dev/null

使用bash进行提权：

获取flag。

Training platform, Vulnhub

Vulnhub web

本文由作者按照 CC BY 4.0 进行授权

INFOSEC PREP: OSCP

踩点

扫描开放端口

目录扫描

SUID提权

热门标签