OSCP report practice - vulnhub development-improved

The OSCP exam is coming up, so I am working through some Vulnhub machines for practice and practising report writing along the way.





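2. When the web page returned an error, I did not think to search for the file name. Only after reading a walkthrough did I find that a Baidu search turns up the related exploit.

The OSCP Exam Report template is here:


Since only section 3 of the report really matters, this write-up simply follows the layout of section 3.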

3.2 Report – Service Enumeration

Server IP Address:

Ports Open: 22, 8080

Service / Banner: ssh / Apache

3.3 Report – Penetration

Vulnerability Exploited: SiTeFiLo File Disclosure vulnerability

System Vulnerable:

Vulnerability Explanation: The Simple Text-File Login script (SiTeFiLo) suffers from a File Disclosure vulnerability. It leaks an SSH account username and password. This vulnerability was used to obtain a low-privilege shell.

Privilege Escalation Vulnerability: Credential leak and abuse of sudo permission

Vulnerability Fix: Update SiTeFiLo to the latest version

Severity: Critical

Information Gathering:

kali@kali:~/Desktop$ sudo nmap -sV -p 1-65535 -n



22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

113/tcp open ident?

139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

8080/tcp open http-proxy IIS 6.0

Browse the web page on port 8080 and view the source code. Note the following:

Browse url. “development” may be a hint.

Browse url. View the source code. Find an interesting page.

Browse url. Find a link.

Browse url. Find a link again.

Browse url. Try to submit the form.

After submitting the form, get an error.

Searching for the file name in Google turns up a sensitive data disclosure bug.



Browse url. Get four accounts’ usernames and passwords.

Credentials here:

admin, 3cb1d13bb83ffff2defe8d1443d3a0eb

intern, 4a8a2b374f463b7aedbb44a066363b81

patrick, 87e6d56ce79af90dbe07d387d3d0579e

qiu, ee64497098d0926d198f54f6d5431f98

Go to the https://www.somd5.com/ website to crack the MD5 password hashes above.

Plaintext usernames and passwords here:




Try to log in over SSH with the usernames and passwords above. Only user “intern” logs in successfully, but the shell is a limited shell named “lshell”.

Note that we can use the command “echo”.

Escape payload:

echo && 'bash'

Enumerate target information.

cat /etc/passwd

Note there is a user “patrick”. We already have this account’s password from the SiTeFiLo “sensitive data disclosure bug”.

Use the command “su” to move laterally to user “patrick” with the associated password “P@ssw0rd25”.

Enumerate the sudo permissions for user “patrick”.

Use vim to get root permission.
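
A defensive check for the sudo misconfiguration used in the last step, as an added example that is not part of the original write-up: a small Python audit that flags sudoers rules granting shell-capable programs such as vim. The sample policy, the function name audit_sudoers and the SHELL_CAPABLE list are assumptions made for illustration; aliases and include directives are not resolved.

```python
import os
import re

# Programs that can start a shell or run arbitrary commands from inside their
# own interface. Illustrative list chosen for this example, not exhaustive.
SHELL_CAPABLE = {"vim", "vi", "view", "nano", "less", "more", "man", "awk",
                 "find", "python", "python3", "perl", "bash", "sh"}

SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.+)$")
SKIP = re.compile(r"^(Defaults|\w+_Alias)\b")
PREFIX = re.compile(r"^\s*(\([^)]*\)\s*)?([A-Z_]+:\s*)*")  # (runas) and TAG:


def audit_sudoers(text):
    """Return sorted (user, command, reason) findings for risky rules."""
    findings = set()
    text = text.replace("\\\n", " ")           # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line or SKIP.match(line):
            continue
        m = SPEC.match(line)
        if not m or m.group(1) == "root":      # root's own rule is expected
            continue
        user, _host, rest = m.groups()
        # Split the command list on commas that are not inside "(runas, list)".
        for item in re.split(r",(?![^(]*\))", rest):
            cmd = PREFIX.sub("", item, count=1).strip()
            if not cmd:
                continue
            prog = cmd.split()[0]
            if prog == "ALL":
                findings.add((user, cmd, "unrestricted command set"))
            elif os.path.basename(prog) in SHELL_CAPABLE:
                findings.add((user, cmd, "program can spawn a root shell"))
    return sorted(findings)


# Constructed sample policy (not taken from the target machine).
SAMPLE = """\
Defaults env_reset
patrick ALL=(ALL) NOPASSWD: /usr/bin/vim, /bin/nano   # editors via sudo
backup  ALL=(root) /usr/bin/rsync /srv/ /mnt/backup/
%ops    ALL=(root, admin) /usr/bin/systemctl restart apache2, \\
        /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE), sep="\n")
```

Where a user only needs to edit specific files as root, granting sudoedit on those files avoids running the editor itself as root.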